# RBAC Meeting Minutes - July 2, 2020

###### tags: `RBAC`, `meeting`, `Minutes`

## Agenda

* Architecture Overview
* Quick Tour of pulp_file
* Goal of RBAC: A Highly Customizable Policy
* How to Implement a Policy
* Question: To include in Pulpcore 3.5 or not?
* Currently aimed at pulpcore 3.6 (early Aug)

## Notes

* [Slides](https://hackmd.io/@pulp/SJrjjX8RI#/)
* [django-guardian](https://github.com/django-guardian/django-guardian)
* [drf-access-policy](https://github.com/rsinger86/drf-access-policy)
* django-guardian reuses django model permissions and adds object / instance permissions
* django-admin webUI enabled as part of this (currently)
* drf-access-policy applied / enforced as drf permission_class
* AccessPolicy is list of access control predicates evaluated by the drf-access-policy permission_class
* https://github.com/django-guardian/django-guardian/issues/603
* If multiple rules apply to a given user attempting a given action, if **any** rule's effect is 'deny', the user action is denied

## Action Items/Questions

* Upload: need to add perms to Content/Repository to have 'modify' perms
* break up perms between modify/sync when we do this 'for reals'
* "I want to allow a user to affect Remotes in some namespaces and not others - how would that work?"
* object-level, assigned to specific namespaces
* pulp_container plans/needs to have a Namespace object (that can scope permissions)
* What about a set of "standard" roles provided by Pulp3 for default installations?
* POC policy is in code - needs to be in DB to give control back to pulp-admin
* What debug/audit tooling is available?
* need to experiment w/debug-mode in drf-access-policy
* Pulp needs to add lots of logging
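
The deny-overrides rule from the Notes, combined with the namespace-scoped Remote question from the action items, as an added example that is not Pulp or drf-access-policy code. It is a simplified stand-alone model: the statement keys (`action`, `principal`, `effect`, `condition`) follow drf-access-policy, while the `User` class, the `modify_remote` permission, the group names and the sample policy are constructed assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class User:
    name: str
    groups: set = field(default_factory=set)
    # Constructed stand-in for object-level grants: (permission, namespace)
    object_perms: set = field(default_factory=set)

def has_namespace_perm(user, obj):
    # Hypothetical condition: user holds 'modify_remote' on the object's namespace
    return obj is not None and ("modify_remote", obj["namespace"]) in user.object_perms

CONDITIONS = {"has_namespace_perm": has_namespace_perm}

# Constructed policy for a Remote viewset (statement keys follow drf-access-policy)
REMOTE_POLICY = [
    {"action": ["list", "retrieve"], "principal": ["*"], "effect": "allow"},
    {"action": ["update", "destroy"], "principal": ["group:remote-editors"],
     "effect": "allow", "condition": "has_namespace_perm"},
    {"action": ["destroy"], "principal": ["group:contractors"], "effect": "deny"},
]

def statement_applies(st, user, action, obj):
    # A statement applies when action, principal and optional condition all match
    if action not in st["action"] and "*" not in st["action"]:
        return False
    identities = {"*"} | {f"group:{g}" for g in user.groups}
    if not identities & set(st["principal"]):
        return False
    cond = st.get("condition")
    return cond is None or CONDITIONS[cond](user, obj)

def is_allowed(policy, user, action, obj=None):
    effects = [st["effect"] for st in policy if statement_applies(st, user, action, obj)]
    # Any matching deny wins; with no matching allow the request is also refused
    return "deny" not in effects and "allow" in effects

# Constructed sample users and Remotes
alice = User("alice", {"remote-editors"}, {("modify_remote", "team-a")})
bob = User("bob", {"remote-editors", "contractors"}, {("modify_remote", "team-a")})
remote_a = {"name": "r1", "namespace": "team-a"}
remote_b = {"name": "r2", "namespace": "team-b"}

if __name__ == "__main__":
    for user, action, obj in [(alice, "update", remote_a), (alice, "update", remote_b),
                              (bob, "update", remote_a), (bob, "destroy", remote_a)]:
        print(user.name, action, obj["namespace"], is_allowed(REMOTE_POLICY, user, action, obj))
```

bob's `destroy` is refused even though the `remote-editors` allow statement matches, because the `contractors` deny statement also matches.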