Authentication and Authorization in Prefect OSS #20463
Unanswered
esisilvestri
asked this question in
General
Replies: 0 comments
While the Basic auth that was added is great, I think many users would like a more flexible system that also allows for either role-based or resource-based permissions. I wanted to start a discussion around how this could be implemented and wanted, as a first step, to share my thoughts on potential implementations (very high level).
In my opinion the authentication and authorization system has to be external to the Prefect API. Ideally we would have a base Authentication and base Authorization logic that can then be adapted by external providers. This could be something like Keycloak etc. which implement the necessary endpoints.
The Authorization logic should also be able to be used for the UI and the worker processes to make sure workers only access resources that they are allowed to access.
For authentication I was thinking of JWT, which would allow us to cache the JWKS keys in an external cache and validate the JWT locally on the Prefect server. For authorization I was thinking of resource-based permissions (think CASL for example).
What are other users' thoughts on this topic?
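A sketch of the resource-based check proposed in the post, in the style of CASL (last matching rule wins, `manage` and `all` act as wildcards, no match means deny). It is an added illustration, not Prefect code and not part of the original post. The claim layout, the resource field names and the names `Rule`, `can` and `rules_from_claims` are assumptions, and the claims are taken to come from a JWT whose signature, issuer and expiry have already been verified.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Rule:
    action: str                      # e.g. "read", "update", or "manage" (any action)
    subject: str                     # resource type, or "all" (any type)
    conditions: dict = field(default_factory=dict)  # equality match on resource fields
    inverted: bool = False           # True models a CASL "cannot" rule


def _matches(rule, action, subject, resource):
    if rule.action not in (action, "manage"):
        return False
    if rule.subject not in (subject, "all"):
        return False
    # Every condition must equal the corresponding field on the concrete resource.
    return all(resource.get(k) == v for k, v in rule.conditions.items())


def can(rules, action, subject, resource):
    """Return True if the action is allowed. Later rules override earlier ones."""
    for rule in reversed(rules):
        if _matches(rule, action, subject, resource):
            return not rule.inverted
    return False  # default deny when nothing matches


def rules_from_claims(claims):
    """Build rules from verified token claims (hypothetical 'permissions' claim)."""
    return [Rule(**r) for r in claims.get("permissions", [])]


# Constructed sample claims: a worker scoped to one work pool, and an admin.
WORKER_CLAIMS = {"sub": "worker-etl-1", "permissions": [
    {"action": "read", "subject": "work_pool", "conditions": {"name": "etl-pool"}},
    {"action": "read", "subject": "flow_run", "conditions": {"work_pool": "etl-pool"}},
    {"action": "update", "subject": "flow_run", "conditions": {"work_pool": "etl-pool"}},
]}
ADMIN_CLAIMS = {"sub": "admin", "permissions": [
    {"action": "manage", "subject": "all"},
    {"action": "delete", "subject": "work_pool",
     "conditions": {"name": "default"}, "inverted": True},
]}
```

The same `can` call could back the API, the UI and the worker paths, so that a worker token scoped to `etl-pool` is denied flow runs from any other pool.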