
Rework Roles and Policies

Open sureshms opened this issue 3 years ago • 5 comments

This is an umbrella issue to track all the changes to Roles and Policies. The following diagram shows the entities related to access control functionality.

Roles and Policies for Access Control are described in this blog. A few changes are being made from the previous version.

API and Modeling changes:

  1. A Role now has one or more Policies with a 1:N relationship instead of a 1:1 relationship. CreateRole now requires at least one policy to be attached to a role. A policy is not automatically created during the creation of a role.
  2. Policies that the system comes with have been renamed. DataConsumerAccessControlPolicy is now DataConsumerPolicy and DataStewardAccessControlPolicy is just DataStewardPolicy.
  3. A policy has rules. Both the policy and the rule had an enabled flag. Now the enabled flag per rule is removed.

For more details and implementation changes, see the description of the following tasks:

  • #3031
  • #3776
  • #4113
  • #4120
  • #4166
  • #4170
  • #5509
  • #5558
  • #2907
  • #3032
  • #4079
  • #4580
  • #3553
  • #4677
  • #6172
  • #6336
  • #6365
  • #6368
  • #6391
  • #6518
  • #6631
  • #6676
  • #6719
  • #6723
  • #6728
  • #6860
  • #6886
  • #7072
  • #7145
  • #7181
  • #7643

sureshms avatar Apr 18 '22 16:04 sureshms

In 0.11, the following tasks will be addressed:

  • [ ] #4677
  • [ ] #4580
  • [ ] #4079
  • [ ] #3776
  • [ ] #3316
  • [ ] #3050
  • [ ] #3032
  • [ ] #2762
  • [ ] #4684
  • [ ] #5246
  • [ ] #4684
  • [ ] #5311

harshach avatar May 03 '22 19:05 harshach

Currently, policies capture minimal operations through UI and APIs are enforcing the permissions in a generic way. We are going to enumerate all the operations that are possible through UI or APIs and have admins create policies at Site-wide/Domain/Entity level and Settings at Services / Glossaries / Tags etc.

Metadata Operations at Entity

Common Operations across Entities

  1. SuggestDescription - Allowed by Default, Ideally grouping actions on Suggest based ones and allowing them by default unless there is an explicitly stated rule to deny
  2. SuggestTags
  3. UpdateDescription
  4. UpdateTags
  5. UpdateOwner
  6. UpdateTier
  7. UpdateCustomFields
  8. Read PII Tags data
  9. Write PII Tags data
  10. Soft Delete Entity
  11. Hard Delete Entity
  12. Create/update Lineage

Table

  1. Read Sample Data
  2. Write Sample Data
  3. Create/Update Data Quality Test
  4. Read Data Quality Tests
  5. Read Sample Queries
  6. Create/Update Sample Queries
  7. Read Profiler data
  8. Write Profiler data

Topic

  1. Write sample data to a Topic
  2. Read sample data on a topic

Dashboards

No additional special permissions for now

Pipelines

No Additional special permissions for now

ML Models

No Additional special permissions for now

Glossaries

  1. Add Glossary
  2. Add Glossary Term
  3. Read -> is default no special permission is needed
  4. Assign Owner
  5. Assign Reviewer
  6. Delete Glossary

Tags & Tag Category

  1. Add a Tag Category
  2. Add a Tag
  3. Read -> Default allow
  4. Delete Tag
  5. Delete Tag Category

Services - Default Admin only

  1. Add a Service
  2. Read Service connection details
  3. Add Ingestion

Webhooks - Admin only

Teams & Users

  1. Add a user
  2. Delete a User
  3. Add a Team
  4. Assign Team owner
  5. Team Owner should be able to add/remove users and perform other ops such as adding the description

Add Bot - Admin only

harshach avatar Jun 01 '22 18:06 harshach

  1. Domain-level policy restrictions: a policy should have an option to evaluate site-wide or at the domain level.
  2. While creating a policy, the admin should be able to input a domain into the policy. At evaluation, the authorizer should accept the domain of the entity it's validating against and the user's policy details, and see whether the user's policy states that they can access the domain's entities and which operations they are allowed to perform. If the user doesn't have the domain in the policy, they shouldn't be able to access any entities. If they do have the domain access, we will evaluate the operations similar to site-wide access but within that domain.

harshach avatar Jun 01 '22 18:06 harshach

[images]

harshach avatar Jun 01 '22 19:06 harshach

[images]

  1. We need to build APIs for a role with multiple policies to retrieve the allowed operations by going through all the policies. That will help summarize what operations an admin is giving to a policy while creating it.
  2. Another API for a logged-in user: based on the roles they are assigned, what policies they have, and finally what operations they can perform. The UI can make this request to see what tabs they need to show and whether they should make an API call, such as a sample data call, and also to hide components such as edit description if they do not have the edit description or suggest description option.

harshach avatar Jun 01 '22 19:06 harshach
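An added sketch (not OpenMetadata's code) of the evaluation described in the comments above: a role carrying several policies, domain scoping, Suggest operations allowed by default, and a summary of the operations a user ends up with. The class names, the `domain` field and the choice that an explicit deny overrides any allow are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Operation names come from the lists in this thread; the model is hypothetical.
DEFAULT_ALLOW = {"SuggestDescription", "SuggestTags"}

@dataclass
class Rule:
    operation: str
    allow: bool

@dataclass
class Policy:
    name: str
    rules: list
    enabled: bool = True          # enabled flag on the policy only, not per rule
    domain: Optional[str] = None  # None means site-wide (assumed encoding)

@dataclass
class Role:
    name: str
    policies: list

    def __post_init__(self):
        # Mirrors "CreateRole requires at least one policy".
        if not self.policies:
            raise ValueError("a role requires at least one policy")

def allowed_operations(roles, entity_domain):
    """Summarize what a user's roles permit on an entity in entity_domain."""
    in_scope = [p for r in roles for p in r.policies
                if p.enabled and p.domain in (None, entity_domain)]
    if not in_scope:
        return set()  # no policy covers this domain: no access at all
    allowed, denied = set(DEFAULT_ALLOW), set()
    for policy in in_scope:
        for rule in policy.rules:
            (allowed if rule.allow else denied).add(rule.operation)
    return allowed - denied  # assumption: explicit deny wins over allow

def is_allowed(roles, entity_domain, operation):
    return operation in allowed_operations(roles, entity_domain)

# Constructed sample: a steward role limited to the "finance" domain.
steward = Role("DataSteward", [
    Policy("FinanceEdit", [Rule("UpdateDescription", True),
                           Rule("UpdateTags", True)], domain="finance"),
    Policy("NoTagSuggest", [Rule("SuggestTags", False)], domain="finance"),
])
```

A UI could call `allowed_operations` once per entity view and hide controls whose operation is missing from the returned set, while the server still enforces `is_allowed` on every request.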