External-Mirrors/awx
2
0
Fork 0
mirror of https://github.com/ansible/awx.git synced 2026-03-06 19:21:06 -03:30
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #1358 from wwitzel3/rbac

Browse Source 
RBAC PR Fixes
This commit is contained in:
Wayne Witzel III
2016-03-31 11:21:04 -04:00
parent 0360093622 24e20abb1b
commit 55b06e4d8b
4 changed files with 36 additions and 35 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
awx/api/views.py
View File

@@ -2211,15 +2211,15 @@ class JobTemplateCallback(GenericAPIView):
return set()
# Find the host objects to search for a match.
obj = self.get_object()
qs = obj.inventory.hosts
hosts = obj.inventory.hosts.all()
# First try for an exact match on the name.
try:
return set([qs.get(name__in=remote_hosts)])
return set([hosts.get(name__in=remote_hosts)])
except (Host.DoesNotExist, Host.MultipleObjectsReturned):
pass
# Next, try matching based on name or ansible_ssh_host variable.
matches = set()
for host in qs.all():
for host in hosts:
ansible_ssh_host = host.variables_dict.get('ansible_ssh_host', '')
if ansible_ssh_host in remote_hosts:
matches.add(host)
@@ -2228,8 +2228,9 @@ class JobTemplateCallback(GenericAPIView):
matches.add(host)
if len(matches) == 1:
return matches
# Try to resolve forward addresses for each host to find matches.
for host in qs.all():
for host in hosts:
hostnames = set([host.name])
ansible_ssh_host = host.variables_dict.get('ansible_ssh_host', '')
if ansible_ssh_host:
@@ -3376,7 +3377,7 @@ class RoleList(ListAPIView):
def get_queryset(self):
if self.request.user.is_superuser:
return Role.objects
return Role.objects.all()
return Role.visible_roles(self.request.user)
@@ -3399,7 +3400,7 @@ class RoleUsersList(SubListCreateAttachDetachAPIView):
def get_queryset(self):
role = self.get_parent_object()
self.check_parent_access(role)
return role.members
return role.members.all()
def post(self, request, *args, **kwargs):
# Forbid implicit role creation here
@@ -3455,7 +3456,7 @@ class RoleParentsList(SubListAPIView):
# XXX: This should be the intersection between the roles of the user
# and the roles that the requesting user has access to see
role = Role.objects.get(pk=self.kwargs['pk'])
return role.parents
return role.parents.all()
class RoleChildrenList(SubListAPIView):

2
awx/main/access.py
View File

@@ -468,7 +468,7 @@ class InventorySourceAccess(BaseAccess):
model = InventorySource
def get_queryset(self):
qs = self.model.objects
qs = self.model.objects.all()
qs = qs.select_related('created_by', 'modified_by', 'group', 'inventory')
inventory_ids = set(self.user.get_queryset(Inventory).values_list('id', flat=True))
return qs.filter(Q(inventory_id__in=inventory_ids) |

2
awx/main/fields.py
View File

@@ -67,7 +67,7 @@ def resolve_role_field(obj, field):
if len(field_components) == 1:
if type(obj) is not ImplicitRoleDescriptor and type(obj) is not Role:
raise Exception(smart_text('{} refers to a {}, not an ImplicitRoleField or Role').format(field, type(obj)))
raise Exception(smart_text('{} refers to a {}, not an ImplicitRoleField or Role'.format(field, type(obj))))
ret.append(obj)
else:
if type(obj) is ManyRelatedObjectsDescriptor:

