Insights Role Based Access Control README

About

Insights RBAC's goal is to provide an open source solution for storing roles, permissions and groups.

Full documentation is available through readthedocs. More info is available through platformdocs.

Getting Started

This is a Python project developed using Python 3.9. Make sure you have at least this version installed.

Additionally, the development environment installation requires the postgresql-devel package installed for your distribution before running properly.

Development

To get started developing against Insights-rbac, first clone a local copy of the git repository:

git clone https://github.com/RedHatInsights/insights-rbac.git

Developing inside a virtual environment is recommended. A Pipfile is provided. Pipenv is recommended for combining virtual environment (virtualenv) and dependency management (pip). To install pipenv, use pip:

pip3 install pipenv

Then project dependencies and a virtual environment can be created using:

pipenv install --dev

To activate the virtual environment run:

pipenv shell

Preferred Environment

Please refer to Working with Openshift.

Alternative Environment

If deploying with Openshift seems overly complex you can try an alternate local environment, where you will need to install and set up some of the dependencies and configuration yourself.

Configuration

This project is developed using the Django web framework. Many configuration settings can be read in from a .env file. An example file .env.example is provided in the repository. To use the defaults simply:

cp .env.example .env

Modify as you see fit.

Database

PostgreSQL is used as the database backend for Insights-rbac. A docker-compose file is provided for creating a local database container. If modifications were made to the .env file the docker-compose file will need to be modified to ensure matching database credentials. Several commands are available for interacting with the database:

# This will launch a Postgres container
make start-db

# This will run Django's migrations against the database
make run-migrations

# This will stop and remove a currently running database and run the above commands
make reinitdb

Assuming the default .env file values are used, to access the database directly using psql run:

psql postgres -U postgres -h localhost -p 15432

There is a known limitation with docker-compose on Linux hosts with SELinux enabled. You may see the following error during the postgres container deployment:

mkdir: cannot create directory '/var/lib/pgsql/data/userdata': Permission denied

This can be resolved by granting ownership of ./pg_data to uid 26 (the postgres user in centos/postgresql-96-centos7).

If a docker container running Postgres is not feasible, it is possible to run Postgres locally as documented in the Postgres tutorial. The default port for local Postgres installations is 5432. Make sure to modify the .env file accordingly. To initialize the database run:

make run-migrations

You may also run migrations explicitly, and in parallel, by specifying TENANT_PARALLEL_MIGRATION_MAX_PROCESSES (the number of concurrent processes to run migrations) and/or TENANT_PARALLEL_MIGRATION_CHUNKS (the number of migrations for each process to run at a time). Both of these values default to 2. Be mindful of the fact that bumping these values will consume more database connections:

TENANT_PARALLEL_MIGRATION_MAX_PROCESSES=4 TENANT_PARALLEL_MIGRATION_CHUNKS=2 ./rbac/manage.py migrate

Seeds

Default permissions, roles and groups are seeded automatically when the application starts, unless the corresponding environment variable is set to 'False':

PERMISSION_SEEDING_ENABLED
ROLE_SEEDING_ENABLED
GROUP_SEEDING_ENABLED

Locally these are sourced from /rbac/management/role/definitions/*.json, while the config maps in deployed instances are sourced from our RBAC config repo. If any changes to default roles/groups are required, they should be made there.

You can also execute the following Django command to run seeds manually. It is recommended that you disable db signals while running seeds by setting ACCESS_CACHE_CONNECT_SIGNALS=False; the access cache is invalidated once seeding has completed for each tenant. You may also specify the number of concurrent threads in which seeds should be run by setting MAX_SEED_THREADS, either in the process or in the app environment. The default value is 2. Be mindful of the fact that bumping this value will consume more database connections:

ACCESS_CACHE_CONNECT_SIGNALS=False MAX_SEED_THREADS=2 ./rbac/manage.py seeds [--roles|--groups|--permissions]

Server

To run a local dev Django server you can use:

make serve

To run the local dev Django server on a specific port use:

make PORT=8111 serve

Making Requests

You can make requests to RBAC locally to mimic traffic coming from the gateway, or locally within the same cluster from another internal service.

Basic/JWT Auth with an Identity Header

By default, with the DEVELOPMENT variable set to True, dev_middleware.py is used. It sets a mock identity header on every request for you. You can modify this header to add new users to your tenant by changing the username, create new tenants by changing the account_number, and toggle between admin and non-admin by flipping is_org_admin between True and False.

This will allow you to simulate a JWT or basic-auth request from the gateway.

Service to Service Requests

RBAC also allows service-to-service requests. These require a pre-shared key (PSK) and some additional headers in order to authorize the request as an "admin". To test this locally, do the following:

First, disable the local setting of the identity header in dev_middleware.py by commenting out this line:

request.META[self.header] = dev_header

Next, start the server with:

make serve SERVICE_PSKS='{"catalog": {"secret": "abc123"}}'

Verify that you cannot access any endpoint requiring auth:

curl http://localhost:8000/api/rbac/v1/roles/ -v

Verify that if you pass in the correct headers/values, you can access the endpoint:

curl http://localhost:8000/api/rbac/v1/roles/ -v -H 'x-rh-rbac-psk: abc123' -H 'x-rh-rbac-account: 10001' -H 'x-rh-rbac-client-id: catalog'

Change the 'x-rh-rbac-client-id', 'x-rh-rbac-psk' or 'x-rh-rbac-account' header value to see that you get back a 401 (or a 400 with an account that doesn't exist).

You can also send a request with the identity header explicitly in the curl command along with the service-to-service headers to verify that the identity header will take precedence.
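The following is an added example of the service-to-service check described above, written for this page and not taken from the project's middleware. It parses a SERVICE_PSKS value of the same shape as the `make serve` example, then maps a request's headers to the outcomes the curl commands above demonstrate (identity header takes precedence; bad client id or PSK gives 401; unknown account gives 400). The KNOWN_ACCOUNTS set is a constructed stand-in for the tenant lookup, and the returned context dict is an assumption about what the middleware would attach to the request.

```python
import hmac
import json

# Added example of the service-to-service check, not the project's middleware.


def load_service_psks(raw):
    """Parse a SERVICE_PSKS value ('{"catalog": {"secret": "abc123"}}') and reject
    malformed entries at startup rather than at request time."""
    data = json.loads(raw)
    if not isinstance(data, dict):
        raise ValueError("SERVICE_PSKS must be a JSON object keyed by client id")
    for client_id, entry in data.items():
        secret = entry.get("secret") if isinstance(entry, dict) else None
        if not isinstance(secret, str) or not secret:
            raise ValueError("SERVICE_PSKS[%r] needs a non-empty string 'secret'" % client_id)
    return data


# Same value as the `make serve` example above.
SERVICE_PSKS = load_service_psks('{"catalog": {"secret": "abc123"}}')

# Constructed stand-in for the tenant lookup: account numbers that exist.
KNOWN_ACCOUNTS = {"10001"}


def authorize_request(headers, service_psks=SERVICE_PSKS, known_accounts=KNOWN_ACCOUNTS):
    """Return (status, context) for one request, following the outcomes listed above:
    an x-rh-identity header takes precedence over the service headers; a missing or
    unknown client id, or a wrong PSK, is 401; an account that does not exist is 400;
    otherwise the service acts as an org admin for that account.

    The PSK is checked before the account is looked up, so an unauthenticated caller
    cannot use the 400/401 difference to discover which account numbers exist.
    """
    h = {k.lower(): v for k, v in headers.items()}

    if h.get("x-rh-identity"):
        # Precedence rule: the identity header wins; it is decoded by the identity middleware.
        return 200, {"auth": "identity"}

    client_id = h.get("x-rh-rbac-client-id")
    psk = h.get("x-rh-rbac-psk")
    account = h.get("x-rh-rbac-account")
    if not (client_id and psk and account):
        return 401, None

    expected = service_psks.get(client_id, {}).get("secret")
    # compare_digest avoids leaking how many leading bytes of the secret matched.
    if expected is None or not hmac.compare_digest(expected.encode(), psk.encode()):
        return 401, None

    if account not in known_accounts:
        return 400, None

    return 200, {"auth": "service", "client_id": client_id, "account": account, "is_org_admin": True}
```

The three curl invocations above correspond to `authorize_request({})`, `authorize_request({"x-rh-rbac-psk": "abc123", "x-rh-rbac-account": "10001", "x-rh-rbac-client-id": "catalog"})` and the same call with one header value changed.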

Testing and Linting

Insights-rbac uses tox to standardize the environment used when running tests. Essentially, tox manages its own virtual environment and a copy of required dependencies to run tests. To ensure a clean tox environment run:

tox -r

This will rebuild the tox virtual env and then run all tests.

To run unit tests specifically:

tox -e py39

To lint the code base:

tox -e lint

Caveats

For all requests to the Insights RBAC API, it is assumed and required that principal information for the request be sent in a header named x-rh-identity. The information in this header is used to determine the tenant, principal and other account-level information for the request.

Consumers of this API through cloud.redhat.com should not be concerned with adding this header, as it will be overwritten by the gateway. All traffic to the Insights RBAC API comes through Akamai and the Insights 3scale Gateway. The gateway is responsible for adding the x-rh-identity header to all authenticated requests.

Any internal, service-to-service requests which do not go through the gateway will need to have this header added to each request. Because the service trusts the header as-is, it must only be reachable through the gateway or from trusted internal services; any path that lets an external client reach it directly would let that client assert an arbitrary identity.

This header requirement is not reflected in the openapi.json spec, as it would cause spec-based API clients to require the header, which would be superfluously added to all requests on cloud.redhat.com.

Contributing

This repository uses pre-commit to check and enforce code style. It uses Black to reformat the Python code and Flake8 to check it afterwards. Other formats and text files are linted as well.

Install pre-commit hooks to your local repository by running:

$ pre-commit install

After that, all your committed files will be linted. If the checks don’t succeed, the commit will be rejected. Please make sure all checks pass before submitting a pull request. Thanks!

Repositories of the roles to be seeded

Default roles can be found in the RBAC config repo.

For additional information please refer to Contributing.

Contributors

abaiken, aleccohan, astrozzc, bennyturns, bsquizz, casey-williams-rh, catastrophe-brandon, chambridge, coderbydesign, dagbay-rh, ddonahue007, dehort, ellen-yi-dong, j00bar, justinorringer, kylape, lphiri, lpichler, mfindra, mikelalejobr, mjholder, mkanoor, petracihalova, psav, pyup-bot, redallen, shannon-donahue, vbelchio, wcmitchell, xxlhacker

insights-rbac's Issues

List the current roles assigned to a user

User Story

The currently logged in user (normal user or admin user) would like to know the roles that he is assigned to.

Impacts

The current get_principal_access lists all the permissions assigned to a user; we would like to use the same API but limit the scope to roles. The default scope for get_principal_access could be access, but a user could curtail it at the role level.

Role

A user

Assumptions

  • default type is permission

API Details

API Detail
Method GET
Path /api/v1/access/?type=role

Acceptance Criteria

  • Request returns all roles for a user when type=role is provided
  • Request returns 400 when bad type is provided

List roles of a group

It is highly desired to be able to query roles (or at least policies) for a given group. One possible solution might be to enhance the policy listing option to accept a group name or uuid.

Filter objects by name in list_* calls

User Story

The user making the API call would want to fetch objects where the name matches a sub string
Without this API the user would have to fetch all the objects and then filter out the ones he needs. By pushing the filter logic to the server side we can limit the number of objects being exchanged.

Impacts

API, UI, Docs

Role

Assumptions

  • Supports simple regular expression (e.g. name = test_1*)

API Details

API Detail
Method GET
Path /api/v1/roles/
Body
Response

UI Details

Acceptance Criteria

  • [ ]
  • [ ]

Incomplete Models

Describe the bug
Inherited models don't contain all the attributes

To Reproduce
Steps to reproduce the behavior:

  1. Run openapi-generator on the json file and create a client
  2. open the docs directory where the client is generated
  3. Examine the RoleIn.md file
  4. It only lists name as the single property; access is missing

Expected behavior
The object definition should have included name and access properties

Screenshots

RBACApiClient::RoleIn

Properties

Name Type Description Notes
name String

This is true for several other objects in the definition, the problem seems to be a missing object node in the swagger definition when doing inheritance
https://swagger.io/docs/specification/data-models/inheritance-and-polymorphism/

allOf:     # Combines the BasicErrorModel and the inline model
  - $ref: '#/components/schemas/BasicErrorModel'
  - type: object

PolicyPagination has roles as an array of strings

Describe the bug
The PolicyPagination object has a PolicyOut object which stores roles as an array of strings

To Reproduce
Steps to reproduce the behavior:

  1. Fetch the policies
  2. Examine each policy object for group and roles

Travis failing with dependency install

Describe the bug
Travis builds are failing with a pip install issue:

Installing initially failed dependencies…
[pipenv.exceptions.InstallError]:   File "/home/travis/build/RedHatInsights/insights-rbac/.tox/py36/lib/python3.6/site-packages/pipenv/core.py", line 1874, in do_install
[pipenv.exceptions.InstallError]:       keep_outdated=keep_outdated
[pipenv.exceptions.InstallError]:   File "/home/travis/build/RedHatInsights/insights-rbac/.tox/py36/lib/python3.6/site-packages/pipenv/core.py", line 1253, in do_init
[pipenv.exceptions.InstallError]:       pypi_mirror=pypi_mirror,
[pipenv.exceptions.InstallError]:   File "/home/travis/build/RedHatInsights/insights-rbac/.tox/py36/lib/python3.6/site-packages/pipenv/core.py", line 859, in do_install_dependencies
[pipenv.exceptions.InstallError]:       retry_list, procs, failed_deps_queue, requirements_dir, **install_kwargs
[pipenv.exceptions.InstallError]:   File "/home/travis/build/RedHatInsights/insights-rbac/.tox/py36/lib/python3.6/site-packages/pipenv/core.py", line 763, in batch_install
[pipenv.exceptions.InstallError]:       _cleanup_procs(procs, not blocking, failed_deps_queue, retry=retry)
[pipenv.exceptions.InstallError]:   File "/home/travis/build/RedHatInsights/insights-rbac/.tox/py36/lib/python3.6/site-packages/pipenv/core.py", line 681, in _cleanup_procs
[pipenv.exceptions.InstallError]:       raise exceptions.InstallError(c.dep.name, extra=err_lines)
[pipenv.exceptions.InstallError]: ['Looking in indexes: https://pypi.python.org/simple', 'Collecting pyparsing==2.4.1 (from -r /tmp/pipenv-jjzpdvhg-requirements/pipenv-f0g67bpk-requirement.txt (line 1))']
[pipenv.exceptions.InstallError]: ['Could not find a version that satisfies the requirement pyparsing==2.4.1 (from -r /tmp/pipenv-jjzpdvhg-requirements/pipenv-f0g67bpk-requirement.txt (line 1)) (from versions: 1.4.6, 1.4.7, 1.4.8, 1.4.11, 1.5.0, 1.5.1, 1.5.2, 1.5.3, 1.5.4, 1.5.5, 1.5.6, 1.5.7, 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.0.6, 2.0.7, 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.1.6, 2.1.7, 2.1.8, 2.1.9, 2.1.10, 2.2.0, 2.2.1, 2.2.2, 2.3.0, 2.3.1, 2.4.0, 2.4.1.1, 2.4.2a1, 2.4.2)', 'No matching distribution found for pyparsing==2.4.1 (from -r /tmp/pipenv-jjzpdvhg-requirements/pipenv-f0g67bpk-requirement.txt (line 1))']
ERROR: ERROR: Package installation failed...

To Reproduce
Steps to reproduce the behavior:

  1. Run travis build
  2. See error

Expected behavior
Dependencies should install and travis run cleanly on master.

Add a group description

User Story

When an Administrator adds a new group they should optionally have the ability to set/edit the group description.

Impacts

API
UI

Role

Assumptions

API Details

API Detail
Method GET/POST/PUT/PATCH/DELETE
Path /api/v1/?/
Body
Response

UI Details

Acceptance Criteria

  • [ ]
  • [ ]

Group update missing from open api definition

Describe the bug
Open API definition is missing the PUT method on /v1/groups/{uuid}/ to set the name and definition of the group.

To Reproduce
Open openapi.json in swagger editor and see missing method.

Expected behavior
PUT method should be documented for group

Load Default Roles at startup for each application

Describe the bug
The roles define the permissions, which are application specific; we would like these to be shared between tenants and marked as read-only so users don't end up deleting them. These basic roles are needed for each application to work properly. Each app team would provide a JSON file with the default roles and the RBAC service would load them in at startup. Once a user queries the roles, the roles should include these default roles, which are visible across tenants.

To Reproduce

Expected behavior

  • Load the default roles
  • List the default roles when a user queries for it.
  • Don't allow users to delete these roles.

Additional context
Sample Payload for Catalog App

{"roles":[{"name":"Catalog Administrator","description":"A catalog administrator roles grants read, write and order permissions","access":[{"permission":"catalog:portfolios:read"},{"permission":"catalog:portfolios:write"},{"permission":"catalog:portfolios:order"},{"permission":"catalog:portfolio_items:read"},{"permission":"catalog:portfolio_items:write"},{"permission":"catalog:portfolio_items:order"},{"permission":"catalog:orders:read"},{"permission":"catalog:orders:write"},{"permission":"catalog:orders:order"},{"permission":"catalog:order_items:read"},{"permission":"catalog:order_items:write"},{"permission":"catalog:order_items:order"},{"permission":"catalog:progress_messages:read"},{"permission":"catalog:progress_messages:write"}]},{"name":"Catalog User","description":"A catalog user roles grants read and order permissions","access":[{"permission":"catalog:portfolios:read"},{"permission":"catalog:portfolios:order"},{"permission":"catalog:portfolio_items:read"},{"permission":"catalog:portfolio_items:order"},{"permission":"catalog:orders:read"},{"permission":"catalog:orders:order"},{"permission":"catalog:order_items:read"},{"permission":"catalog:order_items:order"},{"permission":"catalog:progress_messages:read"}]}]}

Traceback: binascii.Error: Incorrect padding

Describe the bug
Receiving a 500 from the /api/rbac/v1/access/ API with traceback:

Traceback (most recent call last):
  File "/opt/app-root/lib/python3.6/site-packages/django/core/handlers/exception.py", line 34, in inner
    response = get_response(request)
  File "/opt/app-root/lib/python3.6/site-packages/django/utils/deprecation.py", line 93, in __call__
    response = self.process_request(request)
  File "/opt/app-root/src/rbac/rbac/middleware.py", line 230, in process_request
    rh_auth_header, json_rh_auth = extract_header(request, self.header)
  File "/opt/app-root/src/rbac/api/serializers.py", line 49, in extract_header
    decoded_rh_auth = b64decode(rh_auth_header)
  File "/opt/app-root/lib64/python3.6/base64.py", line 87, in b64decode
    return binascii.a2b_base64(s)
binascii.Error: Incorrect padding

https://stackoverflow.com/questions/2941995/python-ignore-incorrect-padding-error-when-base64-decoding

To Reproduce
Steps to reproduce the behavior:

  1. Problem seen intermittently

Expected behavior
Should properly decode the authentication header.
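Added example, written for this page and not taken from the project's serializers: it builds an x-rh-identity value of the shape the README's "Making Requests" and "Caveats" sections describe (identity.account_number, identity.user.username, identity.user.is_org_admin) and decodes it so that a malformed value (wrong padding as in the traceback above, stray characters, a non-JSON payload, or missing fields) is reported as a client error rather than escaping as binascii.Error and turning into a 500. The "type" field, the BadIdentityHeader exception and the 401-when-absent mapping are assumptions for illustration.

```python
import base64
import binascii
import json

# Added example: a hardened version of the x-rh-identity decoding step, not the project's code.


class BadIdentityHeader(ValueError):
    """Raised for any malformed x-rh-identity value; callers map it to HTTP 400."""


def build_identity_header(account_number, username, is_org_admin=False):
    """Encode an identity header like the dev middleware's mock header.

    identity.account_number, identity.user.username and identity.user.is_org_admin
    are the fields the README names; "type" is an assumption for illustration.
    """
    payload = {
        "identity": {
            "account_number": account_number,
            "type": "User",
            "user": {"username": username, "is_org_admin": is_org_admin},
        }
    }
    return base64.b64encode(json.dumps(payload).encode("utf-8")).decode("ascii")


def parse_identity_header(value):
    """Decode and validate an x-rh-identity value.

    Every failure mode becomes BadIdentityHeader: wrong padding or stray characters
    (binascii.Error), non-ASCII input (ValueError), non-UTF-8 or non-JSON payloads,
    and JSON that is not an object carrying the expected identity fields.
    """
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError, TypeError) as exc:
        raise BadIdentityHeader("header is not valid base64: %s" % exc) from None
    try:
        data = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        raise BadIdentityHeader("header payload is not JSON: %s" % exc) from None

    identity = data.get("identity") if isinstance(data, dict) else None
    if not isinstance(identity, dict):
        raise BadIdentityHeader("missing identity object")
    account = identity.get("account_number")
    user = identity.get("user")
    if not isinstance(account, str) or not account:
        raise BadIdentityHeader("missing identity.account_number")
    if not isinstance(user, dict) or not isinstance(user.get("username"), str):
        raise BadIdentityHeader("missing identity.user.username")
    return {
        "account_number": account,
        "username": user["username"],
        "is_org_admin": bool(user.get("is_org_admin", False)),
    }


def identity_status(value):
    """Map a raw header value to the status the middleware should answer with
    (assumed mapping): 401 when the header is absent, 400 when it is malformed,
    200 together with the parsed identity otherwise."""
    if not value:
        return 401, None
    try:
        return 200, parse_identity_header(value)
    except BadIdentityHeader as exc:
        return 400, str(exc)
```

`validate=True` makes b64decode reject anything outside the base64 alphabet instead of silently discarding it, so a header that was mangled in transit fails loudly and early rather than decoding to a different payload.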

Test Case for orphaned policy

Describe the bug
Create a test case that covers the potential for orphaned policy.

Policies could be orphaned in two ways:

  • Group is deleted
  • Policy contained only one role and that role is deleted.

In both of the above cases the associated policy should be removed.

Get list of groups that a user belongs to

User Story

A logged in user would like to know what groups he belongs to so he can do group level activity. For the Approval service a user can approve all requests in a group.

Impacts

API, UI, Docs

Role

Assumptions

API Details

API Detail
Method GET
Path /v1/groups/?username={username}
Body
Response

UI Details

Acceptance Criteria

  • [ ]
  • [ ]

Documentation has typo for principals

Describe the bug
Documentation has typo for principals

To Reproduce
Steps to reproduce the behavior:

  1. Go to r/insights/platform/rbac/apidoc/index.html#api-Group-removePrincipals
  2. See section title and api address

Both cases have principals spelt incorrectly.

Screenshots
screenshot from 2019-02-07 15-07-18

List roles for principals still needs the principal to be an admin

Describe the bug
The list_roles and list_groups function which take scope=principal still require the principal to be admin. The admin check should only be used when the scope=account. If there are no roles assigned we should get back an empty array but not a 403 error.

To Reproduce
Steps to reproduce the behavior:

  1. As an admin assign a role/group to a standard non admin user
  2. Login as the non admin user and fetch the roles/groups assigned to you

Expected behavior
Non admin users should be able to list their groups/roles

Update PII when user changed account info

User Story

As the Insights Platform owner, I would like all PII data collected by the RBAC service to be automatically updated when users update or delete their accounts on the Customer Portal so that I can satisfy privacy requirements

Impacts

API backend

Acceptance Criteria

  • When a user updates their information in the Red Hat user database , any PII in RBAC database is updated
  • When a user deletes their account, any PII is removed from the RBAC database
  • The update does not have to happen immediately but within a configurable amount of time, e.g. within 1 business day.

Enable CloudWatch Logging

User Story

As dev/ops I want to adhere to the platform's logging requirements so I can view logs in a timely manner when debugging issues.

Role

Assumptions

  • A ticket has been submitted to RHIOPS for AWS access for logging
  • We need to update logging in our Django settings to send to CloudWatch

See https://github.com/RedHatInsights/cloudwatch-test for example

Acceptance Criteria

  • Dev projects log to the new dev kibana cluster
  • Prod projects log to the new prod kibana cluster

Principal/policy counts seem incorrect

Describe the bug
A clear and concise description of what the bug is.

To Reproduce
Steps to reproduce the behavior:

  1. Go to 'api/rbac/v1/groups'
  2. Create a group
  3. Add principal to group
  4. Create role/policy
  5. Add second user to group
  6. Check group principal/policy counts

Expected behavior
Counts should match principals and policies independently.

Context (please complete the following information):

  • OS: Fedora
  • Browser: FireFox
  • Commit Hash from status endpoint: "6e05d8cb2ac3f6fa26fe19a1e8797a73bb312e91"

Additional context

{
    "uuid": "745ac0cd-b8a3-4a92-a480-bebea168c2e4",
    "name": "test_group_PuAKHCGnWX",
    "description": "Group for admin tests",
    "principalCount": 2,
    "policyCount": 2,
    "created": "2019-07-15T10:57:00.728610Z",
    "modified": "2019-07-15T10:59:33.001129Z"
}

Looking at the code I believe the issue is with Group.objects.annotate here
https://github.com/RedHatInsights/insights-rbac/blob/master/rbac/management/group/view.py#L66

While investigating we found this https://docs.djangoproject.com/en/2.2/topics/db/aggregation/#combining-multiple-aggregations

User Access data not paginated result

Describe the bug
The output from the access endpoint does not match the Open API definition which specifies a paginated response.

To Reproduce
Steps to reproduce the behavior:

  1. Create a group and add a user
  2. Create a role with associated permission and resource definition
  3. Create policy to associate the group and role
  4. Call the access endpoint and see the error:
{"access":[{"permission":"catalog:portfolios:read","resourceDefinition":[]},{"permission":"catalog:portfolios:execute","resourceDefinition":[]},{"permission":"catalog:portfolio_items:read","resourceDefinition":[]},{"permission":"catalog:portfolio_items:execute","resourceDefinition":[]},{"permission":"catalog:orders:read","resourceDefinition":[]},{"permission":"catalog:orders:execute","resourceDefinition":[]},{"permission":"catalog:order_items:read","resourceDefinition":[]},{"permission":"catalog:order_items:execute","resourceDefinition":[]},{"permission":"catalog:progress_messages:read","resourceDefinition":[]}]}

Expected behavior
Should provide a paginated response object matching the platform guidelines described in the existing OpenAPI example:

x-rh-identity causes an error about missing user

Describe the bug
When trying to connect to the RBAC service to get roles in the QE environment we get the following error:

Traceback (most recent call last):
  File "/opt/app-root/lib/python3.6/site-packages/django/core/handlers/exception.py", line 34, in inner
    response = get_response(request)
  File "/opt/app-root/lib/python3.6/site-packages/django/utils/deprecation.py", line 93, in __call__
    response = self.process_response(request, response)
  File "/opt/app-root/src/rbac/rbac/middleware.py", line 287, in process_response
    if request.user:
AttributeError: 'WSGIRequest' object has no attribute 'user'

To Reproduce
From inside dev cluster
Pass the following x-rh-identity
Expected behavior
Incompatible header


Lint failing on master with pydocstyle error

Describe the bug
tox fails during lint with the following error:
"flake8-docstrings" failed during execution due to "module 'pydocstyle' has no attribute 'tokenize_open'"

To Reproduce
Steps to reproduce the behavior:

  1. Clone repo
  2. pipenv install --dev
  3. Execute tox
  4. See error

Expected behavior
master branch should not have a build failure.

An internal flag for roles and policies

The RBAC UI allows admins to create policies and view roles. Our apps also create policies and roles, often because roles with ACLs for selected entities need to be created on the fly. They are not directly created by users (admins) and therefore should not be visible in the UI.

We propose to have an internal flag when creating roles and policies. The default value can be false. UI can then list those having the internal flag to be false. This flag needs to be in the listing option too.

Handle create role update for existing tenants where role is version 1

Describe the bug

Using Role.get_or_create() roles are initialized to version 1, so if a system role is created with version 1 it will not be correctly updated.

To Reproduce
Steps to reproduce the behavior:

  1. Add a system role definition with version 1
  2. See error

Expected behavior
New roles for existing accounts should be created correctly with version 1.

Document pagination query parameters

User Story

As an API user, I want to be able to specify parameters to paginate through data so that I can view large amounts of data.

Impacts

API, Docs

Role

API User

API Details

  • Using page and page_size for query params

Default page_size is 10.

Acceptance Criteria

  • OpenAPI definition contains query parameters for pagination
  • API doc contains query parameters for pagination

Access API is returning other applications and not only the requested

Describe the bug
The /access/ endpoint is not doing an exact match with the application param, we noticed this when we decided to rename from custom-policies to policies. We noticed that the call:
/api/rbac/v1/access/?application=policies still returned the custom-policies permission.

To Reproduce
Steps to reproduce the behavior:

  1. Go to https://ci.cloud.redhat.com/ and login
  2. Go to https://ci.cloud.redhat.com/api/rbac/v1/access/?application=po
  3. See that it returns every permission of every application that has "po" in its name
{
    "meta": {
        "count": 7,
        "limit": 1000,
        "offset": 0
    },
    "links": {
        "first": "/api/rbac/v1/access/?application=po&limit=1000&offset=0",
        "next": null,
        "previous": null,
        "last": "/api/rbac/v1/access/?application=po&limit=1000&offset=0"
    },
    "data": [
        {
            "permission": "catalog:portfolios:read",
            "resourceDefinitions": [
                {
                    "attributeFilter": {
                        "key": "scope",
                        "value": "group",
                        "operation": "equal"
                    }
                }
            ]
        },
        ...
    ]
}

Expected behavior
I would expect the application to be an exact match of the application that we require, as shown in the openapi.json doc:

The application name to obtain access for the principal

Context (please complete the following information):

  • OS: Fedora
  • Browser: Chrome
  • Commit Hash from status endpoint: c107d88022cf94b7744da5d35ec7ca98e0f25f75
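Added example, not the view code in this repository: the substring behaviour this issue reports, side by side with an exact match on the application component of the app:resource:verb permission string, both run over constructed access entries. The entries and the three-part permission format follow the payloads shown on this page; nothing else is taken from the project.

```python
# Added example for the exact-match fix, not the project's view code.

# Constructed access entries in the app:resource:verb shape used on this page.
ACCESS = [
    {"permission": "catalog:portfolios:read", "resourceDefinitions": []},
    {"permission": "catalog:portfolios:write", "resourceDefinitions": []},
    {"permission": "policies:policies:read", "resourceDefinitions": []},
    {"permission": "custom-policies:policies:read", "resourceDefinitions": []},
    {"permission": "inventory:hosts:read", "resourceDefinitions": []},
]


def parse_permission(permission):
    """Split app:resource:verb into its three parts; anything else is rejected, not guessed at."""
    parts = permission.split(":")
    if len(parts) != 3 or not all(parts):
        raise ValueError("malformed permission: %r" % permission)
    return tuple(parts)


def filter_access_substring(access, application):
    """The behaviour the issue reports: the query value is matched anywhere in the
    permission string, so ?application=po also returns catalog:portfolios:* and
    ?application=policies also returns custom-policies:*."""
    return [entry for entry in access if application in entry["permission"]]


def filter_access_exact(access, application):
    """The expected behaviour: compare the query value only against the application
    component, and only for equality, so a caller gets exactly the app it asked for."""
    matched = []
    for entry in access:
        app, _resource, _verb = parse_permission(entry["permission"])
        if app == application:
            matched.append(entry)
    return matched
```

The difference matters beyond tidiness: the substring form lets one application's client observe permissions granted for another application whose name happens to contain the query string.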

Add system defined roles for cost management

Cost management application would like several system defined roles that are seeded.

  • Cost Administrator
  • Cost Price List Administrator
  • Cost Cloud Viewer
  • Cost OpenShift Viewer

Migrate production to use RDS and TLS certificate connection

The platform team has provisioned us an RDS database that has proper encryption enabled. The production environment already contains the secret to connect to the database along with a certificate to use for TLS connection.

We need to migrate the data (if possible) from our existing postgres database to the platform provisioned RDS and enable the TLS certificate based connection.

Inconsistent get_principal_access result

In the QE environment a user insights-qa has 2 different result sets coming back from a call to get_principal_access when called externally via 3scale and when called internally from a pod. The user is a member of the "Catalog Administrators" group and has a "Catalog Administrator" role.
When doing an external access we get back this ACL
{:permission=>"catalog:portfolios:write", :resourceDefinitions=>[{:attributeFilter=>{:key=>"id", :operation=>"equal", :value=>"*"}}]}
This one is missing when being accessed internally from the pod.

To Reproduce
Steps to reproduce the behavior:

  1. Call get_principal_access for insights-qa externally
  2. Call get_principal_access from a pod and pass in x-rh-identity with the following base64 string

"eyJpZGVudGl0eSI6eyJpbnRlcm5hbCI6eyJhdXRoX3RpbWUiOjAsImF1dGhfdHlwZSI6ImJhc2ljLWF1dGgiLCJvcmdfaWQiOiIxMTc4OTc3MiJ9LCJh Y2NvdW50X251bWJlciI6IjYwODk3MTkiLCJ1c2VyIjp7ImZpcnN0X25hbWUiOiJKZWZmIiwibGFzdF9uYW1lIjoiTmVlZGxlIiwiaXNfaW50ZXJuYWwiOmZhbHNlLCJpc19hY3R pdmUiOnRydWUsImxvY2FsZSI6ImVuX1VTIiwiaXNfb3JnX2FkbWluIjp0cnVlLCJ1c2VybmFtZSI6Imluc2lnaHRzLXFhIiwiZW1haWwiOiJqbmVlZGxlK3FhQHJlZGhhdC5jb2 0ifSwidHlwZSI6IlVzZXIifSwiZW50aXRsZW1lbnRzIjp7Imluc2lnaHRzIjp7ImlzX2VudGl0bGVkIjp0cnVlfSwib3BlbnNoaWZ0Ijp7ImlzX2VudGl0bGVkIjp0cnVlfSwic 21hcnRfbWFuYWdlbWVudCI6eyJpc19lbnRpdGxlZCI6ZmFsc2V9LCJoeWJyaWRfY2xvdWQiOnsiaXNfZW50aXRsZWQiOnRydWV9fX0="

  3. Compare the results and check for catalog:portfolios:write with *
  4. See error

Expected behavior
The result should be same in both internal and external call

Openapi.json not fetchable from /api/rbac/v1/openapi.json

Describe the bug
Openapi.json not fetchable from /api/rbac/v1/openapi.json

To Reproduce
Steps to reproduce the behavior:

  1. Go to /api/rbac/v1/openapi.json
  2. Nothing loads

Expected behavior
Should be able to fetch the openapi.json from here.

Context (please complete the following information):

  • OS: Fedora
  • Browser: Firefox
  • Commit Hash from status endpoint: 6e05d8c

Additional context
I was failing to fetch this from CI/QA and PROD however was able to fetch it from /api/rbac/v1/openapi.json.gz but it required authentication. It should work from the standard endpoint and I believe shouldn't require authentication.

Add permissions controls for RBAC APIs

User Story

As a user, I want to control who can manage groups, roles, and policies so that this function is not open to all users.

Impacts

API, Docs

Role

Account Admin or user with RBAC permission

Assumptions

  • Only Account Admins will be allowed to create and manage groups (retains limited access to findUsers API)
  • Any user can be given the access to manage roles and policies

API Details

A user that is an account admin, as specified by the is_org_admin value in the user object of the x-rh-identity header, can perform any RBAC request.

Any user can call the /access/ endpoint and the username contained in the x-rh-identity header will be used. Only an account admin can pass the username query parameter to determine access for a user.

Group management, /group/*, can only be performed by an account admin.

Role management can be done by an account administrator or a user with the following permissions:

  • create/update/delete: rbac:role:write; a resource definition must be specified (the field with a list of uuids, or *)
  • get/list: rbac:role:read; a resource definition must be specified (the field with a list of uuids, or *)

Policy management can be done by an account administrator or a user with the following permissions:

  • create/update/delete: rbac:policy:write; a resource definition must be specified (the field with a list of uuids, or *)
  • get/list: rbac:policy:read; a resource definition must be specified (the field with a list of uuids, or *)

Acceptance Criteria

  • Account admin can perform any RBAC call
  • All users can call access endpoint
  • Only account admin can pass username query param to access endpoint (otherwise 403)
  • Only a user with appropriate permissions can create/update/delete roles (either a specified set or all)
  • Only a user with appropriate permissions can get/list roles (either a specified set or all)
  • Only a user with appropriate permissions can create/update/delete policies (either a specified set or all)
  • Only a user with appropriate permissions can get/list policies (either a specified set or all)

API endpoints blow up if you try to navigate without authentication

Describe the bug
API endpoints blow up if you try to navigate without authentication

To Reproduce
Steps to reproduce the behavior:

  1. Go to 'api/rbac/v1/groups'
  2. See error

Expected behavior
A clear error message explaining the issue. Also handle the exception in the logs.

Screenshots
Screenshot from 2019-07-16 15-17-44

Context (please complete the following information):

  • OS: Fedora
  • Browser: Firefox
  • Commit Hash from status endpoint: 6e05d8c

Additional context
Screenshot is from testing locally.
rbac logs

[2019-07-16 15:03:05,357] WARNING: Could not obtain identity on request.
[2019-07-16 15:03:05,358] ERROR: Internal Server Error: /api/rbac/v1/groups/
Traceback (most recent call last):
  File "/opt/app-root/lib/python3.6/site-packages/django/core/handlers/exception.py", line 34, in inner
    response = get_response(request)
  File "/opt/app-root/lib/python3.6/site-packages/django/utils/deprecation.py", line 93, in __call__
    response = self.process_response(request, response)
  File "/opt/app-root/src/rbac/rbac/middleware.py", line 287, in process_response
    if request.user:
AttributeError: 'WSGIRequest' object has no attribute 'user'

Temporarily create Principals on API interaction

User Story

As an RBAC user, I want the list of available principals to additionally be populated based on the users interacting with the API, so that more users can be added to the database.

Impacts

API

Role

Admin

Assumptions

  • This will be removed when the back office API is available.

API Details

Any API call containing the x-rh-identity header will cause the creation of a principal in the system

Pagination meta data

Hi, I am supposed to create pagination for the rbac UI and there is meta information missing from paginated responses.

Currently it only returns the number of results and links to the next/prev/last pages.

Could you add the limit and offset to the meta object? (like here: RedHatInsights/insights-api-common-rails#35)

Yes we already have the links but you can't use those with the generated JS clients.

Currently I am parsing it from the provided links, and we want to use generated clients as much as possible.

Add extra fields for operations

User Story

A user might want to select multiple resources and share them with a group. Since each resource has a unique ID, they might be able to create a single Access with all the IDs in the Resource Definition Filter.

We would like the user to have a filter like

key: id
operation: includes
values: 100,101,102,103,104

Impacts

API, UI, Docs

Role

Assumptions

  • Values can be comma delimited

API Details

API Detail
Method GET/POST/PUT/PATCH/DELETE
Path /api/v1/?/
Body
Response

UI Details

Acceptance Criteria

  • [ ]
  • [ ]
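As an added example (not insights-rbac's own code), here is a minimal authorization check that applies the rules from "Add permissions controls for RBAC APIs" above together with the comma-delimited includes filter proposed in this issue. The x-rh-identity layout (base64 JSON carrying identity.user.username and is_org_admin) is as used elsewhere on this page; the access-entry shape (permission plus resourceDefinitions with an attributeFilter of key/operation/value), the equal and in operations, and the sample header and access list are assumptions constructed for the example.

```python
# Added example, not insights-rbac's own code; the access-entry shape and the
# sample data below are assumptions constructed for this illustration.
import base64
import json

def parse_identity(header: str) -> dict:
    """Decode the x-rh-identity header and return its 'identity' object."""
    return json.loads(base64.b64decode(header))["identity"]

def may_use_username_param(identity: dict, username) -> bool:
    """Only an org admin may ask /access/ about another user (otherwise 403)."""
    user = identity["user"]
    return username in (None, user["username"]) or bool(user.get("is_org_admin"))

def permission_matches(granted: str, wanted: str) -> bool:
    """Permissions are app:resource:verb; '*' in a granted segment matches anything."""
    g, w = granted.split(":"), wanted.split(":")
    return len(g) == len(w) == 3 and all(a in ("*", b) for a, b in zip(g, w))

def filter_matches(attr_filter: dict, resource_id: str) -> bool:
    """One attributeFilter against the requested id. 'equal' and 'in' are assumed
    existing operations; 'includes' with comma-delimited values is the proposal above."""
    op, value = attr_filter["operation"], attr_filter["value"]
    if op == "equal":
        return str(value) in ("*", resource_id)
    if op in ("in", "includes"):
        # Accept either a JSON list or the comma-delimited string proposed above.
        values = value.split(",") if isinstance(value, str) else value
        return resource_id in [str(v).strip() for v in values]
    raise ValueError(f"unknown operation {op!r}")

def is_allowed(identity: dict, access: list, permission: str, resource_id: str) -> bool:
    """Org admins may do anything; others need a matching permission whose
    resource definitions cover resource_id (no definitions means all)."""
    if identity["user"].get("is_org_admin"):
        return True
    for entry in access:
        if permission_matches(entry["permission"], permission):
            defs = entry.get("resourceDefinitions", [])
            if not defs or any(filter_matches(d["attributeFilter"], resource_id) for d in defs):
                return True
    return False

# Constructed sample: non-admin user "alice" may read all roles but write only five.
SAMPLE_HEADER = base64.b64encode(json.dumps(
    {"identity": {"user": {"username": "alice", "is_org_admin": False}}}).encode()).decode()
SAMPLE_ACCESS = [
    {"permission": "rbac:role:read", "resourceDefinitions": []},
    {"permission": "rbac:role:write", "resourceDefinitions": [{"attributeFilter": {
        "key": "id", "operation": "includes", "value": "100,101,102,103,104"}}]},
]
```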
