[DAB RBAC] Re-implement system auditor as a singleton role in new system (#14963)

* Add new enablement settings from DAB RBAC * Initial implementation of system auditor as role without testing * Fix system auditor role, remove duplicate assignments * Make the system auditor role managed * Flake8 fix * Remove another thing from old solution * Fix a few test failures * Add extra setting to disable custom system roles via API * Add test for custom role prohibition
2026-05-14 21:07:39 -02:30 · 2024-03-11 12:16:49 -04:00
parent 74ce21fa54
commit 9dcc11d54c
15 changed files with 70 additions and 47 deletions
--- a/awx/main/migrations/0190_add_django_permissions.py
+++ b/awx/main/migrations/0190_add_django_permissions.py
@@ -7,6 +7,7 @@ import django.db.models.deletion
 class Migration(migrations.Migration):
    dependencies = [
        ('main', '0189_inbound_hop_nodes'),
+        ('dab_rbac', '__first__'),
    ]

    operations = [
--- a/awx/main/migrations/0191_custom_roles.py
+++ b/awx/main/migrations/0191_custom_roles.py
@@ -9,7 +9,7 @@ from ansible_base.rbac.migrations._managed_definitions import setup_managed_role

 class Migration(migrations.Migration):
    dependencies = [
-        ('main', '0191_profile_is_system_auditor'),
+        ('main', '0190_add_django_permissions'),
        ('dab_rbac', '__first__'),
    ]

--- a/awx/main/migrations/0191_profile_is_system_auditor.py
+++ b/awx/main/migrations/0191_profile_is_system_auditor.py
@@ -1,20 +0,0 @@
-# Generated by Django 4.2.6 on 2023-11-20 16:30
-
-from django.db import migrations, models
-
-
-class Migration(migrations.Migration):
-    dependencies = [
-        ('main', '0190_add_django_permissions'),
-    ]
-    run_before = [
-        ('dab_rbac', '__first__'),
-    ]
-
-    operations = [
-        migrations.AddField(
-            model_name='profile',
-            name='is_system_auditor',
-            field=models.BooleanField(default=False, help_text='Can view everying in the system, proxies to User model'),
-        ),
-    ]
--- a/awx/main/migrations/_dab_rbac.py
+++ b/awx/main/migrations/_dab_rbac.py
@@ -144,6 +144,7 @@ def migrate_to_new_rbac(apps, schema_editor):
    """
    Role = apps.get_model('main', 'Role')
    RoleDefinition = apps.get_model('dab_rbac', 'RoleDefinition')
+    RoleUserAssignment = apps.get_model('dab_rbac', 'RoleUserAssignment')
    Permission = apps.get_model('auth', 'Permission')
    migration_time = now()

@@ -224,14 +225,25 @@ def migrate_to_new_rbac(apps, schema_editor):
            content_type_id=role.content_type_id,
        )

+    # Create new replacement system auditor role
+    new_system_auditor, created = RoleDefinition.objects.get_or_create(
+        name='System Auditor',
+        defaults={
+            'description': 'Migrated singleton role giving read permission to everything',
+            'managed': True,
+            'created_on': migration_time,
+            'modified_on': migration_time,
+        },
+    )
+    new_system_auditor.permissions.add(*list(Permission.objects.filter(codename__startswith='view')))
+
    # migrate is_system_auditor flag, because it is no longer handled by a system role
-    role = Role.objects.filter(singleton_name='system_auditor').first()
-    if role:
+    old_system_auditor = Role.objects.filter(singleton_name='system_auditor').first()
+    if old_system_auditor:
        # if the system auditor role is not present, this is a new install and no users should exist
        ct = 0
        for user in role.members.all():
-            user.profile.is_system_auditor = True
-            user.profile.save(update_fields=['is_system_auditor'])
+            RoleUserAssignment.objects.create(user=user, role_definition=new_system_auditor)
            ct += 1
        if ct:
            logger.info(f'Migrated {ct} users to new system auditor flag')