Basic runtime enforcement of policy as code part 2 (#6875)

* Add `opa_query_path field` for Inventory, Organization and JobTemplate models (#6850) Add `opa_query_path` model field to Inventory, Organizatio and JobTemplate. Add migration file and expose opa_query_path field in the related API serializers. * Gather and evaluate `opa_query_path` fields and raise violation exceptions (#6864) gather and evaluate all opa query related to a job execution during policy evaluation phase * Add OPA_AUTH_CUSTOM_HEADERS support (#6863) * Extend policy input data serializers (#6890) * Extend policy input data serializers * Update help text for PaC related fields (#6891) * Remove encrypted from OPA_AUTH_CUSTOMER_HEADER Unable to encrypt a dict field --------- Co-authored-by: Jiří Jeřábek (Jiri Jerabek) <Jerabekjirka@email.cz> Co-authored-by: Alexander Saprykin <cutwatercore@gmail.com> Co-authored-by: Tina Tien <98424339+tiyiprh@users.noreply.github.com>
2026-03-22 19:35:02 -02:30 · 2025-03-17 22:39:26 -04:00
parent e9f2a14ebd
commit bad4e630ba
11 changed files with 472 additions and 95 deletions
--- a/awx/main/migrations/0197_add_opa_query_path.py
+++ b/awx/main/migrations/0197_add_opa_query_path.py
@@ -0,0 +1,46 @@
+# Generated by Django 4.2.18 on 2025-03-17 16:10
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('main', '0196_indirect_managed_node_audit'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='inventory',
+            name='opa_query_path',
+            field=models.CharField(
+                blank=True,
+                default=None,
+                help_text='The query path for the OPA policy to evaluate prior to job execution. The query path should be formatted as package/rule.',
+                max_length=128,
+                null=True,
+            ),
+        ),
+        migrations.AddField(
+            model_name='jobtemplate',
+            name='opa_query_path',
+            field=models.CharField(
+                blank=True,
+                default=None,
+                help_text='The query path for the OPA policy to evaluate prior to job execution. The query path should be formatted as package/rule.',
+                max_length=128,
+                null=True,
+            ),
+        ),
+        migrations.AddField(
+            model_name='organization',
+            name='opa_query_path',
+            field=models.CharField(
+                blank=True,
+                default=None,
+                help_text='The query path for the OPA policy to evaluate prior to job execution. The query path should be formatted as package/rule.',
+                max_length=128,
+                null=True,
+            ),
+        ),
+    ]
--- a/awx/main/migrations/_OrgAdmin_to_use_ig.py
+++ b/awx/main/migrations/_OrgAdmin_to_use_ig.py
@@ -1,6 +1,5 @@
 import logging

-from awx.main.models import Organization

 logger = logging.getLogger('awx.main.migrations')

@@ -8,6 +7,7 @@ logger = logging.getLogger('awx.main.migrations')
 def migrate_org_admin_to_use(apps, schema_editor):
    logger.info('Initiated migration from Org admin to use role')
    roles_added = 0
+    Organization = apps.get_model('main', 'Organization')
    for org in Organization.objects.prefetch_related('admin_role__members').iterator(chunk_size=1000):
        igs = list(org.instance_groups.all())
        if not igs: