Project

Profile

Help

Task #8974

closed

Change default permission classes to AccessPolicyFromDB

Added by gerrod over 1 year ago. Updated about 1 year ago.

Status:
CLOSED - CURRENTRELEASE
Priority:
Normal
Assignee:
Category:
-
Sprint/Milestone:
Start date:
Due date:
% Done:

100%

Estimated time:
Platform Release:
Groomed:
No
Sprint Candidate:
No
Tags:
Sprint:
Quarter:

Description

https://www.django-rest-framework.org/api-guide/permissions/#setting-the-permission-policy

If we set DEFAULT_PERMISSION_CLASSES to AccessPolicyFromDB we can remove the need to specify permission_classes on viewsets wanting to add RBAC. Also, by having the permissions set by this setting users who want to use their own custom permission_classes won't have to subclass, monkey-patch, chain-load their classes for our viewsets with Pulp RBAC.

TODO:

  1. Remove permission_classes from any RBAC viewset so they can use the default setting.
  2. Remove part of RBAC plugin writers docs saying to add AccessPolicyFromDB to their viewset's permission_classes
  3. Add a default access policy to AccessPolicyFromDB here https://github.com/pulp/pulpcore/blob/354383883032277e7a1f7dc7ddf2dc0a5bc40fad/pulpcore/app/access_policy.py#L33 for viewsets that won't have access policies yet. Default would probably be just an admin user check.

*For step 3 we could instead create a new permissions class that is an or ( | ) combination of AccessPolicyFromDB and IsAdminUser and have that become the new default permissions class. e.g.

from rest_framework.permissions import IsAdminUser
from pulpcore.app.access_policy import AccessPolicyFromDB

AdminOrPolicyFromDB = IsAdminUser | AcessPolicyFromDB
Actions #1

Updated by bmbouter over 1 year ago

  • Sprint/Milestone set to 3.15.0

Note, we need to account for some of the viewsets that override this default, e.g. the StatusAPI, and maybe Artifact endpoints (I heard stated on the call).

Actions #2

Updated by bmbouter about 1 year ago

  • Status changed from NEW to ASSIGNED
Actions #3

Updated by bmbouter about 1 year ago

  • Assignee set to bmbouter
Actions #4

Updated by pulpbot about 1 year ago

  • Status changed from ASSIGNED to POST

Added by bmbouter about 1 year ago

Revision 3b637c0f

AccessPolicyFromDB is now used by default

The AccessPolicyFromDB object is now declared by default in the settings file, and it provides a fallback behavior to the IsAdmin functionality that was there before.

closes #8974

Actions #5

Updated by bmbouter about 1 year ago

  • Status changed from POST to MODIFIED
  • % Done changed from 0 to 100
Actions #6

Updated by pulpbot about 1 year ago

  • Status changed from MODIFIED to CLOSED - CURRENTRELEASE

Also available in: Atom PDF