Re: [Pulp-dev] RBAC Status Thread

2020-06-25 Thread Brian Bouterse
Here's another push to the branch (it includes the following additions):
https://github.com/pulp/pulp_file/compare/master...bmbouter:rbac-PoC?expand=1

* A FileRepositoryAccessPolicy which provides RBAC for Repositories (not
yet sync)
* A new Mixin allowing the two policies to share some common components

Next up:
* have pulp_file define the fileContentAdmin group programmatically
* Extend the FileRepositoryAccessPolicy to restrict sync operations
* Write up and organize the PoC into a clear, organized format

Also of interest today, @ttereshc and I had a great convo asking what to do
about potential problems when we use Django groups to be a "role". My write-up
will address this in more detail than I can go into here. We are also
looking at what the django-role-permissions project could offer us:
https://django-role-permissions.readthedocs.io/en/stable/utils.html

I expect the PoC to be done by tomorrow and write-up by Monday, so I'm
going to schedule the public review meeting for next week towards the end
of the week.


On Wed, Jun 24, 2020 at 5:49 PM Brian Bouterse  wrote:

> Moar progress! Today the following things got done: Today's changes are
> available here:
> https://github.com/pulp/pulp_file/compare/master...bmbouter:rbac-PoC?expand=1
>
> * Got scoped querysets working! This restricts list views to only show
> objects a user has permissions to view. A db reset was all that was needed;
> I think I didn't have all the changes in when I applied my earlier
> migrations
> * Added "detail view" restriction, and while it's in the policy and
> working, DRF does a strange thing on "retrieve" where if it's not in the
> queryset (due to scoping ^) the user receives a 404, not a permission denied
> * Got permissions cleaning up on resource deletion now too
>
> Next up:
> * have pulp_file define the fileContentAdmin group programmatically
> * Make similar policies for FileRepository which governs itself and the
> "sync" action
> * Write up and organize the PoC into a clear, organized format
>
> Questions and feedback are welcome!
>
> On Tue, Jun 23, 2020 at 5:54 PM Brian Bouterse 
> wrote:
>
>> Lots of progress today! I have a mostly-complete policy for RBAC for
>> FileRemote. It's surprising how little code all of this ended up being.
>>
>> Here's the actual RBAC stuff, it's all in pulp_file:
>> https://github.com/pulp/pulp_file/compare/master...bmbouter:rbac-PoC?expand=1
>> Here are the parts that go in core. Note the LDAP stuff is all optional;
>> the only real requirements are two lines: 1) enabling guardian in
>> INSTALLED_APPS and 2) adding it as an AuthenticationBackend:
>> https://github.com/pulp/pulpcore/compare/master...bmbouter:rbac-PoC
>>
>> I have some "how to use notes" here:
>> https://hackmd.io/DRqGFyRsSDmN7E4TtOPf-w  The idea is that it implements
>> the FileRemote portions of this requirements docs:
>> https://hackmd.io/kZ1oYp8TTkeuC5KL_ffjGQ
>>
>> Here is the short list of things for FileRemote that still don't work.
>> This is mainly so I remember what to do next. :)
>> * The get_objects_for_user from DjangoGuardian: I don't think it likes
>> Master/Detail, or maybe it's how/where I'm using it. I haven't yet debugged
>> this. For this reason it doesn't provide list restriction
>> * It still needs "detail view" restriction. This is straightforward.
>> * The group should be programmatically defined, in this case it was
>> "defined in LDAP". It could *also* live in LDAP (or other external group
>> definition system) but the plugin builds permissions off of it so it should
>> also define it. This is easy.
>>
>> Feedback is welcome. I'm going to continue building this and then
>> schedule a public review of FileRemote, Content modification for file
>> repos, and sync restriction next week.
>>
>>
>>
>> On Mon, Jun 22, 2020 at 5:14 PM Brian Bouterse 
>> wrote:
>>
>>> # ldap PoC updates
>>> Now users, groups, and group membership are populating from ldap
>>> automatically on login (with auth backed by ldap also)! I'll be sharing my
>>> configs for both ldap and how to configure django-auth-ldap here soon in an
>>> organized way. This was done with django-auth-ldap and 0
>>> customization to pulp code. It's 100% enabled through settings so this work
>>> is more of an approach we can document for users that they can enable and
>>> not a feature Pulp ships itself.
>>>
>>> # django-admin progress
>>> Thanks to @alikins' existing PRs, I got django admin enabled and able to
>>> view/edit users, groups, group membership, and permissions at both the user
>>> and group levels. This is important because this will be the primary
>>> mechanism for administrators. This part is looking good.
>>>
>>> # new resources to help us out
>>> Through collaboration with @ttereshc and someone off list named @adelton
>>> (who actually authored this refer
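
The scoping and 404-vs-403 behaviour discussed in this thread, as an added illustration that is not code from the thread, from Pulp or from django-guardian: a plain-Python model of object-level permissions held by users or by groups used as roles, a list scoped the way get_objects_for_user() scopes it, DRF's default retrieve yielding 404 for an object outside the scoped queryset, an alternative lookup that yields 403 instead, and permission cleanup on deletion. The permission codenames (file.view_fileremote, file.delete_fileremote), the epel-viewers group, the users and the remotes are assumed for the illustration; only the fileContentAdmin group name comes from the thread.

```python
"""Object-level RBAC scoping modelled in plain Python. Added example, not Pulp or
django-guardian code: it models per-object permissions held by users or by groups
used as roles, a list scoped like get_objects_for_user(), DRF's 404-not-403 on
retrieve for objects outside the scoped queryset, and permission cleanup on delete.
Codenames, group names, users and objects below are constructed for illustration."""
from collections import namedtuple

Group = namedtuple("Group", "name perms")          # perms: model-level codenames the role grants
User = namedtuple("User", "username groups")
FileRemote = namedtuple("FileRemote", "pk name")
VIEW, DELETE = "file.view_fileremote", "file.delete_fileremote"   # assumed codenames


class NotFound(Exception):
    """Stands in for DRF's Http404 (HTTP 404)."""


class PermissionDenied(Exception):
    """Stands in for DRF's PermissionDenied (HTTP 403)."""


class ObjectPermissionStore:
    """Rows of (principal kind, principal name, perm codename, object pk)."""

    def __init__(self):
        self.rows = set()

    def assign(self, principal, perm, obj):
        kind, name = (("group", principal.name) if isinstance(principal, Group)
                      else ("user", principal.username))
        self.rows.add((kind, name, perm, obj.pk))

    def has_perm(self, user, perm, obj):
        if any(perm in g.perms for g in user.groups):      # model-level perm: every object
            return True
        return (("user", user.username, perm, obj.pk) in self.rows
                or any(("group", g.name, perm, obj.pk) in self.rows for g in user.groups))

    def purge(self, obj):
        """Drop every row for a deleted object so its ACL does not outlive it."""
        self.rows = {r for r in self.rows if r[3] != obj.pk}


class FileRemoteViewSet:
    def __init__(self, store, table):
        self.store, self.table = store, table    # table: pk -> object, the unscoped queryset

    def get_queryset(self, user):
        """Scoped queryset: only the objects the user may view."""
        return [o for o in self.table.values() if self.store.has_perm(user, VIEW, o)]

    def list(self, user):
        return [o.name for o in self.get_queryset(user)]

    def retrieve(self, user, pk):
        """DRF default: get_object() searches the *scoped* queryset, so a hidden
        object raises 404 before any object-permission check can run."""
        for o in self.get_queryset(user):
            if o.pk == pk:
                return o
        raise NotFound(pk)

    def retrieve_with_403(self, user, pk):
        """Look up unscoped, then check the object permission: a hidden object gets
        403, which also confirms to an unauthorized caller that it exists."""
        obj = self.table.get(pk)
        if obj is None:
            raise NotFound(pk)
        if not self.store.has_perm(user, VIEW, obj):
            raise PermissionDenied(pk)
        return obj

    def destroy(self, user, pk):
        obj = self.retrieve(user, pk)                    # 404 if not even viewable
        if not self.store.has_perm(user, DELETE, obj):
            raise PermissionDenied(pk)
        del self.table[obj.pk]
        self.store.purge(obj)


def http_status(call, *args):
    """Map a view outcome to the HTTP status DRF would send."""
    try:
        call(*args)
        return 200
    except NotFound:
        return 404
    except PermissionDenied:
        return 403


def build_fixture():
    """Constructed data: an admin role, a role scoped to one object, one direct user grant."""
    store = ObjectPermissionStore()
    table = {1: FileRemote(1, "fedora"), 2: FileRemote(2, "epel"), 3: FileRemote(3, "centos")}
    admins, viewers = Group("fileContentAdmin", {VIEW, DELETE}), Group("epel-viewers", set())
    users = {"alice": User("alice", [admins]), "bob": User("bob", [viewers]),
             "carol": User("carol", [])}
    store.assign(viewers, VIEW, table[2])           # role-held permission on one object
    store.assign(users["carol"], VIEW, table[3])    # direct user grant on one object
    return store, table, users, FileRemoteViewSet(store, table)
```

The two retrieve variants make the trade-off explicit: the scoped lookup hides from a user who may not view a remote whether it exists at all, while the explicit check gives a clean 403 that is easier to reason about in audit logs at the cost of confirming existence. Whichever a project picks, purge on delete keeps object permission rows from outliving the object they were granted on.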

[Pulp-dev] RPM plugin meeting notes

2020-06-25 Thread Tatiana Tereshchenko
Pulp 3:

- Kickstarts copy issue https://pulp.plan.io/issues/7046
  - Lots of discussion
  - AI: dkliban will add commentary to issue
    - https://pulp.plan.io/issues/7046#note-3
- Retain old count
  - Basically done - writing a test, might rename the field
    - https://github.com/pulp/pulp_rpm/pull/1752
      - AI: feedback is needed for the naming of user facing configuration parameter
  - Need to do a little more thinking about whether we can share an install of
    the extension with Katello or if we should just dump the entire extension
    into the database ourselves with raw SQL
    - Katello has an RPM that provides it
    - If install custom-type via rpm, still need migration to take advantage of it
      - Django can note existence/lack-thereof of a plugin
- Comps.xml relations removal and recursive copy
  - Copy is in progress, looks good so far
  - It's preferable if all changes go together into one Y release
- Mirrored metadata
  - No time to move this forward
  - ttereshc will try to move it forward, had a knowledge/ideas dump from
    dkliban earlier today

Pulp 2:

- 2.21.3 - dev freeze today, beta - on Tuesday

Open PRs:

- https://github.com/pulp/pulp_rpm/pulls

Triage:

- Un-triaged bugs https://pulp.plan.io/projects/pulp_rpm/issues?query_id=30
___
Pulp-dev mailing list
Pulp-dev@redhat.com
https://www.redhat.com/mailman/listinfo/pulp-dev