Merge branch '11th-hour' of github.com:anoek/ansible-tower into 11th-hour

awx/api/views.py

@@ -1354,7 +1354,7 @@ class InventoryList(ListCreateAPIView):
 
     def get_queryset(self):
         qs = Inventory.accessible_objects(self.request.user, {'read': True})
-        qs = qs.select_related('admin_role', 'auditor_role', 'updater_role', 'executor_role')
+        qs = qs.select_related('admin_role', 'auditor_role', 'update_role', 'execute_role')
         return qs
 
 class InventoryDetail(RetrieveUpdateDestroyAPIView):

awx/main/migrations/0008_v300_rbac_changes.py

@@ -109,7 +109,7 @@ class Migration(migrations.Migration):
         ),
         migrations.AddField(
             model_name='credential',
-            name='usage_role',
+            name='use_role',
             field=awx.main.fields.ImplicitRoleField(related_name='+', role_description=b'May use this credential, but not read sensitive portions or modify it', parent_role=None, to='main.Role', role_name=b'Credential User', null=b'True', permissions={b'use': True}),
         ),
         migrations.AddField(
@@ -139,13 +139,13 @@ class Migration(migrations.Migration):
         ),
         migrations.AddField(
             model_name='group',
-            name='executor_role',
+            name='execute_role',
-            field=awx.main.fields.ImplicitRoleField(related_name='+', role_description=b'', parent_role=[b'inventory.executor_role', b'parents.executor_role'], to='main.Role', role_name=b'Inventory Group Executor', null=b'True', permissions={b'read': True, b'execute': True}),
+            field=awx.main.fields.ImplicitRoleField(related_name='+', role_description=b'', parent_role=[b'inventory.execute_role', b'parents.executor_role'], to='main.Role', role_name=b'Inventory Group Executor', null=b'True', permissions={b'read': True, b'execute': True}),
         ),
         migrations.AddField(
             model_name='group',
-            name='updater_role',
+            name='update_role',
-            field=awx.main.fields.ImplicitRoleField(related_name='+', role_description=b'', parent_role=[b'inventory.updater_role', b'parents.updater_role'], to='main.Role', role_name=b'Inventory Group Updater', null=b'True', permissions={b'read': True, b'write': True, b'create': True, b'use': True}),
+            field=awx.main.fields.ImplicitRoleField(related_name='+', role_description=b'', parent_role=[b'inventory.update_role', b'parents.updater_role'], to='main.Role', role_name=b'Inventory Group Updater', null=b'True', permissions={b'read': True, b'write': True, b'create': True, b'use': True}),
         ),
         migrations.AddField(
             model_name='inventory',
@@ -159,17 +159,17 @@ class Migration(migrations.Migration):
         ),
         migrations.AddField(
             model_name='inventory',
-            name='executor_role',
+            name='execute_role',
             field=awx.main.fields.ImplicitRoleField(related_name='+', role_description=b'May execute jobs against this inventory', parent_role=None, to='main.Role', role_name=b'Inventory Executor', null=b'True', permissions={b'read': True, b'execute': True}),
         ),
         migrations.AddField(
             model_name='inventory',
-            name='updater_role',
+            name='update_role',
             field=awx.main.fields.ImplicitRoleField(related_name='+', role_description=b'May update the inventory', parent_role=None, to='main.Role', role_name=b'Inventory Updater', null=b'True', permissions={b'read': True, b'update': True}),
         ),
         migrations.AddField(
             model_name='inventory',
-            name='usage_role',
+            name='use_role',
             field=awx.main.fields.ImplicitRoleField(related_name='+', role_description=b'May use this inventory, but not read sensitive portions or modify it', parent_role=None, to='main.Role', role_name=b'Inventory User', null=b'True', permissions={b'use': True}),
         ),
         migrations.AddField(
@@ -184,7 +184,7 @@ class Migration(migrations.Migration):
         ),
         migrations.AddField(
             model_name='jobtemplate',
-            name='executor_role',
+            name='execute_role',
             field=awx.main.fields.ImplicitRoleField(related_name='+', role_description=b'May run the job template', parent_role=None, to='main.Role', role_name=b'Job Template Runner', null=b'True', permissions={b'read': True, b'execute': True}),
         ),
         migrations.AddField(

awx/main/migrations/_rbac.py

@@ -113,7 +113,7 @@ def attrfunc(attr_path):
 
 def _update_credential_parents(org, cred):
     org.admin_role.children.add(cred.owner_role)
-    org.member_role.children.add(cred.usage_role)
+    org.member_role.children.add(cred.use_role)
     cred.deprecated_user, cred.deprecated_team = None, None
     cred.save()
 
@@ -147,7 +147,7 @@ def _discover_credentials(instances, cred, orgfunc):
 
                 # Unlink the old information from the new credential
                 cred.deprecated_user, cred.deprecated_team = None, None
-                cred.owner_role, cred.usage_role = None, None
+                cred.owner_role, cred.use_role = None, None
                 cred.save()
 
                 for i in orgs[org]:
@@ -189,7 +189,7 @@ def migrate_credential(apps, schema_editor):
 
