Skip to content

Add flavor permission rules#581

Draft
seb-kro wants to merge 1 commit into
stable/2023.2-m3from
I759286/flavor_permission_rules
Draft

Add flavor permission rules#581
seb-kro wants to merge 1 commit into
stable/2023.2-m3from
I759286/flavor_permission_rules

Conversation

@seb-kro

@seb-kro seb-kro commented Nov 4, 2025

Copy link
Copy Markdown

Flavor access is currently controlled via private/public flavors and the flavor access list aka FlavorProjects. To restrict access to a flavor, it must be turned private and access must be granted individually to each project.

This adds flavor permission rules for a more flexible flavor permission management. These rules are independent of flavor privacy and the flavor access list. So a flavor is only available to a project if allowed by both the flavor permission rules and the flavor access list.

There are two types of flavor permission rules: allow and deny. deny rules take precedence over allow rules. Rules without a flavor_id define the project default behavior for flavors without a flavor-specific rule. If a domain or a project does not define any rules, then all flavors are permitted by default.

Depending on the specified project_id, flavor permission rules have two different scopes:

  • domain-level rules apply to all projects within the domain
  • project-level rules apply only to the project itself and are not inherited by sub-projects A flavor is permitted for a project if it is permitted at both the domain and project level.

There is at most one flavor permission rule for each combination of project_id and flavor_id. Consequently, a flavor is permitted at the domain- or project level if for that level:

  • No rules are defined
  • OR there is an allow rule matching the flavor
  • OR there is an allow rule without a flavor_id AND there is no deny rule matching the flavor

Change-Id: I5e1332d111c07ee714f2965c558f393c8568ffaf

@seb-kro seb-kro force-pushed the I759286/flavor_permission_rules branch from 1108c89 to 76b89e5 Compare November 5, 2025 01:30
Flavor access is currently controlled via private/public flavors and the
flavor access list aka `FlavorProjects`. To restrict access to a flavor,
it must be turned private and access must be granted individually to
each project.

To support external customers, we want to restrict access to
certain flavors for arbitrary domains while keeping these flavors
publicly accessible on other domain without additional configuration
needs. Additionally, we want to enable project owners to configure
project-specific flavor access.

This adds flavor permission rules as a new mechanism for controlling
flavor access. These rules are independent of flavor privacy and the
flavor access list. So a flavor is only available to a project if
allowed by both the flavor permission rules and the flavor access list.

Each flavor permission rule has a `project_id`, a scope ('domain' or
'project'), an optional 'flavor_id' and a 'type' ('allow' or 'deny').

The two scopes of flavor permission rules are derived from the project
hierarchy:
- 'domain' scope rules have a domain 'project_id' and apply to all
  projects within that domain
- 'project' scope rules have a 'project_id' of a non-domain project,
  apply only to that project itself and are not inherited by
  sub-projects

A flavor is permitted for a project if it is permitted at both the
domain scope and the project scope. Rules without a 'flavor_id' define
the domain's or project's default behavior for flavors without a
flavor-specific rule. If a domain or project does not have a default
behavior rule, then all flavors are permitted at that scope by default.

There is at most one flavor permission rule for each combination of
'project_id' and 'flavor_id'. Consequently, a flavor is permitted at a
scope if for the corresponding 'project_id':
- No rules are defined
- OR there is an 'allow' rule matching the flavor
- OR there is an 'allow' rule without a 'flavor_id' AND there is no
  'deny' rule matching the flavor

Change-Id: I5e1332d111c07ee714f2965c558f393c8568ffaf
@seb-kro seb-kro force-pushed the I759286/flavor_permission_rules branch from 76b89e5 to 987421e Compare July 7, 2026 14:52
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant