Project

Profile

Help

Task #9572

closed

Port the RBAC implementation to the pulpcore roles framework

Added by mdellweg over 2 years ago. Updated over 2 years ago.

Status:
CLOSED - DUPLICATE
Priority:
Normal
Assignee:
-
Sprint/Milestone:
-
Start date:
Due date:
% Done:

0%

Estimated time:
Platform Release:
Groomed:
No
Sprint Candidate:
No
Tags:
Sprint:
Sprint 111
Quarter:

Description

Ticket moved to GitHub: "pulp/pulp_container/508":https://github.com/pulp/pulp_container/issues/508


Start with a PoC PR to get the pulpcore PR merged first.

Once that is done, we need to write a data migration that will look for the autogenerated groups and translate them into user_object_roles. To be discussed: Look if we can be clever with global permissions too.

Actions #1

Updated by newswangerd over 2 years ago

I've been thinking about this for galaxy_ng and I've come up with 3 potential solutions to this problem that we're considering.

Let's say I have group foo with model permissions for create-bar and update-bar.

  1. Create a role for each group that has the all of the permissions that the group used to have. In this scenario we'd, create role group-foo, assign create-bar and update-bar to the new role, and assign the new role to foo.

  2. Create a role for each permission. In this scenario we'd create a role called permission-create-bar and permission-update-bar and assign both of the new roles to foo.

  3. Attempt to match a group's permission matrix to a set of system roles. This would attempt to assign a system role that has permissions for create-bar and update-bar to foo.

Each approach has it's advantages and disadvantages. 3 would provide the best user experience, but would be buggy, and potentially impossible to implement since system roles are only created in a post migration hook. 1 and 2 will both create a lot of annoying default roles that will make it difficult to search for roles that user's might actually care about. 2 would likely created fewer roles, but also bypasses the purpose of roles in the first place.

Actions #2

Updated by rchan over 2 years ago

  • Sprint changed from Sprint 109 to Sprint 110
Actions #3

Updated by rchan over 2 years ago

  • Sprint changed from Sprint 110 to Sprint 111
Actions #4

Updated by pulpbot over 2 years ago

  • Description updated (diff)
  • Status changed from NEW to CLOSED - DUPLICATE

Also available in: Atom PDF