Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add RBAC to repository versions #212

Merged
merged 1 commit into from Feb 3, 2021
Merged

Add RBAC to repository versions #212

merged 1 commit into from Feb 3, 2021

Conversation

goosemania
Copy link
Member

@pulpbot
Copy link
Member

pulpbot commented Jan 25, 2021

Attached issue: https://pulp.plan.io/issues/8017

@goosemania goosemania force-pushed the story8017 branch 2 times, most recently from 26bf50e to 89b2d7b Compare January 26, 2021 18:59
Comment on lines 569 to 596
# {
# "action": ["destroy"],
# "principal": "authenticated",
# "effect": "allow",
# "condition":
# "has_repo_attr_model_or_obj_perms:container.delete_containerrepository",
# },
# {
# "action": ["destroy"],
# "principal": "authenticated",
# "effect": "allow",
# "condition":
# "has_repo_attr_model_or_obj_perms:container.sync_containerrepository",
# },
# {
# "action": ["destroy"],
# "principal": "authenticated",
# "effect": "allow",
# "condition":
# "has_repo_attr_model_or_obj_perms:container.build_image_containerrepository",
# },
# {
# "action": ["destroy"],
# "principal": "authenticated",
# "effect": "allow",
# "condition":
# "has_repo_attr_model_or_obj_perms:container.modify_content_containerrepository",
# },
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is option two.
A default policy can't be changed easily and there are many statements for the same action/principal/effect.
A good thing is that a user will see those perms in detail if they try to read the access policy via API.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Option three is to put all conditions in one loooong string and have one item for a destroy action.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Option 4:

            {
                "action": ["destroy"],
                "principal": "authenticated",
                "effect": "allow",
                "condition":
                    "has_repo_attr_model_or_obj_perms:container.delete_containerrepository"
                    " or has_repo_attr_model_or_obj_perms:container.delete_version_containerrepository",
            },

@goosemania
Copy link
Member Author

@ipanova , @dkliban , @mdellweg , please choose which option out of three is a preference for the container team and I will go with that.

In no particular order, the options (see details in my other comments) are:

  1. custom check
  2. many items for a destroy action with one condition
  3. one item for a destroy action with a many conditions put in one string

pulp_container/app/access_policy.py Outdated Show resolved Hide resolved
Comment on lines 569 to 596
# {
# "action": ["destroy"],
# "principal": "authenticated",
# "effect": "allow",
# "condition":
# "has_repo_attr_model_or_obj_perms:container.delete_containerrepository",
# },
# {
# "action": ["destroy"],
# "principal": "authenticated",
# "effect": "allow",
# "condition":
# "has_repo_attr_model_or_obj_perms:container.sync_containerrepository",
# },
# {
# "action": ["destroy"],
# "principal": "authenticated",
# "effect": "allow",
# "condition":
# "has_repo_attr_model_or_obj_perms:container.build_image_containerrepository",
# },
# {
# "action": ["destroy"],
# "principal": "authenticated",
# "effect": "allow",
# "condition":
# "has_repo_attr_model_or_obj_perms:container.modify_content_containerrepository",
# },
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Option 4:

            {
                "action": ["destroy"],
                "principal": "authenticated",
                "effect": "allow",
                "condition":
                    "has_repo_attr_model_or_obj_perms:container.delete_containerrepository"
                    " or has_repo_attr_model_or_obj_perms:container.delete_version_containerrepository",
            },

pulp_container/app/viewsets.py Show resolved Hide resolved
@goosemania goosemania force-pushed the story8017 branch 6 times, most recently from 8161903 to b286cb8 Compare February 1, 2021 22:14
@goosemania
Copy link
Member Author

Needs a rebase, waiting on rbac branch to be fixed

monitor_task(response.task)


class PushRepoVersionTestCase(unittest.TestCase):
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I wonder if I should move push tests to the module where push content tests are, to reduce the setup time for tests.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

push content tests are already quite long, i believe eventually we goona split those.
My personal preference would be to keep tests organized by 'topic' even though we are going to sacrifice on the setup time.

@goosemania
Copy link
Member Author

Rebased. Green.

Copy link
Member

@mdellweg mdellweg left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

repo = repo_version.repository.cast()
if not (self.request.user.has_perm(perm) or self.request.user.has_perm(perm, repo)):
raise Http404(_("detail not found"))
return qs
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍

"condition": [
"has_repo_attr_model_or_obj_perms:container.delete_containerrepository_versions", # noqa
"has_repo_attr_model_or_obj_perms:container.view_containerrepository",
],
Copy link
Member

@ipanova ipanova Feb 3, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍

del_user(cls.user_helpless)

@classmethod
def _pull(cls, image_path, user=None):
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

but i was thinking to move this into the registry base test so we do not copy paste them every time when we write a new module with pull/push tests.

Copy link
Member

@ipanova ipanova left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you! 🍰 🚀

@dkliban dkliban merged commit 9c148dc into pulp:rbac Feb 3, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

None yet

5 participants