Change default permission classes to AccessPolicyFromDB
If we set
AccessPolicyFromDB we can remove the need to specify
permission_classes on viewsets wanting to add RBAC. Also, by having the permissions set by this setting users who want to use their own custom permission_classes won't have to subclass, monkey-patch, chain-load their classes for our viewsets with Pulp RBAC.
permission_classesfrom any RBAC viewset so they can use the default setting.
- Remove part of RBAC plugin writers docs saying to add
AccessPolicyFromDBto their viewset's
- Add a default access policy to
AccessPolicyFromDBhere https://github.com/pulp/pulpcore/blob/354383883032277e7a1f7dc7ddf2dc0a5bc40fad/pulpcore/app/access_policy.py#L33 for viewsets that won't have access policies yet. Default would probably be just an admin user check.
*For step 3 we could instead create a new permissions class that is an or ( | ) combination of
IsAdminUser and have that become the new default permissions class. e.g.
from rest_framework.permissions import IsAdminUser from pulpcore.app.access_policy import AccessPolicyFromDB AdminOrPolicyFromDB = IsAdminUser | AcessPolicyFromDB