Authorization (Access Control)¶
Authorization scope¶
It is important to note that Nessie does not store data directly but only data location and other metadata.
As a consequence, the Nessie authorization layer can only really control access to metadata, but might not prevent data itself to be accessed directly without interacting with Nessie. It is then expected that another system can control access to data itself to make sure unauthorized access isn’t possible.
The same is true for access to historical data, which is one of Nessie’s main features. For example, while it might seem safe committing a change that removes undesired sensitive data and restricting access to only the latest version of the dataset, the truth is that the sensitive data may still exist on the data lake and be accessed by other means (similar to how redacting a PDF by adding black boxes on top of sensitive information does not prevent people to read what is written beneath in most cases). The only safe way to remove this data is to remove it from the table (e.g. via DELETE
statements) and then run the Garbage Collection algorithm to ensure the data has been removed from Nessie history and deleted on the data lake.
Stories¶
Here’s a list of common authorization scenarios:
- Alice attempts to execute a query against the table
Foo
on branchprod
. As she has read access to the table on this branch, Nessie allows the execution engine to get the table details. - Bob attempts to execute a query against the table
Foo
on branchprod
. However, Bob does not have read access to the table. Nessie returns an authorization error, and the execution engine refuses to execute the query. - Carol has access to the content on branch
prod
, but not to the tableFoo
on this branch. Carol creates a new reference namedcarol-branch
with the same hash asprod
, and attempts to change permissions on tableFoo
. However, request is denied and Carol cannot access the content ofFoo
. - Dave has access to the content on branch
prod
, and wants to update the content of the tableFoo
. He creates a new reference nameddave-experiment
, and executes several queries against this branch to modify tableFoo
. Each modification is a commit done againstdave-experiment
branch which is approved by the Nessie server. When all the desired modifications are done, Dave attempts to merge the changes back to theprod
branch. However, Dave doesn’t have the rights to modify theprod
branch, causing Nessie to deny the request.
Access control model¶
Any object in Nessie can be designated by a pair of coordinates (reference, path), therefore access control is also designed around those two concepts.
Access control against references¶
References can be designated by their name (branches and tags) and there are several operations that can be exercised:
- view/list available references
- create a new named reference
- assign a hash to a reference
- delete a reference
- list objects present in the tree
- read objects content in the tree
- commit a change against the reference
Note that a user needs to be able to view a reference in order to list objects on that reference.
Access control against paths¶
For a specific reference, an entity is designated by its path which is why a simple way of performing access control can be done by applying restrictions on path.
Several operations can be exercised against an entity:
- create a new entity
- delete an entity
- update entity’s content
Note that those operations combine themselves with the reference operations. For example to actually be able to update the content of an entity, user needs both permission to do the update AND to commit the change against the reference where the change will be stored
Service Provider Interface¶
The SPI is named AccessChecker and uses AccessContext, which carries information about the overall context of the operation. Implementers of AccessChecker
are completely free to define their own way of creating/updating/checking authorization rules.
ContentId Usage¶
Note that there is a contentId
parameter in some methods of the AccessChecker, which allows checking specific rules for a given entity at a given point in time. The contentId
parameter refers to the ID of a Content
object and its contract is defined here.
One can think of this similar to how permissions are defined in Google Docs. There are some permissions that are specific to the parent folder and to the doc itself. When a Doc is moved from one folder to another, it inherits the permissions of the parent folder. However, the doc-specific permissions are carried over with the doc and still apply. The same is true in the context of entities. There are some rules that apply to an entity in a global fashion, and then there’s the possibility to define rules specific to the contentId
of an entity.
Reference implementation for Metadata Authorization¶
The reference implementation allows defining authorization rules via application.properties and is therefore dependent on Quarkus. Nessie’s metadata authorization can be enabled via nessie.server.authorization.enabled=true
.
Authorization Rules¶
Authorization rule definitions are using a Common Expression Language (CEL) expression (an intro to CEL can be found at https://github.com/google/cel-spec/blob/master/doc/intro.md).
Rule definitions are of the form nessie.server.authorization.rules.<ruleId>=<rule_expression>
, where <ruleId>
is a unique identifier for the rule.
<rule_expression>
is basically a CEL expression string, which allows lots of flexibility on a given set of variables.
Variables¶
Certain variables are available within the <rule_expression>
depending on context:
- op - refers to the type name (string) of the operation that is being authorized. See BatchAccessChecker and Check types for details.
- role - refers to the user’s primary role and can be any string.
- roles - refers to the list of all known user roles.
- ref - refers to a string representing a branch/tag name or
DETATCHED
for direct access to a commit id. - path - refers to the URI path representation (
ContentKey.toPathString()
) of the content key for the object related to the authorization check. - contentType - refers to a (possibly empty) string representing the name of the object’s
Content.Type
. - type - refers to the repository config type to be retrieved or updated.
