spinnaker / governance

Community documentation for Spinnaker

Create RFC for Kayenta RBAC #325

Closed jvz closed 1 year ago

jvz commented 1 year ago

Surprise: it's not just about Kayenta! This proposal for RBAC in Kayenta includes support for account management, a new Fiat backend based on Open Policy Agent, and a brand new security concept in Spinnaker: role-based access controls.

But wait, doesn't Spinnaker already support RBAC? Yes, in the same way that a body of water supports an aircraft.

This also introduces the concept of a role policy to abstract the concept of a bundle of permissions linked to external roles to allow for simpler user management of access controls on the resources they own. This can be extended into Clouddriver, Front50, Igor, et al., in the future, though Kayenta's lack of RBAC made it the perfect place to begin.

jvz commented 1 year ago

This has rescoped a bit since I began. It seems like using OPA may not be necessary (at least not at first). I'll file a new RFC with the updated version later (if there's any reason to file RFCs anymore that is).