# help
So if I understand correctly, some groups should be able to access specific branch names (corresponding to data domains), across different repositories?
@filip floegel, to achieve such a segregation, you will have to write policies explicitly allowing users to access these branches. You will have to specify each repository as a statement in your policy. For example, a policy to access branches named "domain1" across two different repositories would look like:
Sorry @filip floegel, but apparently what I wrote was not accurate. We currently do not support denying writes according to branch names. We do support denying commits according to branch names. So a policy that allows commits to branches named "domain1" across two different repositories would look like:
{
  "id": "Domain1Commits",
  "statement": [
    {
      "action": [
        "fs:CreateCommit"
      ],
      "effect": "allow",
      "resource": "arn:lakefs:fs:::repository/my-first-repo/branch/domain1"
    },
    {
      "action": [
        "fs:CreateCommit"
      ],
      "effect": "allow",
      "resource": "arn:lakefs:fs:::repository/my-second-repo/branch/domain1"
    }
  ]
}
I understand this is not a very strong segregation. You are welcome to DM me and we can discuss what kind of feature is needed in lakeFS to support your use case.
Cool, thank you!!! If I understand correctly, I could define the branches in advance and allow the domains to make commits across repositories. Will contact you anyway, but thank you so far!!!