Task #9572
closed
Port the RBAC implementation to the pulpcore roles framework
0%
Description
Ticket moved to GitHub: "pulp/pulp_container/508":https://github.com/pulp/pulp_container/issues/508
Start with a PoC PR to get the pulpcore PR merged first.
Once that is done, we need to write a data migration that will look for the autogenerated groups and translate them into user_object_roles. To be discussed: Look if we can be clever with global permissions too.
Updated by newswangerd about 3 years ago
I've been thinking about this for galaxy_ng and I've come up with 3 potential solutions to this problem that we're considering.
Let's say I have group foo with model permissions for create-bar and update-bar.
-
Create a role for each group that has the all of the permissions that the group used to have. In this scenario we'd, create role
group-foo, assigncreate-barandupdate-barto the new role, and assign the new role tofoo. -
Create a role for each permission. In this scenario we'd create a role called
permission-create-barandpermission-update-barand assign both of the new roles tofoo. -
Attempt to match a group's permission matrix to a set of system roles. This would attempt to assign a system role that has permissions for
create-barandupdate-bartofoo.
Each approach has it's advantages and disadvantages. 3 would provide the best user experience, but would be buggy, and potentially impossible to implement since system roles are only created in a post migration hook. 1 and 2 will both create a lot of annoying default roles that will make it difficult to search for roles that user's might actually care about. 2 would likely created fewer roles, but also bypasses the purpose of roles in the first place.
Updated by rchan almost 3 years ago
- Sprint changed from Sprint 110 to Sprint 111
Updated by pulpbot almost 3 years ago
- Description updated (diff)
- Status changed from NEW to CLOSED - DUPLICATE
.