Issue #8048
closed
Object permissions endpoint breaks for objects with unknown viewsets
Description
When I visit http://localhost:5001/pulp/api/v3/groups/1/object_permissions/ I get the error bellow.
It appears as though the object_permissions/ viewset is trying to look up a ViewSet name on the galaxy_ng Namepsace model, which doesn't exist. I think this is happening because we don't link models and viewsets together in the galaxy_ng plugin. Is there a way to make this work when a viewset can't be determined for a model?
Environment:
Request Method: GET
Request URL: http://localhost:5001/pulp/api/v3/groups/1/object_permissions/
Django Version: 2.2.16
Python Version: 3.6.8
Installed Applications:
<BoxList: ['django.contrib.admin', 'django.contrib.auth', 'django.contrib.contenttypes', 'django.contrib.sessions', 'django.contrib.messages', 'django.contrib.staticfiles', 'import_export', 'django_filters', 'drf_spectacular', 'guardian', 'rest_framework', 'pulpcore.app', 'django_cleanup.apps.CleanupConfig', 'pulp_container.app.PulpContainerPluginAppConfig', 'pulp_ansible.app.PulpAnsiblePluginAppConfig', 'galaxy_ng.app.PulpGalaxyPluginAppConfig', 'rest_framework.authtoken']>
Installed Middleware:
<BoxList: ['django_prometheus.middleware.PrometheusBeforeMiddleware', 'django.middleware.security.SecurityMiddleware', 'whitenoise.middleware.WhiteNoiseMiddleware', 'django.contrib.sessions.middleware.SessionMiddleware', 'django.middleware.common.CommonMiddleware', 'django.middleware.csrf.CsrfViewMiddleware', 'django.contrib.auth.middleware.AuthenticationMiddleware', 'django.contrib.messages.middleware.MessageMiddleware', 'django.middleware.clickjacking.XFrameOptionsMiddleware', 'django_prometheus.middleware.PrometheusAfterMiddleware', 'django_currentuser.middleware.ThreadLocalUserMiddleware']>
Traceback:
File "/venv/lib64/python3.6/site-packages/django/core/handlers/exception.py" in inner
34. response = get_response(request)
File "/venv/lib64/python3.6/site-packages/django/core/handlers/base.py" in _get_response
115. response = self.process_exception_by_middleware(e, request)
File "/venv/lib64/python3.6/site-packages/django/core/handlers/base.py" in _get_response
113. response = wrapped_callback(request, *callback_args, **callback_kwargs)
File "/venv/lib64/python3.6/site-packages/django/views/decorators/csrf.py" in wrapped_view
54. return view_func(*args, **kwargs)
File "/venv/lib64/python3.6/site-packages/rest_framework/viewsets.py" in view
114. return self.dispatch(request, *args, **kwargs)
File "/venv/lib64/python3.6/site-packages/rest_framework/views.py" in dispatch
505. response = self.handle_exception(exc)
File "/venv/lib64/python3.6/site-packages/rest_framework/views.py" in handle_exception
465. self.raise_uncaught_exception(exc)
File "/venv/lib64/python3.6/site-packages/rest_framework/views.py" in raise_uncaught_exception
476. raise exc
File "/venv/lib64/python3.6/site-packages/rest_framework/views.py" in dispatch
502. response = handler(request, *args, **kwargs)
File "/venv/lib64/python3.6/site-packages/pulpcore/app/viewsets/user.py" in list
224. return self.get_paginated_response(serializer.data)
File "/venv/lib64/python3.6/site-packages/rest_framework/serializers.py" in data
760. ret = super().data
File "/venv/lib64/python3.6/site-packages/rest_framework/serializers.py" in data
260. self._data = self.to_representation(self.instance)
File "/venv/lib64/python3.6/site-packages/rest_framework/serializers.py" in to_representation
678. self.child.to_representation(item) for item in iterable
File "/venv/lib64/python3.6/site-packages/rest_framework/serializers.py" in <listcomp>
678. self.child.to_representation(item) for item in iterable
File "/venv/lib64/python3.6/site-packages/pulpcore/app/serializers/user.py" in to_representation
55. representation = super().to_representation(obj)
File "/venv/lib64/python3.6/site-packages/rest_framework/serializers.py" in to_representation
529. ret[field.field_name] = field.to_representation(attribute)
File "/venv/lib64/python3.6/site-packages/pulpcore/app/serializers/user.py" in to_representation
27. viewset = get_viewset_for_model(obj.content_object)
File "/venv/lib64/python3.6/site-packages/pulpcore/app/util.py" in get_viewset_for_model
42. raise LookupError("Could not determine ViewSet base name for model {}".format(model_class))
Exception Type: LookupError at /pulp/api/v3/groups/1/object_permissions/
Exception Value: Could not determine ViewSet base name for model <class 'galaxy_ng.app.models.namespace.Namespace'>
Updated by newswangerd over 3 years ago
This is using pulpcore 3.7.1 with pulp-ansible 0.5.5 by the way
Updated by fao89 over 3 years ago
- Triaged changed from No to Yes
- Sprint set to Sprint 88
Updated by mdellweg over 3 years ago
I believe, the rule here is, that something needs to have a pulp api href (starting pulp/api/v3/) in order to be assigned permissions.
