Skip to content

feat: Add RBAC blog post to website #5861

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
franciscojavierarceo merged 3 commits into from
Jan 16, 2026
Merged

feat: Add RBAC blog post to website #5861

franciscojavierarceo merged 3 commits into from
Jan 16, 2026

Conversation

Copy link
Contributor

Copilot AI commented Jan 15, 2026
edited
Loading

What this PR does / why we need it:

Adds comprehensive blog post announcing Feast's RBAC capabilities. Post covers:

  • Permission model fundamentals: Resources, actions, and role-based policies
  • Security architecture: Kubernetes RBAC and OIDC integration for distributed deployments
  • Configuration examples: Python code snippets demonstrating Permission objects with name patterns, tags, and role assignments
  • Operational guidance: CLI commands for inspecting and troubleshooting permissions

Example permission configuration from the post:

from feast.permissions.action import AuthzedAction, READ

# Grant lab team access to their feature views
Permission(
   name="lab-reader",
   types=[FeatureView],
   name_patterns="lab.*",  # Regex pattern matching
   policy=RoleBasedPolicy(roles=["lab"]),
   actions=[AuthzedAction.DESCRIBE, READ],
)

# Restrict high-risk data source writes to admin roles
Permission(
   name="data-writer",
   types=[DataSource],
   required_tags={"risk_level": "high"},
   policy=RoleBasedPolicy(roles=["admin", "data_team"]),
   actions=[WRITE],
)

Post includes architecture diagram showing the four-layer distributed model (management, data, service, security/client layers) and clarifies that RBAC enforcement only applies when using remote Feast services.

Which issue(s) this PR fixes:

Addresses documentation request for RBAC feature announcement.

Misc

Authors: Danielle Martinoli and Francisco Javier Arceo

Original prompt

This section details on the original issue you should resolve

<issue_title>Add blog post on RBAC</issue_title>
<issue_description>Please make a blog post to the website about our RBAC capabilities.

Feast Launches RBAC! 🚀

What is the Feast Permission Model?

Feast now supports Role Based Access Controls (RBAC) so you can secure and govern your data.

If you ever wanted to securely partition your feature store across different teams, the new Feast permissions model is here to make that possible!

This powerful feature allows administrators to configure granular authorization policies, letting them decide which users and groups can access specific resources and what operations they can perform.

The default implementation is based on Role-Based Access Control (RBAC): user roles determine whether a user has permission to perform specific functions on registered resources.

Why is RBAC important for Feast?

Feature stores often operate on sensitive, proprietary data and we want to make sure teams are able to govern the access and control of that data thoughtfully, while benefiting from transparent code and an open source community like Feast.

That’s why we built RBAC using Kubernetes RBAC and OpenID Connect protocol (OIDC), ensuring secure, fine-grained access control in Feast.

What are the Benefits of using Feast Permissions?

Using the Feast Permissions Model offers two key benefits:

  1. Securely share and partition your feature store: grant each team only the minimum privileges necessary to access and manage the relevant resources.
  2. Adopt a Service-Oriented Architecture and leverage the benefits of a distributed system.

How Feast Uses RBAC

Permissions as Feast resources

The RBAC configuration is defined using a new Feast object type called “Permission”. Permissions are registered in the Feast registry and are defined and applied like all the other registry objects, using Python code.

A permission is defined by these three components:

  • A resource: a Feast object that we want to secure against unauthorized access. It's identified by the matching type(s), a possibly empty list of name patterns and a dictionary of required tags.
  • An action: a logical operation performed on the secured resource, such as managing the resource state with CREATE, DESCRIBE, UPDATE or DELETE, or accessing the resource data with READ and WRITE (differentiated by ONLINE and OFFLINE store types)
  • A policy: the rule to enforce authorization decisions based on the current user. The default implementation uses role-based policies.

