
Implement Basic RBAC Roles (Admin, Producer, Consumer) #146

@Yuqing-cat

Description

General Design

  • Leverage AAD in the login logic
  • A storage backend is needed for the user/role mapping
  • RBAC info will be retrieved and stored in "user.profile"
  • RBAC will be a Python API protection extension. The API would act differently based on the user profile.
  • Consider an API behavior as an "Action", e.g. list_features(filter: tags, owners, etc.). An Action list can be stored as a "Permission"
  • RBAC-specific APIs
    • admin_management
      • add_user: add user info to the user map with a given / default role
      • add_role: add a new kind of role with a role definition
      • assign_user: assign a user to certain roles
      • add_permission: a set of Actions
      • grant: grant a permission to a role
    • access_management
      • get_user_profile: user login and retrieval of user profile info
      • get_access: list all the permissions allowed for a user
      • check_access: check user access to a certain action / permission (action list).
      • is_user_in_role: whether a user is in a role
      • get_role: get all roles available in the current project
    • review_management
      • get_access_log: return all the access changes for audit (nice to have for MVP)
  • The above APIs should support add, delete, update, list and other necessary variants.

Azure Resources

Microsoft Azure includes standard and built-in RBAC, which is an authorization system built on Azure Resource Manager that provides detailed access management to Azure resources.

Role Definition

Multi-layer roles are not shown in the definition below.

{
    "Roles":[
        {
            "id":0,
            "name": "Admin",
            "description" : "",
            "permissions": ["admin_management", "access_management", "review_management", "registry_apis","spark_apis"],
            "AssignableScopes":["project","anchor"]
        },
        {
            "id":1,
            "name":"Producer",
            "description": "",
            "permissions": ["admin_management.add_permission/grant","access_management","registry_apis","spark_apis"],
            "AssignableScopes":["project","anchor"]
        },
        {
            "id":2,
            "name":"Consumer",
            "description":"",
            "permissions":["access_management","registry_apis","spark_apis"],
            "AssignableScopes":["project","anchor"]
        },
        {
            "id":3,
            "name":"Monitoring",
            "description":"",
            "permissions":["review_management", "log_apis","spark_apis"],
            "AssignableScopes":["project"]
        }
    ]
}
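The following is an added example, not code from this issue or from the project: a minimal in-memory RBAC checker that loads the role definition above and implements the admin_management calls (add_user, assign_user, grant) and the access_management checks (get_access, check_access, is_user_in_role, get_role) from the API list, plus get_access_log as the audit trail. The permission syntax it assumes is that a bare group name such as "registry_apis" grants every action under that group, while "admin_management.add_permission/grant" grants only those two actions; the user names, the scope check against AssignableScopes, and default-deny for unknown users are this example's assumptions, not something the issue specifies.

```python
import copy
import json
from typing import Dict, List, Set

# Role definition copied from the issue (with its two JSON typos corrected).
ROLE_DEFINITION = json.loads("""
{
  "Roles": [
    {"id": 0, "name": "Admin", "description": "",
     "permissions": ["admin_management", "access_management", "review_management",
                     "registry_apis", "spark_apis"],
     "AssignableScopes": ["project", "anchor"]},
    {"id": 1, "name": "Producer", "description": "",
     "permissions": ["admin_management.add_permission/grant", "access_management",
                     "registry_apis", "spark_apis"],
     "AssignableScopes": ["project", "anchor"]},
    {"id": 2, "name": "Consumer", "description": "",
     "permissions": ["access_management", "registry_apis", "spark_apis"],
     "AssignableScopes": ["project", "anchor"]},
    {"id": 3, "name": "Monitoring", "description": "",
     "permissions": ["review_management", "log_apis", "spark_apis"],
     "AssignableScopes": ["project"]}
  ]
}
""")


def expand_permission(perm: str) -> Set[str]:
    """Assumed syntax: 'group' -> {'group'}; 'group.a/b' -> {'group.a', 'group.b'}."""
    if "." not in perm:
        return {perm}
    group, actions = perm.split(".", 1)
    return {f"{group}.{a}" for a in actions.split("/")}


class Rbac:
    """In-memory user/role store. A real deployment would back this with the
    storage the issue calls for and take the user identity from the AAD login."""

    def __init__(self, role_def: dict) -> None:
        # Deep-copy so grant() never mutates the shared definition.
        self.roles: Dict[str, dict] = {r["name"]: copy.deepcopy(r) for r in role_def["Roles"]}
        self.user_roles: Dict[str, Set[str]] = {}   # user -> set of role names
        self.access_log: List[str] = []             # audit trail for review_management

    # ---- admin_management ----
    def add_user(self, user: str, role: str = "Consumer", scope: str = "project") -> None:
        self.user_roles.setdefault(user, set())
        self.assign_user(user, role, scope)

    def assign_user(self, user: str, role: str, scope: str = "project") -> None:
        if role not in self.roles:
            raise KeyError(f"unknown role {role!r}")
        if scope not in self.roles[role]["AssignableScopes"]:
            raise ValueError(f"role {role!r} is not assignable at scope {scope!r}")
        self.user_roles.setdefault(user, set()).add(role)
        self.access_log.append(f"assign_user user={user} role={role} scope={scope}")

    def grant(self, role: str, permission: str) -> None:
        self.roles[role]["permissions"].append(permission)
        self.access_log.append(f"grant role={role} permission={permission}")

    # ---- access_management ----
    def get_role(self) -> List[str]:
        return sorted(self.roles)

    def is_user_in_role(self, user: str, role: str) -> bool:
        return role in self.user_roles.get(user, set())

    def get_access(self, user: str) -> Set[str]:
        allowed: Set[str] = set()
        for role in self.user_roles.get(user, set()):
            for perm in self.roles[role]["permissions"]:
                allowed |= expand_permission(perm)
        return allowed

    def check_access(self, user: str, action: str) -> bool:
        """Default deny: unknown users and unmatched actions get False."""
        return any(action == p or action.startswith(p + ".")
                   for p in self.get_access(user))

    # ---- review_management ----
    def get_access_log(self) -> List[str]:
        return list(self.access_log)


def build_demo() -> Rbac:
    """Constructed sample users, one per role in the definition."""
    rbac = Rbac(ROLE_DEFINITION)
    rbac.add_user("alice", "Admin")
    rbac.add_user("bob", "Producer", scope="anchor")
    rbac.add_user("carol")                 # default role: Consumer
    rbac.add_user("dave", "Monitoring")    # only assignable at project scope
    return rbac


if __name__ == "__main__":
    r = build_demo()
    for user, action in [("alice", "admin_management.add_user"),
                         ("bob", "admin_management.grant"),
                         ("bob", "admin_management.add_user"),
                         ("carol", "review_management.get_access_log")]:
        print(f"{user:6} {action:35} -> {'allow' if r.check_access(user, action) else 'deny'}")
```

The point worth noticing is that check_access resolves everything to explicit allow entries and denies anything else, so adding a new API group later (for example log_apis) does not silently open it to roles that were never granted it; the scope check on assign_user is what keeps a project-only role such as Monitoring from being attached at anchor scope.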
