Pulp container RBAC #705
galaxy_ng/app/api/ui/urls.py
path( | ||
"namespaces/<str:name>/", | ||
viewsets.ContainerNamespaceViewSet.as_view({'get': 'retrieve', 'put': 'update'}), | ||
name='container-repository-list'), |
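Review bot: `name='container-repository-list'` on the `namespaces/<str:name>/` route is wrong on two counts: it labels a namespace detail route as a repository list, and it reuses the exact `name` given to the `namespaces/` list route in this same file, so `reverse('container-repository-list')` becomes ambiguous and will resolve to whichever pattern Django finds first. Suggest `name='container-namespace-detail'` here.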
container-repository-detail?
galaxy_ng/app/api/ui/urls.py
path( | ||
"namespaces/", | ||
viewsets.ContainerNamespaceViewSet.as_view({'get': 'list'}), | ||
name='container-repository-list'), |
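Review bot: `name='container-repository-list'` on the `namespaces/` route names a `ContainerNamespaceViewSet` list action as a repository list; suggest `name='container-namespace-list'` so the URL name matches the viewset it points at and cannot be confused with the repository routes.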
container-namespace-list ?
@@ -73,6 +88,10 @@ def get_pulp(self, distro): | |||
} | |||
} | |||
|
|||
def get_owners(self, distro): | |||
name = f'container.distribution.owners.{distro.pulp_id}' | |||
return [user.username for user in models.User.objects.filter(groups__name=name)] |
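Review bot: `get_owners` decides ownership purely by string-matching a group name built from `distro.pulp_id`, so any group that happens to carry the name `container.distribution.owners.<pulp_id>` is reported as the owner set, and the list comprehension loads full `User` rows only to read `username`. The thread already says this helper is to be removed; if it is kept, use `models.User.objects.filter(groups__name=name).values_list('username', flat=True)` and document the group-naming convention the lookup depends on.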
Would something like
return models.User.objects.filter(groups__name=name).values_list('username', flat=True)
Work here? Not sure if it matters on a small object like User
oh, this function should be removed. I must have missed that.
One or two requested changes (or really, verifications). Most of the rest are vague suggestions you can take or leave.
@@ -36,6 +40,12 @@ class Meta: | |||
'description': ['exact', 'icontains', 'contains', 'startswith'], | |||
} | |||
|
|||
def has_permissions(self, queryset, name, value): |
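Review bot: `has_permissions(self, queryset, name, value)` has the signature of a django-filter `method=` callable, which must return a filtered queryset, but the name reads as a boolean predicate. A `filter_` prefix (for example `filter_by_permission`) follows the django-filter naming convention and makes the return type obvious; a docstring stating which permission codenames `value` accepts, and what happens for an unknown codename, would also help reviewers of the access-control logic.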
Maybe 'get_permissions'? has_permissions implies a boolean response to me.
Though, I guess it is returning a queryset of ContainerNamepaces, so 'get_permissions' doesn't seem right either...
Would with_permissions make more sense?
Looks like the django_filter docs tend to name them 'filter_whatever' (https://django-filter.readthedocs.io/en/master/ref/filters.html#method).
'filter_by_permission'? 'filter_accessible_namespaces'?
Your call ;->
galaxy_ng/app/migrations/0019_pulp_container_access_policies.py
LGTM
I was asked to take a look at this and, as far as I understood, almost everything looks sane to me. Especially the changes to the access_policy.
viewsets = { | ||
# Note. This is the default Pulp Continer access policy with some modifications. | ||
# Our changes have been marked with comments. | ||
"distributions/container/container": { |
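Review bot: the comment heading this policy dict misspells "Container" as "Continer", and, more importantly, it says the block is "the default Pulp Container access policy with some modifications" without recording which pulp_container version (or commit) the copy was taken from, so nobody can later diff it against the upstream defaults when pulp_container is upgraded. Record the source version next to the comment and keep the "our changes" markers it promises on every modified statement.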
The policy for container-push repos is omitted here (tag/untag/remove image) - this will be added later whenever image management is enabled, correct?
@ipanova are there things in the container push repo access policies that we should change? it looked like the defaults would work to me.
clarified on the irc, resolved.
], | ||
}, | ||
{ | ||
"action": ["pull"], |
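Review bot: this `"action": ["pull"]` statement is one of the two `pull` rules raised in the discussion; because access-policy statements grant when any matching statement has effect `allow` (and refuse only when a matching `deny` exists), two `pull` rules only change behaviour if their `principal` or `condition` differ, e.g. to let unauthenticated clients pull from public repositories while private ones require login. If anonymous pull of public repos is intended, keep both rules and say so in a comment next to them; if every pull should require authentication, collapse them into a single `"principal": "authenticated"` rule so the policy states that intent in one place.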
There are 2 policies for the pull operation - should you want to distinguish rules between private and public repos, it makes sense to keep this as proposed; otherwise it could be consolidated into one rule where authentication is required regardless of the private/public repo type:

```python
{
    "action": ["pull"],
    "principal": "authenticated",
    "effect": "allow",
},
```
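To make the difference between the two-rule and the consolidated `pull` policy concrete, here is a small statement evaluator written for this thread. It is an added example, not galaxy_ng or pulp_container code: it reproduces only the allow/deny combination rule of drf-access-policy (allowed when at least one matching statement is `allow` and no matching statement is `deny`); the principal names, the `not:` condition prefix, the `is_private` condition and both policies are assumptions constructed for illustration.

```python
"""Toy evaluator for access-policy statements of the shape used in the thread.

Added example, not galaxy_ng or pulp_container code. It mirrors the
allow/deny combination rule of drf-access-policy (a request is allowed when at
least one matching statement has effect "allow" and no matching statement has
effect "deny"); the principal names, the "not:" condition prefix and the
`is_private` condition are assumptions made here, and both policies below are
constructed for the demonstration.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class User:
    username: Optional[str]  # None models an unauthenticated request

    @property
    def is_authenticated(self) -> bool:
        return self.username is not None


@dataclass(frozen=True)
class ContainerRepo:
    name: str
    private: bool


Condition = Callable[[User, ContainerRepo], bool]

# Named conditions a statement may reference (constructed for this example).
CONDITIONS: Dict[str, Condition] = {
    "is_private": lambda user, repo: repo.private,
}


def principal_matches(principal: str, user: User) -> bool:
    if principal == "*":
        return True
    if principal == "authenticated":
        return user.is_authenticated
    if principal == "anonymous":
        return not user.is_authenticated
    raise ValueError(f"unknown principal {principal!r}")


def condition_holds(condition: str, user: User, repo: ContainerRepo) -> bool:
    # A "not:" prefix negates the named condition (assumed syntax).
    negate = condition.startswith("not:")
    name = condition[4:] if negate else condition
    result = CONDITIONS[name](user, repo)
    return (not result) if negate else result


def is_allowed(statements: List[dict], action: str, user: User, repo: ContainerRepo) -> bool:
    allowed = False
    for st in statements:
        actions = st["action"]
        if action not in actions and "*" not in actions:
            continue
        if not principal_matches(st["principal"], user):
            continue
        conditions = st.get("condition", [])
        if isinstance(conditions, str):
            conditions = [conditions]
        if not all(condition_holds(c, user, repo) for c in conditions):
            continue
        if st["effect"] == "deny":
            return False  # a matching deny wins over every allow
        allowed = True
    return allowed


# Two pull rules: anyone may pull public repos, only authenticated users private ones.
TWO_PULL_RULES = [
    {"action": ["pull"], "principal": "*", "effect": "allow", "condition": "not:is_private"},
    {"action": ["pull"], "principal": "authenticated", "effect": "allow", "condition": "is_private"},
]

# One consolidated rule: every pull requires authentication, public repo or not.
ONE_PULL_RULE = [
    {"action": ["pull"], "principal": "authenticated", "effect": "allow"},
]


def pull_matrix(statements: List[dict]) -> Dict[Tuple[Optional[str], str], bool]:
    """Evaluate 'pull' for a constructed anonymous user and a logged-in user
    against one public and one private repo; returns {(username, repo): allowed}."""
    users = (User(None), User("alice"))
    repos = (ContainerRepo("ubi8", private=False), ContainerRepo("internal/app", private=True))
    return {(u.username, r.name): is_allowed(statements, "pull", u, r) for u in users for r in repos}


if __name__ == "__main__":
    for label, policy in (("two rules", TWO_PULL_RULES), ("one rule", ONE_PULL_RULE)):
        print(label, pull_matrix(policy))
```

Running it shows the only row that changes between the two policies is the anonymous user pulling the public repo, which is exactly the decision the two-rule form keeps and the consolidated form removes; a `deny` statement for `anonymous` would override the public-repo allow regardless of order.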
- Add my permissions to repos and namespaces
- Add my_permissions filter to repo list view.
- Fix access policies.

Issue: AAH-278
UI PR for container model permissions: ansible/ansible-hub-ui#335

Changes

- pulp_container access policies: `create_containerdistribution` permissions to create a new container repo.
- Groups: Filtering pulp container groups turned out to be a real challenge, so I've opted to remove the pulp container groups entirely.
- Container Repo endpoint:
  - `my_perms` filter that allows querying repos based on permissions that the user has. Ex: `?my_perms=namespace_push_containerdistribution` returns all repos that the current user has push permissions on.
  - `my_permissions`: returns the permissions my user has on the namespace object. Used for the UI to toggle edit buttons.
  - `owners`: list of users who have permissions on the object outside of the assigned groups. This shows who created and owns the namespace.

Additions

- Container namespace endpoint: Add `/api/automation-hub/_ui/v1/execution-environments/namespaces/` endpoint which allows viewing and updating permissions on container namespaces.

Permissions for containers can be set at two levels: container distributions and container namespaces. Namespaces grant a user access to all containers in a namespace.

We are only going to allow users to set permissions at the namespace level for the following reasons: