AuthenticationMap role #407
My very-fast gut reaction to this is:

```python
organization = models.CharField(
    max_length=512,
    null=True,
    default=None,
    blank=True,
)
```

A related However, we need to talk more about the proposal for a secondary identifier for role definitions, before we commit to using names. Upstream discussion I started is in #408, which doesn't get into custom roles, but that needs to be a part of this too.
@AlanCoding if I'm correct, we need to make this compatible with hub, which uses pulp rbac atm. So both RoleDefinition and ManagedRoleDefinition introduce the same issue, which is RBAC dependency. Thus using the role as a name is not a question for this version. Anyway I need to clarify the 2nd paragraph of your previous comment, what does it mean
I see the final bit for functionality is planned after this to fully apply the permissions. So I'm on board with the plan finally.
I left some minor comments unresolved that are minor organizational or aesthetic suggestions.
Signed-off-by: Rick Elrod <rick@elrod.me>
- **depends on** #407

This PR applies AuthenticationMap RBAC roles to the Reconcile User Claims. The AuthenticatorMap.remove_users = True now removes all role_user_assignments (it used to remove only Team Member, Organization Member)
This PR adds a `role` field to AuthenticationMap and `map_type == 'role'`

Role field is relation to RBAC's RoleDefinition through name (it's a CharField), so it's not a real foreign key

Conditions:

---

- If map_type is `organization`, `team`, or `role`
  - `role` field is mandatory

---

- if map_type is `organization`
  - role's content type must be 'organization'
- if map_type is `team`
  - role's content type must be 'team'
- if map_type is `role`
  - role's content type can be any or blank

---

- If role's content type is `organization`:
  - fields `organization` can't be blank
- If role's content type is `team`:
  - fields `team` and `organization` can't be blank
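The conditions in the PR description, written out as a stand-alone check. This is an added example, not code from the PR or the project: `validate_map`, `ROLE_CONTENT_TYPES` and the sample role names are hypothetical, and rejecting a role name that does not resolve is an assumption drawn from the note that `role` is a CharField rather than a real foreign key.

```python
# Added illustration of the validation conditions in the PR description.
# Not project code: function name, registry and sample roles are constructed.

# Stand-in for RBAC RoleDefinition rows: role name -> content type
# (None means the role is not tied to a content type).
ROLE_CONTENT_TYPES = {
    "Organization Member": "organization",
    "Team Member": "team",
    "System Auditor": None,
}

ROLE_MAP_TYPES = ("organization", "team", "role")


def validate_map(map_type, role=None, organization=None, team=None,
                 roles=ROLE_CONTENT_TYPES):
    """Return {field: error} for an authenticator map; empty dict means valid."""
    errors = {}
    if map_type not in ROLE_MAP_TYPES:
        return errors  # assumption: other map types are outside these conditions
    if not role:
        errors["role"] = "role is mandatory for this map_type"
        return errors
    # `role` is a name stored in a CharField, not a foreign key, so the
    # database does not guarantee it exists: resolve it and fail closed.
    if role not in roles:
        errors["role"] = f"role definition {role!r} does not exist"
        return errors
    content_type = roles[role]
    # organization/team maps need a role of the matching content type;
    # map_type 'role' accepts any content type, including none.
    if map_type in ("organization", "team") and content_type != map_type:
        errors["role"] = f"role content type must be {map_type!r}"
        return errors
    # Scoped roles need the object they are granted on.
    if content_type in ("organization", "team") and not organization:
        errors["organization"] = "organization can't be blank"
    if content_type == "team" and not team:
        errors["team"] = "team can't be blank"
    return errors
```
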