Architecture #23797
closed
User story #23796: RBAC for nodes via tenants (view only)
Backend evolution for node RBAC: add tenants domain concept
Description
The first step in the parent ticket is to weave into Rudder's new CoreNodeFactRepository a notion of permission to see a node.
That notion will deal with the domain design of "tenants" and needs 3 things:
- in the node, it needs a "tenant" materialization. For the design model, we will name it SecurityTag, which will hold a list of tenants (and perhaps later on other RBAC aspects for nodes, like fine-grained perms). This is internal and can be draft level; it won't be exposed directly, even with the API.
- in user authorization, it needs a "tenant" materialization. This will be a new tenants attribute for users (a list of accessible tenants)
- in rudder code, a way to easily weave, from the interface point between modules, who is asking for nodes, so that rudder can filter them out. This is a notion of QueryContext, which reflects ChangeContext for change.
That ticket will bring these changes but only so that we are able to test a full feedback loop from user definition (from the XML file, because we want to expose UX here) to node filtering in the UI (only node/node details pages, it's enough to see if the design flies). And it's OK if we have to set node's security tag by hand/ldap browser (not exposed to users).
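Added example, not part of the ticket and not Rudder's code: a minimal Scala sketch of the three pieces described above (a SecurityTag on the node, a tenants list on the user, and a QueryContext passed to every read). The TenantId, TenantAccess, Node and NodeRepository names, the default-deny rule for untagged nodes and the sample data are assumptions made for illustration.

```scala
// Sketch only: apart from the SecurityTag and QueryContext names and the idea of a
// tenants list, every name and rule here is an assumption, not Rudder's actual code.
final case class TenantId(value: String)

// Node side: the security tag carries the tenants a node belongs to.
final case class SecurityTag(tenants: Set[TenantId])
final case class Node(id: String, hostname: String, securityTag: Option[SecurityTag])

// User side: which tenants the caller may see.
sealed trait TenantAccess
object TenantAccess {
  case object All extends TenantAccess                                // hypothetical: unrestricted user
  final case class Only(tenants: Set[TenantId]) extends TenantAccess  // the user's tenants attribute
}

// Who is asking: passed across module boundaries with every read.
final case class QueryContext(actor: String, access: TenantAccess) {
  def canSee(node: Node): Boolean = access match {
    case TenantAccess.All      => true
    case TenantAccess.Only(ts) =>
      // Assumption: an untagged node is hidden from tenant-restricted users (default deny).
      node.securityTag.exists(_.tenants.exists(ts.contains))
  }
}

// No read method exists without a QueryContext, so a caller cannot skip the filter.
final class NodeRepository(nodes: Map[String, Node]) {
  def getAll()(implicit qc: QueryContext): List[Node] =
    nodes.values.filter(qc.canSee).toList.sortBy(_.id)

  // A hidden node is reported exactly like a missing one, so ids cannot be probed.
  def get(id: String)(implicit qc: QueryContext): Option[Node] =
    nodes.get(id).filter(qc.canSee)
}

object Demo extends App {
  val zoneA = TenantId("zoneA"); val zoneB = TenantId("zoneB") // constructed sample data
  val repo = new NodeRepository(List(
    Node("n1", "web1", Some(SecurityTag(Set(zoneA)))),
    Node("n2", "db1", Some(SecurityTag(Set(zoneB)))),
    Node("n3", "legacy", None)
  ).map(n => n.id -> n).toMap)

  val alice = QueryContext("alice", TenantAccess.Only(Set(zoneA)))
  val admin = QueryContext("admin", TenantAccess.All)
  println(repo.getAll()(alice).map(_.id)) // nodes visible to a user restricted to zoneA
  println(repo.get("n2")(alice))          // lookup of a node tagged for another tenant
  println(repo.getAll()(admin).map(_.id)) // nodes visible to an unrestricted user
}
```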
Updated by François ARMAND 12 months ago
- Status changed from New to In progress
- Assignee set to François ARMAND
Updated by François ARMAND 12 months ago
- Status changed from In progress to Pending technical review
- Assignee changed from François ARMAND to Vincent MEMBRÉ
- Pull Request set to https://github.com/Normation/rudder/pull/5229
Updated by Anonymous 12 months ago
- Status changed from Pending technical review to Pending release
Applied in changeset rudder|fd60555d0d68db68531e051e5531ff80b4ce4d75.
Updated by Anonymous 12 months ago
Applied in changeset rudder|516a801789f35519fc84c56231f2f1296bea5b1d.
Updated by François ARMAND 11 months ago
- Related to Bug #23920: Lift Async system is not able to find spring SecurityContextHolder added
Updated by François ARMAND 9 months ago
- Related to Bug #24392: Pending node number in dashboard is not tenant aware added
Updated by François ARMAND 9 months ago
- Related to Bug #24394: Autoprovisioned users don't have access to any nodes added
Updated by Vincent MEMBRÉ 8 months ago
- Status changed from Pending release to Released
This bug has been fixed in Rudder 8.1.0~alpha1 which was released today.