A proxy companion that adds SSO login and Dagster-aware role-based access control to self-hosted Dagster OSS deployments

Self-hosted Dagster OSS ships with no authentication layer and no RBAC. Every person who can reach the webserver can trigger any job, wipe partitions, and read every asset. Dagster Cloud solves this but costs enterprise pricing; the open-source issue tracking it has been open since 2020 with 396 thumbs and no ship date. This tool is a sidecar proxy that sits in front of the Dagster webserver and enforces SSO login (OIDC/SAML, connecting to Okta, Google Workspace, Azure AD, or any IdP) plus Dagster-specific RBAC: read-only viewers, job launchers scoped to specific code locations, asset-materialisation approvers, and admin-only partition wipes. It intercepts GraphQL and REST calls from the Dagster UI, parses the operation names and resource identifiers, and enforces a declarative role policy defined in a single YAML config file. No changes to the Dagster codebase or dagster.yaml are required. The companion ships as a Docker image and a Helm chart and emits structured JSON audit logs (user, action, asset key or job name, timestamp) to stdout or a configurable sink.