[feature] transition the package_roles method onto the restful API

[4383]

These changes adds the package_roles as results of the return of the admin.views.project restful API.

The package_roles method was available into the xmlrpc, unfortunately these informations are missing into the restful API [1].

These changes adds the creation of an equivalent into the restful API.

[1] #9700

[4383]

I'm not sure if we want to create some representations by using the RoleFactory. In this case what should be the difference between maintainers and package_roles?

[4383]

These changes aim to address #9700

[4383]

Hello team,

I hate harassing people for getting reviews, but, at least, can we have a minimal analyse from your side just to know if this is the right thing to do to fix #9700 and get some visibility on our side.

Thanks for your understanding.

[abitrolly]

JSON API at https://warehouse.readthedocs.io/api-reference/json.html#get--pypi--project_name--json promises this.

Metadata returned comes from the values provided at upload time and does not necessarily match the content of the uploaded

And package_roles is not a part of these values.

I don't think it is a good idea to skew the data that goes into [packaging] -> [uploading] -> [storing] -> [accessing through API] pipelines without documenting all the transformations that may come unexpected for people. I mean #3520 needs to be merged first to solve [packaging] -> [uploading] uncertainty in data fields and values, and then a similar mapping will need to be done to decouple fields in REST API from what people have in packages and uploads.

Or, make a separate namespace that will expose PyPI admin interface for a package, allowing to assign maintainership roles etc. Right now PyPI evolution stuck between going into central command and control server and providing a more decentralized alternative. When all information including maintainers was contained in the package, the management was decentralized. When people started to need the account and configure access on the server side, the management is centralized.

Given the above, I would not just make a separate namespace in the JSON, like "pypi_rbac" or "pypi_config", but a separate endpoint like api/v2/config/<project_name>/access, which will only manage PyPI settings. Because you would likely need the API to limit role scopes, assign token, check their validity, audit logs.

I mean there is a lot of signals that the admin API is needed https://github.com/pypa/warehouse/issues?q=is%3Aissue+is%3Aopen+token+API

[4383]

Thanks for your interesting feedback