for creating custom policies e.g. <https://docs.la...
# helpt
T. P.
04/06/2021, 7:29 PMfor creating custom policies e.g. https://docs.lakefs.io/reference/authorization.html
where should the policy files go in HelmRelease managed by flux ci/cd into k8s cluster
a
Ariel Shaqed (Scolnicov)
04/06/2021, 7:32 PMTBH I don't think we placed those in any chart yet. They get stored on the lakeFS server, of course, so I do understand why you'd want to have configuration-as-code
t
T. P.
04/06/2021, 7:36 PMthank you
a
Ariel Shaqed (Scolnicov)
04/06/2021, 7:38 PMAriel Shaqed (Scolnicov)
04/06/2021, 7:45 PMActually I'm a bit confused on how this should work. E.g. https://github.com/hypnoglow/helm-s3 basically lets you write your own policy JSONs for AWS IAM configuration.
Do you have examples of some charts that apply a similar configuration?
t
T. P.
04/07/2021, 2:01 PMi am already having my s3 policies in aws
T. P.
04/07/2021, 2:02 PMthis is in context of lakefs policies for group, user, resource, action setup
T. P.
04/07/2021, 2:02 PMas specified here: https://docs.lakefs.io/reference/authorization.html
T. P.
04/07/2021, 2:02 PMi need to be able to setup users, groups, policies via IaC e.g. TF, flux yaml
T. P.
04/07/2021, 2:03 PMdoing this in ui or lakectl is not an option as we have fully automated ci/cd pipelines integrated with github, flux, aws, eks for build and deployments
a
Ariel Shaqed (Scolnicov)
04/07/2021, 2:10 PMUnderstood. However this needs to control something stateful (add or remove policies), which can end up being complex (e.g. Terraform ends up managing state separately, which, while necessary, makes for complex ops).
As an example of state, consider renaming a policy stored in a config file. Applying the new config means discovering that the old policy exists and deleting it.
Ariel Shaqed (Scolnicov)
04/07/2021, 2:10 PMWe'll figure try to out a proposal :-)
Ariel Shaqed (Scolnicov)
04/08/2021, 1:20 PMHad a design meeting at work.
Some questions...
1. New IAM permissions. If you control all auth directly, then how do you install an upgrade that adds a new capability?
2. Would it make sense (for you) to control directly the desired state? I.e., you have all policie*s s*tored in files, and once you run Helm we replace all policies with the state stored in files. So after running Helm you remain exactly with the policies in files, all other policies are deleted.
3. What about setup, how do you do it currently?
4. You would have to supply the access key IDs and secret keys for users. lakeFS doesn't care about that, but AWS has rules for allowed formats, and some clients may enforce some of these rules. afaict this will place responsibility on you to supply key IDs and secrets that are correctly formatted.
t
T. P.
04/08/2021, 4:12 PMso basically, i look @ this the same way i would do an upgrade of lakefs version and config
T. P.
04/08/2021, 4:12 PMall via flux ci/cd
T. P.
04/08/2021, 4:13 PMpolicies are integral part of service state i.e. lakefs state
T. P.
04/08/2021, 4:13 PMso policies life cycle should be integral to service deployment life cycle
T. P.
04/08/2021, 4:14 PMas for aws and iam side of the game, lakefs is correctly interacting via credentials and does not care how iam policies are setup on that side
T. P.
04/08/2021, 4:14 PM@ the moment, that is fine
T. P.
04/08/2021, 4:14 PMbecause duplicating functionality of aws sdk in context of s3 buckets is too large a pie to eat 🙂
T. P.
04/08/2021, 4:15 PMhope this helps to clarify !!
a
Ariel Shaqed (Scolnicov)
04/08/2021, 7:25 PMAnd your users don't get to add iam policies, because you manage that for them, right? I.e. You replace their lakectl auth commands with configuration as code.
2 Views