External-Mirrors/awx
2
0
Fork 0
mirror of https://github.com/ansible/awx.git synced 2026-06-25 00:18:07 -02:30
Code Issues Packages Projects Releases Wiki Activity

Adding EE/IG/labels/forks/timeout/job_slice_count to schedules

Browse Source 
Modifying schedules to work with related fields

Updating awx.awx.workflow_job_template_node
This commit is contained in:
John Westcott IV
2022-08-24 14:31:05 -04:00
committed by Alan Rominger
parent 2e217ed466
commit 809df74050
15 changed files with 686 additions and 50 deletions
Download Patch File Download Diff File Expand all files Collapse all files

114
awx/main/access.py
View File

@@ -1924,18 +1924,80 @@ class JobLaunchConfigAccess(BaseAccess):
def can_attach(self, obj, sub_obj, relationship, data, skip_sub_obj_read_check=False):
if isinstance(sub_obj, Credential) and relationship == 'credentials':
return self.user in sub_obj.use_role
else:
raise NotImplementedError('Only credentials can be attached to launch configurations.')
if not self.user in sub_obj.use_role:
logger.debug(
"User {} not allowed access to credential {} for {} {} ({})".format(self.user.username, sub_obj.name, obj.__class__, obj.name, obj.id)
)
return False
return True
if isinstance(sub_obj, Label) and relationship == 'labels':
if not self.user.can_access(Label, 'read', sub_obj):
logger.debug("User {} not allowed access to label {} for {} {} ({})".format(self.user.username, sub_obj.name, obj.__class__, obj.name, obj.id))
return False
return True
if isinstance(sub_obj, InstanceGroup) and relationship == 'instance_groups':
if not sub_obj in self.user.get_queryset(InstanceGroup):
logger.debug(
"User {} not allowed access to instance_group {} for {} {} ({})".format(self.user.username, sub_obj.name, obj.__class__, obj.name, obj.id)
)
return False
return True
raise NotImplementedError('Only credentials, labels and instance groups can be attached to launch configurations.')
def can_unattach(self, obj, sub_obj, relationship, data, skip_sub_obj_read_check=False):
if isinstance(sub_obj, Credential) and relationship == 'credentials':
if skip_sub_obj_read_check:
if not skip_sub_obj_read_check:
logger.debug(
"Skipping check if user {} can access credential {} ({}) for removal from {} {} ({})".format(
self.user.username, sub_obj.name, sub_obj.id, obj.__class__, obj.name, obj.id
)
)
return True
else:
return self.user in sub_obj.read_role
else:
raise NotImplementedError('Only credentials can be attached to launch configurations.')
if not self.user in sub_obj.read_role:
logger.debug(
"User {} can not read credential {} ({}) for removal from {} {} ({})".format(
self.user.username, sub_obj.name, sub_obj.id, obj.__class__, obj.name, obj.id
)
)
return False
return True
if isinstance(sub_obj, Label) and relationship == 'labels':
if skip_sub_obj_read_check:
logger.debug(
"Skipping check if user {} can access label {} ({}) for removal from {} {} ({})".format(
self.user.username, sub_obj.name, sub_obj.id, obj.__class__, obj.name, obj.id
)
)
return True
if self.user.can_access(Label, 'read', sub_obj):
return True
logger.debug(
"User {} can not read label {} ({}) for removal from {} {} ({})".format(
self.user.username, sub_obj.name, sub_obj.id, obj.__class__, obj.name, obj.id
)
)
return False
if isinstance(sub_obj, InstanceGroup) and relationship == 'instance_groups':
if skip_sub_obj_read_check:
logger.debug(
"Skipping check if user {} can access instance_group {} ({}) for removal from {} {} ({})".format(
self.user.username, sub_obj.name, sub_obj.id, obj.__class__, obj.name, obj.id
)
)
return True
if sub_obj in self.user.get_queryset(InstanceGroup):
return True
logger.debug(
"User {} can not read instance_group {} ({}) for removal from {} {} ({})".format(
self.user.username, sub_obj.name, sub_obj.id, obj.__class__, obj.name, obj.id
)
)
return False
raise NotImplementedError('Only credentials, labels and instance groups can be attached to launch configurations.')
class WorkflowJobTemplateNodeAccess(BaseAccess):
@@ -2014,6 +2076,24 @@ class WorkflowJobTemplateNodeAccess(BaseAccess):
return JobLaunchConfigAccess(self.user).can_attach(obj, sub_obj, relationship, data, skip_sub_obj_read_check=skip_sub_obj_read_check)
elif relationship in ('success_nodes', 'failure_nodes', 'always_nodes'):
return self.check_same_WFJT(obj, sub_obj)
elif relationship == 'labels':
if self.user.can_access(Label, 'read', sub_obj):
return True
logger.debug(
"User {} can not read label {} ({}) for removal from {} {} ({})".format(
self.user.username, sub_obj.name, sub_obj.id, obj.__class__, obj.name, obj.id
)
)
return False
elif relationship == 'instance_groups':
if sub_obj in self.user.get_queryset(InstanceGroup):
return True
logger.debug(
"User {} can not read instance_group {} ({}) for removal from {} {} ({})".format(
self.user.username, sub_obj.name, sub_obj.id, obj.__class__, obj.name, obj.id
)
)
return False
else:
raise NotImplementedError('Relationship {} not understood for WFJT nodes.'.format(relationship))
@@ -2026,6 +2106,24 @@ class WorkflowJobTemplateNodeAccess(BaseAccess):
return JobLaunchConfigAccess(self.user).can_unattach(obj, sub_obj, relationship, data, skip_sub_obj_read_check=skip_sub_obj_read_check)
elif relationship in ('success_nodes', 'failure_nodes', 'always_nodes'):
return self.check_same_WFJT(obj, sub_obj)
elif relationship == 'labels':
if self.user.can_access(Label, 'read', sub_obj):
return True
logger.debug(
"User {} can not read label {} ({}) for removal from {} {} ({})".format(
self.user.username, sub_obj.name, sub_obj.id, obj.__class__, obj.name, obj.id
)
)
return False
elif relationship == 'instance_groups':
if sub_obj in self.user.get_queryset(InstanceGroup):
return True
logger.debug(
"User {} can not read instance_group {} ({}) for removal from {} {} ({})".format(
self.user.username, sub_obj.name, sub_obj.id, obj.__class__, obj.name, obj.id
)
)
return False
else:
raise NotImplementedError('Relationship {} not understood for WFJT nodes.'.format(relationship))