Development #6994

Create RBAC models: Role, User-Role relation, Role-Role hierarchy, Permissions, OrganizationalUnit

Added by Benjamin Dauvergne over 4 years ago. Updated about 2 years ago.

Status: Closed
Priority: Normal
Category: -
Target version:
Start date: 21 Apr 2015
Due date:
% Done: 100%
Patch proposed: No
Planning: No

Description

All objects should pertain to an organization unit (OU).

Users can be linked to many roles. Roles can be linked to many users. Roles can be linked to roles.

Roles can be linked to many permissions.

The permission model must contain a generic foreign key (the resource) and a string (the operation) and a scope (generic foreign key to organizations for example). Permissions without scope apply to all resources targeted, with a scope only to resources of this scope. Ex.:

Permission(resource=ContentType(User), operation="admin", scope=OU) is the permission to administer users in the people OU.

Role hierarchy must be stored denormalized to speed queries. On each creation/deletion of a link the full transitive closure of the relation must be maintained. Roles have flags:
  • mirror : generic foreign key to the object it was made for, if present it means the role was automatically created and must not be deleted
  • organization : the organization owning this role
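An added sketch, not the django_rbac code: plain Python that keeps the role closure denormalized as the description asks and applies the scope rule for permissions. It assumes a user holding a role also holds every role that role is linked to; the class, function, role and OU names are constructed for illustration.

```python
from collections import defaultdict

class RoleGraph:
    """Direct role links plus their denormalised transitive closure."""
    def __init__(self):
        self.direct = defaultdict(set)  # role -> roles it is linked to directly
        self.closure = set()            # (role, reachable role), direct or indirect

    def _reachable(self, start):
        seen, stack = set(), [start]
        while stack:                    # 'seen' keeps cycles from looping forever
            for nxt in self.direct[stack.pop()] - seen:
                seen.add(nxt)
                stack.append(nxt)
        return seen

    def add_link(self, role, linked):
        self.direct[role].add(linked)
        # Every role reaching `role` now also reaches all that `linked` reaches.
        above = {a for a, b in self.closure if b == role} | {role}
        below = {b for a, b in self.closure if a == linked} | {linked}
        self.closure |= {(a, b) for a in above for b in below}

    def remove_link(self, role, linked):
        self.direct[role].discard(linked)
        # The pair may still be implied by another path, so rebuild from
        # the direct links instead of just deleting it.
        self.closure = {(r, x) for r in list(self.direct) for x in self._reachable(r)}

    def effective_roles(self, assigned):
        return set(assigned) | {b for a, b in self.closure if a in assigned}

def has_perm(graph, user_roles, role_perms, resource, operation, ou):
    """role_perms: role -> {(resource, operation, scope)}; scope None = unscoped."""
    for role in graph.effective_roles(user_roles):
        for res, op, scope in role_perms.get(role, ()):
            # An unscoped permission covers every OU, a scoped one only its own.
            if (res, op) == (resource, operation) and scope in (None, ou):
                return True
    return False

# Constructed sample data: role and OU names are illustrative assumptions.
GRAPH = RoleGraph()
GRAPH.add_link("people-manager", "people-user-admin")
GRAPH.add_link("director", "people-manager")
PERMS = {"people-user-admin": {("User", "admin", "people")}}
print(has_perm(GRAPH, {"director"}, PERMS, "User", "admin", "people"))
```

Permission checks only read the stored closure; the graph walk happens when a link is removed, which is the trade-off the denormalized storage makes.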

Associated revisions

Revision c030a45f (diff)
Added by Benjamin Dauvergne over 4 years ago

django_rbac: add an RBAC engine (#6994)

- swappable role model supporting role graph with cycles
- swappable role parenting model
- swappable permission model
- swappable organizational unit model allowing to have scopes on permissions and objects
- authorization backend based on role membership
- helpers to filter querysets by the permissions users have on them

Revision e9b72a44 (diff)
Added by Benjamin Dauvergne over 4 years ago

utils: add get_fk_model to retrieve related model

get_fk_model() is a helper method to retrieve the related model of a
possible foreign key field of a model, it supports pre and post 1.8
model's _meta internal API.

refs #6994

Revision c9915b9b (diff)
Added by Benjamin Dauvergne over 4 years ago

a2_rbac: integrate django_rbac in authentic2

This commit adds local implementations for swappable models of the
django_rbac application. The role model gets extraneous fields to map
some roles one-to-one to permissions (admin_scope generic key field) and
to link roles to a service to make service's roles.

The admin scope allows building automatic management roles, like the
general management role for an organizational unit which inherits all
content type management roles for this ou.

refs #7252
fixes #6994

Revision 8d6a4b8f (diff)
Added by Benjamin Dauvergne over 4 years ago

tox.ini: run tests for RBAC and CAS idp

refs #6994

History

#1 Updated by Benjamin Dauvergne over 4 years ago

  • Assignee set to Benjamin Dauvergne
  • Target version set to 2.2.0

#2 Updated by Frédéric Péters over 4 years ago

  • Blocked by Development #7163: Make the Publik drop-down menu contextual + Wording added

#3 Updated by Frédéric Péters over 4 years ago

  • Blocked by deleted (Development #7163: Make the Publik drop-down menu contextual + Wording)

#4 Updated by Benjamin Dauvergne over 4 years ago

  • Status changed from New to Resolved (to be deployed)
  • % Done changed from 0 to 100

#5 Updated by Benjamin Dauvergne almost 4 years ago

  • Status changed from Resolved (to be deployed) to Solution deployed

#6 Updated by Benjamin Dauvergne about 2 years ago

  • Status changed from Solution deployed to Closed
