resource ownership in Athenz #2573

Open
havetisyan opened this issue Mar 26, 2024 · 1 comment

Comments

@havetisyan (Collaborator)

The following are the use cases that we’re trying to solve with the introduction of resource ownership in Athenz:

  • The domain administrator is using TF to manage domain data (could be using a personal account or some service identity).

    • The administrator wants to block those resources from being modified using the Athenz UI and/or zms-cli, since that would create drift in the TF state.

    • The administrator should have the capability to override the ownership and make changes in case of emergency situations (e.g. TF deleted a service identity from a role but it needs to be re-added asap).

    • This capability must be available using zms-cli and preferably from Athenz UI as well.

    • In the Athenz UI, I should be prompted that the user should not proceed with the change unless explicitly confirmed.

  • The roles/policies are created and managed by another service built on top of Athenz.

    • The operator wants those resources not to be visible in Athenz UI based on the ownership state and only make them available in their respective solution UIs.

  • Resource ownership should support partial ownership. For example, with roles and groups, TF can manage either members or meta, so the server must support and enforce ownership at that level and not just at the object level.

    • This indicates that there might be multiple owners of the same resource.
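The following is an added sketch of how field-level ownership with an explicit admin override could be enforced server-side. It is illustrative code written for this discussion, not Athenz's own implementation or API: the `Ownership`, `Request` and `Role` types, the `members`/`meta` field names, and the rule that only a domain administrator who sets `Override` may write to a field owned by someone else are all assumptions made here.

```go
package main

import (
	"errors"
	"fmt"
)

// ErrOwned is returned when a change targets a field owned by another principal
// and no explicit override was supplied. (Hypothetical; not an Athenz error.)
var ErrOwned = errors.New("field is owned by another principal")

// Ownership records an owner per field of a role rather than per object, so a
// Terraform service identity can own the member list while humans still own the
// metadata. An empty string means the field is unowned.
type Ownership struct {
	Members string
	Meta    string
}

// Request carries the identity and intent behind a change, whichever client it
// comes from (UI, zms-cli, or a TF provider).
type Request struct {
	Principal string
	IsAdmin   bool // domain administrator
	Override  bool // explicit "I know this is owned elsewhere" flag for emergencies
}

type Role struct {
	Name    string
	Members []string
	Meta    map[string]string
	Owner   Ownership
}

func NewRole(name string, owner Ownership) *Role {
	return &Role{Name: name, Meta: map[string]string{}, Owner: owner}
}

// authorize enforces ownership at field granularity. The owner may always write.
// Anyone else is rejected unless they are a domain admin who explicitly set
// Override, which models the "re-add a deleted service identity asap" case.
func (r *Role) authorize(field string, req Request) error {
	var owner string
	switch field {
	case "members":
		owner = r.Owner.Members
	case "meta":
		owner = r.Owner.Meta
	default:
		return fmt.Errorf("unknown field %q", field)
	}
	if owner == "" || owner == req.Principal {
		return nil
	}
	if req.IsAdmin && req.Override {
		return nil
	}
	return fmt.Errorf("%w: %s.%s is owned by %s; %s must be a domain admin and pass an override",
		ErrOwned, r.Name, field, owner, req.Principal)
}

// AddMember changes the member list, which is governed by Owner.Members only.
func (r *Role) AddMember(req Request, member string) error {
	if err := r.authorize("members", req); err != nil {
		return err
	}
	r.Members = append(r.Members, member)
	return nil
}

// SetMeta changes role metadata, which is governed by Owner.Meta only.
func (r *Role) SetMeta(req Request, key, value string) error {
	if err := r.authorize("meta", req); err != nil {
		return err
	}
	r.Meta[key] = value
	return nil
}

// FullyOwned reports whether every field has an owner; a UI could use this to
// hide resources that belong entirely to another system. A partially owned role
// (e.g. only members under TF) stays visible.
func (r *Role) FullyOwned() bool {
	return r.Owner.Members != "" && r.Owner.Meta != ""
}

func main() {
	// Constructed sample: TF owns the member list, metadata is unowned.
	r := NewRole("readers", Ownership{Members: "tf-svc"})
	fmt.Println(r.AddMember(Request{Principal: "tf-svc"}, "svc.a"))                             // <nil>
	fmt.Println(r.AddMember(Request{Principal: "alice", IsAdmin: true}, "svc.b"))               // ErrOwned
	fmt.Println(r.AddMember(Request{Principal: "alice", IsAdmin: true, Override: true}, "svc.b")) // <nil>
	fmt.Println(r.SetMeta(Request{Principal: "alice"}, "description", "readers of the domain")) // <nil>
	fmt.Println(r.Members, r.FullyOwned())
}
```

Because the owner is looked up per field, the same role can have `tf-svc` on members and a different principal on meta, which is the "multiple owners of the same resource" case; the override path is the only way around it and is deliberately gated on both `IsAdmin` and the explicit flag.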