52
awx/main/migrations/_rbac.py
View File

@@ -35,10 +35,10 @@ def migrate_users(apps, schema_editor):
for user in User.objects.iterator():
try:
Role.objects.get(content_type=ContentType.objects.get_for_model(User), object_id=user.id)
logger.info(smart_text("found existing role for user: {}").format(user.username))
logger.info(smart_text("found existing role for user: {}".format(user.username)))
except Role.DoesNotExist:
role = Role.objects.create(
singleton_name = smart_text('{}-admin_role').format(user.username),
singleton_name = smart_text('{}-admin_role'.format(user.username)),
content_object = user,
)
role.members.add(user)
@@ -48,11 +48,11 @@ def migrate_users(apps, schema_editor):
create=1, read=1, write=1, delete=1, update=1,
execute=1, scm_update=1, use=1,
)
logger.info(smart_text("migrating to new role for user: {}").format(user.username))
logger.info(smart_text("migrating to new role for user: {}".format(user.username)))
if user.is_superuser:
Role.singleton('System Administrator').members.add(user)
logger.warning(smart_text("added superuser: {}").format(user.username))
logger.warning(smart_text("added superuser: {}".format(user.username)))
@log_migration
def migrate_organization(apps, schema_editor):
@@ -60,10 +60,10 @@ def migrate_organization(apps, schema_editor):
for org in Organization.objects.iterator():
for admin in org.deprecated_admins.all():
org.admin_role.members.add(admin)
logger.info(smart_text("added admin: {}, {}").format(org.name, admin.username))
logger.info(smart_text("added admin: {}, {}".format(org.name, admin.username)))
for user in org.deprecated_users.all():
org.auditor_role.members.add(user)
logger.info(smart_text("added auditor: {}, {}").format(org.name, user.username))
logger.info(smart_text("added auditor: {}, {}".format(org.name, user.username)))
@log_migration
def migrate_team(apps, schema_editor):
@@ -71,7 +71,7 @@ def migrate_team(apps, schema_editor):
for t in Team.objects.iterator():
for user in t.deprecated_users.all():
t.member_role.members.add(user)
logger.info(smart_text("team: {}, added user: {}").format(t.name, user.username))
logger.info(smart_text("team: {}, added user: {}".format(t.name, user.username)))
def attrfunc(attr_path):
'''attrfunc returns a function that will
@@ -145,7 +145,7 @@ def migrate_credential(apps, schema_editor):
_update_credential_parents(results[0].inventory.organization, cred)
else:
_discover_credentials(results, cred, attrfunc('inventory.organization'))
logger.info(smart_text("added Credential(name={}, kind={}, host={}) at organization level").format(cred.name, cred.kind, cred.host))
logger.info(smart_text("added Credential(name={}, kind={}, host={}) at organization level".format(cred.name, cred.kind, cred.host)))
continue
projs = Project.objects.filter(credential=cred).all()
@@ -154,7 +154,7 @@ def migrate_credential(apps, schema_editor):
_update_credential_parents(projs[0].organization, cred)
else:
_discover_credentials(projs, cred, attrfunc('organization'))
logger.info(smart_text("added Credential(name={}, kind={}, host={}) at organization level").format(cred.name, cred.kind, cred.host))
logger.info(smart_text("added Credential(name={}, kind={}, host={}) at organization level".format(cred.name, cred.kind, cred.host)))
continue
if cred.deprecated_team is not None:
@@ -162,14 +162,14 @@ def migrate_credential(apps, schema_editor):
cred.deprecated_team.member_role.children.add(cred.usage_role)
cred.deprecated_user, cred.deprecated_team = None, None
cred.save()
logger.info(smart_text("added Credential(name={}, kind={}, host={}) at user level").format(cred.name, cred.kind, cred.host))
logger.info(smart_text("added Credential(name={}, kind={}, host={}) at user level".format(cred.name, cred.kind, cred.host)))
elif cred.deprecated_user is not None:
cred.deprecated_user.admin_role.children.add(cred.owner_role)
cred.deprecated_user, cred.deprecated_team = None, None
cred.save()
logger.info(smart_text("added Credential(name={}, kind={}, host={}) at user level").format(cred.name, cred.kind, cred.host, ))
logger.info(smart_text("added Credential(name={}, kind={}, host={}) at user level".format(cred.name, cred.kind, cred.host, )))
else:
logger.warning(smart_text("orphaned credential found Credential(name={}, kind={}, host={}), superuser only").format(cred.name, cred.kind, cred.host, ))
logger.warning(smart_text("orphaned credential found Credential(name={}, kind={}, host={}), superuser only".format(cred.name, cred.kind, cred.host, )))
@log_migration
@@ -195,7 +195,7 @@ def migrate_inventory(apps, schema_editor):
elif perm.permission_type == 'run':
pass
else:
raise Exception(smart_text('Unhandled permission type for inventory: {}').format( perm.permission_type))
raise Exception(smart_text('Unhandled permission type for inventory: {}'.format( perm.permission_type)))
if perm.run_ad_hoc_commands:
execrole = inventory.executor_role
