# help
m
Hi all, I have been observing the lakeFS project for a while and am so glad to see the 1.0 release with a lot of surprising features. I see that RBAC is now only available in the cloud or enterprise version. I wonder if the enterprise version supports RBAC on the branch level? Here is a concrete scenario: in our company, there are data scientists in different groups. Some of them should only be able to access specific branches. The post shows a similar scenario, but whether it is certainly branch-restricted is not clear. Would anyone have an idea if it is supported? If not, is it planned at some point in the roadmap? Thanks.
y
Hey @Maaax Maaax! The question of whether to add branch-level access control is almost as old as lakeFS itself 🙂 The main reason why this feature doesn't exist is that for different people this concept means different things. Can you explain more what you would expect from such a feature? For example, do you hope to control read access, or only writes?
m
Hi @Yoni Augarten. Glad to hear from you. The concrete scenario is that the team would like to have branches like 1) training, 2) testing, 3) QA validation. Each of the branches should be assigned to a different group of users, so that they could only have read access to them. For example, a data scientist in the training branch does not see the testing branch, which is assigned to the group for testing. I hope you have seen similar requests before 🙂
y
@Maaax Maaax thanks for clarifying. We have seen similar requests before, and I can see why you would want different personas to have different access permissions. However, in the Git-like model of lakeFS, a branch is simply a pointer to a commit. So the way I see it, even if we enforce some kind of branch-level read access control, a commit will still always be accessible using its ID. Moreover, a single commit may have multiple branches pointing to it, so other branches may allow you to access this commit as well. Hence, such a mechanism would become more of a convenience "filter by role" thing, and not a security feature, which is what RBAC intends to be. That being said, our product team @Oz Katz @Tal Sofer may have deeper thoughts. Are you willing to open an issue about this so they can take a look?
m
@Yoni Augarten. Thank you for the explanation. I see where the consideration comes from. I think the restriction of branch-level RBAC could be left for now. May I know whether the cloud or enterprise RBAC contains tag/attribute-based access control? See, for example, ARN, where resources marked with a certain tag restrict user access.
y
@Maaax Maaax, I'm not sure if you are referring to object access control or commit access control. Limiting the access to commits raises similar issues to the ones I described above.
If you are referring to limiting the access to objects according to their metadata, this is not supported today, but this can be discussed.
m
@Yoni Augarten it is about access to objects in this case. As it is part of the ARN setup, I wondered whether attribute/tag-based object access control is known. Thanks for the information.
y
Thanks for confirming - so like I said, this is not supported today, but you are welcome to open an issue.