Task #8974
closedChange default permission classes to AccessPolicyFromDB
100%
Description
https://www.django-rest-framework.org/api-guide/permissions/#setting-the-permission-policy
If we set DEFAULT_PERMISSION_CLASSES
to AccessPolicyFromDB
we can remove the need to specify permission_classes
on viewsets wanting to add RBAC. Also, by having the permissions set by this setting users who want to use their own custom permission_classes won't have to subclass, monkey-patch, chain-load their classes for our viewsets with Pulp RBAC.
TODO:
- Remove
permission_classes
from any RBAC viewset so they can use the default setting. - Remove part of RBAC plugin writers docs saying to add
AccessPolicyFromDB
to their viewset'spermission_classes
- Add a default access policy to
AccessPolicyFromDB
here https://github.com/pulp/pulpcore/blob/354383883032277e7a1f7dc7ddf2dc0a5bc40fad/pulpcore/app/access_policy.py#L33 for viewsets that won't have access policies yet. Default would probably be just an admin user check.
*For step 3 we could instead create a new permissions class that is an or ( | ) combination of AccessPolicyFromDB
and IsAdminUser
and have that become the new default permissions class. e.g.
from rest_framework.permissions import IsAdminUser
from pulpcore.app.access_policy import AccessPolicyFromDB
AdminOrPolicyFromDB = IsAdminUser | AcessPolicyFromDB
Updated by bmbouter over 3 years ago
- Sprint/Milestone set to 3.15.0
Note, we need to account for some of the viewsets that override this default, e.g. the StatusAPI, and maybe Artifact endpoints (I heard stated on the call).
Updated by pulpbot over 3 years ago
- Status changed from ASSIGNED to POST
Added by bmbouter over 3 years ago
Updated by bmbouter over 3 years ago
- Status changed from POST to MODIFIED
- % Done changed from 0 to 100
Applied in changeset pulpcore|3b637c0faabd7c93c9aef0bab92d2e0a949b5025.
Updated by pulpbot over 3 years ago
- Status changed from MODIFIED to CLOSED - CURRENTRELEASE
AccessPolicyFromDB
is now used by defaultThe
AccessPolicyFromDB
object is now declared by default in the settings file, and it provides a fallback behavior to theIsAdmin
functionality that was there before.closes #8974