[Pulp-dev] RBAC Status Thread
Brian Bouterse
bmbouter at redhat.com
Wed Jun 3 21:35:19 UTC 2020
Today I got basic object-level permissions experimentally working with
django-guardian. The current plan is to use a django-guardian to provide
object-level permissions and drf-access-policy to provide the actual
authorization checks in the viewset. Django-guardian could provide the
permission checks in the viewset code itself with decorators, but we
wouldn't be getting the benefits drf-access-policy provides. It's easy to
stitch them together to make something great I think. That's what I'll be
making.
I also talked with @wibbit in the channel yesterday who expressed interest
in testing the pulp_file PoC. They also confirmed it's basic scope would
meet their needs.
Also, I got the non standard CRUD permission for "modify_content" working
for FileRepository using django-guardian.
Lastly I focused on understanding the external users and groups use cases.
Django has nothing built in for this. This article below suggests to have
the webserver do it and send along the group info as headers. There are
third-party libraries ( https://djangopackages.org/grids/g/authentication/
) but those are authN specific, so we need to think carefully about what to
do here.
https://www.adelton.com/django/external-authentication-for-django-projects
On Tue, Jun 2, 2020 at 5:07 PM Brian Bouterse <bmbouter at redhat.com> wrote:
> I've started experimenting with the basic drf-access-policy example and
> django-guardian and adapting it to be a RemoteAccessPolicy
>
>
> https://github.com/pulp/pulp_file/compare/master...bmbouter:rbac-PoC?expand=1
>
> https://github.com/pulp/pulpcore/compare/master...bmbouter:rbac-PoC?expand=1
>
> On Mon, Jun 1, 2020 at 5:30 PM Brian Bouterse <bmbouter at redhat.com> wrote:
>
>> This thread is where progress made on the RBAC design/implementation from
>> anyone can be posted. This is designed to bring both transparency and
>> inclusivity so anyone can get involved on a daily basis.
>>
>> Today I outlined a scope of work document -
>> https://hackmd.io/kZ1oYp8TTkeuC5KL_ffjGQ
>>
>> Next tasks:
>> * test out django-guardian to bring object-level permissions outlined in
>> SoW doc
>> * test out drf-access-policy to allow viewset-level permissions
>> enforcement in SoW
>>
>> Feedback and collaboration is welcome.
>>
>>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/pulp-dev/attachments/20200603/d9bc105d/attachment.htm>
More information about the Pulp-dev
mailing list