         if cred.deprecated_team is not None:
             cred.deprecated_team.admin_role.children.add(cred.owner_role)
-            cred.deprecated_team.member_role.children.add(cred.usage_role)
+            cred.deprecated_team.member_role.children.add(cred.use_role)
             cred.deprecated_user, cred.deprecated_team = None, None
             cred.save()
             logger.info(smart_text(u"added Credential(name={}, kind={}, host={}) at user level".format(cred.name, cred.kind, cred.host)))
@@ -214,7 +214,7 @@ def migrate_inventory(apps, schema_editor):
         elif perm.permission_type == 'read':
             return inventory.auditor_role
         elif perm.permission_type == 'write':
-            return inventory.updater_role
+            return inventory.update_role
         elif perm.permission_type == 'check' or perm.permission_type == 'run':
             # These permission types are handled differntly in RBAC now, nothing to migrate.
             return False
@@ -232,7 +232,7 @@ def migrate_inventory(apps, schema_editor):
                 raise Exception(smart_text(u'Unhandled permission type for inventory: {}'.format( perm.permission_type)))
 
             if perm.run_ad_hoc_commands:
-                execrole = inventory.executor_role
+                execrole = inventory.execute_role
 
             if perm.team:
                 if role:
@@ -392,12 +392,12 @@ def migrate_job_templates(apps, schema_editor):
 
         for team in Team.objects.iterator():
             if permission.filter(team=team).exists():
-                team.member_role.children.add(jt.executor_role)
+                team.member_role.children.add(jt.execute_role)
                 logger.info(smart_text(u'adding Team({}) access to JobTemplate({})'.format(team.name, jt.name)))
 
         for user in User.objects.iterator():
             if permission.filter(user=user).exists():
-                jt.executor_role.members.add(user)
+                jt.execute_role.members.add(user)
                 logger.info(smart_text(u'adding User({}) access to JobTemplate({})'.format(user.username, jt.name)))
 
             if jt.accessible_by(user, {'execute': True}):
@@ -407,5 +407,5 @@ def migrate_job_templates(apps, schema_editor):
                 continue
 
             if old_access.check_user_access(user, jt.__class__, 'start', jt, False):
-                jt.executor_role.members.add(user)
+                jt.execute_role.members.add(user)
                 logger.info(smart_text(u'adding User({}) access to JobTemplate({})'.format(user.username, jt.name)))

awx/main/models/credential.py

@@ -182,7 +182,7 @@ class Credential(PasswordFieldsModel, CommonModelNameNotUnique, ResourceMixin):
             'singleton:' + ROLE_SINGLETON_SYSTEM_AUDITOR,
         ],
     )
-    usage_role = ImplicitRoleField(
+    use_role = ImplicitRoleField(
         role_name='Credential User',
         role_description='May use this credential, but not read sensitive portions or modify it',
     )

awx/main/models/inventory.py

@@ -106,15 +106,15 @@ class Inventory(CommonModel, ResourceMixin):
         role_description='May view but not modify this inventory',
         parent_role='organization.auditor_role',
     )
-    updater_role = ImplicitRoleField(
+    update_role = ImplicitRoleField(
         role_name='Inventory Updater',
         role_description='May update the inventory',
     )
-    usage_role = ImplicitRoleField(
+    use_role = ImplicitRoleField(
         role_name='Inventory User',
         role_description='May use this inventory, but not read sensitive portions or modify it',
     )
-    executor_role = ImplicitRoleField(
+    execute_role = ImplicitRoleField(
         role_name='Inventory Executor',
         role_description='May execute jobs against this inventory',
     )
@@ -525,13 +525,13 @@ class Group(CommonModelNameNotUnique, ResourceMixin):
         role_name='Inventory Group Auditor',
         parent_role=['inventory.auditor_role', 'parents.auditor_role'],
     )
-    updater_role = ImplicitRoleField(
+    update_role = ImplicitRoleField(
         role_name='Inventory Group Updater',
-        parent_role=['inventory.updater_role', 'parents.updater_role'],
+        parent_role=['inventory.update_role', 'parents.updater_role'],
     )
-    executor_role = ImplicitRoleField(
+    execute_role = ImplicitRoleField(
         role_name='Inventory Group Executor',
-        parent_role=['inventory.executor_role', 'parents.executor_role'],
+        parent_role=['inventory.execute_role', 'parents.executor_role'],
     )
 
     def __unicode__(self):

awx/main/models/jobs.py

@@ -213,7 +213,7 @@ class JobTemplate(UnifiedJobTemplate, JobOptions, ResourceMixin):
         role_description='Read-only access to all settings',
         parent_role='project.auditor_role',
     )
-    executor_role = ImplicitRoleField(
+    execute_role = ImplicitRoleField(
         role_name='Job Template Runner',
         role_description='May run the job template',
     )

awx/main/models/organization.py

@@ -67,6 +67,11 @@ class Organization(CommonModel, NotificationFieldsModel, ResourceMixin):
         role_description='A member of this organization',
         parent_role='admin_role',
     )
+    read_role = ImplicitRoleField(
+        role_name='Organization Read Access',
+        role_description='Read an organization',
+        parent_role='member_role',
+    )
 
 
     def get_absolute_url(self):

awx/main/models/projects.py

@@ -239,7 +239,14 @@ class Project(UnifiedJobTemplate, ProjectOptions, ResourceMixin):
     member_role = ImplicitRoleField(
         role_name='Project Member',
         role_description='Implies membership within this project',
+        parent_role='admin_role',
     )
+    read_role = ImplicitRoleField(
+        role_name='Project Read Access',
+        role_description='Read access to this project',
+        parent_role='member_role',
+    )
+
     scm_update_role = ImplicitRoleField(
         role_name='Project Updater',
         role_description='May update this project from the source control management system',

awx/main/tests/functional/test_rbac_api.py

@@ -272,13 +272,11 @@ def test_org_admin_add_user_to_job_template(post, organization, check_jobtemplat
     joe = user('joe')
     organization.admin_role.members.add(org_admin)
 
