Add RBAC for container remotes.

closes #7707
pulp · Dec 11, 2020 · d192e64 · d192e64
1 parent 4127de9
commit d192e64
Show file tree

Hide file tree

Showing 3 changed files with 53 additions and 1 deletion.
diff --git a/CHANGES/7707.feature b/CHANGES/7707.feature
@@ -0,0 +1 @@
+Added access policy and permission management to the container remotes.
diff --git a/pulp_container/app/models.py b/pulp_container/app/models.py
@@ -12,6 +12,8 @@
 
 from pulpcore.plugin.download import DownloaderFactory
 from pulpcore.plugin.models import (
+    AutoAddObjPermsMixin,
+    AutoDeleteObjPermsMixin,
     BaseModel,
     Content,
     ContentGuard,
@@ -249,7 +251,7 @@ def finalize_new_version(self, new_version):
         validate_repo_version(new_version)
 
 
-class ContainerRemote(Remote):
+class ContainerRemote(Remote, AutoAddObjPermsMixin, AutoDeleteObjPermsMixin):
     """
     A Remote for ContainerContent.
 
@@ -265,6 +267,7 @@ class ContainerRemote(Remote):
     exclude_tags = fields.ArrayField(models.CharField(max_length=255, null=True), null=True)
 
     TYPE = "container"
+    ACCESS_POLICY_VIEWSET_NAME = "remotes/container/container"
 
     @property
     def download_factory(self):

diff --git a/pulp_container/app/viewsets.py b/pulp_container/app/viewsets.py
@@ -11,6 +11,7 @@
 from drf_spectacular.utils import extend_schema
 from rest_framework import mixins
 
+from pulpcore.plugin.access_policy import AccessPolicyFromDB
 from pulpcore.plugin.serializers import (
     AsyncOperationResponseSerializer,
     RepositorySyncURLSerializer,
@@ -143,6 +144,53 @@ class ContainerRemoteViewSet(RemoteViewSet):
     endpoint_name = "container"
     queryset = models.ContainerRemote.objects.all()
     serializer_class = serializers.ContainerRemoteSerializer
+    permission_classes = (AccessPolicyFromDB,)
+    queryset_filtering_required_permission = "container.view_containerremote"
+
+    DEFAULT_ACCESS_POLICY = {
+        "statements": [
+            {
+                "action": ["list"],
+                "principal": "authenticated",
+                "effect": "allow",
+            },
+            {
+                "action": ["create"],
+                "principal": "authenticated",
+                "effect": "allow",
+                "condition": "has_model_perms:container.add_containerremote",
+            },
+            {
+                "action": ["retrieve"],
+                "principal": "authenticated",
+                "effect": "allow",
+                "condition": "has_model_or_obj_perms:container.view_containerremote",
+            },
+            {
+                "action": ["update", "partial_update"],
+                "principal": "authenticated",
+                "effect": "allow",
+                "condition": "has_model_or_obj_perms:container.change_containerremote",
+            },
+            {
+                "action": ["destroy"],
+                "principal": "authenticated",
+                "effect": "allow",
+                "condition": "has_model_or_obj_perms:container.delete_containerremote",
+            },
+        ],
+        "permissions_assignment": [
+            {
+                "function": "add_for_object_creator",
+                "parameters": None,
+                "permissions": [
+                    "container.view_containerremote",
+                    "container.change_containerremote",
+                    "container.delete_containerremote",
+                ],
+            },
+        ],
+    }
 
 
 class ContainerRepositoryViewSet(RepositoryViewSet):