Inside Authorized Workspaces, A New Feature in Astro
Astronomer is excited to announce Authorized Workspaces, a new Astro feature that allows customers to isolate teams or projects by authorizing workspaces for specific clusters in their data planes.
Authorized Workspaces extend one of Astro’s most useful features, Workspaces. A Workspace is a collection of Astro deployments that can be accessed and updated by a specific group of users. Authorized Workspaces add control over the creation of new Astro deployments by limiting Workspace users to the cluster(s) for which that Workspace is authorized.
The most common use for this new feature is to isolate your production Astro deployments from your non-production deployments. However, when you combine this feature with other benefits — like ensuring that sensitive Astro deployments are accessible only to specific users and teams — you’ve got a lot more flexibility to manage and control access to your Astro resources. Authorized Workspaces also give you a way to expose Astro’s cloud-native orchestration capabilities to data engineers, data scientists, and other self-service users, while ensuring that untested code doesn’t run on production resources.
Authorized Workspaces: What the Feature Does and How It Works
You can use this feature to create workspaces for individual business function areas or teams, or ensure that sensitive workloads run only in authorized and isolated Astro deployments. It makes it easier (and safer) to manage and scale your Astro resources, and it’s a great way to accommodate decentralized approaches, like data mesh.
For example, with Authorized Workspaces, your decentralized teams have access only to the Astro resources they need to create and maintain their own data products. Teams can create production Astro deployments on clusters that have been preconfigured for connectivity to the external data services they require. They can bring up their dev or testing deployments on clusters that have been preconfigured for access to external data systems such as databases, data lakes, or data applications. With Authorized Workspaces, your DevOps and security teams can rest assured your data-pipeline authors are using approved clusters for their data pipelines.
This feature makes it easier for your organization to federate Airflow — creating multiple team-based or use-case-specific deployments — while abstracting almost all of this complexity from users.
Authorizing a workspace for a cluster is straightforward enough. From your Astro account, clicking a button in the Astro UI opens a wizard you can use to authorize any of your existing workspaces for use with one or more clusters. When you provision new Astro cluster resources, you can use the same wizard to authorize them, too. Once you do this, any user with sufficient privileges can create Astro deployments on the cluster(s) for which that workspace is authorized.
Figure 1. A data plane cluster with no configured Workspace Authorizations, allowing existing and net-new Workspaces to create Astro Runtime deployments on it.
Figure 2. A data plane cluster with three Workspace Authorizations configured. Privileged users and API tokens of these three workspaces can create Astro Runtime deployments on this cluster.
You can assign as many clusters as you want or need to each workspace. The same cluster can be authorized across multiple workspaces, too.
The Takeaway
Authorized Workspaces give you the ability to scale your orchestration services while adhering to security standards and best practices, as well as complying with regulations and statutes.
The immediate benefit is that users can’t accidentally run dev or testing workloads on a production system. Aside from the danger of information leakage — i.e., the potential for data loss or accidental data breach — there’s the risk that running untested data pipelines in a production environment could degrade the performance of critical production workloads.
But Authorized Workspaces are also helpful if you’re pursuing a decentralization initiative, like data mesh, because this feature makes it easier, and safer, to implement a federated data layer that can be shared across teams. In the same way, and for the same reasons, it allows you to securely integrate Astro’s orchestration capabilities into different kinds of cloud-native architectures.
Get Started with Authorized Workspaces
If you're an Astro customer, contact your account executive to learn more. And if you’re not yet using Astro, we’d be happy to show you a product demo.