Pulpcore 3.17 release announcement

We are happy to announce the release of Pulpcore 3.17!

Let’s take a look at the key features of this release.

For a full list of bugfixes, as well as Plugin API enhancements and bugfixes, see the changelog

New compatibility process

This is the first release where we will trial our attempt to increase plugin compatibility. For plugin maintainers, please read increasing Pulpcore compatibility with plugin versions for more information.

RBAC enhancements (#9411, #9413, #9415, #9498, #9604)

RBAC functionality in Pulp now has a new Roles model. To introduce and support roles in RBAC, it was necessary to introduce some supporting functions as well as rework existing functionality to use roles.

Here is a summary of the main introductions and changes to RBAC:

• A viewset to manage roles (as a set of permissions) was added. System defined locked roles appear read only.
• New views have been added to assign model-level and object-level roles to users and groups.
• Plugins can define locked system roles with their viewsets.
• New assign_role and remove_role functions have been added to the Plugin API.
• Existing access policies on viewsets were also rewritten to use roles.

RBAC’s Content Guards have also been reworked to use roles. The following new endpoints were added to the RBAC capable viewsets to manage object-level role assignments:

• add_roles
• remove_roles
• list_roles
• my_permissions

This currently includes groups, tasks and RBAC content guard.

If you ever want to revert a modified access policy to the default settings, a new reset endpoint has been added to provide for this. This will clear the customized flag, too, so updates from the plugin will be received again.

Related deprecations

The permissions_assignment field of the access policies has been renamed to creation_hooks.

A compatibility patch has been added to be removed with pulpcore=3.20. The permissions argument to creation_hooks has been deprecated to be removed with pulpcore=3.20, as per our new process.

#8554 Bulk deletion support

Over time, the database can fill with task-records. In the past, you had to manually delete individual tasks.

With this release, a new /tasks/purge/ API has been added with which you can bulk-delete old tasks records based on their completion timestamps.

#9459 Restricting username and passwords in remote URLs

For security purposes, validation has been added to prevent credentials being used in remote URLs.

This effort also includes adding data migration to ensure that existing credentials are moved from remote urls and into remote username/password fields for existing remotes.

#9518 Update to storage.url

It’s now possible to send Content-type and Content-disposition headers in the AzureStorage.url.

#9532 Metadata signing update

Administrators can add signing services to Pulp using the command line tools.

With this release, Signing service scripts can now access the public key fingerprint using the PULP_SIGNING_KEY_FINGERPRINT environment variable.

This allows for more generic scripts that do not need to “guess” (hardcode) what key they should use.

Removals

#9327 Resource manager flag

The pulpcore-worker binary no longer accepts the --resource-manager flag. There is no resource manager anymore, so this flag is no longer needed.

#9498 RBAC permission endpoints removed

Removed tech previewed assign_permission and remove_permission endpoints from RBAC content guard viewset.