Pulp container RBAC #705
Pulp container RBAC #705
Conversation
newswangerd
force-pushed
the
feature/AAH-278-pulp-container-rbac
branch
from
48c1885
to
f84a6ba
Compare
newswangerd
requested review from
rochacbruno,
alikins,
awcrosby and
ZitaNemeckova
newswangerd
force-pushed
the
feature/AAH-278-pulp-container-rbac
branch
2 times, most recently
from
f950960
to
a37ee63
Compare
galaxy_ng/app/api/ui/urls.py
Outdated
| path( | ||
| "namespaces/<str:name>/", | ||
| viewsets.ContainerNamespaceViewSet.as_view({'get': 'retrieve', 'put': 'update'}), | ||
| name='container-repository-list'), |
There was a problem hiding this comment.
container-repository-detail?
galaxy_ng/app/api/ui/urls.py
Outdated
| path( | ||
| "namespaces/", | ||
| viewsets.ContainerNamespaceViewSet.as_view({'get': 'list'}), | ||
| name='container-repository-list'), |
There was a problem hiding this comment.
container-namespace-list ?
| @@ -73,6 +88,10 @@ def get_pulp(self, distro): | |||
| } | |||
| } | |||
|
|
|||
| def get_owners(self, distro): | |||
| name = f'container.distribution.owners.{distro.pulp_id}' | |||
| return [user.username for user in models.User.objects.filter(groups__name=name)] | |||
There was a problem hiding this comment.
Would something like
return models.User.objects.filter(groups__name=name).values_list('username', flat=True)
Work here? Not sure if it matters on a small object like User
There was a problem hiding this comment.
oh, this function should be removed. I must have missed that.
| @@ -36,6 +40,12 @@ class Meta: | |||
| 'description': ['exact', 'icontains', 'contains', 'startswith'], | |||
| } | |||
|
|
|||
| def has_permissions(self, queryset, name, value): | |||
There was a problem hiding this comment.
Maybe 'get_permissions'? has_permissions implies a boolean response to me.
There was a problem hiding this comment.
Though, I guess it is returning a queryset of ContainerNamepaces, so 'get_permissions' doesn't seem right either...
There was a problem hiding this comment.
would with_permissions make more sense?
There was a problem hiding this comment.
Looks like the django_filter docs tend to name them 'filter_whatever' (https://django-filter.readthedocs.io/en/master/ref/filters.html#method).
'filter_by_permission' ? 'filter_accesible_namespaces' ?
Your call ;->
galaxy_ng/app/migrations/0019_pulp_container_access_policies.py
Outdated
Show resolved
Hide resolved
galaxy_ng/app/migrations/0019_pulp_container_access_policies.py
Outdated
Show resolved
Hide resolved
|
I was asked to take a look at this and as far as i understood, almost everything looks sane to me. Especially the changes to the access_policy. |
| viewsets = { | ||
| # Note. This is the default Pulp Continer access policy with some modifications. | ||
| # Our changes have been marked with comments. | ||
| "distributions/container/container": { |
There was a problem hiding this comment.
The policy for container-push repos is omitted here (tag/untag/remove image) - this will be added later whenever image management will be enabled, correct?
There was a problem hiding this comment.
@ipanova are there things in the container push repo access policies that we should change? it looked like the defaults would work to me.
| ], | ||
| }, | ||
| { | ||
| "action": ["pull"], |
There was a problem hiding this comment.
there are 2 policies for pull operation - should you want to distinguish rules between private and public repo - it makes sense to keep this as it is proposed, otherwise it could be consolidated into one rule where the authentication is required regardless of the private/public repo type
{
"action": ["pull"],
"principal": "authenticated",
"effect": "allow",
},
Issue: AAH-278
Issue: AAH-278
Issue: AAH-278
- Add my permissions to repos and namespaces - Add my_permissions filter to repo list view. - Fix access policies. Issue: AAH-278
Issue: AAH-278
Issue: AAH-278
Issue: AAH-278
Issue: AAH-278
newswangerd
force-pushed
the
feature/AAH-278-pulp-container-rbac
branch
from
3cd2dfe
to
fbdfe81
Compare
Issue: AAH-278
newswangerd
force-pushed
the
feature/AAH-278-pulp-container-rbac
branch
from
0190aaa
to
2ea72a3
Compare
UI PR for container model permissions: ansible/ansible-hub-ui#335
Changes
pulp_container access policies
create_containerdistributionpermissions to create a new container repo.Groups
Filtering pulp container groups turned out to be a real challenge, so I've opted to remove the pulp container groups entirely.
Container Repo endpoint
my_permsfilter that allows querying repos based on permissions that the user has. Ex:?my_perms=namespace_push_containerdistributionreturns all repos that the current user has push permissions on.my_permissions: returns the permissions my user has on the namespace object. Used for the UI to toggle edit buttons.owners: list of users who have permissions on the object outside of the assigned groups. This shows who created and owns the namespace.Additions
Container namespace endpoint
Add
/api/automation-hub/_ui/v1/execution-environments/namespaces/endpoint which allows viewing and updating permissions on container namespaces.Permissions for containers can be set at two levels: container distributions and container namespaces. Namespaces grant a user access to all containers in a namespace.
We are only going to allow users to set permissions at the namespace level for the following reasons: