Project

Profile

Help

Story #8940

closed

Add RBAC content guard to pulpcore

Added by gerrod over 3 years ago. Updated over 3 years ago.

Status:
CLOSED - CURRENTRELEASE
Priority:
Normal
Assignee:
Category:
-
Sprint/Milestone:
Start date:
Due date:
% Done:

100%

Estimated time:
Platform Release:
Groomed:
No
Sprint Candidate:
No
Tags:
Sprint:
Quarter:

Description

Background

Content guards are added to distributions and are used to protect who can download (and view) content available in that distribution from the content app. Users create content guard instances with specific settings for each distribution they want to protect. RBAC in Pulp is provided by Django and DRF and currently has no relation to content guards, so users can protect who can manage content in Pulp using RBAC, but not who can download it. There is a need for an RBAC enabled content guard that protects content based on RBAC permissions.

Implementation

Add a new RBAC content guard that would ship by default in pulpcore. The access policy for these content guard instances should be customizable by the user and if not set should default to the policy used by the distribution. Some requests go through a plugin's extended REST API first and then redirect to the content app, so an option to authorized requests based on redirection origin should be added to the content guard.


Related issues

Related to Pulp - Story #8951: Add authentication to content appCLOSED - CURRENTRELEASEgerrod

Actions
Actions #1

Updated by bmbouter over 3 years ago

AccessPolicies are global, but allow for object level permissions to be checked. So what if the permission was named can_download or dowload and it had object-level permissions relating an instance of a distribution with a ContentGuard? Or maybe it should be on the content guard itself ..... ?

Actions #2

Updated by daviddavis over 3 years ago

  • Sprint/Milestone set to 3.15.0
Actions #3

Updated by gerrod over 3 years ago

Talking it over with bmbouter, I think the best implementation would be to add a new permission called can_download to the RBAC content guard that will determine if a user can download content from a distribution. When creating an RBAC content guard you would specify the users and groups to receive the can_download permission for that instance of the guard. Then that content guard can be added to any distribution where you want those set of users to be able to download from.

The RBAC content guard would preform authentication and authorization for requests to the content app. It would create a 'fake' DRF view that would convert the aiohttp request to a django request and use the view's authentication and authorization methods defined by DRF settings. Example from container plugin (https://github.com/pulp/pulp_container/blob/master/pulp_container/app/authorization.py#L158) The authentication check will go through each authentication class one by one till the user is found. Then authorization will do a permission check on the user to see if they have the can_download permission for that content guard.

Additional fields that could be added to content guard:

Actions #4

Updated by gerrod over 3 years ago

  • Related to Story #8951: Add authentication to content app added
Actions #5

Updated by gerrod over 3 years ago

With #8951 this content-guard should only do the permission check and use the authentication coming from the middleware.

Actions #6

Updated by gerrod over 3 years ago

  • Status changed from NEW to ASSIGNED
Actions #7

Updated by pulpbot over 3 years ago

  • Status changed from ASSIGNED to POST

Added by gerrod over 3 years ago

Revision 19234ff6 | View on GitHub

Add RBAC content guard

fixes: #8940

Actions #8

Updated by gerrod over 3 years ago

  • Status changed from POST to MODIFIED
  • % Done changed from 0 to 100
Actions #9

Updated by pulpbot over 3 years ago

  • Status changed from MODIFIED to CLOSED - CURRENTRELEASE

Also available in: Atom PDF