RBAC Proof of Concept Requirements

tags: RBAC

Goals

Produce a basic, working example of Role Based Access Control. Although limited in scope, it should include an example of each aspect of RBAC that the final solution will require.

Aspects to be included

Users and Groups Outside of Pulp - requirement A

  1. A user authenticated outside of Pulp
  2. A group with a user membership stored outside of Pulp

Permissions and Roles Defined by a Plugin - requirement B

  1. At least one plugin-defined permission
  2. At least one plugin-defined role
  3. At least one "Model Permission" restricting the creation of a model of a certain type
  4. At least one "Object Permission" restricting access to a specific instance of a Model
  5. At least one list view showing only those objects you can Read

Administrator Configuration - requirement C

  1. Administrator creates one or more users
  2. Administrator creates one or more groups
  3. Administrator assigns a permission to a user
  4. Administrator assigns a permission to a group
  5. Administrator assigns a role to a user
  6. Administrator assigns a role to a group

Enforcement Requirements - requirement D

  1. Permissions checked in the viewset
  2. Two permissions required in the viewset for one operation
  3. Permissions checked in the task

Programmatic Permissions Assignment - requirement E

  1. Programmatic addition of a specific permission to a user
  2. Programmatic addition of a specific permission to a group

Scope of Work

Users and Groups outside of Pulp

  • Pulp configured for external Authorization - A1
  • Pulp configured for external group checking - A2

pulp_file Remote Permissions

  • CreateFileRemote - Required to create new FileRemotes - B1, B3
  • ReadFileRemote - Required to read a specific instance of a FileRemote - B1, B4
  • UpdateFileRemote - Required to update a specific instance of a FileRemote - B1, B4
  • DeleteFileRemote - Required to delete a specific instance of a FileRemote - B1, B4

pulp_file Repository Permissions

  • CreateFileRepository - Required to create new FileRepository - B1, B3
  • ReadFileRepository - Required to read a specific instance of a FileRepository - B1, B4
  • UpdateFileRepository - Required to update a specific instance of a FileRepository - B1, B4
  • DeleteFileRepository - Required to delete a specific instance of a FileRepository - B1, B4
  • ModifyFileRepositoryContent - Required to create or delete a RepositoryVersion for a specific instance of a FileRepository - B1, B4

pulp_file Roles

  • FileGlobalAdmin - A role allowing you to perform CRUD on all FileRemotes, all FileRepositories, and create/delete RepositoryVersions for all FileRepositories - B2

Remotes Viewset Enforcement

  • GET to /pulp/api/v3/remotes/file/file/ - Returns only FileRemotes where the user has ReadFileRemote, or all FileRemotes if the user has the FileGlobalAdmin role - B5
  • POST to /pulp/api/v3/remotes/file/file/ - Requires either the CreateFileRemote permission or the FileGlobalAdmin role - D1
  • GET to /pulp/api/v3/remotes/file/file/:uuid/ - Requires either ReadFileRemote or FileGlobalAdmin role - D1
  • PUT/PATCH to /pulp/api/v3/remotes/file/file/:uuid/ - Requires either UpdateFileRemote or FileGlobalAdmin role - D1
  • DELETE to /pulp/api/v3/remotes/file/file/:uuid/ - Requires either DeleteFileRemote or FileGlobalAdmin role - D1

Repositories Viewset Enforcement

  • GET to /pulp/api/v3/repositories/file/file/ - Returns only FileRepositories where the user has ReadFileRepository, or all FileRepositories if the user has the FileGlobalAdmin role - B5
  • POST to /pulp/api/v3/repositories/file/file/ - Requires either the CreateFileRepository permission or the FileGlobalAdmin role - D1
  • GET to /pulp/api/v3/repositories/file/file/:uuid/ - Requires either ReadFileRepository or FileGlobalAdmin role - D1
  • PUT/PATCH to /pulp/api/v3/repositories/file/file/:uuid/ - Requires either UpdateFileRepository or FileGlobalAdmin role - D1
  • DELETE to /pulp/api/v3/repositories/file/file/:uuid/ - Requires either DeleteFileRepository or FileGlobalAdmin role - D1

Repositories Viewset Enforcement

  • POST to /pulp/api/v3/repositories/file/file/:uuid/modify/ - Requires either ModifyFileRepositoryContent or FileGlobalAdmin role - D1
  • POST to /pulp/api/v3/repositories/file/file/:uuid/sync/ - Requires both ModifyFileRepositoryContent (on the repository) and ReadFileRemote (on the remote being synced from), or the FileGlobalAdmin role - D2

Programmatic Permissions Assignment - Remotes

  • A user holding the CreateFileRemote permission directly automatically receives the ReadFileRemote, UpdateFileRemote, and DeleteFileRemote object permissions for a FileRemote they create - E1
  • A user holding the CreateFileRemote permission via a group automatically receives the ReadFileRemote, UpdateFileRemote, and DeleteFileRemote object permissions for a FileRemote they create - E2

Programmatic Permissions Assignment - Repositories

  • A user holding the CreateFileRepository permission directly automatically receives the ReadFileRepository, UpdateFileRepository, DeleteFileRepository, and ModifyFileRepositoryContent object permissions for a FileRepository they create - E1
  • A user holding the CreateFileRepository permission via a group automatically receives the ReadFileRepository, UpdateFileRepository, DeleteFileRepository, and ModifyFileRepositoryContent object permissions for a FileRepository they create - E2
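The following is an added illustration, not Pulp's code, of the viewset enforcement rules (D1, D2, B5) and the programmatic assignment rules (E1, E2) above, using the permission and role names from this document. Users, groups and the in-memory object-permission store are assumed stand-ins for the Django models the proof of concept would use.

```python
from dataclasses import dataclass, field

GLOBAL_ADMIN = "FileGlobalAdmin"  # role name taken from the requirements above

@dataclass
class Group:
    name: str
    permissions: set = field(default_factory=set)  # model permissions, e.g. "CreateFileRemote"
    roles: set = field(default_factory=set)

@dataclass
class User:
    name: str
    groups: list = field(default_factory=list)
    permissions: set = field(default_factory=set)   # model permissions held directly
    roles: set = field(default_factory=set)
    object_perms: set = field(default_factory=set)  # (permission, object id) pairs

    def has_role(self, role):
        return role in self.roles or any(role in g.roles for g in self.groups)

    def has_model_perm(self, perm):  # held directly (C3) or via a group (C4)
        return perm in self.permissions or any(perm in g.permissions for g in self.groups)

    def has_object_perm(self, perm, obj_id):
        return (perm, obj_id) in self.object_perms

def create_file_remote(user, remote_id):
    """POST to the remotes viewset: CreateFileRemote or FileGlobalAdmin (D1),
    then grant the creator Read/Update/Delete on the new object (E1, E2)."""
    if not (user.has_model_perm("CreateFileRemote") or user.has_role(GLOBAL_ADMIN)):
        raise PermissionError(f"{user.name} may not create FileRemotes")
    for verb in ("Read", "Update", "Delete"):
        user.object_perms.add((f"{verb}FileRemote", remote_id))
    return remote_id

def list_file_remotes(user, all_remote_ids):
    """GET list view: only remotes the user can Read, or all of them for FileGlobalAdmin (B5)."""
    if user.has_role(GLOBAL_ADMIN):
        return list(all_remote_ids)
    return [r for r in all_remote_ids if user.has_object_perm("ReadFileRemote", r)]

def can_sync(user, repo_id, remote_id):
    """POST .../sync/: needs ModifyFileRepositoryContent on the repository AND
    ReadFileRemote on the remote, unless the user holds FileGlobalAdmin (D2)."""
    if user.has_role(GLOBAL_ADMIN):
        return True
    return (user.has_object_perm("ModifyFileRepositoryContent", repo_id)
            and user.has_object_perm("ReadFileRemote", remote_id))
```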

Administrator role/permission Assignment

TBD
