External-Mirrors/awx
2
0
Fork 0
mirror of https://github.com/ansible/awx.git synced 2026-05-19 14:57:39 -02:30
Code Issues Packages Projects Releases Wiki Activity

Add Org Execute

Browse Source
This commit is contained in:
Wayne Witzel III
2018-02-02 17:25:33 +00:00
parent 9e7bd55579
commit 819b318fe5
7 changed files with 28 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
awx/main/access.py
View File

@@ -1792,8 +1792,8 @@ class WorkflowJobTemplateAccess(BaseAccess):
if self.user.is_superuser: if self.user.is_superuser:
return True return True
return (self.check_related('organization', Organization, data, role_field='workflow_admin_field', obj=obj) return (self.check_related('organization', Organization, data, role_field='workflow_admin_field', obj=obj) and
and self.user in obj.admin_role) self.user in obj.admin_role)
def can_delete(self, obj): def can_delete(self, obj):
is_delete_allowed = self.user.is_superuser or self.user in obj.admin_role is_delete_allowed = self.user.is_superuser or self.user in obj.admin_role

17
awx/main/migrations/0020_declare_new_rbac_roles.py
View File

@@ -15,6 +15,11 @@ class Migration(migrations.Migration):
] ]
operations = [ operations = [
migrations.AddField(
model_name='organization',
name='execute_role',
field=awx.main.fields.ImplicitRoleField(null=b'True', on_delete=django.db.models.deletion.CASCADE, parent_role=b'admin_role', related_name='+', to='main.Role'),
),
migrations.AddField( migrations.AddField(
model_name='organization', model_name='organization',
name='credential_admin_role', name='credential_admin_role',
@@ -60,14 +65,24 @@ class Migration(migrations.Migration):
name='admin_role', name='admin_role',
field=awx.main.fields.ImplicitRoleField(null=b'True', on_delete=django.db.models.deletion.CASCADE, parent_role=[b'singleton:system_administrator', b'organization.workflow_admin_role'], related_name='+', to='main.Role'), field=awx.main.fields.ImplicitRoleField(null=b'True', on_delete=django.db.models.deletion.CASCADE, parent_role=[b'singleton:system_administrator', b'organization.workflow_admin_role'], related_name='+', to='main.Role'),
), ),
migrations.AlterField(
model_name='workflowjobtemplate',
name='execute_role',
field=awx.main.fields.ImplicitRoleField(null=b'True', on_delete=django.db.models.deletion.CASCADE, parent_role=[b'admin_role', b'organization.execute_role'], related_name='+', to='main.Role'),
),
migrations.AlterField( migrations.AlterField(
model_name='jobtemplate', model_name='jobtemplate',
name='admin_role', name='admin_role',
field=awx.main.fields.ImplicitRoleField(null=b'True', on_delete=django.db.models.deletion.CASCADE, parent_role=[b'project.organization.project_admin_role', b'inventory.organization.inventory_admin_role'], related_name='+', to='main.Role'), field=awx.main.fields.ImplicitRoleField(null=b'True', on_delete=django.db.models.deletion.CASCADE, parent_role=[b'project.organization.project_admin_role', b'inventory.organization.inventory_admin_role'], related_name='+', to='main.Role'),
), ),
migrations.AlterField(
model_name='jobtemplate',
name='execute_role',
field=awx.main.fields.ImplicitRoleField(null=b'True', on_delete=django.db.models.deletion.CASCADE, parent_role=[b'admin_role', b'project.organization.execute_role', b'inventory.organization.execute_role'], related_name='+', to='main.Role'),
),
migrations.AlterField( migrations.AlterField(
model_name='organization', model_name='organization',
name='member_role', name='member_role',
field=awx.main.fields.ImplicitRoleField(null=b'True', on_delete=django.db.models.deletion.CASCADE, parent_role=[b'admin_role', b'project_admin_role', b'inventory_admin_role', b'workflow_admin_role', b'notification_admin_role'], related_name='+', to='main.Role'), field=awx.main.fields.ImplicitRoleField(null=b'True', on_delete=django.db.models.deletion.CASCADE, parent_role=[b'admin_role', b'project_admin_role', b'inventory_admin_role', b'workflow_admin_role', b'notification_admin_role', b'execute_role'], related_name='+', to='main.Role'),
), ),
] ]

