-
Notifications
You must be signed in to change notification settings - Fork 108
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Improve authorization feature #409
Comments
For syncing permissions across nodes, a few options come to mind that might be worth exploring:
I am not quite sure yet which is the best approach, if any. We probably want to define what the permissions API should look like / how it should work from a user standpoint. |
For all options, I think:
|
A high level proposalFrom user standpoint
The procedure to modify policy from admin standpoint would look like: Edge cases:
From server standpointIn general, the server should load the local Finally, it sends a Edge cases:
@tylertreat Sorry for the long comments, I just try to give as much detail as possible for the discussion. WDYT ? |
I agree with your proposal to use the existing Raft system to handle authz syncing. The existing Raft system handles a lot of the concerns you mention such as checking leader status, acking replication, etc. which should simplify the replication component. Liftbridge also handles forwarding Raft requests to the metadata leader if they are sent to a follower. The CSV file being exposed is a legitimate concern and was one of the concerns that came to mind for me. I'm not sure if there is much we can do there though other than warn the operator to not manually modify that file? |
I don't love the idea of having to modify a CSV file to apply authz changes. In theory we don't even need the CSV file unless we are wanting to apply static policies? Seems like the Raft operation could update the Casbin instance directly, which would also negate the need for a SIGHUP? |
Indeed. The CSV for casbin is used to store data, but since with Raft, we are pretty certain that the data is persistent at all time, we can ditch the CSV logic. However, I still think that that Casbin implementation requires a CSV file to be stored somewhere ( I need to confirm that part), but even if it is the case, as long as we "hide" the csv file under Side effect:
Also, |
I like the idea of "hiding" the CSV as an implementation detail, though I suppose that breaks existing users and makes it more difficult for implementing statically defined policies. Perhaps we can support both statically-defined policies and "dynamic" policies applied via the Raft system? |
I have not spent lots of time looking into implementation details, but I think supporting both (Raft and CSV based) should be possible. In fact, the current authz configuration allows the switching of both method quite easily.
Also, a small |
What
As mentioned in the docs, there are a few issues remained in the authorization feature (which is experimental):
Why
I want to create this issue to discuss possible routes for improvement on these 2 points.
IMHO, point (1) is more urgent than point (2). If (1) is implemented, then (2) can be considered as acceptable (aka: it will not be more painful than manually edit JSON-based IAM policies on AWS anyway)
The text was updated successfully, but these errors were encountered: