Add option to disable creating, update and deleting users and groups.

galaxy_ng/app/access_control/access_policy.py

@@ -573,6 +573,22 @@ def require_requirements_yaml(self, request, view, action):
                 })
         return True
 
+    def is_direct_shared_resource_management_disabled(self, request, view, action):
+        return not settings.DIRECT_SHARED_RESOURCE_MANAGEMENT_ENABLED
+
+    def user_is_superuser(self, request, view, action):
+        if getattr(self, "swagger_fake_view", False):
+            # If OpenAPI schema is requested, don't check for superuser
+            return False
+        user = view.get_object()
+        return user.is_superuser
+
+    def is_current_user(self, request, view, action):
+        if getattr(self, "swagger_fake_view", False):
+            # If OpenAPI schema is requested, don't check for current user
+            return False
+        return request.user == view.get_object()
+
 
 class AIDenyIndexAccessPolicy(AccessPolicyBase):
     NAME = "AIDenyIndexView"
@@ -613,19 +629,6 @@ class CollectionRemoteAccessPolicy(AccessPolicyBase):
 class UserAccessPolicy(AccessPolicyBase):
     NAME = "UserViewSet"
 
-    def user_is_superuser(self, request, view, action):
-        if getattr(self, "swagger_fake_view", False):
-            # If OpenAPI schema is requested, don't check for superuser
-            return False
-        user = view.get_object()
-        return user.is_superuser
-
-    def is_current_user(self, request, view, action):
-        if getattr(self, "swagger_fake_view", False):
-            # If OpenAPI schema is requested, don't check for current user
-            return False
-        return request.user == view.get_object()
-
 
 class MyUserAccessPolicy(AccessPolicyBase):
     NAME = "MyUserViewSet"

galaxy_ng/app/access_control/statements/pulp.py

@@ -1,15 +1,20 @@
 from galaxy_ng.app.access_control.statements.standalone import (
     _collection_statements as _galaxy_collection_statements,
     _group_statements as _galaxy_group_statements,
+    _group_role_statements as _galaxy_group_role_statements
 )
 
+from galaxy_ng.app.access_control.statements.standalone import _user_statements
 
 _collection_statements = {"statements": _galaxy_collection_statements}
 
 
 _group_statements = {"statements": _galaxy_group_statements}
 
 
+_group_role_statements = {"statements": _galaxy_group_role_statements}
+
+
 _deny_all = {
     "statements": [
         {"principal": "*", "action": "*", "effect": "deny"},
@@ -565,8 +570,29 @@
 
 
 PULP_CORE_VIEWSETS = {
-    "groups/roles": _group_statements,
+    "groups/roles": _group_role_statements,
     "groups": _group_statements,
+    "groups/users": {"statements": [
+        # We didn't have an access policy here before 4.10. The default pulp access policy
+        # checks core.group permissions, rather than galaxy.group permissions, which isn't
+        # used in our system. The end result should be that only admins can make modifications
+        # on this endpoint. This should be changed to match the validation we use for the
+        # ui apis (https://github.com/ansible/galaxy_ng/blob/7e6b335326fd1d1f366e3c5dd81b3f6e
+        # 75da9e1e/galaxy_ng/app/api/ui/serializers/user.py#L62), but given that we're looking
+        # at adopting DAB RBAC, I'm going to leave this as is for now.
+        {
+            "action": "*",
+            "principal": "admin",
+            "effect": "allow"
+        },
+        {
+            "action": ["create", "destroy"],
+            "principal": "*",
+            "effect": "deny",
+            "condition": "is_direct_shared_resource_management_disabled"
+        },
+    ]},
+    "users": {"statements": _user_statements},
     "roles": {
         "statements": [
             {

galaxy_ng/app/access_control/statements/standalone.py

@@ -76,7 +76,7 @@
     }
 ]
 
-_group_statements = [
+_group_role_statements = [
     {
         "action": ["list", "retrieve"],
         "principal": "authenticated",
@@ -86,22 +86,87 @@
         "action": "destroy",
         "principal": "authenticated",
         "effect": "allow",
-        "condition": "has_model_perms:galaxy.delete_group"
+        "condition": [
+            "has_model_perms:galaxy.delete_group",
+        ]
     },
     {
         "action": "create",
         "principal": "authenticated",
         "effect": "allow",
-        "condition": "has_model_perms:galaxy.add_group"
+        "condition": [
+            "has_model_perms:galaxy.add_group",
+        ]
     },
     {
         "action": ["update", "partial_update"],
         "principal": "authenticated",
         "effect": "allow",
-        "condition": "has_model_perms:galaxy.update_group"
+        "condition": [
+            "has_model_perms:galaxy.update_group",
+        ]
     },
 ]
 
+_group_statements = _group_role_statements + [
+    {
+        "action": ["create", "destroy", "update", "partial_update"],
+        "principal": "*",
+        "effect": "deny",
+        "condition": "is_direct_shared_resource_management_disabled"
+    },
+]
+
+_user_statements = [
+    {
+        "action": ["list"],
+        "principal": "authenticated",
+        "effect": "allow",
+        "condition": ["v3_can_view_users"],
+    },
+    {
+        "action": ["retrieve"],
+        "principal": "authenticated",
+        "effect": "allow",
+        "condition": ["v3_can_view_users"],
+    },
+    {
+        "action": "destroy",
+        "principal": "*",
+        "effect": "deny",
+        "condition": ["user_is_superuser"]
+    },
+    {
+        "action": "destroy",
+        "principal": "*",
+        "effect": "deny",
+        "condition": ["is_current_user"]
+    },
+    {
+        "action": "destroy",
+        "principal": "*",
+        "effect": "allow",
+        "condition": "has_model_perms:galaxy.delete_user"
+    },
+    {
+        "action": "create",
+        "principal": "authenticated",
+        "effect": "allow",
+        "condition": "has_model_perms:galaxy.add_user"
+    },
+    {
+        "action": ["update", "partial_update"],
+        "principal": "authenticated",
+        "effect": "allow",
+        "condition": "has_model_perms:galaxy.change_user"
+    },
+    {
+        "action": ["create", "destroy", "update", "partial_update"],
+        "principal": "*",
+        "effect": "deny",
+        "condition": "is_direct_shared_resource_management_disabled"
+    },
+]
 _deny_all = [
     {
         "principal": "*",
@@ -187,50 +252,7 @@
             "condition": "has_model_perms:ansible.change_collectionremote"
         }
     ],
-    'UserViewSet': [
-        {
-            "action": ["list"],
-            "principal": "authenticated",
-            "effect": "allow",
-            "condition": ["v3_can_view_users"],
-        },
-        {
-            "action": ["retrieve"],
-            "principal": "authenticated",
-            "effect": "allow",
-            "condition": ["v3_can_view_users"],
-        },
-        {
-            "action": "destroy",
-            "principal": "*",
-            "effect": "deny",
-            "condition": ["user_is_superuser"]
-        },
-        {
-            "action": "destroy",
-            "principal": "*",
-            "effect": "deny",
-            "condition": ["is_current_user"]
-        },
-        {
-            "action": "destroy",
-            "principal": "*",
-            "effect": "allow",
-            "condition": "has_model_perms:galaxy.delete_user"
-        },
-        {
-            "action": "create",
-            "principal": "authenticated",
-            "effect": "allow",
-            "condition": "has_model_perms:galaxy.add_user"
-        },
-        {
-            "action": ["update", "partial_update"],
-            "principal": "authenticated",
-            "effect": "allow",
-            "condition": "has_model_perms:galaxy.change_user"
-        },
-    ],
+    'UserViewSet': _user_statements,
     'MyUserViewSet': [
         {
             "action": ["retrieve"],
@@ -244,6 +266,12 @@
             "effect": "allow",
             "condition": "is_current_user"
         },
+        {
+            "action": ["create", "destroy", "update", "partial_update"],
+            "principal": "*",
+            "effect": "deny",
+            "condition": "is_direct_shared_resource_management_disabled"
+        },
     ],
     #  disable synclists for on prem installations
     'SyncListViewSet': _deny_all,

galaxy_ng/app/api/ui/serializers/user.py

@@ -175,10 +175,11 @@ class Meta(UserSerializer.Meta):
     @extend_schema_field(OpenApiTypes.OBJECT)
     def get_model_permissions(self, obj):
         permissions = {}
+        allow_group_user_edits = settings.get("DIRECT_SHARED_RESOURCE_MANAGEMENT_ENABLED", True)
         for i, j in PERMISSIONS.items():
             permissions[i] = j
             permissions[i]["has_model_permission"] = obj.has_perm(i)
-        if settings.get("SOCIAL_AUTH_KEYCLOAK_KEY"):
+        if settings.get("SOCIAL_AUTH_KEYCLOAK_KEY") or not allow_group_user_edits:
             permissions["galaxy.delete_user"]['has_model_permission'] = False
             permissions["galaxy.change_user"]['has_model_permission'] = False
             permissions["galaxy.add_user"]['has_model_permission'] = False

galaxy_ng/app/settings.py

@@ -308,3 +308,6 @@
 
 # WARNING: This setting is used in database migrations to create a default organization.
 DEFAULT_ORGANIZATION_NAME = "Default"
+
+# Disables editing and managing users and groups.
+DIRECT_SHARED_RESOURCE_MANAGEMENT_ENABLED = True