Refactor the RBAC documentation for the plugin
closes #641
Showing 8 changed files with 367 additions and 26 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,2 @@ | ||
Improved the documentation for RBAC by adding a new section for roles and a new section for | ||
migrating from permissions to roles. |
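Review bot: the changelog entry leaves out the operator-facing consequence that the new migration section documents, namely that custom permissions created before release 2.11.0 need manual post-upgrade steps to keep their original behaviour. Consider appending a clause such as "including the post-upgrade steps required for custom permissions created before release 2.11.0" so that someone reading only the changelog does not assume the upgrade is fully automatic.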
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,26 @@ | ||
.. _rbac-index: | ||
|
||
Role-based Access Control | ||
========================= | ||
|
||
Role-based access control (RBAC) **restricts** access to entities based on a user's role within an | ||
organization. A role consists of one or more permissions. Users having a proper set of roles can | ||
view, modify, or delete content hosted on different endpoints. | ||
|
||
By default, container repositories' content is accessible via ``podman`` or ``docker`` pull | ||
commands, unless the opposite is *explicitly* specified. A private repository can be created via the | ||
REST API for container distributions. An existing distribution can be updated with the parameter | ||
``private=True``. | ||
|
||
.. note:: | ||
|
||
Users logged in as administrators (staff) always bypass any authorization checks. | ||
|
||
Visit the following sections to understand how the plugin implements RBAC: | ||
|
||
.. toctree:: | ||
:maxdepth: 2 | ||
|
||
roles | ||
permissions | ||
migrating-perms-to-roles |
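Review bot: the default-access paragraph should state the default and the governing setting plainly: a distribution can be pulled without authentication unless it was created or updated with ``private=True``. The phrase "unless the opposite is *explicitly* specified" does not tell the reader which parameter controls this. It would also help to show the CLI form beside the REST parameter, e.g. ``pulp container distribution update --name <name> --private``, since that is the command the migration page relies on, and the note could say explicitly that the staff bypass applies to private distributions too.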
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,41 @@ | ||
.. _migrating-perms-to-roles: | ||
|
||
Migrating Permissions | ||
===================== | ||
|
||
As of release 2.11.0, the plugin started to support roles instead of separate groups and | ||
permissions. Permission classes provided by Pulp are **automatically** migrated when upgrading | ||
from older releases. But, custom permissions created before release 2.11.0 require additional | ||
**post-upgrade steps** to preserve the initial behaviour. | ||
|
||
Usually, administrators define permissions for two types of operations: | ||
|
||
1. **pull** - Pulling content from all or a number of specific repositories | ||
2. **push** - Pushing content to all or concrete repositories | ||
|
||
During the upgrade, the custom permissions need to be manually revised and assigned. To do so, one | ||
can proceed as follows: | ||
|
||
1. Make all repositories private: | ||
|
||
.. code-block:: bash | ||
for name in $(pulp container distribution list | jq -re '.[].name') | ||
do | ||
pulp container distribution update --name $name --private | ||
done | ||
2. Start assigning Pulp-provided/adjusted roles to a particular user. For instance, use the role | ||
``container.containerdistribution_consumer`` to enable user ``alice`` to consume content from | ||
distributions ``dist1``, ``dist2``, ``dist3``: | ||
|
||
.. code-block:: bash | ||
for distribution in "dist1" "dist2" "dist3" | ||
do | ||
DISTRIBUTION_HREF=$(pulp container distribution show --name $distribution | jq -r ".pulp_href") | ||
pulp user role-assignment add --username "alice" --role "container.containerdistribution_consumer" --object $DISTRIBUTION_HREF | ||
done | ||
Similarly, execute an adjusted script for other repository objects that were asserted under | ||
the permissions' scope. |
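Review bot: both ``.. code-block:: bash`` directives in this hunk run straight into their shell lines with no blank line after the directive, so Sphinx will read the commands as extra directive arguments and the snippets will not render as code; insert a blank line after each directive. Two smaller points: the step order is fail-closed by design (every distribution becomes private before any consumer role is assigned), so the text should say that pulls fail for all non-staff users between step 1 and the end of step 2, which lets operators plan the window; and ``$name`` and ``$distribution`` should be quoted the way ``"alice"`` is, e.g. ``pulp container distribution update --name "$name" --private``, with a check that the distribution listing in step 1 returns every distribution rather than only a first page of results.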