@@ -204,14 +204,14 @@ def migrate_inventory(apps, schema_editor):
perm.team.member_role.children.add(role)
if execrole:
perm.team.member_role.children.add(execrole)
logger.info(smart_text('added Team({}) access to Inventory({})').format(perm.team.name, inventory.name))
logger.info(smart_text('added Team({}) access to Inventory({})'.format(perm.team.name, inventory.name)))
if perm.user:
if role:
role.members.add(perm.user)
if execrole:
execrole.members.add(perm.user)
logger.info(smart_text('added User({}) access to Inventory({})').format(perm.user.username, inventory.name))
logger.info(smart_text('added User({}) access to Inventory({})'.format(perm.user.username, inventory.name)))
@log_migration
def migrate_projects(apps, schema_editor):
@@ -244,14 +244,14 @@ def migrate_projects(apps, schema_editor):
if first_org is None:
# For the first org, re-use our existing Project object, so don't do the below duplication effort
first_org = org
project.name = first_org.name + ' - ' + original_project_name
project.name = smart_text('{} - {}'.format(first_org.name, original_project_name))
project.organization = first_org
project.save()
else:
new_prj = Project.objects.create(
created = project.created,
description = project.description,
name = org.name + ' - ' + original_project_name,
name = smart_text('{} - {}'.format(org.name, original_project_name)),
old_pk = project.old_pk,
created_by_id = project.created_by_id,
scm_type = project.scm_type,
@@ -265,7 +265,7 @@ def migrate_projects(apps, schema_editor):
credential = project.credential,
organization = org
)
logger.warning(smart_text('cloning Project({}) onto {} as Project({})').format(original_project_name, org, new_prj))
logger.warning(smart_text('cloning Project({}) onto {} as Project({})'.format(original_project_name, org, new_prj)))
job_templates = JobTemplate.objects.filter(inventory__organization=org).all()
for jt in job_templates:
jt.project = new_prj
@@ -275,26 +275,26 @@ def migrate_projects(apps, schema_editor):
for project in Project.objects.iterator():
if project.organization is None and project.created_by is not None:
project.admin_role.members.add(project.created_by)
logger.warn(smart_text('adding Project({}) admin: {}').format(project.name, project.created_by.username))
logger.warn(smart_text('adding Project({}) admin: {}'.format(project.name, project.created_by.username)))
for team in project.deprecated_teams.all():
team.member_role.children.add(project.member_role)
logger.info(smart_text('adding Team({}) access for Project({})').format(team.name, project.name))
logger.info(smart_text('adding Team({}) access for Project({})'.format(team.name, project.name)))
if project.organization is not None:
for user in project.organization.deprecated_users.all():
project.member_role.members.add(user)
logger.info(smart_text('adding Organization({}) member access to Project({})').format(project.organization.name, project.name))
logger.info(smart_text('adding Organization({}) member access to Project({})'.format(project.organization.name, project.name)))
for perm in Permission.objects.filter(project=project):
# All perms at this level just imply a user or team can read
if perm.team:
perm.team.member_role.children.add(project.member_role)
logger.info(smart_text('adding Team({}) access for Project({})').format(perm.team.name, project.name))
logger.info(smart_text('adding Team({}) access for Project({})'.format(perm.team.name, project.name)))
if perm.user:
project.member_role.members.add(perm.user)
logger.info(smart_text('adding User({}) access for Project({})').format(perm.user.username, project.name))
logger.info(smart_text('adding User({}) access for Project({})'.format(perm.user.username, project.name)))
@log_migration
@@ -355,12 +355,12 @@ def migrate_job_templates(apps, schema_editor):
for team in Team.objects.iterator():
if permission.filter(team=team).exists():
team.member_role.children.add(jt.executor_role)
logger.info(smart_text('adding Team({}) access to JobTemplate({})').format(team.name, jt.name))
logger.info(smart_text('adding Team({}) access to JobTemplate({})'.format(team.name, jt.name)))
for user in User.objects.iterator():
if permission.filter(user=user).exists():
jt.executor_role.members.add(user)
logger.info(smart_text('adding User({}) access to JobTemplate({})').format(user.username, jt.name))
logger.info(smart_text('adding User({}) access to JobTemplate({})'.format(user.username, jt.name)))
if jt.accessible_by(user, {'execute': True}):
# If the job template is already accessible by the user, because they
@@ -370,4 +370,4 @@ def migrate_job_templates(apps, schema_editor):
if old_access.check_user_access(user, jt.__class__, 'start', jt, False):
jt.executor_role.members.add(user)
logger.info(smart_text('adding User({}) access to JobTemplate({})').format(user.username, jt.name))
logger.info(smart_text('adding User({}) access to JobTemplate({})'.format(user.username, jt.name)))