search

spyglasshq / spyglass-cli

Access management as code.
https://spyglass.software
MIT License
26 stars 1 forks source link

Support tag-based role definitions #33

Open spyglass-software opened 1 year ago

spyglass-software commented 1 year ago

Part of the Managed Roles feature.

Should support the following definitions:

Proposed YAML

rolesGrants:
  engineering:
    sub_roles:
      - acme_prod_call_center_reader
      - acme_prod_catalog_page_reader
      - pii_viewer

  pii_viewer: # programmatically generated - do not edit this role!
    select:
      tables:
        - pii_table_1
        - pii_table_2

  non_pii_viewer: # programmatically generated - do not edit this role!
    select:
      tables:
        - acme.prod.call_center
        - acme.prod.catalog_page

managedRoles:
  pii_viewer:
    select:
      any_table_with_tag: pii

  non_pii_viewer:
    select:
      all_tables_except_tag: pii

Implementation: Managed Roles

Managed roles are programmatically generated and updated by Spyglass.

Tags are used as high level policy (or intent) to describe what tables a role should have access to.

For example,

  1. Role pii_viewer should have read access to tables tagged pii.
  2. To achieve this, Spyglass queries all tables tagged pii.
  3. Then Spyglass grants privileges on pii_viewer for the resulting tables.
  4. Users are prevented from updating the pii_viewer role manually in YAML.
  5. Periodic calls to sync --managed will ensure the role stays up to date with tag changes.

What Else Should Be Expressible?

There could be more complex policies to express, for example:

Role accounting should be able to view any tables with tags (accounts_payable OR accounts_receivable) AND NOT soc2.

This would make the language much more powerful, but at the cost of being more complicated. It may be some kind of "expert mode" we allow for, when the need arises.

Alternative Considered: Row Level Access Policies

We could use row level access policies (for example), but they would need to be maintained across every table in the account. This potentially results in extra cost (in both credits and performance) to all queries, in addition to creating a more complex access story. That said, we may still pursue this approach in the near future.

APTy commented 1 year ago

One thought regarding building policies for "all tables except pii tables" - this may actually be implemented best by using masking policies, rather than including it in our grammar.