Task #9572

Port the RBAC implementation to the pulpcore roles framework

Added by mdellweg 22 days ago. Updated 5 days ago.

Status: NEW
Priority: Normal
Assignee: -
Sprint/Milestone: -
Start date:
Due date:
% Done: 0%
Estimated time:
Platform Release:
Groomed: No
Sprint Candidate: No
Tags:
Sprint: Sprint 111
Quarter:

Description

Start with a PoC PR to get the pulpcore PR merged first.

Once that is done, we need to write a data migration that will look for the autogenerated groups and translate them into user_object_roles. To be discussed: Look if we can be clever with global permissions too.

History

#1 Updated by newswangerd 22 days ago

I've been thinking about this for galaxy_ng and I've come up with 3 potential solutions to this problem that we're considering.

Let's say I have group foo with model permissions for create-bar and update-bar.

  1. Create a role for each group that has all of the permissions that the group used to have. In this scenario we'd create role group-foo, assign create-bar and update-bar to the new role, and assign the new role to foo.

  2. Create a role for each permission. In this scenario we'd create a role called permission-create-bar and permission-update-bar and assign both of the new roles to foo.

  3. Attempt to match a group's permission matrix to a set of system roles. This would attempt to assign a system role that has permissions for create-bar and update-bar to foo.

Each approach has its advantages and disadvantages. 3 would provide the best user experience, but would be buggy, and potentially impossible to implement since system roles are only created in a post migration hook. 1 and 2 will both create a lot of annoying default roles that will make it difficult to search for roles that users might actually care about. 2 would likely create fewer roles, but also bypasses the purpose of roles in the first place.
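The three strategies from comment #1, sketched as an added example that is not part of the ticket or of pulpcore/galaxy_ng code: plain Python sets stand in for groups, permissions and roles, and the groups other than foo, the system roles and all function names are constructed for illustration. `effective` supports the check any such migration needs, that each group's permissions are identical before and after.

```python
# Constructed sample data: group -> model permissions (foo follows the comment's example).
GROUPS = {
    "foo": {"create-bar", "update-bar"},
    "ops": {"create-bar", "update-bar", "delete-bar"},
    "dev": {"update-bar", "delete-bar"},
    "qa": {"create-bar", "delete-bar"},
}
# Hypothetical system roles; per the comment, real ones only exist after a post-migration hook.
SYSTEM_ROLES = {
    "bar-editor": {"create-bar", "update-bar"},
    "bar-remover": {"delete-bar"},
}

def role_per_group(groups):
    """Option 1: one role 'group-<name>' carrying exactly that group's permissions."""
    roles = {f"group-{g}": set(ps) for g, ps in groups.items()}
    return roles, {g: {f"group-{g}"} for g in groups}

def role_per_permission(groups):
    """Option 2: one single-permission role per distinct permission in use."""
    perms = set().union(*groups.values())
    roles = {f"permission-{p}": {p} for p in perms}
    return roles, {g: {f"permission-{p}" for p in ps} for g, ps in groups.items()}

def match_system_roles(groups, system_roles):
    """Option 3: assign only system roles that never over-grant; list groups left uncovered."""
    assigned, unmatched = {}, []
    for g, ps in groups.items():
        fits = {r for r, rp in system_roles.items() if rp <= ps}  # subset roles only
        covered = set().union(*(system_roles[r] for r in fits))
        if covered == ps:
            assigned[g] = fits
        else:
            unmatched.append(g)  # assigning anything here would drop or add permissions
    return assigned, unmatched

def effective(roles, assignment):
    """Permissions each group holds through its roles, for a before/after comparison."""
    return {g: set().union(*(roles[r] for r in rs)) for g, rs in assignment.items()}
```

On this sample, options 1 and 2 preserve every group's permissions with 4 and 3 generated roles respectively, while option 3 covers only foo and ops and leaves dev and qa needing a fallback.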

#2 Updated by rchan 19 days ago

  • Sprint changed from Sprint 109 to Sprint 110

#3 Updated by rchan 5 days ago

  • Sprint changed from Sprint 110 to Sprint 111