Checks for Reference operations¶
Applicable op
types:
VIEW_REFERENCE
CREATE_REFERENCE
DELETE_REFERENCE
ASSIGN_REFERENCE_TO_HASH
DELETE_REFERENCE
READ_ENTRIES
LIST_COMMIT_LOG
Available variables:
role
roles
ref
Checks for Content operations¶
Applicable op
types:
READ_CONTENT_KEY
READ_ENTITY_VALUE
CREATE_ENTITY
UPDATE_ENTITY
DELETE_ENTITY
Available variables:
role
roles
ref
path
contentType
Checks for Repository Config operations¶
Applicable op
types:
READ_REPOSITORY_CONFIG
UPDATE_REPOSITORY_CONFIG
Available variables:
role
roles
type
Relevant CEL features¶
Since all available authorization rule variables are strings, the relevant CEL-specific things that are worth mentioning are shown below:
Example authorization rules¶
Below are some basic examples that show how to give a permission for a particular operation. In reality, one would want to keep the number of authorization rules for a single user/role low and grant permissions for all required operations through as few rules as possible.
-
allows viewing the branch/tag starting with the name
allowedBranch
for the role that starts with the nametest_
:nessie.server.authorization.rules.allow_branch_listing=\ op=='VIEW_REFERENCE' && role.startsWith('test_') && ref.startsWith('allowedBranch')
-
allows creating branches/tags that match the regex
.*allowedBranch.*
for the roletest_user
:nessie.server.authorization.rules.allow_branch_creation=\ op=='CREATE_REFERENCE' && role=='test_user' && ref.matches('.*allowedBranch.*')
-
allows deleting branches/tags that end with
allowedBranch
for the role namedtest_user123
:nessie.server.authorization.rules.allow_branch_deletion=\ op in ['VIEW_REFERENCE', 'DELETE_REFERENCE'] && role=='test_user123' && ref.endsWith('allowedBranch')
-
allows listing the commit log for all branches/tags starting with
dev
:nessie.server.authorization.rules.allow_listing_commitlog=\ op in ['VIEW_REFERENCE', 'LIST_COMMIT_LOG'] && ref.startsWith('dev')
-
allows reading the entity value where teh
path
starts withallowed.
for the roletest_user
:nessie.server.authorization.rules.allow_reading_entity_value=\ op in ['VIEW_REFERENCE', 'READ_ENTITY_VALUE'] && role=='test_user' && path.startsWith('allowed.')
-
allows deleting the entity where the
path
starts withdev.
for all roles:nessie.server.authorization.rules.allow_deleting_entity=\ op in ['VIEW_REFERENCE', 'DELETE_ENTITY'] && path.startsWith('dev.')
-
allows listing reflog for the role
admin_user
:nessie.server.authorization.rules.allow_listing_reflog=\ op=='VIEW_REFLOG' && role=='admin_user'
Example authorization rules from Stories section¶
As mentioned in the Stories section, a few common scenarios that are possible are:
- Alice attempts to execute a query against the table
Foo
on branchprod
. As she has read access to the table on this branch, Nessie allows the execution engine to get the table details. - Bob attempts to execute a query against the table
Foo
on branchprod
. However, Bob does not have read access to the table. Nessie returns an authorization error, and the execution engine refuses to execute the query. - Carol has access to the content on branch
prod
, but not to the tableFoo
on this branch. Carol creates a new reference namedcarol-branch
with the same hash asprod
, and attempts to change permissions on tableFoo
. However, request is denied and Carol cannot access the content ofFoo
. - Dave has access to the content on branch
prod
, and wants to update the content of the tableFoo
. He creates a new reference nameddave-experiment
, and executes several queries against this branch to modify tableFoo
. Each modification is a commit done againstdave-experiment
branch which is approved by the Nessie server. When all the desired modifications are done, Dave attempts to merge the changes back to theprod
branch. However, Dave doesn’t have the rights to modify theprod
branch, causing Nessie to deny the request.
Below are the respective authorization rules for these scenarios:
# read access for all on the prod branch
nessie.server.authorization.rules.prod=\
op in ['VIEW_REFERENCE'] && ref=='prod' && role in ['Alice', 'Bob', 'Carol', 'Dave']
# alice & dave can read Foo
nessie.server.authorization.rules.reading_foo_on_prod=\
op in ['READ_ENTITY_VALUE'] && ref=='prod' && path=='Foo' && role in ['Alice', 'Dave']
# specific rules for carol on her branch
nessie.server.authorization.rules.carol-branch=\
op in ['VIEW_REFERENCE', 'CREATE_REFERENCE', 'DELETE_REFERENCE', 'COMMIT_CHANGE_AGAINST_REFERENCE'] && ref=='carol-branch' && role=='Carol'
# specific rules for dave on his branch
nessie.server.authorization.rules.dave-experiment=\
op in ['VIEW_REFERENCE', 'CREATE_REFERENCE', 'DELETE_REFERENCE', 'COMMIT_CHANGE_AGAINST_REFERENCE'] && ref=='dave-experiment' && role=='Dave'
# bob can read/update/delete BobsBar only
nessie.server.authorization.rules.bob=\
op in ['READ_ENTITY_VALUE', 'UPDATE_ENTITY', 'DELETE_ENTITY'] && path=='BobsBar` && role=='Bob')
# carol can read/update/delete CarolsSecret
nessie.server.authorization.rules.carol=\
op in ['READ_ENTITY_VALUE', 'UPDATE_ENTITY', 'DELETE_ENTITY'] && path=='CarolsSecret` && role=='Alice')
# dave can read/update/delete DavesHiddenX
nessie.server.authorization.rules.dave=\
op in ['READ_ENTITY_VALUE', 'UPDATE_ENTITY', 'DELETE_ENTITY'] && path=='DavesHiddenX` && role=='Dave')