Skip to content

fix: Denial by default to all resources when no permissions set #5663

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

fix: Denial by default to all resources when no permissions set #5663

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
48 changes: 39 additions & 9 deletions sdk/python/feast/permissions/enforcer.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -43,9 +43,9 @@ def enforce_policy(
# If no permissions are defined, deny access to all resources
# This is a security measure to prevent unauthorized access
logger.warning("No permissions defined - denying access to all resources")
if not filter_only:
raise FeastPermissionError("No permissions defined - access denied")
return []
raise FeastPermissionError(
"Permissions are not defined - access denied for all resources"
)

_permitted_resources: list[FeastObject] = []
for resource in resources:
Expand All @@ -71,17 +71,47 @@ def enforce_policy(

if evaluator.is_decided():
grant, explanations = evaluator.grant()
if not grant and not filter_only:
logger.error(f"Permission denied: {','.join(explanations)}")
raise FeastPermissionError(",".join(explanations))
if not grant:
if not filter_only:
logger.error(f"Permission denied: {','.join(explanations)}")
raise FeastPermissionError(",".join(explanations))
elif filter_only and not p.name_patterns:
logger.error(f"Permission denied: {','.join(explanations)}")
raise FeastPermissionError(",".join(explanations))
else:
continue
if grant:
logger.debug(
f"Permission granted for {type(resource).__name__}:{resource.name}"
)
_permitted_resources.append(resource)
break
else:
message = f"No permissions defined to manage {actions} on {type(resource)}/{resource.name}."
logger.exception(f"**PERMISSION NOT GRANTED**: {message}")
raise FeastPermissionError(message)
if not filter_only:
message = f"No permissions defined to manage {actions} on {type(resource)}/{resource.name}."
logger.exception(f"**PERMISSION NOT GRANTED**: {message}")
raise FeastPermissionError(message)
else:
# filter_only=True: Check if there are permissions for this resource type
resource_type_permissions = [
p
for p in permissions
if any(isinstance(resource, t) for t in p.types) # type: ignore
]
if not resource_type_permissions:
# No permissions exist for this resource type - should raise error
message = f"No permissions defined to manage {actions} on {type(resource)}/{resource.name}."
logger.exception(f"**PERMISSION NOT GRANTED**: {message}")
raise FeastPermissionError(message)
elif not any(p.name_patterns for p in resource_type_permissions):
# Permissions exist for this resource type but no name_patterns - should raise error
message = f"No permissions defined to manage {actions} on {type(resource)}/{resource.name}."
logger.exception(f"**PERMISSION NOT GRANTED**: {message}")
raise FeastPermissionError(message)
else:
# Permissions exist for this resource type with name_patterns - filter out this resource
logger.debug(
f"Filtering out {type(resource).__name__}:{resource.name} - no matching permissions"
)
continue
return _permitted_resources
Loading