Project

Profile

Help

Task #9604

closed

As a developer, I can easily add add/remove/list Roles to my viewsets

Added by bmbouter over 2 years ago. Updated over 2 years ago.

Status:
CLOSED - CURRENTRELEASE
Priority:
Normal
Assignee:
Category:
-
Sprint/Milestone:
Start date:
Due date:
% Done:

100%

Estimated time:
Platform Release:
Groomed:
No
Sprint Candidate:
No
Tags:
Sprint:
Sprint 111
Quarter:

Description

Problem

Now that pulpcore knows about Roles, and users can define their own, we need to allow users to manage the role assignments to specific objects and "model level" permissions.

Design

Create the following API calls that would be nested under any given viewset, e.g. TaskViewset.

  • add_role - If on a detail view, add the role the user specifies to the group or groups and/or user or users the user specifies to the specific object. If not on a detail view, add the role the user specifies to the group or gorups and/or user or users the user specifies as a model level role. The role is required. At least one group or user must be specified. If the Role does not have a permission applicable to this object type an error is expected.

  • remove_role - If on a detail view, remove the role the user specifies from the group or groups and/or user or users the user specifies to the specific object. If not on a detail view, remove the role the user specifies from the group or gorups and/or user or users the user specifies as a model level role. The role is required. At least one group or user must be specified. If the Role does not have a permission applicable to this object type an error is expected. If no users or groups had that role no error is expected.

  • list_roles - List the roles that could have at least one permission that is meaningful for this object type.

  • my_permissions - If on a detail view, lists the effective object-level permissions a user has through both direct and group-based membership. If not on a detail view, lists the effective model level permissions a user has through both direct and group-based membership.

Create a RoleMixin that allows developers to add ^ endpoint to any Viewset easily.

Authorization details

  • The developer is expected to define a new "manage permissions" permission that is specific to that object type. For example, core.manage_roles_task would be a reasonable name for managing the permissions of a Task.

  • The developer needs to add to their access policy the specific calls to use that new permission to authorize only users who have these calls to make the calls to list_roles, add_roles, and remove_role. For example for core.manage_roles_task that would look like:

            {
                "action": ["list_roles", "add_role", "remove_role"],
                "principal": "authenticated",
                "effect": "allow",
                "condition": "has_model_or_obj_perms:core.manage_roles_task",
            },

It is expected the drf-access-policy would allow any authenticated user to list my_permissions.

Actions #1

Updated by bmbouter over 2 years ago

  • Description updated (diff)
Actions #2

Updated by bmbouter over 2 years ago

  • Sprint/Milestone set to 3.17.0
Actions #3

Updated by pulpbot over 2 years ago

  • Status changed from NEW to POST
Actions #5

Updated by bmbouter over 2 years ago

  • Assignee set to mdellweg
  • Sprint set to Sprint 111

Added by mdellweg over 2 years ago

Revision e785f56d | View on GitHub

Fix up Group proxy model

  • Added Group to plugin api.
  • Adjusted missed "auth.*" permissions.
  • Added migration to move the existing permissions assignments.

re #9604

Added by mdellweg over 2 years ago

Revision c1b2f39e | View on GitHub

Add RolesMixin for viewsets

This mixin provides endpoints to assign and revoke roles on objects to users or groups.

fixes #9604

Added by mdellweg over 2 years ago

Revision 1e8203f0 | View on GitHub

Add RolesMixin to group view set

re #9604

Actions #7

Updated by mdellweg over 2 years ago

  • Status changed from POST to MODIFIED
  • % Done changed from 0 to 100

Added by mdellweg over 2 years ago

Revision d559a8e2 | View on GitHub

Fix erroneous permission in group access policy

re #9604

Actions #9

Updated by pulpbot over 2 years ago

  • Status changed from MODIFIED to CLOSED - CURRENTRELEASE

Also available in: Atom PDF