Story #7158: As a plugin writer, I can load RBAC statements easily from the DB - Pulp

Agile board
Agile charts

Agile boards

Pulp 2 QE Agile Board
Pulp 2 QE Agile Board - Priority View
Pulp 3 QE Agile Board
Pulp 3 RPM Tests Agile Board
Sprint 112 Agile Board

Custom queries

[All Projects] All Test Trackers
2.21.4 - Next Bugfix Release
2.21.4 MODIFIED
2.21.5
3.14.3
CI/CD
Easy Fix
FIPS open
Functional Tests
Galaxy NG
Groomed
Installer - Triage
Installer Items
Issues for Triage
Katello Integration
Next Docs Day
Operator issues
POST/ASSIGNED - no Sprint - Pulp2
POST/ASSIGNED - no Sprint - Pulp3
Prioritized Bugs
Pulp 3 Docs issues
Pulp2 issues available for next release
Pulpcore
SELinux related
Sprint 111
Sprint 112
Sprint Candidates (also groomed)
Un-Triaged Bugs
Verification Required

Actions

Send by e-mail Copy link

Story #7158

closed

As a plugin writer, I can load RBAC statements easily from the DB

Added by bmbouter over 4 years ago. Updated over 4 years ago.

Status:

CLOSED - CURRENTRELEASE

Priority:

Normal

Assignee:

bmbouter

Category:

Sprint/Milestone:

3.6.0

Start date:

Due date:

% Done:

100%

Estimated time:

Platform Release:

Groomed:

Sprint Candidate:

Tags:

Sprint:

Quarter:

History
Notes
Property changes
Associated revisions

Added by bmbouter over 4 years ago

Revision 3adeff2c | View on GitHub

Role Based Access Control

This PR adds in user-manageable Access Policies rooted at the /pulp/api/v3/access_policies/ endpint. This deifnes both statements of the policy as well as what permissions should be created for new objects.

The /pulp/api/v3/tasks/ endpoint is now protected by an AccessPolicy which by default provides user-isolation. This effectively limits a non-admin user to only view their own tasks.

Plugins writers can enable role base access control easily using the pulpcore.plugin.models.AccessPolicyFromDB object and declaring with the permission_classes attribute.

Plugin writers can use the pulpcore.plugin.models.AutoAddObjPermsMixin which provides user-configurable ways to create permissions for new objects. This includes three methods object_creator, add_for_users, and add_for_groups.

Plugin writers can use the pulpcore.plugin.models.AutoDeleteObjPermsMixin which provides auto-removal of object level permissions during object deletion.

pulpcore.plugin.models.BaseModel now uses django-lifecycle allowing subcalsses to use it instead of signals

Plugin writers can easily provide queryset scoping on ViewSets that inherit from the pulpcore.plugin.viewsets.NamedModelViewSet by declaring the queryset_filtering_required_permission class attribute naming the permission required to view an object.

closes #7160 closes #7210 closes #7151 closes #7157 closes #7158 closes #7300 closes #7301