Platform Authentication & Authorization

[soenkeliebau]

This is an initiative to track the work needed until we have an integrated authentication & authorization story for our platform.

This will be split into sub-epics to generate units of work that can be pulled onto the board and finished in a reasonable amount of time.

Authentication

- [ ] https://github.com/stackabletech/issues/issues/462
- [ ] https://github.com/stackabletech/issues/issues/352

Authorization

The following diagram shows a high level view of the entire process, which should be helpful for dividing the work into separate projects that have value on their own.

• Decision Layer: This refers to the collection of RegoRules that we supply that handle the actual policy decision making in OPA.
• Abstraction Layer: This is built on top of the decision layer and should be an opinionated, simplified authorization model that should allow 90% of users to specify their authorization policies in a way that doesn't involve writing RegoRules. This might be implemented with CRDs like KafkaAcl, TrinoAcl, etc.. It should be based on a model like ReBAC, ABAC or RBAC.

Decision Layer

- [ ] https://github.com/stackabletech/issues/issues/499

The decision layer does the actual policy decisions. This still needs to be developed and is product specific.

Most of the work in the decision layer will happen in the operator repositories, as writing the generic RegoRules per product is part of the product specific implementation tickets (e.g. https://github.com/stackabletech/issues/issues/500).

The groundwork for moving the data and rules into place should already be present in the OPA operator and the bundle builder.

Having these RegoRules in place is necessary for the abstraction layer (next step).

Abstraction Layer

- [ ] https://github.com/stackabletech/issues/issues/439

Rego is not something that is really suitable to be exposed to the average user, so Stackable will define a suitable abstraction layer, probably per product that is the exposed to the users. This abstraction will be implemented via CRDs, read by the product operators and converted into an internal format (configmaps, secrets, crds, tbd during refinement/implementation). The initial step here will be to decide on some guiding principles and the overarching design in the form of an ADR (https://github.com/stackabletech/issues/issues/439). The actual design and implementation of the decisions from the ADR will then happen in the operator issues (e.g. https://github.com/stackabletech/trino-operator/issues/479).

UserInfoFetcher

The current idea for the UserInfoFetcher is to develop it as part of the OPA Operator. The following diagram shows the current idea of how it could be deployed and interact with the rest of the system.

One thing currently missing, but shown as part of the decision layer is the UserInfoFetcher, which will need to be implemented. This component is not named "UserGroupFetcher" or similar on purpose, as users may want to enrich user objects with arbitrary data, not just groups. An example for such a use case would be this message from the Trino slack:

However I wanted to post a user story/use case we have. Need others opinions. 1) User is a US citizens and employee of a French company 2) User runs a query against a table that has (hypothetical) mix of US, Canada, Mexico, Korean, and various European customers 3) Since the user is a US citizen, if the customers is Korean there is a restriction on even accessing said information. 4a) If the customers is European and said user is currently geographically inside the US, rows returned should NOT include the European user. 4a) If the customers is European and said user is currently at the French office, then rows returned can include the European customers. 5) If the customers is Canadian, the data may be viewed but there is a reporting requirement for said data (reporting handled via Telemetry not OPA) 6) If the customer is from Mexico or US, said User is entitled to see all rows 7) The row filters (and/or masking) applied should be based on said geopolitical rules

So the general idea is to allow defining arbitrary properties that user principals should be enriched with, if they are available in the backend. This will have to be backend specific, as for example Keycloak and AD have different concepts around group membership, usernames and custom properties.

### Group based authorization
- [ ] https://github.com/stackabletech/opa-operator/issues/477
- [ ] https://github.com/stackabletech/opa-operator/issues/523
- [ ] https://github.com/stackabletech/opa-operator/issues/524

Products

In the products themselves authorizer implementations that use OPA as backend will need to be provided. This will need to be investigated per product, with a few already being taken care of:

• In Trino this is currently being contributed upstream: https://github.com/trinodb/trino/pull/17940
• For Druid we have an authorizer
• For Kafka we have an authorizer

For the rest of the tools we'll need individual tickets in the operators (e.g. https://github.com/stackabletech/hdfs-operator/issues/400). In some cases it might not make sense, we'll need to determine this per product (e.g. https://github.com/stackabletech/issues/issues/120#issuecomment-1044696630).

In some cases, on top of the authorizer a group mapper might be needed, as some products actually have a concept of user groups and use these internally (HDFS being a prominent example). The idea here is to implement a simple group mapper for the product in question that calls out to OPA to retrieve the groups for that user via a rest call, so that the actual functionality remains in the UserInfoFetcher and is not spread throughout the entire plattform (https://github.com/stackabletech/hdfs-operator/issues/401).

### HDFS
- [ ] https://github.com/stackabletech/hdfs-operator/issues/400
- [ ] https://github.com/stackabletech/hdfs-operator/issues/401
- [ ] Define and implement abstraction layer according to guidelines set out in ADR

### HBase
- [ ] https://github.com/stackabletech/hbase-operator/issues/488
- [x] Define rego rules for HBase

### Trino
- [ ] https://github.com/trinodb/trino/pull/19532
- [ ] https://github.com/stackabletech/trino-operator/issues/479
- [ ] https://github.com/stackabletech/trino-operator/issues/26
- [ ] Implement Rego rule file for abstraction layer
- [ ] Implement abstraction layer in CRDs
- [ ] https://github.com/stackabletech/trino-operator/issues/295

### Druid
- [ ] https://github.com/stackabletech/druid-operator/issues/473
- [ ] https://github.com/stackabletech/druid-operator/issues/368
- [ ] Define abstraction layer according to guidelines set out in ADR
- [ ] Implement Rego rule file for abstraction layer
- [ ] Implement abstraction layer in CRDs
- [ ] https://github.com/stackabletech/druid-operator/issues/384

### NiFi
- [ ] https://github.com/stackabletech/nifi-operator/issues/633
- [ ] https://github.com/stackabletech/issues/issues/47

Miscelaneous Tickets

Things related to the initiative but not to any particular epic

### Tasks
- [ ] https://github.com/stackabletech/opa-operator/issues/422
- [ ] https://github.com/stackabletech/opa-operator/issues/505
- [ ] https://github.com/stackabletech/opa-operator/issues/489
- [ ] https://github.com/stackabletech/opa-operator/issues/514
- [ ] https://github.com/stackabletech/airflow-operator/issues/446

[fhennig]

This is very broadly also related: https://github.com/stackabletech/issues/issues/124

Since this ticket is an initiative now, maybe we can have another tasklist with "Ideas/Nice to Have" or something where tickets like the one above can go?