adjusting Credential model and migrations

2026-01-13 19:10:07 -03:30 · 2016-06-10 13:23:32 -04:00 · 2016-06-10 13:23:32 -04:00 · 5754b4bb2c
commit 5754b4bb2c
parent 2c05df064b
4 changed files with 55 additions and 13 deletions
--- a/awx/main/access.py
+++ b/awx/main/access.py
@ -600,6 +600,10 @@ class CredentialAccess(BaseAccess):
                if not self.can_add(data):
                    return False

+        if obj.organization:
+            if self.user in obj.organization.admin_role:
+                return True
+
        return self.user in obj.owner_role

    def can_delete(self, obj):
--- a/awx/main/migrations/0008_v300_rbac_changes.py
+++ b/awx/main/migrations/0008_v300_rbac_changes.py
@ -86,7 +86,11 @@ class Migration(migrations.Migration):
            name='credential',
            unique_together=set([]),
        ),
-
+        migrations.AddField(
+            model_name='credential',
+            name='organization',
+            field=models.ForeignKey(related_name='credentials', default=None, blank=True, to='main.Organization', null=True),
+        ),

        #
        # New RBAC models and fields
--- a/awx/main/migrations/_rbac.py
+++ b/awx/main/migrations/_rbac.py
@ -123,10 +123,10 @@ def attrfunc(attr_path):
    return attr

 def _update_credential_parents(org, cred):
-    org.admin_role.children.add(cred.owner_role)
+    cred.organization = org
    cred.save()

-def _discover_credentials(instances, cred, orgfunc):
+def _discover_credentials(apps, instances, cred, orgfunc):
    '''_discover_credentials will find shared credentials across
    organizations. If a shared credential is found, it will duplicate
    the credential, ensure the proper role permissions are added to the new
@ -139,6 +139,8 @@ def _discover_credentials(instances, cred, orgfunc):
    orgfunc is a function that when called with an instance from instances
    will produce an Organization object.
    '''
+    Credential = apps.get_model('main', "Credential")
+
    orgs = defaultdict(list)
    for inst in instances:
        try:
@ -161,17 +163,38 @@ def _discover_credentials(instances, cred, orgfunc):
                _update_credential_parents(org, cred)
            else:
                # Create a new credential
-                cred.pk = None
-                cred.save()
-
-                # Unlink the old information from the new credential
-                cred.owner_role, cred.use_role = None, None
-                cred.save()
+                new_cred = Credential.objects.create(
+                    kind = cred.kind,
+                    cloud = cred.cloud,
+                    host = cred.host,
+                    username = cred.username,
+                    password = cred.password,
+                    security_token = cred.security_token,
+                    project = cred.project,
+                    domain = cred.domain,
+                    ssh_key_data = cred.ssh_key_data,
+                    ssh_key_unlock = cred.ssh_key_unlock,
+                    become_method = cred.become_method,
+                    become_username = cred.become_username,
+                    become_password = cred.become_password,
+                    vault_password = cred.vault_password,
+                    authorize = cred.authorize,
+                    authorize_password = cred.authorize_password,
+                    client = cred.client,
+                    secret = cred.secret,
+                    subscription = cred.subscription,
+                    tenant = cred.tenant,
+                    created = cred.created,
+                    modified = cred.modified,
+                    created_by_id = cred.created_by_id,
+                    modified_by_id = cred.modified_by_id,
+                )

                for i in orgs[org]:
-                    i.credential = cred
+                    i.credential = new_cred
                    i.save()
-                _update_credential_parents(org, cred)
+
+                _update_credential_parents(org, new_cred)

@log_migration
 def migrate_credential(apps, schema_editor):
@ -187,7 +210,7 @@ def migrate_credential(apps, schema_editor):
            if len(results) == 1:
                _update_credential_parents(results[0].inventory.organization, cred)
            else:
-                _discover_credentials(results, cred, attrfunc('inventory.organization'))
+                _discover_credentials(apps, results, cred, attrfunc('inventory.organization'))
            logger.info(smart_text(u"added Credential(name={}, kind={}, host={}) at organization level".format(cred.name, cred.kind, cred.host)))

        projs = Project.objects.filter(credential=cred).all()
--- a/awx/main/models/credential.py
+++ b/awx/main/models/credential.py
@ -78,6 +78,14 @@ class Credential(PasswordFieldsModel, CommonModelNameNotUnique, ResourceMixin):
        on_delete=models.CASCADE,
        related_name='deprecated_credentials',
    )
+    organization = models.ForeignKey(
+        'Organization',
+        null=True,
+        default=None,
+        blank=True,
+        on_delete=models.CASCADE,
+        related_name='credentials',
+    )
    kind = models.CharField(
        max_length=32,
        choices=KIND_CHOICES,
@ -209,7 +217,10 @@ class Credential(PasswordFieldsModel, CommonModelNameNotUnique, ResourceMixin):
        ],
    )
    use_role = ImplicitRoleField(
-        parent_role=['owner_role']
+        parent_role=[
+            'organization.admin_role',
+            'owner_role',
+        ]
    )
    read_role = ImplicitRoleField(parent_role=[
        'singleton:' + ROLE_SINGLETON_SYSTEM_AUDITOR,