Make controller specific team and org roles #15445
Conversation
fosterseth
force-pushed
the
add_controller_specific_roles
branch
from
cdd458f
to
4431257
Compare
|
I'd like to get some API-level tests (like with the
Tests in ansible/django-ansible-base#562 overlap with this, but don't really do it justice with the specific names and stuff. Your existing test does what the 1st case does on the ORM layer. But I'd like to confirm the API version of all of these cases work using the test database. |
|
The test failures from this are strange, basically all permission checks are giving the right answer. I don't have a simple answer as to why that's happening. |
|
I put up #15453 and I believe this will make some progress towards fixing the test failures. Probably not all, but it goes in the right direction, in that we remove any references to (old) role members and use permission evaluations instead. We needed to do this anyway, irrelevant of this. |
I was more worried about the revoking flow, than the granting flow. But it turned out it worked just fine. So I'll go ahead and add these, in support of ansible/awx#15445 AAP-24052
fosterseth
force-pushed
the
add_controller_specific_roles
branch
from
8dd8d51
to
e97175e
Compare
awx/main/models/organization.py
Outdated
| @@ -123,6 +126,10 @@ def get_absolute_url(self, request=None): | |||
| def _get_related_jobs(self): | |||
| return UnifiedJob.objects.non_polymorphic().filter(organization=self) | |||
|
|
|||
| def validate_role_assignment(self, actor, role_definition): | |||
| if role_definition.name in ['Organization Admin', 'Organization Member']: | |||
| raise DRFValidationError({'detail': _(f"Assignment must use the Controller {role_definition.name} role.")}) | |||
There was a problem hiding this comment.
Remove this validation. It'll be handled in DAB and has to be configurable.
There was a problem hiding this comment.
With the new DAB version, you should be able to add the setting that will replace this:
ALLOW_LOCAL_ASSIGNING_JWT_ROLES = False
awx/main/models/organization.py
Outdated
| @@ -166,6 +173,10 @@ class Meta: | |||
| def get_absolute_url(self, request=None): | |||
| return reverse('api:team_detail', kwargs={'pk': self.pk}, request=request) | |||
|
|
|||
| def validate_role_assignment(self, actor, role_definition): | |||
| if role_definition.name in ['Team Admin', 'Team Member']: | |||
| raise DRFValidationError({'detail': _(f"Assignment must use the Controller {role_definition.name} role.")}) | |||
|
|
||
| new_state = migrator.apply_tested_migration( | ||
| ('main', '0192_custom_roles'), | ||
| ) | ||
|
|
||
| RoleUserAssignment = new_state.apps.get_model('dab_rbac', 'RoleUserAssignment') | ||
| assert RoleUserAssignment.objects.filter(user=user.id, object_id=org.id).exists() | ||
| assert RoleUserAssignment.objects.filter(user=user.id, role_definition__name='Controller Organization Member', object_id=org.id).exists() | ||
| assert RoleUserAssignment.objects.filter(user=user.id, role_definition__name='Controller Team Member', object_id=team.id).exists() |
There was a problem hiding this comment.
Did that not require any changes to the data migration? I guess maybe it imported some of the translation methods from the models? I just don't see how this would have gotten fixed.
github-actions
bot
added
the
dependencies
Controller Team Admin Controller Team Member Controller Organization Admin Controller Organization Member Plug old RBAC system to use these roles instead of the platform roles. Signed-off-by: Seth Foster <[email protected]>
Signed-off-by: Seth Foster <[email protected]>
Signed-off-by: Seth Foster <[email protected]>
Signed-off-by: Seth Foster <[email protected]>
Signed-off-by: Seth Foster <[email protected]>
Signed-off-by: Seth Foster <[email protected]>
Signed-off-by: Seth Foster <[email protected]>
Signed-off-by: Seth Foster <[email protected]>
Signed-off-by: Seth Foster <[email protected]>
Signed-off-by: Seth Foster <[email protected]>
Signed-off-by: Seth Foster <[email protected]>
Signed-off-by: Seth Foster <[email protected]>
Signed-off-by: Seth Foster <[email protected]>
Signed-off-by: Seth Foster <[email protected]>
fosterseth
force-pushed
the
add_controller_specific_roles
branch
from
2bb44a9
to
bcef496
Compare
Signed-off-by: Seth Foster <[email protected]>
|
SUMMARY
Controller Team Admin
Controller Team Member
Controller Organization Admin
Controller Organization Member
Permissions-wise, these four roles are identical to the platform roles, those without the
Controllerprefix.Role assignments that are issued via the AWX API utilize these role definitions, not the platform roles. Role assignments for the platform roles must be issued in gateway and synced to AWX via JWT payloads. A followup PR will add a flag and some logic to role definitions to implement this restriction.
For role assigments that use the deprecated RBAC system, the Controller specific roles will be used.
ISSUE TYPE
COMPONENT NAME
TODO