Tracker #17954

Unify roles and permissions across plugins

Added by Ondřej Pražák 9 months ago. Updated 25 days ago.

Status:Closed% Done:

0%

Priority:Normal
Assigned To:Ondřej Pražák
Category:-
Target version:Team Marek Iteration 20
Difficulty: Bugzilla link:1304608
Found in release:
Story points-
Velocity based estimate-

Description

Each plugin handles permissions and roles differently: some create just permissions and no roles, some create plugin-specific roles. This tracker should monitor the progress of making roles uniform across all plugins.

Expected outcome:
- each plugin has plugin-specific Viewer and Manager roles (see openscap or rex). Additional plugin-specific roles are certainly possible if plugin needs them.
- plugin permissions are added to Manager and Viewer roles provided by core.


Related issues

Related to Discovery - Bug #19944: Upgrade fails due to missing override column in filter Closed 06/06/2017
Blocked by Foreman Remote Execution - Bug #17953: Add remote execution permissions to Viewer and Manager roles Closed 01/06/2017
Blocked by OpenSCAP - Bug #17952: Add foreman_openscap permissions to Viewer and Manager roles Closed 01/06/2017
Blocked by Ansible - Bug #17957: Add foreman_ansible permissions to Viewer and Manager roles Closed 01/06/2017
Blocked by Discovery - Bug #17959: Add foreman_discovery permissions to Manager and Viewer r... Closed 01/06/2017
Blocked by Docker - Bug #17960: Add foreman_docker permissions to Manager and View roles Closed 01/06/2017
Blocked by foreman-tasks - Bug #17961: Add foreman-tasks permissions to Manager and Viewer roles Closed 01/06/2017
Blocked by Katello - Bug #17962: Add Katello's permissions to Manager and and Viewer roles Closed 01/06/2017
Blocked by Boot disk - Bug #17963: Add foreman_bootdisk permissions to Manager role Closed 01/06/2017
Blocked by Foreman - Feature #18001: Allow plugins to easily add their permissions to core's V... Closed 01/10/2017
Blocked by Foreman - Feature #19039: Lock plugin roles Closed 03/27/2017

History

#1 Updated by Ondřej Pražák 9 months ago

  • Blocked by Bug #17953: Add remote execution permissions to Viewer and Manager roles added

#2 Updated by Ondřej Pražák 9 months ago

  • Blocks Bug #17952: Add foreman_openscap permissions to Viewer and Manager roles added

#3 Updated by Ondřej Pražák 9 months ago

  • Blocks deleted (Bug #17952: Add foreman_openscap permissions to Viewer and Manager roles)

#4 Updated by Ondřej Pražák 9 months ago

  • Blocked by Bug #17952: Add foreman_openscap permissions to Viewer and Manager roles added

#5 Updated by Ondřej Pražák 9 months ago

  • Bugzilla link set to 1304608

#6 Updated by Ondřej Pražák 9 months ago

  • Blocked by Bug #17957: Add foreman_ansible permissions to Viewer and Manager roles added

#7 Updated by Ondřej Pražák 9 months ago

  • Blocked by Bug #17959: Add foreman_discovery permissions to Manager and Viewer roles added

#8 Updated by Ondřej Pražák 9 months ago

  • Blocks Bug #17960: Add foreman_docker permissions to Manager and View roles added

#9 Updated by Ondřej Pražák 9 months ago

  • Blocks deleted (Bug #17960: Add foreman_docker permissions to Manager and View roles)

#10 Updated by Ondřej Pražák 9 months ago

  • Blocked by Bug #17960: Add foreman_docker permissions to Manager and View roles added

#11 Updated by Ondřej Pražák 9 months ago

  • Blocked by Bug #17961: Add foreman-tasks permissions to Manager and Viewer roles added

#12 Updated by Ondřej Pražák 9 months ago

  • Blocks Bug #17962: Add Katello's permissions to Manager and and Viewer roles added

#13 Updated by Ondřej Pražák 9 months ago

  • Blocks deleted (Bug #17962: Add Katello's permissions to Manager and and Viewer roles)

#14 Updated by Ondřej Pražák 9 months ago

  • Blocked by Bug #17962: Add Katello's permissions to Manager and and Viewer roles added

#15 Updated by Ondřej Pražák 9 months ago

  • Blocked by Bug #17963: Add foreman_bootdisk permissions to Manager role added

#16 Updated by Marek Hulán 9 months ago

Ondřej, could we also prevent this happening in future? What if every permission defined by plugin would be automatically assigned to Manager role and if it matches view_.+ it would be also associated to Viewer? Plugins would only defined plugin_manager and plugin_viewer role. Any other suggestions are welcome.

#17 Updated by Ondřej Pražák 9 months ago

  • Blocked by Feature #18001: Allow plugins to easily add their permissions to core's Viewer and Manager added

#18 Updated by Ondřej Pražák 9 months ago

I do not think we can do this completely automatically and there may be cases when we do not want to. But I think #18001 is a reasonable solution.

#19 Updated by Marek Hulán 9 months ago

  • Assigned To set to Ondřej Pražák
  • Target version set to Team Marek Iteration 9

#20 Updated by Marek Hulán 8 months ago

  • Target version changed from Team Marek Iteration 9 to Team Marek Iteration 10

#21 Updated by Marek Hulán 7 months ago

  • Target version changed from Team Marek Iteration 10 to Team Marek Iteration 11

#22 Updated by Marek Hulán 6 months ago

  • Target version changed from Team Marek Iteration 11 to Team Marek Iteration 12

#23 Updated by Ondřej Pražák 6 months ago

#24 Updated by Marek Hulán 6 months ago

  • Target version changed from Team Marek Iteration 12 to Team Marek Iteration 13

#25 Updated by Marek Hulán 5 months ago

  • Target version changed from Team Marek Iteration 13 to Team Marek Iteration 14

#26 Updated by Marek Hulán 4 months ago

  • Target version changed from Team Marek Iteration 14 to Team Marek Iteration 15

#27 Updated by Lukas Zapletal 4 months ago

In Discovery we are planning to lock and reset default discovery plugin roles in a seed script, this is likely a precedent. See discussion at https://github.com/theforeman/foreman_discovery/pull/352

I think the plugin API should do this automatically when roles are being registered (they should be locked).

#28 Updated by Lukas Zapletal 4 months ago

  • Related to Bug #19944: Upgrade fails due to missing override column in filter added

#29 Updated by Marek Hulán 3 months ago

Lukas Zapletal wrote:

In Discovery we are planning to lock and reset default discovery plugin roles in a seed script, this is likely a precedent. See discussion at https://github.com/theforeman/foreman_discovery/pull/352

I think the plugin API should do this automatically when roles are being registered (they should be locked).

I believe it's tracked by http://projects.theforeman.org/issues/19039, which is ready for testing

#30 Updated by Marek Hulán 3 months ago

  • Target version changed from Team Marek Iteration 15 to Team Marek Iteration 16

#31 Updated by Marek Hulán 3 months ago

  • Target version changed from Team Marek Iteration 16 to Team Marek Iteration 17

#32 Updated by Marek Hulán 2 months ago

  • Target version changed from Team Marek Iteration 17 to Team Marek Iteration 18

#33 Updated by Marek Hulán about 1 month ago

  • Target version changed from Team Marek Iteration 18 to Team Marek Iteration 19

#34 Updated by Marek Hulán 27 days ago

  • Target version changed from Team Marek Iteration 19 to Team Marek Iteration 20

#35 Updated by Marek Hulán 25 days ago

  • Status changed from New to Closed

It seems like all related issues have been closed, closing this one.

Also available in: Atom PDF