I'm thinking about multitenancy and trying to understand how users are given authorization to projects and domains, and the permissions model in general, eg viewing workflows and runs for a particular domain or project. Perhaps I'm not looking in the right place in the docs and code. Is there a user and permission UI/API or an authorization module?

Yeah, I don't think it's supported... would be a great addition. https://flyte-org.slack.com/archives/CP2HDHKE1/p1676057126947849

@Björn thanks. Do you know how project, domain, and user management works? I'm missing something. Looks like projects and domains are k8s objects, maybe?

as for project management I've only used flytectl: https://docs.flyte.org/projects/flytectl/en/latest/gen/flytectl_create_project.html

Thanks. I mostly agree. Projects and namespaces should have corresponding k8s namespaces on different clusters, and service accounts that turn into oauth tokens or certs from a vault for accesssing external data stores and services, etc. Lots of different ways to handle authz. It might need to be as complicated as having a policy engine - user B may only access these resources between 8 and 6 in the time zone in which they are based - or whatever.

the external idp is authentication you are right. but we do not want to be in the business of storing roles etc. this is way more complicated than it sounds, as this has availability, scalability and security constraints.

I understand the potential complexity, but for many companies, this is a deal breaker. One could do a very lightweight implementation with something like a session token that encodes the user's current project and domain and role. Then each service can implement the business logic of what that role allows.