[Pulp-dev] RBAC: Secure by default?

Daniel Alley dalley at redhat.com
Wed Jan 6 15:10:38 UTC 2021


+1

What happens if a new account is created on an existing Pulp installation
(if that is possible)? Would it then start following the deny-by-default
pattern?

On Wed, Jan 6, 2021 at 8:57 AM David Davis <daviddavis at redhat.com> wrote:

> +1 from me.
>
> David
>
>
> On Wed, Jan 6, 2021 at 8:28 AM Ina Panova <ipanova at redhat.com> wrote:
>
>> +1 to the change.
>>
>>
>> --------
>> Regards,
>>
>> Ina Panova
>> Senior Software Engineer| Pulp| Red Hat Inc.
>>
>> "Do not go where the path may lead,
>>  go instead where there is no path and leave a trail."
>>
>>
>> On Wed, Dec 16, 2020 at 8:14 PM Tanya Tereshchenko <ttereshc at redhat.com>
>> wrote:
>>
>>> It sounds like a good idea, and an additional +1 that it doesn't break
>>> things.
>>>
>>> On Tue, Dec 15, 2020 at 5:57 PM Matthias Dellweg <mdellweg at redhat.com>
>>> wrote:
>>>
>>>> In today's pulpcore meeting, we discussed that any endpoint that is not
>>>> aware of RBAC yet will be open to every authenticated user.
>>>>
>>>> The suggestion that was given is that we change that default, so all
>>>> endpoints will raise permission errors unless RBAC opens them up.
>>>> This would not affect any existing installation, where we only allowed
>>>> the use of a single admin user. And by circumventing the permission
>>>> framework, this special user will remain able to talk to all available
>>>> endpoints without restrictions.
>>>> On the other hand, it should smooth out the transition period until we
>>>> have RBAC in all places, since you could start giving permissions to users
>>>> for viewsets that have an access_policy without risking giving them
>>>> access to other sensitive parts that don't have it yet.
>>>>
>>>> What do you all think?
>>>> _______________________________________________
>>>> Pulp-dev mailing list
>>>> Pulp-dev at redhat.com
>>>> https://www.redhat.com/mailman/listinfo/pulp-dev
>>>>
>
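
The default change discussed in this thread, as an added example that is not part of the original messages and is not Pulp's code: a standalone model comparing "open to every authenticated user" with "deny unless an access_policy opens it up". The User and ViewSet classes, the is_admin flag, the permission names and the endpoint names are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class User:
    name: str
    is_authenticated: bool = True
    is_admin: bool = False            # models the single admin user (assumption)
    permissions: frozenset = frozenset()

@dataclass
class ViewSet:
    name: str
    # Maps action -> required permission; None means "not RBAC-aware yet".
    access_policy: Optional[dict] = None

def _check(user, viewset, action, allow_without_policy):
    if not user.is_authenticated:
        return False
    if user.is_admin:                 # admin circumvents the permission framework
        return True
    if viewset.access_policy is None:
        return allow_without_policy   # the one default the thread proposes to flip
    required = viewset.access_policy.get(action)
    # An action the policy does not mention is denied as well.
    return required is not None and required in user.permissions

def open_by_default(user, viewset, action):
    """Old default: an endpoint without a policy is open to any authenticated user."""
    return _check(user, viewset, action, allow_without_policy=True)

def deny_by_default(user, viewset, action):
    """Proposed default: an endpoint without a policy raises a permission error."""
    return _check(user, viewset, action, allow_without_policy=False)

# Constructed sample data (hypothetical names).
ADMIN = User("admin", is_admin=True)
ALICE = User("alice", permissions=frozenset({"view_repo"}))
REPOS = ViewSet("repositories", {"list": "view_repo", "delete": "delete_repo"})
LEGACY = ViewSet("legacy-endpoint")   # no access_policy yet

def changed_decisions():
    """Return the (user, endpoint, action) triples whose outcome the change alters."""
    cases = [(u, v, a) for u in (ADMIN, ALICE)
             for v in (REPOS, LEGACY) for a in ("list", "delete")]
    return sorted((u.name, v.name, a) for u, v, a in cases
                  if open_by_default(u, v, a) != deny_by_default(u, v, a))

if __name__ == "__main__":
    for row in changed_decisions():
        print("now denied:", row)
```

Only the non-admin user's requests to the endpoint without a policy change outcome; the admin and the policy-covered endpoint behave the same under both defaults.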