Critical Pulp is changing the way that RBAC works: https://discourse.pulpproject.org/t/roles-in-pulpcore/148. In summary, weโre moving from assigning permissions directly to users and groups and instead grouping permissions into roles and assigning the roles to groups and users. See the attached diagram for an overview of how permission checking will work. (NOTE cloud and platform RBAC are out of scope for this issue. They are included in the diagram to demonstrate how they can be integrated into the existing Pulp RBAC framework.)
To complete this migration, we have to solve the following problems:
API
- Django Guardian has to be completely removed from our dependency chain and replaced with Pulp's internal methods for assigning and managing roles. (
AAH-1093) - Existing permission grants need to be migrated to roles. (
AAH-1128) - We need to define the set of system roles that will ship by default with Hub. (
AAH-1092)
UI
- Update the UI for assigning object permissions (
AAH-1129) - Update UI for assigning global permissions (
AAH-1130) - Create UI for creating and managing custom roles (
AAH-1131)
Notes
- Per David: We need to create a proof of concept that will be the minimum we need to validate that the changes they (Brian B's team) are making work. Per Brian B slack: "for 3.17 to ship on the 16th we need the PoC to be done by nov 10th or 11th I think. given there are other tickets in front of it, and that you'll have to learn about the RBAC as you go I'm worried. I'm trying to raise concerns now before we get to the deadline and have a problem"
- We'll need to work with UX, Docs, QE to ensure that all feature level work is identified and completed to ensure it's ready for delivery in 4.5 / 2.2 release in May/Jun 2022.
- A subset of what dnewswan has in mind for the scope of this work: https://hackmd.io/-BI_MqAQR_6XkaikoN6r8w#RBAC-Roles-in-Galaxy-NG
- David can point QE to the pulp PR that has API info for testing
- Risk of redundancy: is low, the areas where some of this may be redundant (once we adopt cloud or central auth RBAC) is the UI work for setting permissions, but we'll need that anyway for ppl who don't have central or cloud RBAC.
This is a technical debt/pulp dependency priority for 2.2 / 4.5 with 2 phases of development: a proof of concept to validate the changes pulp has made, and then a more fully working feature w/ UI changes, etc.
This is separate from Cloud RBAC and Central Auth RBAC, which Hub doesn't currently integrate with (and has not yet committed to).
Definition of Done
- CI is running, tests are automated and merged and successful
- DEV upstream code & tests merged
- DEV upstream documentation merged see
AAH-1802 - DEV downstream build attached to advisory
- QE - Test plans documented and attached to epic (or link to source), see
AAH-1244 - QE - automated tests merged and passing
- Docs - Downstream documentation is merged, see AAP-1649
- PM/Leads - all acceptance criteria are met
Acceptance Criteria
TBD - QE will work with engineering to more clearly define, maybe based on outcome of Proof of concept. We'll need UI specs at some point. and a clear list of roles and capabilities.
- is documented by
-
AAH-1802 write upstream docs for RBAC refactor work
-
- Closed
-
- relates to
-
AAH-1579 User can't be added to group
-
- Closed
-
-
-
- Closed
-
- split to
-
-
- Closed
-
[AAH-957] Adopt new pulp RBAC system
| Priority | Original: Medium [ 10000 ] | New: Critical [ 2 ] |
| Status | Original: To Do [ 10020 ] | New: Backlog [ 10824 ] |
| Assignee | New: Brian McLaughlin [ bmclaugh@redhat.com ] |
Chris Houseknecht (Inactive)
made changes -
| Summary | Original: Adopt new pulp RBAC sytem | New: Adopt new pulp RBAC system |
| Description | Original: Pulp is changing how RBAC works and we have to adopt the new system: https://discourse.pulpproject.org/t/roles-in-pulpcore/148 |
New:
Pulp is changing how RBAC works and we have to adopt the new system: [https://discourse.pulpproject.org/t/roles-in-pulpcore/148]
We need to create a proof of concept ( |
| Description |
Original:
Pulp is changing how RBAC works and we have to adopt the new system: [https://discourse.pulpproject.org/t/roles-in-pulpcore/148]
We need to create a proof of concept ( |
New:
Pulp is changing how RBAC works and we have to adopt the new system: [https://discourse.pulpproject.org/t/roles-in-pulpcore/148]
We need to create a proof of concept (https://issues.redhat.com/browse/AAH-1083) that will be the minimum we need to validate that the changes they (Brian B's team) are making work. Per slack: "for 3.17 to ship on the 16th we need the PoC to be done by nov 10th or 11th I think. given there are other tickets in front of it, and that you'll have to learn about the RBAC as you go I'm worried. I'm trying to raise concerns now before we get to the deadline and have a problem" After we have the proof of concept completed and validated, we'll want to work with UX, Docs, QE to ensure that all feature level work is identified and completed to ensure it's ready for delivery in 4.5 / 2.2 release in May/Jun 2022. |
| Description |
Original:
Pulp is changing how RBAC works and we have to adopt the new system: [https://discourse.pulpproject.org/t/roles-in-pulpcore/148]
We need to create a proof of concept (https://issues.redhat.com/browse/AAH-1083) that will be the minimum we need to validate that the changes they (Brian B's team) are making work. Per slack: "for 3.17 to ship on the 16th we need the PoC to be done by nov 10th or 11th I think. given there are other tickets in front of it, and that you'll have to learn about the RBAC as you go I'm worried. I'm trying to raise concerns now before we get to the deadline and have a problem" After we have the proof of concept completed and validated, we'll want to work with UX, Docs, QE to ensure that all feature level work is identified and completed to ensure it's ready for delivery in 4.5 / 2.2 release in May/Jun 2022. |
New:
Pulp is changing how RBAC works and we have to adopt the new system: [https://discourse.pulpproject.org/t/roles-in-pulpcore/148]
We need to create a proof of concept (https://issues.redhat.com/browse/AAH-1083) that will be the minimum we need to validate that the changes they (Brian B's team) are making work. Per slack: "for 3.17 to ship on the 16th we need the PoC to be done by nov 10th or 11th I think. given there are other tickets in front of it, and that you'll have to learn about the RBAC as you go I'm worried. I'm trying to raise concerns now before we get to the deadline and have a problem" After we have the proof of concept completed and validated, we'll want to work with UX, Docs, QE to ensure that all feature level work is identified and completed to ensure it's ready for delivery in 4.5 / 2.2 release in May/Jun 2022. Acceptance Criteria: Verify that the roles defined in the system exist in the database after a migration is run and that they are marked as "locked" and have the correct permissions. |
| Description |
Original:
Pulp is changing how RBAC works and we have to adopt the new system: [https://discourse.pulpproject.org/t/roles-in-pulpcore/148]
We need to create a proof of concept (https://issues.redhat.com/browse/AAH-1083) that will be the minimum we need to validate that the changes they (Brian B's team) are making work. Per slack: "for 3.17 to ship on the 16th we need the PoC to be done by nov 10th or 11th I think. given there are other tickets in front of it, and that you'll have to learn about the RBAC as you go I'm worried. I'm trying to raise concerns now before we get to the deadline and have a problem" After we have the proof of concept completed and validated, we'll want to work with UX, Docs, QE to ensure that all feature level work is identified and completed to ensure it's ready for delivery in 4.5 / 2.2 release in May/Jun 2022. Acceptance Criteria: Verify that the roles defined in the system exist in the database after a migration is run and that they are marked as "locked" and have the correct permissions. |
New:
Pulp is changing how RBAC works and we have to adopt the new system: [https://discourse.pulpproject.org/t/roles-in-pulpcore/148]
We need to create a proof of concept (https://issues.redhat.com/browse/AAH-1083) that will be the minimum we need to validate that the changes they (Brian B's team) are making work. Per slack: "for 3.17 to ship on the 16th we need the PoC to be done by nov 10th or 11th I think. given there are other tickets in front of it, and that you'll have to learn about the RBAC as you go I'm worried. I'm trying to raise concerns now before we get to the deadline and have a problem" After we have the proof of concept completed and validated, we'll want to work with UX, Docs, QE to ensure that all feature level work is identified and completed to ensure it's ready for delivery in 4.5 / 2.2 release in May/Jun 2022. |
| Description |
Original:
Pulp is changing how RBAC works and we have to adopt the new system: [https://discourse.pulpproject.org/t/roles-in-pulpcore/148]
We need to create a proof of concept (https://issues.redhat.com/browse/AAH-1083) that will be the minimum we need to validate that the changes they (Brian B's team) are making work. Per slack: "for 3.17 to ship on the 16th we need the PoC to be done by nov 10th or 11th I think. given there are other tickets in front of it, and that you'll have to learn about the RBAC as you go I'm worried. I'm trying to raise concerns now before we get to the deadline and have a problem" After we have the proof of concept completed and validated, we'll want to work with UX, Docs, QE to ensure that all feature level work is identified and completed to ensure it's ready for delivery in 4.5 / 2.2 release in May/Jun 2022. |
