
Hello,

Thank you for the project, quick question:

I see that restrict-modify actually only allows changes made by the principals listed there. Which kinda means that you are either root or you aren't, should restrict-modify also allow index_create/user_modify for authenticated users?

Thank you,

-- 
Louis Opter

On 18 Jul 2019, at 4:35, Louis Opter wrote:
Since devpi-server 5.0.0 this should be possible via the special :AUTHENTICATED: user. That user also allows an index where any authenticated user can upload by setting it in acl_upload. Another special user is :ANONYMOUS: currently used by acl_toxresult_upload.

Regards,
Florian Schulze

Thank you for the answer Florian, I am not sure I understand how to configure that?

For now I have edited RootFactory.__acl__ in devpi_server/view_auth.py to do:

    acl.extend([
        (Allow, Authenticated, "index_create"),
        (Allow, Authenticated, "user_modify"),
    ])

When self.restrict_modify is not None. Authenticated is imported from pyramid.security.

This seems related to what you are saying while being different.

-- 
Louis Opter

On Wed, Jul 17, 2019, at 11:07 PM, Florian Schulze wrote:

On Sat, Jul 20, 2019, at 2:12 AM, Florian Schulze wrote:
> Don't edit any code, but try this command line option for devpi-server: --restrict-modify root,:AUTHENTICATED:

Oh that makes sense, reading the sources makes me believe you have to use a comma though and it seems that you can't specify an actual list in the YAML file which is a bit odd.

> That way root and any authenticated user should be able to create other users and indexes.

Yes, I think my expectations for restrict-modify are off; by doing "--restrict-modify root,:AUTHENTICATED:" authenticated users will be able to create and delete other users which is not what I was looking for. (And why I was originally saying you are either root or you are not).

It feels like the intent of restrict-modify is to not only restrict modifications for administrative stuff like users, but also restrict index modifications. Reading the documentation led me to think that index modifications were a common thing to do for most users.

Maybe I just need to find a static index scheme (but being able to create indexes felt great for CI) or trust my users.

-- 
Louis Opter
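
The all-or-nothing behaviour discussed in this thread, as an added illustration that is not part of the original messages and is not devpi-server code: a simplified model in which every principal listed in restrict-modify receives every modify permission, compared with the narrower grant from the patch quoted above. The permission names user_create and user_delete, the helper names and the ci-bot user are assumptions.

```python
# Simplified model of the ACL behaviour discussed in this thread.
# Not devpi-server code: the permission names user_create/user_delete and
# all function names here are assumptions made for illustration.

AUTHENTICATED = ":AUTHENTICATED:"
ANONYMOUS = ":ANONYMOUS:"

# Permissions gated by restrict-modify in this model (assumed set).
MODIFY_PERMISSIONS = ("user_create", "user_delete", "user_modify", "index_create")


def parse_restrict_modify(value):
    """Split the comma-separated option value into a set of principals."""
    return {p.strip() for p in value.split(",") if p.strip()}


def effective_principals(username):
    """Principals carried by a request: the user name plus a special marker."""
    if username is None:
        return {ANONYMOUS}
    return {username, AUTHENTICATED}


def build_acl(restrict_modify, extra=()):
    """Every listed principal gets every modify permission (all or nothing)."""
    acl = [(principal, perm)
           for principal in sorted(parse_restrict_modify(restrict_modify))
           for perm in MODIFY_PERMISSIONS]
    acl.extend(extra)
    return acl


def allowed(acl, username, permission):
    principals = effective_principals(username)
    return any(p in principals and perm == permission for p, perm in acl)


def report(acl, username):
    return {perm: allowed(acl, username, perm) for perm in MODIFY_PERMISSIONS}


# The option value suggested in the thread: any logged-in user is listed.
broad = build_acl("root,:AUTHENTICATED:")
# The narrower intent: only root is listed, authenticated users get two grants.
narrow = build_acl("root", extra=[(AUTHENTICATED, "index_create"),
                                  (AUTHENTICATED, "user_modify")])

if __name__ == "__main__":
    for name, acl in (("broad", broad), ("narrow", narrow)):
        print(name, report(acl, "ci-bot"))  # ci-bot is a constructed user name
```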
