I would also like to share the RBAC support for the OSS version is deprecated and replaced with ACLs. For the reasoning and ways to configure lakeFS authorization, please read our announcement.

We just started using to so yes it is pretty much the first time we are using it

I fear you need to explain this in more basic terms, I'm a mathematician, I have very limited knowledge about authorization methods 😄 That's why I like the interface you provide even though I struggle with it :D

The lakeFS RBAC model is defined here. In short, it has 5 basic components: Users, Actions, Resources, Policies, Groups which you may combine to have a fine-grained access-control. For example, User that belongs to the Group

Developers

is allowed to perform all read and write (

fs:*

) Actions on the Resource

repository-dev

. The linked guide has several great examples and that’s a good place to start. Remember,

0.90.1

is the last version where lakeFS RBAC capabilities are supported for the OSS.

On the other hand, ACLs are a much more simplified solution. The Groups are predefined and cannot be altered. The attached Actions & Policies cannot be modified too. It all boils down to 4 basic Groups with predefined Policies and you can assign Users to any of these groups.

Adding @Isan Rivkin & @Ariel Shaqed (Scolnicov) who are working on this as we speak, to keep me honest 🙂

And thank you so much for explaining it like this!

Yes, we needed to decouple the security aspects like RBAC from lakeFS OSS. It allows us to focus on building lakeFS to be the best data version control tool. We added RBAC to our paid offerings as we can fully back all security considerations there, hence the SOC2 compliance we’re offering just for the paid solutions.