Project

Profile

Help

Task #8974

closed

Change default permission classes to AccessPolicyFromDB

Added by gerrod over 3 years ago. Updated about 3 years ago.

Status:
CLOSED - CURRENTRELEASE
Priority:
Normal
Assignee:
Category:
-
Sprint/Milestone:
Start date:
Due date:
% Done:

100%

Estimated time:
Platform Release:
Groomed:
No
Sprint Candidate:
No
Tags:
Sprint:
Quarter:

Description

https://www.django-rest-framework.org/api-guide/permissions/#setting-the-permission-policy

If we set DEFAULT_PERMISSION_CLASSES to AccessPolicyFromDB we can remove the need to specify permission_classes on viewsets wanting to add RBAC. Also, by having the permissions set by this setting users who want to use their own custom permission_classes won't have to subclass, monkey-patch, chain-load their classes for our viewsets with Pulp RBAC.

TODO:

  1. Remove permission_classes from any RBAC viewset so they can use the default setting.
  2. Remove part of RBAC plugin writers docs saying to add AccessPolicyFromDB to their viewset's permission_classes
  3. Add a default access policy to AccessPolicyFromDB here https://github.com/pulp/pulpcore/blob/354383883032277e7a1f7dc7ddf2dc0a5bc40fad/pulpcore/app/access_policy.py#L33 for viewsets that won't have access policies yet. Default would probably be just an admin user check.

*For step 3 we could instead create a new permissions class that is an or ( | ) combination of AccessPolicyFromDB and IsAdminUser and have that become the new default permissions class. e.g.

from rest_framework.permissions import IsAdminUser
from pulpcore.app.access_policy import AccessPolicyFromDB

AdminOrPolicyFromDB = IsAdminUser | AcessPolicyFromDB

Also available in: Atom PDF