Loading...

XML

Word

Printable

Type: Story
Resolution: Done
Priority: Normal
Fix Version/s: ConsoleDot CY25Q2, Management Fabric M5
Affects Version/s: None
Component/s: Management Fabric
Labels:
- ciam-authz-rebac

Activity Type:
Product / Portfolio Work
Epic Link:
Demo HBI w/ new hosts in ephemeral queries are access aware using the fabric for 10000 hosts
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Ready:
False
Acceptance Criteria:
None
BZ requires_doc_text:
Unset
Regression:
None
BZ Keywords:
- Unset
Intelligence Requested:
Market:
PX Impact Score:
Target Version:

ConsoleDot CY25Q3, Management Fabric M5

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

The current naive implementation is essentially re-implementing RBAC with Kessel, which allowed for minimal code changes but didn't allow for using any new functionality

The idea here is to investigate options to take advantage of things like checks against specific objects where appropriate (vs always doing lookupresources on all workspaces) and fully consistent checks before making updates.

The most simplistic implementation might simply call Kessel inline from each action or any context where we need to know more. Though it may also be possible to use one or more interceptors like HBI currently does to integrate with RBAC. Requests fall (mostly) into the following buckets, which each have their own concerns to address:

Straightforward reads are probably already fine
Reads of a single host by criteria may benefit from a check call after it's identified (ex: https://github.com/RedHatInsights/insights-host-inventory/blob/1d2b5b821b7c4c948aa05aafef510997e90eb4e3/api/host.py#L537) but could also continue using lookupresources (as a read)
Many read operations are constrained to specific host ids and could use checks. Ex: https://github.com/RedHatInsights/insights-host-inventory/blob/1d2b5b821b7c4c948aa05aafef510997e90eb4e3/api/host.py#L498
- NOTE: may need a bulk check, which I don't think currently exists
- host_id_list parameter could be discovered as a keyword argument by interceptors
Many write operations are constrained to specific host ids and could use checkforupdates. Ex: https://github.com/RedHatInsights/insights-host-inventory/blob/1d2b5b821b7c4c948aa05aafef510997e90eb4e3/api/host.py#L418
- NOTE: may need a bulk check, which I don't think currently exists
- Currently uses lookupresources which is not fully consistent despite being a write
- As before, host_id_list parameter could be discovered as a keyword argument by interceptors
Some writes use search criteria. Ex: https://github.com/RedHatInsights/insights-host-inventory/blob/1d2b5b821b7c4c948aa05aafef510997e90eb4e3/api/host.py#L177
- For these, checkforupdate on each result probably isn't appropriate, even with a bulk check (result sets are unbounded).
- Naively, could pre-filter on workspace and then checkforupdate individual hosts before deleting (set constrained to valid targets but still of unbounded size)
- Could treat as a straightforward read. Would not be fully consistent for an actually pretty high-risk operation (delete), though.
  - Alternatively: could fully consistent lookupresources be a thing?

Feature flags must still work (must be switchable back to rbac)

Anything sufficiently generic should evolve toward being pulled out into Python SDK

Where we can do better, do. If not, parity is enough.

Assignee:: William Scalf

Reporter:: William Scalf

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Created:: 2025/07/01 10:40 PM

Updated:: 2025/07/22 1:46 PM

Resolved:: 2025/07/22 1:46 PM

Details

Description

Attachments

Easy Agile Planning Poker

Activity

People

Dates