Project

Profile

Help

Story #7227

Permission checking

Added by newswangerd 15 days ago. Updated 12 days ago.

Status:
NEW
Priority:
Normal
Assignee:
-
Category:
-
Start date:
Due date:
% Done:

0%

Estimated time:
Platform Release:
Groomed:
No
Sprint Candidate:
No
Tags:
Sprint:

Description

We need a way to check the permissions that a user has before they perform a given action. This is necessary for building UIs where some elements on the page (such as administrator functions) need to be turned off if a user.

The current RBAC implementation can provide a list of permissions for the current user and the current access policy, but this is insufficient for applications such as UIs because DRF Access Policy contains conditionals that are evaluated on the backend and can't be evaluated on the UI.

My proposed solution for this problem is to create an endpoint where the user can pass in an API path and a set of actions, and get back a whether or not the user has permission to perform the given actions. So, for example:

Request:

{
  "url": "/api/automation-hub/v3/namespaces/"
  "actions": [
      "delete",
      "update",
      "create",
      "view"
  ]
}

Response:

{
  "permissions": {
    "delete": false,
    "create": true,
    "view": true,
    "update": true
  }
}

History

#1 Updated by bmbouter 15 days ago

This is a needed story, here are some questions to help with the planning.

  1. What URL will this API be offered at? Maybe this just a fancy filtering spec on the user object like /pulp/api/v3/users/:uuid/ from https://pulp.plan.io/issues/7231
  2. Do you imagine the example like delete would really be pulpcore.deletetask (to use an actual permission name)?

#2 Updated by bmbouter 15 days ago

Also what about asking for multiple urls with one call? I suspect that may be required also in cases when multiple objects are being listed on a page.

#3 Updated by newswangerd 15 days ago

bmbouter wrote:

This is a needed story, here are some questions to help with the planning.

  1. What URL will this API be offered at? Maybe this just a fancy filtering spec on the user object like /pulp/api/v3/users/:uuid/ from https://pulp.plan.io/issues/7231
  2. Do you imagine the example like delete would really be pulpcore.deletetask (to use an actual permission name)?
  1. I'm not sure which API this should be offered at. For galaxy_ng I imagined it would be something like api/galaxy/v3/me/permissions, but I don't know how that maps onto the pulp APIs.

  2. The API isn't requesting specific permissions, so it wouldn't use the permission name. Instead I envisioned it as a list of DRF Access Policy actions (https://rsinger86.github.io/drf-access-policy/statement_elements/#action)

bmbouter wrote:

Also what about asking for multiple urls with one call? I suspect that may be required also in cases when multiple objects are being listed on a page.

That would be great. It would lower the number of calls we have to make to the API by a lot when the UI first loads. Something like this would also be great:

Request:

[
  {
    "url": "/api/automation-hub/v3/namespaces/",
    "actions": ["delete", "update", "create", "view"]
  },
  {
    "url": "/api/automation-hub/v3/users/",
    "actions": ["delete", "update", "create", "view"]
  }
]

Response

[
  {
    "url": "/api/automation-hub/v3/namespaces/",
    "permissions": {
      "delete": false,
      "create": true,
      "view": true,
      "update": true
    }
  },
  {
    "url": "/api/automation-hub/v3/users/",
    "permissions": {
      "delete": false,
      "create": true,
      "view": true,
      "update": true
    }
  }
]

#4 Updated by fao89 12 days ago

  • Tracker changed from Issue to Story
  • % Done set to 0
  • Severity deleted (2. Medium)
  • Triaged deleted (No)

Please register to edit this issue

Also available in: Atom PDF