The resource types supported by the permission framework are those defining the customer feature store:

  • Project
  • Entity
  • FeatureView
  • OnDemandFeatureView
  • BatchFeatureView
  • StreamFeatureView
  • FeatureService
  • DataSource
  • ValidationReference
  • SavedDataset
  • Permission

TIP: Check out the Permission APIs in the Feast Python API Documentation to learn more!

# This configuration grants users with the 'owner' role permissions 
# to fetch resource status and read data from all the feature views 
from feast.permissions.action import AuthzedAction, READ
# Note: READ is a global list including both READ_OFFLINE and
# READ_ONLINE values from AuthzedAction enum

# You do not have to specify `name_patterns`
Permission(
   name="fv-owner",
   types=[FeatureView],
   policy=RoleBasedPolicy(roles=["owner"]),
   actions=[AuthzedAction.DESCRIBE, READ],
)

# This configuration grants users with the 'lab' role permissions 
# to fetch resource status and read data from all feature views 
# named 'lab_stream_feature_view' or 'lab_feature_view'
from feast.permissions.action import AuthzedAction, READ

Permission(
   name="lab-reader",
   types=[FeatureView],
   name_patterns=["lab_stream_feature_view", "lab_feature_view"],
   policy=RoleBasedPolicy(roles=["lab"]),
   actions=[AuthzedAction.DESCRIBE, READ],
)

# As an alternative, we can use Python regular expression patterns
# to grant the same permission to all feature views whose name
# starts by 'lab'
from feast.permissions.action import AuthzedAction, READ

Permission(
   name="lab-reader",
   types=[FeatureView],
   name_patterns="lab.*", # Accepts both 'str' and 'list[str]' types
   policy=RoleBasedPolicy(roles=["lab"]),
   actions=[AuthzedAction.DESCRIBE, READ],
)

# This configuration grants users with the 'prod' role permissions 
# to fetch resource status and read data from all feature views 
# whose names include the '_prod_' word
from feast.permissions.action import AuthzedAction, READ

Permission(
   name="prod-reader",
   types=[FeatureView, FeatureService],
   name_patterns=".*_prod_.*",
   policy=RoleBasedPolicy(roles=["prod"]),
   actions=[AuthzedAction.DESCRIBE, READ],
)

# This ...

</details>



<!-- START COPILOT CODING AGENT SUFFIX -->

- Fixes feast-dev/feast#5860

<!-- START COPILOT CODING AGENT TIPS -->
---Let Copilot coding agent [set things up for you](https://github.com/feast-dev/feast/issues/new?title=+Set+up+Copilot+instructions&body=Configure%20instructions%20for%20this%20repository%20as%20documented%20in%20%5BBest%20practices%20for%20Copilot%20coding%20agent%20in%20your%20repository%5D%28https://gh.io/copilot-coding-agent-tips%29%2E%0A%0A%3COnboard%20this%20repo%3E&assignees=copilot) — coding agent works faster and does higher quality work when set up for your repo.

@franciscojavierarceo
Add RBAC blog post to website
d05f132 
Co-authored-by: franciscojavierarceo <4163062+franciscojavierarceo@users.noreply.github.com>
Copilot AI changed the title [WIP] Add blog post on RBAC capabilities feat: Add RBAC blog post to website Jan 15, 2026
franciscojavierarceo
franciscojavierarceo reviewed Jan 16, 2026
View reviewed changes
@franciscojavierarceo franciscojavierarceo marked this pull request as ready for review January 16, 2026 13:19
@franciscojavierarceo franciscojavierarceo requested a review from a team as a code owner January 16, 2026 13:19
@franciscojavierarceo franciscojavierarceo merged commit b1844a3 into master Jan 16, 2026
21 checks passed
franciscojavierarceo pushed a commit that referenced this pull request Jan 16, 2026
@feast-ci-bot
chore(release): release 0.59.0
6214d05 
# [0.59.0](v0.58.0...v0.59.0) (2026-01-16)

