ContextQMD
Back to Feast

Groups and Namespaces Based Authorization Implementation Summary

docs/changelogs/Groups_Namespaces_Auth_implmentation_summary.md

0.63.04.8 KB
Original Source

Groups and Namespaces Based Authorization Implementation Summary

Overview

This document summarizes the implementation of groups and namespaces extraction support in Feast for user authentication in Pull Request https://github.com/feast-dev/feast/pull/5619.

Changes Made

1. Enhanced User Model (sdk/python/feast/permissions/user.py)

  • Extended User class to include groups and namespaces attributes
  • Added methods:
    • has_matching_group(): Check if user has required groups
    • has_matching_namespace(): Check if user has required namespaces
  • Maintained backward compatibility with existing role-based functionality

2. New Policy Types (sdk/python/feast/permissions/policy.py)

  • GroupBasedPolicy: Grants access based on user group membership
  • NamespaceBasedPolicy: Grants access based on user namespace association
  • CombinedGroupNamespacePolicy: Requires both group OR namespace match
  • Updated Policy.from_proto() to handle new policy types
  • Maintained backward compatibility with existing RoleBasedPolicy

3. Protobuf Definitions (protos/feast/core/Policy.proto)

  • Added GroupBasedPolicy message with groups field
  • Added NamespaceBasedPolicy message with namespaces field
  • Extended Policy message to include new policy types in oneof
  • [Love] Regenerated Python protobuf files using make compile-protos-python

4. Token Access Review Integration (sdk/python/feast/permissions/auth/kubernetes_token_parser.py)

  • Added AuthenticationV1Api client for Token Access Review
  • Implemented _extract_groups_and_namespaces_from_token():
    • Uses Kubernetes Token Access Review API
    • Extracts groups and namespaces from token response
    • Handles both service accounts and regular users
  • Updated user_details_from_access_token() to include groups and namespaces

5. Client SDK Updates (sdk/python/feast/permissions/client/kubernetes_auth_client_manager.py)

  • Extended KubernetesAuthConfig to support user tokens
  • Updated get_token() method to check for user_token in config
  • Maintained backward compatibility with service account tokens

6. Configuration Model (sdk/python/feast/permissions/auth_model.py)

  • Added user_token field to KubernetesAuthConfig for external users
  • Maintained backward compatibility with existing configurations

7. Comprehensive Tests (sdk/python/tests/permissions/test_groups_namespaces_auth.py)

  • 15 test cases covering all new functionality
  • Tests for:
    • User creation with groups/namespaces
    • Group matching functionality
    • Namespace matching functionality
    • All new policy types
    • Backward compatibility

8. Documentation (docs/getting-started/components/groups_namespaces_auth.md)

  • Usage examples and configuration guides
  • Security considerations and best practices
  • Troubleshooting guide and migration instructions

Key Features Implemented

✅ Token Access Review Integration

  • Uses Kubernetes Token Access Review API to extract user details
  • Handles both service accounts and external users

✅ Groups and Namespaces Extraction

  • Extracts groups and namespaces from token response
  • Supports both service account and regular user tokens

✅ New Policy Types

  • GroupBasedPolicy: Access based on group membership
  • NamespaceBasedPolicy: Access based on namespace association
  • CombinedGroupNamespacePolicy: Requires either group OR namespace

✅ Client SDK Support

  • Extended to support user tokens for external users
  • Maintains backward compatibility with service account tokens
  • New parameter in KubernetesAuthConfig for user tokens

Usage Examples

Basic Group-Based Permission

python
from feast.permissions.policy import GroupBasedPolicy
from feast.permissions.permission import Permission

policy = GroupBasedPolicy(groups=["data-team", "ml-engineers"])
permission = Permission(
    name="data_team_access",
    types=ALL_RESOURCE_TYPES,
    policy=policy,
    actions=[AuthzedAction.DESCRIBE] + READ
)

Basic Namespace-Based Permission

python
from feast.permissions.policy import NamespaceBasedPolicy
from feast.permissions.permission import Permission

policy = NamespaceBasedPolicy(namespaces=["de-dsp", "ml-dsp"])
permission = Permission(
    name="data_team_access",
    types=ALL_RESOURCE_TYPES,
    policy=policy,
    actions=[AuthzedAction.DESCRIBE] + READ
)

Combined Group + Namespace Permission

python
from feast.permissions.policy import CombinedGroupNamespacePolicy

policy = CombinedGroupNamespacePolicy(
    groups=["data-team"],
    namespaces=["production"]
)

Client Configuration with User Token

python
from feast.permissions.auth_model import KubernetesAuthConfig

auth_config = KubernetesAuthConfig(
    type="kubernetes",
    user_token="your-kubernetes-user-token"  # For external users
)