# help
u
I tried to create a read policy but somehow, instead of a new policy, the change is merged into an existing policy. Is this a known issue?
u
No, I don't know of any such bug. (Unfortunately it wouldn't be the first time I display ignorance...) Is this with the GUI, or lakectl, or the API? It sounds very strange. I mean, how would it even be able to pick which policy to merge it into? If you can reproduce or recall the sequence of steps, could you please open us a bug?
u
Thanks, I figured it out. I used the GUI. I gave a new policy name, but in the JSON I copied I forgot to change the policy ID, and then lakeFS “smartly” merged it into the existing policy instead of creating a new one.
u
I'm not sure that behaviour is correct. If you don't mind I'd still like that bug. I cannot promise that it won't turn out to be a feature (and then we'll close it, no harm in that), but I for one don't like "smart" computers!
u
Last question for today. 🙂 I tried to create a policy to read just the main branch, not feature branches. I specified “arn:lakefs:fs:::repository/my-repo/main/*” in the resource, but now this user cannot access any branches.
u
ARNs are weird (and not just because Lotti the Axolotl managed to creep into yours). Give me a few minutes, I'll send the link to how to write that ARN.
u
That's the one I was going to send. You can control repo and object access by saying
arn:lakefs:fs:::repository/myrepo/object/path/*
You cannot control branch access - merges and refs mean that it will give no protection. So drop the "main". (you'll need to re-add the "object/" prefix if you want to control the path!)
u
Search for "get object" or action "fs:ReadObject" in the huge table on that section for the full description.
u
I see, so there is no way to hide uncommitted changes even if they're in another branch.
u
You're right! My suggestion works for isolation. It does not offer security. I guess you could make it more secure by using a random component in branch names and denying ListBranches. Sorry. AFAIK lakeFS gives you no direct way to prevent reading uncommitted data.
u
Got it, thanks a lot