Actions
Story #7158
closedAs a plugin writer, I can load RBAC statements easily from the DB
Added by bmbouter over 4 years ago
Updated by pulpbot over 4 years ago
- Status changed from ASSIGNED to POST
Updated by bmbouter over 4 years ago
- Status changed from POST to MODIFIED
- % Done changed from 0 to 100
Applied in changeset pulpcore|3adeff2cd62c057f1da19c455377089154606bc6.
Updated by pulpbot over 4 years ago
- Status changed from MODIFIED to CLOSED - CURRENTRELEASE
Actions
Role Based Access Control
This PR adds in user-manageable Access Policies rooted at the
/pulp/api/v3/access_policies/
endpint. This deifnes both statements of the policy as well as what permissions should be created for new objects.The
/pulp/api/v3/tasks/
endpoint is now protected by an AccessPolicy which by default provides user-isolation. This effectively limits a non-admin user to only view their own tasks.Plugins writers can enable role base access control easily using the
pulpcore.plugin.models.AccessPolicyFromDB
object and declaring with thepermission_classes
attribute.Plugin writers can use the
pulpcore.plugin.models.AutoAddObjPermsMixin
which provides user-configurable ways to create permissions for new objects. This includes three methodsobject_creator
,add_for_users
, andadd_for_groups
.Plugin writers can use the
pulpcore.plugin.models.AutoDeleteObjPermsMixin
which provides auto-removal of object level permissions during object deletion.pulpcore.plugin.models.BaseModel
now usesdjango-lifecycle
allowing subcalsses to use it instead of signalsPlugin writers can easily provide queryset scoping on ViewSets that inherit from the
pulpcore.plugin.viewsets.NamedModelViewSet
by declaring thequeryset_filtering_required_permission
class attribute naming the permission required to view an object.closes #7160 closes #7210 closes #7151 closes #7157 closes #7158 closes #7300 closes #7301