<p><strong>Pulp - Story #8940: Add RBAC content guard to pulpcore</strong> (<a href="https://pulp.plan.io/issues/8940">https://pulp.plan.io/issues/8940</a>)</p>
<p><strong>Updated by bmbouter (bmbouter@redhat.com) on 2021-06-21T17:56:09Z</strong> (<a href="https://pulp.plan.io/issues/8940?journal_id=72186">journal 72186</a>)</p>
<p>AccessPolicies are global, but allow for object-level permissions to be checked. So what if the permission was named <code>can_download</code> or <code>download</code> and it had object-level permissions relating an instance of a distribution with a ContentGuard? Or maybe it should be on the content guard itself...?</p>
<p><strong>Updated by daviddavis on 2021-06-21T18:13:06Z</strong> (<a href="https://pulp.plan.io/issues/8940?journal_id=72190">journal 72190</a>)</p>
<ul><li><strong>Sprint/Milestone</strong> set to <i>3.15.0</i></li></ul>
<p><strong>Updated by gerrod on 2021-06-22T03:54:00Z</strong> (<a href="https://pulp.plan.io/issues/8940?journal_id=72195">journal 72195</a>)</p>
<p>Talking it over with <a class="user active" href="https://pulp.plan.io/users/1">bmbouter</a>, I think the best implementation would be to add a new permission called <code>can_download</code> to the RBAC content guard that will determine if a user can download content from a distribution. When creating an RBAC content guard you would specify the users and groups to receive the <code>can_download</code> permission for that instance of the guard. Then that content guard can be added to any distribution from which you want that set of users to be able to download.</p>
<p>The RBAC content guard would perform authentication and authorization for requests to the content app. It would create a 'fake' DRF view that would convert the aiohttp request to a Django request and use the view's authentication and authorization methods defined by DRF settings. Example from the container plugin: <a href="https://github.com/pulp/pulp_container/blob/master/pulp_container/app/authorization.py#L158" class="external">https://github.com/pulp/pulp_container/blob/master/pulp_container/app/authorization.py#L158</a>. The authentication check will go through each authentication class one by one until a user is found. Then authorization will do a permission check on the user to see if they have the <code>can_download</code> permission for that content guard.</p>
<p>Additional fields that could be added to content guard:</p>
<ul>
<li>
<code>authentication_classes</code> - a string array listing all the auth classes to use for authenticating the user for the content guard; possible values would come from this setting: <a href="https://www.django-rest-framework.org/api-guide/authentication/#setting-the-authentication-scheme" class="external">https://www.django-rest-framework.org/api-guide/authentication/#setting-the-authentication-scheme</a>. The default, an empty list, would use all classes listed in that setting.</li>
<li>
<code>permission_classes</code> - a string array listing all the permission classes to use for authorization; possible values would be the default permissions in DRF (<a href="https://www.django-rest-framework.org/api-guide/permissions/#api-reference" class="external">https://www.django-rest-framework.org/api-guide/permissions/#api-reference</a>) and <code>AccessPolicyFromDB</code> (<a href="https://docs.pulpproject.org/pulpcore/plugins/plugin-writer/concepts/rbac/access_policy.html#viewset-enforcement" class="external">https://docs.pulpproject.org/pulpcore/plugins/plugin-writer/concepts/rbac/access_policy.html#viewset-enforcement</a>). The default would be <code>[AccessPolicyFromDB]</code>.
</li>
<li>
<code>additional_permissions</code> - a string array listing additional permission checks needed on top of <code>can_download</code> permission. These permissions would use the objects associated with this content guard (the distribution for the request, the repository of the distribution, the publication of the distribution). This field's behavior might not be easy to define with all the permissions available in Pulp.</li>
</ul>
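<p>As an added illustration (not pulpcore code; the aiohttp/DRF plumbing is replaced by plain Python stand-ins), the following models the flow described in this comment: each authentication class is tried in turn until one yields a user, then the object-level <code>can_download</code> permission is checked on the guard instance itself, so the same user can be permitted by one guard and refused by another. <code>RBACContentGuard</code>, <code>HeaderAuth</code>, <code>permit</code> and the token/session tables are all constructed for the example.</p>

```python
from dataclasses import dataclass, field

OK, UNAUTHORIZED, FORBIDDEN = 200, 401, 403


@dataclass(frozen=True)
class User:
    name: str


@dataclass
class RBACContentGuard:
    """Hypothetical guard model: `can_download` is held per guard instance, so
    a user may be allowed on one guard and denied on another."""
    name: str
    can_download: set = field(default_factory=set)  # usernames holding the perm

    def has_perm(self, user, perm):
        return perm == "can_download" and user.name in self.can_download


class HeaderAuth:
    """Stand-in for one DRF authentication class: maps a request header value
    (a token or session id from a constructed table) to a user, or None."""
    def __init__(self, header, table):
        self.header, self.table = header, table

    def authenticate(self, request):
        name = self.table.get(request.get(self.header))
        return User(name) if name else None


def permit(guard, request, authentication_classes):
    """Try each authentication class in order until one yields a user, then
    check the object-level `can_download` permission on the guard itself.
    Returns (status, user): 200, 401 (nobody authenticated) or 403 (no perm)."""
    user = None
    for auth in authentication_classes:
        user = auth.authenticate(request)
        if user is not None:
            break
    if user is None:
        return UNAUTHORIZED, None
    if not guard.has_perm(user, "can_download"):
        return FORBIDDEN, user
    return OK, user


# Constructed sample: two guards, two auth classes tried in order.
GUARD_A = RBACContentGuard("guard-a", {"alice"})
GUARD_B = RBACContentGuard("guard-b", {"bob"})
AUTH_CLASSES = [HeaderAuth("authorization", {"tok-alice": "alice"}),
                HeaderAuth("session", {"sess-bob": "bob"})]
```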
<p><strong>Updated by gerrod on 2021-06-22T15:40:17Z</strong> (<a href="https://pulp.plan.io/issues/8940?journal_id=72232">journal 72232</a>)</p>
<ul><li><strong>Related to</strong> <i><a class="issue tracker-3 status-11 priority-6 priority-default closed" href="/issues/8951">Story #8951</a>: Add authentication to content app</i> added</li></ul>
<p><strong>Updated by gerrod on 2021-06-22T15:43:18Z</strong> (<a href="https://pulp.plan.io/issues/8940?journal_id=72234">journal 72234</a>)</p>
<p>With <a class="issue tracker-3 status-11 priority-6 priority-default closed" title="Story: Add authentication to content app (CLOSED - CURRENTRELEASE)" href="https://pulp.plan.io/issues/8951">#8951</a> this content guard should only do the permission check and use the authentication coming from the middleware.</p>
<p><strong>Updated by gerrod on 2021-07-21T13:54:40Z</strong> (<a href="https://pulp.plan.io/issues/8940?journal_id=73519">journal 73519</a>)</p>
<ul><li><strong>Status</strong> changed from <i>NEW</i> to <i>ASSIGNED</i></li></ul>
<p><strong>Updated by pulpbot on 2021-07-23T22:19:38Z</strong> (<a href="https://pulp.plan.io/issues/8940?journal_id=73726">journal 73726</a>)</p>
<ul><li><strong>Status</strong> changed from <i>ASSIGNED</i> to <i>POST</i></li></ul>
<p>PR: <a href="https://github.com/pulp/pulpcore/pull/1518" class="external">https://github.com/pulp/pulpcore/pull/1518</a></p>
<p><strong>Updated by gerrod on 2021-08-26T09:24:36Z</strong> (<a href="https://pulp.plan.io/issues/8940?journal_id=74843">journal 74843</a>)</p>
<ul><li><strong>Status</strong> changed from <i>POST</i> to <i>MODIFIED</i></li><li><strong>% Done</strong> changed from <i>0</i> to <i>100</i></li></ul>
<p>Applied in changeset <a class="changeset" title="Add RBAC content guard fixes: #8940" href="https://pulp.plan.io/projects/pulp/repository/pulpcore/revisions/19234ff6ec50bfa8e968d157b52c838899c968ff">pulpcore|19234ff6ec50bfa8e968d157b52c838899c968ff</a>.</p>
<p><strong>Updated by pulpbot on 2021-08-26T12:36:11Z</strong> (<a href="https://pulp.plan.io/issues/8940?journal_id=74891">journal 74891</a>)</p>
<ul><li><strong>Status</strong> changed from <i>MODIFIED</i> to <i>CLOSED - CURRENTRELEASE</i></li></ul>