External-Mirrors/awx
2
0
Fork 0
mirror of https://github.com/ansible/awx.git synced 2026-05-06 17:07:36 -02:30
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #1358 from wwitzel3/rbac

Browse Source 
RBAC PR Fixes
This commit is contained in:
Wayne Witzel III
2016-03-31 11:21:04 -04:00
parent 0360093622 24e20abb1b
commit 55b06e4d8b
4 changed files with 36 additions and 35 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
awx/api/views.py
View File

@@ -2211,15 +2211,15 @@ class JobTemplateCallback(GenericAPIView):
return set() return set()
# Find the host objects to search for a match. # Find the host objects to search for a match.
obj = self.get_object() obj = self.get_object()
qs = obj.inventory.hosts hosts = obj.inventory.hosts.all()
# First try for an exact match on the name. # First try for an exact match on the name.
try: try:
return set([qs.get(name__in=remote_hosts)]) return set([hosts.get(name__in=remote_hosts)])
except (Host.DoesNotExist, Host.MultipleObjectsReturned): except (Host.DoesNotExist, Host.MultipleObjectsReturned):
pass pass
# Next, try matching based on name or ansible_ssh_host variable. # Next, try matching based on name or ansible_ssh_host variable.
matches = set() matches = set()
for host in qs.all(): for host in hosts:
ansible_ssh_host = host.variables_dict.get('ansible_ssh_host', '') ansible_ssh_host = host.variables_dict.get('ansible_ssh_host', '')
if ansible_ssh_host in remote_hosts: if ansible_ssh_host in remote_hosts:
matches.add(host) matches.add(host)
@@ -2228,8 +2228,9 @@ class JobTemplateCallback(GenericAPIView):
matches.add(host) matches.add(host)
if len(matches) == 1: if len(matches) == 1:
return matches return matches
# Try to resolve forward addresses for each host to find matches. # Try to resolve forward addresses for each host to find matches.
for host in qs.all(): for host in hosts:
hostnames = set([host.name]) hostnames = set([host.name])
ansible_ssh_host = host.variables_dict.get('ansible_ssh_host', '') ansible_ssh_host = host.variables_dict.get('ansible_ssh_host', '')
if ansible_ssh_host: if ansible_ssh_host:
@@ -3376,7 +3377,7 @@ class RoleList(ListAPIView):
def get_queryset(self): def get_queryset(self):
if self.request.user.is_superuser: if self.request.user.is_superuser:
return Role.objects return Role.objects.all()
return Role.visible_roles(self.request.user) return Role.visible_roles(self.request.user)
@@ -3399,7 +3400,7 @@ class RoleUsersList(SubListCreateAttachDetachAPIView):
def get_queryset(self): def get_queryset(self):
role = self.get_parent_object() role = self.get_parent_object()
self.check_parent_access(role) self.check_parent_access(role)
return role.members return role.members.all()
def post(self, request, *args, **kwargs): def post(self, request, *args, **kwargs):
# Forbid implicit role creation here # Forbid implicit role creation here
@@ -3455,7 +3456,7 @@ class RoleParentsList(SubListAPIView):
# XXX: This should be the intersection between the roles of the user # XXX: This should be the intersection between the roles of the user
# and the roles that the requesting user has access to see # and the roles that the requesting user has access to see
role = Role.objects.get(pk=self.kwargs['pk']) role = Role.objects.get(pk=self.kwargs['pk'])
return role.parents return role.parents.all()
class RoleChildrenList(SubListAPIView): class RoleChildrenList(SubListAPIView):

2
awx/main/access.py
View File

@@ -468,7 +468,7 @@ class InventorySourceAccess(BaseAccess):
model = InventorySource model = InventorySource
def get_queryset(self): def get_queryset(self):
qs = self.model.objects qs = self.model.objects.all()
qs = qs.select_related('created_by', 'modified_by', 'group', 'inventory') qs = qs.select_related('created_by', 'modified_by', 'group', 'inventory')
inventory_ids = set(self.user.get_queryset(Inventory).values_list('id', flat=True)) inventory_ids = set(self.user.get_queryset(Inventory).values_list('id', flat=True))
return qs.filter(Q(inventory_id__in=inventory_ids) | return qs.filter(Q(inventory_id__in=inventory_ids) |