-    assert check_jobtemplate.accessible_by(org_admin, {'write': True}) is True
+    assert org_admin in check_jobtemplate.admin_role
-    assert check_jobtemplate.accessible_by(joe, {'execute': True}) is False
+    assert joe not in check_jobtemplate.execute_role
 
-    res =post(reverse('api:role_users_list', args=(check_jobtemplate.executor_role.id,)), {'id': joe.id}, org_admin)
+    post(reverse('api:role_users_list', args=(check_jobtemplate.execute_role.id,)), {'id': joe.id}, org_admin)
-
+    assert joe in check_jobtemplate.execute_role
-    print(res.data)
-    assert check_jobtemplate.accessible_by(joe, {'execute': True}) is True
 
 
 @pytest.mark.django_db(transaction=True)
@@ -287,14 +285,14 @@ def test_org_admin_remove_user_to_job_template(post, organization, check_jobtemp
     org_admin = user('org-admin')
     joe = user('joe')
     organization.admin_role.members.add(org_admin)
-    check_jobtemplate.executor_role.members.add(joe)
+    check_jobtemplate.execute_role.members.add(joe)
 
-    assert check_jobtemplate.accessible_by(org_admin, {'write': True}) is True
+    assert org_admin in check_jobtemplate.admin_role
-    assert check_jobtemplate.accessible_by(joe, {'execute': True}) is True
+    assert joe in check_jobtemplate.execute_role
 
-    post(reverse('api:role_users_list', args=(check_jobtemplate.executor_role.id,)), {'disassociate': True, 'id': joe.id}, org_admin)
+    post(reverse('api:role_users_list', args=(check_jobtemplate.execute_role.id,)), {'disassociate': True, 'id': joe.id}, org_admin)
+    assert joe not in check_jobtemplate.execute
 
-    assert check_jobtemplate.accessible_by(joe, {'execute': True}) is False
 
 @pytest.mark.django_db(transaction=True)
 def test_user_fail_to_add_user_to_job_template(post, organization, check_jobtemplate, user):
@@ -302,14 +300,13 @@ def test_user_fail_to_add_user_to_job_template(post, organization, check_jobtemp
     rando = user('rando')
     joe = user('joe')
 
-    assert check_jobtemplate.accessible_by(rando, {'write': True}) is False
+    assert rando not in check_jobtemplate.admin_role
-    assert check_jobtemplate.accessible_by(joe, {'execute': True}) is False
+    assert joe not in check_jobtemplate.execute_role
 
-    res = post(reverse('api:role_users_list', args=(check_jobtemplate.executor_role.id,)), {'id': joe.id}, rando)
+    res = post(reverse('api:role_users_list', args=(check_jobtemplate.execute_role.id,)), {'id': joe.id}, rando)
-    print(res.data)
     assert res.status_code == 403
 
-    assert check_jobtemplate.accessible_by(joe, {'execute': True}) is False
+    assert joe not in check_jobtemplate.execute_role
 
 
 @pytest.mark.django_db(transaction=True)
@@ -317,16 +314,15 @@ def test_user_fail_to_remove_user_to_job_template(post, organization, check_jobt
     'Tests that a user without permissions to assign/revoke membership to a particular role cannot do so'
     rando = user('rando')
     joe = user('joe')
-    check_jobtemplate.executor_role.members.add(joe)
+    check_jobtemplate.execute_role.members.add(joe)
 
-    assert check_jobtemplate.accessible_by(rando, {'write': True}) is False
+    assert rando not in check_jobtemplate.admin_role
-    assert check_jobtemplate.accessible_by(joe, {'execute': True}) is True
+    assert joe not in check_jobtemplate.execute_role
 
-    res = post(reverse('api:role_users_list', args=(check_jobtemplate.executor_role.id,)), {'disassociate': True, 'id': joe.id}, rando)
+    res = post(reverse('api:role_users_list', args=(check_jobtemplate.execute_role.id,)), {'disassociate': True, 'id': joe.id}, rando)
     assert res.status_code == 403
 
-    assert check_jobtemplate.accessible_by(joe, {'execute': True}) is True
+    assert joe in check_jobtemplate.execute_role
-
 
 #
 # /roles/<id>/teams/

awx/main/tests/functional/test_rbac_credential.py

@@ -16,13 +16,13 @@ def test_credential_migration_user(credential, user, permissions):
 
     rbac.migrate_credential(apps, None)
 
-    assert credential.accessible_by(u, permissions['admin'])
+    assert u in credential.owner_role
 
 @pytest.mark.django_db
-def test_credential_usage_role(credential, user, permissions):
+def test_credential_use_role(credential, user, permissions):
     u = user('user', False)
-    credential.usage_role.members.add(u)
+    credential.use_role.members.add(u)
-    assert credential.accessible_by(u, permissions['usage'])
+    assert u in credential.owner_role
 
 @pytest.mark.django_db
 def test_credential_migration_team_member(credential, team, user, permissions):
@@ -34,13 +34,13 @@ def test_credential_migration_team_member(credential, team, user, permissions):
 
     # No permissions pre-migration (this happens automatically so we patch this)
     team.admin_role.children.remove(credential.owner_role)
-    team.member_role.children.remove(credential.usage_role)
+    team.member_role.children.remove(credential.use_role)
-    assert not credential.accessible_by(u, permissions['admin'])
+    assert u not in credential.owner_role
 
     rbac.migrate_credential(apps, None)
 
     # Admin permissions post migration
-    assert credential.accessible_by(u, permissions['admin'])
+    assert u in credential.owner_role
 
 @pytest.mark.django_db
 def test_credential_migration_team_admin(credential, team, user, permissions):
@@ -49,11 +49,11 @@ def test_credential_migration_team_admin(credential, team, user, permissions):
     credential.deprecated_team = team
     credential.save()
 