New:
Pulp is changing how RBAC works and we have to adopt the new system: [https://discourse.pulpproject.org/t/roles-in-pulpcore/148]
Notes: * Per David: We need to create a proof of concept that will be the minimum we need to validate that the changes they (Brian B's team) are making work. Per Brian B slack: "for 3.17 to ship on the 16th we need the PoC to be done by nov 10th or 11th I think. given there are other tickets in front of it, and that you'll have to learn about the RBAC as you go I'm worried. I'm trying to raise concerns now before we get to the deadline and have a problem" * We'll need to work with UX, Docs, QE to ensure that all feature level work is identified and completed to ensure it's ready for delivery in 4.5 / 2.2 release in May/Jun 2022. Acceptance Criteria: TBD - more clear requirements so QE can scope testing needed |
| Description |
Original:
Pulp is changing how RBAC works and we have to adopt the new system: [https://discourse.pulpproject.org/t/roles-in-pulpcore/148]
Notes: * Per David: We need to create a proof of concept that will be the minimum we need to validate that the changes they (Brian B's team) are making work. Per Brian B slack: "for 3.17 to ship on the 16th we need the PoC to be done by nov 10th or 11th I think. given there are other tickets in front of it, and that you'll have to learn about the RBAC as you go I'm worried. I'm trying to raise concerns now before we get to the deadline and have a problem" * We'll need to work with UX, Docs, QE to ensure that all feature level work is identified and completed to ensure it's ready for delivery in 4.5 / 2.2 release in May/Jun 2022. Acceptance Criteria: TBD - more clear requirements so QE can scope testing needed |
New:
Pulp is changing how RBAC works and we have to adopt the new system: [https://discourse.pulpproject.org/t/roles-in-pulpcore/148]
Notes: * Per David: We need to create a proof of concept that will be the minimum we need to validate that the changes they (Brian B's team) are making work. Per Brian B slack: "for 3.17 to ship on the 16th we need the PoC to be done by nov 10th or 11th I think. given there are other tickets in front of it, and that you'll have to learn about the RBAC as you go I'm worried. I'm trying to raise concerns now before we get to the deadline and have a problem" * We'll need to work with UX, Docs, QE to ensure that all feature level work is identified and completed to ensure it's ready for delivery in 4.5 / 2.2 release in May/Jun 2022. * A subset of what [~dnewswan] has in mind for the scope of this work: [https://hackmd.io/-BI_MqAQR_6XkaikoN6r8w#RBAC-Roles-in-Galaxy-NG] Acceptance Criteria: TBD - more clear requirements so QE can scope testing needed |
| Status | Original: Backlog [ 10824 ] | New: In Progress [ 10018 ] |
| Description |
Original:
Pulp is changing how RBAC works and we have to adopt the new system: [https://discourse.pulpproject.org/t/roles-in-pulpcore/148]
Notes: * Per David: We need to create a proof of concept that will be the minimum we need to validate that the changes they (Brian B's team) are making work. Per Brian B slack: "for 3.17 to ship on the 16th we need the PoC to be done by nov 10th or 11th I think. given there are other tickets in front of it, and that you'll have to learn about the RBAC as you go I'm worried. I'm trying to raise concerns now before we get to the deadline and have a problem" * We'll need to work with UX, Docs, QE to ensure that all feature level work is identified and completed to ensure it's ready for delivery in 4.5 / 2.2 release in May/Jun 2022. * A subset of what [~dnewswan] has in mind for the scope of this work: [https://hackmd.io/-BI_MqAQR_6XkaikoN6r8w#RBAC-Roles-in-Galaxy-NG] Acceptance Criteria: TBD - more clear requirements so QE can scope testing needed |
New:
We use Pulp's internal RBAC system. Pulp is changing how RBAC works and we have to adopt the new system: [https://discourse.pulpproject.org/t/roles-in-pulpcore/148 |https://discourse.pulpproject.org/t/roles-in-pulpcore/148]
The big change we are making is the RBAC system in pulp requires you to directly assign individual permissions to users and groups (e.g. delete container, update container, etc). This is cumbersome as you have to create your own permissions matrix. This refactor introduces roles into the equation. We'll create roles that are groups of permissions (e.g. container administrator) and then CRUD operations. instead of assigning the individual permissions you assign the container admin role to that group. This is a technical debt/pulp dependency priority for 2.2 / 4.5 with 2 phases of development: a proof of concept to validate the changes pulp has made, and then a more fully working feature w/ UI changes, etc. This is separate from Cloud RBAC and Central Auth RBAC, which Hub doesn't currently integrate with (and has not yet committed to). Notes: * Per David: We need to create a proof of concept that will be the minimum we need to validate that the changes they (Brian B's team) are making work. Per Brian B slack: "for 3.17 to ship on the 16th we need the PoC to be done by nov 10th or 11th I think. given there are other tickets in front of it, and that you'll have to learn about the RBAC as you go I'm worried. I'm trying to raise concerns now before we get to the deadline and have a problem" * We'll need to work with UX, Docs, QE to ensure that all feature level work is identified and completed to ensure it's ready for delivery in 4.5 / 2.2 release in May/Jun 2022. * A subset of what [~dnewswan] has in mind for the scope of this work: [https://hackmd.io/-BI_MqAQR_6XkaikoN6r8w#RBAC-Roles-in-Galaxy-NG] * David can point QE to the pulp PR that has API info for testing * Risk of redundancy: is low, the areas where some of this may be redundant (once we adopt cloud or central auth RBAC) is the UI work for setting permissions, but we'll need that anyway for ppl who don't have central or cloud RBAC. Acceptance Criteria: TBD - QE to define |
| Description |
Original:
We use Pulp's internal RBAC system. Pulp is changing how RBAC works and we have to adopt the new system: [https://discourse.pulpproject.org/t/roles-in-pulpcore/148 |https://discourse.pulpproject.org/t/roles-in-pulpcore/148]
The big change we are making is the RBAC system in pulp requires you to directly assign individual permissions to users and groups (e.g. delete container, update container, etc). This is cumbersome as you have to create your own permissions matrix. This refactor introduces roles into the equation. We'll create roles that are groups of permissions (e.g. container administrator) and then CRUD operations. instead of assigning the individual permissions you assign the container admin role to that group. This is a technical debt/pulp dependency priority for 2.2 / 4.5 with 2 phases of development: a proof of concept to validate the changes pulp has made, and then a more fully working feature w/ UI changes, etc. This is separate from Cloud RBAC and Central Auth RBAC, which Hub doesn't currently integrate with (and has not yet committed to). Notes: * Per David: We need to create a proof of concept that will be the minimum we need to validate that the changes they (Brian B's team) are making work. Per Brian B slack: "for 3.17 to ship on the 16th we need the PoC to be done by nov 10th or 11th I think. given there are other tickets in front of it, and that you'll have to learn about the RBAC as you go I'm worried. I'm trying to raise concerns now before we get to the deadline and have a problem" * We'll need to work with UX, Docs, QE to ensure that all feature level work is identified and completed to ensure it's ready for delivery in 4.5 / 2.2 release in May/Jun 2022. * A subset of what [~dnewswan] has in mind for the scope of this work: [https://hackmd.io/-BI_MqAQR_6XkaikoN6r8w#RBAC-Roles-in-Galaxy-NG] * David can point QE to the pulp PR that has API info for testing * Risk of redundancy: is low, the areas where some of this may be redundant (once we adopt cloud or central auth RBAC) is the UI work for setting permissions, but we'll need that anyway for ppl who don't have central or cloud RBAC. Acceptance Criteria: TBD - QE to define |
New:
We use Pulp's internal RBAC system. Pulp is changing how RBAC works and we have to adopt the new system: [https://discourse.pulpproject.org/t/roles-in-pulpcore/148 |https://discourse.pulpproject.org/t/roles-in-pulpcore/148]
The big change we are making is the RBAC system in pulp requires you to directly assign individual permissions to users and groups (e.g. delete container, update container, etc). This is cumbersome as you have to create your own permissions matrix. This refactor introduces roles into the equation. We'll create roles that are groups of permissions (e.g. container administrator) and then CRUD operation permissions. instead of assigning the individual permissions you assign the container admin role to that group. This is a technical debt/pulp dependency priority for 2.2 / 4.5 with 2 phases of development: a proof of concept to validate the changes pulp has made, and then a more fully working feature w/ UI changes, etc. This is separate from Cloud RBAC and Central Auth RBAC, which Hub doesn't currently integrate with (and has not yet committed to). Notes: * Per David: We need to create a proof of concept that will be the minimum we need to validate that the changes they (Brian B's team) are making work. Per Brian B slack: "for 3.17 to ship on the 16th we need the PoC to be done by nov 10th or 11th I think. given there are other tickets in front of it, and that you'll have to learn about the RBAC as you go I'm worried. I'm trying to raise concerns now before we get to the deadline and have a problem" * We'll need to work with UX, Docs, QE to ensure that all feature level work is identified and completed to ensure it's ready for delivery in 4.5 / 2.2 release in May/Jun 2022. * A subset of what [~dnewswan] has in mind for the scope of this work: [https://hackmd.io/-BI_MqAQR_6XkaikoN6r8w#RBAC-Roles-in-Galaxy-NG] * David can point QE to the pulp PR that has API info for testing * Risk of redundancy: is low, the areas where some of this may be redundant (once we adopt cloud or central auth RBAC) is the UI work for setting permissions, but we'll need that anyway for ppl who don't have central or cloud RBAC. Acceptance Criteria: TBD - QE to define |
