Replace Keto Authorization with External HTTP Authorization#864
Conversation
woop
requested review from
davidheryanto,
khorshuheng,
pyalex and
zhilingc
as code owners
woop
force-pushed
the
replace-keto-with-http
branch
from
437e872 to
83d3a65
Compare
| String subject = getSubjectFromAuth(authentication, DEFAULT_SUBJECT_CLAIM); | ||
| checkAccessRequest.setAction("ALL"); | ||
| checkAccessRequest.setContext(context); | ||
| checkAccessRequest.setResource(projectId); |
There was a problem hiding this comment.
we probably need to change this to include the resourcetype like org.feast.project:{projectId} or something
There was a problem hiding this comment.
Oops, I fixed it but havent pushed yet.
There was a problem hiding this comment.
I had the do-not-merge on for protection ;)
But no worries, this at least allows your team to move ahead. I'll submit a patch tomorrow. I am going to bed now.
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: dr3s, woop The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
/lgtm |
|
/ok-to-test |
|
/ok-to-merge |
3 participants
What this PR does / why we need it:
We need to extend Feast Auth towards Feast Serving, but pulling in more and more dependencies in Serving (and throughout Feast) is becoming a big pain. This PR replaces the existing Keto Authorization Provider with an HTTP Authorization Provider. It also comes with an Open API specification that users can implement as a web service in order to roll their own authorization layer.
Does this PR introduce a user-facing change?: