Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add RBAC to repository versions #212

Merged
merged 1 commit into from Feb 3, 2021
Merged

Add RBAC to repository versions #212

merged 1 commit into from Feb 3, 2021

Conversation

goosemania
Copy link
Member

@pulpbot
Copy link
Member

pulpbot commented Jan 25, 2021

Attached issue: https://pulp.plan.io/issues/8017

@goosemania goosemania force-pushed the story8017 branch 2 times, most recently from 26bf50e to 89b2d7b Compare January 26, 2021 18:59
goosemania
goosemania commented Jan 26, 2021
View reviewed changes
pulp_container/app/viewsets.py Outdated
Comment on lines 569 to 596
# {
# "action": ["destroy"],
# "principal": "authenticated",
# "effect": "allow",
# "condition":
# "has_repo_attr_model_or_obj_perms:container.delete_containerrepository",
# },
# {
# "action": ["destroy"],
# "principal": "authenticated",
# "effect": "allow",
# "condition":
# "has_repo_attr_model_or_obj_perms:container.sync_containerrepository",
# },
# {
# "action": ["destroy"],
# "principal": "authenticated",
# "effect": "allow",
# "condition":
# "has_repo_attr_model_or_obj_perms:container.build_image_containerrepository",
# },
# {
# "action": ["destroy"],
# "principal": "authenticated",
# "effect": "allow",
# "condition":
# "has_repo_attr_model_or_obj_perms:container.modify_content_containerrepository",
# },
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is option two.
A default policy can't be changed easily and there are many statements for the same action/principal/effect.
A good thing is that a user will see those perms in detail if they try to read the access policy via API.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Option three is to put all conditions in one loooong string and have one item for a destroy action.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Option 4:

            {
                "action": ["destroy"],
                "principal": "authenticated",
                "effect": "allow",
                "condition":
                    "has_repo_attr_model_or_obj_perms:container.delete_containerrepository"
                    " or has_repo_attr_model_or_obj_perms:container.delete_version_containerrepository",
            },

@goosemania
Copy link
Member Author

@ipanova , @dkliban , @mdellweg , please choose which option out of three is a preference for the container team and I will go with that.

In no particular order, the options (see details in my other comments) are:

  1. custom check
  2. many items for a destroy action with one condition
  3. one item for a destroy action with a many conditions put in one string

mdellweg
mdellweg reviewed Jan 27, 2021
View reviewed changes
pulp_container/app/access_policy.py Outdated Show resolved Hide resolved
pulp_container/app/viewsets.py Outdated
Comment on lines 569 to 596
# {
# "action": ["destroy"],
# "principal": "authenticated",
# "effect": "allow",
# "condition":
# "has_repo_attr_model_or_obj_perms:container.delete_containerrepository",
# },
# {
# "action": ["destroy"],
# "principal": "authenticated",
# "effect": "allow",
# "condition":
# "has_repo_attr_model_or_obj_perms:container.sync_containerrepository",
# },
# {
# "action": ["destroy"],
# "principal": "authenticated",
# "effect": "allow",
# "condition":
# "has_repo_attr_model_or_obj_perms:container.build_image_containerrepository",
# },
# {
# "action": ["destroy"],
# "principal": "authenticated",
# "effect": "allow",
# "condition":
# "has_repo_attr_model_or_obj_perms:container.modify_content_containerrepository",
# },
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Option 4:

            {
                "action": ["destroy"],
                "principal": "authenticated",
                "effect": "allow",
                "condition":
                    "has_repo_attr_model_or_obj_perms:container.delete_containerrepository"
                    " or has_repo_attr_model_or_obj_perms:container.delete_version_containerrepository",
            },

pulp_container/app/viewsets.py Show resolved Hide resolved
@goosemania goosemania marked this pull request as ready for review January 28, 2021 19:37
@goosemania goosemania force-pushed the story8017 branch 6 times, most recently from 8161903 to b286cb8 Compare February 1, 2021 22:14
@goosemania
Copy link
Member Author

Needs a rebase, waiting on rbac branch to be fixed

goosemania
goosemania commented Feb 2, 2021
View reviewed changes
pulp_container/tests/functional/api/test_rbac_repo_versions.py
monitor_task(response.task)


class PushRepoVersionTestCase(unittest.TestCase):
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I wonder if I should move push tests to the module where push content tests are, to reduce the setup time for tests.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

push content tests are already quite long, i believe eventually we goona split those.
My personal preference would be to keep tests organized by 'topic' even though we are going to sacrifice on the setup time.

@goosemania
Copy link
Member Author

Rebased. Green.

mdellweg
mdellweg approved these changes Feb 3, 2021
View reviewed changes
Copy link
Member

@mdellweg mdellweg left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

pulp_container/app/viewsets.py
repo = repo_version.repository.cast()
if not (self.request.user.has_perm(perm) or self.request.user.has_perm(perm, repo)):
raise Http404(_("detail not found"))
return qs
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍

ipanova
ipanova reviewed Feb 3, 2021
View reviewed changes
pulp_container/app/viewsets.py
"condition": [
"has_repo_attr_model_or_obj_perms:container.delete_containerrepository_versions", # noqa
"has_repo_attr_model_or_obj_perms:container.view_containerrepository",
],
Copy link
Member

@ipanova ipanova Feb 3, 2021
edited

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍

ipanova
ipanova reviewed Feb 3, 2021
View reviewed changes
pulp_container/tests/functional/api/test_rbac_repo_versions.py
del_user(cls.user_helpless)

@classmethod
def _pull(cls, image_path, user=None):
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

but i was thinking to move this into the registry base test so we do not copy paste them every time when we write a new module with pull/push tests.

ipanova
ipanova approved these changes Feb 3, 2021
View reviewed changes
Copy link
Member

@ipanova ipanova left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you! 🍰 🚀

@dkliban dkliban merged commit 9c148dc into pulp:rbac Feb 3, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ipanova ipanova ipanova approved these changes

@mdellweg mdellweg mdellweg approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
5 participants
@goosemania @pulpbot @ipanova @mdellweg @dkliban