
Story #7210

closed

As a user, I can configure the permissions created at object creation time

Added by bmbouter over 3 years ago. Updated over 3 years ago.

Status: CLOSED - CURRENTRELEASE
Priority: Normal
Assignee:
Category: -
Sprint/Milestone:
Start date:
Due date:
% Done: 100%
Estimated time:
Platform Release:
Groomed: Yes
Sprint Candidate: No
Tags:
Sprint: Sprint 79
Quarter:

Description

Problem

When a user creates an object, e.g. a Task, what permissions are assigned to it?

On some installations, when object foo is created, users X and groups Y should receive permissions Z on object foo. On other installations, users A and groups B should receive permissions C. How can we make this satisfy everyone?

Solution

Add a post_create_callable JSONField to the AccessPolicy model. Its value is a list of dictionaries, and each dictionary has three allowed keys; see the example entry below.

[
    {
        "function": "add_for_users",
        "parameters": ["alice", "bob"],
        "permissions": ["pulpcore.view_task", "pulpcore.change_task", "pulpcore.delete_task"]
    },
    {
        "function": "add_for_groups",
        "parameters": "foo",
        "permissions": "pulpcore.view_task"
    },
    {
        "function": "object_creator",
        "parameters": null,
        "permissions": ["pulpcore.view_task", "pulpcore.change_task", "pulpcore.delete_task"]
    }
]

Each entry names a function that is called at object creation time. These functions are callables on the AccessPolicy object linked to the ViewSet, not on the model itself.

All three keys are required. The function value is a single string, validated to be a callable on the AccessPolicy governing the ViewSet. The parameters value can be null, a single string, or a list of strings. The permissions value can be a single string or a list of strings, and each entry is validated against a permission in the DB.

Built-in callables

By default three callables will always be available, but plugin writers can add more.

  • add_for_users will add the permissions for one or more users by name. This requires parameters to not be null.
  • add_for_groups will add the permissions for one or more groups by name. This requires parameters to not be null.
  • object_creator will add the permissions to the creator of the object. This requires the parameters value to be null.
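The validation rules above and the three built-in callables, as an added example that is not Pulp's own code: the AccessPolicy class, the callable signature (obj, creator, parameters, permissions), the in-memory KNOWN_PERMS set standing in for the permission table, and the assigned list standing in for object-level permissions are all assumptions made for illustration.

```python
# Added example, not pulpcore code. Validates a permissions_assignment list
# and applies it at object creation time, following the rules in the story.
KNOWN_PERMS = {"pulpcore.view_task", "pulpcore.change_task", "pulpcore.delete_task"}  # constructed stand-in for the DB


class AccessPolicy:
    """Stand-in for the AccessPolicy linked to a ViewSet; plugins may add callables."""

    def __init__(self):
        self.assigned = []  # (kind, name, permission), stand-in for object-level permissions

    def add_for_users(self, obj, creator, parameters, permissions):
        self.assigned += [("user", u, p) for u in parameters for p in permissions]

    def add_for_groups(self, obj, creator, parameters, permissions):
        self.assigned += [("group", g, p) for g in parameters for p in permissions]

    def object_creator(self, obj, creator, parameters, permissions):
        self.assigned += [("user", creator, p) for p in permissions]


def _as_list(value):
    """A single string and a list of strings are both accepted; normalise to a list."""
    return [value] if isinstance(value, str) else list(value)


def _str_or_list(value):
    return isinstance(value, str) or (isinstance(value, list) and all(isinstance(v, str) for v in value))


def validate_entry(policy, entry):
    """Raise ValueError unless the entry satisfies every rule in the story."""
    if set(entry) != {"function", "parameters", "permissions"}:
        raise ValueError(f"exactly function/parameters/permissions required, got {sorted(entry)}")
    fn, params, perms = entry["function"], entry["parameters"], entry["permissions"]
    # Only public callables on the AccessPolicy may be named; reject private attributes.
    if not isinstance(fn, str) or fn.startswith("_") or not callable(getattr(policy, fn, None)):
        raise ValueError(f"{fn!r} is not a callable on the AccessPolicy")
    if params is not None and not _str_or_list(params):
        raise ValueError("parameters must be null, a string, or a list of strings")
    if fn in ("add_for_users", "add_for_groups") and params is None:
        raise ValueError(f"{fn} requires parameters to not be null")
    if fn == "object_creator" and params is not None:
        raise ValueError("object_creator requires parameters to be null")
    if not _str_or_list(perms):
        raise ValueError("permissions must be a string or a list of strings")
    unknown = set(_as_list(perms)) - KNOWN_PERMS  # each permission must exist in the DB
    if unknown:
        raise ValueError(f"unknown permissions: {sorted(unknown)}")


def apply_permissions_assignment(policy, assignment, obj, creator):
    """Validate every entry first, then call each function in list order."""
    for entry in assignment:
        validate_entry(policy, entry)
    for entry in assignment:
        params = None if entry["parameters"] is None else _as_list(entry["parameters"])
        getattr(policy, entry["function"])(obj, creator, params, _as_list(entry["permissions"]))
    return policy.assigned
```

Validating the whole list before calling any function keeps a bad third entry from leaving the first two half-applied.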

The Default

Plugin writers are expected to ship a default like this one:

[
    {
        "function": "object_creator",
        "parameters": null,
        "permissions": ["pulpcore.view_task", "pulpcore.change_task", "pulpcore.delete_task"]
    }
]

How Users Configure This

This will be available via the AccessPolicySerializer, similar to how users read, set, and adjust the statements field today as part of story https://pulp.plan.io/issues/7160. This JSONField will be named permissions_assignment.
