[Pulp-dev] RBAC: Secure by default?
Ina Panova
ipanova at redhat.com
Wed Jan 6 13:26:15 UTC 2021
+1 to the change.
--------
Regards,
Ina Panova
Senior Software Engineer| Pulp| Red Hat Inc.
"Do not go where the path may lead,
go instead where there is no path and leave a trail."
On Wed, Dec 16, 2020 at 8:14 PM Tanya Tereshchenko <ttereshc at redhat.com>
wrote:
> It sounds like a good idea, and additional +1 that it doesn't break
> things.
>
> On Tue, Dec 15, 2020 at 5:57 PM Matthias Dellweg <mdellweg at redhat.com>
> wrote:
>
>> In today's pulpcore meeting, we discussed that any endpoint that is not
>> aware of RBAC yet will be open to every authenticated user.
>>
>> The suggestion that was given is that we change that default. So all
>> endpoints will raise permission errors unless RBAC opens them up.
>> This would not affect any existing installation, where we only allowed
>> the use of a single admin user. And by circumventing the permission
>> framework, this special user will remain able to talk to all available
>> endpoints without restrictions.
>> On the other hand, it should smooth out the transition period until we
>> have RBAC in all places, since you could start giving permissions to users
>> for viewsets that have an access_policy, while not risking giving them
>> access to other sensitive parts that don't have it yet.
>>
>> What do you all think?
>> _______________________________________________
>> Pulp-dev mailing list
>> Pulp-dev at redhat.com
>> https://www.redhat.com/mailman/listinfo/pulp-dev
>>
>
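The default discussed in this thread, as an added example that is not part of the original messages and is not pulpcore code: a plain-Python model of an endpoint check that fails closed when a viewset has no access_policy, next to the open default it replaces. Every name except `access_policy` is hypothetical, and the policy shape (action mapped to one required permission) is a simplifying assumption.

```python
# Added illustration, not pulpcore code. Names other than `access_policy` are hypothetical.
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class User:
    name: str
    is_admin: bool = False                      # the single pre-RBAC admin user
    perms: set = field(default_factory=set)

@dataclass
class ViewSet:
    name: str
    # None: the endpoint is not RBAC-aware yet.
    # Otherwise (assumed shape): action -> permission required for it.
    access_policy: Optional[dict] = None

def is_allowed(user, viewset, action, secure_by_default=True):
    """Return True if `user` may perform `action` on `viewset`."""
    if user is None:
        return False                            # unauthenticated: always rejected
    if user.is_admin:
        return True                             # admin circumvents the permission framework
    if viewset.access_policy is None:
        # The default under discussion: closed (proposed) or open (as described in the thread).
        return not secure_by_default
    required = viewset.access_policy.get(action)
    # An action the policy does not mention is denied as well.
    return required is not None and required in user.perms

def audit(users, viewsets, action, secure_by_default):
    """List (user, viewset) pairs that are granted access under the chosen default."""
    return sorted(
        (u.name, v.name)
        for u in users for v in viewsets
        if is_allowed(u, v, action, secure_by_default)
    )

# Constructed sample data.
ADMIN = User("admin", is_admin=True)
ALICE = User("alice", perms={"file.view_repository"})
REPOS = ViewSet("repositories", {"list": "file.view_repository"})
LEGACY = ViewSet("legacy-endpoint")             # no access_policy yet

if __name__ == "__main__":
    for flag in (False, True):
        print("secure_by_default =", flag, audit([ADMIN, ALICE], [REPOS, LEGACY], "list", flag))
```

Running `audit` with both defaults over a real list of endpoints is a quick way to see which non-admin grants disappear when the default flips.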