[4.6] Make controller specific team and org roles (#6662)

Adds the following managed Role Definitions Controller Team Admin Controller Team Member Controller Organization Admin Controller Organization Member These have the same permission set as the platform roles (without the Controller prefix) Adding members to teams and orgs via the legacy RBAC system will use these role definitions. Other changes: - Bump DAB to 2024.08.22 - Set ALLOW_LOCAL_ASSIGNING_JWT_ROLES to False in defaults.py. This setting prevents assignments to the platform roles (e.g. Team Member). Signed-off-by: Seth Foster <fosterbseth@gmail.com>
2026-05-17 14:27:42 -02:30 · 2024-08-26 16:31:42 -04:00
parent 77e999f7c8
commit 85bd7c3ca0
8 changed files with 183 additions and 5 deletions
--- a/awx/main/migrations/_dab_rbac.py
+++ b/awx/main/migrations/_dab_rbac.py
@@ -167,7 +167,7 @@ def migrate_to_new_rbac(apps, schema_editor):
            perm.delete()

    managed_definitions = dict()
-    for role_definition in RoleDefinition.objects.filter(managed=True):
+    for role_definition in RoleDefinition.objects.filter(managed=True).exclude(name__in=(settings.ANSIBLE_BASE_JWT_MANAGED_ROLES)):
        permissions = frozenset(role_definition.permissions.values_list('id', flat=True))
        managed_definitions[permissions] = role_definition

@@ -309,6 +309,16 @@ def setup_managed_role_definitions(apps, schema_editor):
                    to_create['object_admin'].format(cls=cls), f'Has all permissions to a single {cls._meta.verbose_name}', ct, indiv_perms, RoleDefinition
                )
            )
+            if cls_name == 'team':
+                managed_role_definitions.append(
+                    get_or_create_managed(
+                        'Controller Team Admin',
+                        f'Has all permissions to a single {cls._meta.verbose_name}',
+                        ct,
+                        indiv_perms,
+                        RoleDefinition,
+                    )
+                )

        if 'org_children' in to_create and (cls_name not in ('organization', 'instancegroup', 'team')):
            org_child_perms = object_perms.copy()
@@ -349,6 +359,18 @@ def setup_managed_role_definitions(apps, schema_editor):
                        RoleDefinition,
                    )
                )
+                if action == 'member' and cls_name in ('organization', 'team'):
+                    suffix = to_create['special'].format(cls=cls, action=action.title())
+                    rd_name = f'Controller {suffix}'
+                    managed_role_definitions.append(
+                        get_or_create_managed(
+                            rd_name,
+                            f'Has {action} permissions to a single {cls._meta.verbose_name}',
+                            ct,
+                            perm_list,
+                            RoleDefinition,
+                        )
+                    )

    if 'org_admin' in to_create:
        managed_role_definitions.append(
@@ -360,6 +382,15 @@ def setup_managed_role_definitions(apps, schema_editor):
                RoleDefinition,
            )
        )
+        managed_role_definitions.append(
+            get_or_create_managed(
+                'Controller Organization Admin',
+                'Has all permissions to a single organization and all objects inside of it',
+                org_ct,
+                org_perms,
+                RoleDefinition,
+            )
+        )

    # Special "organization action" roles
    audit_permissions = [perm for perm in org_perms if perm.codename.startswith('view_')]