| Description |
Original:
We use Pulp's internal RBAC system. Pulp is changing how RBAC works and we have to adopt the new system: [https://discourse.pulpproject.org/t/roles-in-pulpcore/148 |https://discourse.pulpproject.org/t/roles-in-pulpcore/148]
The big change we are making is the RBAC system in pulp requires you to directly assign individual permissions to users and groups (e.g. delete container, update container, etc). This is cumbersome as you have to create your own permissions matrix. This refactor introduces roles into the equation. We'll create roles that are groups of permissions (e.g. container administrator) and then CRUD operation permissions. instead of assigning the individual permissions you assign the container admin role to that group. This is a technical debt/pulp dependency priority for 2.2 / 4.5 with 2 phases of development: a proof of concept to validate the changes pulp has made, and then a more fully working feature w/ UI changes, etc. This is separate from Cloud RBAC and Central Auth RBAC, which Hub doesn't currently integrate with (and has not yet committed to). Notes: * Per David: We need to create a proof of concept that will be the minimum we need to validate that the changes they (Brian B's team) are making work. Per Brian B slack: "for 3.17 to ship on the 16th we need the PoC to be done by nov 10th or 11th I think. given there are other tickets in front of it, and that you'll have to learn about the RBAC as you go I'm worried. I'm trying to raise concerns now before we get to the deadline and have a problem" * We'll need to work with UX, Docs, QE to ensure that all feature level work is identified and completed to ensure it's ready for delivery in 4.5 / 2.2 release in May/Jun 2022. * A subset of what [~dnewswan] has in mind for the scope of this work: [https://hackmd.io/-BI_MqAQR_6XkaikoN6r8w#RBAC-Roles-in-Galaxy-NG] * David can point QE to the pulp PR that has API info for testing * Risk of redundancy: is low, the areas where some of this may be redundant (once we adopt cloud or central auth RBAC) is the UI work for setting permissions, but we'll need that anyway for ppl who don't have central or cloud RBAC. Acceptance Criteria: TBD - QE to define |
New:
We use Pulp's internal RBAC system. Pulp is changing how RBAC works and we have to adopt the new system: [https://discourse.pulpproject.org/t/roles-in-pulpcore/148 |https://discourse.pulpproject.org/t/roles-in-pulpcore/148]
The big change we are making is the RBAC system in pulp requires you to directly assign individual permissions to users and groups (e.g. delete container, update container, etc). This is cumbersome as you have to create your own permissions matrix. This refactor introduces roles into the equation. We'll create roles that are groups of permissions (e.g. container administrator) and then CRUD operation permissions. instead of assigning the individual permissions you assign the container admin role to that group. This is a technical debt/pulp dependency priority for 2.2 / 4.5 with 2 phases of development: a proof of concept to validate the changes pulp has made, and then a more fully working feature w/ UI changes, etc. This is separate from Cloud RBAC and Central Auth RBAC, which Hub doesn't currently integrate with (and has not yet committed to). Notes: * Per David: We need to create a proof of concept that will be the minimum we need to validate that the changes they (Brian B's team) are making work. Per Brian B slack: "for 3.17 to ship on the 16th we need the PoC to be done by nov 10th or 11th I think. given there are other tickets in front of it, and that you'll have to learn about the RBAC as you go I'm worried. I'm trying to raise concerns now before we get to the deadline and have a problem" * We'll need to work with UX, Docs, QE to ensure that all feature level work is identified and completed to ensure it's ready for delivery in 4.5 / 2.2 release in May/Jun 2022. * A subset of what [~dnewswan] has in mind for the scope of this work: [https://hackmd.io/-BI_MqAQR_6XkaikoN6r8w#RBAC-Roles-in-Galaxy-NG] * David can point QE to the pulp PR that has API info for testing * Risk of redundancy: is low, the areas where some of this may be redundant (once we adopt cloud or central auth RBAC) is the UI work for setting permissions, but we'll need that anyway for ppl who don't have central or cloud RBAC. Acceptance Criteria: TBD - QE will work with engineering to more clearly define, maybe based on outcome of Proof of concept. We'll need UI specs at some point. and a clear list of roles and capabilities. |
| Attachment | New: Automation Hub RBAC.jpg [ 12662705 ] |
| Description |
Original:
We use Pulp's internal RBAC system. Pulp is changing how RBAC works and we have to adopt the new system: [https://discourse.pulpproject.org/t/roles-in-pulpcore/148 |https://discourse.pulpproject.org/t/roles-in-pulpcore/148]
The big change we are making is the RBAC system in pulp requires you to directly assign individual permissions to users and groups (e.g. delete container, update container, etc). This is cumbersome as you have to create your own permissions matrix. This refactor introduces roles into the equation. We'll create roles that are groups of permissions (e.g. container administrator) and then CRUD operation permissions. instead of assigning the individual permissions you assign the container admin role to that group. This is a technical debt/pulp dependency priority for 2.2 / 4.5 with 2 phases of development: a proof of concept to validate the changes pulp has made, and then a more fully working feature w/ UI changes, etc. This is separate from Cloud RBAC and Central Auth RBAC, which Hub doesn't currently integrate with (and has not yet committed to). Notes: * Per David: We need to create a proof of concept that will be the minimum we need to validate that the changes they (Brian B's team) are making work. Per Brian B slack: "for 3.17 to ship on the 16th we need the PoC to be done by nov 10th or 11th I think. given there are other tickets in front of it, and that you'll have to learn about the RBAC as you go I'm worried. I'm trying to raise concerns now before we get to the deadline and have a problem" * We'll need to work with UX, Docs, QE to ensure that all feature level work is identified and completed to ensure it's ready for delivery in 4.5 / 2.2 release in May/Jun 2022. * A subset of what [~dnewswan] has in mind for the scope of this work: [https://hackmd.io/-BI_MqAQR_6XkaikoN6r8w#RBAC-Roles-in-Galaxy-NG] * David can point QE to the pulp PR that has API info for testing * Risk of redundancy: is low, the areas where some of this may be redundant (once we adopt cloud or central auth RBAC) is the UI work for setting permissions, but we'll need that anyway for ppl who don't have central or cloud RBAC. Acceptance Criteria: TBD - QE will work with engineering to more clearly define, maybe based on outcome of Proof of concept. We'll need UI specs at some point. and a clear list of roles and capabilities. |
New:
Pulp is changing the way that RBAC works: [https://discourse.pulpproject.org/t/roles-in-pulpcore/148]. In summary, weโre moving from assigning permissions directly to users and groups and instead grouping permissions into roles and assigning the roles to groups and users. To complete this migration, we have to solve the following problems:
*API* * Django Guardian has to be completely removed from our dependency chain and replaced with Pulp's internal methods for assigning and managing roles. * Existing permission grants need to be migrated to roles * We need to define the set of system roles that will ship by default with Hub * Our existing Access Policy needs to be updated so that it can be set as the default for all the API endpoints (and not just the galaxy_ng ones) *UI* * Update the UI for assigning object permissions * Update UI for assigning global permissions * Create UI for creating and managing custom roles *Notes* * Per David: We need to create a proof of concept that will be the minimum we need to validate that the changes they (Brian B's team) are making work. Per Brian B slack: "for 3.17 to ship on the 16th we need the PoC to be done by nov 10th or 11th I think. given there are other tickets in front of it, and that you'll have to learn about the RBAC as you go I'm worried. I'm trying to raise concerns now before we get to the deadline and have a problem" * We'll need to work with UX, Docs, QE to ensure that all feature level work is identified and completed to ensure it's ready for delivery in 4.5 / 2.2 release in May/Jun 2022. * A subset of what [~dnewswan] has in mind for the scope of this work: [https://hackmd.io/-BI_MqAQR_6XkaikoN6r8w#RBAC-Roles-in-Galaxy-NG] * David can point QE to the pulp PR that has API info for testing * Risk of redundancy: is low, the areas where some of this may be redundant (once we adopt cloud or central auth RBAC) is the UI work for setting permissions, but we'll need that anyway for ppl who don't have central or cloud RBAC. This is a technical debt/pulp dependency priority for 2.2 / 4.5 with 2 phases of development: a proof of concept to validate the changes pulp has made, and then a more fully working feature w/ UI changes, etc. This is separate from Cloud RBAC and Central Auth RBAC, which Hub doesn't currently integrate with (and has not yet committed to). *Acceptance Criteria* TBD - QE will work with engineering to more clearly define, maybe based on outcome of Proof of concept. We'll need UI specs at some point. and a clear list of roles and capabilities. |