-    assert not credential.accessible_by(u, permissions['usage'])
+    assert u not in credential.use_role
 
     # Usage permissions post migration
     rbac.migrate_credential(apps, None)
-    assert credential.accessible_by(u, permissions['usage'])
+    assert u in credential.use_role
 
 def test_credential_access_superuser():
     u = User(username='admin', is_superuser=True)
@@ -166,10 +166,10 @@ def test_cred_inventory_source(user, inventory, credential):
         inventory=inventory,
     )
 
-    assert not credential.accessible_by(u, {'use':True})
+    assert u not in credential.use_role
 
     rbac.migrate_credential(apps, None)
-    assert credential.accessible_by(u, {'use':True})
+    assert u in credential.use_role
 
 @pytest.mark.django_db
 def test_cred_project(user, credential, project):
@@ -178,10 +178,10 @@ def test_cred_project(user, credential, project):
     project.credential = credential
     project.save()
 
-    assert not credential.accessible_by(u, {'use':True})
+    assert u not in credential.use_role
 
     rbac.migrate_credential(apps, None)
-    assert credential.accessible_by(u, {'use':True})
+    assert u in credential.use_role
 
 @pytest.mark.django_db
 def test_cred_no_org(user, credential):
@@ -196,7 +196,7 @@ def test_cred_team(user, team, credential):
     credential.deprecated_team = team
     credential.save()
 
-    assert not credential.accessible_by(u, {'use':True})
+    assert u not in credential.use_role
 
     rbac.migrate_credential(apps, None)
-    assert credential.accessible_by(u, {'use':True})
+    assert u in credential.use_role

awx/main/tests/functional/test_rbac_inventory.py

@@ -32,8 +32,8 @@ def test_inventory_admin_user(inventory, permissions, user):
     rbac.migrate_inventory(apps, None)
 
     assert inventory.accessible_by(u, permissions['admin'])
-    assert inventory.executor_role.members.filter(id=u.id).exists() is False
+    assert inventory.execute_role.members.filter(id=u.id).exists() is False
-    assert inventory.updater_role.members.filter(id=u.id).exists() is False
+    assert inventory.update_role.members.filter(id=u.id).exists() is False
 
 @pytest.mark.django_db
 def test_inventory_auditor_user(inventory, permissions, user):
@@ -48,8 +48,8 @@ def test_inventory_auditor_user(inventory, permissions, user):
 
     assert inventory.accessible_by(u, permissions['admin']) is False
     assert inventory.accessible_by(u, permissions['auditor']) is True
-    assert inventory.executor_role.members.filter(id=u.id).exists() is False
+    assert inventory.execute_role.members.filter(id=u.id).exists() is False
-    assert inventory.updater_role.members.filter(id=u.id).exists() is False
+    assert inventory.update_role.members.filter(id=u.id).exists() is False
 
 @pytest.mark.django_db
 def test_inventory_updater_user(inventory, permissions, user):
@@ -63,8 +63,8 @@ def test_inventory_updater_user(inventory, permissions, user):
     rbac.migrate_inventory(apps, None)
 
     assert inventory.accessible_by(u, permissions['admin']) is False
-    assert inventory.executor_role.members.filter(id=u.id).exists() is False
+    assert inventory.execute_role.members.filter(id=u.id).exists() is False
-    assert inventory.updater_role.members.filter(id=u.id).exists()
+    assert inventory.update_role.members.filter(id=u.id).exists()
 
 @pytest.mark.django_db
 def test_inventory_executor_user(inventory, permissions, user):
@@ -79,8 +79,8 @@ def test_inventory_executor_user(inventory, permissions, user):
 
     assert inventory.accessible_by(u, permissions['admin']) is False
     assert inventory.accessible_by(u, permissions['auditor']) is True
-    assert inventory.executor_role.members.filter(id=u.id).exists()
+    assert inventory.execute_role.members.filter(id=u.id).exists()
-    assert inventory.updater_role.members.filter(id=u.id).exists() is False
+    assert inventory.update_role.members.filter(id=u.id).exists() is False
 
 
 
@@ -99,8 +99,8 @@ def test_inventory_admin_team(inventory, permissions, user, team):
     assert team.member_role.members.count() == 1
     assert inventory.admin_role.members.filter(id=u.id).exists() is False
     assert inventory.auditor_role.members.filter(id=u.id).exists() is False
-    assert inventory.executor_role.members.filter(id=u.id).exists() is False
+    assert inventory.execute_role.members.filter(id=u.id).exists() is False
-    assert inventory.updater_role.members.filter(id=u.id).exists() is False
+    assert inventory.update_role.members.filter(id=u.id).exists() is False
     assert inventory.accessible_by(u, permissions['auditor'])
     assert inventory.accessible_by(u, permissions['admin'])
 
@@ -121,8 +121,8 @@ def test_inventory_auditor(inventory, permissions, user, team):
     assert team.member_role.members.count() == 1
     assert inventory.admin_role.members.filter(id=u.id).exists() is False
     assert inventory.auditor_role.members.filter(id=u.id).exists() is False
-    assert inventory.executor_role.members.filter(id=u.id).exists() is False
+    assert inventory.execute_role.members.filter(id=u.id).exists() is False
-    assert inventory.updater_role.members.filter(id=u.id).exists() is False
+    assert inventory.update_role.members.filter(id=u.id).exists() is False
     assert inventory.accessible_by(u, permissions['auditor'])
     assert inventory.accessible_by(u, permissions['admin']) is False
 