So for now, it should be sufficient to add a view set derived from NamedModelViewset together with a suitable serializer.
The result should be somwhere between similar and identical to https://github.com/pulp/pulp_container/blob/master/pulp_container/app/viewsets.py#L551 and https://github.com/pulp/pulp_container/blob/master/pulp_container/app/serializers.py#L138 .
Updated by newswangerd over 3 years ago
mellweg, it's fine if we can't access the permissions for our viewsets under the object permissions api we have our own system for setting permissions for galaxy_ng. Part of the problem here is that the presence of our viewsets is breaking the whole permissions api, so I can't set permissions for other plugins such as pulp_container or pulp_ansible.
Updated by bmbouter over 3 years ago
- Status changed from NEW to ASSIGNED
- Assignee set to bmbouter
Updated by mdellweg about 3 years ago
- Assignee changed from bmbouter to mdellweg
Updated by bmbouter about 3 years ago
Oh here's the trivial diff I was using for testing. I eventually found it. ^-^
+
+
+from rest_framework.response import Response
+from rest_framework.views import APIView
+from pulpcore.app.access_policy import AccessPolicyFromDB
+
+class TestView(APIView):
+ permission_classes = (AccessPolicyFromDB,)
+
+ DEFAULT_ACCESS_POLICY = {
+ "statements": [
+ {"action": ["list"], "principal": "authenticated", "effect": "allow"},
+ ],
+ "permissions_assignment": [
+ {
+ "function": "add_for_object_creator",
+ "parameters": None,
+ "permissions": ["core.view_task", "core.change_task", "core.delete_task"],
+ }
+ ],
+ }
+
+ def get(self, request):
+ """Handles GET requests for the /token/ endpoint."""
+ return Response(data='okok')
+
+urlpatterns.append(url(r"^testview/$", TestView.as_view()))
Updated by bmbouter about 3 years ago
- Sprint/Milestone changed from 3.10.0 to 3.11.0
Moving to 3.11 per IRC convo
Updated by mdellweg about 3 years ago
The problem described by the stacktrace is around the line:
https://github.com/pulp/pulpcore/blob/master/pulpcore/app/serializers/user.py#L26
This serializer field is supposed to transform an object into its pulp_href. But objects without a NamedViewset do not have anything that resembles a pulp_href as far as a understand.
So one way to stop it from exploding would be to provide some other information, but i do not see which one, or how to obtain it. Returning None would make an ObjectPermission look like a ModelPermission and is imho not an option.
Updated by pulpbot about 3 years ago
- Status changed from ASSIGNED to POST
Updated by newswangerd about 3 years ago
We don't have an immediate need to get this fixed in 3.11 for galaxy_ng.
Updated by ipanova@redhat.com about 3 years ago
- Sprint/Milestone changed from 3.11.0 to 3.12.0
Updated by ipanova@redhat.com about 3 years ago
- Sprint/Milestone deleted (
3.12.0)
Updated by daviddavis about 3 years ago
- Status changed from POST to CLOSED - WONTFIX
We decided to close this as WONTFIX. Plugins should use NamedModelViewSet to avoid this problem. Please reopen if you disagree.
.