Flyte Admin RBAC + Project/Domain Isolation #6190

Open
wants to merge 8 commits into
base: master

Sovietaced
Contributor

@Sovietaced Sovietaced commented Jan 24, 2025

Tracking issue

Closes:

Related: #5871

Why are the changes needed?

See: #5871

What changes were proposed in this pull request?

This pull request adds an optional rbac/authorization interceptor. This interceptor does the following:

  1. Attempts to derive roles from the tokens based on the configuration.
  2. Evaluates whether the target RPC is allowed to be called based on the authorization policy rules associated with any matching roles.
  3. Generates an isolation context (i.e. what is the user's resource scope based on their roles) and adds that to the Go context for use in the DB layer.

This pull request also modified the DB layer such that mutative operations on resources are validated against the isolation context scope (if present) and filters resources based on the isolation context scope (if present). There are key implementation details where where clauses are carefully injected into queries being made against the DB.

How was this patch tested?

Unit tests. I could add unit tests to the DB layer but this would require a lot of coverage.

Hasn't been tested end to end yet.

Setup process

Screenshots

Check all the applicable boxes

  • I updated the documentation accordingly.
  • All new and existing tests passed.
  • All commits are signed-off.

Related PRs

Docs link

Summary by Bito

This PR implements Role-Based Access Control (RBAC) and resource isolation in Flyte Admin, introducing an authorization interceptor for validating user roles and permissions. The implementation includes configuration structures, command-line flags, and deployment updates across different environments. The changes enable fine-grained access control at project and domain levels, with support for bypass patterns and flexible role resolution mechanisms.

Unit tests added: True

Estimated effort to review (1-5, lower is better): 5
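
The three interceptor steps from the description (roles from the token, rule check against the RPC method, isolation scopes out), written with the standard library only. This is an added example, not code from the pull request: Scope, Rule, Authorizer, the /example.AdminService/... method names and the project/domain values are constructed, and anchoring the patterns and denying by default are assumptions of the example.

```go
package main

import (
	"fmt"
	"regexp"
)

// Scope, Rule and Authorizer are hypothetical types for this example, not the
// ones defined in the pull request. An empty Domain means every domain.
type Scope struct{ Project, Domain string }

type Rule struct {
	MethodPattern string
	Scopes        []Scope
	re            *regexp.Regexp // filled in by NewAuthorizer
}

type Authorizer struct {
	bypass []*regexp.Regexp
	roles  map[string][]Rule
}

// compileAnchored validates p on its own, then anchors it to the whole method
// name; unanchored, MatchString accepts a match anywhere in the string.
func compileAnchored(p string) (*regexp.Regexp, error) {
	if _, err := regexp.Compile(p); err != nil {
		return nil, err
	}
	return regexp.Compile("^(?:" + p + ")$")
}

// NewAuthorizer compiles every pattern once, so a bad pattern stops startup
// instead of surfacing on the first request that reaches it.
func NewAuthorizer(bypass []string, policy map[string][]Rule) (*Authorizer, error) {
	a := &Authorizer{roles: make(map[string][]Rule)}
	for _, p := range bypass {
		re, err := compileAnchored(p)
		if err != nil {
			return nil, fmt.Errorf("bypass pattern %q: %w", p, err)
		}
		a.bypass = append(a.bypass, re)
	}
	for role, rules := range policy {
		for _, r := range rules {
			var err error
			if r.re, err = compileAnchored(r.MethodPattern); err != nil {
				return nil, fmt.Errorf("role %q, pattern %q: %w", role, r.MethodPattern, err)
			}
			a.roles[role] = append(a.roles[role], r)
		}
	}
	return a, nil
}

// Authorize returns the isolation scopes for the call and whether it may
// proceed. Bypassed methods proceed with nil scopes (no isolation context);
// a caller whose roles yield no scopes for the method is denied.
func (a *Authorizer) Authorize(method string, tokenRoles []string) ([]Scope, bool) {
	for _, re := range a.bypass {
		if re.MatchString(method) {
			return nil, true
		}
	}
	var scopes []Scope
	for _, role := range tokenRoles {
		for _, r := range a.roles[role] {
			if r.re.MatchString(method) {
				scopes = append(scopes, r.Scopes...)
			}
		}
	}
	return scopes, len(scopes) > 0
}

func main() {
	a, err := NewAuthorizer([]string{`/grpc\.health\.v1\.Health/Check`}, map[string][]Rule{
		"viewer": {{MethodPattern: `/example\.AdminService/(Get|List).*`, Scopes: []Scope{{"flytesnacks", "development"}}}},
	})
	if err != nil {
		panic(err)
	}
	fmt.Println(a.Authorize("/example.AdminService/GetExecution", []string{"viewer"}))
	fmt.Println(a.Authorize("/example.AdminService/CreateExecution", []string{"viewer"}))
}
```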

@flyte-bot
Collaborator

Code Review Agent Run Status

  • Limitations and other issues: ❌ Failure - The AI Code Review Agent skipped reviewing this change because it is configured to exclude certain pull requests based on the source/target branch or the pull request status. You can change the settings here, or contact the agent instance creator at [email protected].


codecov bot commented Jan 24, 2025

Codecov Report

Attention: Patch coverage is 44.05738% with 273 lines in your changes missing coverage. Please review.

Project coverage is 33.84%. Comparing base (37386ba) to head (d3ddd31).

Files with missing lines Patch % Lines
flyteadmin/pkg/manager/impl/util/filters.go 0.00% 58 Missing ⚠️
flyteadmin/pkg/common/filters.go 0.00% 27 Missing ⚠️
flyteadmin/auth/interceptors/rbac.go 81.29% 18 Missing and 8 partials ⚠️
...teadmin/pkg/repositories/gormimpl/resource_repo.go 26.66% 16 Missing and 6 partials ⚠️
...n/pkg/repositories/gormimpl/node_execution_repo.go 29.16% 14 Missing and 3 partials ⚠️
flyteadmin/auth/config/config.go 0.00% 16 Missing ⚠️
...dmin/pkg/repositories/gormimpl/launch_plan_repo.go 33.33% 11 Missing and 5 partials ⚠️
flyteadmin/pkg/server/service.go 0.00% 15 Missing ⚠️
...eadmin/pkg/repositories/gormimpl/execution_repo.go 52.38% 7 Missing and 3 partials ⚠️
...yteadmin/pkg/repositories/gormimpl/project_repo.go 37.50% 7 Missing and 3 partials ⚠️
... and 9 more
Additional details and impacted files
@@            Coverage Diff             @@
##           master    #6190      +/-   ##
==========================================
+ Coverage   33.82%   33.84%   +0.02%     
==========================================
  Files        1329     1332       +3     
  Lines      147808   148260     +452     
==========================================
+ Hits        49999    50184     +185     
- Misses      92967    93188     +221     
- Partials     4842     4888      +46     
Flag Coverage Δ
unittests-datacatalog 48.01% <ø> (ø)
unittests-flyteadmin 49.94% <44.05%> (-0.17%) ⬇️
unittests-flytecopilot 30.99% <ø> (ø)
unittests-flytectl 58.14% <ø> (+0.04%) ⬆️
unittests-flyteidl 6.78% <ø> (ø)
unittests-flyteplugins 49.01% <ø> (ø)
unittests-flytepropeller 36.52% <ø> (ø)
unittests-flytestdlib 50.38% <ø> (ø)


@flyte-bot
Collaborator

flyte-bot commented Feb 6, 2025

Code Review Agent Run Status

  • Limitations and other issues: ❌ Failure - The AI Code Review Agent was unable to review this change due to a technical failure. Please contact Bito support [email protected] and provide the following details:

    Agent Run ID: 19205245-41f1-4fd3-b593-95ed9e3c97ec


@Sovietaced Sovietaced changed the title Flyte Admin RBAC + Project/Domain Isolation [WIP] Flyte Admin RBAC + Project/Domain Isolation Feb 27, 2025
@Sovietaced Sovietaced added the added Merged changes that add new functionality label Feb 27, 2025
@Sovietaced Sovietaced marked this pull request as ready for review February 27, 2025 21:00
return scopes
}

func (a *ResourceIsolationFilter) toDbScopes(resourceScope isolation.ResourceScope) func(db *gorm.DB) *gorm.DB {
Contributor Author

One key implementation detail is that we use GORM's scopes in order to dynamically alter queries: https://gorm.io/docs/advanced_query.html#Scopes

}).Take(&execution)
})
if isolationFilter != nil {
cleanSession := tx.Session(&gorm.Session{NewDB: true})
Contributor Author

Another key implementation detail is that a new session must be declared on the transaction in order to properly separate the newly injected where clauses within parentheses. If this is not done we've seen gorm try and be smart and combine/deduplicate clauses which causes bugs.
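
The grouping this comment is after, shown as plain SQL text built with the standard library rather than through GORM. This is an added example, not code from the pull request: Scope, Columns, IsolationClause, Where and the column, project and domain names are hypothetical, and reading a nil scope list as "no isolation context" is an assumption.

```go
package main

import (
	"fmt"
	"strings"
)

// Scope is a hypothetical isolation scope; an empty Domain means every domain.
type Scope struct{ Project, Domain string }

// Columns names the project and domain columns of the table being queried.
// Domain is empty for tables that only carry a project column. The names come
// from code, never from the request, because identifiers cannot be bound.
type Columns struct{ Project, Domain string }

// IsolationClause renders the caller's scopes as one parenthesised predicate.
//   - nil scopes: no isolation context on the request, nothing is added.
//   - scopes that grant nothing: match no rows rather than all rows.
func IsolationClause(scopes []Scope, c Columns) (string, []any) {
	if scopes == nil {
		return "", nil
	}
	var ors []string
	var args []any
	for _, s := range scopes {
		switch {
		case s.Project == "":
			continue // a scope without a project grants nothing here
		case s.Domain == "" || c.Domain == "":
			ors = append(ors, c.Project+" = ?")
			args = append(args, s.Project)
		default:
			ors = append(ors, "("+c.Project+" = ? AND "+c.Domain+" = ?)")
			args = append(args, s.Project, s.Domain)
		}
	}
	if len(ors) == 0 {
		return "(1 = 0)", nil
	}
	return "(" + strings.Join(ors, " OR ") + ")", args
}

// Where ANDs the request's own filter with the isolation predicate. Both
// sides are wrapped: AND binds tighter than OR in SQL, so an unwrapped
// "a OR b AND scope" would let rows matching "a" skip the scope check.
func Where(filter string, filterArgs []any, scopes []Scope, c Columns) (string, []any) {
	iso, isoArgs := IsolationClause(scopes, c)
	switch {
	case iso == "":
		return filter, filterArgs
	case filter == "":
		return iso, isoArgs
	}
	args := append(append([]any{}, filterArgs...), isoArgs...)
	return "(" + filter + ") AND " + iso, args
}

func main() {
	// Constructed scopes: one project/domain pair and one whole project.
	scopes := []Scope{{"flytesnacks", "development"}, {"ml-platform", ""}}
	cols := Columns{Project: "project", Domain: "domain"}
	sql, args := Where("phase = ? OR name = ?", []any{"FAILED", "train"}, scopes, cols)
	fmt.Println(sql, args)
}
```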

Signed-off-by: Jason Parraga <[email protected]>
@flyte-bot
Collaborator

flyte-bot commented Feb 27, 2025

Code Review Agent Run #c2b01c

Actionable Suggestions - 18
  • deployment/gcp/flyte_helm_controlplane_generated.yaml - 1
  • flyteadmin/pkg/repositories/gormimpl/workflow_repo.go - 1
    • Consider adding error handling for isolation · Line 126-127
  • flyteadmin/auth/config/config_flags.go - 1
    • Consider adding regex pattern validation · Line 87-90
  • flyteadmin/pkg/repositories/gormimpl/resource_repo.go - 1
  • charts/flyte-core/values.yaml - 1
  • flyteadmin/auth/interceptors/rbac.go - 1
  • flyteadmin/pkg/server/service.go - 1
  • deployment/eks/flyte_helm_controlplane_generated.yaml - 1
  • deployment/sandbox/flyte_helm_generated.yaml - 1
  • deployment/eks/flyte_aws_scheduler_helm_generated.yaml - 1
    • Consider enabling RBAC for defined policies · Line 151-151
  • flyteadmin/pkg/repositories/gormimpl/description_entity_repo.go - 1
    • Consider adding error handling for isolation · Line 39-40
  • deployment/gcp/flyte_helm_generated.yaml - 1
  • flyteadmin/pkg/repositories/gormimpl/project_repo.go - 2
    • Missing error handling for isolation filter · Line 71-71
    • Context propagation in new DB session · Line 52-53
  • flyteadmin/auth/config/config.go - 2
  • deployment/eks/flyte_helm_generated.yaml - 1
  • flyteadmin/pkg/repositories/gormimpl/node_execution_repo.go - 1
    • Consider context propagation in new session · Line 96-97
Additional Suggestions - 10
  • flyteadmin/pkg/repositories/gormimpl/named_entity_repo.go - 1
    • Consider error handling for GetIsolationFilter · Line 198-199
  • flyteadmin/pkg/repositories/gormimpl/execution_event_repo.go - 1
    • Consider moving validation to service layer · Line 22-22
  • flyteadmin/auth/config/config_flags_test.go - 1
    • Consider table-driven tests for RBAC flags · Line 578-633
  • flyteadmin/pkg/repositories/gormimpl/resource_repo.go - 4
  • flyteadmin/pkg/repositories/gormimpl/task_execution_repo.go - 3
    • Consider adding error context for filtering · Line 98-100
    • Consider adding error context for filtering · Line 31-33
    • Consider reordering isolation filter application · Line 179-180
Review Details
  • Files reviewed - 34 · Commit Range: f2aaeb2..d3ddd31
    • charts/flyte-core/values.yaml
    • deployment/eks/flyte_aws_scheduler_helm_generated.yaml
    • deployment/eks/flyte_helm_controlplane_generated.yaml
    • deployment/eks/flyte_helm_generated.yaml
    • deployment/gcp/flyte_helm_controlplane_generated.yaml
    • deployment/gcp/flyte_helm_generated.yaml
    • deployment/sandbox/flyte_helm_generated.yaml
    • docker/sandbox-bundled/manifests/complete-agent.yaml
    • docker/sandbox-bundled/manifests/complete.yaml
    • docker/sandbox-bundled/manifests/dev.yaml
    • flyteadmin/auth/config/config.go
    • flyteadmin/auth/config/config_flags.go
    • flyteadmin/auth/config/config_flags_test.go
    • flyteadmin/auth/interceptors/interceptorstest/test_utils.go
    • flyteadmin/auth/interceptors/rbac.go
    • flyteadmin/auth/interceptors/rbac_test.go
    • flyteadmin/auth/isolation/isolation_context.go
    • flyteadmin/pkg/common/filters.go
    • flyteadmin/pkg/manager/impl/util/filters.go
    • flyteadmin/pkg/repositories/gormimpl/common.go
    • flyteadmin/pkg/repositories/gormimpl/description_entity_repo.go
    • flyteadmin/pkg/repositories/gormimpl/execution_event_repo.go
    • flyteadmin/pkg/repositories/gormimpl/execution_repo.go
    • flyteadmin/pkg/repositories/gormimpl/launch_plan_repo.go
    • flyteadmin/pkg/repositories/gormimpl/named_entity_repo.go
    • flyteadmin/pkg/repositories/gormimpl/node_execution_event_repo.go
    • flyteadmin/pkg/repositories/gormimpl/node_execution_repo.go
    • flyteadmin/pkg/repositories/gormimpl/project_repo.go
    • flyteadmin/pkg/repositories/gormimpl/resource_repo.go
    • flyteadmin/pkg/repositories/gormimpl/signal_repo.go
    • flyteadmin/pkg/repositories/gormimpl/task_execution_repo.go
    • flyteadmin/pkg/repositories/gormimpl/task_repo.go
    • flyteadmin/pkg/repositories/gormimpl/workflow_repo.go
    • flyteadmin/pkg/server/service.go
  • Files skipped - 1
    • charts/flyte-core/README.md - Reason: Filter setting
  • Tools
    • Golangci-lint (Linter) - ✖︎ Failed
    • Whispers (Secret Scanner) - ✔︎ Successful
    • Detect-secrets (Secret Scanner) - ✔︎ Successful


@flyte-bot
Collaborator

Changelist by Bito

This pull request implements the following key changes.

Key Change Files Impacted
New Feature - RBAC Authorization Implementation

rbac_test.go - Added comprehensive test suite for RBAC authorization interceptor

isolation_context.go - Implemented isolation context for managing resource scopes

service.go - Added RBAC authorization interceptor to gRPC server setup

Feature Improvement - Database Layer Authorization

filters.go - Added resource isolation filter implementation for database queries

filters.go - Added utility functions for handling resource isolation and authorization

common.go - Updated filter application logic to include isolation filters

description_entity_repo.go - Added resource isolation to description entity operations

execution_event_repo.go - Added resource mutation filtering for execution events

execution_repo.go - Implemented resource isolation for execution operations

launch_plan_repo.go - Added resource isolation to launch plan operations

named_entity_repo.go - Implemented resource isolation for named entity operations

node_execution_event_repo.go - Added resource mutation filtering for node execution events

node_execution_repo.go - Added resource isolation to node execution operations

project_repo.go - Implemented resource isolation for project operations

resource_repo.go - Added resource isolation to resource operations

signal_repo.go - Implemented resource isolation for signal operations

task_execution_repo.go - Added resource isolation to task execution operations

task_repo.go - Implemented resource isolation for task operations

workflow_repo.go - Added resource isolation to workflow operations

Comment on lines +126 to +127
isolationFilter := util.GetIsolationFilter(ctx, isolation.DomainTargetResourceScopeDepth, workflowColumnNames)
tx, err := applyFilters(tx, input.InlineFilters, input.MapFilters, isolationFilter)
Collaborator

Consider adding error handling for isolation

Consider adding error handling for the GetIsolationFilter() call. While the function may not return an error currently, it's good practice to handle potential errors from security-related functions.

Code suggestion
Check the AI-generated fix before applying
Suggested change
isolationFilter := util.GetIsolationFilter(ctx, isolation.DomainTargetResourceScopeDepth, workflowColumnNames)
tx, err := applyFilters(tx, input.InlineFilters, input.MapFilters, isolationFilter)
isolationFilter, err := util.GetIsolationFilter(ctx, isolation.DomainTargetResourceScopeDepth, workflowColumnNames)
if err != nil {
return interfaces.WorkflowCollectionOutput{}, err
}
tx, err = applyFilters(tx, input.InlineFilters, input.MapFilters, isolationFilter)

Code Review Run #c2b01c



Comment on lines +87 to +90
cmdFlags.Bool(fmt.Sprintf("%v%v", prefix, "rbac.enabled"), DefaultConfig.Rbac.Enabled, "Enables RBAC.")
cmdFlags.StringSlice(fmt.Sprintf("%v%v", prefix, "rbac.bypassMethodPatterns"), DefaultConfig.Rbac.BypassMethodPatterns, "List of regex patterns to match against method names to bypass RBAC.")
cmdFlags.Bool(fmt.Sprintf("%v%v", prefix, "rbac.tokenScopeRoleResolver.enabled"), DefaultConfig.Rbac.TokenScopeRoleResolver.Enabled, "Enables token scope based role resolution.")
cmdFlags.Bool(fmt.Sprintf("%v%v", prefix, "rbac.tokenClaimRoleResolver.enabled"), DefaultConfig.Rbac.TokenClaimRoleResolver.Enabled, "Enables token claim based role resolution.")
Collaborator

Consider adding regex pattern validation

Consider adding validation for rbac.bypassMethodPatterns to ensure valid regex patterns. Invalid regex patterns could cause runtime errors when attempting pattern matching.

Code suggestion
Check the AI-generated fix before applying
Suggested change
cmdFlags.Bool(fmt.Sprintf("%v%v", prefix, "rbac.enabled"), DefaultConfig.Rbac.Enabled, "Enables RBAC.")
cmdFlags.StringSlice(fmt.Sprintf("%v%v", prefix, "rbac.bypassMethodPatterns"), DefaultConfig.Rbac.BypassMethodPatterns, "List of regex patterns to match against method names to bypass RBAC.")
cmdFlags.Bool(fmt.Sprintf("%v%v", prefix, "rbac.tokenScopeRoleResolver.enabled"), DefaultConfig.Rbac.TokenScopeRoleResolver.Enabled, "Enables token scope based role resolution.")
cmdFlags.Bool(fmt.Sprintf("%v%v", prefix, "rbac.tokenClaimRoleResolver.enabled"), DefaultConfig.Rbac.TokenClaimRoleResolver.Enabled, "Enables token claim based role resolution.")
cmdFlags.Bool(fmt.Sprintf("%v%v", prefix, "rbac.enabled"), DefaultConfig.Rbac.Enabled, "Enables RBAC.")
bypassPatterns := cmdFlags.StringSlice(fmt.Sprintf("%v%v", prefix, "rbac.bypassMethodPatterns"), DefaultConfig.Rbac.BypassMethodPatterns, "List of regex patterns to match against method names to bypass RBAC.")
cmdFlags.VisitAll(func(f *pflag.Flag) {
if f.Name == fmt.Sprintf("%v%v", prefix, "rbac.bypassMethodPatterns") {
f.Validate = func(val string) error {
_, err := regexp.Compile(val)
return err
}
}
})
cmdFlags.Bool(fmt.Sprintf("%v%v", prefix, "rbac.tokenScopeRoleResolver.enabled"), DefaultConfig.Rbac.TokenScopeRoleResolver.Enabled, "Enables token scope based role resolution.")
cmdFlags.Bool(fmt.Sprintf("%v%v", prefix, "rbac.tokenClaimRoleResolver.enabled"), DefaultConfig.Rbac.TokenClaimRoleResolver.Enabled, "Enables token claim based role resolution.")

Code Review Run #c2b01c



Comment on lines +214 to +215
cleanSession := tx.Session(&gorm.Session{NewDB: true})
tx = tx.Where(cleanSession.Scopes(isolationFilter.GetScopes()...))
Collaborator

Context propagation in new db session

Consider using tx.WithContext(ctx) when creating a new session to ensure context propagation. The current implementation may lose context information when creating a new session.

Code suggestion
Check the AI-generated fix before applying
Suggested change
cleanSession := tx.Session(&gorm.Session{NewDB: true})
tx = tx.Where(cleanSession.Scopes(isolationFilter.GetScopes()...))
cleanSession := tx.Session(&gorm.Session{NewDB: true}).WithContext(ctx)
tx = tx.Where(cleanSession.Scopes(isolationFilter.GetScopes()...))

Code Review Run #c2b01c



Comment on lines +196 to +197
func ruleMatchesRequest(rule config.Rule, info *grpc.UnaryServerInfo) (bool, error) {
pattern, err := regexp.Compile(rule.MethodPattern)
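
Review bot: regexp.Compile(rule.MethodPattern) on the second line runs inside ruleMatchesRequest, which is called with the per-request *grpc.UnaryServerInfo, so every rule's pattern is recompiled on each RPC and a malformed pattern is only reported once a request reaches it. Compile the patterns once when the RBAC configuration is loaded, reject the configuration if any of them fails, and keep the compiled *regexp.Regexp on the rule. It would also help to document whether MethodPattern has to match the full method name or any part of it.
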
Collaborator

Consider adding regex pattern validation

Consider adding error handling for invalid regex patterns in ruleMatchesRequest. The current implementation could panic if rule.MethodPattern contains an invalid regex pattern.

Code suggestion
Check the AI-generated fix before applying
Suggested change
func ruleMatchesRequest(rule config.Rule, info *grpc.UnaryServerInfo) (bool, error) {
pattern, err := regexp.Compile(rule.MethodPattern)
func ruleMatchesRequest(rule config.Rule, info *grpc.UnaryServerInfo) (bool, error) {
if rule.MethodPattern == "" {
return false, fmt.Errorf("empty method pattern in rule %s", rule.Name)
}
pattern, err := regexp.Compile(rule.MethodPattern)

Code Review Run #c2b01c



)
}

if authCtx.Options().Rbac.Enabled {
Collaborator

Consider adding nil check for Options

Consider adding error handling for the case when authCtx.Options() returns nil. The current code assumes authCtx.Options() always returns a valid value, which could lead to a nil pointer dereference if it doesn't.

Code suggestion
Check the AI-generated fix before applying
Suggested change
if authCtx.Options().Rbac.Enabled {
opts := authCtx.Options()
if opts == nil {
return nil, fmt.Errorf("auth context options not initialized")
}
if opts.Rbac.Enabled {

Code Review Run #c2b01c



Comment on lines +39 to +40
isolationFilter := util.GetIsolationFilter(ctx, isolation.DomainTargetResourceScopeDepth, descriptionEntityResourceColumns)
tx, err = applyFilters(tx, filters, nil, isolationFilter)
Collaborator

Consider adding error handling for isolation

Consider adding error handling for GetIsolationFilter(). The function could potentially return errors that should be handled before passing the filter to applyFilters().

Code suggestion
Check the AI-generated fix before applying
Suggested change
isolationFilter := util.GetIsolationFilter(ctx, isolation.DomainTargetResourceScopeDepth, descriptionEntityResourceColumns)
tx, err = applyFilters(tx, filters, nil, isolationFilter)
isolationFilter, err := util.GetIsolationFilter(ctx, isolation.DomainTargetResourceScopeDepth, descriptionEntityResourceColumns)
if err != nil {
return models.DescriptionEntity{}, err
}
tx, err = applyFilters(tx, filters, nil, isolationFilter)

Code Review Run #c2b01c



@@ -52,6 +68,8 @@
func (r *ProjectRepo) List(ctx context.Context, input interfaces.ListResourceInput) ([]models.Project, error) {
var projects []models.Project

isolationFilter := util.GetIsolationFilter(ctx, isolation.ProjectTargetResourceScopeDepth, projectResourceColumns)
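
Review bot: The new isolationFilter assignment at the top of List takes a single return value, so this code cannot tell "RBAC is disabled" apart from "RBAC is enabled but no isolation context reached this request". If a nil filter means no restriction, as the "if isolationFilter != nil" guard elsewhere in this change suggests, a request that arrives without an isolation context gets an unfiltered project list. Consider failing closed when RBAC is enabled and the context is missing, and add a repository-level test for List with and without a scope.
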
Collaborator

Missing error handling for isolation filter

Consider adding error handling for GetIsolationFilter() call. The function may return nil but there's no validation of the error case before using the filter.

Code suggestion
Check the AI-generated fix before applying
Suggested change
isolationFilter := util.GetIsolationFilter(ctx, isolation.ProjectTargetResourceScopeDepth, projectResourceColumns)
isolationFilter, err := util.GetIsolationFilter(ctx, isolation.ProjectTargetResourceScopeDepth, projectResourceColumns)
if err != nil {
return models.Project{}, r.errorTransformer.ToFlyteAdminError(err)
}

Code Review Run #c2b01c



Comment on lines +52 to +53
cleanSession := tx.Session(&gorm.Session{NewDB: true})
tx = tx.Where(cleanSession.Scopes(isolationFilter.GetScopes()...))
Collaborator

Context propagation in new DB session

Consider using tx.WithContext(ctx) before creating a new session to ensure context propagation. The current implementation may lose context information when creating a new session.

Code suggestion
Check the AI-generated fix before applying
Suggested change
cleanSession := tx.Session(&gorm.Session{NewDB: true})
tx = tx.Where(cleanSession.Scopes(isolationFilter.GetScopes()...))
cleanSession := tx.WithContext(ctx).Session(&gorm.Session{NewDB: true})
tx = tx.WithContext(ctx).Where(cleanSession.Scopes(isolationFilter.GetScopes()...))

Code Review Run #c2b01c



Comment on lines +268 to +269
func (ap AuthorizationPolicy) UnmarshalJSON(b []byte) error {
err := json.Unmarshal(b, &ap)
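
Review bot: On the second line, json.Unmarshal(b, &ap) decodes into the same type whose UnmarshalJSON is currently running, so the decoder finds this method on *AuthorizationPolicy and calls it again without end; the value receiver additionally means anything decoded would land in a copy. Use a pointer receiver and decode into a method-less local type (for example "type plain AuthorizationPolicy"), then assign the result to *ap, and cover it with a test that round-trips a policy from JSON.
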
Collaborator

Incorrect JSON unmarshaling implementation

The UnmarshalJSON method for AuthorizationPolicy appears to be unmarshaling into a local variable ap rather than the receiver. Consider using a pointer receiver to modify the actual struct.

Code suggestion
Check the AI-generated fix before applying
Suggested change
func (ap AuthorizationPolicy) UnmarshalJSON(b []byte) error {
err := json.Unmarshal(b, &ap)
func (ap *AuthorizationPolicy) UnmarshalJSON(b []byte) error {
err := json.Unmarshal(b, ap)

Code Review Run #c2b01c



Comment on lines +303 to +304
func (tc TokenClaim) UnmarshalJSON(b []byte) error {
err := json.Unmarshal(b, &tc)
Collaborator

Incorrect TokenClaim JSON unmarshaling

Similar to the AuthorizationPolicy issue, the UnmarshalJSON method for TokenClaim has the same problem with using a value receiver instead of a pointer receiver.

Code suggestion
Check the AI-generated fix before applying
Suggested change
func (tc TokenClaim) UnmarshalJSON(b []byte) error {
err := json.Unmarshal(b, &tc)
func (tc *TokenClaim) UnmarshalJSON(b []byte) error {
err := json.Unmarshal(b, tc)

Code Review Run #c2b01c



Comment on lines +96 to +97
cleanSession := tx.Session(&gorm.Session{NewDB: true})
tx = tx.Where(cleanSession.Scopes(isolationFilter.GetScopes()...))
Collaborator

Consider context propagation in new session

Consider using tx.WithContext(ctx) when creating a new session to ensure context propagation. The current implementation with cleanSession may lose the context information.

Code suggestion
Check the AI-generated fix before applying
Suggested change
cleanSession := tx.Session(&gorm.Session{NewDB: true})
tx = tx.Where(cleanSession.Scopes(isolationFilter.GetScopes()...))
cleanSession := tx.Session(&gorm.Session{NewDB: true}).WithContext(ctx)
tx = tx.Where(cleanSession.Scopes(isolationFilter.GetScopes()...))

Code Review Run #c2b01c