@@ -142,10 +142,10 @@ def test_inventory_updater(inventory, permissions, user, team):
     assert team.member_role.members.count() == 1
     assert inventory.admin_role.members.filter(id=u.id).exists() is False
     assert inventory.auditor_role.members.filter(id=u.id).exists() is False
-    assert inventory.executor_role.members.filter(id=u.id).exists() is False
+    assert inventory.execute_role.members.filter(id=u.id).exists() is False
-    assert inventory.updater_role.members.filter(id=u.id).exists() is False
+    assert inventory.update_role.members.filter(id=u.id).exists() is False
-    assert team.member_role.is_ancestor_of(inventory.updater_role)
+    assert team.member_role.is_ancestor_of(inventory.update_role)
-    assert team.member_role.is_ancestor_of(inventory.executor_role) is False
+    assert team.member_role.is_ancestor_of(inventory.execute_role) is False
 
 
 @pytest.mark.django_db
@@ -164,10 +164,10 @@ def test_inventory_executor(inventory, permissions, user, team):
     assert team.member_role.members.count() == 1
     assert inventory.admin_role.members.filter(id=u.id).exists() is False
     assert inventory.auditor_role.members.filter(id=u.id).exists() is False
-    assert inventory.executor_role.members.filter(id=u.id).exists() is False
+    assert inventory.execute_role.members.filter(id=u.id).exists() is False
-    assert inventory.updater_role.members.filter(id=u.id).exists() is False
+    assert inventory.update_role.members.filter(id=u.id).exists() is False
-    assert team.member_role.is_ancestor_of(inventory.updater_role) is False
+    assert team.member_role.is_ancestor_of(inventory.update_role) is False
-    assert team.member_role.is_ancestor_of(inventory.executor_role)
+    assert team.member_role.is_ancestor_of(inventory.execute_role)
 
 @pytest.mark.django_db
 def test_group_parent_admin(group, permissions, user):

awx/main/tests/functional/test_rbac_job_start.py

@@ -24,7 +24,7 @@ def test_admin_executing_permissions(deploy_jobtemplate, inventory, machine_cred
 def test_job_template_start_access(deploy_jobtemplate, user):
 
     common_user = user('test-user', False)
-    deploy_jobtemplate.executor_role.members.add(common_user)
+    deploy_jobtemplate.execute_role.members.add(common_user)
 
     assert common_user.can_access(JobTemplate, 'start', deploy_jobtemplate)
 
@@ -33,7 +33,7 @@ def test_job_template_start_access(deploy_jobtemplate, user):
 def test_credential_use_access(machine_credential, user):
 
     common_user = user('test-user', False)
-    machine_credential.usage_role.members.add(common_user)
+    machine_credential.use_role.members.add(common_user)
 
     assert common_user.can_access(Credential, 'use', machine_credential)
 
@@ -42,6 +42,6 @@ def test_credential_use_access(machine_credential, user):
 def test_inventory_use_access(inventory, user):
 
     common_user = user('test-user', False)
-    inventory.usage_role.members.add(common_user)
+    inventory.use_role.members.add(common_user)
 
     assert common_user.can_access(Inventory, 'use', inventory)

awx/main/tests/functional/test_rbac_job_templates.py

@@ -27,16 +27,16 @@ def test_job_template_migration_check(deploy_jobtemplate, check_jobtemplate, use
     rbac.migrate_projects(apps, None)
     rbac.migrate_inventory(apps, None)
 
-    assert check_jobtemplate.project.accessible_by(joe, {'read': True})
+    assert joe in check_jobtemplate.project.read_role
-    assert check_jobtemplate.accessible_by(admin, {'execute': True}) is True
+    assert admin in check_jobtemplate.execute_role
-    assert check_jobtemplate.accessible_by(joe, {'execute': True}) is False
+    assert joe not in check_jobtemplate.execute_role
 
     rbac.migrate_job_templates(apps, None)
 
-    assert check_jobtemplate.accessible_by(admin, {'execute': True}) is True
+    assert admin in check_jobtemplate.execute_role
-    assert check_jobtemplate.accessible_by(joe, {'execute': True}) is True
+    assert joe in check_jobtemplate.execute_role
-    assert deploy_jobtemplate.accessible_by(admin, {'execute': True}) is True
+    assert admin in deploy_jobtemplate.execute_role
-    assert deploy_jobtemplate.accessible_by(joe, {'execute': True}) is False
+    assert joe not in deploy_jobtemplate.execute_role
 
 @pytest.mark.django_db
 def test_job_template_migration_deploy(deploy_jobtemplate, check_jobtemplate, user):
@@ -55,16 +55,16 @@ def test_job_template_migration_deploy(deploy_jobtemplate, check_jobtemplate, us
     rbac.migrate_projects(apps, None)
     rbac.migrate_inventory(apps, None)
 
-    assert deploy_jobtemplate.project.accessible_by(joe, {'read': True})
+    assert joe in deploy_jobtemplate.project.read_role
-    assert deploy_jobtemplate.accessible_by(admin, {'execute': True}) is True
+    assert admin in deploy_jobtemplate.execute_role
-    assert deploy_jobtemplate.accessible_by(joe, {'execute': True}) is False
+    assert joe not in deploy_jobtemplate.execute_role
 
     rbac.migrate_job_templates(apps, None)
 
-    assert deploy_jobtemplate.accessible_by(admin, {'execute': True}) is True
+    assert admin in deploy_jobtemplate.execute_role
-    assert deploy_jobtemplate.accessible_by(joe, {'execute': True}) is True
+    assert joe in deploy_jobtemplate.execute_role
-    assert check_jobtemplate.accessible_by(admin, {'execute': True}) is True
+    assert admin in check_jobtemplate.execute_role
-    assert check_jobtemplate.accessible_by(joe, {'execute': True}) is True
+    assert joe in check_jobtemplate.execute_role
 
