[discourse] Limit namespaces display with authz #4326
Originally posted by andi4000 on Discourse

Hello community, OPA noob here. With the following Rego policy

I was hoping to be able to see only both namespaces in the UI. But instead all namespaces are displayed ( Is it possible for the unauthorized namespaces not to be displayed in the UI? So the team member can only see the namespaces they own. Thanks!
Replies: 3 comments
Yes, it is possible to limit which namespaces are displayed in the UI using OPA policies in Flipt, but your policy needs to define a `viewable_namespaces` rule. Flipt's authorization engine uses this rule to determine which namespaces a user can see, and the API/UI should only show those namespaces.

Here's an example of how you can structure your Rego policy:

```rego
package flipt.authz.v1

import rego.v1

default allow := false

# Define which namespaces are viewable for the user
viewable_namespaces := ["default", "my-team"]

allow if {
    input.request.namespace in viewable_namespaces
}
```

Or, for more dynamic control (for example, based on user roles):

```rego
package flipt.authz.v1

import rego.v1

default allow := false

# Example: data.roles_to_namespaces = {"admin": ["default", "my-team"], "user": ["my-team"]}
viewable_namespaces contains namespace if {
    some role in input.roles
    some namespace in data.roles_to_namespaces[role]
}

allow if {
    input.request.namespace in viewable_namespaces
}
```

Flipt's backend will use the If you still see all namespaces, double-check that your policy includes the

To reply, just mention @dosu.
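As an added example (not part of the reply above and not Flipt's own code), the role-based policy can be checked for default-deny behavior with `opa test`. The test package name and the fixture values are assumptions; the input fields are the ones the policy itself reads. The tests exercise only the policy's `allow` decision and `viewable_namespaces` set, not what the UI lists.

```rego
package flipt.authz.v1_test

import rego.v1

import data.flipt.authz.v1 as authz

# Constructed fixture, same shape as the comment in the role-based policy.
roles_to_namespaces := {"admin": ["default", "my-team"], "user": ["my-team"]}

# A role's namespaces are collected into the viewable set.
test_admin_viewable_set if {
    authz.viewable_namespaces == {"default", "my-team"} with input as {"roles": ["admin"]}
        with data.roles_to_namespaces as roles_to_namespaces
}

test_user_allowed_in_own_namespace if {
    authz.allow with input as {"roles": ["user"], "request": {"namespace": "my-team"}}
        with data.roles_to_namespaces as roles_to_namespaces
}

test_user_denied_in_other_namespace if {
    not authz.allow with input as {"roles": ["user"], "request": {"namespace": "default"}}
        with data.roles_to_namespaces as roles_to_namespaces
}

# A role missing from the mapping contributes no namespaces, so the request is denied.
test_unknown_role_denied if {
    not authz.allow with input as {"roles": ["guest"], "request": {"namespace": "my-team"}}
        with data.roles_to_namespaces as roles_to_namespaces
}

# No roles in the input: the viewable set is empty and the default applies.
test_missing_roles_denied if {
    not authz.allow with input as {"request": {"namespace": "my-team"}}
        with data.roles_to_namespaces as roles_to_namespaces
}

# No namespace in the request: the membership check is undefined, so deny.
test_missing_namespace_denied if {
    not authz.allow with input as {"roles": ["admin"], "request": {}}
        with data.roles_to_namespaces as roles_to_namespaces
}
```

Save the policy and this file in the same directory and run `opa test .` there.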
Reply from erka on Discourse:

Hey @andi4000,

Unfortunately, it isn’t implemented. Please create an issue in GitHub about it.
Reply from andi4000 on Discourse:

Got it, will do. Thanks!

edit: created the issue here Restrict namespace listing based on user authorization · Issue #3686 · flipt-io/flipt · GitHub