| Description |
Original:
Pulp is changing the way that RBAC works: [https://discourse.pulpproject.org/t/roles-in-pulpcore/148]. In summary, weโre moving from assigning permissions directly to users and groups and instead grouping permissions into roles and assigning the roles to groups and users. To complete this migration, we have to solve the following problems:
*API* * Django Guardian has to be completely removed from our dependency chain and replaced with Pulp's internal methods for assigning and managing roles. * Existing permission grants need to be migrated to roles * We need to define the set of system roles that will ship by default with Hub * Our existing Access Policy needs to be updated so that it can be set as the default for all the API endpoints (and not just the galaxy_ng ones) *UI* * Update the UI for assigning object permissions * Update UI for assigning global permissions * Create UI for creating and managing custom roles *Notes* * Per David: We need to create a proof of concept that will be the minimum we need to validate that the changes they (Brian B's team) are making work. Per Brian B slack: "for 3.17 to ship on the 16th we need the PoC to be done by nov 10th or 11th I think. given there are other tickets in front of it, and that you'll have to learn about the RBAC as you go I'm worried. I'm trying to raise concerns now before we get to the deadline and have a problem" * We'll need to work with UX, Docs, QE to ensure that all feature level work is identified and completed to ensure it's ready for delivery in 4.5 / 2.2 release in May/Jun 2022. * A subset of what [~dnewswan] has in mind for the scope of this work: [https://hackmd.io/-BI_MqAQR_6XkaikoN6r8w#RBAC-Roles-in-Galaxy-NG] * David can point QE to the pulp PR that has API info for testing * Risk of redundancy: is low, the areas where some of this may be redundant (once we adopt cloud or central auth RBAC) is the UI work for setting permissions, but we'll need that anyway for ppl who don't have central or cloud RBAC. This is a technical debt/pulp dependency priority for 2.2 / 4.5 with 2 phases of development: a proof of concept to validate the changes pulp has made, and then a more fully working feature w/ UI changes, etc. This is separate from Cloud RBAC and Central Auth RBAC, which Hub doesn't currently integrate with (and has not yet committed to). *Acceptance Criteria* TBD - QE will work with engineering to more clearly define, maybe based on outcome of Proof of concept. We'll need UI specs at some point. and a clear list of roles and capabilities. |
New:
Pulp is changing the way that RBAC works: [https://discourse.pulpproject.org/t/roles-in-pulpcore/148]. In summary, weโre moving from assigning permissions directly to users and groups and instead grouping permissions into roles and assigning the roles to groups and users. See the attached diagram for an overview of how permission checking will work. (*NOTE* cloud and platform RBAC are out of scope for this issue. They are included in the diagram to demonstrate how they can be integrated into the existing Pulp RBAC framework.)
To complete this migration, we have to solve the following problems: *API* * Django Guardian has to be completely removed from our dependency chain and replaced with Pulp's internal methods for assigning and managing roles. * Existing permission grants need to be migrated to roles * We need to define the set of system roles that will ship by default with Hub * Our existing Access Policy needs to be updated so that it can be set as the default for all the API endpoints (and not just the galaxy_ng ones) *UI* * Update the UI for assigning object permissions * Update UI for assigning global permissions * Create UI for creating and managing custom roles *Notes* * Per David: We need to create a proof of concept that will be the minimum we need to validate that the changes they (Brian B's team) are making work. Per Brian B slack: "for 3.17 to ship on the 16th we need the PoC to be done by nov 10th or 11th I think. given there are other tickets in front of it, and that you'll have to learn about the RBAC as you go I'm worried. I'm trying to raise concerns now before we get to the deadline and have a problem" * We'll need to work with UX, Docs, QE to ensure that all feature level work is identified and completed to ensure it's ready for delivery in 4.5 / 2.2 release in May/Jun 2022. * A subset of what [~dnewswan] has in mind for the scope of this work: [https://hackmd.io/-BI_MqAQR_6XkaikoN6r8w#RBAC-Roles-in-Galaxy-NG] * David can point QE to the pulp PR that has API info for testing * Risk of redundancy: is low, the areas where some of this may be redundant (once we adopt cloud or central auth RBAC) is the UI work for setting permissions, but we'll need that anyway for ppl who don't have central or cloud RBAC. This is a technical debt/pulp dependency priority for 2.2 / 4.5 with 2 phases of development: a proof of concept to validate the changes pulp has made, and then a more fully working feature w/ UI changes, etc. This is separate from Cloud RBAC and Central Auth RBAC, which Hub doesn't currently integrate with (and has not yet committed to). *Acceptance Criteria* TBD - QE will work with engineering to more clearly define, maybe based on outcome of Proof of concept. We'll need UI specs at some point. and a clear list of roles and capabilities. |
| Description |
Original:
Pulp is changing the way that RBAC works: [https://discourse.pulpproject.org/t/roles-in-pulpcore/148]. In summary, weโre moving from assigning permissions directly to users and groups and instead grouping permissions into roles and assigning the roles to groups and users. See the attached diagram for an overview of how permission checking will work. (*NOTE* cloud and platform RBAC are out of scope for this issue. They are included in the diagram to demonstrate how they can be integrated into the existing Pulp RBAC framework.)
To complete this migration, we have to solve the following problems: *API* * Django Guardian has to be completely removed from our dependency chain and replaced with Pulp's internal methods for assigning and managing roles. * Existing permission grants need to be migrated to roles * We need to define the set of system roles that will ship by default with Hub * Our existing Access Policy needs to be updated so that it can be set as the default for all the API endpoints (and not just the galaxy_ng ones) *UI* * Update the UI for assigning object permissions * Update UI for assigning global permissions * Create UI for creating and managing custom roles *Notes* * Per David: We need to create a proof of concept that will be the minimum we need to validate that the changes they (Brian B's team) are making work. Per Brian B slack: "for 3.17 to ship on the 16th we need the PoC to be done by nov 10th or 11th I think. given there are other tickets in front of it, and that you'll have to learn about the RBAC as you go I'm worried. I'm trying to raise concerns now before we get to the deadline and have a problem" * We'll need to work with UX, Docs, QE to ensure that all feature level work is identified and completed to ensure it's ready for delivery in 4.5 / 2.2 release in May/Jun 2022. * A subset of what [~dnewswan] has in mind for the scope of this work: [https://hackmd.io/-BI_MqAQR_6XkaikoN6r8w#RBAC-Roles-in-Galaxy-NG] * David can point QE to the pulp PR that has API info for testing * Risk of redundancy: is low, the areas where some of this may be redundant (once we adopt cloud or central auth RBAC) is the UI work for setting permissions, but we'll need that anyway for ppl who don't have central or cloud RBAC. This is a technical debt/pulp dependency priority for 2.2 / 4.5 with 2 phases of development: a proof of concept to validate the changes pulp has made, and then a more fully working feature w/ UI changes, etc. This is separate from Cloud RBAC and Central Auth RBAC, which Hub doesn't currently integrate with (and has not yet committed to). *Acceptance Criteria* TBD - QE will work with engineering to more clearly define, maybe based on outcome of Proof of concept. We'll need UI specs at some point. and a clear list of roles and capabilities. |
New:
Pulp is changing the way that RBAC works: [https://discourse.pulpproject.org/t/roles-in-pulpcore/148]. In summary, weโre moving from assigning permissions directly to users and groups and instead grouping permissions into roles and assigning the roles to groups and users. See the attached diagram for an overview of how permission checking will work. (*NOTE* cloud and platform RBAC are out of scope for this issue. They are included in the diagram to demonstrate how they can be integrated into the existing Pulp RBAC framework.)
