Search before asking
I had searched in the issues and found no similar issues.
Description
Currently, Apache Doris supports a predefined authorization mechanism for queries and operations. However, many organizations require a more flexible and dynamic approach to authorization that can accommodate complex logic, such as attribute-based access control (ABAC), or other policy-based controls.
This feature request proposes integrating Open Policy Agent (OPA) for authorization, enabling live policy evaluation during query execution. By leveraging OPA, Doris can support highly customizable and dynamic authorization logic tailored to various use cases.
Benefits
Flexibility in Authorization:
OPA allows organizations to define policies in Rego, a declarative language, which supports complex logic such as ABAC. Policies can evaluate attributes such as user roles, query context, resource metadata, and more.
Real-Time Policy Evaluation:
This feature enables live authorization checks when a query is executed, ensuring the most up-to-date policies are enforced.
Centralized Policy Management:
Organizations can manage and maintain authorization policies in a single location, improving governance and reducing duplication of effort.
Enhanced Security:
Fine-grained access control based on live policies helps prevent unauthorized access to sensitive data.
Proposed Solution
OPA Integration:
Doris will communicate with an OPA server to evaluate policies in real time.
During query execution, Doris sends relevant attributes (e.g., user info, query details, resource metadata) to OPA for evaluation.
OPA responds with a decision (allow or deny) based on the defined policies.
Dynamic Policy Context:
Doris will collect contextual attributes dynamically for each query, such as:
User attributes (e.g., role, department).
Resource attributes (e.g., table metadata, data sensitivity level).
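The following is an added illustration, not code from Apache Doris or from this proposal: a sketch of the Doris-side authorizer the Proposed Solution describes, together with the kind of ABAC policy in Rego that the Benefits section mentions. It assembles the user, query and resource attributes into an OPA `input` document, POSTs it to OPA's Data API (the `/v1/data/<package>/<rule>` path and the `{"result": ...}` response envelope are OPA's documented API; the `doris.authz` package name, the `localhost:8181` address and all attribute names and sample values are assumptions made for this example) and treats anything other than an explicit `true` as deny, so an unreachable OPA or an undefined rule never grants access. The Rego text is shown as a string for reference; `fake_opa_transport` applies the same three rules in Python so the file runs without an OPA server.

```python
"""Sketch of a Doris-side OPA authorizer (hypothetical; not Apache Doris code)."""
import json
import urllib.error
import urllib.request
from typing import Any, Callable, Dict

JsonDict = Dict[str, Any]
Transport = Callable[[str, JsonDict, float], JsonDict]

# Constructed example of the Rego policy OPA would evaluate (package doris.authz).
# It expresses ABAC over the attributes the proposal lists: admins may do anything;
# anyone may SELECT from "public" tables; analysts may SELECT from tables owned by
# their own department unless the table is tagged "pii".
EXAMPLE_REGO_POLICY = r"""
package doris.authz

import rego.v1

default allow := false

allow if input.user.role == "admin"

allow if {
    input.action == "SELECT"
    input.resource.sensitivity == "public"
}

allow if {
    input.action == "SELECT"
    input.user.role == "analyst"
    input.user.department == input.resource.owner_department
    input.resource.sensitivity != "pii"
}
"""

OPA_URL = "http://localhost:8181"                  # assumed OPA server address
OPA_DECISION_PATH = "/v1/data/doris/authz/allow"   # Data API path for rule `allow`
OPA_TIMEOUT_SECONDS = 2.0


def build_opa_input(user: JsonDict, query: JsonDict, resource: JsonDict) -> JsonDict:
    """Assemble the `input` document OPA evaluates from user, query and resource attributes."""
    return {
        "input": {
            "user": {"name": user["name"], "role": user["role"], "department": user.get("department")},
            "action": query["statement_type"],  # e.g. SELECT, INSERT
            "query": {"sql": query["sql"], "client_ip": query.get("client_ip")},
            "resource": {
                "database": resource["database"],
                "table": resource["table"],
                "sensitivity": resource.get("sensitivity", "internal"),
                "owner_department": resource.get("owner_department"),
            },
        }
    }


def http_post_json(url: str, body: JsonDict, timeout: float) -> JsonDict:
    """Real transport: POST the input document to OPA and decode its JSON reply."""
    req = urllib.request.Request(
        url, data=json.dumps(body).encode("utf-8"),
        headers={"Content-Type": "application/json"}, method="POST",
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.loads(resp.read().decode("utf-8"))


def fake_opa_transport(url: str, body: JsonDict, timeout: float) -> JsonDict:
    """Offline stand-in for OPA: applies EXAMPLE_REGO_POLICY's rules in Python and
    answers in the Data API envelope {"result": <bool>}. Only here so the file runs
    without an OPA server; the real decision comes from OPA evaluating the Rego."""
    i = body["input"]
    user, res = i["user"], i["resource"]
    allowed = (
        user["role"] == "admin"
        or (i["action"] == "SELECT" and res["sensitivity"] == "public")
        or (i["action"] == "SELECT" and user["role"] == "analyst"
            and user["department"] == res["owner_department"]
            and res["sensitivity"] != "pii")
    )
    return {"result": allowed}


def is_allowed(user: JsonDict, query: JsonDict, resource: JsonDict,
               transport: Transport = http_post_json, opa_url: str = OPA_URL) -> bool:
    """Ask OPA whether this query is permitted. Fails closed on every error path."""
    payload = build_opa_input(user, query, resource)
    try:
        response = transport(opa_url + OPA_DECISION_PATH, payload, OPA_TIMEOUT_SECONDS)
    except (OSError, ValueError):  # URLError/timeouts are OSError; bad JSON is ValueError
        return False
    # OPA wraps the value as {"result": ...}; an undefined rule yields {} with no
    # "result" key, and anything that is not literally true is a deny.
    return isinstance(response, dict) and response.get("result") is True


if __name__ == "__main__":
    # Constructed sample attributes; a real deployment would take them from the session,
    # the parsed statement and the catalog.
    analyst = {"name": "bob", "role": "analyst", "department": "finance"}
    select_orders = {"statement_type": "SELECT", "sql": "SELECT * FROM sales.orders", "client_ip": "10.0.0.5"}
    orders = {"database": "sales", "table": "orders", "sensitivity": "internal", "owner_department": "finance"}
    print(json.dumps(build_opa_input(analyst, select_orders, orders), indent=2))
    print("allowed:", is_allowed(analyst, select_orders, orders, transport=fake_opa_transport))
```

Two design points worth noting: the decision path names a single boolean rule, so the authorizer never has to interpret a partial policy document, and the default on any transport or parse failure is deny, which is what makes "live" evaluation safe to depend on in the query path.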
Impact
Integrating OPA with live policy evaluation will significantly enhance Doris's authorization capabilities, making it a viable choice for organizations with complex security requirements.
Additional Information
Requested Support
Use case
Related issues
No response
Are you willing to submit PR?
Code of Conduct