Hello team I am trying to prevent regular users non admin to lakeFS #help

Hello team, I am trying to prevent regular users (...

Jérôme Viveret

05/13/2024, 3:14 PM

Hello team, I am trying to prevent regular users (non-admin) to write and delete objects under

_lakefs_actions

as it seems legitimate to enforce company wide data policies. Can a strategy based on RBAC and policies allow this, typically

Copy code

{
  "statement": [
    {
      "action": [
        "fs:WriteObject",
        "fs:DeleteObject"
      ],
      "effect": "deny",
      "resource": "arn:lakefs:fs:::repository/<repository-name>/object/_lakefs_actions*"
    }
  ]
}

Iddo Avneri

05/13/2024, 6:19 PM

Hi @Jérôme Viveret happy to take a look at this.

Iddo Avneri

05/13/2024, 6:19 PM

If you are available, we can jump on a quick call?

Iddo Avneri

05/13/2024, 6:41 PM

Seems like we missed you 🙂 Generally speaking, you are correct. You can find a similar example here. Notice this code there:

Copy code

admin1Client.auth.create_policy(
    policy=models.Policy(
        id='FSBlockAccessToPIIData',
        statement=[models.Statement(
            effect="deny",
            resource="arn:lakefs:fs:::repository/"+repo+"/object/PII/*",
            action=["fs:*"],
        ),
        ]
    )
)

The only difference @Amit Kesarwani and I noticed is that there is a

before the

. You might want to add that.

Jérôme Viveret

05/14/2024, 6:39 AM

Amazing @Iddo Avneri, thanks a lot !

Jérôme Viveret

05/14/2024, 7:01 AM

I mostly wanted to ensure that we were going in the right direction and that objects were matched by path and not HMACs 🙂

Ariel Shaqed (Scolnicov)

05/14/2024, 2:46 PM

Objects are matched by path, not by digest

2 Views

Open in Slack

Previous Next