From d192e6434ee212b909be3eadee7eb4a25015f15d Mon Sep 17 00:00:00 2001
From: Ina Panova
Date: Mon, 7 Dec 2020 19:53:17 +0100
Subject: [PATCH] Add RBAC for container remotes.
closes #7707
---
 CHANGES/7707.feature           |  1 +
 pulp_container/app/models.py   |  5 +++-
 pulp_container/app/viewsets.py | 48 ++++++++++++++++++++++++++++++++++
 3 files changed, 53 insertions(+), 1 deletion(-)
 create mode 100644 CHANGES/7707.feature
diff --git a/CHANGES/7707.feature b/CHANGES/7707.feature
new file mode 100644
index 000000000..24f04bc75
--- /dev/null
+++ b/CHANGES/7707.feature
@@ -0,0 +1 @@
+Added access policy and permission management to the container remotes.
diff --git a/pulp_container/app/models.py b/pulp_container/app/models.py
index 9283f6080..6476b324f 100644
--- a/pulp_container/app/models.py
+++ b/pulp_container/app/models.py
@@ -12,6 +12,8 @@ from pulpcore.plugin.download import DownloaderFactory
 from pulpcore.plugin.models import (
+    AutoAddObjPermsMixin,
+    AutoDeleteObjPermsMixin,
     BaseModel,
     Content,
     ContentGuard,
@@ -249,7 +251,7 @@ def finalize_new_version(self, new_version):
         validate_repo_version(new_version)
-class ContainerRemote(Remote):
+class ContainerRemote(Remote, AutoAddObjPermsMixin, AutoDeleteObjPermsMixin):
     """
     A Remote for ContainerContent.
@@ -265,6 +267,7 @@ class ContainerRemote(Remote):
     exclude_tags = fields.ArrayField(models.CharField(max_length=255, null=True), null=True)
     TYPE = "container"
+    ACCESS_POLICY_VIEWSET_NAME = "remotes/container/container"
     @property
     def download_factory(self):
diff --git a/pulp_container/app/viewsets.py b/pulp_container/app/viewsets.py
index 31bb9cef8..03a4c94e7 100644
--- a/pulp_container/app/viewsets.py
+++ b/pulp_container/app/viewsets.py
@@ -11,6 +11,7 @@ from drf_spectacular.utils import extend_schema
 from rest_framework import mixins
+from pulpcore.plugin.access_policy import AccessPolicyFromDB
 from pulpcore.plugin.serializers import (
     AsyncOperationResponseSerializer,
     RepositorySyncURLSerializer,
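Review bot: `ACCESS_POLICY_VIEWSET_NAME = "remotes/container/container"` is a bare string that couples the model to the viewset's route name, and nothing in the hunk says what it must match or what a mismatch does; as far as I can tell the `AutoAddObjPermsMixin` added on the class line resolves the access policy by this name, so a typo would not fail loudly but would appear to leave the creator without the object permissions the policy grants. I would put a comment above it: `# Must equal ContainerRemoteViewSet's full endpoint path ("remotes" + parent "container" + endpoint_name); the perms mixins look the access policy up by this name.` A functional test that creates a remote as a non-admin user and asserts that user holds view/change/delete on the new object would catch drift between the two. The `ContainerRemote` class body continues past the hunk.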
@@ -143,6 +144,53 @@ class ContainerRemoteViewSet(RemoteViewSet):
     endpoint_name = "container"
     queryset = models.ContainerRemote.objects.all()
     serializer_class = serializers.ContainerRemoteSerializer
+    permission_classes = (AccessPolicyFromDB,)
+    queryset_filtering_required_permission = "container.view_containerremote"
+
+    DEFAULT_ACCESS_POLICY = {
+        "statements": [
+            {
+                "action": ["list"],
+                "principal": "authenticated",
+                "effect": "allow",
+            },
+            {
+                "action": ["create"],
+                "principal": "authenticated",
+                "effect": "allow",
+                "condition": "has_model_perms:container.add_containerremote",
+            },
+            {
+                "action": ["retrieve"],
+                "principal": "authenticated",
+                "effect": "allow",
+                "condition": "has_model_or_obj_perms:container.view_containerremote",
+            },
+            {
+                "action": ["update", "partial_update"],
+                "principal": "authenticated",
+                "effect": "allow",
+                "condition": "has_model_or_obj_perms:container.change_containerremote",
+            },
+            {
+                "action": ["destroy"],
+                "principal": "authenticated",
+                "effect": "allow",
+                "condition": "has_model_or_obj_perms:container.delete_containerremote",
+            },
+        ],
+        "permissions_assignment": [
+            {
+                "function": "add_for_object_creator",
+                "parameters": None,
+                "permissions": [
+                    "container.view_containerremote",
+                    "container.change_containerremote",
+                    "container.delete_containerremote",
+                ],
+            },
+        ],
+    }
 class ContainerRepositoryViewSet(RepositoryViewSet):
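Review bot: The `"list"` statement carries no `condition`, so any authenticated user passes the policy for listing; what keeps remotes the user has no `view_containerremote` permission on out of the response is `queryset_filtering_required_permission` two lines above, which is enforced by the base viewset's queryset filtering outside this hunk rather than by the policy itself. Since remotes presumably hold upstream credentials and proxy settings, that dependency deserves a comment on the `list` statement, e.g. `# No condition: listing is open to authenticated users, but results are narrowed to objects the user has view perms on via queryset_filtering_required_permission above.` A test that lists as a user holding no permissions and expects an empty result would pin the behaviour. Note also that these statements only gate the remote endpoints themselves; if the repository sync endpoint accepts a remote href (not visible here), using a remote there is not covered by this policy. `ContainerRemoteViewSet` starts before the hunk.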