Merge pull request #1913 from wwitzel3/issue-1884

Consolidate roles and re-structure auditor children.
This commit is contained in:
Wayne Witzel III
2016-05-13 13:11:14 -04:00
16 changed files with 90 additions and 145 deletions


@@ -818,7 +818,7 @@ class TeamList(ListCreateAPIView):
def get_queryset(self): def get_queryset(self):
qs = Team.accessible_objects(self.request.user, 'read_role').order_by() qs = Team.accessible_objects(self.request.user, 'read_role').order_by()
qs = qs.select_related('admin_role', 'auditor_role', 'member_role', 'organization') qs = qs.select_related('admin_role', 'read_role', 'member_role', 'organization')
return qs return qs
class TeamDetail(RetrieveUpdateDestroyAPIView): class TeamDetail(RetrieveUpdateDestroyAPIView):
@@ -865,7 +865,7 @@ class TeamProjectsList(SubListAPIView):
def get_queryset(self): def get_queryset(self):
team = self.get_parent_object() team = self.get_parent_object()
self.check_parent_access(team) self.check_parent_access(team)
team_qs = Project.objects.filter(Q(member_role__parents=team.member_role) | Q(admin_role__parents=team.member_role)).distinct() team_qs = Project.objects.filter(Q(use_role__parents=team.member_role) | Q(admin_role__parents=team.member_role)).distinct()
user_qs = Project.accessible_objects(self.request.user, 'read_role').distinct() user_qs = Project.accessible_objects(self.request.user, 'read_role').distinct()
return team_qs & user_qs return team_qs & user_qs
@@ -913,9 +913,8 @@ class ProjectList(ListCreateAPIView):
projects_qs = projects_qs.select_related( projects_qs = projects_qs.select_related(
'organization', 'organization',
'admin_role', 'admin_role',
'auditor_role', 'use_role',
'member_role', 'update_role',
'scm_update_role',
) )
return projects_qs return projects_qs
@@ -1422,7 +1421,7 @@ class InventoryList(ListCreateAPIView):
def get_queryset(self): def get_queryset(self):
qs = Inventory.accessible_objects(self.request.user, 'read_role') qs = Inventory.accessible_objects(self.request.user, 'read_role')
qs = qs.select_related('admin_role', 'auditor_role', 'update_role', 'execute_role') qs = qs.select_related('admin_role', 'read_role', 'update_role', 'execute_role')
return qs return qs
class InventoryDetail(RetrieveUpdateDestroyAPIView): class InventoryDetail(RetrieveUpdateDestroyAPIView):
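Review bot: TeamProjectsList.get_queryset now matches projects only through `use_role__parents` and `admin_role__parents`, so a project on which the team was granted the new `update_role` (introduced by this same change) is not listed for the team even though the team can read it through `read_role`'s parent chain. Adding the third branch, `Q(update_role__parents=team.member_role)`, to the filter keeps the listing in step with the new role graph. The result is still intersected with `user_qs`, so this is a completeness gap rather than a disclosure.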


@@ -1384,6 +1384,10 @@ class CustomInventoryScriptAccess(BaseAccess):
return self.model.objects.distinct().all() return self.model.objects.distinct().all()
return self.model.accessible_objects(self.user, 'read_role').all() return self.model.accessible_objects(self.user, 'read_role').all()
@check_superuser
def can_admin(self, obj):
return self.user in obj.admin_role
@check_superuser @check_superuser
def can_read(self, obj): def can_read(self, obj):
return self.user in obj.read_role return self.user in obj.read_role
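Review bot: The new `can_admin` carries no docstring, and the rest of CustomInventoryScriptAccess is outside the hunk, so a reader cannot tell whether `can_change`/`can_delete` are meant to route through it. A one-line docstring would pin the contract: `"""True if the user holds the script's admin_role (the model parents it to organization.admin_role, so org admins qualify)."""`. The `@check_superuser` decorator presumably short-circuits for superusers, as on `can_read`; worth stating in the docstring if so.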


@@ -137,11 +137,6 @@ class Migration(migrations.Migration):
name='roleancestorentry', name='roleancestorentry',
index_together=set([('ancestor', 'content_type_id', 'object_id'), ('ancestor', 'content_type_id', 'role_field'), ('ancestor', 'descendent')]), index_together=set([('ancestor', 'content_type_id', 'object_id'), ('ancestor', 'content_type_id', 'role_field'), ('ancestor', 'descendent')]),
), ),
migrations.AddField(
model_name='credential',
name='auditor_role',
field=awx.main.fields.ImplicitRoleField(related_name='+', parent_role=[b'singleton:system_auditor'], to='main.Role', null=b'True'),
),
migrations.AddField( migrations.AddField(
model_name='credential', model_name='credential',
name='owner_role', name='owner_role',
@@ -155,27 +150,17 @@ class Migration(migrations.Migration):
migrations.AddField( migrations.AddField(
model_name='credential', model_name='credential',
name='read_role', name='read_role',
field=awx.main.fields.ImplicitRoleField(related_name='+', parent_role=[b'use_role', b'auditor_role', b'owner_role'], to='main.Role', null=b'True'), field=awx.main.fields.ImplicitRoleField(related_name='+', parent_role=[b'singleton:system_auditor', b'use_role', b'owner_role'], to='main.Role', null=b'True'),
), ),
migrations.AddField( migrations.AddField(
model_name='custominventoryscript', model_name='custominventoryscript',
name='admin_role', name='admin_role',
field=awx.main.fields.ImplicitRoleField(related_name='+', parent_role=b'organization.admin_role', to='main.Role', null=b'True'), field=awx.main.fields.ImplicitRoleField(related_name='+', parent_role=b'organization.admin_role', to='main.Role', null=b'True'),
), ),
migrations.AddField(
model_name='custominventoryscript',
name='auditor_role',
field=awx.main.fields.ImplicitRoleField(related_name='+', parent_role=b'organization.auditor_role', to='main.Role', null=b'True'),
),
migrations.AddField(
model_name='custominventoryscript',
name='member_role',
field=awx.main.fields.ImplicitRoleField(related_name='+', parent_role=b'organization.member_role', to='main.Role', null=b'True'),
),
migrations.AddField( migrations.AddField(
model_name='custominventoryscript', model_name='custominventoryscript',
name='read_role', name='read_role',
field=awx.main.fields.ImplicitRoleField(related_name='+', parent_role=[b'auditor_role', b'member_role', b'admin_role'], to='main.Role', null=b'True'), field=awx.main.fields.ImplicitRoleField(related_name='+', parent_role=[b'organization.auditor_role', b'organization.member_role', b'admin_role'], to='main.Role', null=b'True'),
), ),
migrations.AddField( migrations.AddField(
model_name='group', model_name='group',
@@ -187,11 +172,6 @@ class Migration(migrations.Migration):
name='adhoc_role', name='adhoc_role',
field=awx.main.fields.ImplicitRoleField(related_name='+', parent_role=[b'inventory.adhoc_role', b'parents.adhoc_role', b'admin_role'], to='main.Role', null=b'True'), field=awx.main.fields.ImplicitRoleField(related_name='+', parent_role=[b'inventory.adhoc_role', b'parents.adhoc_role', b'admin_role'], to='main.Role', null=b'True'),
), ),
migrations.AddField(
model_name='group',
name='auditor_role',
field=awx.main.fields.ImplicitRoleField(related_name='+', parent_role=[b'inventory.auditor_role', b'parents.auditor_role'], to='main.Role', null=b'True'),
),
migrations.AddField( migrations.AddField(
model_name='group', model_name='group',
name='execute_role', name='execute_role',
@@ -205,7 +185,7 @@ class Migration(migrations.Migration):
migrations.AddField( migrations.AddField(
model_name='group', model_name='group',
name='read_role', name='read_role',
field=awx.main.fields.ImplicitRoleField(related_name='+', parent_role=[b'execute_role', b'update_role', b'auditor_role', b'admin_role'], to='main.Role', null=b'True'), field=awx.main.fields.ImplicitRoleField(related_name='+', parent_role=[b'inventory.read_role', b'parents.read_role', b'execute_role', b'update_role', b'admin_role'], to='main.Role', null=b'True'),
), ),
migrations.AddField( migrations.AddField(
model_name='inventory', model_name='inventory',
@@ -215,12 +195,7 @@ class Migration(migrations.Migration):
migrations.AddField( migrations.AddField(
model_name='inventory', model_name='inventory',
name='adhoc_role', name='adhoc_role',
field=awx.main.fields.ImplicitRoleField(related_name='+', parent_role=[b'admin_role'], to='main.Role', null=b'True'), field=awx.main.fields.ImplicitRoleField(related_name='+', parent_role=b'admin_role', to='main.Role', null=b'True'),
),
migrations.AddField(
model_name='inventory',
name='auditor_role',
field=awx.main.fields.ImplicitRoleField(related_name='+', parent_role=b'organization.auditor_role', to='main.Role', null=b'True'),
), ),
migrations.AddField( migrations.AddField(
model_name='inventory', model_name='inventory',
@@ -230,28 +205,23 @@ class Migration(migrations.Migration):
migrations.AddField( migrations.AddField(
model_name='inventory', model_name='inventory',
name='update_role', name='update_role',
field=awx.main.fields.ImplicitRoleField(related_name='+', parent_role=[b'admin_role'], to='main.Role', null=b'True'), field=awx.main.fields.ImplicitRoleField(related_name='+', parent_role=b'admin_role', to='main.Role', null=b'True'),
), ),
migrations.AddField( migrations.AddField(
model_name='inventory', model_name='inventory',
name='use_role', name='use_role',
field=awx.main.fields.ImplicitRoleField(related_name='+', parent_role=[b'admin_role'], to='main.Role', null=b'True'), field=awx.main.fields.ImplicitRoleField(related_name='+', parent_role=b'admin_role', to='main.Role', null=b'True'),
), ),
migrations.AddField( migrations.AddField(
model_name='inventory', model_name='inventory',
name='read_role', name='read_role',
field=awx.main.fields.ImplicitRoleField(related_name='+', parent_role=[b'auditor_role', b'execute_role', b'update_role', b'use_role', b'admin_role'], to='main.Role', null=b'True'), field=awx.main.fields.ImplicitRoleField(related_name='+', parent_role=[b'organization.auditor_role', b'execute_role', b'update_role', b'use_role', b'admin_role'], to='main.Role', null=b'True'),
), ),
migrations.AddField( migrations.AddField(
model_name='jobtemplate', model_name='jobtemplate',
name='admin_role', name='admin_role',
field=awx.main.fields.ImplicitRoleField(related_name='+', parent_role=[(b'project.admin_role', b'inventory.admin_role')], to='main.Role', null=b'True'), field=awx.main.fields.ImplicitRoleField(related_name='+', parent_role=[(b'project.admin_role', b'inventory.admin_role')], to='main.Role', null=b'True'),
), ),
migrations.AddField(
model_name='jobtemplate',
name='auditor_role',
field=awx.main.fields.ImplicitRoleField(related_name='+', parent_role=[(b'project.auditor_role', b'inventory.auditor_role')], to='main.Role', null=b'True'),
),
migrations.AddField( migrations.AddField(
model_name='jobtemplate', model_name='jobtemplate',
name='execute_role', name='execute_role',
@@ -260,7 +230,7 @@ class Migration(migrations.Migration):
migrations.AddField( migrations.AddField(
model_name='jobtemplate', model_name='jobtemplate',
name='read_role', name='read_role',
field=awx.main.fields.ImplicitRoleField(related_name='+', parent_role=[b'execute_role', b'auditor_role', b'admin_role'], to='main.Role', null=b'True'), field=awx.main.fields.ImplicitRoleField(related_name='+', parent_role=[(b'project.organization.auditor_role', b'inventory.organization.auditor_role'), b'execute_role', b'admin_role'], to='main.Role', null=b'True'),
), ),
migrations.AddField( migrations.AddField(
model_name='organization', model_name='organization',
@@ -289,34 +259,24 @@ class Migration(migrations.Migration):
), ),
migrations.AddField( migrations.AddField(
model_name='project', model_name='project',
name='auditor_role', name='use_role',
field=awx.main.fields.ImplicitRoleField(related_name='+', parent_role=[b'organization.auditor_role', b'singleton:system_auditor'], to='main.Role', null=b'True'),
),
migrations.AddField(
model_name='project',
name='member_role',
field=awx.main.fields.ImplicitRoleField(related_name='+', parent_role=b'admin_role', to='main.Role', null=b'True'), field=awx.main.fields.ImplicitRoleField(related_name='+', parent_role=b'admin_role', to='main.Role', null=b'True'),
), ),
migrations.AddField( migrations.AddField(
model_name='project', model_name='project',
name='scm_update_role', name='update_role',
field=awx.main.fields.ImplicitRoleField(related_name='+', parent_role=b'admin_role', to='main.Role', null=b'True'), field=awx.main.fields.ImplicitRoleField(related_name='+', parent_role=b'admin_role', to='main.Role', null=b'True'),
), ),
migrations.AddField( migrations.AddField(
model_name='project', model_name='project',
name='read_role', name='read_role',
field=awx.main.fields.ImplicitRoleField(related_name='+', parent_role=[b'member_role', b'auditor_role', b'scm_update_role'], to='main.Role', null=b'True'), field=awx.main.fields.ImplicitRoleField(related_name='+', parent_role=[b'organization.auditor_role', b'singleton:system_auditor', b'use_role', b'update_role'], to='main.Role', null=b'True'),
), ),
migrations.AddField( migrations.AddField(
model_name='team', model_name='team',
name='admin_role', name='admin_role',
field=awx.main.fields.ImplicitRoleField(related_name='+', parent_role=b'organization.admin_role', to='main.Role', null=b'True'), field=awx.main.fields.ImplicitRoleField(related_name='+', parent_role=b'organization.admin_role', to='main.Role', null=b'True'),
), ),
migrations.AddField(
model_name='team',
name='auditor_role',
field=awx.main.fields.ImplicitRoleField(related_name='+', parent_role=b'organization.auditor_role', to='main.Role', null=b'True'),
),
migrations.AddField( migrations.AddField(
model_name='team', model_name='team',
name='member_role', name='member_role',
@@ -325,6 +285,6 @@ class Migration(migrations.Migration):
migrations.AddField( migrations.AddField(
model_name='team', model_name='team',
name='read_role', name='read_role',
field=awx.main.fields.ImplicitRoleField(related_name='+', parent_role=[b'admin_role', b'auditor_role', b'member_role'], to='main.Role', null=b'True'), field=awx.main.fields.ImplicitRoleField(related_name='+', parent_role=[b'admin_role', b'organization.auditor_role', b'member_role'], to='main.Role', null=b'True'),
), ),
] ]
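Review bot: The role fields are being rewritten inside an already-generated migration instead of in a new one, so any database that has run this migration keeps the old `auditor_role`/`member_role`/`scm_update_role` columns and the old `parent_role` graphs, and the RoleAncestorEntry rows built from them are never recomputed. If the migration has shipped anywhere, this needs a follow-up migration with `RemoveField`/`AlterField` plus an ancestor rebuild rather than an in-place edit; if it has not, a comment at the top of the file saying it is still pre-release and editable would save the next reviewer the same question. The tuple entries in `parent_role` (e.g. the jobtemplate read_role) evidently combine differently from the list entries, and nothing in this file says how; a comment on ImplicitRoleField, outside this hunk, would make the migration readable on its own.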


@@ -219,7 +219,7 @@ def migrate_inventory(apps, schema_editor):
if perm.permission_type == 'admin': if perm.permission_type == 'admin':
return inventory.admin_role return inventory.admin_role
elif perm.permission_type == 'read': elif perm.permission_type == 'read':
return inventory.auditor_role return inventory.read_role
elif perm.permission_type == 'write': elif perm.permission_type == 'write':
return inventory.update_role return inventory.update_role
elif perm.permission_type == 'check' or perm.permission_type == 'run' or perm.permission_type == 'create': elif perm.permission_type == 'check' or perm.permission_type == 'run' or perm.permission_type == 'create':
@@ -320,22 +320,22 @@ def migrate_projects(apps, schema_editor):
logger.warn(smart_text(u'adding Project({}) admin: {}'.format(project.name, project.created_by.username))) logger.warn(smart_text(u'adding Project({}) admin: {}'.format(project.name, project.created_by.username)))
for team in project.deprecated_teams.all(): for team in project.deprecated_teams.all():
team.member_role.children.add(project.member_role) team.member_role.children.add(project.use_role)
logger.info(smart_text(u'adding Team({}) access for Project({})'.format(team.name, project.name))) logger.info(smart_text(u'adding Team({}) access for Project({})'.format(team.name, project.name)))
if project.organization is not None: if project.organization is not None:
for user in project.organization.deprecated_users.all(): for user in project.organization.deprecated_users.all():
project.member_role.members.add(user) project.use_role.members.add(user)
logger.info(smart_text(u'adding Organization({}) member access to Project({})'.format(project.organization.name, project.name))) logger.info(smart_text(u'adding Organization({}) member access to Project({})'.format(project.organization.name, project.name)))
for perm in Permission.objects.filter(project=project): for perm in Permission.objects.filter(project=project):
# All perms at this level just imply a user or team can read # All perms at this level just imply a user or team can read
if perm.team: if perm.team:
perm.team.member_role.children.add(project.member_role) perm.team.member_role.children.add(project.use_role)
logger.info(smart_text(u'adding Team({}) access for Project({})'.format(perm.team.name, project.name))) logger.info(smart_text(u'adding Team({}) access for Project({})'.format(perm.team.name, project.name)))
if perm.user: if perm.user:
project.member_role.members.add(perm.user) project.use_role.members.add(perm.user)
logger.info(smart_text(u'adding User({}) access for Project({})'.format(perm.user.username, project.name))) logger.info(smart_text(u'adding User({}) access for Project({})'.format(perm.user.username, project.name)))
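Review bot: migrate_projects now maps legacy per-project permissions and organization membership onto `project.use_role`, while the comment directly above still says these permissions only imply read, and `use_role` is described elsewhere in this change as "Can use the %s in a job template"; a user or team that had read-only access to a project is therefore upgraded to being able to attach it to job templates. If read is the intended grant, the four `.add(...)` calls should target `project.read_role`; if use is intended, the comment should say so, e.g. `# Legacy project perms and org membership become use_role (read + usable in job templates).`, so the widening is deliberate and auditable. migrate_projects begins outside the hunk.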


@@ -208,19 +208,14 @@ class Credential(PasswordFieldsModel, CommonModelNameNotUnique, ResourceMixin):
'singleton:' + ROLE_SINGLETON_SYSTEM_ADMINISTRATOR, 'singleton:' + ROLE_SINGLETON_SYSTEM_ADMINISTRATOR,
], ],
) )
auditor_role = ImplicitRoleField(
parent_role=[
'singleton:' + ROLE_SINGLETON_SYSTEM_AUDITOR,
],
)
use_role = ImplicitRoleField( use_role = ImplicitRoleField(
parent_role=['owner_role'] parent_role=['owner_role']
) )
read_role = ImplicitRoleField( read_role = ImplicitRoleField(parent_role=[
parent_role=[ 'singleton:' + ROLE_SINGLETON_SYSTEM_AUDITOR,
'use_role', 'auditor_role', 'owner_role' 'use_role',
], 'owner_role'
) ])
@property @property
def needs_ssh_password(self): def needs_ssh_password(self):
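Review bot: Credential.read_role now lists the system-auditor singleton directly with no explanation, and it is the one place on this model where a global role reaches every credential; a short comment keeps it from being dropped as a stray during a later cleanup, e.g. `# System auditors may read every credential; use_role/owner_role grant read on this one.` The class continues outside the hunk.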


@@ -99,24 +99,25 @@ class Inventory(CommonModel, ResourceMixin):
admin_role = ImplicitRoleField( admin_role = ImplicitRoleField(
parent_role='organization.admin_role', parent_role='organization.admin_role',
) )
auditor_role = ImplicitRoleField(
parent_role='organization.auditor_role',
)
update_role = ImplicitRoleField( update_role = ImplicitRoleField(
parent_role=['admin_role'], parent_role='admin_role',
) )
use_role = ImplicitRoleField( use_role = ImplicitRoleField(
parent_role=['admin_role'], parent_role='admin_role',
) )
adhoc_role = ImplicitRoleField( adhoc_role = ImplicitRoleField(
parent_role=['admin_role'], parent_role='admin_role',
) )
execute_role = ImplicitRoleField( execute_role = ImplicitRoleField(
parent_role='adhoc_role', parent_role='adhoc_role',
) )
read_role = ImplicitRoleField( read_role = ImplicitRoleField(parent_role=[
parent_role=['auditor_role', 'execute_role', 'update_role', 'use_role', 'admin_role'], 'organization.auditor_role',
) 'execute_role',
'update_role',
'use_role',
'admin_role',
])
def get_absolute_url(self): def get_absolute_url(self):
return reverse('api:inventory_detail', args=(self.pk,)) return reverse('api:inventory_detail', args=(self.pk,))
@@ -519,9 +520,6 @@ class Group(CommonModelNameNotUnique, ResourceMixin):
admin_role = ImplicitRoleField( admin_role = ImplicitRoleField(
parent_role=['inventory.admin_role', 'parents.admin_role'], parent_role=['inventory.admin_role', 'parents.admin_role'],
) )
auditor_role = ImplicitRoleField(
parent_role=['inventory.auditor_role', 'parents.auditor_role'],
)
update_role = ImplicitRoleField( update_role = ImplicitRoleField(
parent_role=['inventory.update_role', 'parents.update_role', 'admin_role'], parent_role=['inventory.update_role', 'parents.update_role', 'admin_role'],
) )
@@ -531,9 +529,13 @@ class Group(CommonModelNameNotUnique, ResourceMixin):
execute_role = ImplicitRoleField( execute_role = ImplicitRoleField(
parent_role=['inventory.execute_role', 'parents.execute_role', 'adhoc_role'], parent_role=['inventory.execute_role', 'parents.execute_role', 'adhoc_role'],
) )
read_role = ImplicitRoleField( read_role = ImplicitRoleField(parent_role=[
parent_role=['execute_role', 'update_role', 'auditor_role', 'admin_role'], 'inventory.read_role',
) 'parents.read_role',
'execute_role',
'update_role',
'admin_role'
])
def __unicode__(self): def __unicode__(self):
return self.name return self.name
@@ -1307,14 +1309,8 @@ class CustomInventoryScript(CommonModelNameNotUnique, ResourceMixin):
admin_role = ImplicitRoleField( admin_role = ImplicitRoleField(
parent_role='organization.admin_role', parent_role='organization.admin_role',
) )
member_role = ImplicitRoleField(
parent_role='organization.member_role',
)
auditor_role = ImplicitRoleField(
parent_role='organization.auditor_role',
)
read_role = ImplicitRoleField( read_role = ImplicitRoleField(
parent_role=['auditor_role', 'member_role', 'admin_role'], parent_role=['organization.auditor_role', 'organization.member_role', 'admin_role'],
) )
def get_absolute_url(self): def get_absolute_url(self):
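Review bot: Group.read_role now has `inventory.read_role` and `parents.read_role` as parents, so anyone who can read an inventory can read every group in it, which is wider than the previous `auditor_role`-only link; it is plausibly intended but deserves a comment on the field, e.g. `# Read on the inventory or on any parent group implies read on this group.` Separately, Inventory.read_role reaches auditors only through `organization.auditor_role`, whereas Credential and Project also name `singleton:system_auditor` directly, so system-auditor read on inventories depends on Organization.auditor_role chaining to the singleton, which is not visible here; a test asserting that a system auditor is in `inventory.read_role` would settle it.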


@@ -223,14 +223,11 @@ class JobTemplate(UnifiedJobTemplate, JobOptions, ResourceMixin):
admin_role = ImplicitRoleField( admin_role = ImplicitRoleField(
parent_role=[('project.admin_role', 'inventory.admin_role')] parent_role=[('project.admin_role', 'inventory.admin_role')]
) )
auditor_role = ImplicitRoleField(
parent_role=[('project.auditor_role', 'inventory.auditor_role')]
)
execute_role = ImplicitRoleField( execute_role = ImplicitRoleField(
parent_role=['admin_role'], parent_role=['admin_role'],
) )
read_role = ImplicitRoleField( read_role = ImplicitRoleField(
parent_role=['execute_role', 'auditor_role', 'admin_role'], parent_role=[('project.organization.auditor_role', 'inventory.organization.auditor_role'), 'execute_role', 'admin_role'],
) )
@classmethod @classmethod
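Review bot: JobTemplate.read_role now resolves `project.organization.auditor_role` and `inventory.organization.auditor_role`, but migrate_projects in this same change guards `project.organization is not None`, so a project with no organization is a real case and the field definition does not say what that parent resolves to then (skipped, or an error at save time). A comment on the field should state both the null-organization outcome and how the tuple is combined (whether a user needs both organizations' auditor roles or either one), e.g. `# Tuple: auditor of BOTH the project's and the inventory's organization; a null organization is ... (confirm)`, with a unit test covering an organization-less project.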


@@ -104,12 +104,9 @@ class Team(CommonModelNameNotUnique, ResourceMixin):
admin_role = ImplicitRoleField( admin_role = ImplicitRoleField(
parent_role='organization.admin_role', parent_role='organization.admin_role',
) )
auditor_role = ImplicitRoleField(
parent_role='organization.auditor_role',
)
member_role = ImplicitRoleField() member_role = ImplicitRoleField()
read_role = ImplicitRoleField( read_role = ImplicitRoleField(
parent_role=['admin_role', 'auditor_role', 'member_role'], parent_role=['admin_role', 'organization.auditor_role', 'member_role'],
) )
def get_absolute_url(self): def get_absolute_url(self):


@@ -220,27 +220,26 @@ class Project(UnifiedJobTemplate, ProjectOptions, ResourceMixin):
default=0, default=0,
blank=True, blank=True,
) )
admin_role = ImplicitRoleField(
parent_role=[ admin_role = ImplicitRoleField(parent_role=[
'organization.admin_role', 'organization.admin_role',
'singleton:' + ROLE_SINGLETON_SYSTEM_ADMINISTRATOR, 'singleton:' + ROLE_SINGLETON_SYSTEM_ADMINISTRATOR,
], ])
)
auditor_role = ImplicitRoleField( use_role = ImplicitRoleField(
parent_role=[
'organization.auditor_role',
'singleton:' + ROLE_SINGLETON_SYSTEM_AUDITOR,
],
)
member_role = ImplicitRoleField(
parent_role='admin_role', parent_role='admin_role',
) )
scm_update_role = ImplicitRoleField(
update_role = ImplicitRoleField(
parent_role='admin_role', parent_role='admin_role',
) )
read_role = ImplicitRoleField(
parent_role=['member_role', 'auditor_role', 'scm_update_role'], read_role = ImplicitRoleField(parent_role=[
) 'organization.auditor_role',
'singleton:' + ROLE_SINGLETON_SYSTEM_AUDITOR,
'use_role',
'update_role',
])
@classmethod @classmethod
def _get_unified_job_class(cls): def _get_unified_job_class(cls):
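Review bot: Project.read_role no longer names `admin_role` at all and relies on `use_role` having `admin_role` as its parent, whereas Inventory.read_role and JobTemplate.read_role in this change list `admin_role` explicitly; if someone later re-parents `use_role`, project admins silently lose read. Listing it directly, `'use_role', 'update_role', 'admin_role',`, is cheap and makes the three models consistent. The rename of `scm_update_role` to `update_role` will also turn any remaining reference outside these files into an AttributeError, so a grep for `scm_update_role` is worth a line in the PR description.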


@@ -42,7 +42,6 @@ role_names = {
'member_role' : 'Member', 'member_role' : 'Member',
'owner_role' : 'Owner', 'owner_role' : 'Owner',
'read_role' : 'Read', 'read_role' : 'Read',
'scm_update_role' : 'SCM Update',
'update_role' : 'Update', 'update_role' : 'Update',
'use_role' : 'Use', 'use_role' : 'Use',
} }
@@ -57,8 +56,7 @@ role_descriptions = {
'member_role' : 'User is a member of the %s', 'member_role' : 'User is a member of the %s',
'owner_role' : 'Owns and can manage all aspects of this %s', 'owner_role' : 'Owns and can manage all aspects of this %s',
'read_role' : 'May view settings for the %s', 'read_role' : 'May view settings for the %s',
'scm_update_role' : 'May update the project from the configured source control management system', 'update_role' : 'May update project or inventory or group using the configured source update system',
'update_role' : 'May update the inventory or group using the cloud source update system',
'use_role' : 'Can use the %s in a job template', 'use_role' : 'Can use the %s in a job template',
} }
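Review bot: The merged `update_role` description drops the `%s` placeholder every other entry in role_descriptions uses, so whatever formats these strings will now produce a sentence that never names the object, and "May update project or inventory or group using the configured source update system" reads awkwardly. A form that keeps the placeholder works for all three models, e.g. `'update_role' : 'May update the %s from its configured source',`.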


@@ -74,9 +74,9 @@ def test_team_project_list(get, project_factory, team_factory, admin, alice, bob
assert get(reverse('api:team_projects_list', args=(team1.pk,)), alice).data['count'] == 2 assert get(reverse('api:team_projects_list', args=(team1.pk,)), alice).data['count'] == 2
# but if she does, then she should only see the shared project # but if she does, then she should only see the shared project
team2.auditor_role.members.add(alice) team2.read_role.members.add(alice)
assert get(reverse('api:team_projects_list', args=(team2.pk,)), alice).data['count'] == 1 assert get(reverse('api:team_projects_list', args=(team2.pk,)), alice).data['count'] == 1
team2.auditor_role.members.remove(alice) team2.read_role.members.remove(alice)
# Test user endpoints first, very similar tests to test_user_project_list # Test user endpoints first, very similar tests to test_user_project_list
# but permissions are being derived from team membership instead. # but permissions are being derived from team membership instead.


@@ -42,12 +42,12 @@ def test_inventory_auditor_user(inventory, permissions, user):
perm.save() perm.save()
assert u not in inventory.admin_role assert u not in inventory.admin_role
assert u not in inventory.auditor_role assert u not in inventory.read_role
rbac.migrate_inventory(apps, None) rbac.migrate_inventory(apps, None)
assert u not in inventory.admin_role assert u not in inventory.admin_role
assert u in inventory.auditor_role assert u in inventory.read_role
assert inventory.execute_role.members.filter(id=u.id).exists() is False assert inventory.execute_role.members.filter(id=u.id).exists() is False
assert inventory.update_role.members.filter(id=u.id).exists() is False assert inventory.update_role.members.filter(id=u.id).exists() is False
@@ -58,7 +58,7 @@ def test_inventory_updater_user(inventory, permissions, user):
perm.save() perm.save()
assert u not in inventory.admin_role assert u not in inventory.admin_role
assert u not in inventory.auditor_role assert u not in inventory.read_role
rbac.migrate_inventory(apps, None) rbac.migrate_inventory(apps, None)
@@ -73,7 +73,7 @@ def test_inventory_executor_user(inventory, permissions, user):
perm.save() perm.save()
assert u not in inventory.admin_role assert u not in inventory.admin_role
assert u not in inventory.auditor_role assert u not in inventory.read_role
rbac.migrate_inventory(apps, None) rbac.migrate_inventory(apps, None)
@@ -98,7 +98,7 @@ def test_inventory_admin_team(inventory, permissions, user, team):
assert team.member_role.members.count() == 1 assert team.member_role.members.count() == 1
assert inventory.admin_role.members.filter(id=u.id).exists() is False assert inventory.admin_role.members.filter(id=u.id).exists() is False
assert inventory.auditor_role.members.filter(id=u.id).exists() is False assert inventory.read_role.members.filter(id=u.id).exists() is False
assert inventory.execute_role.members.filter(id=u.id).exists() is False assert inventory.execute_role.members.filter(id=u.id).exists() is False
assert inventory.update_role.members.filter(id=u.id).exists() is False assert inventory.update_role.members.filter(id=u.id).exists() is False
assert u in inventory.read_role assert u in inventory.read_role
@@ -113,14 +113,14 @@ def test_inventory_auditor(inventory, permissions, user, team):
team.deprecated_users.add(u) team.deprecated_users.add(u)
assert u not in inventory.admin_role assert u not in inventory.admin_role
assert u not in inventory.auditor_role assert u not in inventory.read_role
rbac.migrate_team(apps,None) rbac.migrate_team(apps,None)
rbac.migrate_inventory(apps, None) rbac.migrate_inventory(apps, None)
assert team.member_role.members.count() == 1 assert team.member_role.members.count() == 1
assert inventory.admin_role.members.filter(id=u.id).exists() is False assert inventory.admin_role.members.filter(id=u.id).exists() is False
assert inventory.auditor_role.members.filter(id=u.id).exists() is False assert inventory.read_role.members.filter(id=u.id).exists() is False
assert inventory.execute_role.members.filter(id=u.id).exists() is False assert inventory.execute_role.members.filter(id=u.id).exists() is False
assert inventory.update_role.members.filter(id=u.id).exists() is False assert inventory.update_role.members.filter(id=u.id).exists() is False
assert u in inventory.read_role assert u in inventory.read_role
@@ -134,14 +134,14 @@ def test_inventory_updater(inventory, permissions, user, team):
team.deprecated_users.add(u) team.deprecated_users.add(u)
assert u not in inventory.admin_role assert u not in inventory.admin_role
assert u not in inventory.auditor_role assert u not in inventory.read_role
rbac.migrate_team(apps,None) rbac.migrate_team(apps,None)
rbac.migrate_inventory(apps, None) rbac.migrate_inventory(apps, None)
assert team.member_role.members.count() == 1 assert team.member_role.members.count() == 1
assert inventory.admin_role.members.filter(id=u.id).exists() is False assert inventory.admin_role.members.filter(id=u.id).exists() is False
assert inventory.auditor_role.members.filter(id=u.id).exists() is False assert inventory.read_role.members.filter(id=u.id).exists() is False
assert inventory.execute_role.members.filter(id=u.id).exists() is False assert inventory.execute_role.members.filter(id=u.id).exists() is False
assert inventory.update_role.members.filter(id=u.id).exists() is False assert inventory.update_role.members.filter(id=u.id).exists() is False
assert team.member_role.is_ancestor_of(inventory.update_role) assert team.member_role.is_ancestor_of(inventory.update_role)
@@ -156,14 +156,14 @@ def test_inventory_executor(inventory, permissions, user, team):
team.deprecated_users.add(u) team.deprecated_users.add(u)
assert u not in inventory.admin_role assert u not in inventory.admin_role
assert u not in inventory.auditor_role assert u not in inventory.read_role
rbac.migrate_team(apps, None) rbac.migrate_team(apps, None)
rbac.migrate_inventory(apps, None) rbac.migrate_inventory(apps, None)
assert team.member_role.members.count() == 1 assert team.member_role.members.count() == 1
assert inventory.admin_role.members.filter(id=u.id).exists() is False assert inventory.admin_role.members.filter(id=u.id).exists() is False
assert inventory.auditor_role.members.filter(id=u.id).exists() is False assert inventory.read_role.members.filter(id=u.id).exists() is False
assert inventory.execute_role.members.filter(id=u.id).exists() is False assert inventory.execute_role.members.filter(id=u.id).exists() is False
assert inventory.update_role.members.filter(id=u.id).exists() is False assert inventory.update_role.members.filter(id=u.id).exists() is False
assert team.member_role.is_ancestor_of(inventory.update_role) is False assert team.member_role.is_ancestor_of(inventory.update_role) is False


@@ -72,7 +72,7 @@ def test_team_access_member(organization, team, user):
def test_team_accessible_by(team, user, project): def test_team_accessible_by(team, user, project):
u = user('team_member', False) u = user('team_member', False)
team.member_role.children.add(project.member_role) team.member_role.children.add(project.use_role)
assert team in project.read_role assert team in project.read_role
assert u not in project.read_role assert u not in project.read_role
@@ -83,7 +83,7 @@ def test_team_accessible_by(team, user, project):
def test_team_accessible_objects(team, user, project): def test_team_accessible_objects(team, user, project):
u = user('team_member', False) u = user('team_member', False)
team.member_role.children.add(project.member_role) team.member_role.children.add(project.use_role)
assert len(Project.accessible_objects(team, 'read_role')) == 1 assert len(Project.accessible_objects(team, 'read_role')) == 1
assert not Project.accessible_objects(u, 'read_role') assert not Project.accessible_objects(u, 'read_role')


@@ -491,7 +491,7 @@ class AdHocCommandApiTest(BaseAdHocCommandTest):
# Explicitly give nobody user read permission on the inventory. # Explicitly give nobody user read permission on the inventory.
nobody_roles_list_url = reverse('api:user_roles_list', args=(self.nobody_django_user.pk,)) nobody_roles_list_url = reverse('api:user_roles_list', args=(self.nobody_django_user.pk,))
with self.current_user('admin'): with self.current_user('admin'):
response = self.post(nobody_roles_list_url, {"id": self.inventory.auditor_role.id}, expect=204) response = self.post(nobody_roles_list_url, {"id": self.inventory.read_role.id}, expect=204)
with self.current_user('nobody'): with self.current_user('nobody'):
self.run_test_ad_hoc_command(credential=other_cred.pk, expect=403) self.run_test_ad_hoc_command(credential=other_cred.pk, expect=403)
self.check_get_list(url, 'other', qs) self.check_get_list(url, 'other', qs)


@@ -59,7 +59,7 @@ class InventoryTest(BaseTest):
# create a permission here on the 'other' user so they have edit access on the org # create a permission here on the 'other' user so they have edit access on the org
# we may add another permission type later. # we may add another permission type later.
self.inventory_b.auditor_role.members.add(self.other_django_user) self.inventory_b.read_role.members.add(self.other_django_user)
def tearDown(self): def tearDown(self):
super(InventoryTest, self).tearDown() super(InventoryTest, self).tearDown()
@@ -267,14 +267,14 @@ class InventoryTest(BaseTest):
temp_inv = temp_org.inventories.create(name='Delete Org Inventory') temp_inv = temp_org.inventories.create(name='Delete Org Inventory')
temp_inv.groups.create(name='Delete Org Inventory Group') temp_inv.groups.create(name='Delete Org Inventory Group')
temp_inv.auditor_role.members.add(self.other_django_user) temp_inv.read_role.members.add(self.other_django_user)
reverse('api:organization_detail', args=(temp_org.pk,)) reverse('api:organization_detail', args=(temp_org.pk,))
inventory_detail = reverse('api:inventory_detail', args=(temp_inv.pk,)) inventory_detail = reverse('api:inventory_detail', args=(temp_inv.pk,))
auditor_role_users_list = reverse('api:role_users_list', args=(temp_inv.auditor_role.pk,)) read_role_users_list = reverse('api:role_users_list', args=(temp_inv.read_role.pk,))
self.get(inventory_detail, expect=200, auth=self.get_other_credentials()) self.get(inventory_detail, expect=200, auth=self.get_other_credentials())
self.post(auditor_role_users_list, data={'disassociate': True, "id": self.other_django_user.id}, expect=204, auth=self.get_super_credentials()) self.post(read_role_users_list, data={'disassociate': True, "id": self.other_django_user.id}, expect=204, auth=self.get_super_credentials())
self.get(inventory_detail, expect=403, auth=self.get_other_credentials()) self.get(inventory_detail, expect=403, auth=self.get_other_credentials())
def test_create_inventory_script(self): def test_create_inventory_script(self):
@@ -1474,7 +1474,7 @@ class InventoryUpdatesTest(BaseTransactionTest):
# to see the inventory source and update view, but not start an update. # to see the inventory source and update view, but not start an update.
user_roles_list_url = reverse('api:user_roles_list', args=(self.other_django_user.pk,)) user_roles_list_url = reverse('api:user_roles_list', args=(self.other_django_user.pk,))
with self.current_user(self.super_django_user): with self.current_user(self.super_django_user):
self.post(user_roles_list_url, {"id": self.inventory.auditor_role.id}, expect=204) self.post(user_roles_list_url, {"id": self.inventory.read_role.id}, expect=204)
with self.current_user(self.other_django_user): with self.current_user(self.other_django_user):
self.get(inv_src_url, expect=200) self.get(inv_src_url, expect=200)
response = self.get(inv_src_update_url, expect=200) response = self.get(inv_src_update_url, expect=200)


@@ -71,7 +71,7 @@ class ScheduleTest(BaseTest):
self.first_inventory_source.source = 'ec2' self.first_inventory_source.source = 'ec2'
self.first_inventory_source.save() self.first_inventory_source.save()
self.first_inventory.auditor_role.members.add(self.other_django_user) self.first_inventory.read_role.members.add(self.other_django_user)
self.second_inventory = Inventory.objects.create(name='test_inventory_2', description='for org 0', organization=self.organizations[0]) self.second_inventory = Inventory.objects.create(name='test_inventory_2', description='for org 0', organization=self.organizations[0])
self.second_inventory.hosts.create(name='host_2') self.second_inventory.hosts.create(name='host_2')