Feature #5217

As a user, I should have CRUD permissions for all entities that are exposed to me.

Added by Eric Helms over 5 years ago. Updated about 1 year ago.

Status: Closed
Priority: Normal
Assignee: -
Category: -
Target version:
Difficulty:
Triaged: Yes
Bugzilla link:
Pull request:
Fixed in Releases:
Found in Releases:

Related issues

Related to Katello - Feature #5260: As a user, I should be able to assign CRUD permissions for Sync Plans (Closed, 2014-04-21)
Related to Katello - Feature #5416: As a user, I should be able to assign CRUD permissions for Activation keys (Closed, 2014-04-23)
Related to Katello - Feature #5434: As a user, I should be able to assign CRUD permissions for Content Views (Closed, 2014-04-24)
Related to Katello - Bug #5529: As a user, I should only see widgets on the content dashboard that I have access to. (Closed, 2014-05-01)
Related to Katello - Feature #5532: As a user, I should only see entities I have access to within Content Search. (Closed, 2014-05-01)
Related to Katello - Feature #5562: As a user, I should be able to assign permissions for Foreman tasks (Duplicate, 2014-05-02)
Related to Katello - Feature #5591: Red Hat Repositories: authorization (Closed, 2014-05-06)
Related to Katello - Feature #5593: Fix menu so authorized items are displayed post single page app work (Closed, 2014-05-06)
Related to Katello - Feature #5627: Api V2 Tasks controller: CRUD authorization (Closed, 2014-05-07)
Related to Katello - Feature #5635: Bastion: add translated 403 message to displayed error messages on form submit (Closed, 2014-05-08)
Related to Katello - Bug #5682: view lifecycle environments permissions need to be handled better (Closed, 2014-05-12)
Related to Katello - Feature #4351: Global user permissions need to be delivered to angular pages (Duplicate, 2014-02-14)
Related to Katello - Feature #5503: Available UI interactions should reflect a user's permissions (Closed, 2014-04-29)
Related to Katello - Feature #6040: Add Katello view permissions to foreman "Viewer" role (Closed, 2014-06-03)
Related to Katello - Feature #6321: Bastion pages should enforce permissions when entering the page (Closed, 2014-06-20)
Blocked by Katello - Feature #5230: As a user, I should be able to assign CRUD permissions for GPG Keys. (Closed, 2014-04-17)
Blocked by Katello - Feature #5261: As a user, I should be able to assign CRUD permissions for Products and Repositories. (Closed, 2014-04-21)
Blocked by Katello - Feature #5521: As a user, I should be able to assign CRUD permissions to subscriptions. (Closed, 2014-05-01)
Blocked by Katello - Feature #5531: As a user, I should be able to assign relevant permissions for Sync actions. (Closed, 2014-05-01)
Blocked by Katello - Feature #5530: As a user, I should be able to assign CRUD permissions for Lifecycle Environments. (Closed, 2014-05-01)
Blocked by Katello - Feature #5533: As a user, I should be able to assign CRUD permissions for Content Hosts. (Closed, 2014-05-01)
Blocked by Katello - Feature #5535: As a user, I should be able to assign CRUD permissions for System Groups. (Closed, 2014-05-01)
Blocked by Foreman - Feature #5537: Menu/authorization: need alternative to rails controller centric authorization (Closed, 2014-04-30)
Blocked by Foreman - Bug #5578: Can't set permissions on specific resource types (Closed, 2014-05-05)
Blocked by Katello - Bug #5702: (Roles Branch) v2 Content Views Controller index call ignoring environment id (Closed, 2014-05-13)
Blocked by Katello - Bug #5843: Remove v1 API routes (Closed, 2014-05-20)

Associated revisions

Revision fb142fde (diff)
Added by Eric Helms over 5 years ago

Refs #5217: Initial location to declare and load permissions.

Revision 1ad2a3cb (diff)
Added by Eric Helms over 5 years ago

Refs #5217: Adjusts product organization_id migration to account for provider field.

Revision 13bf35e2
Added by Eric Helms over 5 years ago

Merge pull request #4058 from ehelms/refs-5217

Refs #5217: Adjusts product organization_id migration to account for provider field.

Revision 5788e199 (diff)
Added by Eric Helms over 5 years ago

Refs #5217: Adding check that the consumer cert matches the passed in
consumer identity when present.

Revision d8fe46f0
Added by Eric Helms over 5 years ago

Merge pull request #4085 from ehelms/refs-5217

Refs #5217: Adding check that the consumer cert matches the passed in consumer identity when present.

Revision 3526da57 (diff)
Added by Eric Helms over 5 years ago

Refs #5217: Moving permissions into lib/katello directory.

