[Feature] Enhance Flyteadmin authentication and authorization

[honnix]

Motivation: Why do you think this is important?

As it is today, Flyteadmin has OAuth2 support that is used for authentication to some extend as Flyteadmin doesn't apply any further identity check.

This has a few major problems going forward:

• When plug in an identity provider such as Google Cloud Platform, access token (or id token) can be valid but the user or service account behind it could belong to another organisation; as an example, we solved it in Styx (our scheduling service) by ensuring the identity has valid domain or belongs to a whitelisted organisation: https://github.com/spotify/styx/blob/master/styx-standalone-service/src/main/resources/styx-standalone.conf#L46
• There is no ACL in place, so any authenticated user or service account is able to CRUD and run any workflow through console or using flyte-cli, and this is not secure

Goal: What should the final outcome look like, ideally?

• Flyteadmin can apply identity check
• Flyteadmin has a way to ensure a user can only act on their own workflows/tasks/...

Describe alternatives you've considered

NA

Flyte component

• [ ] Overall
• [ ] Flyte Setup and Installation scripts
• [ ] Flyte Documentation
• [ ] Flyte communication (slack/email etc)
• [ ] FlytePropeller
• [ ] FlyteIDL (Flyte specification language)
• [x] Flytekit (Python SDK)
• [x] FlyteAdmin (Control Plane service)
• [ ] FlytePlugins
• [ ] DataCatalog
• [ ] FlyteStdlib (common libraries)
• [ ] FlyteConsole (UI)
• [ ] Other

[Optional] Propose: Link/Inline

I'm happy to talk more in depth how we did it in Styx.

Additional context

Is this a blocker for you to adopt Flyte

Somewhat and our workaround is to fully hide Flyte behind Styx.

[kumare3]

I think this is a critical feature and we should work on the authentication part soon.

[kumare3]

@EngHabu I think we can resolve this one?

[github-actions[bot]]

Hello 👋, This issue has been inactive for over 9 months. To help maintain a clean and focused backlog, we'll be marking this issue as stale and will close the issue if we detect no activity in the next 7 days. Thank you for your contribution and understanding! 🙏

[github-actions[bot]]

Hello 👋, This issue has been inactive for over 9 months and hasn't received any updates since it was marked as stale. We'll be closing this issue for now, but if you believe this issue is still relevant, please feel free to reopen it. Thank you for your contribution and understanding! 🙏

[kumare3]

This sounds more like RBAC and currently the community has decided not support RBAC in open source. We can revisit this later next year