Re: [Pulp-dev] RBAC Status Thread

2020-08-06 Thread Brian Bouterse
# Update: django-lifecycle merged + released, and all tests are passing on Travis now https://github.com/pulp/pulpcore/pull/815/files # Regarding assigning permissions to objects created prior to RBAC... I now believe we do not need to apply permissions for the 'admin' user, and that is the on

Re: [Pulp-dev] RBAC Status Thread

2020-08-05 Thread Brian Bouterse
Alright we're close to the end of pulpcore's RBAC additions for 3.6, but there are still some challenges! Here's what's been accomplished: * The tests are now passing locally * We are waiting on django-lifecycle to merge my PR and release it https://github.com/rsinger86/django-lifecycle/pull/58

Re: [Pulp-dev] RBAC Status Thread

2020-07-31 Thread Brian Bouterse
A lot of plugin writer docs about adding RBAC support have been added to the newly opened WIP PR: https://github.com/pulp/pulpcore/pull/815/files Please come review the WIP PR. Code-wise it's 90% there, with just a few polish things I still need to finish. From a high level I still need to: * fini

Re: [Pulp-dev] RBAC Status Thread

2020-07-24 Thread Brian Bouterse
I've gotten various feedback and I want to relay some of the changes based on that. 1) Pulp should ship a "user isolation" policy by default. If users want other things they can configure it further. This is a change from my original proposal of Pulp shipping an "RBAC is off" policy. This will wor

Re: [Pulp-dev] RBAC Status Thread

2020-07-10 Thread David Davis
On Wed, Jul 8, 2020 at 4:54 PM Brian Bouterse wrote: > My next goal is to have object-level permissions assigned through signals > so that anywhere you save the model the permissions are correctly created. > To do this I need to get a few things working: > > 1) Move the permissions creation to th

Re: [Pulp-dev] RBAC Status Thread

2020-07-09 Thread Matthias Dellweg
On Thu, Jul 9, 2020 at 11:20 PM Brian Bouterse wrote: > > This is all done. I've pushed my code to the links below. You can now use > get_current_authenticated_user in both viewsets and tasks and it will give > you the user, which lets you use signals to automatically add object-level > permiss

Re: [Pulp-dev] RBAC Status Thread

2020-07-09 Thread Brian Bouterse
This is all done. I've pushed my code to the links below. You can now use get_current_authenticated_user in both viewsets and tasks and it will give you the user, which lets you use signals to automatically add object-level permissions anywhere automatically. Also tasks have RBAC themselves (includ

Re: [Pulp-dev] RBAC Status Thread

2020-07-08 Thread Brian Bouterse
My next goal is to have object-level permissions assigned through signals so that anywhere you save the model the permissions are correctly created. To do this I need to get a few things working: 1) Move the permissions creation to the signals [done] 2) Have the user be well-known, this is accompl

Re: [Pulp-dev] RBAC Status Thread

2020-07-01 Thread Brian Bouterse
Another productive RBAC day! See the latest code at the links below. Here's what's new: * policy is now shorter thanks to machinery checking both model-level and object-level permissions with one call. The other two are also available * sync is now restricted on both 'modify_repo_content' permissi

Re: [Pulp-dev] RBAC Status Thread

2020-07-01 Thread Brian Bouterse
The demo advertisement for tomorrow is here: https://www.redhat.com/archives/pulp-dev/2020-June/msg00076.html On Wed, Jul 1, 2020 at 6:41 PM Brian Bouterse wrote: > Another productive RBAC day! See the latest code at the links below. > Here's what's new: > > * policy is now shorter thanks to mac

Re: [Pulp-dev] RBAC Status Thread

2020-06-30 Thread Brian Bouterse
Today I accomplished a few more things: * finished my ldap notes: https://hackmd.io/ED9UpscNSRW86Le3xNzVeg * moving the checks from a mixin to be "global checks" so they are available everywhere, this is a feature from drf-access-policy: https://rsinger86.github.io/drf-access-policy/reusable_condi

