Skip to content

Add support for Role Based Access Control#39

Merged
dralley merged 1 commit into
pulp:mainfrom
aKlimau:add-rbac-support
Jul 1, 2026
Merged

Add support for Role Based Access Control#39
dralley merged 1 commit into
pulp:mainfrom
aKlimau:add-rbac-support

Conversation

@aKlimau

@aKlimau aKlimau commented Jun 1, 2026

Copy link
Copy Markdown
Contributor

Add RBAC to pulp_rust following the same pattern as pulp_python. All standard REST API viewsets now have access policies with creator/owner/viewer locked roles.

Also fixed the sync dispatch call args so that RBAC could be tested with sync.

closes #23

📜 Checklist

  • Commits are cleanly separated with meaningful messages (simple features and bug fixes should be squashed to one commit)
  • A changelog entry or entries has been added for any significant changes
  • Follows the Pulp policy on AI Usage
  • (For new features) - User documentation and test coverage has been added

See: Pull Request Walkthrough

@aKlimau aKlimau marked this pull request as draft June 1, 2026 15:56
@aKlimau aKlimau force-pushed the add-rbac-support branch 2 times, most recently from a73be60 to d786edd Compare June 16, 2026 13:28
@aKlimau aKlimau marked this pull request as ready for review June 16, 2026 13:34
Comment thread pulp_rust/app/models.py Outdated
class Meta:
default_related_name = "%(app_label)s_%(model_name)s"
permissions = [
("sync_rustrepository", "Can start a sync task"),

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We don't do syncing yet (or maybe ever - the stub task code exists and I haven't deleted it yet but it's nonfunctional)

I need to think a bit more whether we should go ahead and remove this though, since it seems like changes require migrations?

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes changes to "permissions" field in model would require a migration

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's worth asking @dkliban if there would be any need for sync in the future for e.g. project lightwell. I'm otherwise content to just have pull through caching.

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@dralley @aKlimau at this time our main focus is on uploads. However, we recently had a situation where we wanted to sync Python packages from one domain to another. So initially, only providing support for uploads and pull-through cache is ok.

Comment thread pulp_rust/tests/functional/conftest.py Outdated


@pytest.fixture
def rust_content_factory(rust_content_api_client, pulpcore_bindings, monitor_task):

@dralley dralley Jun 24, 2026

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just use or slightly modify https://github.com/pulp/pulp_rust/blob/main/pulp_rust/tests/functional/utils.py#L91

You should use the cargo publish API, not try to create content directly. To be honest, if we can disable that completely we probably should. As it stands, this is basically a re-implementation of the cargo publish API endpoint, just inside of our tests.

@aKlimau aKlimau force-pushed the add-rbac-support branch from d786edd to cfd23e9 Compare June 24, 2026 12:39
Comment thread pulp_rust/app/viewsets.py Outdated

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@aKlimau Could you do as Gerrod suggested and use ReadOnlyContentViewSet here?

Comment thread pulp_rust/app/viewsets.py Outdated
"condition": [
"has_required_repo_perms_on_upload:rust.modify_rustrepository",
"has_required_repo_perms_on_upload:rust.view_rustrepository",
"has_upload_param_model_or_domain_or_obj_perms:core.change_upload",

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not 100% sure if this means this block of permissions can go, as well - I think it would?

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I also deleted test_upload.py for that reason, since it was relying on modifying content directly

alice, bob, charlie = gen_users("rustrepository")

with bob:
repo = rust_repo_api_client.create({"name": str(uuid.uuid4())})

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can rust_repo_factory() not be used here?

@dralley

dralley commented Jun 30, 2026

Copy link
Copy Markdown
Contributor

Apart from the notes, this looks good

@dralley dralley marked this pull request as draft June 30, 2026 15:07
@aKlimau aKlimau force-pushed the add-rbac-support branch 2 times, most recently from 48f69ca to ca333b0 Compare July 1, 2026 12:03
Comment thread pulp_rust/app/viewsets.py
"effect": "allow",
"condition": [
"has_model_or_domain_or_obj_perms:rust.change_rustdistribution",
"has_model_or_domain_or_obj_perms:rust.view_rustdistribution",

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is this right? I read this as "if you have view permissions, you can update and set labels"

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Never mind, they are AND'd, not OR'd

Comment thread pulp_rust/app/viewsets.py Outdated
}

@transaction.atomic
def create(self, request):

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This can be deleted, right?

creator = gen_user(model_roles=["rust.rustrepository_creator"])

with creator:
repo = rust_repo_api_client.create({"name": str(uuid.uuid4())})

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can rust_repo_factory() be used here?

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@aKlimau aKlimau force-pushed the add-rbac-support branch from ca333b0 to 8f8e98e Compare July 1, 2026 15:53
@aKlimau aKlimau marked this pull request as ready for review July 1, 2026 15:59
@dralley dralley merged commit ebdf751 into pulp:main Jul 1, 2026
14 checks passed
@aKlimau aKlimau deleted the add-rbac-support branch July 2, 2026 11:09
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Support RBAC

3 participants