some changes

Author: fhennig

modules/contributor/pages/adr/ADRXXX-authorization-abstraction-layer.adoc

@@ -14,23 +14,13 @@ Technical Story: https://github.com/stackabletech/issues/issues/439
 How should we design the user facing part of an authorization layer for the platform?
 Do we create Custom Resources for some of this, or are ConfigMaps sufficient?
 How many, how are the rules split across resources?
+Where do users want to "hook in"?
+How are policies deployed?
 
 == Context
 
 What is the current state of authorization in the SDP, what do users want to define and which authorization models are widespread already?
 
-=== Terminology
-
-Resource:: A resource in the authorization context is commonly something that can be accessed, read, edited etc., like a DAG in Airflow, a Table in Trino or a file in a file system. Resources can also be grouped, like a folder in a file system containing multiple files. A resource is specific, so it does not refer to Trino tables in general, but to a specific Foo table (for example).
-Action:: An action is defined in context of a resource. Examples are "Viewing", "Editing", "Deleting", "Creating".
-Permission:: A permission is the combination of an action and a resource. Like "view table Foo". A permission can also be more general, like "view all tables" (i.e. no specific resource is specified, just a class/type of resource).
-Policy:: A policy is a generic term that does not only exist in authorization. It is a rule, like "The cluster should always have 10% free memory left" or "Only the HR team can access the employee database".
-RBAC:: Role-based access control.
-Role:: A role in RBAC generally means a collection of permissions. In RBAC, permissions are assigned to roles. For example, an _admin_ role might have the permission to view and edit all data. A _marketting-employee_ role grants viewing access to a specific set of tables.
-ReBAC:: Relation-based access control.
-Relation:: A relation is pretty generic, and refers to relations between object and and other objects (or resources), between resources and users or between users and other users or user groups. Examples: "Alice is a _reader_ of a table." "Bob is a _member_ of the data science team." "The `pictures` folder is the _parent_ of the `cat.jpg` file."
-Group:: A group is typically a collection of users. Groups can also be organized hierarchically. Groups can sometimes be used to attach roles to, so users can simply be grouped together and their permissions be managed as a whole.
-
 === Current state of authorization and policy in the SDP
 
 Currently the Stackable Data Platform supports authorization policies through OPA.
@@ -46,23 +36,6 @@ The products themselves also have access control models:
 * Kafka: RBAC, group based with LDAP, ACLs
 * Airflow: Uses roles to group permissions, and then assign roles to users. Roles can also be assigned to LDAP groups.
 
-
-=== Authorization settings that users might want to model
-
-Some use case examples:
-
-* rules for individuals: Alice needs one-of read access to a Trino Table
-* group based access control: Bob joins the company in the data science team and should get access to all the resources he needs to stark working
-* resource grouping and ad-hoc groups: A new data analysis task force is formed that needs access to specific resources. Resources should be grouped and then all task force members need access.
-* group hierarchies: there might be multiple data science teams that share access to some common resources, but also have specific resources that are only relevant to each team.
-* Class based permissions: Andy needs to be able to read _all_ Trino tables, and not just a pre-defined selection of tables.
-
-A common complaint seems to be that in RBAC systems, roles end up getting copy pasted. 
-A role might have many permissions attached to it, so if you want to modify a particular permission for just one user, you might end up copy-pasting the role.
-
-Also, users should be able to treat resources in general the same way across all supported products.
-I.e. there should be an abstraction over resources such as Trino tables, Superset dashboards and Kafka topics.
-
 === Different authorization models: RBAC, ABAC, ReBAC and more
 
 Out-of-the-box, OPA uses RegoRules to define policies. 
@@ -86,6 +59,34 @@ Learn more:
 * https://www.permit.io/blog/oparebac
 * https://www.permit.io/blog/policy-engines
 
+== Requirements
+
+The overall design should make it easy for the majority of users to define rules, without needing to write RegoRules.
+This should be done with CRDs that can deployed, and it works out of the Box.
+
+For the remaining users it should be possible to hook into various places of the system to write their own more specific rules.
+
+* 80% of users can use the CRDs that allow coarse access control in a unified way across the platform, possibly hiding some product specific things.
+* 10% of users can drop down one layer into specifying custom JSON data for the Stackable provided Rego rules, 
+  allowing a little bit more detailed access to product specific access control rules such as column masking in Trino.
+* 10% of users will want to write completely custom Rego rules, which is currently already possible and will still be supported.
+
+=== Authorization settings that users might want to model
+
+Some use case examples:
+
+* rules for individuals: Alice needs one-of read access to a Trino Table
+* group based access control: Bob joins the company in the data science team and should get access to all the resources he needs to stark working
+* resource grouping and ad-hoc groups: A new data analysis task force is formed that needs access to specific resources. Resources should be grouped and then all task force members need access.
+* group hierarchies: there might be multiple data science teams that share access to some common resources, but also have specific resources that are only relevant to each team.
+* Class based permissions: Andy needs to be able to read _all_ Trino tables, and not just a pre-defined selection of tables.
+
+A common complaint seems to be that in RBAC systems, roles end up getting copy pasted. 
+A role might have many permissions attached to it, so if you want to modify a particular permission for just one user, you might end up copy-pasting the role.
+
+Also, users should be able to treat resources in general the same way across all supported products.
+I.e. there should be an abstraction over resources such as Trino tables, Superset dashboards and Kafka topics.
+
 == Decision Drivers
 
 * The design should be flexible to allow to easily represent various organizational structures.
@@ -236,3 +237,17 @@ TSA? OCM?
 
 "TSA ist OPA, unser Authr. ist OPA, aber bauen wir oder TSA dinge drumherum, die die Integration schwer machen?"
 
+== Appendix
+
+=== Terminology
+
+Resource:: A resource in the authorization context is commonly something that can be accessed, read, edited etc., like a DAG in Airflow, a Table in Trino or a file in a file system. Resources can also be grouped, like a folder in a file system containing multiple files. A resource is specific, so it does not refer to Trino tables in general, but to a specific Foo table (for example).
+Action:: An action is defined in context of a resource. Examples are "Viewing", "Editing", "Deleting", "Creating".
+Permission:: A permission is the combination of an action and a resource. Like "view table Foo". A permission can also be more general, like "view all tables" (i.e. no specific resource is specified, just a class/type of resource).
+Policy:: A policy is a generic term that does not only exist in authorization. It is a rule, like "The cluster should always have 10% free memory left" or "Only the HR team can access the employee database".
+RBAC:: Role-based access control.
+Role:: A role in RBAC generally means a collection of permissions. In RBAC, permissions are assigned to roles. For example, an _admin_ role might have the permission to view and edit all data. A _marketting-employee_ role grants viewing access to a specific set of tables.
+ReBAC:: Relation-based access control.
+ABAC:: Attribute-based access control.
+Relation:: A relation is pretty generic, and refers to relations between object and and other objects (or resources), between resources and users or between users and other users or user groups. Examples: "Alice is a _reader_ of a table." "Bob is a _member_ of the data science team." "The `pictures` folder is the _parent_ of the `cat.jpg` file."
+Group:: A group is typically a collection of users. Groups can also be organized hierarchically. Groups can sometimes be used to attach roles to, so users can simply be grouped together and their permissions be managed as a whole.