Story #7157

closed

As a plugin writer, I have an easy way to clean up all object-level permissions

Added by bmbouter over 3 years ago. Updated over 3 years ago.

Status: CLOSED - CURRENTRELEASE
Priority: Normal
Assignee:
Category: -
Sprint/Milestone:
Start date:
Due date:
% Done: 100%
Estimated time:
Platform Release:
Groomed: No
Sprint Candidate: No
Tags:
Sprint: Sprint 79
Quarter:

Description

This is a very common need. The plugin API should provide a way to do it.

Actions #1

Updated by bmbouter over 3 years ago

  • Status changed from NEW to ASSIGNED
  • Assignee set to bmbouter

Actions #2

Updated by bmbouter over 3 years ago

  • Status changed from ASSIGNED to POST
  • Sprint set to Sprint 79

Added by bmbouter over 3 years ago

Revision 3adeff2c

Role Based Access Control

This PR adds in user-manageable Access Policies rooted at the /pulp/api/v3/access_policies/ endpoint. This defines both statements of the policy as well as what permissions should be created for new objects.

The /pulp/api/v3/tasks/ endpoint is now protected by an AccessPolicy which by default provides user-isolation. This effectively limits a non-admin user to only view their own tasks.

Plugin writers can enable role based access control easily using the pulpcore.plugin.models.AccessPolicyFromDB object and declaring it with the permission_classes attribute.

Plugin writers can use the pulpcore.plugin.models.AutoAddObjPermsMixin which provides user-configurable ways to create permissions for new objects. This includes three methods: object_creator, add_for_users, and add_for_groups.

Plugin writers can use the pulpcore.plugin.models.AutoDeleteObjPermsMixin which provides auto-removal of object level permissions during object deletion.

pulpcore.plugin.models.BaseModel now uses django-lifecycle, allowing subclasses to use it instead of signals.

Plugin writers can easily provide queryset scoping on ViewSets that inherit from the pulpcore.plugin.viewsets.NamedModelViewSet by declaring the queryset_filtering_required_permission class attribute naming the permission required to view an object.

closes #7160 closes #7210 closes #7151 closes #7157 closes #7158 closes #7300 closes #7301
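As an added illustration of the permission clean-up this story asks for, and not pulpcore's own code: an in-memory stand-in, with hypothetical names, for the behaviours the commit message attributes to AutoAddObjPermsMixin (object_creator), AutoDeleteObjPermsMixin and queryset_filtering_required_permission. It assumes a constructed scenario in which a deleted object's primary key is later reused, to show why stale object-level permission rows are a problem if they are not removed at delete time.

```python
# Added example, not pulpcore's code. All class and function names are
# hypothetical stand-ins for the mixins and scoping described in the commit.


class PermStore:
    """Constructed stand-in for the object-permission table: rows of (user, perm, pk)."""

    def __init__(self):
        self.rows = set()


class AutoAddObjPerms:
    """Mirrors the object_creator behaviour: grant the creator perms on the new object."""
    permissions_for_object_creator = ()

    def grant_creator_perms(self, store, user):
        for perm in self.permissions_for_object_creator:
            store.rows.add((user, perm, self.pk))


class AutoDeleteObjPerms:
    """Mirrors AutoDeleteObjPermsMixin: remove every permission row naming this object."""

    def delete(self, store):
        store.rows -= {row for row in store.rows if row[2] == self.pk}


class Repository(AutoAddObjPerms, AutoDeleteObjPerms):
    """Hypothetical plugin model using both mixins."""
    permissions_for_object_creator = ("view_repository", "delete_repository")

    def __init__(self, store, pk, creator):
        self.pk = pk
        self.grant_creator_perms(store, creator)


def scoped_queryset(store, user, objects, required_permission="view_repository"):
    """Mirrors queryset scoping by a required permission: keep only objects the user may view."""
    return [obj for obj in objects if (user, required_permission, obj.pk) in store.rows]


def users_who_can_view_reused_pk(cleanup):
    """Delete alice's repository, then create bob's with the same pk (constructed reuse).

    Returns the users whose scoped queryset still contains the new object.
    """
    store = PermStore()
    old = Repository(store, pk=1, creator="alice")
    if cleanup:
        old.delete(store)  # AutoDeleteObjPermsMixin path: rows for pk 1 are removed
    # Without cleanup the DB row is gone but alice's permission rows remain behind.
    new = Repository(store, pk=1, creator="bob")
    return sorted(u for u in ("alice", "bob") if scoped_queryset(store, u, [new]))
```

With cleanup only bob sees the new object; without it alice's stale rows grant her access to an object she never owned.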

Actions #4

Updated by bmbouter over 3 years ago

  • Status changed from POST to MODIFIED
  • % Done changed from 0 to 100

Actions #5

Updated by dkliban@redhat.com over 3 years ago

  • Sprint/Milestone set to 3.6.0

Actions #6

Updated by pulpbot over 3 years ago

  • Status changed from MODIFIED to CLOSED - CURRENTRELEASE