[Feature] Access control on who can run/view workflows #555
Comments
This is something that we want to work on in Milestone Q1, 2021.
@kumare3 Thank you for the update. Looking forward to it. Are we planning to use Google auth or something different? Just curious.
@senthilnathan23 so Flyte already supports OAuth2 based Authentication flow. https://flyte.readthedocs.io/en/latest/administrator/install/authentication.html?highlight=auth. Since this uses OAuth2 you should be able to use Google Auth for the sign in. This issue aims at implementing Authorization (AuthZ / Role based access control). I am not 100% sure if we can have RBAC policies in Google. We are definitely thinking on the lines of Open Policy Agent. Would love your thoughts. Please join the slack channel at https://docs.google.com/forms/d/e/1FAIpQLScWPJZncyL-bBCWbuQ9HWuMzA8-r2RJc__CSWJoAYUQADN-BQ/viewform and join the discussion.
I guess your intention here is to use the singular hosted platform at Lyft for more sensitive pipelines. If so, then we should be able to support this soon.
Yes, that's right. Thank you!
Hi all, I've taken a stab at a proposal for authz... Probably needs more work but thought I'd put it out there to start the discussion and get your input.
There is no standard for authZ available in open source, so we are closing this issue - until someone proposes a workable RFC.
* updated flyteplugins version Signed-off-by: Daniel Rammer <[email protected]> * go mod tidy Signed-off-by: Daniel Rammer <[email protected]> --------- Signed-off-by: Daniel Rammer <[email protected]>
Cherry-pick the following change to populate oauth metadata once on initialization using Sync.Do ca04314 Tested locally using uctl-admin and fetched projects calling into admin which exercises the auth flow https://buildkite.com/unionai/org-staging-sync/builds/3541 Rollout to all canary and then prod tenants - [x] To be upstreamed to OSS *TODO: Link Linear issue(s) using [magic words](https://linear.app/docs/github#magic-words). `fixes` will move to merged status, while `ref` will only link the PR.* * [ ] Added tests * [ ] Ran a deploy dry run and shared the terraform plan * [ ] Added logging and metrics * [ ] Updated [dashboards](https://unionai.grafana.net/dashboards) and [alerts](https://unionai.grafana.net/alerting/list) * [ ] Updated documentation Signed-off-by: pmahindrakar-oss <[email protected]>
…ource (#6001) * Auth/prevent lookup per call (#5686) (#555) Cherry-pick the following change to populate oauth metadata once on initialization using Sync.Do ca04314 Tested locally using uctl-admin and fetched projects calling into admin which exercises the auth flow https://buildkite.com/unionai/org-staging-sync/builds/3541 Rollout to all canary and then prod tenants - [x] To be upstreamed to OSS *TODO: Link Linear issue(s) using [magic words](https://linear.app/docs/github#magic-words). `fixes` will move to merged status, while `ref` will only link the PR.* * [ ] Added tests * [ ] Ran a deploy dry run and shared the terraform plan * [ ] Added logging and metrics * [ ] Updated [dashboards](https://unionai.grafana.net/dashboards) and [alerts](https://unionai.grafana.net/alerting/list) * [ ] Updated documentation Signed-off-by: pmahindrakar-oss <[email protected]> * [COR-1114] Fix token validity check logic to use exp field in access token (#330) * Add logs for token * add logs * Fixing the validity check logic for token * nit * nit * Adding in memory token source provider * nit * changed Valid method to log and ignore parseDateClaim error * nit * Fix unit tests * lint * fix unit tests Signed-off-by: pmahindrakar-oss <[email protected]> * remove debug logs Signed-off-by: pmahindrakar-oss <[email protected]> --------- Signed-off-by: pmahindrakar-oss <[email protected]>
Motivation: Why do you think this is important?
We want to have better access control over who can run/view workflows. Currently this is a blocker to creating any critical pipelines on Flyte.
Goal: What should the final outcome look like, ideally?
Flyte UI/CLI: Should allow a certain list of users to view/run the workflows. This could be configured through the code.
Describe alternatives you've considered
There are no alternatives at this point to overcome this.
Flyte component
[Optional] Propose: Link/Inline
N/A
Additional context
N/A
Is this a blocker for you to adopt Flyte
This is a blocker for us to start using Flyte for our critical data pipelines.
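The thread separates two concerns: the OAuth2 flow Flyte already has establishes *who* the caller is (authentication), while this request is about *what* that caller may do to a given workflow (authorization). The following is an added illustration, not Flyte code and not the proposal mentioned above, of the deny-by-default, role-based check the issue body asks for: a policy of bindings that grant `view` or `run` on workflows addressed the way Flyte addresses them (project/domain/name), evaluated against the authenticated principal's subject and group claims. All names (`Policy`, `Binding`, the `payments` project, the users `alice`, `bob` and `carol`) are hypothetical.

```go
package main

import "fmt"

// Action is an operation a caller may request on a workflow.
type Action string

const (
	ActionView Action = "view"
	ActionRun  Action = "run"
)

// Principal is what the authentication step (e.g. an OAuth2/OIDC login) yields:
// a subject plus the group claims carried in the token. Authorization below
// never re-checks identity; it only consults these fields.
type Principal struct {
	Subject string
	Groups  []string
}

// WorkflowRef identifies a workflow the way Flyte does: project/domain/name.
type WorkflowRef struct {
	Project, Domain, Name string
}

// Binding grants Actions on every workflow matching Scope to the listed
// Subjects or Groups. A "*" in a Scope field matches any value.
type Binding struct {
	Scope    WorkflowRef
	Subjects []string
	Groups   []string
	Actions  []Action
}

// Policy is deny-by-default: an action is allowed only when some binding
// grants it. Nothing here expresses "deny" rules, so bindings can only widen access.
type Policy struct {
	Bindings []Binding
}

func match(pattern, value string) bool { return pattern == "*" || pattern == value }

func (b Binding) covers(wf WorkflowRef) bool {
	return match(b.Scope.Project, wf.Project) &&
		match(b.Scope.Domain, wf.Domain) &&
		match(b.Scope.Name, wf.Name)
}

func (b Binding) appliesTo(p Principal) bool {
	for _, s := range b.Subjects {
		if s == p.Subject {
			return true
		}
	}
	for _, g := range b.Groups {
		for _, pg := range p.Groups {
			if g == pg {
				return true
			}
		}
	}
	return false
}

func (b Binding) grants(a Action) bool {
	for _, ba := range b.Actions {
		if ba == a {
			return true
		}
	}
	return false
}

// Allowed reports whether p may perform a on wf, plus a short reason that is
// useful to log on every decision (audit trail for denied and allowed calls).
func (pol Policy) Allowed(p Principal, a Action, wf WorkflowRef) (bool, string) {
	if p.Subject == "" {
		return false, "unauthenticated principal"
	}
	for i, b := range pol.Bindings {
		if b.covers(wf) && b.appliesTo(p) && b.grants(a) {
			return true, fmt.Sprintf("granted by binding %d", i)
		}
	}
	return false, "no binding grants " + string(a)
}

// ExamplePolicy is a constructed sample: engineers run and view production
// payments workflows, analysts only view them, and an auditor views everything.
func ExamplePolicy() Policy {
	prod := WorkflowRef{Project: "payments", Domain: "production", Name: "*"}
	all := WorkflowRef{Project: "*", Domain: "*", Name: "*"}
	return Policy{Bindings: []Binding{
		{Scope: prod, Groups: []string{"data-eng"}, Actions: []Action{ActionView, ActionRun}},
		{Scope: prod, Groups: []string{"analysts"}, Actions: []Action{ActionView}},
		{Scope: all, Subjects: []string{"carol"}, Actions: []Action{ActionView}},
	}}
}

func main() {
	pol := ExamplePolicy()
	wf := WorkflowRef{Project: "payments", Domain: "production", Name: "daily_settlement"}
	bob := Principal{Subject: "bob", Groups: []string{"analysts"}}
	for _, a := range []Action{ActionView, ActionRun} {
		ok, why := pol.Allowed(bob, a, wf)
		fmt.Printf("bob %s %s/%s/%s: %v (%s)\n", a, wf.Project, wf.Domain, wf.Name, ok, why)
	}
}
```

The check sits behind the existing authentication layer: the subject and groups come from the verified token, the policy is static configuration (the "configured through the code" option from the goal), and an empty subject is refused before any binding is consulted. The same bindings could be expressed as OPA data with the `Allowed` logic as a Rego rule, which is the direction the maintainer mentions in the thread.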