2
awx/main/fields.py
View File

@@ -67,7 +67,7 @@ def resolve_role_field(obj, field):
if len(field_components) == 1: if len(field_components) == 1:
if type(obj) is not ImplicitRoleDescriptor and type(obj) is not Role: if type(obj) is not ImplicitRoleDescriptor and type(obj) is not Role:
raise Exception(smart_text('{} refers to a {}, not an ImplicitRoleField or Role').format(field, type(obj))) raise Exception(smart_text('{} refers to a {}, not an ImplicitRoleField or Role'.format(field, type(obj))))
ret.append(obj) ret.append(obj)
else: else:
if type(obj) is ManyRelatedObjectsDescriptor: if type(obj) is ManyRelatedObjectsDescriptor:

52
awx/main/migrations/_rbac.py
View File

@@ -35,10 +35,10 @@ def migrate_users(apps, schema_editor):
for user in User.objects.iterator(): for user in User.objects.iterator():
try: try:
Role.objects.get(content_type=ContentType.objects.get_for_model(User), object_id=user.id) Role.objects.get(content_type=ContentType.objects.get_for_model(User), object_id=user.id)
logger.info(smart_text("found existing role for user: {}").format(user.username)) logger.info(smart_text("found existing role for user: {}".format(user.username)))
except Role.DoesNotExist: except Role.DoesNotExist:
role = Role.objects.create( role = Role.objects.create(
singleton_name = smart_text('{}-admin_role').format(user.username), singleton_name = smart_text('{}-admin_role'.format(user.username)),
content_object = user, content_object = user,
) )
role.members.add(user) role.members.add(user)
@@ -48,11 +48,11 @@ def migrate_users(apps, schema_editor):
create=1, read=1, write=1, delete=1, update=1, create=1, read=1, write=1, delete=1, update=1,
execute=1, scm_update=1, use=1, execute=1, scm_update=1, use=1,
) )
logger.info(smart_text("migrating to new role for user: {}").format(user.username)) logger.info(smart_text("migrating to new role for user: {}".format(user.username)))
if user.is_superuser: if user.is_superuser:
Role.singleton('System Administrator').members.add(user) Role.singleton('System Administrator').members.add(user)
logger.warning(smart_text("added superuser: {}").format(user.username)) logger.warning(smart_text("added superuser: {}".format(user.username)))
@log_migration @log_migration
def migrate_organization(apps, schema_editor): def migrate_organization(apps, schema_editor):
@@ -60,10 +60,10 @@ def migrate_organization(apps, schema_editor):
for org in Organization.objects.iterator(): for org in Organization.objects.iterator():
for admin in org.deprecated_admins.all(): for admin in org.deprecated_admins.all():
org.admin_role.members.add(admin) org.admin_role.members.add(admin)
logger.info(smart_text("added admin: {}, {}").format(org.name, admin.username)) logger.info(smart_text("added admin: {}, {}".format(org.name, admin.username)))
for user in org.deprecated_users.all(): for user in org.deprecated_users.all():
org.auditor_role.members.add(user) org.auditor_role.members.add(user)
logger.info(smart_text("added auditor: {}, {}").format(org.name, user.username)) logger.info(smart_text("added auditor: {}, {}".format(org.name, user.username)))
@log_migration @log_migration
def migrate_team(apps, schema_editor): def migrate_team(apps, schema_editor):
@@ -71,7 +71,7 @@ def migrate_team(apps, schema_editor):
for t in Team.objects.iterator(): for t in Team.objects.iterator():
for user in t.deprecated_users.all(): for user in t.deprecated_users.all():
t.member_role.members.add(user) t.member_role.members.add(user)
logger.info(smart_text("team: {}, added user: {}").format(t.name, user.username)) logger.info(smart_text("team: {}, added user: {}".format(t.name, user.username)))
def attrfunc(attr_path): def attrfunc(attr_path):
'''attrfunc returns a function that will '''attrfunc returns a function that will
@@ -145,7 +145,7 @@ def migrate_credential(apps, schema_editor):
_update_credential_parents(results[0].inventory.organization, cred) _update_credential_parents(results[0].inventory.organization, cred)
else: else:
_discover_credentials(results, cred, attrfunc('inventory.organization')) _discover_credentials(results, cred, attrfunc('inventory.organization'))
logger.info(smart_text("added Credential(name={}, kind={}, host={}) at organization level").format(cred.name, cred.kind, cred.host)) logger.info(smart_text("added Credential(name={}, kind={}, host={}) at organization level".format(cred.name, cred.kind, cred.host)))
continue continue
projs = Project.objects.filter(credential=cred).all() projs = Project.objects.filter(credential=cred).all()
@@ -154,7 +154,7 @@ def migrate_credential(apps, schema_editor):
_update_credential_parents(projs[0].organization, cred) _update_credential_parents(projs[0].organization, cred)
