Creating this issue to track the discussion around user authentication & authorization.
1. Prior Art: Auth as proposed in the Feast Projects RFC
In the Feast: Projects RFC we proposed a basic form of authentication as a "minmal" implementation for Feast 0.5.
Overview
At a high level, this proposal adds user authentication based on a new user table that Feast maintains. No API is made available to manage the creation/removal of users, but the actions taken by users is on the Feast Core API is limited to the resources they have access to. Resource access is managed only based on membership of users to projects.
Note on Roles: "Roles" were originally proposed but will be delayed until a future release can implement them properly. Right now there is only a full "owner" role which is implicit. All users either have ownership of a project, or not.
Assumptions:
- User authentication only applies to Feast Core, not ingestion or "serving".
Out of scope:
- Full user management (create or remove users, or manage user profiles).
- JWT or functionality like sessions on user auth.
- RBAC
Data model
API
- Feast Core API
- New RPCs
- AddMember: Add a user to a specific project
- RemoveMember: Remove user from a specific project
- ListMembers: List members in a project
AddRoleRemoveRole
- Feast Core Data Model
- New table
- Users: Users table
- UserProjects: Relation between users & projects
Roles: Roles tableUserProjectRole: Relation between roles, users, and projects
- New classes
- Python SDK
- Addition of user auth configuration
- New methods:
- add_member()
- remove_member()
- list_members()
add_role()remove_role()
2. Objectives
The main objective of this issue is to finalize two proposals. The first is a "minimal" set of functionality that we want to support, and the second is a "full" set of functionality. Since Feast 0.5 is our next release, the priority is to finalize the implementation of the minimal release.
- Minimal: To implement a basic form of authentication in Feast 0.5.
- Full: Create an extensible/pluggable authentication & authorization system that supports multiple providers, can be used by both services and users, and covers ingestion, Core, and serving. No PR exists for this functionality yet.
3. Requirements (minimal release)
The following user stories should be supported as part of the first minimal release (Feast 0.5).
3.1 User stories
- As a Feast user, so that I can prevent other users from modifying my feature sets, I would like to have a way to prevent modification of feature sets by unauthorized users.
As a Feast user, so that I can prevent other users from seeing my feature sets, I would like to have a way to limit access to certain users to view my feature sets [Edit: Removing this story. It would be simpler to allow full view access]- As a Feast user, so that I can allow my team to modify/view my feature sets, I would like to have a way to selectively grant or revoke access to feature sets for specific users.
- As a Feast user, so that I can grant access to multiple feature sets in a project, I would like to manage access control to feature sets at the project level
- As a Feast user, so that Feast can uniquely identify me, I would like to be able to authenticate myself to Feast.
3.2 In Scope
- Authentication of users
- Management of membership of users to projects for the purposes of granting access to feature sets within those projects
- Project level access control (read vs write) based on membership of projects
3.3 Out of Scope
- Full authorization or RBAC.
- Stream, ingestion, and serving are also out of scope for the purposes of authentication and authorization.
- Full user management (create or remove users, or manage user profiles).
- JWT or functionality like sessions on user auth.
4. Open questions
- Which authentication frameworks or providers should be supported for Feast 0.5?
- Are there any frameworks or open source services that would make implementing authorization safer, especially offload the responsibility of managing user credentials?
- Do our long term and short term goals for both user authentication and authorization align?
- What should be in scope for authentication for Feast 0.5?
Creating this issue to track the discussion around user authentication & authorization.
1. Prior Art: Auth as proposed in the Feast Projects RFC
In the Feast: Projects RFC we proposed a basic form of authentication as a "minmal" implementation for Feast 0.5.
Overview
At a high level, this proposal adds user authentication based on a new user table that Feast maintains. No API is made available to manage the creation/removal of users, but the actions taken by users is on the Feast Core API is limited to the resources they have access to. Resource access is managed only based on membership of users to projects.
Note on Roles: "Roles" were originally proposed but will be delayed until a future release can implement them properly. Right now there is only a full "owner" role which is implicit. All users either have ownership of a project, or not.
Assumptions:
Out of scope:
Data model
API
AddRoleRemoveRoleRoles: Roles tableUserProjectRole: Relation between roles, users, and projectsRolesadd_role()remove_role()2. Objectives
The main objective of this issue is to finalize two proposals. The first is a "minimal" set of functionality that we want to support, and the second is a "full" set of functionality. Since Feast 0.5 is our next release, the priority is to finalize the implementation of the minimal release.
3. Requirements (minimal release)
The following user stories should be supported as part of the first minimal release (Feast 0.5).
3.1 User stories
As a Feast user, so that I can prevent other users from seeing my feature sets, I would like to have a way to limit access to certain users to view my feature sets[Edit: Removing this story. It would be simpler to allow full view access]3.2 In Scope
3.3 Out of Scope
4. Open questions