[Pulp-dev] RBAC: Secure by default?

Tanya Tereshchenko ttereshc at redhat.com
Wed Dec 16 19:13:35 UTC 2020


It sounds like a good idea, and an additional +1 that it doesn't break
things.

On Tue, Dec 15, 2020 at 5:57 PM Matthias Dellweg <mdellweg at redhat.com>
wrote:

> In today's pulpcore meeting, we discussed that any endpoint that is not
> aware of RBAC yet will be open to every authenticated user.
>
> The suggestion that was given is that we change that default. So all
> endpoints will raise permission errors unless RBAC opens them up.
> This would not affect any existing installation, where we only allowed the
> use of a single admin user. And by circumventing the permission framework,
> this special user will remain able to talk to all available endpoints
> without restrictions.
> On the other hand, it should smooth out the transition period until we have
> RBAC in all places, since you could start giving permissions to users for
> viewsets that have an access_policy, while not risking giving them access
> to other sensitive parts that don't have it yet.
>
> What do you all think?
>
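
The default change discussed in this thread, modelled as an added example that is not part of the original messages and is not pulpcore's code: a standalone Python sketch of the authorization decision with the old default (open to any authenticated user) and the proposed one (deny unless an access_policy opens the endpoint). The classes, the simplified policy shape (action mapped to one required permission), and the viewset and permission names are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class User:
    name: str
    authenticated: bool = True
    is_admin: bool = False          # the single pre-RBAC admin user
    permissions: set = field(default_factory=set)

@dataclass
class ViewSet:
    name: str
    # None: the endpoint is not RBAC-aware yet (no access_policy).
    # Otherwise: action -> required permission (simplified, assumed shape).
    access_policy: Optional[dict] = None

def is_allowed(user, viewset, action, secure_by_default=True):
    if not user.authenticated:
        return False
    if user.is_admin:
        return True                 # admin circumvents the permission framework
    if viewset.access_policy is None:
        # No RBAC here: the old default opens it, the proposed default closes it.
        return not secure_by_default
    required = viewset.access_policy.get(action)
    # Actions the policy does not mention are denied as well.
    return required is not None and required in user.permissions

def reachable(user, viewsets, action, secure_by_default):
    """Names of the viewsets on which `user` may perform `action`."""
    return [v.name for v in viewsets
            if is_allowed(user, v, action, secure_by_default)]

# Constructed sample data, not real Pulp endpoints or permission names.
VIEWSETS = [
    ViewSet("repositories", {"list": "view_repository", "create": "add_repository"}),
    ViewSet("tasks"),               # not RBAC-aware yet
    ViewSet("signing-services"),    # not RBAC-aware yet
]
ADMIN = User("admin", is_admin=True)
ALICE = User("alice", permissions={"view_repository"})

if __name__ == "__main__":
    for flag in (False, True):
        print("secure_by_default =", flag)
        for u in (ADMIN, ALICE):
            print("  ", u.name, reachable(u, VIEWSETS, "list", flag))
```
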