StarRocks / starrocks

StarRocks, a Linux Foundation project, is a next-generation sub-second MPP OLAP database for full analytics scenarios, including multi-dimensional analytics, real-time analytics, and ad-hoc queries.
https://starrocks.io
Apache License 2.0

Support LDAP Group Memberships for AuthZ and RBAC #38960

Closed metalshanked closed 1 month ago

metalshanked commented 8 months ago

Feature request

Is your feature request related to a problem? Please describe.

Currently StarRocks has LDAP integration but no LDAP Group support. One common use case is to allow only certain LDAP group users to access StarRocks.

Describe the solution you'd like

As a user, I would like StarRocks to:

  1. Support LDAP Group membership attributes for AuthZ
  2. Use these LDAP groups for fine-grained RBAC (e.g., only certain groups are allowed certain data objects)

Describe alternatives you've considered

Trino provides this in its OSS version. This enables users to evaluate the product in a secure way without restrictions. https://trino.io/docs/current/security/ldap.html#authorization-based-on-ldap-group-membership

Many thanks!

nshangyiming commented 8 months ago

Hi @metalshanked, we have a similar feature where you can use an LDAP user to authenticate with SR directly, without creating an SR user first, and you can also map the group(s) to which the user belongs to SR RBAC role(s), so that you can gain fine-grained access control to certain data objects based on your LDAP group(s). But all of those are only in our enterprise version. Tell me whether you're interested, and I will ask our pre-sales colleague to contact you.

metalshanked commented 8 months ago

> Hi @metalshanked, we have a similar feature where you can use an LDAP user to authenticate with SR directly, without creating an SR user first, and you can also map the group(s) to which the user belongs to SR RBAC role(s), so that you can gain fine-grained access control to certain data objects based on your LDAP group(s). But all of those are only in our enterprise version. Tell me whether you're interested, and I will ask our pre-sales colleague to contact you.

Thanks @nshangyiming. Can you share the documentation or code location with the attributes for this feature?

github-actions[bot] commented 1 month ago

We have marked this issue as stale because it has been inactive for 6 months. If this issue is still relevant, removing the stale label or adding a comment will keep it active. Otherwise, we'll close it in 10 days to keep the issue queue tidy. Thank you for your contribution to StarRocks!