You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: docs/apps/rbac/for_dab_developers.md
+15-3Lines changed: 15 additions & 3 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -1,6 +1,18 @@
1
1
## DAB RBAC System Design Principles
2
2
3
-
The current DAB RBAC system represents a fundamental architectural shift from graph-based role inheritance to a resource tree model with named permissions.
3
+
The DAB RBAC features and goals:
4
+
- Adheres to patterns created by django.contrib.auth, specifically its permission model
5
+
- Adds roles, containers of multiple permissions
6
+
- Adds teams, allowing bulk-assignment of permissions to a group of users
7
+
- Allows managing multiple "levels" of permissions
8
+
- object-level permission
9
+
- inheritance from an objects parent object, main organization
10
+
- system-wide permissions
11
+
- Be as lazy as possible
12
+
13
+
This is a combination of former galaxy_ng/pulp and AWX systems.
14
+
The galaxy_ng/pulp RBAC system had everything above except for inheritance.
15
+
The AWX system did not enumerate permissions at all, and structured roles in a graph-based design.
4
16
5
17
### Internal Terminology
6
18
@@ -15,8 +27,8 @@ For DAB developers working on the RBAC system itself:
15
27
16
28
### Evolution from Role Graphs to Resource Trees
17
29
18
-
**Previous (2015) System:**
19
-
The older system created a complex graph where roles had parent-child relationships with other roles. Each object auto-created its own roles, and permissions flowed through role inheritance chains. This created scenarios like an "inventory_admin" role automatically granting read permissions to job templates that used that inventory.
30
+
**Previous (2015) AWX System:**
31
+
The older system created a complex graph where roles had parent-child relationships with other roles. Each object auto-created its own roles, and permissions flowed through role inheritance chains. This means you could have "admin_role" to a job template which would give CRUD permissions plus the ability to run the job template, or "execute_role" which would give ability to run but not the ability to edit. Inheritance worked by "admin_role" to an organization being a parent of the roles of all objects within the organization.
20
32
21
33
**Current (2023+) System:**
22
34
The current system abandons role-to-role inheritance in favor of:
0 commit comments