Skip to content

Commit 59af5bb

Browse files
jyejarejyejare
committed
Denial by default to all resources when no permissions set
Signed-off-by: jyejare <jyejare@redhat.com> filter only for named patterns No matching permissions are handled
1 parent 39c243e commit 59af5bb

File tree

1 file changed

+39
-9
lines changed

1 file changed

+39
-9
lines changed

sdk/python/feast/permissions/enforcer.py

Lines changed: 39 additions & 9 deletions
Original file line numberDiff line numberDiff line change
@@ -43,9 +43,9 @@ def enforce_policy(
4343
# If no permissions are defined, deny access to all resources
4444
# This is a security measure to prevent unauthorized access
4545
logger.warning("No permissions defined - denying access to all resources")
46-
if not filter_only:
47-
raise FeastPermissionError("No permissions defined - access denied")
48-
return []
46+
raise FeastPermissionError(
47+
"Permissions are not defined - access denied for all resources"
48+
)
4949

5050
_permitted_resources: list[FeastObject] = []
5151
for resource in resources:
@@ -71,17 +71,47 @@ def enforce_policy(
7171

7272
if evaluator.is_decided():
7373
grant, explanations = evaluator.grant()
74-
if not grant and not filter_only:
75-
logger.error(f"Permission denied: {','.join(explanations)}")
76-
raise FeastPermissionError(",".join(explanations))
74+
if not grant:
75+
if not filter_only:
76+
logger.error(f"Permission denied: {','.join(explanations)}")
77+
raise FeastPermissionError(",".join(explanations))
78+
elif filter_only and not p.name_patterns:
79+
logger.error(f"Permission denied: {','.join(explanations)}")
80+
raise FeastPermissionError(",".join(explanations))
81+
else:
82+
continue
7783
if grant:
7884
logger.debug(
7985
f"Permission granted for {type(resource).__name__}:{resource.name}"
8086
)
8187
_permitted_resources.append(resource)
8288
break
8389
else:
84-
message = f"No permissions defined to manage {actions} on {type(resource)}/{resource.name}."
85-
logger.exception(f"**PERMISSION NOT GRANTED**: {message}")
86-
raise FeastPermissionError(message)
90+
if not filter_only:
91+
message = f"No permissions defined to manage {actions} on {type(resource)}/{resource.name}."
92+
logger.exception(f"**PERMISSION NOT GRANTED**: {message}")
93+
raise FeastPermissionError(message)
94+
else:
95+
# filter_only=True: Check if there are permissions for this resource type
96+
resource_type_permissions = [
97+
p
98+
for p in permissions
99+
if any(isinstance(resource, t) for t in p.types) # type: ignore
100+
]
101+
if not resource_type_permissions:
102+
# No permissions exist for this resource type - should raise error
103+
message = f"No permissions defined to manage {actions} on {type(resource)}/{resource.name}."
104+
logger.exception(f"**PERMISSION NOT GRANTED**: {message}")
105+
raise FeastPermissionError(message)
106+
elif not any(p.name_patterns for p in resource_type_permissions):
107+
# Permissions exist for this resource type but no name_patterns - should raise error
108+
message = f"No permissions defined to manage {actions} on {type(resource)}/{resource.name}."
109+
logger.exception(f"**PERMISSION NOT GRANTED**: {message}")
110+
raise FeastPermissionError(message)
111+
else:
112+
# Permissions exist for this resource type with name_patterns - filter out this resource
113+
logger.debug(
114+
f"Filtering out {type(resource).__name__}:{resource.name} - no matching permissions"
115+
)
116+
continue
87117
return _permitted_resources

0 commit comments

Comments
 (0)