Feathr Registry Access Control

A project-level role-based access control (RBAC) plugin is available to help you manage who has access to the Feathr Registry.

It provides a simple authorization system built on OAuth tokens, with a SQL database as backend storage for the user-role records.

How does Registry Access Control work?

With Registry Access Control, you can

  • Share your project metadata (read-only) by assigning the consumer role.
  • Invite contributors to update features in this project by assigning the producer role.
  • Transfer project administration by assigning the admin role.

For an explanation of the admin, producer and consumer roles, refer to the Role section.

Scope

A scope is the set of resources that a permission applies to. In Feathr, you can specify a scope at two levels: global and project. Lower levels inherit role permissions from higher levels, so a role assigned at global scope applies to every project.

flowchart TD
    A[Global] --> B[Project A];
    A[Global] --> C[Project B];
    A[Global] --> D[...Project N];

When you specify the scope in a role assignment, use global for global-level scope and the project name ({project name}) for project-level scope.

Feature level access control is NOT supported yet. Users are encouraged to group features with similar access control rules in one project.

Role

A role is a collection of permissions. There are 3 built-in roles with different permissions:

| Role     | Description                | Permissions         |
| -------- | -------------------------- | ------------------- |
| Admin    | The owner of project       | Read, Write, Manage |
| Producer | The contributor of project | Read, Write         |
| Consumer | The reader of project      | Read                |

Permission

A permission is a certain kind of access to registry metadata or to role assignment records:

| Permission | Description                                                    |
| ---------- | -------------------------------------------------------------- |
| Read       | Read registry metadata; GET Registry APIs                      |
| Write      | Write registry metadata; POST Registry APIs                    |
| Manage     | Create and manage role assignment records with management APIs |

User

A user can be an email account or an Azure AppId.

All Registry API requests require a token in the request header to identify the requester and validate the permission.

  • Feathr UI uses the ID token of the logged-in account; the token is acquired automatically with @azure/msal-browser.
  • Feathr Client lets users pass their own credentials.
  • For example, the Feathr samples obtain a token with DefaultAzureCredential().

If you get a 401 or 500 response, first check that the token you are sending is valid: present in the header, not expired, and issued for the registry.

AAD Group is NOT supported yet.
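The following is an added example for triaging the 401/500 case above; it is not Feathr's own code. It decodes the bearer token's claims locally (without verifying the signature, which is the registry gateway's job) so you can see at once whether the token is missing, expired, or issued for the wrong audience. The `expected_audience` value and the sample claims are assumptions constructed for the demonstration; replace the audience with the one configured for your registry deployment.

```python
"""Local sanity check of a bearer token before calling Registry APIs.
Added example, not part of Feathr. It does NOT verify the signature; it only
decodes the claims to explain a likely 401. The expected audience is an
assumption you must replace with your registry's configured audience."""
import base64
import json
import time
from typing import Dict, Optional, Tuple


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_claims(token: str) -> dict:
    """Return the JWT payload WITHOUT verifying the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def check_token(token: str, expected_audience: str,
                now: Optional[float] = None) -> Tuple[bool, str]:
    """Explain why the registry will probably reject this token.

    A passing result only means the claims look usable; the signature is
    still unchecked here, so this never replaces verification at the gateway."""
    now = time.time() if now is None else now
    if not token:
        return False, "no token supplied; send an Authorization: Bearer header"
    try:
        claims = decode_claims(token)
    except ValueError:  # covers binascii.Error, JSONDecodeError, UnicodeDecodeError
        return False, "token is not a decodable JWT"
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return False, f"token expired or has no exp (exp={exp!r}); re-acquire credentials"
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if expected_audience not in audiences:
        return False, f"audience {aud!r} does not match expected {expected_audience!r}"
    return True, "claims look usable (signature not checked here)"


def auth_header(token: str) -> Dict[str, str]:
    """Header shape the registry expects for the token."""
    return {"Authorization": f"Bearer {token}"}


def make_sample_token(claims: dict) -> str:
    """Construct an UNSIGNED sample token for offline demonstration only.
    The signature segment is a placeholder, which is exactly why check_token
    must not be mistaken for validation."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.{_b64url_encode(b'not-a-real-signature')}"


if __name__ == "__main__":
    # Constructed sample claims; the audience is an assumed placeholder.
    sample = make_sample_token({"aud": "api://feathr-registry", "exp": 2_000_000_000,
                                "upn": "alice@example.com"})
    print(check_token(sample, "api://feathr-registry"))
    print(check_token(sample, "api://feathr-registry", now=2_000_000_001))
```

Run `check_token` on the exact string you put in the `Authorization` header. If it reports an expiry or audience problem, re-acquire the token (for example with `DefaultAzureCredential()` for the right scope) before looking further at the registry side.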

Role Assignment

A role assignment is the act of adding a user-role mapping record to the backend storage table.

The Feature Registry section briefly introduced the access control management page, where project admins manage role assignments. The management APIs are deliberately not exposed in the Feathr Client, so that the control plane (role management) stays separate from the data plane (feature metadata access).
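The following is an added example, not Feathr's own registry code, that ties together the Scope, Role, Permission and Role Assignment sections: user-role records go into a SQL table, and an authorization check resolves a user's effective permissions for a project by combining the project-scope records with the global-scope ones (the inheritance described under Scope). The `userrole` column names (`user_name`, `project_name`, `role_name`) and the sample accounts are assumptions made for the demonstration; use the project's RBAC schema for a real deployment.

```python
"""Resolving effective permissions from user-role records (added example,
not Feathr's implementation). Column names of the userrole table are assumed."""
import sqlite3
from typing import Dict, FrozenSet

GLOBAL_SCOPE = "global"  # scope value used for global-level assignments

# Built-in roles and their permissions, as listed in the Role table.
ROLE_PERMISSIONS: Dict[str, FrozenSet[str]] = {
    "admin": frozenset({"read", "write", "manage"}),
    "producer": frozenset({"read", "write"}),
    "consumer": frozenset({"read"}),
}

# Permission each kind of request needs (GET -> Read, POST -> Write,
# management APIs -> Manage), as in the Permission table.
REQUIRED_PERMISSION = {"GET": "read", "POST": "write", "MANAGE": "manage"}


def create_userrole_table(conn: sqlite3.Connection) -> None:
    """Minimal user-role mapping table; column names are assumed here."""
    conn.execute(
        """CREATE TABLE IF NOT EXISTS userrole (
               user_name    TEXT NOT NULL,
               project_name TEXT NOT NULL,
               role_name    TEXT NOT NULL,
               PRIMARY KEY (user_name, project_name, role_name)
           )"""
    )


def assign_role(conn: sqlite3.Connection, user: str, scope: str, role: str) -> None:
    """A role assignment is one user-role mapping record.
    `scope` is "global" or a project name. Names are lower-cased so that case
    variants of the same account do not become separate records."""
    if role not in ROLE_PERMISSIONS:
        raise ValueError(f"unknown role: {role}")
    conn.execute(
        "INSERT OR IGNORE INTO userrole (user_name, project_name, role_name)"
        " VALUES (?, ?, ?)",
        (user.lower(), scope.lower(), role),
    )


def effective_permissions(conn: sqlite3.Connection, user: str, project: str) -> FrozenSet[str]:
    """Union of permissions from project-scope and global-scope assignments:
    the project level inherits whatever was granted at global level.
    The query is parameterized; never build it from caller-supplied names."""
    rows = conn.execute(
        "SELECT role_name FROM userrole WHERE user_name = ? AND project_name IN (?, ?)",
        (user.lower(), project.lower(), GLOBAL_SCOPE),
    ).fetchall()
    perms = set()
    for (role,) in rows:
        perms |= ROLE_PERMISSIONS.get(role, frozenset())
    return frozenset(perms)


def is_allowed(conn: sqlite3.Connection, user: str, project: str, request: str) -> bool:
    """Authorization decision for one request against one project.
    Unknown request kinds are denied rather than mapped to a default."""
    required = REQUIRED_PERMISSION.get(request.upper())
    if required is None:
        return False
    return required in effective_permissions(conn, user, project)


def demo() -> Dict[str, bool]:
    """Constructed sample assignments (not real accounts) exercising inheritance."""
    conn = sqlite3.connect(":memory:")
    create_userrole_table(conn)
    assign_role(conn, "alice@example.com", GLOBAL_SCOPE, "admin")   # admin everywhere
    assign_role(conn, "bob@example.com", "project_a", "producer")   # writes project_a only
    assign_role(conn, "carol@example.com", "project_a", "consumer") # reads project_a only
    return {
        "alice_manage_project_b": is_allowed(conn, "alice@example.com", "project_b", "MANAGE"),
        "bob_write_project_a": is_allowed(conn, "bob@example.com", "project_a", "POST"),
        "bob_manage_project_a": is_allowed(conn, "bob@example.com", "project_a", "MANAGE"),
        "carol_read_project_a": is_allowed(conn, "carol@example.com", "project_a", "GET"),
        "carol_write_project_a": is_allowed(conn, "carol@example.com", "project_a", "POST"),
        "carol_read_project_b": is_allowed(conn, "carol@example.com", "project_b", "GET"),
    }


if __name__ == "__main__":
    for check, allowed in demo().items():
        print(f"{check}: {'allowed' if allowed else 'denied'}")
```

Two points worth noting in the check: a global-scope admin (alice) can manage a project that has no record of its own, which is the inheritance rule, and a project-scope consumer (carol) gets nothing on other projects, which is why the page recommends grouping features with the same access rules into one project.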

How to enable Registry Access Control?

The Azure Resource Provisioning section has detailed instructions on resource provisioning. To enable RBAC specifically, you need to manually:

  1. Choose Yes for Enable RBAC in the ARM template, and provision the resources.
  2. Create a userrole table in the provisioned SQL database using the RBAC schema.
  3. Initialize the userrole table using the commands in the test data.
  4. Log in to the Web UI and navigate to the management page; the roles you initialized in step 3 should appear in the table.

For more details, please refer to the Feathr Registry Access Control Gateway Specifications.