Fixes #17962 - extend core roles #6703
Conversation
|
@ares, thanks for your PR! By analyzing the history of the files in this pull request, we identified @ehelms, @waldenraines and @jlsherrill to be potential reviewers. |
|
I highly recommend getting this in before next release. The test failures seems to be related to theforeman/foreman-packaging#1573 EDIT: nope, just the error is similar |
|
Should be fixed in core now [test] |
|
@ares can you explain a bit more why we have to pile all the permissions into a single file? You mentioned to ensure correct order, but it's not obvious to me why ordering is required to load in permissions. |
|
Being in a single file by itself would be better than putting it in plugin.rb IMHO. plugin.rb is getting quite crowded with lots of little things, sticking all the perms in it makes it a bit unwieldy |
|
I'm not sure how to do it right. If I extract it to a file and I use require, I need to hook into plugin context somehow. The plugin is not registered yet at that point. I could use Honestly I'd recommend trying to avoid diverging from how other plugins do permissions definition. That's the way Katello can avoid breakage by Foreman changes in future. The way Katello defined permissions so far is a good example. I understand the list is huge. I'd encourage to raising an issue in Foreman or send a patch to core that would address Katello needs, instead of workarounding it. Maybe by introducing PermissionCreator that would only receive data required to define permissions. Core would make sure it would be defined at the right time. Anyway, let me know if you find this better and want me to squash. |
lib/katello/permission_creator.rb
Outdated
| :resource_type => 'Katello::KTEnvironment' | ||
| end | ||
|
|
||
| def product_permissions |
There was a problem hiding this comment.
Method has too many lines. [76/30]
Katello used to find the registered plugin and run security_block on it. We need to call Note that plugin register also defines some order, e.g. after_intialize block run just after the register block is evaluated, therefore if some after_initialize code relied on permission to exist, it would fail. |
|
@ares Could the require be at the bottom of the plugin definition? I feel like being able to organize your code the way ruby is designed to allow you shouldn't be classified as diverging from other plugins :) Code should just work. If it doesn't, then we will just accept this as is and let's file a bug. |
|
@ehelms I don't think that require helps. Let's assume this is how other plugin defines it. Not perfect since extend_roles_with_defined_permissions needs to be run after define_permission and both needs to be run withing plugin registration block. But that's the way core currently allows to add permissions. What Katello did before the patch was something like and an external file was doing the definition like this The main difference is that it defined permissions outside of register block. Note that the register method ensures other stuff is run before/after the block. So far it worked for Katello but it there was another after initialize code in core that would rely on all permissions being defined, it would not find Katello permissions. Now the change I'm proposing needs to run |
lib/katello/permission_creator.rb
Outdated
| :resource_type => "SmartProxy" | ||
| end | ||
|
|
||
| def content_view_permissions |
There was a problem hiding this comment.
Method has too many lines. [78/30]
ares
force-pushed
the
fix/17962
branch
2 times, most recently
from
fe000ec
to
614e891
Compare
|
Is there something I should explain better or I could do to get this moving? |
lib/katello/permission_creator.rb
Outdated
| @@ -0,0 +1,359 @@ | |||
| class PermissionCreator | |||
There was a problem hiding this comment.
Can we wrap this in module Katello for safety?
lib/katello/engine.rb
Outdated
| @@ -90,6 +90,7 @@ def find_assets(args = {}) | |||
| # hook so that the resumed Dynflow tasks can rely on everything ready. | |||
| initializer 'katello.register_plugin', :before => :finisher_hook do | |||
| require 'katello/plugin' | |||
| # extend buildin permissions from core with new actions | |||
|
I think the compromise is a good one and appreciated @ares Two minor comments |
lib/katello/permission_creator.rb
Outdated
| }, | ||
| :resource_type => 'Katello::SyncPlan' | ||
| end | ||
|
|
lib/katello/permission_creator.rb
Outdated
| }, | ||
| :resource_type => 'Katello::Subscription' | ||
| end | ||
|
|
lib/katello/permission_creator.rb
Outdated
| }, | ||
| :resource_type => 'Katello::Product' | ||
| end | ||
|
|
lib/katello/permission_creator.rb
Outdated
| {}, | ||
| :resource_type => 'Katello::KTEnvironment' | ||
| end | ||
|
|
lib/katello/permission_creator.rb
Outdated
| 'katello/api/v2/environments' => [:destroy] | ||
| }, | ||
| :resource_type => 'Katello::KTEnvironment' | ||
|
|
lib/katello/permission_creator.rb
Outdated
| }, | ||
| :resource_type => "SmartProxy" | ||
| end | ||
|
|
lib/katello/permission_creator.rb
Outdated
| 'katello/api/v2/capsules' => [:index, :show] | ||
| }, | ||
| :resource_type => 'SmartProxy' | ||
|
|
lib/katello/permission_creator.rb
Outdated
| }, | ||
| :resource_type => 'Katello::ActivationKey' | ||
| end | ||
|
|
lib/katello/permission_creator.rb
Outdated
| sync_plan_permissions | ||
| user_permissions | ||
| end | ||
|
|
lib/katello/permission_creator.rb
Outdated
| def initialize(plugin) | ||
| @plugin = plugin | ||
| end | ||
|
|
|
I updated the PR and squashed commits. Hopefully it will remain green :-) |
|
🍏 :-) |
|
Thanks @ares !!! |
Most of this PR is moving permissions definition to plugin so it's executed in right order. Then I added
add_all_permissions_to_default_rolesat the end of plugin registration block that extends core Manager and Viewer role. This bumps Foreman dependency to 1.15.