mozilla
Improve granularity of ACL system in Normandy
My understanding of the Normandy authorization backend is:
- not very fine grained access controls on specific actions
- we are tied to django admin for creating new users
- will require some investigation / engineering effort to replace and upgrade the ACL system
The purpose of upgrading the ACL system would be:
- tighter control / delegation of workflow actions to specific groups/people
- less access
- give other groups ability to manage state of recipes
Here are my notes from chatting to @mythmon about this:
So the key things are (rephrasing my own thoughts/notes):
- Users who can CRU but not D.
- Users who can CRUD but not approve.
- Users whose permissions depend on the name of the action
- Users whose permissions depend on the filter expression/filter object
Two notes:
- There should be users that can read, but not create or update. This is sort of moot though, since any users can read without special permissions already.
- The D in CRUD stands for Delete, and that is something that most users should not be able to do. Only super users should be able to delete things. Normandy should have a permanent record of everything, where possible.
I added Users who can CRU but not D. to my comment above :)
Normandy should have a permanent record of everything, where possible.
You mean an action audit trail? We don't have this at all do we?
In Socorro we added something like eventlog and injected a bunch of calls to this in various places in the code where a db-write was about to happen. E.g. eventlog('Approve Thing', instance=self, user=request.user)
You mean an action audit trail? We don't have this at all do we?
We don't keep an action list, but recipe revisions are immutable, so we can always see the history. The recipe history is permanent and a first class part of Normandy.
we are looking at needs in this larger project https://docs.google.com/document/d/1fQPB9wnbz5xI0RWggvaUmTdGspavGs6TAq7eWaNudhg/edit#