2
awx/main/models/jobs.py
View File

@@ -273,7 +273,7 @@ class JobTemplate(UnifiedJobTemplate, JobOptions, SurveyJobTemplateMixin, Resour
parent_role=['project.organization.project_admin_role', 'inventory.organization.inventory_admin_role'] parent_role=['project.organization.project_admin_role', 'inventory.organization.inventory_admin_role']
) )
execute_role = ImplicitRoleField( execute_role = ImplicitRoleField(
parent_role=['admin_role'], parent_role=['admin_role', 'project.organization.execute_role', 'inventory.organization.execute_role'],
) )
read_role = ImplicitRoleField( read_role = ImplicitRoleField(
parent_role=['project.organization.auditor_role', 'inventory.organization.auditor_role', 'execute_role', 'admin_role'], parent_role=['project.organization.auditor_role', 'inventory.organization.auditor_role', 'execute_role', 'admin_role'],

5
awx/main/models/organization.py
View File

@@ -43,6 +43,9 @@ class Organization(CommonModel, NotificationFieldsModel, ResourceMixin, CustomVi
admin_role = ImplicitRoleField( admin_role = ImplicitRoleField(
parent_role='singleton:' + ROLE_SINGLETON_SYSTEM_ADMINISTRATOR, parent_role='singleton:' + ROLE_SINGLETON_SYSTEM_ADMINISTRATOR,
) )
execute_role = ImplicitRoleField(
parent_role='admin_role',
)
project_admin_role = ImplicitRoleField( project_admin_role = ImplicitRoleField(
parent_role='admin_role', parent_role='admin_role',
) )
@@ -62,7 +65,7 @@ class Organization(CommonModel, NotificationFieldsModel, ResourceMixin, CustomVi
parent_role='singleton:' + ROLE_SINGLETON_SYSTEM_AUDITOR, parent_role='singleton:' + ROLE_SINGLETON_SYSTEM_AUDITOR,
) )
member_role = ImplicitRoleField( member_role = ImplicitRoleField(
parent_role=['admin_role', 'project_admin_role', parent_role=['admin_role', 'execute_role', 'project_admin_role',
'inventory_admin_role', 'workflow_admin_role', 'inventory_admin_role', 'workflow_admin_role',
'notification_admin_role'] 'notification_admin_role']
) )

3
awx/main/models/workflow.py
View File

@@ -309,7 +309,8 @@ class WorkflowJobTemplate(UnifiedJobTemplate, WorkflowJobOptions, SurveyJobTempl
'organization.workflow_admin_role' 'organization.workflow_admin_role'
]) ])
execute_role = ImplicitRoleField(parent_role=[ execute_role = ImplicitRoleField(parent_role=[
'admin_role' 'admin_role',
'organization.execute_role',
]) ])
read_role = ImplicitRoleField(parent_role=[ read_role = ImplicitRoleField(parent_role=[
'singleton:' + ROLE_SINGLETON_SYSTEM_AUDITOR, 'singleton:' + ROLE_SINGLETON_SYSTEM_AUDITOR,

2
awx/main/tests/functional/test_rbac_notifications.py
View File

@@ -32,12 +32,14 @@ def test_notification_template_get_queryset_orgadmin(notification_template, user
notification_template.organization.admin_role.members.add(user('admin', False)) notification_template.organization.admin_role.members.add(user('admin', False))
assert access.get_queryset().count() == 1 assert access.get_queryset().count() == 1
@pytest.mark.django_db @pytest.mark.django_db
def test_notification_template_get_queryset_notificationadmin(notification_template, user): def test_notification_template_get_queryset_notificationadmin(notification_template, user):
access = NotificationTemplateAccess(user('admin', False)) access = NotificationTemplateAccess(user('admin', False))
notification_template.organization.notification_admin_role.members.add(user('admin', False)) notification_template.organization.notification_admin_role.members.add(user('admin', False))
assert access.get_queryset().count() == 1 assert access.get_queryset().count() == 1
@pytest.mark.django_db @pytest.mark.django_db
def test_notification_template_get_queryset_org_auditor(notification_template, org_auditor): def test_notification_template_get_queryset_org_auditor(notification_template, org_auditor):
access = NotificationTemplateAccess(org_auditor) access = NotificationTemplateAccess(org_auditor)

1
awx/main/tests/unit/test_access.py
View File

@@ -245,6 +245,7 @@ class TestWorkflowAccessMethods:
organization = Organization(name='test-org') organization = Organization(name='test-org')
workflow.organization = organization workflow.organization = organization
organization.workflow_admin_role = Role() organization.workflow_admin_role = Role()
def mock_get_object(Class, **kwargs): def mock_get_object(Class, **kwargs):
if Class == Organization: if Class == Organization:
return organization return organization