Task #9572
closed
Port the RBAC implementation to the pulpcore roles framework
Status:
CLOSED - DUPLICATE
Description
Ticket moved to GitHub: pulp/pulp_container/508 (https://github.com/pulp/pulp_container/issues/508)
Start with a PoC PR to get the pulpcore PR merged first.
Once that is done, we need to write a data migration that will look for the autogenerated groups and translate them into user_object_roles.
To be discussed: Look if we can be clever with global permissions too.
I've been thinking about this for galaxy_ng and I've come up with 3 potential solutions to this problem that we're considering.
Let's say I have group foo with model permissions for create-bar and update-bar.
1. Create a role for each group that has all of the permissions that the group used to have. In this scenario we'd create role group-foo, assign create-bar and update-bar to the new role, and assign the new role to foo.
2. Create a role for each permission. In this scenario we'd create a role called permission-create-bar and permission-update-bar and assign both of the new roles to foo.
3. Attempt to match a group's permission matrix to a set of system roles. This would attempt to assign a system role that has permissions for create-bar and update-bar to foo.
Each approach has its advantages and disadvantages. 3 would provide the best user experience, but would be buggy, and potentially impossible to implement since system roles are only created in a post-migration hook. 1 and 2 will both create a lot of annoying default roles that will make it difficult to search for roles that users might actually care about. 2 would likely create fewer roles, but also bypasses the purpose of roles in the first place.
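The three options from the comment above, modelled in plain Python as an added example (not part of the original ticket, and not pulpcore or galaxy_ng code). Group foo and the create-bar and update-bar permissions come from the comment; the other groups, delete-bar and the bar-editor system role are constructed, and the matching rule used for option 3 (assign a system role only when the group already holds every permission in it) is an assumption.

```python
# Added illustration: plain-Python model of the three migration options.
# Constructed data: group name -> model permissions held before the migration.
GROUPS = {
    "foo": {"create-bar", "update-bar"},
    "ops": {"create-bar", "update-bar", "delete-bar"},
    "dev": {"create-bar"},
    "qa": {"update-bar", "delete-bar"},
}
SYSTEM_ROLES = {"bar-editor": {"create-bar", "update-bar"}}  # hypothetical role

def role_per_group(groups):
    """Option 1: one role per group, carrying exactly that group's permissions."""
    roles = {f"group-{g}": set(perms) for g, perms in groups.items()}
    assignments = {g: {f"group-{g}"} for g in groups}
    return roles, assignments

def role_per_permission(groups):
    """Option 2: one single-permission role per distinct permission."""
    roles = {f"permission-{p}": {p} for perms in groups.values() for p in perms}
    assignments = {g: {f"permission-{p}" for p in perms} for g, perms in groups.items()}
    return roles, assignments

def match_system_roles(groups, system_roles):
    """Option 3: assign system roles whose permissions fit inside the group's set.

    A role is never assigned if it would grant a permission the group lacked.
    Also returns, per group, the permissions no assigned role covers, i.e. the
    access that would be silently dropped by the migration.
    """
    assignments, uncovered = {}, {}
    for g, perms in groups.items():
        chosen = {name for name, rp in system_roles.items() if rp <= perms}
        covered = set().union(*(system_roles[n] for n in chosen))
        assignments[g] = chosen
        uncovered[g] = perms - covered
    return assignments, uncovered

def effective(roles, assigned):
    """Permissions a group ends up with through its assigned roles."""
    return set().union(*(roles[r] for r in assigned))

if __name__ == "__main__":
    r1, _ = role_per_group(GROUPS)
    r2, _ = role_per_permission(GROUPS)
    a3, lost = match_system_roles(GROUPS, SYSTEM_ROLES)
    print("option 1 roles created:", len(r1))
    print("option 2 roles created:", len(r2))
    print("option 3 unmatched permissions:", {g: p for g, p in lost.items() if p})
```

Options 1 and 2 preserve every group's effective permissions at the cost of generated roles; option 3 creates none but has to report or otherwise handle the permissions it cannot map.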
- Sprint changed from Sprint 109 to Sprint 110
- Sprint changed from Sprint 110 to Sprint 111
- Description updated (diff)
- Status changed from NEW to CLOSED - DUPLICATE