diff --git a/awx/main/migrations/0008_v300_rbac_changes.py b/awx/main/migrations/0008_v300_rbac_changes.py
index dd112700cf..0c6ec9627c 100644
--- a/awx/main/migrations/0008_v300_rbac_changes.py
+++ b/awx/main/migrations/0008_v300_rbac_changes.py
@@ -137,11 +137,6 @@ class Migration(migrations.Migration):
 name='roleancestorentry',
 index_together=set([('ancestor', 'content_type_id', 'object_id'), ('ancestor', 'content_type_id', 'role_field'), ('ancestor', 'descendent')]),
 ),
- migrations.AddField(
- model_name='credential',
- name='auditor_role',
- field=awx.main.fields.ImplicitRoleField(related_name='+', parent_role=[b'singleton:system_auditor'], to='main.Role', null=b'True'),
- ),
 migrations.AddField(
 model_name='credential',
 name='owner_role',
@@ -155,27 +150,17 @@ class Migration(migrations.Migration):
 migrations.AddField(
 model_name='credential',
 name='read_role',
- field=awx.main.fields.ImplicitRoleField(related_name='+', parent_role=[b'use_role', b'auditor_role', b'owner_role'], to='main.Role', null=b'True'),
+ field=awx.main.fields.ImplicitRoleField(related_name='+', parent_role=[b'singleton:system_auditor', b'use_role', b'owner_role'], to='main.Role', null=b'True'),
 ),
 migrations.AddField(
 model_name='custominventoryscript',
 name='admin_role',
 field=awx.main.fields.ImplicitRoleField(related_name='+', parent_role=b'organization.admin_role', to='main.Role', null=b'True'),
 ),
- migrations.AddField(
- model_name='custominventoryscript',
- name='auditor_role',
- field=awx.main.fields.ImplicitRoleField(related_name='+', parent_role=b'organization.auditor_role', to='main.Role', null=b'True'),
- ),
- migrations.AddField(
- model_name='custominventoryscript',
- name='member_role',
- field=awx.main.fields.ImplicitRoleField(related_name='+', parent_role=b'organization.member_role', to='main.Role', null=b'True'),
- ),
 migrations.AddField(
 model_name='custominventoryscript',
 name='read_role',
- field=awx.main.fields.ImplicitRoleField(related_name='+', parent_role=[b'auditor_role', b'member_role', b'admin_role'], to='main.Role', null=b'True'),
+ field=awx.main.fields.ImplicitRoleField(related_name='+', parent_role=[b'organization.auditor_role', b'organization.member_role', b'admin_role'], to='main.Role', null=b'True'),
 ),
 migrations.AddField(
 model_name='group',
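Review bot: Editing migration 0008 in place leaves any database that already applied the earlier version out of step with the models, because Django does not re-run a migration it has recorded as applied. Such a database would keep the `auditor_role` and `member_role` columns, and whatever Role rows and memberships were created for them, while the application no longer declares, displays or revokes them. Unless 0008 has never been applied outside throwaway development databases, I would leave it untouched and drop the fields in a follow-up migration, e.g. `migrations.RemoveField(model_name='custominventoryscript', name='auditor_role')`, one operation per removed field. The same applies to the credential, group, inventory, jobtemplate, project and team hunks in this file.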
@@ -187,11 +172,6 @@ class Migration(migrations.Migration):
 name='adhoc_role',
 field=awx.main.fields.ImplicitRoleField(related_name='+', parent_role=[b'inventory.adhoc_role', b'parents.adhoc_role', b'admin_role'], to='main.Role', null=b'True'),
 ),
- migrations.AddField(
- model_name='group',
- name='auditor_role',
- field=awx.main.fields.ImplicitRoleField(related_name='+', parent_role=[b'inventory.auditor_role', b'parents.auditor_role'], to='main.Role', null=b'True'),
- ),
 migrations.AddField(
 model_name='group',
 name='execute_role',
@@ -205,7 +185,7 @@ class Migration(migrations.Migration):
 migrations.AddField(
 model_name='group',
 name='read_role',
- field=awx.main.fields.ImplicitRoleField(related_name='+', parent_role=[b'execute_role', b'update_role', b'auditor_role', b'admin_role'], to='main.Role', null=b'True'),
+ field=awx.main.fields.ImplicitRoleField(related_name='+', parent_role=[b'inventory.read_role', b'parents.read_role', b'execute_role', b'update_role', b'admin_role'], to='main.Role', null=b'True'),
 ),
 migrations.AddField(
 model_name='inventory',
@@ -215,12 +195,7 @@ class Migration(migrations.Migration):
 migrations.AddField(
 model_name='inventory',
 name='adhoc_role',
- field=awx.main.fields.ImplicitRoleField(related_name='+', parent_role=[b'admin_role'], to='main.Role', null=b'True'),
- ),
- migrations.AddField(
- model_name='inventory',
- name='auditor_role',
- field=awx.main.fields.ImplicitRoleField(related_name='+', parent_role=b'organization.auditor_role', to='main.Role', null=b'True'),
+ field=awx.main.fields.ImplicitRoleField(related_name='+', parent_role=b'admin_role', to='main.Role', null=b'True'),
 ),
 migrations.AddField(
 model_name='inventory',
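Review bot: In the `group.read_role` hunk (-205,7), replacing `auditor_role` with `inventory.read_role` and `parents.read_role` widens who can read a group, and nothing records that this is deliberate. The old list reached the inventory only through `auditor_role`, whereas every role that feeds `inventory.read_role` (execute, update, use and admin, per the inventory `read_role` field later in this file) now inherits group read as well. If that is intended, say so where the field is declared, for example `# read on the inventory or on a parent group implies read on this group`, and add a test that a user holding only `inventory.use_role` can read the group. The model declaration this migration mirrors is not part of the diff shown here, so the comment belongs there rather than in the migration.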
@@ -230,28 +205,23 @@ class Migration(migrations.Migration):
 migrations.AddField(
 model_name='inventory',
 name='update_role',
- field=awx.main.fields.ImplicitRoleField(related_name='+', parent_role=[b'admin_role'], to='main.Role', null=b'True'),
+ field=awx.main.fields.ImplicitRoleField(related_name='+', parent_role=b'admin_role', to='main.Role', null=b'True'),
 ),
 migrations.AddField(
 model_name='inventory',
 name='use_role',
- field=awx.main.fields.ImplicitRoleField(related_name='+', parent_role=[b'admin_role'], to='main.Role', null=b'True'),
+ field=awx.main.fields.ImplicitRoleField(related_name='+', parent_role=b'admin_role', to='main.Role', null=b'True'),
 ),
 migrations.AddField(
 model_name='inventory',
 name='read_role',
- field=awx.main.fields.ImplicitRoleField(related_name='+', parent_role=[b'auditor_role', b'execute_role', b'update_role', b'use_role', b'admin_role'], to='main.Role', null=b'True'),
+ field=awx.main.fields.ImplicitRoleField(related_name='+', parent_role=[b'organization.auditor_role', b'execute_role', b'update_role', b'use_role', b'admin_role'], to='main.Role', null=b'True'),
 ),
 migrations.AddField(
 model_name='jobtemplate',
 name='admin_role',
 field=awx.main.fields.ImplicitRoleField(related_name='+', parent_role=[(b'project.admin_role', b'inventory.admin_role')], to='main.Role', null=b'True'),
 ),
- migrations.AddField(
- model_name='jobtemplate',
- name='auditor_role',
- field=awx.main.fields.ImplicitRoleField(related_name='+', parent_role=[(b'project.auditor_role', b'inventory.auditor_role')], to='main.Role', null=b'True'),
- ),
 migrations.AddField(
 model_name='jobtemplate',
 name='execute_role',
@@ -260,7 +230,7 @@ class Migration(migrations.Migration):
 migrations.AddField(
 model_name='jobtemplate',
 name='read_role',
- field=awx.main.fields.ImplicitRoleField(related_name='+', parent_role=[b'execute_role', b'auditor_role', b'admin_role'], to='main.Role', null=b'True'),
+ field=awx.main.fields.ImplicitRoleField(related_name='+', parent_role=[(b'project.organization.auditor_role', b'inventory.organization.auditor_role'), b'execute_role', b'admin_role'], to='main.Role', null=b'True'),
 ),
 migrations.AddField(
 model_name='organization',
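Review bot: The new `jobtemplate.read_role` has no path to `singleton:system_auditor` that is visible in this diff: the removed `project.auditor_role` listed the singleton explicitly, while the replacement goes through `project.organization.auditor_role` and `inventory.organization.auditor_role`. Whether system auditors keep read access to job templates now depends on `organization.auditor_role` inheriting from the singleton, which is not shown here, and on the project having an organization at all (`migrate_projects` in `_rbac.py` guards `project.organization is not None`, so it can apparently be unset). If auditor visibility must not depend on either, list the singleton directly as `project.read_role` does, i.e. add `b'singleton:system_auditor'` to this `parent_role` list and to the model field it mirrors. How the tuple entry is resolved is defined in `ImplicitRoleField`, outside this diff, so that part should be checked against its implementation.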
@@ -289,34 +259,24 @@ class Migration(migrations.Migration):
 ),
 migrations.AddField(
 model_name='project',
- name='auditor_role',
- field=awx.main.fields.ImplicitRoleField(related_name='+', parent_role=[b'organization.auditor_role', b'singleton:system_auditor'], to='main.Role', null=b'True'),
- ),
- migrations.AddField(
- model_name='project',
- name='member_role',
+ name='use_role',
 field=awx.main.fields.ImplicitRoleField(related_name='+', parent_role=b'admin_role', to='main.Role', null=b'True'),
 ),
 migrations.AddField(
 model_name='project',
- name='scm_update_role',
+ name='update_role',
 field=awx.main.fields.ImplicitRoleField(related_name='+', parent_role=b'admin_role', to='main.Role', null=b'True'),
 ),
 migrations.AddField(
 model_name='project',
 name='read_role',
- field=awx.main.fields.ImplicitRoleField(related_name='+', parent_role=[b'member_role', b'auditor_role', b'scm_update_role'], to='main.Role', null=b'True'),
+ field=awx.main.fields.ImplicitRoleField(related_name='+', parent_role=[b'organization.auditor_role', b'singleton:system_auditor', b'use_role', b'update_role'], to='main.Role', null=b'True'),
 ),
 migrations.AddField(
 model_name='team',
 name='admin_role',
 field=awx.main.fields.ImplicitRoleField(related_name='+', parent_role=b'organization.admin_role', to='main.Role', null=b'True'),
 ),
- migrations.AddField(
- model_name='team',
- name='auditor_role',
- field=awx.main.fields.ImplicitRoleField(related_name='+', parent_role=b'organization.auditor_role', to='main.Role', null=b'True'),
- ),
 migrations.AddField(
 model_name='team',
 name='member_role',
@@ -325,6 +285,6 @@ class Migration(migrations.Migration):
 migrations.AddField(
 model_name='team',
 name='read_role',
- field=awx.main.fields.ImplicitRoleField(related_name='+', parent_role=[b'admin_role', b'auditor_role', b'member_role'], to='main.Role', null=b'True'),
+ field=awx.main.fields.ImplicitRoleField(related_name='+', parent_role=[b'admin_role', b'organization.auditor_role', b'member_role'], to='main.Role', null=b'True'),
 ),
 ]
diff --git a/awx/main/migrations/_rbac.py b/awx/main/migrations/_rbac.py
index 94465084b4..134114dccb 100644
--- a/awx/main/migrations/_rbac.py
+++ b/awx/main/migrations/_rbac.py
@@ -219,7 +219,7 @@ def migrate_inventory(apps, schema_editor):
 if perm.permission_type == 'admin':
 return inventory.admin_role
 elif perm.permission_type == 'read':
- return inventory.auditor_role
+ return inventory.read_role
 elif perm.permission_type == 'write':
 return inventory.update_role
 elif perm.permission_type == 'check' or perm.permission_type == 'run' or perm.permission_type == 'create':
@@ -320,22 +320,22 @@ def migrate_projects(apps, schema_editor):
 logger.warn(smart_text(u'adding Project({}) admin: {}'.format(project.name, project.created_by.username)))
 for team in project.deprecated_teams.all():
- team.member_role.children.add(project.member_role)
+ team.member_role.children.add(project.use_role)
 logger.info(smart_text(u'adding Team({}) access for Project({})'.format(team.name, project.name)))
 if project.organization is not None:
 for user in project.organization.deprecated_users.all():
- project.member_role.members.add(user)
+ project.use_role.members.add(user)
 logger.info(smart_text(u'adding Organization({}) member access to Project({})'.format(project.organization.name, project.name)))
 for perm in Permission.objects.filter(project=project):
 # All perms at this level just imply a user or team can read
 if perm.team:
- perm.team.member_role.children.add(project.use_role)
+ perm.team.member_role.children.add(project.use_role)
 logger.info(smart_text(u'adding Team({}) access for Project({})'.format(perm.team.name, project.name)))
 if perm.user:
- project.member_role.members.add(perm.user)
+ project.use_role.members.add(perm.user)
 logger.info(smart_text(u'adding User({}) access for Project({})'.format(perm.user.username, project.name)))
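Review bot: The comment `# All perms at this level just imply a user or team can read` does not match what the loop grants: legacy Permission rows, team links and organization users are all attached to `project.use_role`, which sits above `read_role` in the new hierarchy (`use_role` is one of the parents of `project.read_role` in 0008). If these legacy permissions really mean read-only, the least-privilege mapping is `project.read_role.members.add(perm.user)` and `perm.team.member_role.children.add(project.read_role)`; if use is intended, change the comment to say so. What `use_role` permits beyond read is not visible in this diff, so the choice needs confirming against the access checks. `migrate_projects` starts and ends outside the hunk.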