Story #7210
Updated by bmbouter over 4 years ago
## Problem
When a user creates an object, e.g. a Task, what permissions are assigned to it?
On one installation, when object `foo` is created, users X and groups Y should receive permissions Z on `foo`. On another installation, users A and groups B should receive permissions C instead. How can a single mechanism satisfy everyone?
## Solution
Add a `post_create_callable` JSONField to the AccessPolicy model whose value is a list of dictionaries. Each dictionary has exactly three allowed keys; see the example entries below.
```json
[
  {
    "function": "add_for_users",
    "parameters": ["alice", "bob"],
    "permissions": ["pulpcore.view_task", "pulpcore.change_task", "pulpcore.delete_task"]
  },
  {
    "function": "add_for_groups",
    "parameters": "foo",
    "permissions": "pulpcore.view_task"
  },
  {
    "function": "object_creator",
    "parameters": null,
    "permissions": ["pulpcore.view_task", "pulpcore.change_task", "pulpcore.delete_task"]
  }
]
```
Each entry names a function that is called at object creation time. These functions are callables on the AccessPolicy object linked to the ViewSet, not on the model itself.
All three keys are required. The `function` value is a single string, validated to be a callable on the AccessPolicy governing the ViewSet. The `parameters` value can be `null`, a single string, or a list of strings. The `permissions` value can be a single string or a list of strings, and each entry is validated against a permission in the database.
## Built in callables
By default three callables will always be available, but plugin writers can add more.
* `add_for_users` adds the `permissions` on the new object for one or more users, identified by name. This requires `parameters` to not be `null`.
* `add_for_groups` adds the `permissions` on the new object for one or more groups, identified by name. This requires `parameters` to not be `null`.
* `object_creator` adds the `permissions` on the new object for the user who created it. This requires `parameters` to be `null`.
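The validation rules and the three built-in callables above, worked through as an added example that is not pulpcore's own code. It assumes a small in-memory stand-in for the pieces the design leaves to Django: a `KNOWN_PERMISSIONS` set in place of the Permission table, a `HOOKS` registry in place of looking the callable up on the AccessPolicy, and `(kind, name, permission, object)` tuples in place of whatever grants the permission on the object. The `EXAMPLE_POLICY` input is the policy from the story, constructed inline.

```python
"""Validate and apply a ``permissions_assignment`` policy for a new object.

Added example, not pulpcore code. The HOOKS registry stands in for the callables
the design puts on the AccessPolicy, KNOWN_PERMISSIONS for the Permission table,
and the (kind, name, permission, object) tuples for the real permission grant.
"""

# Constructed stand-in for the permissions present in the database.
KNOWN_PERMISSIONS = {
    "pulpcore.view_task",
    "pulpcore.change_task",
    "pulpcore.delete_task",
}

REQUIRED_KEYS = {"function", "parameters", "permissions"}


def _as_list(value):
    """Normalize ``null`` / single string / list of strings to a list of strings."""
    if value is None:
        return []
    if isinstance(value, str):
        return [value]
    if isinstance(value, list) and all(isinstance(v, str) for v in value):
        return list(value)
    raise ValueError(f"expected null, a string or a list of strings, got {value!r}")


# Each built-in callable returns the grants it would make as
# (principal kind, principal name, permission, object) tuples.
def add_for_users(obj, creator, parameters, permissions):
    return [("user", user, perm, obj) for user in parameters for perm in permissions]


def add_for_groups(obj, creator, parameters, permissions):
    return [("group", group, perm, obj) for group in parameters for perm in permissions]


def object_creator(obj, creator, parameters, permissions):
    return [("user", creator, perm, obj) for perm in permissions]


# Explicit allowlist of hook name -> (callable, whether parameters are required).
# Looking names up here rather than with getattr() on the policy object means a
# stored "function" string can only ever reach these registered hooks.
HOOKS = {
    "add_for_users": (add_for_users, True),
    "add_for_groups": (add_for_groups, True),
    "object_creator": (object_creator, False),
}


def validate_assignment(entries):
    """Return [(callable, parameters, permissions), ...] or raise ValueError."""
    if not isinstance(entries, list):
        raise ValueError("permissions_assignment must be a list of dictionaries")
    plan = []
    for entry in entries:
        if not isinstance(entry, dict) or set(entry) != REQUIRED_KEYS:
            raise ValueError(f"entry needs exactly the keys {sorted(REQUIRED_KEYS)}: {entry!r}")
        name = entry["function"]
        if not isinstance(name, str) or name not in HOOKS:
            raise ValueError(f"unknown function {name!r}")
        hook, needs_params = HOOKS[name]
        params = _as_list(entry["parameters"])
        if needs_params and not params:
            raise ValueError(f"{name} requires parameters")
        if not needs_params and params:
            raise ValueError(f"{name} requires parameters to be null")
        perms = _as_list(entry["permissions"])
        if not perms:
            raise ValueError("permissions must name at least one permission")
        unknown = sorted(p for p in perms if p not in KNOWN_PERMISSIONS)
        if unknown:
            raise ValueError(f"unknown permissions: {unknown}")
        plan.append((hook, params, perms))
    return plan


def is_valid(entries):
    """Serializer-style yes/no check on a candidate policy."""
    try:
        validate_assignment(entries)
    except ValueError:
        return False
    return True


def apply_assignment(entries, obj, creator):
    """Validate the whole policy first, then run every hook for a new ``obj``."""
    grants = []
    for hook, params, perms in validate_assignment(entries):
        grants.extend(hook(obj, creator, params, perms))
    return grants


# The example policy from the story, as constructed input.
EXAMPLE_POLICY = [
    {"function": "add_for_users", "parameters": ["alice", "bob"],
     "permissions": ["pulpcore.view_task", "pulpcore.change_task", "pulpcore.delete_task"]},
    {"function": "add_for_groups", "parameters": "foo", "permissions": "pulpcore.view_task"},
    {"function": "object_creator", "parameters": None,
     "permissions": ["pulpcore.view_task", "pulpcore.change_task", "pulpcore.delete_task"]},
]

if __name__ == "__main__":
    for grant in apply_assignment(EXAMPLE_POLICY, "task-1", creator="carol"):
        print(grant)
```

Two choices in the example are worth carrying into a real implementation: the whole list is validated before any hook runs, so a bad third entry cannot leave the object with the grants from the first two, and the `function` name is resolved through an explicit registry instead of `getattr()` on the policy or ViewSet, so the set of reachable methods is exactly the documented hooks and nothing else on that object.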
## The Default
Plugin writers are expected to ship a default like this one:
```json
[
  {
    "function": "object_creator",
    "parameters": null,
    "permissions": ["pulpcore.view_task", "pulpcore.change_task", "pulpcore.delete_task"]
  }
]
```
## How Users Configure This
This will be available via the `AccessPolicySerializer`, similar to how users read, set, and adjust the `statements` field today as part of story https://pulp.plan.io/issues/7160. The JSONField will be named `permissions_assignment` (rather than `post_create_callable` as written above).