Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Feature] Support for Authorization Using Open Policy Agent (OPA) #45215

Open
3 tasks done
shohamyamin opened this issue Dec 9, 2024 · 0 comments
Open
3 tasks done

[Feature] Support for Authorization Using Open Policy Agent (OPA) #45215

shohamyamin opened this issue Dec 9, 2024 · 0 comments
Labels
kind/feature Categorizes issue or PR as related to a new feature.

Comments

@shohamyamin
Copy link

Search before asking

  • I had searched in the issues and found no similar issues.

Description

Currently, Apache Doris supports a predefined authorization mechanism for queries and operations. However, many organizations require a more flexible and dynamic approach to authorization that can accommodate complex logic, such as attribute-based access control (ABAC), or other policy-based controls.

This feature request proposes integrating Open Policy Agent (OPA) for authorization, enabling live policy evaluation during query execution. By leveraging OPA, Doris can support highly customizable and dynamic authorization logic tailored to various use cases.

Benefits

  1. Flexibility in Authorization:
    OPA allows organizations to define policies in Rego, a declarative language, which supports complex logic such as ABAC. Policies can evaluate attributes such as user roles, query context, resource metadata, and more.

  2. Real-Time Policy Evaluation:
    This feature enables live authorization checks when a query is executed, ensuring the most up-to-date policies are enforced.

  3. Centralized Policy Management:
    Organizations can manage and maintain authorization policies in a single location, improving governance and reducing duplication of efforts.

  4. Enhanced Security:
    Fine-grained access control based on live policies helps prevent unauthorized access to sensitive data.

Proposed Solution

  1. OPA Integration:
    Doris will communicate with an OPA server to evaluate policies in real time.

    • During query execution, Doris sends relevant attributes (e.g., user info, query details, resource metadata) to OPA for evaluation.
    • OPA responds with a decision (allow or deny) based on the defined policies.
  2. Dynamic Policy Context:
    Doris will collect contextual attributes dynamically for each query, such as:

    • User attributes (e.g., role, department).
    • Resource attributes (e.g., table metadata, data sensitivity level).
    • Query-specific attributes (e.g., query type, fields accessed).
  3. Policy Evaluation Flow:

    • Before executing a query, Doris invokes the OPA API to evaluate the authorization policy.
    • The query proceeds only if OPA returns allow.
  4. Policy Definition:

    • Administrators define policies in Rego and deploy them to the OPA server.
    • Example policy: Deny queries accessing sensitive tables unless the user has a specific attribute.
package doris.auth

default allow = false

allow {
    input.user.role == "data_analyst"
    not input.resource.is_sensitive
}

Impact

Integrating OPA with live policy evaluation will significantly enhance Doris's authorization capabilities, making it a viable choice for organizations with complex security requirements.

Additional Information

Requested Support

  1. Feedback on feasibility and potential challenges.
  2. Collaboration to define the API contract between Doris and OPA.
  3. Where to start?

Use case

  1. ABAC: Allow or deny access based on user attributes (e.g., department, role) and resource attributes (e.g., data sensitivity).
  2. Row-Level Security: Dynamically filter rows based on policies evaluated by OPA.
  3. Time-Based Access: Enforce policies like “users can only access data during business hours.”

Related issues

No response

Are you willing to submit PR?

  • Yes I am willing to submit a PR!

Code of Conduct

@shohamyamin shohamyamin added the kind/feature Categorizes issue or PR as related to a new feature. label Dec 9, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
kind/feature Categorizes issue or PR as related to a new feature.
Projects
None yet
Development

No branches or pull requests

1 participant