Project

General

Profile

Actions

Architecture #23797

closed

User story #23796: RBAC for nodes via tenants (view only)

Backend evolution for node RBAC: add tenants domain concept

Added by François ARMAND 8 months ago. Updated 4 months ago.

Status:
Released
Priority:
N/A
Category:
Architecture - Internal libs
Target version:
Effort required:
Name check:
To do
Fix check:
To do
Regression:
No

Description

The first step in the parent ticket is to weave into rudder new CoreNodeFactRepository a notion of permission to see a node.
That notion will deal witht the domain design of "tenants" and needs 3 things:

- in the node, it needs a "tenant" materialization. For design model, we will name it SecurityTag which will hold a list of tenants (and perhaps later on other RBAC aspects for nodes, like fine-grained perms). This is internal and can be draft level, it won't be exposed directly, even with API.
- in user authorization, it needs a "tenant" materialization. This will be a new tenants attribute for users (a list of accessible tenants)
- in rudder code, a way to easily weave from interface point between modules who is asking for nodes, so that rudder can filter out them. This is a notion of QueryContext, which reflect ChangeContext for change.

That ticket will bring these changes but only so that we are able to test a full feedback loop from user definition (from the XML file, because we want to expose UX here) to node filtering in the UI (only node/node details pages, it's enought to see if the design fly). And it's OK is we have to set node's security tag by hand/ldap browser (not expose to users).


Subtasks 2 (0 open2 closed)

Architecture #23857: Impact of API change for tenants on pluginsReleasedVincent MEMBRÉActions
Rudder plugins - Architecture #23859: Impact of API change for tenants on private plugins ReleasedVincent MEMBRÉActions

Related issues 3 (1 open2 closed)

Related to Rudder - Bug #23920: Lift Async system is not able to find spring SecurityContextHolderReleasedVincent MEMBRÉActions
Related to Rudder - Bug #24392: Pending node number in dashboard is not tenant awareNewFrançois ARMANDActions
Related to Authentication backends - Bug #24394: Autoprovisioned users don't have access to any nodesReleasedClark ANDRIANASOLOActions
Actions #1

Updated by François ARMAND 8 months ago

  • Status changed from New to In progress
  • Assignee set to François ARMAND
Actions #2

Updated by François ARMAND 8 months ago

  • Status changed from In progress to Pending technical review
  • Assignee changed from François ARMAND to Vincent MEMBRÉ
  • Pull Request set to https://github.com/Normation/rudder/pull/5229
Actions #3

Updated by Anonymous 8 months ago

  • Status changed from Pending technical review to Pending release
Actions #4

Updated by Anonymous 8 months ago

Actions #5

Updated by François ARMAND 8 months ago

  • Subtask #23857 added
Actions #6

Updated by François ARMAND 8 months ago

  • Subtask #23859 added
Actions #7

Updated by François ARMAND 6 months ago

  • Related to Bug #23920: Lift Async system is not able to find spring SecurityContextHolder added
Actions #8

Updated by François ARMAND 4 months ago

  • Related to Bug #24392: Pending node number in dashboard is not tenant aware added
Actions #9

Updated by François ARMAND 4 months ago

  • Related to Bug #24394: Autoprovisioned users don't have access to any nodes added
Actions #10

Updated by Vincent MEMBRÉ 4 months ago

  • Status changed from Pending release to Released

This bug has been fixed in Rudder 8.1.0~alpha1 which was released today.

Actions

Also available in: Atom PDF