DependencyTrack / hyades

Incubating project for decoupling responsibilities from Dependency-Track's monolithic API server into separate, scalable services.
https://dependencytrack.github.io/hyades/latest
Apache License 2.0

Fine Grained ACL #1075

Open MFry opened 4 months ago

MFry commented 4 months ago

Hello,

Our team at Lockheed is looking into leveraging Hyades and I was wondering if there are any future plans for a more fine grained control of permissions on a per project basis. Something like what is proposed here, specifically something along this level of control:

Configure user or group permissions for a certain project: in the project page, the user can configure which users or groups are authorized for this project.

Configure project permissions for certain users: in the Portfolio Access Control module, the user can configure project permissions for a certain user.

nscuro commented 4 months ago

Hey @MFry, thanks for reaching out!

No definitive plans yet, but I'd say the work we did so far (and are continuing to do) is contributing towards making such ACLs easier to implement. We're dropping a few persistence-related abstractions which made it harder than necessary to perform ACL checks, among other things.

I'm thinking something similar to Spring Security's ACL implementation would be nice to have.

Slightly related, we have had users ask for multi-tenancy capabilities. Perhaps a more fine-grained permission model should take tenants into consideration.

nscuro commented 4 months ago

An additional idea (just putting it out there for discussion): We already adopted CEL for policy usage.

Using it for authorization could make sense as well. This is an area where historically OPA was popular, but using CEL avoids additional network calls, while still allowing users to nicely express AuthZ rules.

Project Nessie is doing something similar: https://projectnessie.org/features/metadata_authorization/#authorization-rules

The major downside is that AuthZ can't be enforced at the database level, which can make aggregating queries, such as those for metrics, borderline impossible.
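The CEL-based approach discussed above, as an added example that is neither part of this thread nor Hyades code: a per-project read rule compiled once with cel-java (the `dev.cel` packages) and evaluated in-process per request. The variable names, the map layout of `principal` and `project`, and the rule itself are assumptions for illustration.

```java
// Added example, not Hyades code: a per-project AuthZ rule in CEL evaluated
// with cel-java. Variable names, map layout and the rule are assumptions.
import dev.cel.common.CelAbstractSyntaxTree;
import dev.cel.common.CelValidationException;
import dev.cel.common.types.MapType;
import dev.cel.common.types.SimpleType;
import dev.cel.compiler.CelCompiler;
import dev.cel.compiler.CelCompilerFactory;
import dev.cel.runtime.CelEvaluationException;
import dev.cel.runtime.CelRuntime;
import dev.cel.runtime.CelRuntimeFactory;
import java.util.List;
import java.util.Map;

public final class CelProjectAuthz {
    // Assumed rule: allow if the principal is a global admin, shares a team
    // with the project, or holds an explicit VIEW grant on this project.
    static final String READ_RULE = """
        'ADMIN' in principal.permissions
          || project.teams.exists(t, t in principal.teams)
          || (project.uuid in principal.project_grants
              && 'VIEW' in principal.project_grants[project.uuid])
        """;
    private final CelRuntime.Program program;

    CelProjectAuthz() throws CelValidationException, CelEvaluationException {
        CelCompiler compiler = CelCompilerFactory.standardCelCompilerBuilder()
            .addVar("principal", MapType.create(SimpleType.STRING, SimpleType.DYN))
            .addVar("project", MapType.create(SimpleType.STRING, SimpleType.DYN))
            .setResultType(SimpleType.BOOL) // reject rules that do not yield a bool
            .build();
        // Parse and type-check once at startup; only eval() runs per request.
        CelAbstractSyntaxTree ast = compiler.compile(READ_RULE).getAst();
        program = CelRuntimeFactory.standardCelRuntimeBuilder().build().createProgram(ast);
    }

    // Decided in-process (no OPA round trip), not in SQL: list and aggregate
    // endpoints still have to filter rows after loading them.
    boolean canRead(Map<String, Object> principal, Map<String, Object> project) {
        try {
            return Boolean.TRUE.equals(program.eval(Map.of("principal", principal, "project", project)));
        } catch (CelEvaluationException e) {
            return false; // fail closed on missing keys or runtime errors
        }
    }

    public static void main(String[] args) throws Exception {
        CelProjectAuthz authz = new CelProjectAuthz();
        Map<String, Object> alice = Map.of("permissions", List.of("VIEW_PORTFOLIO"),
            "teams", List.of("team-a"), "project_grants", Map.of("p-1", List.of("VIEW")));
        System.out.println(authz.canRead(alice, Map.of("uuid", "p-1", "teams", List.of("team-z"))));
        System.out.println(authz.canRead(alice, Map.of("uuid", "p-3", "teams", List.of("team-z"))));
    }
}
```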

MFry commented 3 months ago

I appreciate the information and input @nscuro. My team is starting to deploy Hyades now and we will be looking at our access control needs and how best we can contribute back to Hyades so that our needs align.