Enabling User Context in Ingestion, Google Cloud approach
User impersonation approach
To address the security concerns highlighted in the related ADR, we make user impersonation the responsibility of the Entitlements service. To achieve this we do the following:
- Limit the Airflow SA to a single role that allows it to impersonate users (group: users.datalake.delegation)
- Add a special group (users.datalake.impersonation) to the users that MAY be impersonated (in general, workflow service users)
- Implement the following authorisation flow:
Flow diagram
  - User initiates DAG execution through the Workflow service API request.
  - Workflow service makes a state record in the database and stores the user id with the workflow run record (submittedBy).
  - DAG obtains the user id from the workflow DB record via a Workflow service API request (implemented in the Python SDK).
  - DAG performs a call to some OSDU service; the Python SDK library code injects every outgoing request with the Airflow service account token and the special "on-behalf-of" header. The "on-behalf-of" header value is equal to the user id obtained in the previous step.
  - OSDU service passes the incoming request headers to the Entitlements service to authorise the user request.
  - Entitlements service performs the following flow:
    - Only the /groups endpoint supports the impersonation flow; Entitlements management endpoints such as add member, create group, etc. ignore the "on-behalf-of" header.
    - If the request to the Entitlements endpoint /groups contains the special "on-behalf-of" header and the user (Airflow SA) that wishes to act on behalf of someone is NOT a member of the special group to impersonate users (group: users.datalake.delegation), then the service returns HTTP 403 Forbidden.
    - If the request contains the special "on-behalf-of" header and the user (Airflow SA) that wishes to act on behalf of someone belongs to the special group to impersonate users (group: users.datalake.delegation), then it collects the groups for the impersonated user specified in this header.
    - If the group list of the impersonated user (the user that initially triggered the workflow and should be acknowledged as the owner/creator of the ongoing changes) does NOT contain the special group (users.datalake.impersonation), then the Entitlements service returns HTTP 403 Forbidden.
    - Otherwise the impersonated user's group list is returned to the calling OSDU service.
- OSDU service performs the usual check of the returned group list for the presence of the specific rights needed to make the call.
- The Entitlements service response must NOT be cached, for security reasons, when the "on-behalf-of" request header is present.
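The following is an added example, not code from the OSDU project or the Entitlements service, that models the flow above end to end: the SDK-side header injection, the Entitlements-side two-step check (caller in users.datalake.delegation, target in users.datalake.impersonation, header ignored outside /groups, response marked uncacheable), and the calling service's usual rights check. The principal names, the group directory, the "/groups/members" management path and the function shapes are constructed assumptions for illustration.

```python
# Added example (not the OSDU project's own code): a minimal model of the
# "on-behalf-of" impersonation flow. Group membership data, principal names
# and the SDK/service function shapes are constructed assumptions.
from dataclasses import dataclass, field
from typing import Dict, List

DELEGATION_GROUP = "users.datalake.delegation"        # caller must hold this to impersonate
IMPERSONATION_GROUP = "users.datalake.impersonation"  # target must hold this to be impersonated
ON_BEHALF_OF = "on-behalf-of"

# Constructed membership directory (assumption): principal -> group list.
GROUP_DIRECTORY: Dict[str, List[str]] = {
    "airflow-sa@example.iam": [DELEGATION_GROUP, "service.workflow.admin"],
    "alice@example.com": [IMPERSONATION_GROUP, "data.default.owners"],
    "bob@example.com": ["data.default.viewers"],         # not allowed to be impersonated
    "intern-sa@example.iam": ["data.default.viewers"],   # not allowed to impersonate
}


@dataclass
class EntitlementsResponse:
    status: int
    groups: List[str] = field(default_factory=list)
    headers: Dict[str, str] = field(default_factory=dict)


def build_dag_request_headers(sa_token: str, submitted_by: str) -> Dict[str, str]:
    """What the Python SDK injects into every outgoing DAG request (assumed shape):
    the Airflow SA bearer token plus the user id taken from the workflow record."""
    return {"Authorization": f"Bearer {sa_token}", ON_BEHALF_OF: submitted_by}


def resolve_groups(endpoint: str, caller: str, headers: Dict[str, str]) -> EntitlementsResponse:
    """Entitlements-side decision. `caller` is the principal already extracted from
    the validated bearer token; group lookups hit the constructed directory above."""
    target = headers.get(ON_BEHALF_OF)
    caller_groups = GROUP_DIRECTORY.get(caller, [])

    # Management endpoints (and /groups without the header) ignore impersonation
    # and always answer for the caller itself.
    if endpoint != "/groups" or target is None:
        return EntitlementsResponse(200, list(caller_groups))

    # Step 1: the caller must be allowed to delegate at all.
    if DELEGATION_GROUP not in caller_groups:
        return EntitlementsResponse(403)

    # Step 2: the impersonated user must be marked as impersonatable.
    target_groups = GROUP_DIRECTORY.get(target, [])
    if IMPERSONATION_GROUP not in target_groups:
        return EntitlementsResponse(403)

    # Step 3: return the target's groups and mark the response uncacheable.
    return EntitlementsResponse(200, list(target_groups), {"Cache-Control": "no-store"})


def service_authorize(caller: str, headers: Dict[str, str], required_group: str) -> bool:
    """The usual OSDU-service check: forward the headers to Entitlements and look
    for the right needed by this call in the returned group list."""
    resp = resolve_groups("/groups", caller, headers)
    return resp.status == 200 and required_group in resp.groups


if __name__ == "__main__":
    hdrs = build_dag_request_headers("sa-token-placeholder", "alice@example.com")
    print(resolve_groups("/groups", "airflow-sa@example.iam", hdrs))
    print(service_authorize("airflow-sa@example.iam", hdrs, "data.default.owners"))
```

Note that the groups returned for an impersonated request are the target user's, not the Airflow SA's, so a DAG acting for alice cannot exercise the SA's own service.workflow.admin right through this path; conversely, the SA's own groups are still what a management endpoint sees, regardless of the header.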
See also: Entitlements service documentation