# RBAC Proof of Concept -- Requirements
###### tags: `RBAC`
## Goals
Produce a basic, working example of Role Based Access Control. Although limited in scope, it should include an example of each aspect of RBAC that the final solution will require.
## Aspects to be included
#### Users and Groups Outside of Pulp -- requirement A
1. A user authenticated outside of Pulp
2. A group with a user membership stored outside of Pulp
#### Permissions and Roles Defined by a Plugin -- requirement B
1. At least one plugin-defined permission
2. At least one plugin-defined role
3. At least one "Model Permission" restricting the creation of a model of a certain type
4. At least one "Object Permission" restricting access to a specific instance of a Model
5. At least one list view showing only those objects you can Read
#### Administrator Configuration -- requirement C
1. Administrator creates one or more users
2. Administrator creates one or more groups
3. Administrator assigns a permission to a user
4. Administrator assigns a permission to a group
5. Administrator assigns a role to a user
6. Administrator assigns a role to a group
#### Enforcement Requirements -- requirement D
1. Permissions checked in the viewset
2. Two permissions required in the viewset for one operation
3. Permissions checked in the task
#### Programmatic Permissions Assignment -- requirement E
1. Programmatic addition of a specific permission to a user
2. Programmatic addition of a specific permission to a group
## Scope of Work
#### Users and Groups outside of Pulp
* Pulp configured for external authentication, so the user is authenticated outside of Pulp - A1
* Pulp configured to read group membership from an external source - A2
#### pulp_file Remote Permissions
* CreateFileRemote - Required to create new FileRemotes - B1, B3
* ReadFileRemote - Required to read a specific instance of a FileRemote - B1, B4
* UpdateFileRemote - Required to update a specific instance of a FileRemote - B1, B4
* DeleteFileRemote - Required to delete a specific instance of a FileRemote - B1, B4
#### pulp_file Repository Permissions
* CreateFileRepository - Required to create new FileRepository - B1, B3
* ReadFileRepository - Required to read a specific instance of a FileRepository - B1, B4
* UpdateFileRepository - Required to update a specific instance of a FileRepository - B1, B4
* DeleteFileRepository - Required to delete a specific instance of a FileRepository - B1, B4
* ModifyFileRepositoryContent - Required to create or delete a RepositoryVersion for a specific instance of a FileRepository - B1, B4
#### pulp_file Roles
* FileGlobalAdmin - A role allowing you to perform CRUD on all FileRemotes, all FileRepositories, and create/delete RepositoryVersions for all FileRepositories - B2
#### Remotes Viewset Enforcement
* GET to /pulp/api/v3/remotes/file/file/ - Returns only the FileRemotes on which the user holds ReadFileRemote, or all FileRemotes if the user has the FileGlobalAdmin role - B5
* POST to /pulp/api/v3/remotes/file/file/ - Requires either the CreateFileRemote permission or the FileGlobalAdmin role - D1
* GET to /pulp/api/v3/remotes/file/file/:uuid/ - Requires either ReadFileRemote on that instance or the FileGlobalAdmin role - D1
* PUT/PATCH to /pulp/api/v3/remotes/file/file/:uuid/ - Requires either UpdateFileRemote on that instance or the FileGlobalAdmin role - D1
* DELETE to /pulp/api/v3/remotes/file/file/:uuid/ - Requires either DeleteFileRemote on that instance or the FileGlobalAdmin role - D1
#### Repositories Viewset Enforcement
* GET to /pulp/api/v3/repositories/file/file/ - Returns only the FileRepositories on which the user holds ReadFileRepository, or all FileRepositories if the user has the FileGlobalAdmin role - B5
* POST to /pulp/api/v3/repositories/file/file/ - Requires either the CreateFileRepository permission or the FileGlobalAdmin role - D1
* GET to /pulp/api/v3/repositories/file/file/:uuid/ - Requires either ReadFileRepository on that instance or the FileGlobalAdmin role - D1
* PUT/PATCH to /pulp/api/v3/repositories/file/file/:uuid/ - Requires either UpdateFileRepository on that instance or the FileGlobalAdmin role - D1
* DELETE to /pulp/api/v3/repositories/file/file/:uuid/ - Requires either DeleteFileRepository on that instance or the FileGlobalAdmin role - D1
#### Repository Actions (modify/sync) Enforcement
* POST to /pulp/api/v3/repositories/file/file/:uuid/modify/ - Requires either ModifyFileRepositoryContent on that repository or the FileGlobalAdmin role - D1
* POST to /pulp/api/v3/repositories/file/file/:uuid/sync/ - Requires both ModifyFileRepositoryContent on that repository and ReadFileRemote on the remote being synced from, or the FileGlobalAdmin role - D2
#### Programmatic Permissions Assignment - Remotes
* A user who holds the CreateFileRemote permission directly automatically receives the object-level ReadFileRemote, UpdateFileRemote, and DeleteFileRemote permissions on each FileRemote they create - E1
* A user who holds the CreateFileRemote permission via a group automatically receives the object-level ReadFileRemote, UpdateFileRemote, and DeleteFileRemote permissions on each FileRemote they create - E2
#### Programmatic Permissions Assignment - Repositories
* A user who holds the CreateFileRepository permission directly automatically receives the object-level ReadFileRepository, UpdateFileRepository, DeleteFileRepository, and ModifyFileRepositoryContent permissions on each FileRepository they create - E1
* A user who holds the CreateFileRepository permission via a group automatically receives the object-level ReadFileRepository, UpdateFileRepository, DeleteFileRepository, and ModifyFileRepositoryContent permissions on each FileRepository they create - E2
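The viewset enforcement rules (B5, D1, D2) and the programmatic assignment rules (E1, E2) above can be checked end to end with the following dependency-free model. This is an added example, not Pulp's or pulp_file's code: plain dataclasses stand in for Django users and groups, `ROLES` stands in for the plugin's role definitions, and per-user `object_perms` stands in for object-level permission grants. It assumes that model-level permissions only gate creation, that roles are global (a role containing a permission grants it on every instance), and that object-level grants are made to the creating user regardless of whether the create permission came directly or through a group.

```python
"""Toy evaluator for the pulp_file RBAC PoC rules (added example, not Pulp code).

Assumptions: permission names are the ones used in this document; model-level
permissions gate creation only; roles grant their permissions globally; object
permissions are stored per user, keyed by object id.
"""
from dataclasses import dataclass, field

# Plugin-defined permissions (B1) grouped by what they protect.
REMOTE_OBJECT_PERMS = {"ReadFileRemote", "UpdateFileRemote", "DeleteFileRemote"}
REPO_OBJECT_PERMS = {"ReadFileRepository", "UpdateFileRepository",
                     "DeleteFileRepository", "ModifyFileRepositoryContent"}
CREATE_PERMS = {"remote": ("CreateFileRemote", REMOTE_OBJECT_PERMS),
                "repository": ("CreateFileRepository", REPO_OBJECT_PERMS)}

# Plugin-defined role (B2): FileGlobalAdmin bundles every pulp_file permission.
ROLES = {"FileGlobalAdmin": {"CreateFileRemote", "CreateFileRepository"}
         | REMOTE_OBJECT_PERMS | REPO_OBJECT_PERMS}


@dataclass
class Group:
    name: str
    model_perms: set = field(default_factory=set)  # C4: permission assigned to group
    roles: set = field(default_factory=set)        # C6: role assigned to group


@dataclass
class User:
    name: str
    groups: list = field(default_factory=list)      # membership may come from outside Pulp (A2)
    model_perms: set = field(default_factory=set)   # C3: permission assigned to user
    roles: set = field(default_factory=set)         # C5: role assigned to user
    object_perms: dict = field(default_factory=dict)  # {obj_id: {perm, ...}} (B4)

    def all_roles(self):
        return self.roles.union(*(g.roles for g in self.groups))

    def has_model_perm(self, perm):
        """B3: model permission held directly, via a group, or via a role."""
        if perm in self.model_perms or any(perm in g.model_perms for g in self.groups):
            return True
        return any(perm in ROLES[r] for r in self.all_roles())

    def has_object_perm(self, perm, obj_id):
        """B4: permission on this specific instance, or globally via a role."""
        if perm in self.object_perms.get(obj_id, set()):
            return True
        return any(perm in ROLES[r] for r in self.all_roles())


def can(user, perm, obj_id=None):
    """D1: the single check a viewset runs before one operation."""
    if obj_id is None:
        return user.has_model_perm(perm)
    return user.has_object_perm(perm, obj_id)


def can_sync(user, repo_id, remote_id):
    """D2: sync needs ModifyFileRepositoryContent on the repo AND ReadFileRemote on the remote."""
    return can(user, "ModifyFileRepositoryContent", repo_id) and can(user, "ReadFileRemote", remote_id)


def readable(user, perm, obj_ids):
    """B5: list view returns only the instances the user may read."""
    return [o for o in obj_ids if can(user, perm, o)]


def create(user, kind, obj_id):
    """D1 then E1/E2: check the create permission, then grant the creator object perms."""
    create_perm, obj_perms = CREATE_PERMS[kind]
    if not can(user, create_perm):
        raise PermissionError(f"{user.name} lacks {create_perm}")
    user.object_perms.setdefault(obj_id, set()).update(obj_perms)
    return obj_id


def demo():
    """Constructed users/groups exercising each rule; returns the observed decisions."""
    ops = Group("remote-ops", model_perms={"CreateFileRemote"})   # C2, C4
    alice = User("alice", groups=[ops])                             # create perm only via group (E2)
    bob = User("bob", model_perms={"CreateFileRepository"})         # create perm held directly (E1)
    admin = User("admin", roles={"FileGlobalAdmin"})                # C5
    create(alice, "remote", "remote-1")
    create(bob, "repository", "repo-1")
    return {
        "alice_reads_own_remote": can(alice, "ReadFileRemote", "remote-1"),
        "bob_reads_alice_remote": can(bob, "ReadFileRemote", "remote-1"),
        "bob_can_create_remote": can(bob, "CreateFileRemote"),
        "bob_can_sync": can_sync(bob, "repo-1", "remote-1"),   # has repo perm, lacks remote read
        "admin_can_sync": can_sync(admin, "repo-1", "remote-1"),
        "alice_list": readable(alice, "ReadFileRemote", ["remote-1", "remote-2"]),
        "admin_list": readable(admin, "ReadFileRemote", ["remote-1", "remote-2"]),
    }


if __name__ == "__main__":
    for rule, decision in demo().items():
        print(f"{rule}: {decision}")
```

The two-permission sync check is the one most worth keeping in a test suite: a user who created the repository (and so holds ModifyFileRepositoryContent on it) must still be denied when the remote they name belongs to someone else, otherwise the remote's ReadFileRemote restriction is bypassable through the sync endpoint.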
#### Administrator role/permission Assignment
TBD