Pulp is changing the way that RBAC works: https://discourse.pulpproject.org/t/roles-in-pulpcore/148. In summary, we’re moving from assigning permissions directly to users and groups and instead grouping permissions into roles and assigning the roles to groups and users. See the attached diagram for an overview of how permission checking will work. (NOTE cloud and platform RBAC are out of scope for this issue. They are included in the diagram to demonstrate how they can be integrated into the existing Pulp RBAC framework.)
To complete this migration, we have to solve the following problems:
API
- Django Guardian has to be completely removed from our dependency chain and replaced with Pulp's internal methods for assigning and managing roles. (AAH-1093)
- Existing permission grants need to be migrated to roles. (AAH-1128)
- We need to define the set of system roles that will ship by default with Hub. (AAH-1092)
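The model described above (permissions grouped into roles, roles assigned globally or on one object to users and groups, a check that walks user to groups to roles) together with the grant-to-role migration item, as an added Python sketch that is not Pulp's or Hub's code; the role names, permission codenames, principal naming and the migration rule (reuse an exactly matching role, otherwise create a custom role) are all assumptions for illustration.

```python
from collections import defaultdict

# Constructed example roles (not Hub's real default role list): role -> permission codenames.
SYSTEM_ROLES = {
    "galaxy.namespace_owner": {"view_namespace", "change_namespace", "upload_to_namespace"},
    "galaxy.collection_viewer": {"view_collection"},
}


class RoleRbac:
    """Principals ("user:..." / "group:...") get roles, globally (obj=None) or on one object."""

    def __init__(self, roles):
        self.roles = dict(roles)
        self.memberships = defaultdict(set)   # user principal -> group principals
        self.assignments = defaultdict(list)  # principal -> [(role, obj)]

    def add_to_group(self, user, group):
        self.memberships[user].add(group)

    def add_role(self, name, perms):
        self.roles[name] = set(perms)

    def assign(self, principal, role, obj=None):
        # Only roles can be assigned; there is no direct per-permission grant any more.
        if role not in self.roles:
            raise ValueError(f"unknown role: {role}")
        self.assignments[principal].append((role, obj))

    def has_perm(self, user, perm, obj=None):
        for principal in (user, *self.memberships[user]):
            for role, scope in self.assignments[principal]:
                # A global assignment covers every object; an object-scoped one only that object.
                if perm in self.roles[role] and scope in (None, obj):
                    return True
        return False


def migrate_direct_grants(rbac, grants):
    """Turn legacy direct grants [(principal, obj, {perms})] into role assignments.
    Assumed rule: reuse a role whose permission set matches exactly, else create a custom role."""
    for principal, obj, perms in grants:
        perms = set(perms)
        role = next((name for name, p in rbac.roles.items() if p == perms), None)
        if role is None:
            role = "custom." + "_".join(sorted(perms))
            rbac.add_role(role, perms)
        rbac.assign(principal, role, obj)
```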
UI
- Update the UI for assigning object permissions (AAH-1129)
- Update the UI for assigning global permissions (AAH-1130)
- Create a UI for creating and managing custom roles (AAH-1131)
Notes
- Per David: We need to create a proof of concept that will be the minimum we need to validate that the changes they (Brian B's team) are making work. Per Brian B slack: "for 3.17 to ship on the 16th we need the PoC to be done by nov 10th or 11th I think. given there are other tickets in front of it, and that you'll have to learn about the RBAC as you go I'm worried. I'm trying to raise concerns now before we get to the deadline and have a problem"
- We'll need to work with UX, Docs, QE to ensure that all feature level work is identified and completed to ensure it's ready for delivery in 4.5 / 2.2 release in May/Jun 2022.
- A subset of what dnewswan has in mind for the scope of this work: https://hackmd.io/-BI_MqAQR_6XkaikoN6r8w#RBAC-Roles-in-Galaxy-NG
- David can point QE to the pulp PR that has API info for testing
- Risk of redundancy is low. The one area that may become redundant once we adopt cloud or central auth RBAC is the UI work for setting permissions, but we'll need that anyway for people who don't have central or cloud RBAC.
This is a technical debt/pulp dependency priority for 2.2 / 4.5 with 2 phases of development: a proof of concept to validate the changes pulp has made, and then a more fully working feature w/ UI changes, etc.
This is separate from Cloud RBAC and Central Auth RBAC, which Hub doesn't currently integrate with (and has not yet committed to).
Definition of Done
- CI is running, tests are automated and merged and successful
- DEV upstream code & tests merged
- DEV upstream documentation merged, see AAH-1802
- DEV downstream build attached to advisory
- QE - Test plans documented and attached to epic (or link to source), see AAH-1244
- QE - automated tests merged and passing
- Docs - Downstream documentation is merged, see AAP-1649
- PM/Leads - all acceptance criteria are met
Acceptance Criteria
TBD - QE will work with engineering to define these more clearly, possibly based on the outcome of the proof of concept. We'll need UI specs at some point, and a clear list of roles and capabilities.
- is documented by: AAH-1802 write upstream docs for RBAC refactor work (Closed)
- relates to: AAH-1579 User can't be added to group (Closed); AAH-1580 Newly added roles are not listed in groups (Closed)
- split to: AAH-1733 After clicking a group in namespace owners tab there's no button to go back to groups (Closed)