Add Domain and/or RBAC (multi-tenancy) support #860
Comments
This is a perfectly reasonable feature request that we don't currently have on our roadmap. This goes for both RBAC and Domains. What would help us to get this process off the ground is if you could describe some concrete example workflows/use cases that you would like to see in pulp_deb. Something like: "In pulp_file/rpm we have user A with permissions B taking action x on repo y, but also user C with permissions D who should only be able to take action z." Currently the pulp_deb plugin maintainers have no experience working with RBAC or Domains, either for pulp_deb or any other plugins. We would like to support this feature at some point, but we don't currently need it for our own use cases. As a result, a detailed description of someone else's use case, who would like to see this feature, would be very valuable for us.
Currently we have a separate pulp instance for each of our customers, to build the packages for our customers and distribute the packages to them. This is because we have to separate the packages so that the customers don't see packages of other customers. To simplify our infrastructure, we would like to consolidate all the customer pulp servers into one centralized pulp server.
Now here's an important question: How much separation is desired? Or: What is shared? With domains, each domain will have a separate namespace for all these objects, and the artifact storage will be separated. Deduplication will only happen within the same domain, so the storage requirements will roughly match your current setup. Bonus: You can configure the storage backend separately for each domain. "Bring your own storage bucket." Note, you can still use RBAC within a domain. In comparison to your current setup, the infrastructure will be shared between domains, users and groups can be granted to operate in multiple domains (not in a single request), and access policies and roles are global too.
Duplicates #392
Hello, a colleague of @maggu here, to fill in on our preferred use cases. Our main use case is with CI pipelines, where a user exists which has the necessary permissions to see and upload content to a given set of repositories, and only those repositories. (Seeing other repositories is acceptable.) We would also like to be able to let the CI user copy content from the upload repository to a secondary set of repositories, to allow tiered rollout of changes. As an alternative, this could be done through a regular upload to the secondary set of repositories. The described user should not have the ability to modify any other repositories than those assigned to it, nor modify the definitions for its assigned upload repositories.
Is your feature request related to a problem? Please describe.
As a user, I'd like to have application-level multi-tenancy, like pulp_file and pulp_rpm have.
Describe the solution you'd like
Enable domain support: https://docs.pulpproject.org/pulpcore//workflows/domains-multi-tenancy.html
Additional context