
[PULP-350] Teach container to allow access to the new set/unset_label options for Content #1954

Open
ggainey opened this issue Mar 5, 2025 · 3 comments

Comments

@ggainey

ggainey commented Mar 5, 2025

pulpcore introduced labels-on-content with PR pulp/pulpcore#5787

It requires an addition to the RBAC rules to allow access to the new set/unset_label API calls, as noted here: https://github.com/pulp/pulpcore/pull/5787/files#diff-dc946cef2bc4fef289c4a2d72dde9e612e92efc300edb9273a4e01b914092401R85

@ggainey
Author

ggainey commented Mar 5, 2025

In core/rpm, we allow set/unset_labels with the same permissions as "create" - "has_required_repo_perms_on_upload:rpm.modify_content_rpmrepository","has_required_repo_perms_on_upload:rpm.view_rpmrepository".

@gerrod3
Contributor

gerrod3 commented Mar 5, 2025

@ggainey The permissions you are using for rpm/core don't work as you think they do. set/unset_labels doesn't require a repository in the function so the access condition methods will raise a ValidationError unless you are an admin. (https://github.com/pulp/pulpcore/blob/main/pulpcore/app/global_access_conditions.py#L529-L530) We should fix this, probably need a new access condition method to check if the content is in a repository that the user has the specific perm (modify_content) on.

As for pulp_container, all of the content can only be created by sync or docker/podman upload; they all have read-only viewsets. They also all share a special mixin with this function (https://github.com/pulp/pulp_container/blob/main/pulp_container/app/viewsets.py#L182) that is used for queryset scoping. The scope function checks for mirror & push perms, which are basically read & write perms, so we would probably need another access condition method in pulp-container to only check for push perm.
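The failure mode gerrod3 describes, and the proposed fix, can be modelled outside of pulpcore. The following is an added illustration, not code from pulpcore or pulp_container: it replaces Django models and the real `has_required_repo_perms_on_upload` with plain Python stand-ins (`User`, `Repository`, the two `has_*` functions and the sample data are all constructed for this example). The first condition mirrors the upload-style check, which needs a repository on the request and therefore fails for a content-only call like set_label unless the caller is an admin. The second is the shape of the suggested replacement: look up the repositories that contain the content and grant access only if the user holds the required object-level permission (`modify_content` for core/rpm, `push` for pulp_container) on at least one of them.

```python
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional, Set, Tuple


class AccessConditionError(Exception):
    """Stand-in for the ValidationError the upload-style condition raises."""


@dataclass(frozen=True)
class User:
    name: str
    is_superuser: bool = False
    # Object-level permissions as (perm, repository_name) pairs (constructed model).
    object_perms: FrozenSet[Tuple[str, str]] = frozenset()


@dataclass
class Repository:
    name: str
    content_ids: Set[str] = field(default_factory=set)


def has_required_repo_perms_on_upload(
    user: User, perm: str, repository: Optional[Repository]
) -> bool:
    """Upload-style condition: expects a repository on the request.

    A content-level call (set_label / unset_label) carries no repository, so
    non-admin callers never reach the permission check; they get an error.
    """
    if user.is_superuser:
        return True
    if repository is None:
        raise AccessConditionError("a repository is required for this check")
    return (perm, repository.name) in user.object_perms


def has_repo_perm_on_content(
    user: User, perm: str, content_id: str, repositories: List[Repository]
) -> bool:
    """Proposed condition: derive the repositories from the content itself.

    Access is granted if the user holds `perm` on any repository that
    currently contains the content; content in no repository is denied.
    """
    if user.is_superuser:
        return True
    containing = [r for r in repositories if content_id in r.content_ids]
    return any((perm, r.name) in user.object_perms for r in containing)


# Constructed sample data: two repositories, one shared content unit.
REPOS = [
    Repository("rpm-dev", {"pkg-1", "pkg-2"}),
    Repository("rpm-prod", {"pkg-2"}),
]
ADMIN = User("admin", is_superuser=True)
DEV = User("dev", object_perms=frozenset({("rpm.modify_content_rpmrepository", "rpm-dev")}))
READER = User("reader", object_perms=frozenset({("rpm.view_rpmrepository", "rpm-prod")}))


def label_check_upload_style(user: User) -> Optional[bool]:
    """Run the upload-style check the way a set_label call would: no repository.

    Returns None when the condition errors out instead of answering.
    """
    try:
        return has_required_repo_perms_on_upload(user, "rpm.modify_content_rpmrepository", None)
    except AccessConditionError:
        return None


def label_check_content_style(user: User, content_id: str) -> bool:
    return has_repo_perm_on_content(user, "rpm.modify_content_rpmrepository", content_id, REPOS)


if __name__ == "__main__":
    for u in (ADMIN, DEV, READER):
        print(u.name, "upload-style:", label_check_upload_style(u),
              "content-style(pkg-2):", label_check_content_style(u, "pkg-2"))
```

The same `has_repo_perm_on_content` shape covers the pulp_container case by passing `"container.push"`-style permission names instead of the rpm ones; the difference from the existing scoping mixin is that only the write-side permission is consulted, not mirror.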

@ggainey
Author

ggainey commented Mar 5, 2025

> don't work as you think they do

Ha! Well, guess all of us doing/reviewing missed that, starting w/ pulpcore. OK, we def need issues in core/rpm to fix that.

> would probably need another access condition method in pulp-container to only check for push perm.

Yeah, that's the direction I was heading/thinking, thanks.
