As a user, I should have CRUD permissions for all entities that are exposed to me.
Refs #5217: Adjusts product organization_id migration to account for provider field.
Refs #5217: Adding check that the consumer cert matches the passed in
consumer identity when present.
Refs #5217: Fix activation key destroy.
This was introduced with merges from master and would cause errors
on deletion since the show rabl file sends attributes stored in Candlepin.
And since the activation key has been deleted at that point from Candlepin,
the object is no longer available.
#3 Updated by Eric Helms over 6 years ago
Copying in the bulk of the notes from our earlier roles etherpading:
As a user, I should be able to define a permission for CRUD on all Katello entities that are exposed to the user. (http://projects.theforeman.org/issues/5217)
As a user, I should be able to lock permissions by Organizations.
As a user, I should be able to lock permissions by Lifecycle Environment.
As a user, I should not see menu items for entities that I do not have access to.
As a user, I should not be able to access APIs I don't have permissions to.
As a user, I should have consistent permissions across Fortello.
As a user, I'd like not to see or have access to the legacy roles/permissions from Katello.
As a readonly user, I should not be able to edit any entity through the API or UI.
Nice to have Requirements¶
As a user I should be able to define a permission to manage systems in system group A
As a user I should be able to define a permission to manage the association between system group A and all systems I can manage through my other permissions.
As a user I should be able to define a permission to manage All Systems in Environment C
As a user I should be able to define a permission to manage All Systems in Environment C within Content View X
As a user I should be able to define a permission to manage All Systems in Organization O
As a user I should be able to define a permission to restricts which Environments and Content Views a user can assign (or register) a System to.
Content Views & Lifecycle Environments:
As a user I should be able to define a permission to publish a new version of Content View X
As a user I should be able to define a permission to promote Content View X to Environment Y
- CRUD BY Org (sounded like Yes) * If we address permissions in the API, will the CLI just work?
- Question for CLI guys to see how Foreman side currently works against their permissions * Can we do the implementation entity by entity or page by page?
Create Role-rework branch (ehelms) https://github.com/Katello/katello/tree/roles
Create permissions.rb file and include it from the plugin.rb file (ehelms)
Remove Legacy Katello roles UI
Dig into mechanics of new permissions as they relate to controllers (partha)
For a given entity:
Define the CRUD permission set for entity
Define the set of scoped search fields used when filtering
Re-factor guts of the entity Authorization module, remove where it no longer makes sense
Remove rules from the controller (handled by permission definitions/routes combinations)
Test the UI
Test the API
Test that the Menu item hides properly
Lifecycle Environment management (partha)
RedHat Repo enable/disable
Products & Repository (ehelms) GPG Keys (ehelms) - https://github.com/Katello/katello/pull/3985
Sync Plan (walden)
System Groups (Host Collections)