Refactor the RBAC documentation for the plugin #811
Conversation
docs/rbac/index.rst
Outdated
| Role-based Access Control | ||
| ========================= | ||
|
|
||
| Role-based access control (RBAC) **restricts** access to content based on a user's role within an |
There was a problem hiding this comment.
Are you talking specifically about "content" here (i think not). Maybe use entities instead. In the context of Pulp, "content" already has quite a distinct meaning.
docs/rbac/index.rst
Outdated
| ========================= | ||
|
|
||
| Role-based access control (RBAC) **restricts** access to content based on a user's role within an | ||
| organization. The role consists of one or more permissions. Users having a proper set of roles can |
There was a problem hiding this comment.
| organization. The role consists of one or more permissions. Users having a proper set of roles can | |
| organization. A role consists of one or more permissions. Users having a proper set of roles can |
docs/rbac/index.rst
Outdated
| organization. The role consists of one or more permissions. Users having a proper set of roles can | ||
| view, modify, or delete content hosted on different endpoints. | ||
|
|
||
| By default, all container repositories are accessible by anyone, unless the opposite is *explicitly* |
There was a problem hiding this comment.
I think you are referring to registry pull access here. Maybe something like ... repositories content is accessible via podman pull by anyone...
docs/rbac/permissions.rst
Outdated
| A role is defined by one or more permissions. In this section, there are discussed details of | ||
| permissions used within the container plugin. |
There was a problem hiding this comment.
| A role is defined by one or more permissions. In this section, there are discussed details of | |
| permissions used within the container plugin. | |
| A role is defined by one or more permissions. In this section, details of | |
| permissions used within the container plugin are discussed. |
docs/rbac/roles.rst
Outdated
| Default Roles | ||
| ------------- | ||
|
|
||
| For each endpoint, there is defined a different set of roles. The roles can be assigned at the model |
There was a problem hiding this comment.
| For each endpoint, there is defined a different set of roles. The roles can be assigned at the model | |
| For each endpoint, a different set of roles is defined. The roles can be assigned at the model |
docs/rbac/roles.rst
Outdated
| The *Consumer* role contains only the ``view`` and ``pull`` permissions. Below is showcased a list | ||
| of associated permissions for distributions: |
There was a problem hiding this comment.
| The *Consumer* role contains only the ``view`` and ``pull`` permissions. Below is showcased a list | |
| of associated permissions for distributions: | |
| The *Consumer* role contains only the ``view`` and ``pull`` permissions. Below, a list | |
| of associated permissions for distributions is showcased: |
docs/rbac/roles.rst
Outdated
| } | ||
|
|
||
| Having the ``view`` and ``pull`` permissions allows a user to see and pull content from the Pulp | ||
| Registry. Assigning this role only at the object level allows administrators to select what the |
There was a problem hiding this comment.
| Registry. Assigning this role only at the object level allows administrators to select what the | |
| Registry. Assigning this role only at the object level allows administrators and owners to select what the |
docs/rbac/roles.rst
Outdated
| ~~~~~~~~~~~~~~~~~ | ||
|
|
||
| The *Collaborator* role represents a set of permissions that a co-worker working within a same user-space | ||
| should have. In comparison to the *Consumer* role, users with the *Collaborator* role are allowed |
There was a problem hiding this comment.
| should have. In comparison to the *Consumer* role, users with the *Collaborator* role are allowed | |
| should have. In addition to the *Consumer* role, users with the *Collaborator* role are allowed |
| .. code-block:: bash | ||
|
|
||
| pulp role create --name "container.containerrepository_syncer" \ | ||
| --permission "container.view_containerrepository" \ | ||
| --permission "container.view_containerremote" \ | ||
| --permission "container.change_containerrepository" \ | ||
| --permission "container.modify_content_containerrepository" \ | ||
| --permission "container.sync_containerrepository" | ||
|
|
||
| pulp user role-assignment add --username "alice" --role "container.containerrepository_syncer" object "" |
There was a problem hiding this comment.
Should this be an example about changing the AP?
There was a problem hiding this comment.
Of course. I provide an example of how to create, assign, and hook a role.
For the sake of completeness, I will add an example of assigning default permissions to a user in one of the descriptions of the default roles.
There was a problem hiding this comment.
I would still consider these two commands as an example to create and use a "custom role". "changing the access policy" to me is the next level of customization. My suggestion: Make this example its own thing, and move the headline for AP below it. Also maybe add an example for changing the statements in the AP.
There was a problem hiding this comment.
I divided the section into two parts: Customizing Roles and Customizing Access Policies. It should be now better readable.
lubosmj
force-pushed
the
rbac-up-docs-641
branch
2 times, most recently
from
38d9d9e to
f3a0e24
Compare
lubosmj
force-pushed
the
rbac-up-docs-641
branch
from
f3a0e24 to
82fe503
Compare
docs/rbac/roles.rst
Outdated
| Customizing Roles | ||
| ----------------- | ||
|
|
||
| In Pulp, users are allowed to create or update their roles. To create a role with permissions |
lubosmj
force-pushed
the
rbac-up-docs-641
branch
from
82fe503 to
d358452
Compare
docs/rbac/index.rst
Outdated
|
|
||
| Role-based access control (RBAC) **restricts** access to entities based on a user's role within an | ||
| organization. A role consists of one or more permissions. Users having a proper set of roles can | ||
| view, modify, or delete content hosted on different endpoints. |
There was a problem hiding this comment.
s/content/resources. There is rbac not just for content.
| Role-based access control (RBAC) **restricts** access to entities based on a user's role within an | ||
| organization. A role consists of one or more permissions. Users having a proper set of roles can | ||
| view, modify, or delete content hosted on different endpoints. | ||
|
|
There was a problem hiding this comment.
maybe worth adding a section called 'Content and Repository access'
There was a problem hiding this comment.
can you also add information about the queryset scoping?
There was a problem hiding this comment.
Not sure how the information about the queryset scoping will be useful to users. It tells plugin-writers that Pulp restricts access to objects based on users' permissions (which is generally known and expected): https://github.com/pulp/pulpcore/blob/8ab3fdfba539b81fa25b67876dde7327992a6ce4/docs/plugins/plugin-writer/concepts/rbac/queryset_scoping.rst
| ===================== | ||
|
|
||
| As of release 2.11.0, the plugin started to support roles instead of separate groups and | ||
| permissions. Permission classes provided by Pulp are **automatically** migrated when upgrading |
| done | ||
| Similarly, execute an adjusted script for other repository objects that were asserted under | ||
| the permissions' scope. |
There was a problem hiding this comment.
Can you mention the dump-permission management command Matthias has added?
Also please add a note that with pulp-container 2.13 this would be the only way to process unmigrated permissions because of removed django-guardian form the stack.
There was a problem hiding this comment.
I added a note about the version and the dump-permission command.
lubosmj
force-pushed
the
rbac-up-docs-641
branch
from
d358452 to
781a1a0
Compare
closes #641