To share some pulp RBAC test

Has anyone tested the pulp rpm RBAC? It is Tech Preview as mentioned in the doc.

I did some tests: I would like to give user9 the right to upload rpms into a repository test9, publish it and distribute it.

My environment: the pulp instance is installed by Ansible playbook; Postgres and Redis are local. The versions of pulp core and pulp rpm are:
pulp-rpm 3.19.9
pulpcore 3.22.14

I followed the Role Based Access Control — Pulp RPM Support 3.22.3 documentation.

I created an rpm_publisher role.

  1. First, the --object option. I tried to assign the role by repository directly and got an invalid value:

(pulpcli_venv) $ pulp user role-assignment add --username user9 --role "rpm_publisher" --object "/pulp/api/v3/repositories/rpm/rpm/test9/"
Error: {"content_object":["Invalid value: /pulp/api/v3/repositories/rpm/rpm/test9/."]}

So I ran pulp rpm repository list to get the href of the repo. Using this value, the role-assignment passes:

(pulpcli_venv) [xxxx@ccosfip00336 ~]$ pulp user role-assignment add --username user9 --role "rpm_publisher" --object "/pulp/api/v3/repositories/rpm/rpm/265d7eb7-9886-432b-ab05-b98ad3412be0/"
{
"pulp_href": "/pulp/api/v3/users/3/roles/d05e717e-923a-4185-9d6c-051e3889cf65/",
"pulp_created": "2023-09-13T19:22:45.597810Z",
"role": "rpm_publisher",
"content_object": "/pulp/api/v3/repositories/rpm/rpm/265d7eb7-9886-432b-ab05-b98ad3412be0/",
"description": null,
"permissions": [
"rpm.add_rpmdistribution",
"rpm.add_rpmpublication",
"rpm.view_rpmrepository"
]
}

  2. To create the artifact: pulp artifact upload --file xxxxx.rpm
  3. Trying rpm content create, I got a permission problem:

pulp rpm content create --sha256 9af1ad0cd865accba9b9c26abe2175e47b3db3b83ec0285b2c3101e34907bdc9 --repository test9
Error: {"detail":"You do not have permission to perform this action."}

I added rpm.modify_content_rpmrepository to rpm_publisher; then the above content is created.

  4. The rpm publish and distribution are not working with the rpm_publisher role. I have not found what the necessary and minimum requirement is in terms of permission and object of the endpoint. I ended up with the rpm.admin role and --object "", but it is not what I am looking for.

Thanks in advance if there is any RBAC experience to share :slight_smile:
If I put

I'm not super confident with the rpm predefined roles.
But I'd say you need the rpm.modify_content... to be able to add (upload) an rpm. If now as an admin you have autopublish set up, the rest should happen automatically. If not, you probably need the `rpm.create_rpmrepository` permission globally. That one only works if not associated with a specific object (you want to create it after all). And so it must probably go on a separate role. Lastly, you probably need the `rpm.change_rpmdistribution` permission for an existing distribution.

So I think as a guideline you may want to separate the create permissions from the rest to be able to assign that role globally.
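Putting the first post's findings (the --object value must be the repository href with its UUID, not the name; rpm.modify_content_rpmrepository is needed for content create) together with the reply's guideline (keep create permissions on a separate, globally assigned role), here is an added example script that is not from the thread or from the pulp-cli project. It assumes `pulp role create --name ... --permission ...` and `pulp rpm repository show --name ...` behave as in pulp-cli; the second role name `rpm_creator` and the exact permission split are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): create an object-scoped publisher role and
# a global creator role, then assign both to a user for one repository.
set -eu

PULP="${PULP:-pulp}"   # PULP="echo pulp" prints the commands instead of running them

# Object-scoped permissions: act on an existing repository / distribution.
OBJECT_PERMS="rpm.view_rpmrepository rpm.modify_content_rpmrepository rpm.add_rpmpublication rpm.add_rpmdistribution rpm.change_rpmdistribution"
# Global permissions: "create" permissions only work when not bound to an object
# (assumption from the reply), so they live on a separate role assigned with --object "".
GLOBAL_PERMS="rpm.create_rpmrepository"

# Turn "a b" into "--permission a --permission b" for `pulp role create`.
perm_flags() {
  flags=""
  for p in $1; do flags="$flags --permission $p"; done
  printf '%s' "${flags# }"
}

# Extract the first pulp_href from pretty-printed `pulp ... show` JSON (one key per line).
href_from_json() {
  printf '%s\n' "$1" | sed -n 's/.*"pulp_href": *"\([^"]*\)".*/\1/p' | head -n 1
}

# --object is rejected with "Invalid value" unless it is the UUID href of the repository.
valid_repo_href() {
  printf '%s' "$1" | grep -Eq '^/pulp/api/v3/repositories/rpm/rpm/[0-9a-f-]{36}/$'
}

main() {
  user="$1"; repo="$2"
  # REPO_HREF lets a dry run (PULP="echo pulp") skip the lookup against a real server.
  href="${REPO_HREF:-$(href_from_json "$($PULP rpm repository show --name "$repo")")}"
  valid_repo_href "$href" || { echo "could not resolve a UUID href for repository $repo" >&2; exit 1; }
  # shellcheck disable=SC2046  # perm_flags output is split into separate arguments on purpose
  $PULP role create --name rpm_publisher $(perm_flags "$OBJECT_PERMS")
  $PULP role create --name rpm_creator   $(perm_flags "$GLOBAL_PERMS")
  $PULP user role-assignment add --username "$user" --role rpm_publisher --object "$href"
  $PULP user role-assignment add --username "$user" --role rpm_creator   --object ""
}

# Usage: ./publisher-roles.sh user9 test9   (nothing runs when called without arguments)
if [ $# -ge 2 ]; then main "$@"; fi
```

Run it once as admin; afterwards user9 can only touch test9 through rpm_publisher, while the creator role is the only part with global scope, which is what to review if you later tighten it further.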