To complete this migration, we have to solve the following problems: *API* * Django Guardian has to be completely removed from our dependency chain and replaced with Pulp's internal methods for assigning and managing roles. ( * Existing permission grants need to be migrated to roles. * We need to define the set of system roles that will ship by default with Hub. ( * Our existing Access Policy needs to be updated so that it can be set as the default for all the API endpoints (and not just the galaxy_ng ones) *UI* * Update the UI for assigning object permissions * Update UI for assigning global permissions * Create UI for creating and managing custom roles *Notes* * Per David: We need to create a proof of concept that will be the minimum we need to validate that the changes they (Brian B's team) are making work. Per Brian B slack: "for 3.17 to ship on the 16th we need the PoC to be done by nov 10th or 11th I think. given there are other tickets in front of it, and that you'll have to learn about the RBAC as you go I'm worried. I'm trying to raise concerns now before we get to the deadline and have a problem" * We'll need to work with UX, Docs, QE to ensure that all feature level work is identified and completed to ensure it's ready for delivery in 4.5 / 2.2 release in May/Jun 2022. * A subset of what [~dnewswan] has in mind for the scope of this work: [https://hackmd.io/-BI_MqAQR_6XkaikoN6r8w#RBAC-Roles-in-Galaxy-NG] * David can point QE to the pulp PR that has API info for testing * Risk of redundancy: is low, the areas where some of this may be redundant (once we adopt cloud or central auth RBAC) is the UI work for setting permissions, but we'll need that anyway for ppl who don't have central or cloud RBAC. This is a technical debt/pulp dependency priority for 2.2 / 4.5 with 2 phases of development: a proof of concept to validate the changes pulp has made, and then a more fully working feature w/ UI changes, etc. This is separate from Cloud RBAC and Central Auth RBAC, which Hub doesn't currently integrate with (and has not yet committed to). *Acceptance Criteria* TBD - QE will work with engineering to more clearly define, maybe based on outcome of Proof of concept. We'll need UI specs at some point. and a clear list of roles and capabilities. |
| Description |
Original:
Pulp is changing the way that RBAC works: [https://discourse.pulpproject.org/t/roles-in-pulpcore/148]. In summary, weโre moving from assigning permissions directly to users and groups and instead grouping permissions into roles and assigning the roles to groups and users. See the attached diagram for an overview of how permission checking will work. (*NOTE* cloud and platform RBAC are out of scope for this issue. They are included in the diagram to demonstrate how they can be integrated into the existing Pulp RBAC framework.)
To complete this migration, we have to solve the following problems: *API* * Django Guardian has to be completely removed from our dependency chain and replaced with Pulp's internal methods for assigning and managing roles. ( * Existing permission grants need to be migrated to roles. * We need to define the set of system roles that will ship by default with Hub. ( * Our existing Access Policy needs to be updated so that it can be set as the default for all the API endpoints (and not just the galaxy_ng ones) *UI* * Update the UI for assigning object permissions * Update UI for assigning global permissions * Create UI for creating and managing custom roles *Notes* * Per David: We need to create a proof of concept that will be the minimum we need to validate that the changes they (Brian B's team) are making work. Per Brian B slack: "for 3.17 to ship on the 16th we need the PoC to be done by nov 10th or 11th I think. given there are other tickets in front of it, and that you'll have to learn about the RBAC as you go I'm worried. I'm trying to raise concerns now before we get to the deadline and have a problem" * We'll need to work with UX, Docs, QE to ensure that all feature level work is identified and completed to ensure it's ready for delivery in 4.5 / 2.2 release in May/Jun 2022. * A subset of what [~dnewswan] has in mind for the scope of this work: [https://hackmd.io/-BI_MqAQR_6XkaikoN6r8w#RBAC-Roles-in-Galaxy-NG] * David can point QE to the pulp PR that has API info for testing * Risk of redundancy: is low, the areas where some of this may be redundant (once we adopt cloud or central auth RBAC) is the UI work for setting permissions, but we'll need that anyway for ppl who don't have central or cloud RBAC. This is a technical debt/pulp dependency priority for 2.2 / 4.5 with 2 phases of development: a proof of concept to validate the changes pulp has made, and then a more fully working feature w/ UI changes, etc. This is separate from Cloud RBAC and Central Auth RBAC, which Hub doesn't currently integrate with (and has not yet committed to). *Acceptance Criteria* TBD - QE will work with engineering to more clearly define, maybe based on outcome of Proof of concept. We'll need UI specs at some point. and a clear list of roles and capabilities. |
New:
Pulp is changing the way that RBAC works: [https://discourse.pulpproject.org/t/roles-in-pulpcore/148]. In summary, weโre moving from assigning permissions directly to users and groups and instead grouping permissions into roles and assigning the roles to groups and users. See the attached diagram for an overview of how permission checking will work. (*NOTE* cloud and platform RBAC are out of scope for this issue. They are included in the diagram to demonstrate how they can be integrated into the existing Pulp RBAC framework.)
To complete this migration, we have to solve the following problems: *API* * Django Guardian has to be completely removed from our dependency chain and replaced with Pulp's internal methods for assigning and managing roles. ( * Existing permission grants need to be migrated to roles. ( * We need to define the set of system roles that will ship by default with Hub. ( * Our existing Access Policy needs to be updated so that it can be set as the default for all the API endpoints (and not just the galaxy_ng ones) *UI* * Update the UI for assigning object permissions * Update UI for assigning global permissions * Create UI for creating and managing custom roles *Notes* * Per David: We need to create a proof of concept that will be the minimum we need to validate that the changes they (Brian B's team) are making work. Per Brian B slack: "for 3.17 to ship on the 16th we need the PoC to be done by nov 10th or 11th I think. given there are other tickets in front of it, and that you'll have to learn about the RBAC as you go I'm worried. I'm trying to raise concerns now before we get to the deadline and have a problem" * We'll need to work with UX, Docs, QE to ensure that all feature level work is identified and completed to ensure it's ready for delivery in 4.5 / 2.2 release in May/Jun 2022. * A subset of what [~dnewswan] has in mind for the scope of this work: [https://hackmd.io/-BI_MqAQR_6XkaikoN6r8w#RBAC-Roles-in-Galaxy-NG] * David can point QE to the pulp PR that has API info for testing * Risk of redundancy: is low, the areas where some of this may be redundant (once we adopt cloud or central auth RBAC) is the UI work for setting permissions, but we'll need that anyway for ppl who don't have central or cloud RBAC. This is a technical debt/pulp dependency priority for 2.2 / 4.5 with 2 phases of development: a proof of concept to validate the changes pulp has made, and then a more fully working feature w/ UI changes, etc. This is separate from Cloud RBAC and Central Auth RBAC, which Hub doesn't currently integrate with (and has not yet committed to). *Acceptance Criteria* TBD - QE will work with engineering to more clearly define, maybe based on outcome of Proof of concept. We'll need UI specs at some point. and a clear list of roles and capabilities. |
| Description |
Original:
Pulp is changing the way that RBAC works: [https://discourse.pulpproject.org/t/roles-in-pulpcore/148]. In summary, weโre moving from assigning permissions directly to users and groups and instead grouping permissions into roles and assigning the roles to groups and users. See the attached diagram for an overview of how permission checking will work. (*NOTE* cloud and platform RBAC are out of scope for this issue. They are included in the diagram to demonstrate how they can be integrated into the existing Pulp RBAC framework.)