 
 @pytest.mark.django_db
@@ -87,17 +87,17 @@ def test_job_template_team_migration_check(deploy_jobtemplate, check_jobtemplate
     rbac.migrate_projects(apps, None)
     rbac.migrate_inventory(apps, None)
 
-    assert check_jobtemplate.project.accessible_by(joe, {'read': True})
+    assert joe in check_jobtemplate.read_role
-    assert check_jobtemplate.accessible_by(admin, {'execute': True}) is True
+    assert admin in check_jobtemplate.execute_role
-    assert check_jobtemplate.accessible_by(joe, {'execute': True}) is False
+    assert joe not in check_jobtemplate.execute_role
 
     rbac.migrate_job_templates(apps, None)
 
-    assert check_jobtemplate.accessible_by(admin, {'execute': True}) is True
+    assert admin in check_jobtemplate.execute_role
-    assert check_jobtemplate.accessible_by(joe, {'execute': True}) is True
+    assert joe in check_jobtemplate.execute_role
 
-    assert deploy_jobtemplate.accessible_by(admin, {'execute': True}) is True
+    assert admin in deploy_jobtemplate.execute_role
-    assert deploy_jobtemplate.accessible_by(joe, {'execute': True}) is False
+    assert joe not in deploy_jobtemplate.execute_role
 
 
 @pytest.mark.django_db
@@ -120,17 +120,17 @@ def test_job_template_team_deploy_migration(deploy_jobtemplate, check_jobtemplat
     rbac.migrate_projects(apps, None)
     rbac.migrate_inventory(apps, None)
 
-    assert deploy_jobtemplate.project.accessible_by(joe, {'read': True})
+    assert joe in deploy_jobtemplate.read_role
-    assert deploy_jobtemplate.accessible_by(admin, {'execute': True}) is True
+    assert admin in deploy_jobtemplate.execute_role
-    assert deploy_jobtemplate.accessible_by(joe, {'execute': True}) is False
+    assert joe not in deploy_jobtemplate.execute_role
 
     rbac.migrate_job_templates(apps, None)
 
-    assert deploy_jobtemplate.accessible_by(admin, {'execute': True}) is True
+    assert admin in deploy_jobtemplate.execute_role
-    assert deploy_jobtemplate.accessible_by(joe, {'execute': True}) is True
+    assert joe in deploy_jobtemplate.execute_role
 
-    assert check_jobtemplate.accessible_by(admin, {'execute': True}) is True
+    assert admin in check_jobtemplate.execute_role
-    assert check_jobtemplate.accessible_by(joe, {'execute': True}) is True
+    assert joe in check_jobtemplate.execute_role
 
 
 @mock.patch.object(BaseAccess, 'check_license', return_value=None)

awx/main/tests/functional/test_rbac_organization.py

@@ -16,11 +16,11 @@ def test_organization_migration_admin(organization, permissions, user):
 
     # Undo some automatic work that we're supposed to be testing with our migration
     organization.admin_role.members.remove(u)
-    assert not organization.accessible_by(u, permissions['admin'])
+    assert u not in organization.admin_role
 
     rbac.migrate_organization(apps, None)
 
-    assert organization.accessible_by(u, permissions['admin'])
+    assert u in organization.admin_role
 
 @pytest.mark.django_db
 def test_organization_migration_user(organization, permissions, user):
@@ -29,11 +29,11 @@ def test_organization_migration_user(organization, permissions, user):
 
     # Undo some automatic work that we're supposed to be testing with our migration
     organization.member_role.members.remove(u)
-    assert not organization.accessible_by(u, permissions['auditor'])
+    assert u not in organization.read_role
 
     rbac.migrate_organization(apps, None)
 
-    assert organization.accessible_by(u, permissions['auditor'])
+    assert u in organization.read_role
 
 
 @mock.patch.object(BaseAccess, 'check_license', return_value=None)

awx/main/tests/functional/test_rbac_project.py

@@ -138,11 +138,11 @@ def test_project_user_project(user_project, project, user):
     assert old_access.check_user_access(u, user_project.__class__, 'read', user_project)
     assert old_access.check_user_access(u, project.__class__, 'read', project) is False
 
-    assert user_project.accessible_by(u, {'read': True}) is False
+    assert u not in user_project.read_role
-    assert project.accessible_by(u, {'read': True}) is False
+    assert u not in project.read_role
     rbac.migrate_projects(apps, None)
-    assert user_project.accessible_by(u, {'read': True}) is True
+    assert u in user_project.read_role
-    assert project.accessible_by(u, {'read': True}) is False
+    assert u not in project.read_role
 
 @pytest.mark.django_db
 def test_project_accessible_by_sa(user, project):
@@ -150,21 +150,21 @@ def test_project_accessible_by_sa(user, project):
     # This gets setup by a signal, but we want to test the migration which will set this up too, so remove it
     Role.singleton('System Administrator').members.remove(u)
 
-    assert project.accessible_by(u, {'read': True}) is False
+    assert u not in project.read_role
     rbac.migrate_organization(apps, None)
     rbac.migrate_users(apps, None)
     rbac.migrate_projects(apps, None)
     print(project.admin_role.ancestors.all())
     print(project.admin_role.ancestors.all())
-    assert project.accessible_by(u, {'read': True, 'write': True}) is True
+    assert u in project.admin_role
 
 @pytest.mark.django_db
 def test_project_org_members(user, organization, project):
     admin = user('orgadmin')
     member = user('orgmember')
 
