Pulp

This would be good for a team of 2-3 people to work together.

Criteria¶

The field should be read_only if it's not supposed to be set or updated by users via any REST API calls.
When unsure, set field to read_only (we can make it writable later. Due to semver we can't do it the other way around).
UPD (from comment#9): If a field should be set by user but should remain immutable, this can be adjusted at the viewset level.

Ways for a field to be a read-only one¶

• a field can only be a read-only one

• any IdentityFields
• ManyToManyFields with Through model https://www.django-rest-framework.org/api-guide/relations/#manytomanyfields-with-a-through-model
• StringRelatedField

• nested serializers are read-only by default
• explicitly set on a serializer read_only=True
• editable=False or auto_now=True or auto_now=True or any AutoField on a model
• read_only_fields are specified in Meta class for a serializer

Just to be complete, `read_only` is a little different from immutable. Some fields may need to be set, but only during creation time. For one case, ContentUnits are not read-only, but are immutable because their ViewSets do not have have the Update mixin. https://github.com/pulp/pulp/blob/cf30f2e9a77f7ad935184c5cbe58dfad788febc3/pulpcore/app/viewsets/content.py#L90-L93

Another hypothetical case (I don't know of any in our code base) is that some fields may need to be set at creation time, but other fields are update-able. If this is necessary, some custom update code can be created on the ViewSet and/or Serializer to enforce it.

The important takeaway from this comment is that we need to audit more than just the serializers. We need to also check the ViewSets to get the real picture for what is/isn't mutable.

Current state which looks good to me. Any concerns/thoughts are welcome.

All resources have the following read-only attributes:

• _ href
• _created
• _last_updated

Content¶

read-only:

• _type

read-write (can be set once, can't be updated - restricted in a viewset):

• _artifacts

Artifact¶

read-write:

• file
• size
• all checksums

ContentGuard¶

read-only:

• _type

read-write (as per serializer; create/update are not provided by pulpcore, should be done in plugins):

• name
• description

Repository¶

read-only:

• _versions_href
• _latest_version_href

read-write:

• name
• description

Remote¶

read-only:

• _type

read-write:

• name
• url
• validate
• ssl_validation
• proxy_url
• download_concurrency
• policy

write-only (aka not shown in API responses):

• ssl_ca_certificate
• ssl_client_certificate
• ssl_client_key
• username
• password

Publisher¶

read-only:

• _type
• distributions

read-write:

• name

Exporter¶

read-only:

• _type
• last_export

read-write:

• name

Distribution¶

read-only:

• last_export
• base_url

read-write:

• name
• base_path
• publisher
• content_guard
• publication
• repository

Publication¶

read-only:

• distributions
• repository_version

read-write:

• pass_through
• publisher

RepositoryVersion¶

read-only:

• number
• content_hrefs
• content_added_hrefs
• content_removed_hrefs
• content_summary
• content_added_summary
• content_removed_summary

read-write:

• base_version

write-only:

• add_content_units
• remove_content_units

Task/Worker¶

• no create/update are allowed
• all fields are read_only

User¶

read-write:

• username

write-only:

• password