Revision c7efcfb5
Added by Eric Helms over 5 years ago

Merge pull request #4087 from ehelms/refs-5217

Refs #5217: Moving permissions into lib/katello directory.

Revision 2735ea02 (diff)
Added by Eric Helms over 5 years ago

Refs #5217: Fix activation key destroy.

This was introduced with merges from master and would cause errors
on deletion since the show rabl file sends attributes stored in Candlepin.
And since the activation key has been deleted at that point from Candlepin,
the object is no longer available.

Revision 875633d4 (diff)
Added by Eric Helms over 5 years ago

Refs #5217: Fix content host menu item and add organization scoping.

Revision ec9aae7d
Added by Eric Helms over 5 years ago

Merge pull request #4088 from ehelms/refs-5217

Refs #5217: Fix activation key destroy.

Revision af2dd40f
Added by Eric Helms over 5 years ago

Merge pull request #4093 from ehelms/master-to-roles

Refs #5217: Master to roles

Revision bd4c8023
Added by Eric Helms over 5 years ago

Merge pull request #4092 from ehelms/refs-5217

Refs #5217: Fix content host menu item and add organization scoping.

Revision 374ea703
Added by Eric Helms over 5 years ago

Merge pull request #4073 from Katello/roles

Refs #5217: Merging roles branch to master.

History

#1 Updated by Eric Helms over 5 years ago

  • Blocked by Feature #5230: As a user, I should be able to assign CRUD permissions for GPG Keys. added

#2 Updated by Walden Raines over 5 years ago

  • Related to Feature #5260: As a user, I should be able to assign CRUD permissions for Sync Plans added

#3 Updated by Eric Helms over 5 years ago

Copying in the bulk of the notes from our earlier roles etherpading:

Permission Requirements

Minimum Requirements

As a user, I should be able to define a permission for CRUD on all Katello entities that are exposed to the user. (http://projects.theforeman.org/issues/5217)
As a user, I should be able to lock permissions by Organizations.
As a user, I should be able to lock permissions by Lifecycle Environment.
As a user, I should not see menu items for entities that I do not have access to.
As a user, I should not be able to access APIs I don't have permissions to.
As a user, I should have consistent permissions across Fortello.
As a user, I'd like not to see or have access to the legacy roles/permissions from Katello.
As a readonly user, I should not be able to edit any entity through the API or UI.

Nice to have Requirements

Hosts/Systems

As a user I should be able to define a permission to manage systems in system group A
As a user I should be able to define a permission to manage the association between system group A and all systems I can manage through my other permissions.
As a user I should be able to define a permission to manage All Systems in Environment C
As a user I should be able to define a permission to manage All Systems in Environment C within Content View X
As a user I should be able to define a permission to manage All Systems in Organization O
As a user I should be able to define a permission to restrict which Environments and Content Views a user can assign (or register) a System to.

Content Views & Lifecycle Environments:

As a user I should be able to define a permission to publish a new version of Content View X
As a user I should be able to define a permission to promote Content View X to Environment Y

Open Questions

  • CRUD BY Org (sounded like Yes)
  • If we address permissions in the API, will the CLI just work?
  • Question for CLI guys to see how Foreman side currently works against their permissions
  • Can we do the implementation entity by entity or page by page?

Example - https://github.com/Katello/katello/pull/3789/files

Issues

http://projects.theforeman.org/issues/5217

Action Items

Create Role-rework branch (ehelms) https://github.com/Katello/katello/tree/roles
Create permissions.rb file and include it from the plugin.rb file (ehelms)
Remove Legacy Katello roles UI
Dig into mechanics of new permissions as they relate to controllers (partha)
For a given entity:
Define the CRUD permission set for entity
Define the set of scoped search fields used when filtering
Re-factor guts of the entity Authorization module, remove where it no longer makes sense
Remove rules from the controller (handled by permission definitions/routes combinations)
Fix tests
Test the UI
Test the API
Test that the Menu item hides properly

Pages

Content Dashboard
Lifecycle Environment management (partha)
Activation Keys
Manage Subscriptions
RedHat Repo enable/disable
Products & Repository (ehelms)
GPG Keys (ehelms) - https://github.com/Katello/katello/pull/3985
Sync Status
Sync Plan (walden)
Content Views
Content Search
System/Content Hosts
System Groups (Host Collections)
Content About
Content Notices

#4 Updated by Eric Helms over 5 years ago

  • Blocked by Feature #5261: As a user, I should be able to assign CRUD permissions for Products and Repositories. added

#5 Updated by Walden Raines over 5 years ago

  • Related to Feature #5416: As a user, I should be able to assign CRUD permissions for Activation keys added

#6 Updated by Walden Raines over 5 years ago

  • Related to Feature #5434: As a user, I should be able to assign CRUD permissions for Content Views added

