Fixes the permission issue with import-all. #379
Conversation
| permissions=[ | ||
| "core.add_compositecontentguard", | ||
| "core.add_domain", | ||
| "core.add_headercontentguard", | ||
| "ostree.add_ostreedistribution", | ||
| "ostree.add_ostreeremote", | ||
| "ostree.add_ostreerepository", | ||
| "ostree.view_ostreerepository", | ||
| "ostree.change_ostreerepository", | ||
| "ostree.delete_ostreerepository", | ||
| "ostree.import_commits_ostreerepository", | ||
| "ostree.manage_roles_ostreerepository", | ||
| "ostree.modify_ostreerepository", | ||
| "ostree.repair_ostreerepository", | ||
| "ostree.sync_ostreerepository", | ||
| "ostree.view_ostreerepository", | ||
| "ostree.add_ostreerepository", | ||
| "ostree.view_ostreeremote", | ||
| "ostree.change_ostreeremote", | ||
| "ostree.delete_ostreeremote", | ||
| "ostree.manage_roles_ostreeremote", | ||
| "ostree.view_ostreeremote", | ||
| "ostree.add_ostreeremote", | ||
| "ostree.view_ostreedistribution", | ||
| "ostree.change_ostreedistribution", | ||
| "ostree.delete_ostreedistribution", | ||
| "ostree.manage_roles_ostreedistribution", | ||
| "ostree.view_ostreedistribution", | ||
| "ostree.add_ostreedistribution", | ||
| "core.replicate_upstreampulp", | ||
| "core.view_upload", | ||
| "core.change_upload", | ||
| "core.delete_upload", | ||
| "core.manage_roles_upload", | ||
| "core.view_upload", | ||
| "core.add_upload", | ||
| "core.view_task", | ||
| "core.change_task", | ||
| "core.delete_task", | ||
| "core.manage_roles_task", | ||
| "core.view_task", | ||
| "core.view_taskschedule", | ||
| "core.manage_roles_taskschedule", | ||
| "core.view_taskschedule", | ||
| "core.download_rbaccontentguard", | ||
| "core.view_rbaccontentguard", | ||
| "core.change_rbaccontentguard", | ||
| "core.delete_rbaccontentguard", | ||
| "core.manage_roles_rbaccontentguard", | ||
| "core.view_rbaccontentguard", | ||
| "core.add_rbaccontentguard", | ||
| "core.view_headercontentguard", | ||
| "core.change_headercontentguard", | ||
| "core.delete_headercontentguard", | ||
| "core.manage_roles_headercontentguard", | ||
| "core.view_headercontentguard", | ||
| "core.add_headercontentguard", | ||
| "core.view_group", | ||
| "core.change_group", | ||
| "core.delete_group", | ||
| "core.manage_roles_group", | ||
| "core.view_group", | ||
| "core.add_group", | ||
| "core.view_domain", | ||
| "core.change_domain", | ||
| "core.delete_domain", | ||
| "core.manage_roles_domain", | ||
| "core.view_domain", | ||
| "core.add_domain", | ||
| "core.view_contentredirectcontentguard", | ||
| "core.change_contentredirectcontentguard", | ||
| "core.delete_contentredirectcontentguard", | ||
| "core.manage_roles_contentredirectcontentguard", | ||
| "core.view_contentredirectcontentguard", | ||
| "core.add_contentredirectcontentguard", | ||
| "core.view_compositecontentguard", | ||
| "core.change_compositecontentguard", | ||
| "core.delete_compositecontentguard", | ||
| "core.manage_roles_compositecontentguard", | ||
| "core.view_compositecontentguard", | ||
| "core.add_compositecontentguard", | ||
| ], |
There was a problem hiding this comment.