-    assert project.accessible_by(admin, {'read': True}) is False
+    assert admin not in project.read_role
-    assert project.accessible_by(member, {'read': True}) is False
+    assert member not in project.read_role
 
     organization.deprecated_admins.add(admin)
     organization.deprecated_users.add(member)
@@ -172,8 +172,8 @@ def test_project_org_members(user, organization, project):
     rbac.migrate_organization(apps, None)
     rbac.migrate_projects(apps, None)
 
-    assert project.accessible_by(admin, {'read': True, 'write': True}) is True
+    assert admin in project.admin_role
-    assert project.accessible_by(member, {'read': True})
+    assert member in project.read_role
 
 @pytest.mark.django_db
 def test_project_team(user, team, project):
@@ -183,15 +183,15 @@ def test_project_team(user, team, project):
     team.deprecated_users.add(member)
     project.deprecated_teams.add(team)
 
-    assert project.accessible_by(nonmember, {'read': True}) is False
+    assert nonmember not in project.read_role
-    assert project.accessible_by(member, {'read': True}) is False
+    assert member not in project.read_role
 
     rbac.migrate_team(apps, None)
     rbac.migrate_organization(apps, None)
     rbac.migrate_projects(apps, None)
 
-    assert project.accessible_by(member, {'read': True}) is True
+    assert member in project.read_role
-    assert project.accessible_by(nonmember, {'read': True}) is False
+    assert nonmember not in project.read_role
 
 @pytest.mark.django_db
 def test_project_explicit_permission(user, team, project, organization):
@@ -203,9 +203,9 @@ def test_project_explicit_permission(user, team, project, organization):
     p = Permission(user=u, project=project, permission_type='create', name='Perm name')
     p.save()
 
-    assert project.accessible_by(u, {'read': True}) is False
+    assert u not in project.read_role
 
     rbac.migrate_organization(apps, None)
     rbac.migrate_projects(apps, None)
 
-    assert project.accessible_by(u, {'read': True}) is True
+    assert u in project.read_role

awx/main/tests/functional/test_rbac_team.py

@@ -54,11 +54,11 @@ def test_team_accessible_by(team, user, project):
     u = user('team_member', False)
 
     team.member_role.children.add(project.member_role)
-    assert project.accessible_by(team, {'read':True})
+    assert team in project.read_role
-    assert not project.accessible_by(u, {'read':True})
+    assert u not in project.read_role
 
     team.member_role.members.add(u)
-    assert project.accessible_by(u, {'read':True})
+    assert u in project.read_role
 
 @pytest.mark.django_db
 def test_team_accessible_objects(team, user, project):

awx/main/tests/functional/test_rbac_user.py

@@ -55,13 +55,13 @@ def test_org_user_admin(user, organization):
     member = user('orgmember')
 
     organization.member_role.members.add(member)
-    assert not member.accessible_by(admin, {'write':True})
+    assert admin not in member.admin_role
 
     organization.admin_role.members.add(admin)
-    assert member.accessible_by(admin, {'write':True})
+    assert admin in member.admin_role
 
     organization.admin_role.members.remove(admin)
-    assert not member.accessible_by(admin, {'write':True})
+    assert admin not in member.admin_role
 
 @pytest.mark.django_db
 def test_org_user_removed(user, organization):
@@ -71,7 +71,7 @@ def test_org_user_removed(user, organization):
     organization.admin_role.members.add(admin)
     organization.member_role.members.add(member)
 
-    assert member.accessible_by(admin, {'write':True})
+    assert admin in member.admin_role
 
     organization.member_role.members.remove(member)
-    assert not member.accessible_by(admin, {'write':True})
+    assert admin not in member.admin_role

awx/main/tests/job_base.py

@@ -295,14 +295,14 @@ class BaseJobTestMixin(BaseTestMixin):
             password='ASK',
             created_by=self.user_sue,
         )
-        self.cred_bob.usage_role.members.add(self.user_bob)
+        self.cred_bob.use_role.members.add(self.user_bob)
 
         self.cred_chuck = Credential.objects.create(
             username='chuck',
             ssh_key_data=TEST_SSH_KEY_DATA,
             created_by=self.user_sue,
         )
-        self.cred_chuck.usage_role.members.add(self.user_chuck)
+        self.cred_chuck.use_role.members.add(self.user_chuck)
 
         self.cred_doug = Credential.objects.create(
             username='doug',
@@ -310,7 +310,7 @@ class BaseJobTestMixin(BaseTestMixin):
                      'is why we dont\'t let doug actually run jobs.',
             created_by=self.user_sue,
         )
-        self.cred_doug.usage_role.members.add(self.user_doug)
+        self.cred_doug.use_role.members.add(self.user_doug)
 
         self.cred_eve = Credential.objects.create(
             username='eve',
@@ -320,14 +320,14 @@ class BaseJobTestMixin(BaseTestMixin):
             become_password='ASK',
             created_by=self.user_sue,
         )
-        self.cred_eve.usage_role.members.add(self.user_eve)
+        self.cred_eve.use_role.members.add(self.user_eve)
 
         self.cred_frank = Credential.objects.create(
             username='frank',
             password='fr@nk the t@nk',
             created_by=self.user_sue,
         )
-        self.cred_frank.usage_role.members.add(self.user_frank)
+        self.cred_frank.use_role.members.add(self.user_frank)
 
         self.cred_greg = Credential.objects.create(
             username='greg',
@@ -335,21 +335,21 @@ class BaseJobTestMixin(BaseTestMixin):
             ssh_key_unlock='ASK',
             created_by=self.user_sue,
         )
-        self.cred_greg.usage_role.members.add(self.user_greg)
+        self.cred_greg.use_role.members.add(self.user_greg)
 
         self.cred_holly = Credential.objects.create(
             username='holly',
             password='holly rocks',
             created_by=self.user_sue,
         )
-        self.cred_holly.usage_role.members.add(self.user_holly)
+        self.cred_holly.use_role.members.add(self.user_holly)
 
         self.cred_iris = Credential.objects.create(
             username='iris',
             password='ASK',
             created_by=self.user_sue,
         )
-        self.cred_iris.usage_role.members.add(self.user_iris)
+        self.cred_iris.use_role.members.add(self.user_iris)
 
