hansetag / iceberg-catalog

A Rust implementation of the Iceberg REST Catalog specification.
Apache License 2.0

Support OPA integration #266

Open shohamyamin opened 1 month ago

shohamyamin commented 1 month ago

Is it possible to support OPA integration in the catalog? I found that implementing ABAC with OpenFGA is not that easy.

c-thiel commented 1 month ago

Hi @shohamyamin, in principle it is possible and we do want to be open to other forms of Auth. However, OpenFGA has a higher priority for us and we will probably change the current interface for AuthZ in the next month.

Do you have a few more details on how you envision ABAC? Would attributes be stored as part of Iceberg metadata, or would they be stored separately? I am asking mainly because OpenFGA is pretty much a self-contained dynamic system, while working with OPA is typically dependent on an external dynamic store (i.e. attributes of tables as part of Iceberg metadata), and OPA is quite a static rule-processing engine - you wouldn't store Attribute <- Table mappings in OPA directly.

shohamyamin commented 1 month ago

Yes. The case of ABAC that I am talking about is when you have attributes for both the user and the resources (tables/columns). So if it is possible that these will come from the catalog itself (the user attributes from the connection to the AD, and the table attributes somehow saved in the catalog) as part of the input of the request to OPA, that would be great, but even if OPA will be needed to take care of getting the attributes from different sources, that will still be good. In OPA there are a lot of different ways to load data into OPA. There is a thing called OPAL that has API/Postgres/Mongo fetchers that allow OPA to fetch the data every X minutes?

There is also the possibility to fetch the data with a simple HTTP request as part of the OPA policy.

The OPA integration, for a start, should be simple: only providing the information about the action that is being performed and the resources that are relevant for that action, and all the logic will be in the OPA policies.

Here is how Trino implements an OPA plugin for some reference: https://trino.io/docs/current/security/opa-access-control.html#security-opa-access-control--page-root
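As an added illustration of the model sketched in this thread (not code from the iceberg-catalog project or from either commenter), here is a Rego policy for the "catalog sends only action, caller attributes and table attributes; all ABAC logic lives in OPA" split. The input document shape, the attribute names (`clearance`, `classification`, `owner_group`) and the action names are assumptions chosen for this example, not the project's actual interface.

```rego
package iceberg.catalog.authz

import rego.v1

# Deny by default: a request the rules below do not match is refused.
default allow := false

# Constructed sample input the catalog would POST to OPA (assumed shape):
# {
#   "action": "load_table",
#   "user": {"id": "alice", "groups": ["analysts"], "clearance": "internal"},
#   "resource": {
#     "type": "table",
#     "namespace": ["finance"],
#     "name": "payments",
#     "attributes": {"classification": "confidential", "owner_group": "finance"}
#   }
# }

# Ordinal ranking so clearance vs. classification can be compared.
level := {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}

# Hypothetical catalog action names for this example.
read_actions := {"load_table", "list_tables", "load_namespace_metadata"}
write_actions := {"update_table", "commit_transaction", "drop_table", "rename_table"}

# A caller is cleared when their clearance is at least the table's classification.
# An unknown clearance or classification is undefined, so this stays false.
cleared if {
    level[input.user.clearance] >= level[input.resource.attributes.classification]
}

# Reads only need clearance.
allow if {
    input.action in read_actions
    cleared
}

# Writes additionally require membership in the owning group (e.g. an AD group).
allow if {
    input.action in write_actions
    input.resource.attributes.owner_group in input.user.groups
    cleared
}

# Reasons let the catalog log why a request was denied without re-evaluating.
deny_reason contains "insufficient clearance" if not cleared

deny_reason contains "caller not in owner group" if {
    input.action in write_actions
    not input.resource.attributes.owner_group in input.user.groups
}
```

With the sample input above, `allow` is false and `deny_reason` contains "insufficient clearance"; changing the user's clearance to "confidential" makes the `load_table` read allowed, while an `update_table` would still be denied because "analysts" is not the owner group.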