-
Notifications
You must be signed in to change notification settings - Fork 105
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Roles #1627
Roles #1627
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1 @@ | ||
Adjusted the RBAC documentation for the roles framework. |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,7 @@ | ||
Added a role model to support RBAC and the utility functions ``assign_role`` and ``remove_role``. | ||
|
||
The field ``permissions_assignment`` of access policies has been renamed to ``creation_hooks``. A | ||
compatibility patch has been added to be removed with pulpcore=3.20. | ||
|
||
The ``permissions`` argument to ``creation_hooks`` has been deprecated to be removed with | ||
pulpcore=3.20. |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1 @@ | ||
Added views to assign model and object level roles to users and groups. |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1 @@ | ||
Rewrote existing access policies on viewsets to use roles. |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,7 @@ | ||
Added ``get_objects_for_user`` to support queryset filtering by roles. | ||
Added hooks in ``AutoAddObjPermsMixin`` to support auto-assignment of roles. | ||
|
||
Changed the lookup for creation hooks so hooks need to be registered in | ||
``REGISTERED_CREATION_HOOKS`` on the model to be used. The signature for creation hooks that are | ||
registered must match the exploded version of the dict parameters from the access policy. | ||
Unregistered creation hooks are deprecated and support will be dropped in pulpcore 3.20. |
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -17,54 +17,57 @@ are run. | |
Defining New Object Permission Behaviors | ||
---------------------------------------- | ||
|
||
The ``AccessPolicy.permissions_assignment`` attribute defines a set of callables that are intended | ||
to be run when new objects are created. These do not run automatically; your models should use the | ||
The ``AccessPolicy.creation_hooks`` attribute defines a set of callables that are intended to be | ||
run when new objects are created. These do not run automatically; your models should use the | ||
``pulpcore.plugin.models.AutoAddObjPermsMixin`` on the model as described in the | ||
:ref:`enabling_new_object_permission_creation` section. | ||
|
||
The ``AccessPolicy.permissions_assignment`` attribute is optional because not all AccessPolicy | ||
objects create objects. If no objects are created by an endpoint, there does not need to be a | ||
``permissions_assignment`` attribute. | ||
The ``AccessPolicy.creation_hooks`` attribute is optional because not all AccessPolicy objects | ||
create objects. If no objects are created by an endpoint, there does not need to be a | ||
``creation_hooks`` attribute. | ||
|
||
The most common auto-assignment of permissions is to the creator of an object themselves. Here is an | ||
example assigning the ``["pulpcore.view_task", "pulpcore.change_task", "pulpcore.delete_task"]`` | ||
permissions to the creator of an object: | ||
Permissions are associated to users via roles. | ||
|
||
The most common auto-assignment of roles is to the creator of an object themselves. Here is an | ||
example assigning the ``"core.task_owner"`` role to the creator of an object: | ||
|
||
.. code-block:: python | ||
|
||
{ | ||
"function": "add_for_object_creator", | ||
"parameters": null, | ||
"permissions": ["pulpcore.view_task", "pulpcore.change_task", "pulpcore.delete_task"] | ||
} | ||
"function": "add_roles_for_object_creator", | ||
"parameters": {"roles": ["core.task_owner"]}, | ||
} | ||
|
||
Another common auto-assignment of permissions is to assign to one or more users explicitly. Here is | ||
an example assigning the ``["pulpcore.view_task", "pulpcore.change_task", "pulpcore.delete_task"]`` | ||
permissions to the users ``["alice", "bob"]``. | ||
Another common auto-assignment of roles is to assign to one or more users explicitly. Here is an | ||
example assigning the ``"core.task_owner"`` role to the users ``["alice", "bob"]``. | ||
|
||
.. code-block:: python | ||
|
||
{ | ||
"function": "add_for_users", | ||
"parameters": ["alice", "bob"], | ||
"permissions": ["pulpcore.view_task", "pulpcore.change_task", "pulpcore.delete_task"] | ||
"function": "add_roles_for_users", | ||
"parameters": { | ||
"roles": "core.task_owner", | ||
"users": ["alice", "bob"], | ||
}, | ||
} | ||
|
||
A third common auto-assignment of permissions is to assign to one or more groups explicitly. Here is | ||
an example assigning the ``"pulpcore.view_task"`` permission to the group ``"foo"``. | ||
A third common auto-assignment of roles is to assign to one or more groups explicitly. Here is an | ||
example assigning the ``"core.task_viewer"`` role to the group ``"foo"``. | ||
|
||
.. code-block:: python | ||
|
||
{ | ||
"function": "add_for_groups", | ||
"parameters": "foo", | ||
"permissions": "pulpcore.view_task" | ||
"parameters": { | ||
"roles": ["core.task_viewer"], | ||
"groups": "foo", | ||
}, | ||
} | ||
|
||
.. note:: | ||
|
||
Both the ``add_for_users`` and ``add_for_groups`` accept either a single item or list of items | ||
