Introducing IAM

Represent your organization in Polar Signals

February 24, 2026

Since its original launch, Polar Signals Cloud has had a very simple authentication and authorization model. Human users (authenticated through OIDC) could be either an owner or a viewer of an organization, and could therefore either perform all actions in all projects of that organization or just query data. Machines, on the other hand, had project tokens, bound to a specific project, with the ability to upload and query profiling data.

Enterprise needs

While this approach was simple enough to get us off the ground, it has struggled to cope with the needs of enterprise customers. Some require users who can only manage billing, some need access limited to a subset of projects, some need machines to be able to provision new projects, and so on. The point is, the system needed to be much more flexible and allow an organization to map its organizational structure onto Polar Signals Cloud, and not the other way around.

What we built

At its core, the system is very simple: there are identities and permissions. Every action in Polar Signals now has a distinct permission. Permissions are bundled in roles, and roles can be bound to an identity. Additionally, role bindings can be scoped to a project. If not scoped, a role binding is organization-wide, and thus its permissions are available to the identity for all projects of the organization. In this new system, humans and machines are both identities: humans authenticate through OIDC, and machines are represented by service accounts and authenticate through service account tokens.

Here is a simplified version of the entities and their relationships:

Entity Relationship Diagram of the new IAM system

There is a set of pre-defined system roles, representing what we have so far found to be the most common uses.
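The model described in this section can be sketched as a deny-by-default check over role bindings. This is an added example, not Polar Signals' code: the permission strings, role names and identities are hypothetical, and it assumes that permissions from multiple bindings are unioned and that a project-scoped binding never grants organization-level actions.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Role:
    name: str
    permissions: frozenset  # permission strings (hypothetical names)

@dataclass(frozen=True)
class RoleBinding:
    identity: str                   # human (OIDC subject) or service account
    role: Role
    project: Optional[str] = None   # None means organization-wide

def effective_permissions(bindings, identity, project=None):
    """Union of permissions an identity holds for `project`.

    project=None asks about an organization-level action (e.g. billing).
    Assumption: only organization-wide bindings apply to such actions.
    """
    perms = set()
    for b in bindings:
        if b.identity != identity:
            continue
        # A scoped binding applies only inside its own project.
        if b.project is not None and b.project != project:
            continue
        perms |= b.role.permissions
    return perms

def is_allowed(bindings, identity, permission, project=None):
    # Deny by default: no matching binding means no access.
    return permission in effective_permissions(bindings, identity, project)

# Constructed sample data (all names hypothetical).
VIEWER = Role("viewer", frozenset({"profiles.query"}))
BILLING = Role("billing-manager", frozenset({"billing.manage"}))
UPLOADER = Role("uploader", frozenset({"profiles.write", "profiles.query"}))
PROVISIONER = Role("provisioner", frozenset({"projects.create"}))

BINDINGS = [
    RoleBinding("user:alice", BILLING),                   # billing only, org-wide
    RoleBinding("user:bob", VIEWER),                      # query every project
    RoleBinding("sa:ci-uploader", UPLOADER, "payments"),  # one project only
    RoleBinding("sa:provisioner", PROVISIONER),           # machine creating projects
]

if __name__ == "__main__":
    print(is_allowed(BINDINGS, "sa:ci-uploader", "profiles.write", "payments"))
    print(is_allowed(BINDINGS, "sa:ci-uploader", "profiles.write", "checkout"))
```

Calling `effective_permissions` per identity and project is also a quick way to audit which bindings are broader than the workload needs.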

Documentation

The fully detailed documentation, up-to-date permissions, and default roles can be found here.

Migration

As of publishing this blog post, all previous permissions have been migrated to the new system, and creating new roles and tokens from the old system is disabled.

We are asking users to please migrate existing project tokens to service account tokens. We have prepared 4 migration guides for the most common uses:

  1. Migrate agents
  2. Migrate scrapers
  3. Migrate debuginfo uploads from CI
  4. Migrate GitHub actions profiling

For the moment there is no EOL date for rejecting previous project tokens; however, we will be reaching out to customers using these and asking them to upgrade.

Should you believe there to have been an issue with the migration, please reach out to support@polarsignals.com.

Acknowledgements

Special thanks to Turbopuffer for testing the preview of this feature and working out several rough edges with the approach. Also, shout out to Eric Chiang from Oblique for reviewing and advising us on several topics related to this system.
