Task #8974

Change default permission classes to AccessPolicyFromDB

Added by gerrod 3 months ago. Updated 21 days ago.

Status: CLOSED - CURRENTRELEASE
Priority: Normal
Assignee:
Category: -
Sprint/Milestone:
Start date:
Due date:
% Done: 100%
Estimated time:
Platform Release:
Groomed: No
Sprint Candidate: No
Tags:
Sprint:
Quarter:

Description

https://www.django-rest-framework.org/api-guide/permissions/#setting-the-permission-policy

If we set DEFAULT_PERMISSION_CLASSES to AccessPolicyFromDB, we can remove the need to specify permission_classes on viewsets wanting to add RBAC. Also, by having the permissions set by this setting, users who want to use their own custom permission_classes won't have to subclass, monkey-patch, or chain-load their classes for our viewsets with Pulp RBAC.

TODO:

  1. Remove permission_classes from any RBAC viewset so they can use the default setting.
  2. Remove part of RBAC plugin writers docs saying to add AccessPolicyFromDB to their viewset's permission_classes
  3. Add a default access policy to AccessPolicyFromDB here https://github.com/pulp/pulpcore/blob/354383883032277e7a1f7dc7ddf2dc0a5bc40fad/pulpcore/app/access_policy.py#L33 for viewsets that won't have access policies yet. Default would probably be just an admin user check.

*For step 3 we could instead create a new permissions class that is an or ( | ) combination of AccessPolicyFromDB and IsAdminUser and have that become the new default permissions class. e.g.

from rest_framework.permissions import IsAdminUser
from pulpcore.app.access_policy import AccessPolicyFromDB

# Request is allowed if either permission class allows it.
AdminOrPolicyFromDB = IsAdminUser | AccessPolicyFromDB
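The two options for step 3 give the same answer for viewsets without a stored policy, but differ once a policy exists: with the `|` combination an admin passes even where the stored policy does not name them. The following is an added example, a dependency-free Python model rather than DRF or pulpcore code; the `POLICIES` table, the `User` type and the function names are hypothetical, and it assumes a viewset with no stored policy yields no allow rules.

```python
from dataclasses import dataclass

# Constructed sample data: viewset name -> (action, principal) allow rules.
# Anything not matched by a rule is denied.
POLICIES = {
    "repositories": [("list", "authenticated"), ("create", "group:publishers")],
}


@dataclass(frozen=True)
class User:
    name: str
    is_admin: bool = False  # collapses DRF's staff/superuser distinction
    groups: tuple = ()


def _principal_matches(user, principal):
    if principal == "authenticated":
        return True  # every User in this model is logged in
    if principal == "admin":
        return user.is_admin
    if principal.startswith("group:"):
        return principal.split(":", 1)[1] in user.groups
    return False


def _allowed(user, action, statements):
    return any(act in (action, "*") and _principal_matches(user, who)
               for act, who in statements)


def fallback_inside_policy(user, viewset, action):
    """Step 3 as listed: the admin-only rule is used only when no policy is stored."""
    statements = POLICIES.get(viewset, [("*", "admin")])
    return _allowed(user, action, statements)


def admin_or_policy(user, viewset, action):
    """The '|' alternative: either check passing is enough, so admins always pass."""
    # Assumption: a viewset with no stored policy yields no allow rules.
    return user.is_admin or _allowed(user, action, POLICIES.get(viewset, []))
```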

Associated revisions

Revision 3b637c0f View on GitHub
Added by bmbouter about 2 months ago

AccessPolicyFromDB is now used by default

The AccessPolicyFromDB object is now declared by default in the settings file, and it provides a fallback behavior to the IsAdmin functionality that was there before.

closes #8974

History

#1 Updated by bmbouter 3 months ago

  • Sprint/Milestone set to 3.15.0

Note, we need to account for some of the viewsets that override this default, e.g. the StatusAPI, and maybe Artifact endpoints (I heard stated on the call).

#2 Updated by bmbouter about 2 months ago

  • Status changed from NEW to ASSIGNED

#3 Updated by bmbouter about 2 months ago

  • Assignee set to bmbouter

#4 Updated by pulpbot about 2 months ago

  • Status changed from ASSIGNED to POST

#5 Updated by bmbouter about 2 months ago

  • Status changed from POST to MODIFIED
  • % Done changed from 0 to 100

#6 Updated by pulpbot 21 days ago

  • Status changed from MODIFIED to CLOSED - CURRENTRELEASE
