Add instance groups roles (#13584)

* adding roles to instance groups
added ResourceMixin to Instancegroup and changed the filtered_queryset

* added necessary changes to rebuild relationship between IG and roles

* added description to InstanceGroupAccess

* preliminary ui plug for demo purposes

* preliminary ui plug for demo purposes
added inventory special logic for use_role to allow attaching instance groups
added more tests to handle those cases

* Add access_list to InstanceGroup

* scratch branch to test migration work

* refactored to shorten logic

* Added migration and am removing logic that enabled Org admin permissions

* Add Obj admin role to JT, Inv, Org

* Changed tests to reflect new permissions

* refactored some of the tests

* cleaned up more tests and reworded help on InstanceGroupAccess

* Removed unnecessary delete of Route for instance group perms change

* Fix UI tests and migration

* fixed permissions on prompt for InstanceGroups

* added related object roles endpoint

* added ui/api function for options instance_groups

* separate the migrations in order to avoid issues with migrations not being finished

* changed migrations parent class to disable the activity stream error in migrations

* Added logging to migration as activitystream is disabled

* added clarifying comment to jobtemlateaccess and linted UI addition

* renamed migrations to avoid collisions

* Rename migrations to avoid collisions

awx/main/migrations/0177_instance_group_role_addition.py

@@ -0,0 +1,48 @@
+# Generated by Django 3.2.16 on 2023-02-17 02:45
+
+import awx.main.fields
+from django.db import migrations
+import django.db.models.deletion
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ('main', '0176_inventorysource_scm_branch'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='instancegroup',
+            name='admin_role',
+            field=awx.main.fields.ImplicitRoleField(
+                editable=False,
+                null='True',
+                on_delete=django.db.models.deletion.CASCADE,
+                parent_role=['singleton:system_administrator'],
+                related_name='+',
+                to='main.role',
+            ),
+            preserve_default='True',
+        ),
+        migrations.AddField(
+            model_name='instancegroup',
+            name='read_role',
+            field=awx.main.fields.ImplicitRoleField(
+                editable=False,
+                null='True',
+                on_delete=django.db.models.deletion.CASCADE,
+                parent_role=['singleton:system_auditor', 'use_role', 'admin_role'],
+                related_name='+',
+                to='main.role',
+            ),
+            preserve_default='True',
+        ),
+        migrations.AddField(
+            model_name='instancegroup',
+            name='use_role',
+            field=awx.main.fields.ImplicitRoleField(
+                editable=False, null='True', on_delete=django.db.models.deletion.CASCADE, parent_role=['admin_role'], related_name='+', to='main.role'
+            ),
+            preserve_default='True',
+        ),
+    ]

awx/main/migrations/0178_instance_group_admin_migration.py

@@ -0,0 +1,18 @@
+# Generated by Django 3.2.16 on 2023-02-17 02:45
+
+from django.db import migrations
+from awx.main.migrations import _rbac as rbac
+from awx.main.migrations import _migration_utils as migration_utils
+from awx.main.migrations import _OrgAdmin_to_use_ig as oamigrate
+from awx.main.migrations import ActivityStreamDisabledMigration
+
+
+class Migration(ActivityStreamDisabledMigration):
+    dependencies = [
+        ('main', '0177_instance_group_role_addition'),
+    ]
+    operations = [
+        migrations.RunPython(migration_utils.set_current_apps_for_migrations),
+        migrations.RunPython(rbac.create_roles),
+        migrations.RunPython(oamigrate.migrate_org_admin_to_use),
+    ]

awx/main/migrations/_OrgAdmin_to_use_ig.py

@@ -0,0 +1,20 @@
+import logging
+
+from awx.main.models import Organization
+
+logger = logging.getLogger('awx.main.migrations')
+
+
+def migrate_org_admin_to_use(apps, schema_editor):
+    logger.info('Initiated migration from Org admin to use role')
+    roles_added = 0
+    for org in Organization.objects.prefetch_related('admin_role__members').iterator():
+        igs = list(org.instance_groups.all())
+        if not igs:
+            continue
+        for admin in org.admin_role.members.filter(is_superuser=False):
+            for ig in igs:
+                ig.use_role.members.add(admin)
+                roles_added += 1
+    if roles_added:
+        logger.info(f'Migration converted {roles_added} from organization admin to use role')

awx/main/migrations/_rbac.py

@@ -29,6 +29,7 @@ def create_roles(apps, schema_editor):
             'Project',
             'Credential',
             'JobTemplate',
+            'InstanceGroup',
         ]
     ]