else: else:
_discover_credentials(projs, cred, attrfunc('organization')) _discover_credentials(projs, cred, attrfunc('organization'))
logger.info(smart_text("added Credential(name={}, kind={}, host={}) at organization level").format(cred.name, cred.kind, cred.host)) logger.info(smart_text("added Credential(name={}, kind={}, host={}) at organization level".format(cred.name, cred.kind, cred.host)))
continue continue
if cred.deprecated_team is not None: if cred.deprecated_team is not None:
@@ -162,14 +162,14 @@ def migrate_credential(apps, schema_editor):
cred.deprecated_team.member_role.children.add(cred.usage_role) cred.deprecated_team.member_role.children.add(cred.usage_role)
cred.deprecated_user, cred.deprecated_team = None, None cred.deprecated_user, cred.deprecated_team = None, None
cred.save() cred.save()
logger.info(smart_text("added Credential(name={}, kind={}, host={}) at user level").format(cred.name, cred.kind, cred.host)) logger.info(smart_text("added Credential(name={}, kind={}, host={}) at user level".format(cred.name, cred.kind, cred.host)))
elif cred.deprecated_user is not None: elif cred.deprecated_user is not None:
cred.deprecated_user.admin_role.children.add(cred.owner_role) cred.deprecated_user.admin_role.children.add(cred.owner_role)
cred.deprecated_user, cred.deprecated_team = None, None cred.deprecated_user, cred.deprecated_team = None, None
cred.save() cred.save()
logger.info(smart_text("added Credential(name={}, kind={}, host={}) at user level").format(cred.name, cred.kind, cred.host, )) logger.info(smart_text("added Credential(name={}, kind={}, host={}) at user level".format(cred.name, cred.kind, cred.host, )))
else: else:
logger.warning(smart_text("orphaned credential found Credential(name={}, kind={}, host={}), superuser only").format(cred.name, cred.kind, cred.host, )) logger.warning(smart_text("orphaned credential found Credential(name={}, kind={}, host={}), superuser only".format(cred.name, cred.kind, cred.host, )))
@log_migration @log_migration
@@ -195,7 +195,7 @@ def migrate_inventory(apps, schema_editor):
elif perm.permission_type == 'run': elif perm.permission_type == 'run':
pass pass
else: else:
raise Exception(smart_text('Unhandled permission type for inventory: {}').format( perm.permission_type)) raise Exception(smart_text('Unhandled permission type for inventory: {}'.format( perm.permission_type)))
if perm.run_ad_hoc_commands: if perm.run_ad_hoc_commands:
execrole = inventory.executor_role execrole = inventory.executor_role
@@ -204,14 +204,14 @@ def migrate_inventory(apps, schema_editor):
perm.team.member_role.children.add(role) perm.team.member_role.children.add(role)
if execrole: if execrole:
perm.team.member_role.children.add(execrole) perm.team.member_role.children.add(execrole)
logger.info(smart_text('added Team({}) access to Inventory({})').format(perm.team.name, inventory.name)) logger.info(smart_text('added Team({}) access to Inventory({})'.format(perm.team.name, inventory.name)))
if perm.user: if perm.user:
if role: if role:
role.members.add(perm.user) role.members.add(perm.user)
if execrole: if execrole:
execrole.members.add(perm.user) execrole.members.add(perm.user)
logger.info(smart_text('added User({}) access to Inventory({})').format(perm.user.username, inventory.name)) logger.info(smart_text('added User({}) access to Inventory({})'.format(perm.user.username, inventory.name)))
@log_migration @log_migration
def migrate_projects(apps, schema_editor): def migrate_projects(apps, schema_editor):
@@ -244,14 +244,14 @@ def migrate_projects(apps, schema_editor):
if first_org is None: if first_org is None:
# For the first org, re-use our existing Project object, so don't do the below duplication effort # For the first org, re-use our existing Project object, so don't do the below duplication effort
first_org = org first_org = org
project.name = first_org.name + ' - ' + original_project_name project.name = smart_text('{} - {}'.format(first_org.name, original_project_name))
project.organization = first_org project.organization = first_org
project.save() project.save()
else: else:
new_prj = Project.objects.create( new_prj = Project.objects.create(
created = project.created, created = project.created,
description = project.description, description = project.description,
name = org.name + ' - ' + original_project_name, name = smart_text('{} - {}'.format(org.name, original_project_name)),
old_pk = project.old_pk, old_pk = project.old_pk,
created_by_id = project.created_by_id, created_by_id = project.created_by_id,
scm_type = project.scm_type, scm_type = project.scm_type,
@@ -265,7 +265,7 @@ def migrate_projects(apps, schema_editor):
