feat: Groups and Namespaces based authorization, for Users and Service Accounts #5619

jyejare · 2025-09-16T19:16:27Z

Implementation of Groups and Namespaces Based Authorization support

Overview

This PR implements groups and namespaces extraction support in Feast for user authentication (along with existing service account) in Pull Request #5619.

Changes Made

1. Enhanced User Model (`sdk/python/feast/permissions/user.py`)

Extended User class to include groups and namespaces attributes
Added methods:
- has_matching_group(): Check if user has required groups
- has_matching_namespace(): Check if user has required namespaces
Maintained backward compatibility with existing role-based functionality

2. New Policy Types (`sdk/python/feast/permissions/policy.py`)

GroupBasedPolicy: Grants access based on user group membership
NamespaceBasedPolicy: Grants access based on user namespace association
CombinedGroupNamespacePolicy: Requires both group OR namespace match
Updated Policy.from_proto() to handle new policy types
Maintained backward compatibility with existing RoleBasedPolicy

3. Protobuf Definitions (`protos/feast/core/Policy.proto`)

Added GroupBasedPolicy message with groups field
Added NamespaceBasedPolicy message with namespaces field
Extended Policy message to include new policy types in oneof
[Love] Regenerated Python protobuf files using make compile-protos-python

4. Token Access Review Integration (`sdk/python/feast/permissions/auth/kubernetes_token_parser.py`)

Added AuthenticationV1Api client for Token Access Review
Implemented _extract_groups_and_namespaces_from_token():
- Uses Kubernetes Token Access Review API
- Extracts groups and namespaces from token response
- Handles both service accounts and regular users
Updated user_details_from_access_token() to include groups and namespaces

5. Client SDK Updates (`sdk/python/feast/permissions/client/kubernetes_auth_client_manager.py`)

Extended KubernetesAuthConfig to support user tokens
Updated get_token() method to check for user_token in config
Maintained backward compatibility with service account tokens

6. Configuration Model (`sdk/python/feast/permissions/auth_model.py`)

Added user_token field to KubernetesAuthConfig for external users
Maintained backward compatibility with existing configurations

7. Comprehensive Tests (`sdk/python/tests/permissions/test_groups_namespaces_auth.py`)

15 test cases covering all new functionality
Tests for:
- User creation with groups/namespaces
- Group matching functionality
- Namespace matching functionality
- All new policy types
- Backward compatibility

8. Documentation (`docs/getting-started/components/groups_namespaces_auth.md`)

Usage examples and configuration guides
Security considerations and best practices
Troubleshooting guide and migration instructions

Key Features Implemented

✅ Token Access Review Integration

Uses Kubernetes Token Access Review API to extract user details
Handles both service accounts and external users

✅ Groups and Namespaces Extraction

Extracts groups and namespaces from token response
Supports both service account and regular user tokens

✅ New Policy Types

GroupBasedPolicy: Access based on group membership
NamespaceBasedPolicy: Access based on namespace association
CombinedGroupNamespacePolicy: Requires either group OR namespace

✅ Client SDK Support

Extended to support user tokens for external users
Maintains backward compatibility with service account tokens
New parameter in KubernetesAuthConfig for user tokens

Usage Examples

Basic Group-Based Permission

from feast.permissions.policy import GroupBasedPolicy
from feast.permissions.permission import Permission

policy = GroupBasedPolicy(groups=["data-team", "ml-engineers"])
permission = Permission(
    name="data_team_access",
    types=ALL_RESOURCE_TYPES,
    policy=policy,
    actions=[AuthzedAction.DESCRIBE] + READ
)

Basic Namespace-Based Permission

from feast.permissions.policy import NamespaceBasedPolicy
from feast.permissions.permission import Permission

policy = NamespaceBasedPolicy(namespaces=["de-dsp", "ml-dsp"])
permission = Permission(
    name="data_team_access",
    types=ALL_RESOURCE_TYPES,
    policy=policy,
    actions=[AuthzedAction.DESCRIBE] + READ
)

Combined Group + Namespace Permission

from feast.permissions.policy import CombinedGroupNamespacePolicy

policy = CombinedGroupNamespacePolicy(
    groups=["data-team"],
    namespaces=["production"]
)

Client Configuration with User Token

from feast.permissions.auth_model import KubernetesAuthConfig

auth_config = KubernetesAuthConfig(
    type="kubernetes",
    user_token="your-kubernetes-user-token"  # For external users
)

Signed-off-by: jyejare <[email protected]>

…namespace Signed-off-by: jyejare <[email protected]>

Signed-off-by: jyejare <[email protected]>

docs/changelogs/Groups_Namespaces_Auth_implmentation_summary.md

docs/reference/auth/groups_namespaces_auth.md

infra/scripts/feature_store_client_configs_gen.py

sdk/python/feast/permissions/auth/kubernetes_token_parser.py

docs/reference/auth/kubernetes_auth_setup.md

Signed-off-by: jyejare <[email protected]>

ntkathole

Looks good, Thank you @jyejare . This is nice improvement to kubernetes authentication.

# [0.55.0](v0.54.0...v0.55.0) (2025-10-14) ### Bug Fixes * Added unix_timestamp_val in _serialize_val ([#5659](#5659)) ([35a8423](35a8423)) * BatchFeatureView transformation should persist in Registry Ser/Deserialization ([3364bad](3364bad)) * Check if DynamoDB table exists before create ([#5658](#5658)) ([e7fd506](e7fd506)) * Fix the link to Expedia in the Go Feature Server readme. ([3ed0163](3ed0163)) ### Features * Add Claude instructions ([#5651](#5651)) ([4807a52](4807a52)) * Groups and Namespaces based authorization, for Users and Service Accounts ([#5619](#5619)) ([da6257c](da6257c))

jyejare requested a review from a team as a code owner September 16, 2025 19:16

jyejare marked this pull request as draft September 16, 2025 19:16

jyejare changed the title ~~feat: Groups and Namespaces authorization along with roles, for user as well~~ feat: Groups and Namespaces authorization, for user as well Sep 17, 2025

jyejare force-pushed the groups_nss_roles branch 5 times, most recently from 4b9f9fc to 2b8e653 Compare September 19, 2025 08:04

jyejare force-pushed the groups_nss_roles branch 5 times, most recently from 3e90d71 to 9c913b9 Compare September 27, 2025 11:14

jyejare force-pushed the groups_nss_roles branch 3 times, most recently from 0d9e32e to 61704dd Compare October 8, 2025 16:02

jyejare added 2 commits October 8, 2025 21:34

Groups and Namespaces authorization

64ab0c5

Signed-off-by: jyejare <[email protected]>

Role binding for token access review and groups identifications from …

12e2587

…namespace Signed-off-by: jyejare <[email protected]>

jyejare force-pushed the groups_nss_roles branch from 61704dd to 95f6489 Compare October 8, 2025 16:07

jyejare marked this pull request as ready for review October 8, 2025 16:16

jyejare added 3 commits October 8, 2025 21:58

Fixing unit tests

940183a

Signed-off-by: jyejare <[email protected]>

TLS Path automatic setup

83c94e5

Signed-off-by: jyejare <[email protected]>

Documentation added along with some Makefile additions

65ca1b1

Signed-off-by: jyejare <[email protected]>

jyejare force-pushed the groups_nss_roles branch from 95f6489 to 65ca1b1 Compare October 8, 2025 16:29

jyejare changed the title ~~feat: Groups and Namespaces authorization, for user as well~~ feat: Groups and Namespaces based authorization, for Users and Service Accounts Oct 8, 2025

ntkathole added the ok-to-test label Oct 8, 2025