Description

Right now, export permissions are not validated by the export service.  Instead, the request is passed to the target service (Inventory for example), which in turn, will check rbac and return a 403 if permission is denied.

However, a caller might expect the POST request to return 403 in this case rather than it silently "succeeding" and necessitating a GET /exports/<id>/status call to learn the reason for failure.

And according to the export service ADR, the intent is for the export service to check rbac, specifically this excerpt:

The export service will consult RBAC for export requests, looking for any matching permissions, responding with 403 if the user doesn't have permission to export any of the requested resources:

$application:$resource:read
$application:$resource:*
$application:*:read
$application:*:*

This won't work right now since we set application and resource to, respectively:

"urn:redhat:application:inventory"
"urn:redhat:application:inventory:export:systems"

We followed Notifications' example, but perhaps the intent was to set these values to something rbac would recognize like "inventory" and "hosts".  And then maybe the export service would be able to properly consult rbac to determine access?

Let's revisit this for M2.

cc rhjmarc rhn-engineering-jramos 

UPDATE: Per rhn-support-dehort, rbac handling isn't integrated with the export service yet.  Thus, re-purposing this card from Inventory to Exports for discussion/implementation.