Authorization (RBAC) in lakeFS: Step-by-Step Configuration Tutorial

Introduction

Last month, the lakeFS team decided to move from the decoupled security authentication and access control features to enable you to plug your own authentication and security mechanism. Consequently, the team decided to change the architecture to a pluggable one which enables you to choose your preference without being dependent on the lakeFS solution.

This change is necessary as it lets you decide on access control and authentication that best fits your security needs. It matters, since one can ensure security only if one controls the full environment.

As a lakeFS user you are able to develop and use existing identity providers and wrap lakeFS with your own authorization logic (if they so desire) – to meet their specific security needs.

Now that the architecture is pluggable, you can use the solution of your choice.

Depending on your needs, you might want to take a look at lakeFS Cloud, which enables us to provide a holistic, secure solution that is SOC2 compliant and provides security guarantees. lakeFS Cloud supports and maintains more advanced authentication methods such as SAML and OIDC, and granular access control in the form of role-based access control (RBAC) policies.

This tutorial will review all steps needed to configure RBAC on lakeFS Cloud. This tutorial assumes that lakeFS Cloud is already set up and running against your own storage, and is focused on setting up the RBAC.

Prerequisites

1. lakeFS Cloud

Step 1 – Create a User

1. There are 2 types of users in lakeFS: Integration Users and Regular Users:
   1. Integration users are ones that are used mainly to integrate other software tools/applications and require only API access.
   2. Regular users are real people who need to log in using email and password. If you use SSO (Single Sign-On) with lakeFS Cloud then regular users are automatically created in lakeFS.
2. Let’s create a regular user first. Login to your lakeFS Cloud instance and click on Administration -> Users -> Invite User

3. Enter user’s email address and click Invite button:

4. Users will receive an email invitation from lakeFS Cloud to activate their account with lakeFS.
5. Let’s create an integration user next. Click on Administration -> Users -> Create Integration User.
6. Enter integration user name e.g. Python and click Create button:

7. Once you create the user, you can click on User ID to review it. If you want to create an Access Key for the API access then click on “Access Credentials” tab and click on “Create Access Key” button:

8. A new key will be generated:

As instructed, copy the Secret Access Key and store it somewhere safe. You will not be able to access it again (You will be able to create new ones).

Step 2 – Create a Policy

1. Let’s create an example policy to allow users to get the list of branches and get commit information for those branches in all repositories (refer to all Actions and Permissions in lakeFS documentation). These example permissions might be required for the users running Python programs and they may not need additional permissions required for the lakeFS UI.
2. Login to your lakeFS Cloud instance and click on Administration -> Policies -> Create Policy

You will now see this screen:

3. Enter a unique Policy ID e.g. ListBranchesGetCommit, copy & paste following JSON in Policy JSON Document box and click Save button:

{
    "statement": [
        {
            "action": [
                "fs:ListBranches",
                "fs:ReadCommit"
            ],
            "effect": "allow",
            "resource": "*"
        }
    ]
}

4. Once you save the policy, you can click on ListBranchesGetCommit policy to review it. You can click on the toggle switch to get the JSON View.

JSON View:

Step 3 – Create a Group

1. Controlling access is done by attaching Policies, either directly to Users, or to Groups they belong to. You will create a group and will attach policy to a group in this step. If you want to attach policies directly to a user, then go directly to Step 4.
2. Login to your lakeFS Cloud instance and click on Administration -> Groups -> Create Group

You will now see this screen:

3. Enter a unique Group Name e.g. PythonDevelopers and click Create button.
4. Once you save the Group Name, click on the PythonDevelopers group to review it. Click on the “Attached Policies” tab and click on the “Attach Policy” button:

5.  Search for ListBranchesGetCommit policy, select it and click on “Attach Policies” button:

Step 4 – Add Users to a Group

1. You will add users to a group in this step. If you want to attach policies directly to a user then go to Step 4.
2. Login to your lakeFS Cloud instance and click on Administration -> Groups.
3. Click on the PythonDevelopers group to review it. Click on the “Add Members” button under “Group Memberships” tab:

4. Search for users and select one or multiple users. Click on “Add to Group” button:

Step 5 – Attach Policy to a User

1. You can attach policies directly to a user instead of adding users to a group (previous two steps).
2. Login to your lakeFS Cloud instance and click on Administration -> Users.
3. Click on the User ID who requires access permissions. Click on the “Directly Attached Policies” tab and click on “Attach Policy” button:

4. Search for ListBranchesGetCommit policy, select it and click on “Attach Policies” button:

Summary

As you have seen in this post, It is very easy that configuring RBAC on lakeFS Cloud is a simple and straightforward action. It is similar to RBAC functionality that you might have used in other applications.

Controlling access in lakeFS Cloud is done by creating and attaching Policies, either directly to Users, or to Groups they belong to.

Next steps

To learn more about lakeFS functionalities and other data lake governance features, read more in the lakeFS blog, or join the friendly lakeFS community on Slack.