Access Control Lists (ACLs)
ACLs were introduced in their current form in v0.98 of lakeFS as part of changes to the security model in lakeFS. They are an alternative to the more granular control that role-based access control provides.
ACLs
You can attach Permissions and scope them to groups in the Groups page. There are 4 default groups, named after the 4 permissions. Each group is global (applies for all repositories).
| Group ID | Allows |
|---|---|
| Read | Read operations, creating access keys |
| Write | Allows all data read and write operations. |
| Super | Allows all operations except auth. |
| Admin | Allows all operations. |
Pluggable Authentication and Authorization
Authorization and authentication is pluggable in lakeFS. If lakeFS is attached to a remote authentication server (or you are using lakeFS Cloud) then the role-based access control user interface can be used.
If you are using ACL then the lakeFS configuration element auth.ui_config.RBAC should be set to simplified.
Previous versions of ACL in lakeFS
Here’s a comparison of the current ACL model against the behavior prior to the changes introduced in v0.98.
| Permission | Allows | Previous Group Name | Previous Policy Names and Actions |
|---|---|---|---|
| Read | Read operations, creating access keys. | Viewers | FSReadAll [fs:List, fs:Read] |
| Write | Allows all data read and write operations. | Developers | FSReadWriteAll [fs:ListRepositories, fs:ReadRepository, fs:ReadCommit, fs:ListBranches, fs:ListTags, fs:ListObjects, fs:ReadObject, fs:WriteObject, fs:DeleteObject, fs:RevertBranch, fs:ReadBranch, fs:ReadTag, fs:CreateBranch, fs:CreateTag, fs:DeleteBranch, fs:DeleteTag, fs:CreateCommit] RepoManagementReadAll [ci:Read, retention:Get, branches:Get*, fs:ReadConfig] |
| Super | Allows all operations except auth. | SuperUsers (with changes) | FSFullAccess [fs:] RepoManagementReadAll [ci:Read, retention:Get, branches:Get, fs:ReadConfig] |
| Admin | Allows all operations. | Admins | AuthFullAccess [auth:] FSFullAccess [fs:] RepoManagementFullAccess [ci:, retention:, branches:*, fs:ReadConfig] |
Migrating from the previous version of ACLs
Upgrading the lakeFS version will require migrating to the new ACL authorization model.
In order to run the migration run:
lakefs migrate up
The command will run the migration to ACL. The migration process might adjust the current authorization policies to fit ACL, in that case the command will not make any changes, only print warnings.
In case of warnings to apply the migration, re-run with the --force flag
The upgrade will ensure that the 4 default groups exist, and modify existing groups to fit into the new ACLs model:
- When creating the 4 default global groups: if another group exists and has the desired name, upgrading will rename it by appending “.orig”. So after upgrading the 4 default global groups exist, with these known names.
- For any group, upgrading configured policies follows these rules, possibly increasing access:
- Any “Deny” rules are stripped, and a warning printed.
- “Manage own credentials” is added.
- If any actions outside of “fs:” and manage own credentials are allowed, the group becomes an Admin group, a warning is printed, and no further changes apply.
- The upgrade script unifies repositories: If a resource applies to a set of repositories, permissions are unified to all repositories.
- The upgrade script unifies actions: it selects the least permission of Read, Write, Super that contains all of the allowed actions.
The upgrade will detach every directly attached policy from users
Note that moving to ACL from RBAC may only be performed once and will lose some configuration. The upgrade script will detail the changes made by the transition.
For any question or concern during the upgrade, don’t hesitate to get in touch with us through Slack or email.