Replace role system with permissions-based DB roles

Develop ability to list permissions for existing roles Create a model registry for RBAC-tracked models Write the data migration logic for creating the preloaded role definitions Write migration to migrate old Role into ObjectRole model This loops over the old Role model, knowing it is unique on object and role_field Most of the logic is concerned with identifying the needed permissions, and then corresponding role definition As needed, object roles are created and users then teams are assigned Write re-computation of cache logic for teams and then for object role permissions Migrate new RBAC internals to ansible_base Migrate tests to ansible_base Implement solution for visible_roles Expose URLs for DAB RBAC
2026-05-14 12:57:40 -02:30 · 2023-11-13 15:13:25 -05:00
parent 1859a6ae69
commit 817c3b36b9
46 changed files with 1046 additions and 614 deletions
--- a/awx/main/models/init.py
+++ b/awx/main/models/init.py
@@ -1,6 +1,8 @@
 # Copyright (c) 2015 Ansible, Inc.
 # All Rights Reserved.

+import json
+
 # Django
 from django.conf import settings  # noqa
 from django.db import connection
@@ -8,7 +10,9 @@ from django.db.models.signals import pre_delete  # noqa

 # django-ansible-base
 from ansible_base.resource_registry.fields import AnsibleResourceField
+from ansible_base.rbac import permission_registry
 from ansible_base.lib.utils.models import prevent_search
+from ansible_base.lib.utils.models import user_summary_fields

 # AWX
 from awx.main.models.base import BaseModel, PrimordialModel, accepts_json, CLOUD_INVENTORY_SOURCES, VERBOSITY_CHOICES  # noqa
@@ -102,6 +106,7 @@ User.add_to_class('get_queryset', get_user_queryset)
 User.add_to_class('can_access', check_user_access)
 User.add_to_class('can_access_with_errors', check_user_access_with_errors)
 User.add_to_class('resource', AnsibleResourceField(primary_key_field="id"))
+User.add_to_class('summary_fields', user_summary_fields)


 def convert_jsonfields():
@@ -198,7 +203,7 @@ User.add_to_class('created', created)
 def user_is_system_auditor(user):
    if not hasattr(user, '_is_system_auditor'):
        if user.pk:
-            user._is_system_auditor = user.roles.filter(singleton_name='system_auditor', role_field='system_auditor').exists()
+            user._is_system_auditor = user.profile.is_system_auditor
        else:
            # Odd case where user is unsaved, this should never be relied on
            return False
@@ -212,17 +217,13 @@ def user_is_system_auditor(user, tf):
        # time they've logged in, and we've just created the new User in this
        # request), we need one to set up the system auditor role
        user.save()
-    if tf:
-        role = Role.singleton('system_auditor')
-        # must check if member to not duplicate activity stream
-        if user not in role.members.all():
-            role.members.add(user)
-        user._is_system_auditor = True
-    else:
-        role = Role.singleton('system_auditor')
-        if user in role.members.all():
-            role.members.remove(user)
-        user._is_system_auditor = False
+    if user.profile.is_system_auditor != bool(tf):
+        prior_value = user.profile.is_system_auditor
+        user.profile.is_system_auditor = bool(tf)
+        user.profile.save(update_fields=['is_system_auditor'])
+        user._is_system_auditor = user.profile.is_system_auditor
+        entry = ActivityStream.objects.create(changes=json.dumps({"is_system_auditor": [prior_value, bool(tf)]}), object1='user', operation='update')
+        entry.user.add(user)


 User.add_to_class('is_system_auditor', user_is_system_auditor)
@@ -290,6 +291,10 @@ activity_stream_registrar.connect(WorkflowApprovalTemplate)
 activity_stream_registrar.connect(OAuth2Application)
 activity_stream_registrar.connect(OAuth2AccessToken)

+# Register models
+permission_registry.register(Project, Team, WorkflowJobTemplate, JobTemplate, Inventory, Organization, Credential, NotificationTemplate, ExecutionEnvironment)
+permission_registry.register(InstanceGroup, parent_field_name=None)  # Not part of an organization
+
 # prevent API filtering on certain Django-supplied sensitive fields
 prevent_search(User._meta.get_field('password'))
 prevent_search(OAuth2AccessToken._meta.get_field('token'))