To complete this migration, we have to solve the following problems: *API* * Django Guardian has to be completely removed from our dependency chain and replaced with Pulp's internal methods for assigning and managing roles. ( * Existing permission grants need to be migrated to roles. ( * We need to define the set of system roles that will ship by default with Hub. ( * Our existing Access Policy needs to be updated so that it can be set as the default for all the API endpoints (and not just the galaxy_ng ones) *UI* * Update the UI for assigning object permissions * Update UI for assigning global permissions * Create UI for creating and managing custom roles *Notes* * Per David: We need to create a proof of concept that will be the minimum we need to validate that the changes they (Brian B's team) are making work. Per Brian B slack: "for 3.17 to ship on the 16th we need the PoC to be done by nov 10th or 11th I think. given there are other tickets in front of it, and that you'll have to learn about the RBAC as you go I'm worried. I'm trying to raise concerns now before we get to the deadline and have a problem" * We'll need to work with UX, Docs, QE to ensure that all feature level work is identified and completed to ensure it's ready for delivery in 4.5 / 2.2 release in May/Jun 2022. * A subset of what [~dnewswan] has in mind for the scope of this work: [https://hackmd.io/-BI_MqAQR_6XkaikoN6r8w#RBAC-Roles-in-Galaxy-NG] * David can point QE to the pulp PR that has API info for testing * Risk of redundancy: is low, the areas where some of this may be redundant (once we adopt cloud or central auth RBAC) is the UI work for setting permissions, but we'll need that anyway for ppl who don't have central or cloud RBAC. This is a technical debt/pulp dependency priority for 2.2 / 4.5 with 2 phases of development: a proof of concept to validate the changes pulp has made, and then a more fully working feature w/ UI changes, etc. This is separate from Cloud RBAC and Central Auth RBAC, which Hub doesn't currently integrate with (and has not yet committed to). *Acceptance Criteria* TBD - QE will work with engineering to more clearly define, maybe based on outcome of Proof of concept. We'll need UI specs at some point. and a clear list of roles and capabilities. |
New:
Pulp is changing the way that RBAC works: [https://discourse.pulpproject.org/t/roles-in-pulpcore/148]. In summary, weโre moving from assigning permissions directly to users and groups and instead grouping permissions into roles and assigning the roles to groups and users. See the attached diagram for an overview of how permission checking will work. (*NOTE* cloud and platform RBAC are out of scope for this issue. They are included in the diagram to demonstrate how they can be integrated into the existing Pulp RBAC framework.)
To complete this migration, we have to solve the following problems: *API* * Django Guardian has to be completely removed from our dependency chain and replaced with Pulp's internal methods for assigning and managing roles. ( * Existing permission grants need to be migrated to roles. ( * We need to define the set of system roles that will ship by default with Hub. ( *UI* * Update the UI for assigning object permissions * Update UI for assigning global permissions * Create UI for creating and managing custom roles *Notes* * Per David: We need to create a proof of concept that will be the minimum we need to validate that the changes they (Brian B's team) are making work. Per Brian B slack: "for 3.17 to ship on the 16th we need the PoC to be done by nov 10th or 11th I think. given there are other tickets in front of it, and that you'll have to learn about the RBAC as you go I'm worried. I'm trying to raise concerns now before we get to the deadline and have a problem" * We'll need to work with UX, Docs, QE to ensure that all feature level work is identified and completed to ensure it's ready for delivery in 4.5 / 2.2 release in May/Jun 2022. * A subset of what [~dnewswan] has in mind for the scope of this work: [https://hackmd.io/-BI_MqAQR_6XkaikoN6r8w#RBAC-Roles-in-Galaxy-NG] * David can point QE to the pulp PR that has API info for testing * Risk of redundancy: is low, the areas where some of this may be redundant (once we adopt cloud or central auth RBAC) is the UI work for setting permissions, but we'll need that anyway for ppl who don't have central or cloud RBAC. This is a technical debt/pulp dependency priority for 2.2 / 4.5 with 2 phases of development: a proof of concept to validate the changes pulp has made, and then a more fully working feature w/ UI changes, etc. This is separate from Cloud RBAC and Central Auth RBAC, which Hub doesn't currently integrate with (and has not yet committed to). *Acceptance Criteria* TBD - QE will work with engineering to more clearly define, maybe based on outcome of Proof of concept. We'll need UI specs at some point. and a clear list of roles and capabilities. |
| Description |
Original:
Pulp is changing the way that RBAC works: [https://discourse.pulpproject.org/t/roles-in-pulpcore/148]. In summary, weโre moving from assigning permissions directly to users and groups and instead grouping permissions into roles and assigning the roles to groups and users. See the attached diagram for an overview of how permission checking will work. (*NOTE* cloud and platform RBAC are out of scope for this issue. They are included in the diagram to demonstrate how they can be integrated into the existing Pulp RBAC framework.)
To complete this migration, we have to solve the following problems: *API* * Django Guardian has to be completely removed from our dependency chain and replaced with Pulp's internal methods for assigning and managing roles. ( * Existing permission grants need to be migrated to roles. ( * We need to define the set of system roles that will ship by default with Hub. ( *UI* * Update the UI for assigning object permissions * Update UI for assigning global permissions * Create UI for creating and managing custom roles *Notes* * Per David: We need to create a proof of concept that will be the minimum we need to validate that the changes they (Brian B's team) are making work. Per Brian B slack: "for 3.17 to ship on the 16th we need the PoC to be done by nov 10th or 11th I think. given there are other tickets in front of it, and that you'll have to learn about the RBAC as you go I'm worried. I'm trying to raise concerns now before we get to the deadline and have a problem" * We'll need to work with UX, Docs, QE to ensure that all feature level work is identified and completed to ensure it's ready for delivery in 4.5 / 2.2 release in May/Jun 2022. * A subset of what [~dnewswan] has in mind for the scope of this work: [https://hackmd.io/-BI_MqAQR_6XkaikoN6r8w#RBAC-Roles-in-Galaxy-NG] * David can point QE to the pulp PR that has API info for testing * Risk of redundancy: is low, the areas where some of this may be redundant (once we adopt cloud or central auth RBAC) is the UI work for setting permissions, but we'll need that anyway for ppl who don't have central or cloud RBAC. This is a technical debt/pulp dependency priority for 2.2 / 4.5 with 2 phases of development: a proof of concept to validate the changes pulp has made, and then a more fully working feature w/ UI changes, etc. This is separate from Cloud RBAC and Central Auth RBAC, which Hub doesn't currently integrate with (and has not yet committed to). *Acceptance Criteria* TBD - QE will work with engineering to more clearly define, maybe based on outcome of Proof of concept. We'll need UI specs at some point. and a clear list of roles and capabilities. |
New:
Pulp is changing the way that RBAC works: [https://discourse.pulpproject.org/t/roles-in-pulpcore/148]. In summary, weโre moving from assigning permissions directly to users and groups and instead grouping permissions into roles and assigning the roles to groups and users. See the attached diagram for an overview of how permission checking will work. (*NOTE* cloud and platform RBAC are out of scope for this issue. They are included in the diagram to demonstrate how they can be integrated into the existing Pulp RBAC framework.)
To complete this migration, we have to solve the following problems: *API* * Django Guardian has to be completely removed from our dependency chain and replaced with Pulp's internal methods for assigning and managing roles. ( * Existing permission grants need to be migrated to roles. ( * We need to define the set of system roles that will ship by default with Hub. ( *UI* * Update the UI for assigning object permissions ( * Update UI for assigning global permissions * Create UI for creating and managing custom roles *Notes* * Per David: We need to create a proof of concept that will be the minimum we need to validate that the changes they (Brian B's team) are making work. Per Brian B slack: "for 3.17 to ship on the 16th we need the PoC to be done by nov 10th or 11th I think. given there are other tickets in front of it, and that you'll have to learn about the RBAC as you go I'm worried. I'm trying to raise concerns now before we get to the deadline and have a problem" * We'll need to work with UX, Docs, QE to ensure that all feature level work is identified and completed to ensure it's ready for delivery in 4.5 / 2.2 release in May/Jun 2022. * A subset of what [~dnewswan] has in mind for the scope of this work: [https://hackmd.io/-BI_MqAQR_6XkaikoN6r8w#RBAC-Roles-in-Galaxy-NG] * David can point QE to the pulp PR that has API info for testing * Risk of redundancy: is low, the areas where some of this may be redundant (once we adopt cloud or central auth RBAC) is the UI work for setting permissions, but we'll need that anyway for ppl who don't have central or cloud RBAC. This is a technical debt/pulp dependency priority for 2.2 / 4.5 with 2 phases of development: a proof of concept to validate the changes pulp has made, and then a more fully working feature w/ UI changes, etc. This is separate from Cloud RBAC and Central Auth RBAC, which Hub doesn't currently integrate with (and has not yet committed to). *Acceptance Criteria* TBD - QE will work with engineering to more clearly define, maybe based on outcome of Proof of concept. We'll need UI specs at some point. and a clear list of roles and capabilities. |
| Description |
Original:
Pulp is changing the way that RBAC works: [https://discourse.pulpproject.org/t/roles-in-pulpcore/148]. In summary, weโre moving from assigning permissions directly to users and groups and instead grouping permissions into roles and assigning the roles to groups and users. See the attached diagram for an overview of how permission checking will work. (*NOTE* cloud and platform RBAC are out of scope for this issue. They are included in the diagram to demonstrate how they can be integrated into the existing Pulp RBAC framework.)