Re: [Pulp-dev] RBAC Status Thread

2020-06-26 Thread Brian Bouterse
Today I got the "sync" RBAC working, but I need to give it some more thought. The extra challenge with this part is that "having permission to read a Remote" is already defined in one place, on FileRemoteAccessPolicy, yet the AccessPolicy that needs to perform the enforcement is FileRepositoryAcce

Re: [Pulp-dev] RBAC Status Thread

2020-06-25 Thread Brian Bouterse
Here's another push to the branch (it includes the following additions): https://github.com/pulp/pulp_file/compare/master...bmbouter:rbac-PoC?expand=1 * A FileRepositoryAccessPolicy which provides RBAC for Repositories (not yet sync) * A new Mixin allowing the two policies to share some common com

Re: [Pulp-dev] RBAC Status Thread

2020-06-24 Thread Brian Bouterse
Moar progress! Today the following things got done: Today's changes are available here: https://github.com/pulp/pulp_file/compare/master...bmbouter:rbac-PoC?expand=1 * Got scoped querysets working! This restricts list views to only show objects a user has permissions to view. A db reset was all th

Re: [Pulp-dev] RBAC Status Thread

2020-06-23 Thread Brian Bouterse
Lots of progress today! I have a mostly-complete policy for RBAC for FileRemote. It's surprising how little code all of this ended up being. Here's the actual RBAC stuff, it's all in pulp_file: https://github.com/pulp/pulp_file/compare/master...bmbouter:rbac-PoC?expand=1 Here's the parts that go i

Re: [Pulp-dev] RBAC Status Thread

2020-06-22 Thread Brian Bouterse
# ldap PoC updates Now users, groups, and group membership are populating from ldap automatically on login (with auth backed by ldap also)! I'll be sharing my configs for both ldap and how to configure django-auth-ldap here soon in an

Re: [Pulp-dev] RBAC Status Thread

2020-06-19 Thread Brian Bouterse
I got the LDAP users both authenticating and importing into Pulp! Next I'll do the groups and then I think the ldap parts will be done. FYI: I'm going to write up the implementation design and have that come with this proof of concept code. This will let us know what choices it makes, why it make

Re: [Pulp-dev] RBAC Status Thread

2020-06-17 Thread Brian Bouterse
I got a lot further on this today. I have the test ldap setup with several test users and groups. I have django-auth-ldap configured mostly authenticating username/password against ldap instead of the internal database first. Once that is fully working the users will auto-populate into django and t

Re: [Pulp-dev] RBAC Status Thread

2020-06-15 Thread Brian Bouterse
I got the ldap reference implementation performing auth really nicely against a test ldap with this guide: https://www.nginx.com/blog/nginx-plus-authenticate-users/ Now there are some new challenges though: * Great that we can auth users, but we need nginx to extract-and-forward the group informat

Re: [Pulp-dev] RBAC Status Thread

2020-06-09 Thread Adrian Likins
On Fri, Jun 5, 2020 at 8:23 PM Brian Bouterse wrote: > > 1) django admin (the built in django UI) will be the mechanism > administrators use to assign permissions to users and groups. This means > the use of django admin with pulp is very likely (to me). > > Hopefully https://github.com/pulp/pulp

Re: [Pulp-dev] RBAC Status Thread

2020-06-05 Thread Brian Bouterse
Today my RBAC work led me to a few conclusions: 1) django admin (the built in django UI) will be the mechanism administrators use to assign permissions to users and groups. This means the use of django admin with pulp is very likely (to me). 2) externally defined users and groups will need to be

Re: [Pulp-dev] RBAC Status Thread

2020-06-03 Thread Brian Bouterse
Today I got basic object-level permissions experimentally working with django-guardian. The current plan is to use django-guardian to provide object-level permissions and drf-access-policy to provide the actual authorization checks in the viewset. Django-guardian could provide the permission chec

Re: [Pulp-dev] RBAC Status Thread

2020-06-02 Thread Brian Bouterse
I've started experimenting with the basic drf-access-policy example and django-guardian and adapting it to be a RemoteAccessPolicy https://github.com/pulp/pulp_file/compare/master...bmbouter:rbac-PoC?expand=1 https://github.com/pulp/pulpcore/compare/master...bmbouter:rbac-PoC?expand=1 On Mon, Jun