Merge pull request #1507 from wwitzel3/rbac-bug-1422

RBAC Job Fixes
2026-01-20 06:01:25 -03:30 · 2016-04-12 16:22:47 -04:00 · 2016-04-12 16:22:47 -04:00 · 6bc765d1b5
commit 6bc765d1b5
parent e3ebbab17d e5b9766c8f
4 changed files with 74 additions and 0 deletions
--- a/awx/main/access.py
+++ b/awx/main/access.py
@ -312,8 +312,15 @@ class InventoryAccess(BaseAccess):
        return qs.select_related('created_by', 'modified_by', 'organization').all()

    def can_read(self, obj):
+        if self.user.is_superuser:
+            return True
        return obj.accessible_by(self.user, {'read': True})

+    def can_use(self, obj):
+        if self.user.is_superuser:
+            return True
+        return obj.accessible_by(self.user, {'use': True})
+
    def can_add(self, data):
        # If no data is specified, just checking for generic add permission?
        if not data:
@ -551,6 +558,11 @@ class CredentialAccess(BaseAccess):
        # Access enforced in our view where we have context enough to make a decision
        return True

+    def can_use(self, obj):
+        if self.user.is_superuser:
+            return True
+        return obj.accessible_by(self.user, {'use': True})
+
    def can_change(self, obj, data):
        if self.user.is_superuser:
            return True
@ -770,6 +782,11 @@ class JobTemplateAccess(BaseAccess):
                return False
        if obj.project is None:
            return False
+
+        # Given explicit execute access to this JobTemplate
+        if obj.accessible_by(self.user, {'execute':True}):
+            return True
+
        # If the user has admin access to the project they can start a job
        if obj.project.accessible_by(self.user, ALL_PERMISSIONS):
            return True
--- a/awx/main/migrations/0008_v300_rbac_changes.py
+++ b/awx/main/migrations/0008_v300_rbac_changes.py
@ -141,6 +141,11 @@ class Migration(migrations.Migration):
            name='updater_role',
            field=awx.main.fields.ImplicitRoleField(related_name='+', to='main.Role', null=b'True'),
        ),
+        migrations.AddField(
+            model_name='inventory',
+            name='usage_role',
+            field=awx.main.fields.ImplicitRoleField(related_name='+', to='main.Role', null=b'True'),
+        ),
        migrations.AddField(
            model_name='custominventoryscript',
            name='admin_role',
--- a/awx/main/models/inventory.py
+++ b/awx/main/models/inventory.py
@ -113,6 +113,11 @@ class Inventory(CommonModel, ResourceMixin):
        role_description='May update the inventory',
        permissions = {'read': True, 'update': True}
    )
+    usage_role = ImplicitRoleField(
+        role_name='Inventory User',
+        role_description='May use this inventory, but not read sensitive portions or modify it',
+        permissions = {'use': True}
+    )
    executor_role = ImplicitRoleField(
        role_name='Inventory Executor',
        role_description='May execute jobs against this inventory',
--- a/awx/main/tests/functional/test_rbac_job_start.py
+++ b/awx/main/tests/functional/test_rbac_job_start.py
@ -0,0 +1,47 @@
+import pytest
+
+from awx.main.models.inventory import Inventory
+from awx.main.models.credential import Credential
+from awx.main.models.jobs import JobTemplate
+
+@pytest.fixture
+def machine_credential():
+    return Credential.objects.create(name='machine-cred', kind='ssh', username='test_user', password='pas4word')
+
+@pytest.mark.django_db
+@pytest.mark.job_permissions
+def test_admin_executing_permissions(deploy_jobtemplate, inventory, machine_credential, user):
+
+    admin_user = user('admin-user', True)
+
+    assert admin_user.can_access(Inventory, 'use', inventory)
+    assert admin_user.can_access(Inventory, 'run_ad_hoc_commands', inventory)  # for ad_hoc
+    assert admin_user.can_access(JobTemplate, 'start', deploy_jobtemplate)
+    assert admin_user.can_access(Credential, 'use', machine_credential)
+
+@pytest.mark.django_db
+@pytest.mark.job_permissions
+def test_job_template_start_access(deploy_jobtemplate, user):
+
+    common_user = user('test-user', False)
+    deploy_jobtemplate.executor_role.members.add(common_user)
+
+    assert common_user.can_access(JobTemplate, 'start', deploy_jobtemplate)
+
+@pytest.mark.django_db
+@pytest.mark.job_permissions
+def test_credential_use_access(machine_credential, user):
+
+    common_user = user('test-user', False)
+    machine_credential.usage_role.members.add(common_user)
+
+    assert common_user.can_access(Credential, 'use', machine_credential)
+
+@pytest.mark.django_db
+@pytest.mark.job_permissions
+def test_inventory_use_access(inventory, user):
+
+    common_user = user('test-user', False)
+    inventory.usage_role.members.add(common_user)
+
+    assert common_user.can_access(Inventory, 'use', inventory)