Development #6994
Create RBAC models: Role, User-Role relation, Role-Role hierarchy, Permissions, OrganizationalUnit
100%
Description
All objects should pertain to an organization unit (OU).
User can be linked to many roles. Roles can be linked to many users. Roles can be linked to roles.
Roles can be linked to many permissions.
The permission model must contain a generic foreign key (the ressource) and a string (the operation) and a scope (generic foreign key to organizations for example). Permissions without scope apply to all ressources targeted, with a scope only to ressources of this scope. Ex.:
Permission(ressource=ContentType(User), operation="admin", scope=OU) is the permission to administer users in the people OU.
Role hierarchy must be stored denormalized to speed queries. On each creation/deletion of a link the full transitive closure of the relation must be maintained. Role have flags:- mirror : generic foreign key to the object it was made for, if present it means the role was automatically created and must not be deleted
- organization : the organization owning this role
Associated revisions
django_rbac: add an RBAC engine (#6994)
- swappable role model supporting role graph with cycles
- swappable role parenting model
- swappable permission model
- swappable organizational unit model allowing to have scopes on permissions and objects
- authorization backend based on role membership
- helpers to filter querysets by the permissions users have on them
utils: add get_fk_model to retrieve related model
get_fk_model() is an helper method to retrieve the related model of a
possible foreign key field of a model, it supports pre and post 1.8
model's _meta internal API.
refs #6994
a2_rbac: integrate django_rbac in authentic2
This commit add local implementations for swappable models of the
django_rbac application. The role model gets extraneous fields to map
some roles one-to-one to permssions (admin_scope generic key field) and
to link roles to a service to make service's roles.
The admin scope allow building automatic management roles, like the
general management role for an organizational unit which inherits all
content type management roles for this ou.
tox.ini: run tests for RBAC and CAS idp
refs #6994
History
#1 Updated by Benjamin Dauvergne over 4 years ago
- Assignee set to Benjamin Dauvergne
- Target version set to 2.2.0
#2 Updated by Frédéric Péters over 4 years ago
- Blocked by Development #7163: Rendre le menu déroulant Publik contextuel + Wording added
#3 Updated by Frédéric Péters over 4 years ago
- Blocked by deleted (Development #7163: Rendre le menu déroulant Publik contextuel + Wording)
#4 Updated by Benjamin Dauvergne over 4 years ago
- Status changed from Nouveau to Résolu (à déployer)
- % Done changed from 0 to 100
Appliqué par commit authentic2|c9915b9b6d0e34fecfce78b2670323d403534613.
#5 Updated by Benjamin Dauvergne over 3 years ago
- Status changed from Résolu (à déployer) to Solution déployée
#6 Updated by Benjamin Dauvergne over 1 year ago
- Status changed from Solution déployée to Fermé