
Task #9604

As a developer, I can easily add add/remove/list Roles to my viewsets

Added by bmbouter over 2 years ago. Updated over 2 years ago.

Status: CLOSED - CURRENTRELEASE
Priority: Normal
Assignee:
Category: -
Sprint/Milestone:
Start date:
Due date:
% Done: 100%
Estimated time:
Platform Release:
Groomed: No
Sprint Candidate: No
Tags:
Sprint: Sprint 111
Quarter:

Description

Problem

Now that pulpcore knows about Roles, and users can define their own, we need to allow users to manage the role assignments to specific objects and "model level" permissions.

Design

Create the following API calls that would be nested under any given viewset, e.g. TaskViewset.

  • add_role - If on a detail view, grant the role the user specifies, on that specific object, to the group or groups and/or user or users the user specifies. If not on a detail view, grant the role the user specifies to the group or groups and/or user or users the user specifies as a model level role. The role is required. At least one group or user must be specified. If the Role does not have a permission applicable to this object type, an error is expected.

  • remove_role - If on a detail view, remove the role the user specifies, on that specific object, from the group or groups and/or user or users the user specifies. If not on a detail view, remove the role the user specifies from the group or groups and/or user or users the user specifies as a model level role. The role is required. At least one group or user must be specified. If the Role does not have a permission applicable to this object type, an error is expected. If no users or groups held that role, no error is expected.

  • list_roles - List the roles that could have at least one permission that is meaningful for this object type.

  • my_permissions - If on a detail view, lists the effective object-level permissions a user has through both direct and group-based membership. If not on a detail view, lists the effective model level permissions a user has through both direct and group-based membership.

Create a RoleMixin that allows developers to add these endpoints to any Viewset easily.

Authorization details

  • The developer is expected to define a new "manage permissions" permission that is specific to that object type. For example, core.manage_roles_task would be a reasonable name for managing the permissions of a Task.

  • The developer needs to add to their access policy the specific calls to use that new permission, so that only users who hold it are authorized to call list_roles, add_role, and remove_role. For example, for core.manage_roles_task that would look like:

            {
                "action": ["list_roles", "add_role", "remove_role"],
                "principal": "authenticated",
                "effect": "allow",
                "condition": "has_model_or_obj_perms:core.manage_roles_task",
            },

It is expected that the drf-access-policy would allow any authenticated user to call my_permissions.
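The endpoint semantics described above (role applicability per object type, the at-least-one-principal rule, idempotent removal, and effective permissions through direct and group membership) together with the has_model_or_obj_perms condition from the policy snippet, as an added pure-Python example that is not pulpcore's code. It assumes a constructed in-memory RoleStore, hypothetical ("user"|"group", name) principal tuples, and the <app>.<action>_<model> codename convention (e.g. core.manage_roles_task applies to the "task" type) to decide applicability.

```python
from collections import defaultdict


def perm_object_type(perm):
    """'core.manage_roles_task' -> 'task' (assumed <app>.<action>_<model> codename convention)."""
    return perm.rsplit("_", 1)[-1]


class RoleStore:
    """Constructed in-memory stand-in for the role assignments pulpcore would keep in its database."""

    def __init__(self, roles):
        self.roles = roles                   # role name -> set of permission codenames
        self.groups = defaultdict(set)       # group name -> set of user names
        self.assignments = defaultdict(set)  # (role, obj) -> {("user"|"group", name)}; obj None = model level

    def applicable_perms(self, role, obj_type):
        return {p for p in self.roles.get(role, ()) if perm_object_type(p) == obj_type}

    def list_roles(self, obj_type):
        """Roles that have at least one permission meaningful for this object type."""
        return sorted(r for r in self.roles if self.applicable_perms(r, obj_type))

    def _principals(self, role, obj_type, users, groups):
        """Shared validation for add_role/remove_role: applicable role, at least one user or group."""
        if not self.applicable_perms(role, obj_type):
            raise ValueError(f"role {role!r} has no permission applicable to {obj_type!r}")
        if not users and not groups:
            raise ValueError("at least one user or group must be specified")
        return {("user", u) for u in users} | {("group", g) for g in groups}

    def add_role(self, role, obj_type, obj=None, users=(), groups=()):
        self.assignments[(role, obj)] |= self._principals(role, obj_type, users, groups)

    def remove_role(self, role, obj_type, obj=None, users=(), groups=()):
        # Removing a role nobody held is deliberately not an error, as the task requires.
        self.assignments[(role, obj)] -= self._principals(role, obj_type, users, groups)

    def my_permissions(self, user, obj_type, obj=None):
        """Effective permissions via direct and group assignments; obj None lists the model level."""
        mine = {("user", user)} | {("group", g) for g, members in self.groups.items() if user in members}
        perms = set()
        for (role, target), holders in self.assignments.items():
            if target == obj and holders & mine:
                perms |= self.applicable_perms(role, obj_type)
        return sorted(perms)

    def has_model_or_obj_perms(self, user, perm, obj=None):
        """The access-policy condition from the task: a model-level grant or a grant on this object."""
        obj_type = perm_object_type(perm)
        return perm in self.my_permissions(user, obj_type) or (
            obj is not None and perm in self.my_permissions(user, obj_type, obj))
```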