for both the ``parameters`` and ``permissions`` attributes. | ||
All the hooks shipped with pulpcore accept either a single item or list of items for their | ||
arguments like ``roles``, ``users`` or ``groups``. | ||
|
||
|
||
.. _enabling_new_object_permission_creation: | ||
|
@@ -92,27 +95,26 @@ See the docstring below for more information on this mixin. | |
Shipping a Default New Object Policy | ||
------------------------------------ | ||
|
||
In general, the default recommended is to use the ``add_for_object_creator`` to assign the view, | ||
change, and delete permissions for the object created. Here is an example of a default policy like | ||
this: | ||
In general, the default recommended is to use the ``add_roles_for_object_creator`` to assign the | ||
view, change, and delete permissions for the object created. Here is an example of a default policy | ||
like this: | ||
|
||
.. code-block:: python | ||
|
||
FILE_REMOTE_PERMISSIONS_ASSIGNMENT = [ | ||
{ | ||
"function": "add_for_object_creator", | ||
"parameters": None, | ||
"permissions": [ | ||
"file.change_fileremote", "file.change_fileremote", "file.delete_fileremote" | ||
] | ||
} | ||
] | ||
|
||
AccessPolicy.objects.create( | ||
viewset_name="remotes/file/file", | ||
statements=FILE_REMOTE_STATEMENTS, | ||
permissions_assignment=FILE_REMOTE_PERMISSIONS_ASSIGNMENT | ||
) | ||
DEFAULT_ACCESS_POLICY = { | ||
"statements": <...> | ||
"creation_hooks": [ | ||
{ | ||
"function": "add_roles_for_object_creator", | ||
"parameters": {"roles": "file.fileremote_owner"}, | ||
} | ||
], | ||
} | ||
LOCKED_ROLES = { | ||
"file.fileremote_owner": [ | ||
"file.view_fileremote", "file.change_fileremote", "file.delete_fileremote" | ||
], | ||
} | ||
|
||
This effectively creates a "user isolation" policy which aligns with the examples from | ||
:ref:`shipping_default_access_policy`. | ||
|
@@ -123,37 +125,53 @@ This effectively creates a "user isolation" policy which aligns with the example | |
Defining Custom New Object Permission Callables | ||
----------------------------------------------- | ||
|
||
Plugin writers can use more than the built-in callables such as ``add_for_object_creator`` or | ||
``add_for_users`` by defining additional methods on the model itself. The callables defined in the | ||
``function`` are method names on the Model with the following signature: | ||
Plugin writers can use more than the built-in callables such as ``add_roles_for_object_creator`` or | ||
``add_roles_for_users`` by defining additional methods on the model itself. The callables defined in | ||
the ``function`` are method names on the Model that need to be registered with | ||
``REGISTERED_CREATION_HOOKS``: | ||
|
||
.. code-block:: python | ||
|
||
class MyModel(BaseModel, AutoAddObjPermsMixin): | ||
|
||
def my_custom_callable(self, permissions, parameters): | ||
# NOTE: permissions and parameters can be either a single entity or a list of entities | ||
from guardian.shortcuts import assign_perm | ||
user_or_group = parameters | ||
for permission in permissions: | ||
assign_perm(permissions, user_or_group, self) # self is the object being assigned | ||
def __init__(self, *args, **kwargs): | ||
super().__init__(*args, **kwargs) | ||
self.REGISTERED_CREATION_HOOKS["my_custom_callable"] = self.my_custom_callable | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Is it possible to assign this as an attribute to the class? There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Not sure how we can make it extendable on subclassing as a ClassVar, without writing a complicated meta class. |
||
|
||
def my_custom_callable(self, role, users, groups): | ||
from pulpcore.app.util import assign_role | ||
for user in users: | ||
assign_role(role, user, self) # self is the object being assigned | ||
for group in groups: | ||
assign_role(role, group, self) # self is the object being assigned | ||
|
||
This would be callable with a configuration like this one: | ||
|
||
.. code-block:: python | ||
|
||
{ | ||
"function": "my_custom_callable", | ||
"parameters": "asdf", | ||
"permissions": "pulpcore.view_task" | ||
"parameters": { | ||
"role": "pulpcore.task_viewer", | ||
"users": ["bob"], | ||
"groups": [], | ||
}, | ||
} | ||
|
||
.. note:: | ||
|
||
The ``parameters`` dict must actually match the creation hooks signature. | ||
|
||
|
||
.. _auto_removing_permissions_on_object_deletion: | ||
|
||
Auto Removing Permissions On Object Deletion | ||
-------------------------------------------- | ||
|
||
.. note:: | ||
|
||
This applies to the deprecated guardian framework. Role associations are automatically deleted. | ||
|
||
A mixin is provided for use on your models to automatically delete all object-level permissions when | ||
an object is deleted. This is provided by the ``pulpcore.plugin.models.AutoDeleteObjPermsMixin`` | ||
mixin. | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
exploded? not sure what is going kaboom here.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Like unpacked. The parameters dict is unpacked (
**parameters
) and takes more space now. Like an explosion.There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
💥