RBAC M2: Building the roles and permissions core #14

@MaferMazu

Core implementation of roles and permissions.

Implements the backend system defined in the architecture phase. Depending on the chosen direction (centralized service or embedded library), the system will include the RBAC data models, permission logic, and integration with Open edX. Deliverables:
● RBAC data models, APIs, and logic
● Central service or embedded utility
● Test suite (TDD)
● ADRs for implementation decisions
● Developer integration documentation

Based on the user stories for the Libraries AuthZ MVP https://openedx.atlassian.net/wiki/spaces/OEPM/pages/5209980941/Scope+of+the+implementation+for+the+AuthZ+MVP+as+a+whole#User-stories-(flows)-we-are-going-to-cover these are the needs:

| User Story | Core Back Requirement |
| --- | --- |
| #46 | Method and endpoint to obtain all the users who have permissions over a resource (paginated) |
| #50 | Extend the method and endpoint to filter and sort the users who have permissions over a resource. |
| #48 | Method to obtain the role and its permission by user |
| #51 | Method and endpoint to obtain the available roles, their description, and their permissions categorized (the description could live in the app and the categorization too) |
| #53 | Aggregate the number of members of each role |
| #47 | CRUD over the assignments |
| #45 | CRUD over the assignments |
| #54 | CRUD over the assignments |
| #52 | Ask if it is related to allow_public_read openedx/frontend-app-authoring#1342 (Related to manage access and mfe communication with the apis: https://openedx.atlassian.net/wiki/spaces/OEPM/pages/5210112002/Open+edX+AuthZ+Framework+Long-Term+Vision?focusedCommentId=5229641738 ) |

Roadmap

  1. Create a solid model.conf to test Casbin with a use case close to what we'll implement.
  2. Build engine utilities for the Casbin-based authorization engine. This includes enforcers, adapters, matchers, and other Casbin-specific tools needed for our APIs.
  3. Develop APIs as the main interface to be used by services and our own REST APIs (this is our api.py).
  4. Add REST APIs which consume our api.py.
    • API methods needed
      • CRUD over the assignments (grants)
      • Method and endpoint to obtain all the users who have permissions over a resource.
      • Be able to filter and sort them
      • Method and endpoint to obtain the available roles, their description, and their permissions.
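The API methods listed in the roadmap, as an added example that is not part of the original issue or the project's code: a scoped role-assignment store with a deny-by-default permission check, a filtered, sorted and paginated listing of users per resource, and per-role member counts. It uses a plain in-memory set in place of Casbin; the role names, permission names, library keys and the `AssignmentStore` class are assumptions made for illustration.

```python
from collections import Counter
from dataclasses import dataclass, field

# Constructed role catalogue (assumption): role -> permissions.
ROLES = {
    "library_admin": {"view_library", "edit_library", "manage_library_team"},
    "library_author": {"view_library", "edit_library"},
    "library_user": {"view_library"},
}

@dataclass
class AssignmentStore:
    """Hypothetical in-memory stand-in for the policy store; grants are (user, role, scope)."""
    grants: set = field(default_factory=set)

    def assign(self, user, role, scope):
        if role not in ROLES:
            raise ValueError(f"unknown role: {role}")  # fail closed on typos
        self.grants.add((user, role, scope))

    def unassign(self, user, role, scope):
        self.grants.discard((user, role, scope))

    def is_allowed(self, user, permission, scope):
        # Deny by default: only an explicit grant on this exact scope allows.
        return any(u == user and s == scope and permission in ROLES[r]
                   for u, r, s in self.grants)

    def users_for_scope(self, scope, role=None, search="", page=1, page_size=2):
        """Users holding any role on `scope`, filtered, sorted by name, paginated."""
        by_user = {}
        for u, r, s in self.grants:
            if s == scope and (role is None or r == role) and search in u:
                by_user.setdefault(u, set()).add(r)
        rows = [{"user": u, "roles": sorted(rs)} for u, rs in sorted(by_user.items())]
        start = (page - 1) * page_size
        return {"count": len(rows), "results": rows[start:start + page_size]}

    def role_member_counts(self, scope):
        counts = Counter(r for _, r, s in self.grants if s == scope)
        return {r: counts.get(r, 0) for r in ROLES}

def demo_store():
    """Constructed sample assignments over two made-up library keys."""
    store = AssignmentStore()
    store.assign("alice", "library_admin", "lib:DemoX:CSPROB")
    store.assign("bob", "library_author", "lib:DemoX:CSPROB")
    store.assign("carol", "library_user", "lib:DemoX:CSPROB")
    store.assign("bob", "library_admin", "lib:DemoX:OTHER")
    return store
```

Because every grant carries its scope, bob's admin role on one library gives him no team-management permission on the other, which is the property a test suite for the real engine should pin down first.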

Labels: ulmo (Released in Ulmo)

Status: Done