### Bug Fixes

* Add get_table_query_string_with_alias() for PostgreSQL subquery aliasing ([#5811](#5811)) ([11122ce](11122ce))
* Add hybrid online store to ONLINE_STORE_CLASS_FOR_TYPE mapping ([#5810](#5810)) ([678589b](678589b))
* Add possibility to overwrite send_receive_timeout for clickhouse offline store ([#5792](#5792)) ([59dbb33](59dbb33))
* Denial by default to all resources when no permissions set  ([#5663](#5663)) ([1524f1c](1524f1c))
* Make operator include full OIDC secret in repo config ([#5676](#5676)) ([#5809](#5809)) ([a536bc2](a536bc2))
* Populate Postgres `registry.path` during `feast init` ([#5785](#5785)) ([f293ae8](f293ae8))
* **redis:** Preserve millisecond timestamp precision for Redis online store ([#5807](#5807)) ([9e3f213](9e3f213))
* Search API to return all matching tags in matched_tags field ([#5843](#5843)) ([de37f66](de37f66))
* Spark Materialization Engine Cannot Infer Schema ([#5806](#5806)) ([58d0325](58d0325)), closes [#5594](#5594) [#5594](#5594)
* Support arro3 table schema with newer deltalake packages ([#5799](#5799)) ([103c5e9](103c5e9))
* Timestamp formatting and lakehouse-type connector for trino_offline_store. ([#5846](#5846)) ([c2ea7e9](c2ea7e9))
* Update model_validator to use instance method signature (Pydantic v2.12 deprecation) ([#5825](#5825)) ([3c10b6e](3c10b6e))

### Features

* Add dbt integration for importing models as FeatureViews ([#5827](#5827)) ([b997361](b997361)), closes [#3335](#3335) [#3335](#3335) [#3335](#3335)
* Add GCS registry store in Go feature server ([#5818](#5818)) ([1dc2be5](1dc2be5))
* Add progress bar to CLI from feast apply ([#5867](#5867)) ([ab3562b](ab3562b))
* Add RBAC blog post to website ([#5861](#5861)) ([b1844a3](b1844a3))
* Add skip_feature_view_validation parameter to FeatureStore.apply() and plan() ([#5859](#5859)) ([5482a0e](5482a0e))
* Added batching to feature server /push to offline store ([#5683](#5683)) ([#5729](#5729)) ([ce35ce6](ce35ce6))
* Enable static artifacts for feature server that can be used in Feature Transformations ([#5787](#5787)) ([edefc3f](edefc3f))
* Improve lambda materialization engine ([#5829](#5829)) ([f6116f9](f6116f9))
* Offline Store historical features retrieval based on datetime range in Ray ([#5738](#5738)) ([e484c12](e484c12))
* Read, Save docs and chat fixes ([#5865](#5865)) ([2081b55](2081b55))
* Resolve pyarrow >21 installation with ibis-framework ([#5847](#5847)) ([8b9bb50](8b9bb50))
* Support staging for spark materialization ([#5671](#5671)) ([#5797](#5797)) ([5b787af](5b787af))
kyledepasquale pushed a commit to kyledepasquale/feast that referenced this pull request Jan 21, 2026
@feast-ci-bot @kyledepasquale
chore(release): release 0.59.0
b52f528 
# [0.59.0](feast-dev/feast@v0.58.0...v0.59.0) (2026-01-16)

### Bug Fixes

* Add get_table_query_string_with_alias() for PostgreSQL subquery aliasing ([feast-dev#5811](feast-dev#5811)) ([11122ce](feast-dev@11122ce))
* Add hybrid online store to ONLINE_STORE_CLASS_FOR_TYPE mapping ([feast-dev#5810](feast-dev#5810)) ([678589b](feast-dev@678589b))
* Add possibility to overwrite send_receive_timeout for clickhouse offline store ([feast-dev#5792](feast-dev#5792)) ([59dbb33](feast-dev@59dbb33))
* Denial by default to all resources when no permissions set  ([feast-dev#5663](feast-dev#5663)) ([1524f1c](feast-dev@1524f1c))
* Make operator include full OIDC secret in repo config ([feast-dev#5676](feast-dev#5676)) ([feast-dev#5809](feast-dev#5809)) ([a536bc2](feast-dev@a536bc2))
* Populate Postgres `registry.path` during `feast init` ([feast-dev#5785](feast-dev#5785)) ([f293ae8](feast-dev@f293ae8))
* **redis:** Preserve millisecond timestamp precision for Redis online store ([feast-dev#5807](feast-dev#5807)) ([9e3f213](feast-dev@9e3f213))
* Search API to return all matching tags in matched_tags field ([feast-dev#5843](feast-dev#5843)) ([de37f66](feast-dev@de37f66))
* Spark Materialization Engine Cannot Infer Schema ([feast-dev#5806](feast-dev#5806)) ([58d0325](feast-dev@58d0325)), closes [feast-dev#5594](feast-dev#5594) [feast-dev#5594](feast-dev#5594)
* Support arro3 table schema with newer deltalake packages ([feast-dev#5799](feast-dev#5799)) ([103c5e9](feast-dev@103c5e9))
* Timestamp formatting and lakehouse-type connector for trino_offline_store. ([feast-dev#5846](feast-dev#5846)) ([c2ea7e9](feast-dev@c2ea7e9))
* Update model_validator to use instance method signature (Pydantic v2.12 deprecation) ([feast-dev#5825](feast-dev#5825)) ([3c10b6e](feast-dev@3c10b6e))

### Features

* Add dbt integration for importing models as FeatureViews ([feast-dev#5827](feast-dev#5827)) ([b997361](feast-dev@b997361)), closes [feast-dev#3335](feast-dev#3335) [feast-dev#3335](feast-dev#3335) [feast-dev#3335](feast-dev#3335)
* Add GCS registry store in Go feature server ([feast-dev#5818](feast-dev#5818)) ([1dc2be5](feast-dev@1dc2be5))
* Add progress bar to CLI from feast apply ([feast-dev#5867](feast-dev#5867)) ([ab3562b](feast-dev@ab3562b))
* Add RBAC blog post to website ([feast-dev#5861](feast-dev#5861)) ([b1844a3](feast-dev@b1844a3))
* Add skip_feature_view_validation parameter to FeatureStore.apply() and plan() ([feast-dev#5859](feast-dev#5859)) ([5482a0e](feast-dev@5482a0e))
* Added batching to feature server /push to offline store ([feast-dev#5683](feast-dev#5683)) ([feast-dev#5729](feast-dev#5729)) ([ce35ce6](feast-dev@ce35ce6))
* Enable static artifacts for feature server that can be used in Feature Transformations ([feast-dev#5787](feast-dev#5787)) ([edefc3f](feast-dev@edefc3f))
* Improve lambda materialization engine ([feast-dev#5829](feast-dev#5829)) ([f6116f9](feast-dev@f6116f9))
* Offline Store historical features retrieval based on datetime range in Ray ([feast-dev#5738](feast-dev#5738)) ([e484c12](feast-dev@e484c12))
* Read, Save docs and chat fixes ([feast-dev#5865](feast-dev#5865)) ([2081b55](feast-dev@2081b55))
* Resolve pyarrow >21 installation with ibis-framework ([feast-dev#5847](feast-dev#5847)) ([8b9bb50](feast-dev@8b9bb50))
* Support staging for spark materialization ([feast-dev#5671](feast-dev#5671)) ([feast-dev#5797](feast-dev#5797)) ([5b787af](feast-dev@5b787af))

Signed-off-by: Kyle DePasquale <kyle@kiddom.co>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@franciscojavierarceo franciscojavierarceo franciscojavierarceo approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

@franciscojavierarceo franciscojavierarceo

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@franciscojavierarceo