#7 Updated by Mike McCune over 5 years ago

  • Target version set to 44

#8 Updated by Mike McCune over 5 years ago

  • Triaged changed from No to Yes

#9 Updated by Eric Helms over 5 years ago

  • Blocked by Feature #5521: As a user, I should be able to assign CRUD permissions to subscriptions. added

#10 Updated by Eric Helms over 5 years ago

  • Related to Bug #5529: As a user, I should only see widgets on the content dashboard that I have access to. added

#11 Updated by Eric Helms over 5 years ago

  • Blocked by Feature #5531: As a user, I should be able to assign relevant permissions for Sync actions. added

#12 Updated by Eric Helms over 5 years ago

  • Blocked by Feature #5530: As a user, I should be able to assign CRUD permissions for Lifecycle Environments. added

#13 Updated by Eric Helms over 5 years ago

  • Related to Feature #5532: As a user, I should only see entities I have access to within Content Search. added

#14 Updated by Eric Helms over 5 years ago

  • Blocked by Feature #5533: As a user, I should be able to assign CRUD permissions for Content Hosts. added

#15 Updated by Eric Helms over 5 years ago

  • Blocked by Feature #5535: As a user, I should be able to assign CRUD permissions for System Groups. added

#16 Updated by Walden Raines over 5 years ago

  • Blocked by Feature #5537: Menu/authorization: need alternative to rails controller centric authorization added

#17 Updated by Walden Raines over 5 years ago

  • Blocked by Bug #5543: Content Search: autocomplete is not working for content views and repositories added

#18 Updated by Walden Raines over 5 years ago

  • Related to Feature #5562: As a user, I should be able to assign permissions for Foreman tasks added

#19 Updated by Walden Raines over 5 years ago

  • Blocked by Bug #4450: Tasks API is not authorized added

#20 Updated by Partha Aji over 5 years ago

  • Blocked by Bug #5578: Can't set permissions on specific resource types added

#21 Updated by Walden Raines over 5 years ago

  • Related to Feature #5591: Red Hat Repositories: authorization added

#22 Updated by Walden Raines over 5 years ago

  • Related to Feature #5593: Fix menu so authorized items are displayed post single page app work added

#23 Updated by Walden Raines over 5 years ago

  • Related to Feature #5627: Api V2 Tasks controller: CRUD authorization added

#24 Updated by Walden Raines over 5 years ago

  • Related to Refactor #5628: Remove converted v1 API controllers and tests added

#25 Updated by Walden Raines over 5 years ago

  • Related to Feature #5635: Bastion: add translated 403 message to displayed error messages on form submit added

#26 Updated by Partha Aji over 5 years ago

  • Related to Bug #5682: view lifecycle environments permissions need to be handled better added

#27 Updated by Partha Aji over 5 years ago

  • Blocked by Bug #5702: (Roles Branch) v2 Content Views Controller index call ignoring environment id added

#28 Updated by Walden Raines over 5 years ago

  • Related to Bug #5720: Roles: Add scopes to finds in converted controllers added

#29 Updated by Walden Raines over 5 years ago

  • Blocked by Bug #5843: Remove v1 API routes added

#30 Updated by Walden Raines over 5 years ago

  • Related to deleted (Refactor #5628: Remove converted v1 API controllers and tests)

#31 Updated by Walden Raines over 5 years ago

  • Related to Feature #4351: Global user permissions need to be delivered to angular pages added

#32 Updated by Walden Raines over 5 years ago

  • Related to Feature #5503: Available UI interactions should reflect a user's permissions added

#33 Updated by Eric Helms over 5 years ago

  • Target version changed from 44 to 45

#34 Updated by Walden Raines over 5 years ago

  • Related to Feature #6040: Add Katello view permissions to foreman "Viewer" role added

#35 Updated by Eric Helms over 5 years ago

  • Target version changed from 45 to 48

#36 Updated by Walden Raines about 5 years ago

  • Blocked by deleted (Bug #5543: Content Search: autocomplete is not working for content views and repositories)

#37 Updated by Walden Raines about 5 years ago

  • Related to Feature #6321: Bastion pages should enforce permissions when entering the page added

#38 Updated by Eric Helms about 5 years ago

  • Legacy Backlogs Release (now unused) set to 13

#39 Updated by Eric Helms about 5 years ago

  • Target version changed from 48 to 49

#40 Updated by Eric Helms about 5 years ago

  • Target version changed from 49 to 54

#41 Updated by Eric Helms about 5 years ago

  • Blocked by deleted (Bug #4450: Tasks API is not authorized)

#42 Updated by Eric Helms about 5 years ago

  • Related to deleted (Bug #5720: Roles: Add scopes to finds in converted controllers)

#43 Updated by Eric Helms about 5 years ago

  • Status changed from New to Closed