To complete this migration, we have to solve the following problems: *API* * Django Guardian has to be completely removed from our dependency chain and replaced with Pulp's internal methods for assigning and managing roles. ( * Existing permission grants need to be migrated to roles. ( * We need to define the set of system roles that will ship by default with Hub. ( *UI* * Update the UI for assigning object permissions ( * Update UI for assigning global permissions * Create UI for creating and managing custom roles *Notes* * Per David: We need to create a proof of concept that will be the minimum we need to validate that the changes they (Brian B's team) are making work. Per Brian B slack: "for 3.17 to ship on the 16th we need the PoC to be done by nov 10th or 11th I think. given there are other tickets in front of it, and that you'll have to learn about the RBAC as you go I'm worried. I'm trying to raise concerns now before we get to the deadline and have a problem" * We'll need to work with UX, Docs, QE to ensure that all feature level work is identified and completed to ensure it's ready for delivery in 4.5 / 2.2 release in May/Jun 2022. * A subset of what [~dnewswan] has in mind for the scope of this work: [https://hackmd.io/-BI_MqAQR_6XkaikoN6r8w#RBAC-Roles-in-Galaxy-NG] * David can point QE to the pulp PR that has API info for testing * Risk of redundancy: is low, the areas where some of this may be redundant (once we adopt cloud or central auth RBAC) is the UI work for setting permissions, but we'll need that anyway for ppl who don't have central or cloud RBAC. This is a technical debt/pulp dependency priority for 2.2 / 4.5 with 2 phases of development: a proof of concept to validate the changes pulp has made, and then a more fully working feature w/ UI changes, etc. This is separate from Cloud RBAC and Central Auth RBAC, which Hub doesn't currently integrate with (and has not yet committed to). *Acceptance Criteria* TBD - QE will work with engineering to more clearly define, maybe based on outcome of Proof of concept. We'll need UI specs at some point. and a clear list of roles and capabilities. |
New:
Pulp is changing the way that RBAC works: [https://discourse.pulpproject.org/t/roles-in-pulpcore/148]. In summary, weโre moving from assigning permissions directly to users and groups and instead grouping permissions into roles and assigning the roles to groups and users. See the attached diagram for an overview of how permission checking will work. (*NOTE* cloud and platform RBAC are out of scope for this issue. They are included in the diagram to demonstrate how they can be integrated into the existing Pulp RBAC framework.)
To complete this migration, we have to solve the following problems: *API* * Django Guardian has to be completely removed from our dependency chain and replaced with Pulp's internal methods for assigning and managing roles. ( * Existing permission grants need to be migrated to roles. ( * We need to define the set of system roles that will ship by default with Hub. ( *UI* * Update the UI for assigning object permissions ( * Update UI for assigning global permissions ( * Create UI for creating and managing custom roles *Notes* * Per David: We need to create a proof of concept that will be the minimum we need to validate that the changes they (Brian B's team) are making work. Per Brian B slack: "for 3.17 to ship on the 16th we need the PoC to be done by nov 10th or 11th I think. given there are other tickets in front of it, and that you'll have to learn about the RBAC as you go I'm worried. I'm trying to raise concerns now before we get to the deadline and have a problem" * We'll need to work with UX, Docs, QE to ensure that all feature level work is identified and completed to ensure it's ready for delivery in 4.5 / 2.2 release in May/Jun 2022. * A subset of what [~dnewswan] has in mind for the scope of this work: [https://hackmd.io/-BI_MqAQR_6XkaikoN6r8w#RBAC-Roles-in-Galaxy-NG] * David can point QE to the pulp PR that has API info for testing * Risk of redundancy: is low, the areas where some of this may be redundant (once we adopt cloud or central auth RBAC) is the UI work for setting permissions, but we'll need that anyway for ppl who don't have central or cloud RBAC. This is a technical debt/pulp dependency priority for 2.2 / 4.5 with 2 phases of development: a proof of concept to validate the changes pulp has made, and then a more fully working feature w/ UI changes, etc. This is separate from Cloud RBAC and Central Auth RBAC, which Hub doesn't currently integrate with (and has not yet committed to). *Acceptance Criteria* TBD - QE will work with engineering to more clearly define, maybe based on outcome of Proof of concept. We'll need UI specs at some point. and a clear list of roles and capabilities. |
| Description |
Original:
Pulp is changing the way that RBAC works: [https://discourse.pulpproject.org/t/roles-in-pulpcore/148]. In summary, weโre moving from assigning permissions directly to users and groups and instead grouping permissions into roles and assigning the roles to groups and users. See the attached diagram for an overview of how permission checking will work. (*NOTE* cloud and platform RBAC are out of scope for this issue. They are included in the diagram to demonstrate how they can be integrated into the existing Pulp RBAC framework.)
To complete this migration, we have to solve the following problems: *API* * Django Guardian has to be completely removed from our dependency chain and replaced with Pulp's internal methods for assigning and managing roles. ( * Existing permission grants need to be migrated to roles. ( * We need to define the set of system roles that will ship by default with Hub. ( *UI* * Update the UI for assigning object permissions ( * Update UI for assigning global permissions ( * Create UI for creating and managing custom roles *Notes* * Per David: We need to create a proof of concept that will be the minimum we need to validate that the changes they (Brian B's team) are making work. Per Brian B slack: "for 3.17 to ship on the 16th we need the PoC to be done by nov 10th or 11th I think. given there are other tickets in front of it, and that you'll have to learn about the RBAC as you go I'm worried. I'm trying to raise concerns now before we get to the deadline and have a problem" * We'll need to work with UX, Docs, QE to ensure that all feature level work is identified and completed to ensure it's ready for delivery in 4.5 / 2.2 release in May/Jun 2022. * A subset of what [~dnewswan] has in mind for the scope of this work: [https://hackmd.io/-BI_MqAQR_6XkaikoN6r8w#RBAC-Roles-in-Galaxy-NG] * David can point QE to the pulp PR that has API info for testing * Risk of redundancy: is low, the areas where some of this may be redundant (once we adopt cloud or central auth RBAC) is the UI work for setting permissions, but we'll need that anyway for ppl who don't have central or cloud RBAC. This is a technical debt/pulp dependency priority for 2.2 / 4.5 with 2 phases of development: a proof of concept to validate the changes pulp has made, and then a more fully working feature w/ UI changes, etc. This is separate from Cloud RBAC and Central Auth RBAC, which Hub doesn't currently integrate with (and has not yet committed to). *Acceptance Criteria* TBD - QE will work with engineering to more clearly define, maybe based on outcome of Proof of concept. We'll need UI specs at some point. and a clear list of roles and capabilities. |
New:
Pulp is changing the way that RBAC works: [https://discourse.pulpproject.org/t/roles-in-pulpcore/148]. In summary, weโre moving from assigning permissions directly to users and groups and instead grouping permissions into roles and assigning the roles to groups and users. See the attached diagram for an overview of how permission checking will work. (*NOTE* cloud and platform RBAC are out of scope for this issue. They are included in the diagram to demonstrate how they can be integrated into the existing Pulp RBAC framework.)
