feat: Groups and Namespaces based authorization, for Users and Service Accounts by jyejare · Pull Request #5619 · feast-dev/feast · GitHub
feat: Groups and Namespaces based authorization, for Users and Service Accounts#5619

Merged
franciscojavierarceo merged 7 commits into
feast-dev:masterfrom
jyejare:groups_nss_roles
Oct 10, 2025
Conversation

Collaborator

jyejare commented Sep 16, 2025
edited

Implementation of Groups and Namespaces Based Authorization support

Overview

This PR implements groups and namespaces extraction support in Feast for user authentication (along with existing service account) in Pull Request #5619.

Changes Made

1. Enhanced User Model (sdk/python/feast/permissions/user.py)

  • Extended User class to include groups and namespaces attributes
  • Added methods:
    • has_matching_group(): Check if user has required groups
    • has_matching_namespace(): Check if user has required namespaces
  • Maintained backward compatibility with existing role-based functionality

2. New Policy Types (sdk/python/feast/permissions/policy.py)

  • GroupBasedPolicy: Grants access based on user group membership
  • NamespaceBasedPolicy: Grants access based on user namespace association
  • CombinedGroupNamespacePolicy: Requires both group OR namespace match
  • Updated Policy.from_proto() to handle new policy types
  • Maintained backward compatibility with existing RoleBasedPolicy

3. Protobuf Definitions (protos/feast/core/Policy.proto)

  • Added GroupBasedPolicy message with groups field
  • Added NamespaceBasedPolicy message with namespaces field
  • Extended Policy message to include new policy types in oneof
  • Regenerated Python protobuf files using make compile-protos-python

4. Token Access Review Integration (sdk/python/feast/permissions/auth/kubernetes_token_parser.py)

  • Added AuthenticationV1Api client for Token Access Review
  • Implemented _extract_groups_and_namespaces_from_token():
    • Uses Kubernetes Token Access Review API
    • Extracts groups and namespaces from token response
    • Handles both service accounts and regular users
  • Updated user_details_from_access_token() to include groups and namespaces

5. Client SDK Updates (sdk/python/feast/permissions/client/kubernetes_auth_client_manager.py)

  • Extended KubernetesAuthConfig to support user tokens
  • Updated get_token() method to check for user_token in config
  • Maintained backward compatibility with service account tokens

6. Configuration Model (sdk/python/feast/permissions/auth_model.py)

  • Added user_token field to KubernetesAuthConfig for external users
  • Maintained backward compatibility with existing configurations

7. Comprehensive Tests (sdk/python/tests/permissions/test_groups_namespaces_auth.py)

  • 15 test cases covering all new functionality
  • Tests for:
    • User creation with groups/namespaces
    • Group matching functionality
    • Namespace matching functionality
    • All new policy types
    • Backward compatibility

8. Documentation (docs/getting-started/components/groups_namespaces_auth.md)

  • Usage examples and configuration guides
  • Security considerations and best practices
  • Troubleshooting guide and migration instructions

Key Features Implemented

✅ Token Access Review Integration

  • Uses Kubernetes Token Access Review API to extract user details
  • Handles both service accounts and external users

✅ Groups and Namespaces Extraction

  • Extracts groups and namespaces from token response
  • Supports both service account and regular user tokens

✅ New Policy Types

  • GroupBasedPolicy: Access based on group membership
  • NamespaceBasedPolicy: Access based on namespace association
  • CombinedGroupNamespacePolicy: Requires either group OR namespace

✅ Client SDK Support

  • Extended to support user tokens for external users
  • Maintains backward compatibility with service account tokens
  • New parameter in KubernetesAuthConfig for user tokens

Usage Examples

Basic Group-Based Permission

```python
from feast.permissions.action import AuthzedAction, READ
from feast.permissions.permission import ALL_RESOURCE_TYPES, Permission
from feast.permissions.policy import GroupBasedPolicy

policy = GroupBasedPolicy(groups=["data-team", "ml-engineers"])
permission = Permission(
    name="data_team_access",
    types=ALL_RESOURCE_TYPES,
    policy=policy,
    actions=[AuthzedAction.DESCRIBE] + READ,
)
```

Basic Namespace-Based Permission

```python
from feast.permissions.action import AuthzedAction, READ
from feast.permissions.permission import ALL_RESOURCE_TYPES, Permission
from feast.permissions.policy import NamespaceBasedPolicy

policy = NamespaceBasedPolicy(namespaces=["de-dsp", "ml-dsp"])
permission = Permission(
    name="data_team_access",
    types=ALL_RESOURCE_TYPES,
    policy=policy,
    actions=[AuthzedAction.DESCRIBE] + READ,
)
```

Combined Group + Namespace Permission

```python
from feast.permissions.policy import CombinedGroupNamespacePolicy

policy = CombinedGroupNamespacePolicy(
    groups=["data-team"],
    namespaces=["production"],
)
```

Client Configuration with User Token

```python
from feast.permissions.auth_model import KubernetesAuthConfig

auth_config = KubernetesAuthConfig(
    type="kubernetes",
    user_token="your-kubernetes-user-token",  # For external users
)
```
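To make the flow in sections 1, 2 and 4 concrete, here is an added, stand-alone model of it (not Feast's code): a constructed Kubernetes TokenReview response is turned into a User carrying groups and namespaces, and the three policy types are evaluated against it. Class and method names mirror the PR description; the namespace derivation from `system:serviceaccount:<ns>:<name>` / `system:serviceaccounts:<ns>` and the "either group OR namespace" semantics of the combined policy are assumptions taken from this PR's text.

```python
# Added example, not Feast's own code: a stand-alone model of the flow this PR describes.
# Class names mirror the PR text; the TokenReview payload is constructed, not a real response.
from dataclasses import dataclass, field

# Constructed TokenReview status, shaped like the API server's answer for a service-account token.
TOKEN_REVIEW = {"status": {"authenticated": True, "user": {
    "username": "system:serviceaccount:de-dsp:feast-client",
    "groups": ["system:serviceaccounts", "system:serviceaccounts:de-dsp",
               "system:authenticated"]}}}

@dataclass
class User:
    username: str
    groups: list = field(default_factory=list)
    namespaces: list = field(default_factory=list)

    def has_matching_group(self, required):
        return bool(set(self.groups) & set(required))
    def has_matching_namespace(self, required):
        return bool(set(self.namespaces) & set(required))

def user_from_token_review(review):
    """Build a User from a TokenReview; refuse tokens the API server did not authenticate."""
    status = review.get("status", {})
    if not status.get("authenticated"):
        raise PermissionError("token not authenticated by the API server")
    info = status["user"]
    groups = list(info.get("groups", []))
    namespaces = []
    # Assumption: a service account's namespace comes from its username
    # (system:serviceaccount:<ns>:<name>) and its system:serviceaccounts:<ns> group.
    parts = info["username"].split(":")
    if parts[:2] == ["system", "serviceaccount"] and len(parts) == 4:
        namespaces.append(parts[2])
    for g in groups:
        if g.startswith("system:serviceaccounts:"):
            ns = g.split(":", 2)[2]
            if ns and ns not in namespaces:
                namespaces.append(ns)
    return User(info["username"], groups, namespaces)

class GroupBasedPolicy:
    def __init__(self, groups): self.groups = groups
    def validate_user(self, user): return user.has_matching_group(self.groups)
class NamespaceBasedPolicy:
    def __init__(self, namespaces): self.namespaces = namespaces
    def validate_user(self, user): return user.has_matching_namespace(self.namespaces)
class CombinedGroupNamespacePolicy:
    """Grants when either a group or a namespace matches (the PR's "either ... OR")."""
    def __init__(self, groups, namespaces): self.groups, self.namespaces = groups, namespaces
    def validate_user(self, user):
        return user.has_matching_group(self.groups) or user.has_matching_namespace(self.namespaces)
```

A regular (non service-account) user parsed the same way ends up with groups but an empty namespace list, so only group-based or combined policies can admit them.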

jyejare requested a review from a team as a code owner September 16, 2025 19:16
jyejare marked this pull request as draft September 16, 2025 19:16
jyejare changed the title feat: Groups and Namespaces authorization along with roles, for user as well feat: Groups and Namespaces authorization, for user as well Sep 17, 2025
jyejare force-pushed the groups_nss_roles branch 5 times, most recently from 4b9f9fc to 2b8e653 September 19, 2025 08:04
jyejare force-pushed the groups_nss_roles branch 5 times, most recently from 3e90d71 to 9c913b9 September 27, 2025 11:14
jyejare force-pushed the groups_nss_roles branch 3 times, most recently from 0d9e32e to 61704dd October 8, 2025 16:02
Signed-off-by: jyejare <jyejare@redhat.com>
…namespace Signed-off-by: jyejare <jyejare@redhat.com>
jyejare marked this pull request as ready for review October 8, 2025 16:16
Signed-off-by: jyejare <jyejare@redhat.com>
Signed-off-by: jyejare <jyejare@redhat.com>
Signed-off-by: jyejare <jyejare@redhat.com>
jyejare changed the title feat: Groups and Namespaces authorization, for user as well feat: Groups and Namespaces based authorization, for Users and Service Accounts Oct 8, 2025
Comment thread on docs/changelogs/Groups_Namespaces_Auth_implmentation_summary.md (resolved)
Comment thread on docs/reference/auth/groups_namespaces_auth.md (outdated, resolved)
Comment thread on infra/scripts/feature_store_client_configs_gen.py (resolved)
Comment thread on sdk/python/feast/permissions/auth/kubernetes_token_parser.py (outdated, resolved)
Comment thread on docs/reference/auth/kubernetes_auth_setup.md (outdated, resolved)
Signed-off-by: jyejare <jyejare@redhat.com>
Member

ntkathole left a comment

Looks good, thank you @jyejare. This is a nice improvement to Kubernetes authentication.

franciscojavierarceo merged commit da6257c into feast-dev:master Oct 10, 2025
20 checks passed
franciscojavierarceo pushed a commit that referenced this pull request Oct 14, 2025
# [0.55.0](v0.54.0...v0.55.0) (2025-10-14)

### Bug Fixes

* Added unix_timestamp_val in _serialize_val ([#5659](#5659)) ([35a8423](35a8423))
* BatchFeatureView transformation should persist in Registry Ser/Deserialization ([3364bad](3364bad))
* Check if DynamoDB table exists before create ([#5658](#5658)) ([e7fd506](e7fd506))
* Fix the link to Expedia in the Go Feature Server readme. ([3ed0163](3ed0163))

### Features

* Add Claude instructions ([#5651](#5651)) ([4807a52](4807a52))
* Groups and Namespaces based authorization, for Users and Service Accounts ([#5619](#5619)) ([da6257c](da6257c))