shohamyamin opened a new issue, #45215: URL: https://github.com/apache/doris/issues/45215

### Search before asking

- [X] I had searched in the [issues](https://github.com/apache/doris/issues?q=is%3Aissue) and found no similar issues.

### Description

Currently, Apache Doris supports a predefined authorization mechanism for queries and operations. However, many organizations require a more flexible and dynamic approach to authorization that can accommodate complex logic, such as **attribute-based access control (ABAC)**, or other policy-based controls.

This feature request proposes integrating **Open Policy Agent (OPA)** for authorization, enabling **live policy evaluation** during query execution. By leveraging OPA, Doris can support highly customizable and dynamic authorization logic tailored to various use cases.

### Benefits

1. **Flexibility in Authorization**: OPA allows organizations to define policies in Rego, a declarative language, which supports complex logic such as ABAC. Policies can evaluate attributes such as user roles, query context, resource metadata, and more.
2. **Real-Time Policy Evaluation**: This feature enables live authorization checks when a query is executed, ensuring the most up-to-date policies are enforced.
3. **Centralized Policy Management**: Organizations can manage and maintain authorization policies in a single location, improving governance and reducing duplication of efforts.
4. **Enhanced Security**: Fine-grained access control based on live policies helps prevent unauthorized access to sensitive data.

### Proposed Solution

1. **OPA Integration**: Doris will communicate with an OPA server to evaluate policies in real time.
   - During query execution, Doris sends relevant attributes (e.g., user info, query details, resource metadata) to OPA for evaluation.
   - OPA responds with a decision (`allow` or `deny`) based on the defined policies.
2. **Dynamic Policy Context**: Doris will collect contextual attributes dynamically for each query, such as:
   - User attributes (e.g., role, department).
   - Resource attributes (e.g., table metadata, data sensitivity level).
   - Query-specific attributes (e.g., query type, fields accessed).
3. **Policy Evaluation Flow**:
   - Before executing a query, Doris invokes the OPA API to evaluate the authorization policy.
   - The query proceeds only if OPA returns `allow`.
4. **Policy Definition**:
   - Administrators define policies in Rego and deploy them to the OPA server.
   - Example policy: Deny queries accessing sensitive tables unless the user has a specific attribute.

   ```rego
   package doris.auth

   default allow = false

   allow {
       input.user.role == "data_analyst"
       not input.resource.is_sensitive
   }
   ```

### Impact

Integrating OPA with live policy evaluation will significantly enhance Doris's authorization capabilities, making it a viable choice for organizations with complex security requirements.

### Additional Information

- [Open Policy Agent Documentation](https://www.openpolicyagent.org/docs/latest/)
- Similar Implementations: OPA has been successfully integrated with Trino

### Requested Support

1. Feedback on feasibility and potential challenges.
2. Collaboration to define the API contract between Doris and OPA.
3. Where to start?

### Use case

1. **ABAC**: Allow or deny access based on user attributes (e.g., department, role) and resource attributes (e.g., data sensitivity).
2. **Row-Level Security**: Dynamically filter rows based on policies evaluated by OPA.
3. **Time-Based Access**: Enforce policies like “users can only access data during business hours.”

### Related issues

_No response_

### Are you willing to submit PR?

- [X] Yes I am willing to submit a PR!

### Code of Conduct

- [X] I agree to follow this project's [Code of Conduct](https://www.apache.org/foundation/policies/conduct)

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
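
An added example, not part of the issue or of Doris: a sketch of the policy evaluation flow proposed above, calling OPA's Data API for the `doris.auth` package and failing closed when OPA is unreachable or the decision is undefined. The OPA address, the `query` and `table` field names, and every function name are assumptions; `user.role` and `resource.is_sensitive` come from the Rego policy in the issue.

```python
import json
import urllib.request

# Assumed local OPA address; the path mirrors `package doris.auth` and rule `allow`.
OPA_URL = "http://127.0.0.1:8181/v1/data/doris/auth/allow"

def build_input(user, resource, query):
    """Wrap the three attribute groups from the proposal in one OPA input document."""
    return {"input": {"user": user, "resource": resource, "query": query}}

def http_transport(payload, timeout=0.5):
    """POST the input document to OPA's Data API and return the decoded JSON reply."""
    req = urllib.request.Request(
        OPA_URL, data=json.dumps(payload).encode(),
        headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)

def is_allowed(user, resource, query, transport=http_transport):
    """Fail closed: only a literal JSON `true` result lets the query proceed."""
    try:
        reply = transport(build_input(user, resource, query))
    except (OSError, ValueError):
        return False  # OPA unreachable, timed out, or replied with non-JSON
    # OPA omits "result" when the rule is undefined (for example, policy not loaded).
    return isinstance(reply, dict) and reply.get("result") is True

def fake_opa(payload):
    """Constructed stand-in that mirrors the Rego policy above, for offline runs."""
    i = payload["input"]
    ok = (i["user"].get("role") == "data_analyst"
          and not i["resource"].get("is_sensitive"))
    return {"result": ok}

if __name__ == "__main__":
    analyst = {"role": "data_analyst", "department": "bi"}  # constructed sample
    select = {"type": "SELECT"}
    print(is_allowed(analyst, {"table": "sales", "is_sensitive": False}, select, fake_opa))
    print(is_allowed(analyst, {"table": "payroll", "is_sensitive": True}, select, fake_opa))
    print(is_allowed(analyst, {"table": "sales"}, select, lambda p: {}))
```

The injectable `transport` is what makes the sketch testable without a running OPA server; the default path uses the real HTTP call.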