Sorry, something went wrong.
|
This is gonna take a while 😄 |
Sorry, something went wrong.
|
Hey, this is a great feature and also a big PR. Maybe it's better to walk us through the design, implementation, demo etc. in the next standup to get us understanding it better? |
Sorry, something went wrong.
|
Hey, this is a great feature and also a big PR. Maybe it's better to walk us through the design, implementation, demo etc. in the next standup to get us understanding it better? sure, this will be a good idea. |
Sorry, something went wrong.
|
@tokoko we realized that when the remote registry (transparently) invokes a server API, there's no way to catch a FeatureViewNotFoundException as in this example, because the server raises an InactiveRpcError instead. Should we create an issue to extend the registry server to add error details and the registry client to convert the grpc error into the original Exception? I don't think this has to be part of the RBAC commit. @redhatHameed FYI this is also the root cause of the error in the demo setup An error occurred: <_InactiveRpcError of RPC that terminated with:
status = StatusCode.UNKNOWN
details = "Exception calling application: Feature view driver_hourly_stats_fresh does not exist in project server"
debug_error_string = "UNKNOWN:Error received from peer {grpc_message:"Exception calling application: Feature view driver_hourly_stats_fresh does not exist in project server", grpc_status:2, created_time:"2024-08-07T15:00:29.930731564+00:00"}"
>
|
Sorry, something went wrong.
|
@dmartinol sure, sounds like a bug to me. That should be tested in registry tests as well, I think. please go ahead and create a ticket. |
Sorry, something went wrong.
|
In the PR template you say "To avoid backward compatibilities with existing installations, the default authorization is not enabled (e.g., auth type is set to no-auth) ." Did you mean "To avoid backward incompatibility with.." |
Sorry, something went wrong.
| @@ -0,0 +1,133 @@ | |||
| # Role-Based Access Control (RBAC) in Feast Feature Store | |||
There was a problem hiding this comment.
| # Role-Based Access Control (RBAC) in Feast Feature Store | |
| # Role-Based Access Control (RBAC) in Feast |
Sorry, something went wrong.
|
|
||
| ## Introduction | ||
|
|
||
| Role-Based Access Control (RBAC) is a security mechanism that restricts access to resources based on the roles of individual users within an organization. In the context of the Feast Feature Store, RBAC ensures that only authorized users or groups can access or modify specific resources, thereby maintaining data security and operational integrity. |
There was a problem hiding this comment.
| Role-Based Access Control (RBAC) is a security mechanism that restricts access to resources based on the roles of individual users within an organization. In the context of the Feast Feature Store, RBAC ensures that only authorized users or groups can access or modify specific resources, thereby maintaining data security and operational integrity. | |
| Role-Based Access Control (RBAC) is a security mechanism that restricts access to resources based on the roles of individual users within an organization. In the context of the Feast Feature Store, RBAC ensures that only authorized users or groups can access or modify specific resources, thereby maintaining data security and operational integrity. |
| Role-Based Access Control (RBAC) is a security mechanism that restricts access to resources based on the roles of individual users within an organization. In the context of the Feast Feature Store, RBAC ensures that only authorized users or groups can access or modify specific resources, thereby maintaining data security and operational integrity. | |
| Role-Based Access Control (RBAC) is a security mechanism that restricts access to resources based on the roles of individual users within an organization. In the context of the Feast, RBAC ensures that only authorized users or groups can access or modify specific resources, thereby maintaining data security and operational integrity. |
Sorry, something went wrong.
|
|
||
| ## Functional Requirements | ||
|
|
||
| The RBAC implementation in Feast Feature Store is designed to: |
There was a problem hiding this comment.
| The RBAC implementation in Feast Feature Store is designed to: | |
| The RBAC implementation in Feast is designed to: |
Sorry, something went wrong.
|
|
||
| ## Business Goals | ||
|
|
||
| The primary business goals of implementing RBAC in the Feast Feature Store are: |
There was a problem hiding this comment.
| The primary business goals of implementing RBAC in the Feast Feature Store are: | |
| The primary business goals of implementing RBAC in the Feast are: |
Sorry, something went wrong.
|
|
||
| The primary business goals of implementing RBAC in the Feast Feature Store are: | ||
|
|
||
| 1. **Feature Sharing**: Enable multiple teams to share the feature store while ensuring controlled access to data partitions. This allows for collaborative work without compromising data security. |
There was a problem hiding this comment.
| 1. **Feature Sharing**: Enable multiple teams to share the feature store while ensuring controlled access to data partitions. This allows for collaborative work without compromising data security. | |
| 1. **Feature Sharing**: Enable multiple teams to share the feature store while ensuring controlled access. This allows for collaborative work without compromising data security. |
Sorry, something went wrong.
|
|
||
| ## Reference Architecture | ||
|
|
||
| The Feast Feature Store operates as a collection of connected services, each enforcing authorization permissions. The architecture is designed as a distributed microservices system with the following key components: |
There was a problem hiding this comment.
| The Feast Feature Store operates as a collection of connected services, each enforcing authorization permissions. The architecture is designed as a distributed microservices system with the following key components: | |
| Feast operates as a collection of connected services, each enforcing authorization permissions. The architecture is designed as a distributed microservices system with the following key components: |
Sorry, something went wrong.
|
|
||
| The Feast Feature Store operates as a collection of connected services, each enforcing authorization permissions. The architecture is designed as a distributed microservices system with the following key components: | ||
|
|
||
| - **Service Endpoints**: These enforce authorization permissions, ensuring that only authorized requests are processed. |
There was a problem hiding this comment.
