Tracker #17954

Unify roles and permissions across plugins

Added by Ondřej Pražák 11 months ago. Updated 3 months ago.

Status:Closed% Done:

0%

Priority:Normal
Assigned To:Ondřej Pražák
Category:-
Target version:Team Marek Iteration 20
Difficulty: Bugzilla link:1304608
Found in release:
Story points-
Velocity based estimate-

Description

Each plugin handles permissions and roles differently: some create just permissions and no roles, some create plugin-specific roles. This tracker should monitor the progress of making roles uniform across all plugins.

Expected outcome:
- each plugin has plugin-specific Viewer and Manager roles (see openscap or rex). Additional plugin-specific roles are certainly possible if plugin needs them.
- plugin permissions are added to Manager and Viewer roles provided by core.


Related issues

Related to Discovery - Bug #19944: Upgrade fails due to missing override column in filter Closed 06/06/2017
Blocked by Foreman Remote Execution - Bug #17953: Add remote execution permissions to Viewer and Manager roles Closed 01/06/2017
Blocked by OpenSCAP - Bug #17952: Add foreman_openscap permissions to Viewer and Manager roles Closed 01/06/2017
Blocked by Ansible - Bug #17957: Add foreman_ansible permissions to Viewer and Manager roles Closed 01/06/2017
Blocked by Discovery - Bug #17959: Add foreman_discovery permissions to Manager and Viewer r... Closed 01/06/2017
Blocked by Docker - Bug #17960: Add foreman_docker permissions to Manager and View roles Closed 01/06/2017
Blocked by foreman-tasks - Bug #17961: Add foreman-tasks permissions to Manager and Viewer roles Closed 01/06/2017
Blocked by Katello - Bug #17962: Add Katello's permissions to Manager and and Viewer roles Closed 01/06/2017
Blocked by Boot disk - Bug #17963: Add foreman_bootdisk permissions to Manager role Closed 01/06/2017
Blocked by Foreman - Feature #18001: Allow plugins to easily add their permissions to core's V... Closed 01/10/2017
Blocked by Foreman - Feature #19039: Lock plugin roles Closed 03/27/2017

History

#1 Updated by Ondřej Pražák 11 months ago

  • Blocked by Bug #17953: Add remote execution permissions to Viewer and Manager roles added

#2 Updated by Ondřej Pražák 11 months ago

  • Blocks Bug #17952: Add foreman_openscap permissions to Viewer and Manager roles added

#3 Updated by Ondřej Pražák 11 months ago

  • Blocks deleted (Bug #17952: Add foreman_openscap permissions to Viewer and Manager roles)

#4 Updated by Ondřej Pražák 11 months ago

  • Blocked by Bug #17952: Add foreman_openscap permissions to Viewer and Manager roles added

#5 Updated by Ondřej Pražák 11 months ago

  • Bugzilla link set to 1304608

#6 Updated by Ondřej Pražák 11 months ago

  • Blocked by Bug #17957: Add foreman_ansible permissions to Viewer and Manager roles added

#7 Updated by Ondřej Pražák 11 months ago

  • Blocked by Bug #17959: Add foreman_discovery permissions to Manager and Viewer roles added

#8 Updated by Ondřej Pražák 11 months ago

  • Blocks Bug #17960: Add foreman_docker permissions to Manager and View roles added

#9 Updated by Ondřej Pražák 11 months ago

  • Blocks deleted (Bug #17960: Add foreman_docker permissions to Manager and View roles)

#10 Updated by Ondřej Pražák 11 months ago

  • Blocked by Bug #17960: Add foreman_docker permissions to Manager and View roles added

#11 Updated by Ondřej Pražák 11 months ago

  • Blocked by Bug #17961: Add foreman-tasks permissions to Manager and Viewer roles added

#12 Updated by Ondřej Pražák 11 months ago

  • Blocks Bug #17962: Add Katello's permissions to Manager and and Viewer roles added

#13 Updated by Ondřej Pražák 11 months ago

  • Blocks deleted (Bug #17962: Add Katello's permissions to Manager and and Viewer roles)

#14 Updated by Ondřej Pražák 11 months ago

  • Blocked by Bug #17962: Add Katello's permissions to Manager and and Viewer roles added

#15 Updated by Ondřej Pražák 11 months ago

  • Blocked by Bug #17963: Add foreman_bootdisk permissions to Manager role added

#16 Updated by Marek Hulán 10 months ago

Ondřej, could we also prevent this happening in future? What if every permission defined by plugin would be automatically assigned to Manager role and if it matches view_.+ it would be also associated to Viewer? Plugins would only defined plugin_manager and plugin_viewer role. Any other suggestions are welcome.

#17 Updated by Ondřej Pražák 10 months ago

  • Blocked by Feature #18001: Allow plugins to easily add their permissions to core's Viewer and Manager added

#18 Updated by Ondřej Pražák 10 months ago

I do not think we can do this completely automatically and there may be cases when we do not want to. But I think #18001 is a reasonable solution.

#19 Updated by Marek Hulán 10 months ago

  • Assigned To set to Ondřej Pražák
  • Target version set to Team Marek Iteration 9

#20 Updated by Marek Hulán 9 months ago

  • Target version changed from Team Marek Iteration 9 to Team Marek Iteration 10

#21 Updated by Marek Hulán 9 months ago

  • Target version changed from Team Marek Iteration 10 to Team Marek Iteration 11

#22 Updated by Marek Hulán 8 months ago

  • Target version changed from Team Marek Iteration 11 to Team Marek Iteration 12

#23 Updated by Ondřej Pražák 8 months ago

#24 Updated by Marek Hulán 8 months ago

  • Target version changed from Team Marek Iteration 12 to Team Marek Iteration 13

#25 Updated by Marek Hulán 6 months ago

  • Target version changed from Team Marek Iteration 13 to Team Marek Iteration 14

#26 Updated by Marek Hulán 6 months ago

  • Target version changed from Team Marek Iteration 14 to Team Marek Iteration 15

#27 Updated by Lukas Zapletal 5 months ago

In Discovery we are planning to lock and reset default discovery plugin roles in a seed script, this is likely a precedent. See discussion at https://github.com/theforeman/foreman_discovery/pull/352

I think the plugin API should do this automatically when roles are being registered (they should be locked).

#28 Updated by Lukas Zapletal 5 months ago

  • Related to Bug #19944: Upgrade fails due to missing override column in filter added

#29 Updated by Marek Hulán 5 months ago

Lukas Zapletal wrote:

In Discovery we are planning to lock and reset default discovery plugin roles in a seed script, this is likely a precedent. See discussion at https://github.com/theforeman/foreman_discovery/pull/352

I think the plugin API should do this automatically when roles are being registered (they should be locked).

I believe it's tracked by http://projects.theforeman.org/issues/19039, which is ready for testing

#30 Updated by Marek Hulán 5 months ago

  • Target version changed from Team Marek Iteration 15 to Team Marek Iteration 16

#31 Updated by Marek Hulán 5 months ago

  • Target version changed from Team Marek Iteration 16 to Team Marek Iteration 17

#32 Updated by Marek Hulán 4 months ago

  • Target version changed from Team Marek Iteration 17 to Team Marek Iteration 18

#33 Updated by Marek Hulán 3 months ago

  • Target version changed from Team Marek Iteration 18 to Team Marek Iteration 19

#34 Updated by Marek Hulán 3 months ago

  • Target version changed from Team Marek Iteration 19 to Team Marek Iteration 20

#35 Updated by Marek Hulán 3 months ago

  • Status changed from New to Closed

It seems like all related issues have been closed, closing this one.

Also available in: Atom PDF