# RBAC Proof of Concept -- Requirements

###### tags: `RBAC`

## Goals

Produce a basic, working example of Role Based Access Control. Although limited in scope, it should include an example of each aspect of RBAC the final solution will require.

## Aspects to be included

#### Users and Groups Outside of Pulp -- requirement A

1. A user authenticated outside of Pulp
2. A group with a user membership stored outside of Pulp

#### Permissions and Roles Defined by a Plugin -- requirement B

1. At least one plugin-defined permission
2. At least one plugin-defined role
3. At least one "Model Permission" restricting the creation of a model of a certain type
4. At least one "Object Permission" restricting access to a specific instance of a Model
5. At least one list view showing only those objects you can Read

#### Administrator Configuration -- requirement C

1. Administrator creates one or more users
2. Administrator creates one or more groups
3. Administrator assigns a permission to a user
4. Administrator assigns a permission to a group
5. Administrator assigns a role to a user
6. Administrator assigns a role to a group

#### Enforcement Requirements -- requirement D

1. Permissions checked in the viewset
2. Two permissions required in the viewset for one operation
3. Permissions checked in the task

#### Programmatic Permissions Assignment -- requirement E

1. Programmatic addition of a specific permission to a user
2. Programmatic addition of a specific permission to a group

## Scope of Work

#### Users and Groups outside of Pulp

* Pulp configured for external Authorization - A1
* Pulp configured for external group checking - A2

#### pulp_file Remote Permissions

* CreateFileRemote - Required to create new FileRemotes - B1, B3
* ReadFileRemote - Required to read a specific instance of a FileRemote - B1, B4
* UpdateFileRemote - Required to update a specific instance of a FileRemote - B1, B4
* DeleteFileRemote - Required to delete a specific instance of a FileRemote - B1, B4

#### pulp_file Repository Permissions

* CreateFileRepository - Required to create new FileRepositories - B1, B3
* ReadFileRepository - Required to read a specific instance of a FileRepository - B1, B4
* UpdateFileRepository - Required to update a specific instance of a FileRepository - B1, B4
* DeleteFileRepository - Required to delete a specific instance of a FileRepository - B1, B4
* ModifyFileRepositoryContent - Required to create or delete a RepositoryVersion for a specific instance of a FileRepository - B1, B4

#### pulp_file Roles

* FileGlobalAdmin - A role allowing you to perform CRUD on all FileRemotes, all FileRepositories, and create/delete RepositoryVersions for all FileRepositories - B2

#### Remotes Viewset Enforcement

* GET to /pulp/pulp/api/v3/remotes/file/file/ - Returns only FileRemotes where the user has ReadFileRemote, or all FileRemotes if FileGlobalAdmin - B5
* POST to /pulp/pulp/api/v3/remotes/file/file/ - Requires either the CreateFileRemote permission or the FileGlobalAdmin role - D1
* GET to /pulp/api/v3/remotes/file/file/:uuid/ - Requires either ReadFileRemote or the FileGlobalAdmin role - D1
* PUT/PATCH to /pulp/api/v3/remotes/file/file/:uuid/ - Requires either UpdateFileRemote or the FileGlobalAdmin role - D1
* DELETE to /pulp/api/v3/remotes/file/file/:uuid/ - Requires either DeleteFileRemote or the FileGlobalAdmin role - D1

#### Repositories Viewset Enforcement

* GET to /pulp/pulp/api/v3/repositories/file/file/ - Returns only FileRepositories where the user has ReadFileRepository, or all FileRepositories if FileGlobalAdmin - B5
* POST to /pulp/pulp/api/v3/repositories/file/file/ - Requires either the CreateFileRepository permission or the FileGlobalAdmin role - D1
* GET to /pulp/api/v3/repositories/file/file/:uuid/ - Requires either ReadFileRepository or the FileGlobalAdmin role - D1
* PUT/PATCH to /pulp/api/v3/repositories/file/file/:uuid/ - Requires either UpdateFileRepository or the FileGlobalAdmin role - D1
* DELETE to /pulp/api/v3/repositories/file/file/:uuid/ - Requires either DeleteFileRepository or the FileGlobalAdmin role - D1

#### Repositories Viewset Enforcement

* POST to /pulp/api/v3/repositories/file/file/:uuid/modify/ - Requires either ModifyFileRepositoryContent or the FileGlobalAdmin role - D1
* POST to /pulp/api/v3/repositories/file/file/:uuid/sync/ - Requires both ModifyFileRepositoryContent and ReadFileRemote, or the FileGlobalAdmin role - D2

#### Programmatic Permissions Assignment - Remotes

* A user having the FileRemote permission directly automatically receives ReadFileRemote, UpdateFileRemote, and DeleteFileRemote for a newly created FileRemote - E1
* A user having the FileRemote permission via a group automatically receives ReadFileRemote, UpdateFileRemote, and DeleteFileRemote for a newly created FileRemote - E2

#### Programmatic Permissions Assignment - Repositories

* A user having the FileRepository permission directly automatically receives ReadFileRepository, UpdateFileRepository, DeleteFileRepository, and ModifyFileRepositoryContent for a newly created FileRepository - E1
* A user having the FileRepository permission via a group automatically receives ReadFileRepository, UpdateFileRepository, DeleteFileRepository, and ModifyFileRepositoryContent for a newly created FileRepository - E2

#### Administrator role/permission Assignment

TBD
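The following is an added example, not part of this requirements page and not Pulp's code: a self-contained Python model of the scope of work above, so the enforcement and assignment rules can be exercised without a Pulp deployment. The permission and role names are the page's; everything else (`Principal`, `Obj`, `Store`, `create`, `list_remotes`, `sync_repository`, `scenario`) is an assumed stand-in for Django users and groups, django-guardian-style object permissions and the DRF viewsets. External authentication (A1) is out of scope for an in-process model; `scenario()` walks through group membership (A2), the plugin permissions and role (B), the administrator configuration (C), viewset enforcement including the two-permission sync check (D1, D2), list filtering (B5), and the automatic grant of object permissions to the creator (E1, E2).

```python
from dataclasses import dataclass, field

# Plugin-defined permissions and the single role named on the page (B1, B2).
REMOTE_OBJ_PERMS = {"ReadFileRemote", "UpdateFileRemote", "DeleteFileRemote"}
REPO_OBJ_PERMS = {"ReadFileRepository", "UpdateFileRepository",
                  "DeleteFileRepository", "ModifyFileRepositoryContent"}
ROLES = {"FileGlobalAdmin": {"CreateFileRemote", "CreateFileRepository",
                             *REMOTE_OBJ_PERMS, *REPO_OBJ_PERMS}}
# Model permission that gates creation (B3) and the object permissions the creator receives (E1/E2).
SPEC = {"FileRemote": ("CreateFileRemote", REMOTE_OBJ_PERMS),
        "FileRepository": ("CreateFileRepository", REPO_OBJ_PERMS)}

class Forbidden(PermissionError): pass  # raised where the real viewset would answer HTTP 403

@dataclass
class Principal:                                       # a user or a group (assumed stand-in for Django auth)
    name: str
    groups: set = field(default_factory=set)          # A2: group membership, by group name
    roles: set = field(default_factory=set)           # C5 / C6
    model_perms: set = field(default_factory=set)     # B3, e.g. CreateFileRemote
    object_perms: dict = field(default_factory=dict)  # B4: object -> set of perms on it

@dataclass(frozen=True)
class Obj:                                             # stand-in for a FileRemote / FileRepository row
    kind: str
    name: str

class Store:                                           # in-memory stand-in for Django/guardian lookups
    def __init__(self):
        self.groups = {}    # group name -> Principal
        self.objects = []   # every FileRemote / FileRepository

    def _principals(self, user):
        yield user          # a permission held by the user or by any of its groups counts
        for g in user.groups:
            yield self.groups[g]

    def role_perms(self, user):
        roles = {r for p in self._principals(user) for r in p.roles}
        return set().union(*(ROLES[r] for r in roles))

    def has_perm(self, user, perm, obj=None):
        # obj=None: model permission (B3); else object permission (B4). A role covers either on every object.
        held = (p.model_perms if obj is None else p.object_perms.get(obj, ())
                for p in self._principals(user))
        return perm in self.role_perms(user) or any(perm in h for h in held)

    def grant_object_perms(self, principal, obj, perms):
        principal.object_perms.setdefault(obj, set()).update(perms)

def create(store, user, kind, name):
    # POST to the collection (D1); the creator is then granted the object perms (E1 direct, E2 via group).
    create_perm, obj_perms = SPEC[kind]
    if not store.has_perm(user, create_perm):
        raise Forbidden(f"{create_perm} required")
    obj = Obj(kind, name)
    store.objects.append(obj)
    store.grant_object_perms(user, obj, obj_perms)
    return obj

def list_remotes(store, user):
    # GET on the collection (B5): only the FileRemotes the user may read.
    return [o for o in store.objects
            if o.kind == "FileRemote" and store.has_perm(user, "ReadFileRemote", o)]

def sync_repository(store, user, repo, remote):
    # The sync action (D2): two object permissions on two different objects are both
    # required; FileGlobalAdmin satisfies both through role_perms.
    if not (store.has_perm(user, "ModifyFileRepositoryContent", repo)
            and store.has_perm(user, "ReadFileRemote", remote)):
        raise Forbidden("ModifyFileRepositoryContent on the repository and "
                        "ReadFileRemote on the remote are both required")
    return f"sync {repo.name} from {remote.name}"

def scenario():
    # Administrator configuration (C) followed by the enforcement checks; returns a dict of outcomes.
    store = Store()
    store.groups["creators"] = Principal("creators", model_perms={"CreateFileRemote"})  # C2, C4
    alice = Principal("alice", groups={"creators"})               # C1; creates via group (E2)
    bob = Principal("bob", model_perms={"CreateFileRepository"})  # C1, C3; creates directly (E1)
    admin = Principal("admin", roles={"FileGlobalAdmin"})         # C5
    remote = create(store, alice, "FileRemote", "upstream")
    repo = create(store, bob, "FileRepository", "mirror")
    out = {"alice_sees": [o.name for o in list_remotes(store, alice)],
           "bob_sees": [o.name for o in list_remotes(store, bob)],
           "admin_sees": [o.name for o in list_remotes(store, admin)],
           "admin_sync": sync_repository(store, admin, repo, remote)}
    try:
        out["bob_sync"] = sync_repository(store, bob, repo, remote)
    except Forbidden:
        out["bob_sync"] = "forbidden"                             # bob lacks ReadFileRemote on upstream
    store.grant_object_perms(bob, remote, {"ReadFileRemote"})     # administrator grants it (C3)
    out["bob_sync_after_grant"] = sync_repository(store, bob, repo, remote)
    try:
        create(store, bob, "FileRemote", "other")                 # bob holds no CreateFileRemote
        out["bob_create_remote"] = "allowed"
    except Forbidden:
        out["bob_create_remote"] = "forbidden"
    return out
```

Running `scenario()` shows the behaviours the scope of work asks for: alice, who holds CreateFileRemote only through her group, still receives the three object permissions on the FileRemote she created and is the only non-admin who sees it in the list; bob is refused the sync until an administrator grants him ReadFileRemote on that specific remote, because the action demands two object permissions on two different objects; the FileGlobalAdmin role satisfies every check without any per-object grant. A real implementation would put `has_perm` behind the viewset's permission class and the list filtering into the queryset, and would repeat the same check inside the task (D3), which this in-process model does not cover.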