         # Each operations team also has shared credentials they can use.
         self.cred_ops_east = Credential.objects.create(
@@ -358,14 +358,14 @@ class BaseJobTestMixin(BaseTestMixin):
             ssh_key_unlock=TEST_SSH_KEY_DATA_UNLOCK,
             created_by = self.user_sue,
         )
-        self.team_ops_east.member_role.children.add(self.cred_ops_east.usage_role)
+        self.team_ops_east.member_role.children.add(self.cred_ops_east.use_role)
 
         self.cred_ops_west = Credential.objects.create(
             username='west',
             password='Heading270',
             created_by = self.user_sue,
         )
-        self.team_ops_west.member_role.children.add(self.cred_ops_west.usage_role)
+        self.team_ops_west.member_role.children.add(self.cred_ops_west.use_role)
 
 
         # FIXME: This code can be removed (probably)
@@ -391,7 +391,7 @@ class BaseJobTestMixin(BaseTestMixin):
             password='HeadingNone',
             created_by = self.user_sue,
         )
-        self.team_ops_testers.member_role.children.add(self.cred_ops_test.usage_role)
+        self.team_ops_testers.member_role.children.add(self.cred_ops_test.use_role)
 
         self.ops_east_permission = Permission.objects.create(
             inventory       = self.inv_ops_east,

awx/main/tests/old/ad_hoc.py

@@ -463,7 +463,7 @@ class AdHocCommandApiTest(BaseAdHocCommandTest):
         # not allowed to run ad hoc commands).
         user_roles_list_url = reverse('api:user_roles_list', args=(self.other_django_user.pk,))
         with self.current_user('admin'):
-            response = self.post(user_roles_list_url, {"id": self.inventory.updater_role.id}, expect=204)
+            response = self.post(user_roles_list_url, {"id": self.inventory.update_role.id}, expect=204)
         with self.current_user('other'):
             self.run_test_ad_hoc_command(expect=403)
         self.check_get_list(url, 'other', qs)
@@ -471,7 +471,7 @@ class AdHocCommandApiTest(BaseAdHocCommandTest):
         # Add executor role permissions to other. Fails
         # when other user can't read credential.
         with self.current_user('admin'):
-            response = self.post(user_roles_list_url, {"id": self.inventory.executor_role.id}, expect=204)
+            response = self.post(user_roles_list_url, {"id": self.inventory.execute_role.id}, expect=204)
         with self.current_user('other'):
             self.run_test_ad_hoc_command(expect=403)
 
@@ -504,7 +504,7 @@ class AdHocCommandApiTest(BaseAdHocCommandTest):
         # Give the nobody user the run_ad_hoc_commands flag, and can now see
         # the one ad hoc command previously run.
         with self.current_user('admin'):
-            response = self.post(nobody_roles_list_url, {"id": self.inventory.executor_role.id}, expect=204)
+            response = self.post(nobody_roles_list_url, {"id": self.inventory.execute_role.id}, expect=204)
         qs = AdHocCommand.objects.filter(credential_id=nobody_cred.pk)
         self.assertEqual(qs.count(), 1)
         self.check_get_list(url, 'nobody', qs)
@@ -1006,7 +1006,7 @@ class AdHocCommandApiTest(BaseAdHocCommandTest):
         # can_run_ad_hoc_commands = True when we shouldn't.
         nobody_roles_list_url = reverse('api:user_roles_list', args=(self.nobody_django_user.pk,))
         with self.current_user('admin'):
-            response = self.post(nobody_roles_list_url, {"id": self.inventory.executor_role.id}, expect=204)
+            response = self.post(nobody_roles_list_url, {"id": self.inventory.execute_role.id}, expect=204)
 
         # Create a credential for the other user and explicitly give other
         # user admin permission on the inventory (still not allowed to run ad
@@ -1014,7 +1014,7 @@ class AdHocCommandApiTest(BaseAdHocCommandTest):
         other_cred = self.create_test_credential(user=self.other_django_user)
         user_roles_list_url = reverse('api:user_roles_list', args=(self.other_django_user.pk,))
         with self.current_user('admin'):
-            response = self.post(user_roles_list_url, {"id": self.inventory.updater_role.id}, expect=204)
+            response = self.post(user_roles_list_url, {"id": self.inventory.update_role.id}, expect=204)
         with self.current_user('other'):
             response = self.get(url, expect=200)
             self.assertEqual(response['count'], 0)
@@ -1025,7 +1025,7 @@ class AdHocCommandApiTest(BaseAdHocCommandTest):
         # Update permission to allow other user to run ad hoc commands.  Can
         # only see his own ad hoc commands (because of credential permission).
         with self.current_user('admin'):
-            response = self.post(user_roles_list_url, {"id": self.inventory.executor_role.id}, expect=204)
+            response = self.post(user_roles_list_url, {"id": self.inventory.execute_role.id}, expect=204)
         with self.current_user('other'):
             response = self.get(url, expect=200)
             self.assertEqual(response['count'], 0)