-
Notifications
You must be signed in to change notification settings - Fork 78
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add initial RBAC support #1062
base: main
Are you sure you want to change the base?
Add initial RBAC support #1062
Conversation
bb25db7
to
b76d7e6
Compare
The |
[noissue]
@hstct Okay. Done now. |
@maggu First of all thanks for this work. Since this is an entirely new feature for pulp_deb and I don't have any experience how RBAC works for other Pulp plugins, I am somewhat unsure how to go about reviewing this. One thing that would really help us, is any amount of write up of use cases how you want to use RBAC in pulp_deb that you can do. Perhaps a post in https://discourse.pulpproject.org/c/development/8 to accompany this PR would be a good place to start. Alternatively a post on the accompanying issue might also work: #860. I am trying to understand what the goal and scope for "initial RBAC support" in pulp_deb should be. Does this request make any sense to you? |
@quba42 Absolutely. I'll delegate that task to colleagues who have a clearer view of our use cases than I do. Thanks. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This PR looks pretty good. Are you thinking of adding any tests?
@@ -294,6 +354,17 @@ class ReleaseFileViewSet(ContentViewSet): | |||
serializer_class = serializers.ReleaseFileSerializer | |||
filterset_class = ReleaseFileFilter | |||
|
|||
DEFAULT_ACCESS_POLICY = { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Are you suppose to be able to create these contents with upload? ContentViewSet
has POST
support for create. (https://github.com/pulp/pulpcore/blob/main/pulpcore/app/viewsets/content.py#L183) If yes then the create
action should be added to the statements list, else the base-class viewset should be changed to ReadOnlyContentViewSet
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
My intention has been only to add RBAC and not to make other changes (which also ought to be a separate PR if they are to be made), so yes, I believe the create
action should be added then.
"condition": [ | ||
"has_required_repo_perms_on_upload:deb.modify_content_aptrepository", | ||
"has_required_repo_perms_on_upload:deb.view_aptrepository", | ||
], |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If this content supports creation from an upload object then I think you should also add has_upload_param_model_or_domain_or_obj_perms:core.change_upload
to be consistent with other plugins.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I believe I was quite uncertain about what to use here, and perhaps should have delved deeper into it. I admit I don't fully understand why core.change_upload
should be added, so suggestions and explanations are more than welcome.
"effect": "allow", | ||
"condition": [ | ||
"has_model_or_domain_perms:deb.add_aptdistribution", | ||
"has_publication_param_model_or_domain_or_obj_perms:deb.view_aptpublication", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You need another one this condition, but for verbatim publications.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks.
"principal": "authenticated", | ||
"effect": "allow", | ||
"condition": [ | ||
"has_repository_model_or_domain_or_obj_perms:deb.delete_aptrepository", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should the deb.delete_aptrepository_version
permission also be required since you added it to the AptRepository model? We don't use that permission in pulp_file, we just use the repository's delete permission, so if you don't need a separate permission specifically I would remove it.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ah. My mistake. Yes, the intention was to use deb.delete_aptrepository_version
here. Most likely I copied and pasted from the previous class and forgot to change it. I notice pulp_rpm has a separate permission for it, so figured it would probably be useful here as well. But if you prefer to just use the regular delete permission that's perfectly fine with me.
Thank you for review and valuable feedback! Sorry it's taken me quite some time to reply. For now my purpose has been to resolve our most urgent business needs, but tests should obviously be added and hopefully we can help out with that as well. |
I'm going on vacation now, so won't work on this for some time. I'm planning on making it a priority once I get back though. In the meantime, please feel free to make edits if you want to. |
Add RBAC support for APT repositories. Partially fixes #860.