Integrating OPA/openFGA for ABAC and Column-Level Access in Gravitino #7161
Hi Gravitino Team/Community,

I’m evaluating Gravitino’s capabilities for enforcing fine-grained access control, such as restricting access to specific columns in a table using Attribute-Based Access Control (ABAC).

- Does Gravitino natively support ABAC policies (e.g., using user/role attributes to dynamically restrict access to columns)?
- For external policy engines, is there documented support for integrating Open Policy Agent (OPA) or OpenFGA to enforce ABAC rules? For example:
  - Using OPA’s Rego policies to filter accessible columns based on user attributes.
  - Leveraging OpenFGA’s relationship-based authorization for column-level permissions.
- Are there examples or guidance for configuring Gravitino connectors (e.g., Trino/Spark) to work with OPA/openFGA for such use cases?

Any insights into best practices, limitations, or roadmap plans for these integrations would be invaluable.

Thank you for your time and expertise!
Hello, we don't support the ABAC model now. But ABAC is on our roadmap. We have started some work on policies.
You can find #7139
For external authorization systems, we provide a mechanism called the authorization plugin to integrate them. You can see https://github.com/apache/gravitino/blob/main/docs/security/authorization-pushdown.md