| permissions=[ | |
| "core.add_compositecontentguard", | |
| "core.add_domain", | |
| "core.add_headercontentguard", | |
| "ostree.add_ostreedistribution", | |
| "ostree.add_ostreeremote", | |
| "ostree.add_ostreerepository", | |
| "ostree.view_ostreerepository", | |
| "ostree.change_ostreerepository", | |
| "ostree.delete_ostreerepository", | |
| "ostree.import_commits_ostreerepository", | |
| "ostree.manage_roles_ostreerepository", | |
| "ostree.modify_ostreerepository", | |
| "ostree.repair_ostreerepository", | |
| "ostree.sync_ostreerepository", | |
| "ostree.view_ostreerepository", | |
| "ostree.add_ostreerepository", | |
| "ostree.view_ostreeremote", | |
| "ostree.change_ostreeremote", | |
| "ostree.delete_ostreeremote", | |
| "ostree.manage_roles_ostreeremote", | |
| "ostree.view_ostreeremote", | |
| "ostree.add_ostreeremote", | |
| "ostree.view_ostreedistribution", | |
| "ostree.change_ostreedistribution", | |
| "ostree.delete_ostreedistribution", | |
| "ostree.manage_roles_ostreedistribution", | |
| "ostree.view_ostreedistribution", | |
| "ostree.add_ostreedistribution", | |
| "core.replicate_upstreampulp", | |
| "core.view_upload", | |
| "core.change_upload", | |
| "core.delete_upload", | |
| "core.manage_roles_upload", | |
| "core.view_upload", | |
| "core.add_upload", | |
| "core.view_task", | |
| "core.change_task", | |
| "core.delete_task", | |
| "core.manage_roles_task", | |
| "core.view_task", | |
| "core.view_taskschedule", | |
| "core.manage_roles_taskschedule", | |
| "core.view_taskschedule", | |
| "core.download_rbaccontentguard", | |
| "core.view_rbaccontentguard", | |
| "core.change_rbaccontentguard", | |
| "core.delete_rbaccontentguard", | |
| "core.manage_roles_rbaccontentguard", | |
| "core.view_rbaccontentguard", | |
| "core.add_rbaccontentguard", | |
| "core.view_headercontentguard", | |
| "core.change_headercontentguard", | |
| "core.delete_headercontentguard", | |
| "core.manage_roles_headercontentguard", | |
| "core.view_headercontentguard", | |
| "core.add_headercontentguard", | |
| "core.view_group", | |
| "core.change_group", | |
| "core.delete_group", | |
| "core.manage_roles_group", | |
| "core.view_group", | |
| "core.add_group", | |
| "core.view_domain", | |
| "core.change_domain", | |
| "core.delete_domain", | |
| "core.manage_roles_domain", | |
| "core.view_domain", | |
| "core.add_domain", | |
| "core.view_contentredirectcontentguard", | |
| "core.change_contentredirectcontentguard", | |
| "core.delete_contentredirectcontentguard", | |
| "core.manage_roles_contentredirectcontentguard", | |
| "core.view_contentredirectcontentguard", | |
| "core.add_contentredirectcontentguard", | |
| "core.view_compositecontentguard", | |
| "core.change_compositecontentguard", | |
| "core.delete_compositecontentguard", | |
| "core.manage_roles_compositecontentguard", | |
| "core.view_compositecontentguard", | |
| "core.add_compositecontentguard", | |
| ], | |
| permissions=[ | |
| "ostree.add_ostreerepository", | |
| ], |
We can use just one permission. The other remaining are automatically assigned to a user after the creation.
There was a problem hiding this comment.
Or better, we could create a user with the ostree.ostreerepository_creator role.
There was a problem hiding this comment.
There was a problem hiding this comment.
I've tested with those permissions because we've created an ostree.admin role for services. But for sure we can trim down the permissions.
There was a problem hiding this comment.
Also, I think we need this permission here https://github.com/pulp/pulp_ostree/pull/379/files#diff-933b628e96bbcca797e520be49a32612920c4b46068b3f45e12660ebcb68d2e9R163
There was a problem hiding this comment.
Not really. Because that permission will be automatically assigned to a respective user once she creates a repository, see the creation hooks here:
pulp_ostree/pulp_ostree/app/viewsets.py
Lines 184 to 203 in cb092dd
There was a problem hiding this comment.
Please don't use permissions, but roles.
There was a problem hiding this comment.
Thanks folks. I've applied all your suggestions.
|
Do we want to backport this to 2.4? 🤔 |
Backport to 2.4: 💚 backport PR created✅ Backport PR branch: Backported as #380 🤖 @patchback |
I believe it should be just to 2.3. |
Backport to 2.3: 💚 backport PR created✅ Backport PR branch: Backported as #381 🤖 @patchback |
Closes #373