To complete this migration, we have to solve the following problems: *API* * Django Guardian has to be completely removed from our dependency chain and replaced with Pulp's internal methods for assigning and managing roles. ( * Existing permission grants need to be migrated to roles. ( * We need to define the set of system roles that will ship by default with Hub. ( *UI* * Update the UI for assigning object permissions ( * Update UI for assigning global permissions ( * Create UI for creating and managing custom roles ( *Notes* * Per David: We need to create a proof of concept that will be the minimum we need to validate that the changes they (Brian B's team) are making work. Per Brian B slack: "for 3.17 to ship on the 16th we need the PoC to be done by nov 10th or 11th I think. given there are other tickets in front of it, and that you'll have to learn about the RBAC as you go I'm worried. I'm trying to raise concerns now before we get to the deadline and have a problem" * We'll need to work with UX, Docs, QE to ensure that all feature level work is identified and completed to ensure it's ready for delivery in 4.5 / 2.2 release in May/Jun 2022. * A subset of what [~dnewswan] has in mind for the scope of this work: [https://hackmd.io/-BI_MqAQR_6XkaikoN6r8w#RBAC-Roles-in-Galaxy-NG] * David can point QE to the pulp PR that has API info for testing * Risk of redundancy: is low, the areas where some of this may be redundant (once we adopt cloud or central auth RBAC) is the UI work for setting permissions, but we'll need that anyway for ppl who don't have central or cloud RBAC. This is a technical debt/pulp dependency priority for 2.2 / 4.5 with 2 phases of development: a proof of concept to validate the changes pulp has made, and then a more fully working feature w/ UI changes, etc. This is separate from Cloud RBAC and Central Auth RBAC, which Hub doesn't currently integrate with (and has not yet committed to). *Acceptance Criteria* TBD - QE will work with engineering to more clearly define, maybe based on outcome of Proof of concept. We'll need UI specs at some point. and a clear list of roles and capabilities. |
| Component/s | New: UX [ 12364293 ] | |
| Component/s | New: API [ 12340891 ] | |
| Component/s | New: QE [ 12340894 ] | |
| Component/s | New: UI [ 12340892 ] |
| Fix Version/s | New: 4.5.0 Summit [ 12374890 ] | |
| Fix Version/s | Original: 4.5.0 January [ 12372909 ] |
| Rank | New: Ranked higher |
| Rank | New: Ranked higher |
| Fix Version/s | New: 4.5.1 [ 12384873 ] | |
| Fix Version/s | Original: 4.5.0 Summit [ 12374890 ] |
| Fix Version/s | New: 4.6.0 [ 12384874 ] |
| Fix Version/s | Original: 4.5.1 [ 12384873 ] |
| Size | New: S [ 27810 ] |
| Labels | New: UX |
| Component/s | Original: UX [ 12364293 ] |
| Target start | New: 2021/12/01 |
| Target end | New: 2022/05/06 |
| Rank | New: Ranked higher |
| Target end | Original: 2022/05/06 | New: 2022/05/24 |
| Fix Version/s | New: Fest 2022 [ 12385769 ] |
| Status | Original: In Progress [ 10018 ] | New: Backlog [ 10824 ] |
| Status | Original: Backlog [ 10824 ] | New: In Progress [ 10018 ] |
| Target end | Original: 2022/05/24 | New: 2022/06/22 |
| Target end | Original: 2022/06/22 | New: 2022/08/01 |
| Parent Link | New: AAP-2358 Direct LDAP connection from Private Hub in App without another VM being required |
| Rank | New: Ranked higher |
| Description |
Original:
Pulp is changing the way that RBAC works: [https://discourse.pulpproject.org/t/roles-in-pulpcore/148]. In summary, weโre moving from assigning permissions directly to users and groups and instead grouping permissions into roles and assigning the roles to groups and users. See the attached diagram for an overview of how permission checking will work. (*NOTE* cloud and platform RBAC are out of scope for this issue. They are included in the diagram to demonstrate how they can be integrated into the existing Pulp RBAC framework.)
To complete this migration, we have to solve the following problems: *API* * Django Guardian has to be completely removed from our dependency chain and replaced with Pulp's internal methods for assigning and managing roles. ( * Existing permission grants need to be migrated to roles. ( * We need to define the set of system roles that will ship by default with Hub. ( *UI* * Update the UI for assigning object permissions ( * Update UI for assigning global permissions ( * Create UI for creating and managing custom roles ( *Notes* * Per David: We need to create a proof of concept that will be the minimum we need to validate that the changes they (Brian B's team) are making work. Per Brian B slack: "for 3.17 to ship on the 16th we need the PoC to be done by nov 10th or 11th I think. given there are other tickets in front of it, and that you'll have to learn about the RBAC as you go I'm worried. I'm trying to raise concerns now before we get to the deadline and have a problem" * We'll need to work with UX, Docs, QE to ensure that all feature level work is identified and completed to ensure it's ready for delivery in 4.5 / 2.2 release in May/Jun 2022. * A subset of what [~dnewswan] has in mind for the scope of this work: [https://hackmd.io/-BI_MqAQR_6XkaikoN6r8w#RBAC-Roles-in-Galaxy-NG] * David can point QE to the pulp PR that has API info for testing * Risk of redundancy: is low, the areas where some of this may be redundant (once we adopt cloud or central auth RBAC) is the UI work for setting permissions, but we'll need that anyway for ppl who don't have central or cloud RBAC. This is a technical debt/pulp dependency priority for 2.2 / 4.5 with 2 phases of development: a proof of concept to validate the changes pulp has made, and then a more fully working feature w/ UI changes, etc. This is separate from Cloud RBAC and Central Auth RBAC, which Hub doesn't currently integrate with (and has not yet committed to). *Acceptance Criteria* TBD - QE will work with engineering to more clearly define, maybe based on outcome of Proof of concept. We'll need UI specs at some point. and a clear list of roles and capabilities. |
New:
Pulp is changing the way that RBAC works: [https://discourse.pulpproject.org/t/roles-in-pulpcore/148]. In summary, weโre moving from assigning permissions directly to users and groups and instead grouping permissions into roles and assigning the roles to groups and users. See the attached diagram for an overview of how permission checking will work. ({*}NOTE{*} cloud and platform RBAC are out of scope for this issue. They are included in the diagram to demonstrate how they can be integrated into the existing Pulp RBAC framework.)
To complete this migration, we have to solve the following problems: *API* * Django Guardian has to be completely removed from our dependency chain and replaced with Pulp's internal methods for assigning and managing roles. ( * Existing permission grants need to be migrated to roles. ( * We need to define the set of system roles that will ship by default with Hub. ( *UI* * Update the UI for assigning object permissions ( * Update UI for assigning global permissions ( * Create UI for creating and managing custom roles ( *Notes* * Per David: We need to create a proof of concept that will be the minimum we need to validate that the changes they (Brian B's team) are making work. Per Brian B slack: "for 3.17 to ship on the 16th we need the PoC to be done by nov 10th or 11th I think. given there are other tickets in front of it, and that you'll have to learn about the RBAC as you go I'm worried. I'm trying to raise concerns now before we get to the deadline and have a problem" * We'll need to work with UX, Docs, QE to ensure that all feature level work is identified and completed to ensure it's ready for delivery in 4.5 / 2.2 release in May/Jun 2022. * A subset of what [~dnewswan] has in mind for the scope of this work: [https://hackmd.io/-BI_MqAQR_6XkaikoN6r8w#RBAC-Roles-in-Galaxy-NG] * David can point QE to the pulp PR that has API info for testing * Risk of redundancy: is low, the areas where some of this may be redundant (once we adopt cloud or central auth RBAC) is the UI work for setting permissions, but we'll need that anyway for ppl who don't have central or cloud RBAC. This is a technical debt/pulp dependency priority for 2.2 / 4.5 with 2 phases of development: a proof of concept to validate the changes pulp has made, and then a more fully working feature w/ UI changes, etc. This is separate from Cloud RBAC and Central Auth RBAC, which Hub doesn't currently integrate with (and has not yet committed to). *Definition of Done* * CI is running, tests are automated and merged and successful * DEV upstream code & tests merged * DEV upstream documentation merged see * DEV downstream build attached to advisory * QE - Test plans documented and attached to epic (or link to source), see * QE - automated tests merged and passing * Docs - Downstream documentation is merged, see AAP-1649 * PM/Leads - all acceptance criteria are met *Acceptance Criteria* TBD - QE will work with engineering to more clearly define, maybe based on outcome of Proof of concept. We'll need UI specs at some point. and a clear list of roles and capabilities. |
| Target end | Original: 2022/08/01 | New: 2022/08/12 |
| Rank | New: Ranked higher |
| Target end | Original: 2022/08/12 | New: 2022/09/19 |
| Labels | Original: UX | New: UX backport-flag |
| Labels | Original: UX backport-flag | New: UX |
| Link | New: This issue is related to AAH-1755 [ AAH-1755 ] |
| Fix Version/s | Original: 4.6.0 [ 12384874 ] |
Ismael Puerto
made changes -
| Status | Original: In Progress [ 10018 ] | New: Backlog [ 10824 ] |
Ismael Puerto
made changes -
| Status | Original: Backlog [ 10824 ] | New: Code Review [ 14434 ] |
| Target end | Original: 2022/09/19 | New: 2022/10/11 |
| Workflow | Original: Software Simplified Workflow for Project COST [ 15592614 ] | New: OJA-WF-Z [ 21423312 ] |
| Status | Original: Code Review [ 14434 ] | New: ON_QA [ 15723 ] |
| Release Note Type | New: Release Note [ 27784 ] |
| Link | New: This issue is documented by AAP-1649 [ AAP-1649 ] |
| QA Contact | New: Christian Torrens [ JIRAUSER176746 ] |
| Resolution | New: Done [ 1 ] | |
| Status | Original: ON_QA [ 15723 ] | New: Release Pending [ 15735 ] |
| Rank | New: Ranked higher |
| Status | Original: Release Pending [ 15735 ] | New: Closed [ 6 ] |
| Workflow | Original: OJA-WF-Z [ 21423312 ] | New: RH1-WF-D [ 26792363 ] |
| Epic Status | Original: To Do [ 10450 ] | New: Done [ 10452 ] |