
[feature] transition the package_roles method onto the restful API

Open 4383 opened this issue 4 years ago • 4 comments

These changes add package_roles to the results returned by the admin.views.project restful API.

The package_roles method was available in the xmlrpc API; unfortunately, this information is missing from the restful API [1].

These changes add the creation of an equivalent in the restful API.

[1] https://github.com/pypa/warehouse/issues/9700

4383 avatar Jul 08 '21 12:07 4383

These changes aim to address #9700

4383 avatar Jul 08 '21 12:07 4383

Hello team,

I hate harassing people for getting reviews, but, at least, can we have a minimal analysis from your side just to know if this is the right thing to do to fix #9700 and get some visibility on our side?

Thanks for your understanding.

4383 avatar Aug 04 '21 12:08 4383

The JSON API at https://warehouse.readthedocs.io/api-reference/json.html#get--pypi--project_name--json promises this:

Metadata returned comes from the values provided at upload time and does not necessarily match the content of the uploaded

And package_roles is not a part of these values.

I don't think it is a good idea to skew the data that goes into the [packaging] -> [uploading] -> [storing] -> [accessing through API] pipelines without documenting all the transformations that may come unexpectedly for people. I mean https://github.com/pypa/warehouse/pull/3520 needs to be merged first to solve the [packaging] -> [uploading] uncertainty in data fields and values, and then a similar mapping will need to be done to decouple fields in the REST API from what people have in packages and uploads.

Or, make a separate namespace that will expose the PyPI admin interface for a package, allowing to assign maintainership roles etc. Right now PyPI's evolution is stuck between going into a central command and control server and providing a more decentralized alternative. When all information including maintainers was contained in the package, the management was decentralized. When people started to need an account and configure access on the server side, the management became centralized.

Given the above, I would not just make a separate namespace in the JSON, like "pypi_rbac" or "pypi_config", but a separate endpoint like api/v2/config/<project_name>/access, which will only manage PyPI settings. Because you would likely need the API to limit role scopes, assign token, check their validity, audit logs.

I mean there are a lot of signals that the admin API is needed: https://github.com/pypa/warehouse/issues?q=is%3Aissue+is%3Aopen+token+API

abitrolly avatar Aug 31 '21 14:08 abitrolly
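As an added illustration of the separation argued for above (example code, not warehouse's code and not the commenter's), the following sketch keeps the public project JSON limited to upload-time metadata and serves role assignments from a separate, token-scoped access endpoint that records an audit entry for every decision. The project name, role table, token store and scope names are all constructed for the example and are not PyPI's.

```python
"""Added example (not warehouse code): keep server-side role data out of the
upload-derived project JSON and expose it only through a separately
authorised access endpoint. All data below is constructed for the example."""
import hashlib
import json
from typing import Dict, List, Tuple

# Constructed upload-time metadata, as a packaging tool would submit it.
UPLOAD_METADATA: Dict[str, dict] = {
    "example-pkg": {
        "name": "example-pkg",
        "version": "1.0.0",
        "summary": "constructed sample project",
    },
}

# Constructed server-side role assignments (hypothetical store, not a PyPI table).
PROJECT_ROLES: Dict[str, List[Tuple[str, str]]] = {
    "example-pkg": [("alice", "Owner"), ("bob", "Maintainer")],
}


def _digest(token: str) -> str:
    """Tokens are stored only as SHA-256 digests, never in clear text."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


# Constructed API tokens; each carries explicit per-project scopes (hypothetical names).
TOKEN_STORE: Dict[str, dict] = {
    _digest("tok-alice-read"): {
        "user": "alice",
        "scopes": {"example-pkg": {"roles:read"}},
    },
    _digest("tok-carol-upload"): {
        "user": "carol",
        "scopes": {"example-pkg": {"upload"}},
    },
}


class AccessDenied(Exception):
    """Raised when a token is unknown or lacks the required scope."""


def project_json(name: str) -> str:
    """Public metadata endpoint: serialises only the fields provided at upload.

    No role or account data is mixed in, so the documented promise that the
    JSON reflects upload-time values still holds.
    """
    meta = UPLOAD_METADATA[name]
    return json.dumps({"info": dict(meta)})


def project_access(name: str, token: str, audit: List[dict]) -> dict:
    """Separate access endpoint (hypothetical /config/<name>/access).

    Returns the project's roles only to a token that carries the
    ``roles:read`` scope for that project, and appends an audit record
    for every request whether it was allowed or not.
    """
    entry = TOKEN_STORE.get(_digest(token))
    user = entry["user"] if entry else None
    allowed = entry is not None and "roles:read" in entry["scopes"].get(name, set())
    audit.append({"endpoint": f"/config/{name}/access", "user": user, "allowed": allowed})
    if not allowed:
        raise AccessDenied(f"token not authorised to read roles for {name!r}")
    roles = [{"user": u, "role": r} for u, r in PROJECT_ROLES.get(name, [])]
    return {"project": name, "roles": roles}


if __name__ == "__main__":
    log: List[dict] = []
    print(project_json("example-pkg"))
    print(project_access("example-pkg", "tok-alice-read", log))
    try:
        project_access("example-pkg", "tok-carol-upload", log)
    except AccessDenied as exc:
        print("denied:", exc)
    print(json.dumps(log, indent=2))
```

The design point is that the two endpoints have different provenance and different audiences: the metadata endpoint reflects what the uploader sent and needs no authorisation, while the access endpoint reflects server-side account state, is gated by a scoped token, and leaves an audit trail, which is what a later "limit role scopes, assign tokens, check validity" API would build on.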

Thanks for your interesting feedback

4383 avatar Sep 02 '21 09:09 4383