Can you confirm that these three are correct? i know this was generated with an LLM (which is fine!) but I think some of this may not be right.
Sorry, something went wrong.
There was a problem hiding this comment.
that's correct, simplified it more .
note Service-to-Service Communication this feature not yet part of this PR will be implementation next PRs.
Sorry, something went wrong.
| - **Action**: A logical operation performed on a resource, such as Create, Describe, Update, Delete, query, or write operations. | ||
| - **Policy**: A set of rules that enforce authorization decisions on resources. The default implementation uses role-based policies. | ||
|
|
||
| ### Configuring Permissions |
There was a problem hiding this comment.
Please remove this section as the architecture is meant to give a motivation and not the implementation details.
Sorry, something went wrong.
There was a problem hiding this comment.
Last changes. The architecture section should be pretty high level. I believe some of what you added to a PR is included in other documentation. If it's not, can you add it to the components section? I like the documentation, I just think it's better served under the components section.
After that I think we're good.
Sorry, something went wrong.
| ) | ||
| ``` | ||
|
|
||
| ### Enforcing Permission Policy |
There was a problem hiding this comment.
Please remove this section as well.
Sorry, something went wrong.
| ```python | ||
| assert_permissions( | ||
| resource=feature_service, | ||
| actions=[AuthzedAction.QUERY_ONLINE] | ||
| ) | ||
| ``` | ||
|
|
||
| ## Use Cases | ||
|
|
||
| ### Tag-Based Permission |
There was a problem hiding this comment.
Please remove this section as well.
Sorry, something went wrong.
| ) | ||
| ``` | ||
|
|
||
| ### Name-Based Permission |
There was a problem hiding this comment.
Please remove this section as well.
Sorry, something went wrong.
| 3. **Policy Enforcer**: Validates the secured endpoint against the retrieved user details. | ||
| 4. **Token Injector**: Adds the authorization token to each secured request header. | ||
|
|
||
| ### OIDC Authorization |
There was a problem hiding this comment.
Please remove this section as well.
Sorry, something went wrong.
| auth_server_url: _OIDC_SERVER_URL_ | ||
| ``` | ||
|
|
||
| ### Kubernetes Authorization |
There was a problem hiding this comment.
Please remove this section as well.
Sorry, something went wrong.
|
Last changes. The architecture section should be pretty high level. I believe some of what you added to a PR is included in other documentation. If it's not, can you add it to the components section? I like the documentation, I just think it's better served under the components section. After that I think we're good. Agreed was repetition these are already aded into components section, hence removed from here. |
Sorry, something went wrong.
| [](https://github.com/feast-dev/feast/blob/master/LICENSE) | ||
| [](https://github.com/feast-dev/feast/releases) | ||
|
|
||
| ## Join us on Slack! |
There was a problem hiding this comment.
Can you revert this change?
Sorry, something went wrong.
There was a problem hiding this comment.
Done.
Sorry, something went wrong.
There was a problem hiding this comment.
Amazing work here, thanks for taking in all of the changes!
/lgtm
Sorry, something went wrong.
|
@tokoko @franciscojavierarceo Thanks for taking time to review and approve this Next PRs will handle:
Also if there is no any further concern can you merge this Thanks |
Sorry, something went wrong.
What this PR does / why we need it:
This PR proposes a permission model to enable the store administrator to identify which users are allowed to execute operations on each managed resource.
Granular permission enforcement identifies user roles (*) allowed to execute requested operations on
resources matched by type, optional name patterns, and tags:
Such resource partitioning allows teams working on the same set of features to share the same feature store, mitigating the risk of unexpected changes due to unauthorized operations.
The PR also adds support for managing authorization tokens from either OIDC or Kubernetes, in a configurable way.
Permission authorization enforcement is performed when requests are executed through one of the Feast (Python) servers:
To avoid backward incompatibility with existing installations, the default authorization is not enabled (e.g., auth type
is set to no-auth) .
Feast clients can use the same configuration options to automatically retrieve the token from the authorization server
and transparently secure all the remote requests. This pattern allows the client to use the authorization infrastructure without affecting the business code.
By design, only the client requests are validated: once the endpoint execution is permitted for the original client request,
all the next service-to-service requests generated by the execution flow are automatically allowed.
Validation is typically implemented within the endpoint functions using an assertion-like style:
The PR also includes:
Fully working examples both Kubernetes and OIDC authorization will be in another next PR.
(*) Match by role is the predefined option, but it can be customized to support any other user validation.
Other features coming soon
Which issue(s) this PR fixes:
Fixes #4198