credential = project.credential, credential = project.credential,
organization = org organization = org
) )
logger.warning(smart_text('cloning Project({}) onto {} as Project({})').format(original_project_name, org, new_prj)) logger.warning(smart_text('cloning Project({}) onto {} as Project({})'.format(original_project_name, org, new_prj)))
job_templates = JobTemplate.objects.filter(inventory__organization=org).all() job_templates = JobTemplate.objects.filter(inventory__organization=org).all()
for jt in job_templates: for jt in job_templates:
jt.project = new_prj jt.project = new_prj
@@ -275,26 +275,26 @@ def migrate_projects(apps, schema_editor):
for project in Project.objects.iterator(): for project in Project.objects.iterator():
if project.organization is None and project.created_by is not None: if project.organization is None and project.created_by is not None:
project.admin_role.members.add(project.created_by) project.admin_role.members.add(project.created_by)
logger.warn(smart_text('adding Project({}) admin: {}').format(project.name, project.created_by.username)) logger.warn(smart_text('adding Project({}) admin: {}'.format(project.name, project.created_by.username)))
for team in project.deprecated_teams.all(): for team in project.deprecated_teams.all():
team.member_role.children.add(project.member_role) team.member_role.children.add(project.member_role)
logger.info(smart_text('adding Team({}) access for Project({})').format(team.name, project.name)) logger.info(smart_text('adding Team({}) access for Project({})'.format(team.name, project.name)))
if project.organization is not None: if project.organization is not None:
for user in project.organization.deprecated_users.all(): for user in project.organization.deprecated_users.all():
project.member_role.members.add(user) project.member_role.members.add(user)
logger.info(smart_text('adding Organization({}) member access to Project({})').format(project.organization.name, project.name)) logger.info(smart_text('adding Organization({}) member access to Project({})'.format(project.organization.name, project.name)))
for perm in Permission.objects.filter(project=project): for perm in Permission.objects.filter(project=project):
# All perms at this level just imply a user or team can read # All perms at this level just imply a user or team can read
if perm.team: if perm.team:
perm.team.member_role.children.add(project.member_role) perm.team.member_role.children.add(project.member_role)
logger.info(smart_text('adding Team({}) access for Project({})').format(perm.team.name, project.name)) logger.info(smart_text('adding Team({}) access for Project({})'.format(perm.team.name, project.name)))
if perm.user: if perm.user:
project.member_role.members.add(perm.user) project.member_role.members.add(perm.user)
logger.info(smart_text('adding User({}) access for Project({})').format(perm.user.username, project.name)) logger.info(smart_text('adding User({}) access for Project({})'.format(perm.user.username, project.name)))
@log_migration @log_migration
@@ -355,12 +355,12 @@ def migrate_job_templates(apps, schema_editor):
for team in Team.objects.iterator(): for team in Team.objects.iterator():
if permission.filter(team=team).exists(): if permission.filter(team=team).exists():
team.member_role.children.add(jt.executor_role) team.member_role.children.add(jt.executor_role)
logger.info(smart_text('adding Team({}) access to JobTemplate({})').format(team.name, jt.name)) logger.info(smart_text('adding Team({}) access to JobTemplate({})'.format(team.name, jt.name)))
for user in User.objects.iterator(): for user in User.objects.iterator():
if permission.filter(user=user).exists(): if permission.filter(user=user).exists():
jt.executor_role.members.add(user) jt.executor_role.members.add(user)
logger.info(smart_text('adding User({}) access to JobTemplate({})').format(user.username, jt.name)) logger.info(smart_text('adding User({}) access to JobTemplate({})'.format(user.username, jt.name)))
if jt.accessible_by(user, {'execute': True}): if jt.accessible_by(user, {'execute': True}):
# If the job template is already accessible by the user, because they # If the job template is already accessible by the user, because they
@@ -370,4 +370,4 @@ def migrate_job_templates(apps, schema_editor):
if old_access.check_user_access(user, jt.__class__, 'start', jt, False): if old_access.check_user_access(user, jt.__class__, 'start', jt, False):
jt.executor_role.members.add(user) jt.executor_role.members.add(user)
logger.info(smart_text('adding User({}) access to JobTemplate({})').format(user.username, jt.name)) logger.info(smart_text('adding User({}) access to JobTemplate({})'.format(user.username, jt.name)))