Add initial RBAC support #1062
Add initial RBAC support #1062
Conversation
maggu
force-pushed
the
main
branch
3 times, most recently
from
bb25db7
to
b76d7e6
Compare
|
The |
[noissue]
|
@hstct Okay. Done now. |
|
@maggu First of all thanks for this work. Since this is an entirely new feature for pulp_deb and I don't have any experience how RBAC works for other Pulp plugins, I am somewhat unsure how to go about reviewing this. One thing that would really help us, is any amount of write up of use cases how you want to use RBAC in pulp_deb that you can do. Perhaps a post in https://discourse.pulpproject.org/c/development/8 to accompany this PR would be a good place to start. Alternatively a post on the accompanying issue might also work: #860. I am trying to understand what the goal and scope for "initial RBAC support" in pulp_deb should be. Does this request make any sense to you? |
|
@quba42 Absolutely. I'll delegate that task to colleagues who have a clearer view of our use cases than I do. Thanks. |
| @@ -294,6 +354,17 @@ class ReleaseFileViewSet(ContentViewSet): | |||
| serializer_class = serializers.ReleaseFileSerializer | |||
| filterset_class = ReleaseFileFilter | |||
|
|
|||
| DEFAULT_ACCESS_POLICY = { | |||
There was a problem hiding this comment.
Are you suppose to be able to create these contents with upload? ContentViewSet has POST support for create. (https://github.com/pulp/pulpcore/blob/main/pulpcore/app/viewsets/content.py#L183) If yes then the create action should be added to the statements list, else the base-class viewset should be changed to ReadOnlyContentViewSet.
There was a problem hiding this comment.
My intention has been only to add RBAC and not to make other changes (which also ought to be a separate PR if they are to be made), so yes, I believe the create action should be added then.
| "condition": [ | ||
| "has_required_repo_perms_on_upload:deb.modify_content_aptrepository", | ||
| "has_required_repo_perms_on_upload:deb.view_aptrepository", | ||
| ], |
There was a problem hiding this comment.
If this content supports creation from an upload object then I think you should also add has_upload_param_model_or_domain_or_obj_perms:core.change_upload to be consistent with other plugins.
There was a problem hiding this comment.
I believe I was quite uncertain about what to use here, and perhaps should have delved deeper into it. I admit I don't fully understand why core.change_upload should be added, so suggestions and explanations are more than welcome.
| "effect": "allow", | ||
| "condition": [ | ||
| "has_model_or_domain_perms:deb.add_aptdistribution", | ||
| "has_publication_param_model_or_domain_or_obj_perms:deb.view_aptpublication", |
There was a problem hiding this comment.
You need another one this condition, but for verbatim publications.
| "principal": "authenticated", | ||
| "effect": "allow", | ||
| "condition": [ | ||
| "has_repository_model_or_domain_or_obj_perms:deb.delete_aptrepository", |
There was a problem hiding this comment.
Should the deb.delete_aptrepository_version permission also be required since you added it to the AptRepository model? We don't use that permission in pulp_file, we just use the repository's delete permission, so if you don't need a separate permission specifically I would remove it.
There was a problem hiding this comment.
Ah. My mistake. Yes, the intention was to use deb.delete_aptrepository_version here. Most likely I copied and pasted from the previous class and forgot to change it. I notice pulp_rpm has a separate permission for it, so figured it would probably be useful here as well. But if you prefer to just use the regular delete permission that's perfectly fine with me.
Thank you for review and valuable feedback! Sorry it's taken me quite some time to reply. For now my purpose has been to resolve our most urgent business needs, but tests should obviously be added and hopefully we can help out with that as well. |
|
I'm going on vacation now, so won't work on this for some time. I'm planning on making it a priority once I get back though. In the meantime, please feel free to make edits if you want to. |
Add RBAC support for APT repositories. Partially fixes #860.