Epic: Foundations for Fine Grained Authorization

[easyCZ]

Summary

This epic captures the work to improve the existing Gitpod Authorization and enable the capability to support fine grained authorization.

Context

Historically, the authorization model of gitpod is modelled around users and their team membership. In order to support Gitpod admins with finer-grained permissions, we also need to improve on our existing system.

Value

The Authorization Model is central to Gitpod operations. Without it, we cannot answer questions such as:

• Does user X, have the ability to list workspaces of all members in a team?
• Can user X setup billing for team T?

Tasks

Initial setup

• Design document for fine grained authorization #15633
• Assess performance characteristics of OpenFGA #15634
• Deploy SpiceDB into preview environments #15951
• Deploy SpiceDB into production #15952
• Deploy Global CloudSQL Proxy #16039

Populating SpiceDB

• Start writing Organisation relationships into SpiceDB #16102
• Perform permission check in parallel with existing system, report stats #16103
• Model service accounts/tokens in SpiceDB #16239
• Identify strategy for backfilling SpiceDB relationships #16240