[AAP-72817] Fix cartesian product in organization user/admin count queries (#16501)

* Fix cartesian product in organization user/admin count queries The organizations list and detail endpoints annotated each org with user and admin counts using two Count() calls that traverse the Role.members M2M. Django generated two LEFT JOINs on the same through table, crossing every member row with every admin row before COUNT(DISTINCT) reduced the product. At scale (2,617 members × 46,233 admins) this produced 120M intermediate rows and 96-second query times, causing 504 timeouts. Replace with independent Subquery expressions that each query main_rbac_roles_members separately - no cross product. Fixes: AAP-72817 Fixes: AAP-72480 * Fix variable names which do not meet coding standards * Fix formatting inconsistency in organization detail subquery annotation Break the long .annotate() line across multiple lines to match the style used in mixin.py. * Rewrite org count subqueries to use DAB RBAC models Replace old RBAC Role.members.through subqueries with RoleUserAssignment-based correlated subqueries, querying managed RoleDefinitions ('Organization Member' / 'Organization Admin') directly. This aligns with the DAB RBAC migration direction and eliminates dependency on the deprecated ImplicitRoleField M2M tables for these counts. Update test fixtures to use RoleDefinition.give_permission() and add setup_managed_roles where needed. * Fix collection tests: set up managed role definitions The DAB RBAC migration to use RoleUserAssignment subqueries in organization views requires managed role definitions (Organization Member, Organization Admin) to exist in the test database. Add an autouse fixture to the collection test conftest that calls setup_managed_role_definitions() before each test. * Add setup_managed_roles fixture to functional tests hitting org views Tests that hit organization list/detail views now require the setup_managed_roles fixture to pre-create the Organization Member and Organization Admin RoleDefinition objects used by the DAB RBAC subqueries. * Revert setup_managed_roles from ext_auditor tests The setup_managed_roles fixture conflicts with the ext_auditor_rd fixture by deleting the Alien Auditor role definition. These tests don't need it — the defensive view code handles missing role definitions gracefully. * Handle missing Organization Member/Admin role definitions gracefully Use filter().first() instead of get() for RoleDefinition lookups in organization list and detail views. Returns 0 for user/admin counts when role definitions are not yet created, preventing 500 errors in environments where post_migrate signals haven't run. * Cast OuterRef('pk') to TextField for RoleUserAssignment.object_id comparison RoleUserAssignment.object_id is a TextField, but OuterRef('pk') on Organization produces an integer. PostgreSQL strictly rejects text = integer comparisons. Use Cast() to explicitly convert the PK to text. --------- Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
2026-06-23 07:37:50 -02:30 · 2026-06-18 18:35:22 +02:00
parent 61d17673d9
commit c1bd2eb338
9 changed files with 88 additions and 29 deletions
--- a/awx/api/views/mixin.py
+++ b/awx/api/views/mixin.py
@@ -4,7 +4,8 @@
 import dateutil
 import logging

-from django.db.models import Count
+from django.db.models import Count, OuterRef, Subquery, TextField
+from django.db.models.functions import Cast, Coalesce
 from django.db import transaction
 from django.shortcuts import get_object_or_404
 from django.utils.timezone import now
@@ -15,6 +16,7 @@ from rest_framework.response import Response
 from rest_framework import status

 from awx.main.constants import ACTIVE_STATES
+from ansible_base.rbac.models import RoleDefinition, RoleUserAssignment
 from awx.main.models import Organization
 from awx.main.utils import get_object_or_400
 from awx.main.models.ha import Instance, InstanceGroup, schedule_policy_task
@@ -177,10 +179,29 @@ class OrganizationCountsMixin(object):

        db_results['projects'] = project_qs.values('organization').annotate(Count('organization')).order_by('organization')

-        # Other members and admins of organization are always viewable
-        db_results['users'] = org_qs.annotate(users=Count('member_role__members', distinct=True), admins=Count('admin_role__members', distinct=True)).values(
-            'id', 'users', 'admins'
-        )
+        member_rd = RoleDefinition.objects.filter(name='Organization Member').first()
+        admin_rd = RoleDefinition.objects.filter(name='Organization Admin').first()
+
+        if member_rd and admin_rd:
+
+            def assignment_count(rd):
+                return Coalesce(
+                    Subquery(
+                        RoleUserAssignment.objects.filter(
+                            object_id=Cast(OuterRef('pk'), output_field=TextField()),
+                            role_definition=rd,
+                        )
+                        .values('role_definition')
+                        .annotate(c=Count('pk'))
+                        .values('c')
+                    ),
+                    0,
+                )
+
+            db_results['users'] = org_qs.annotate(
+                users=assignment_count(member_rd),
+                admins=assignment_count(admin_rd),
+            ).values('id', 'users', 'admins')

        count_context = {}
        for org in org_id_list:
--- a/awx/api/views/organization.py
+++ b/awx/api/views/organization.py
@@ -5,11 +5,13 @@
 import logging

 # Django
-from django.db.models import Count
+from django.db.models import Count, OuterRef, Subquery, TextField
+from django.db.models.functions import Cast, Coalesce
 from django.contrib.contenttypes.models import ContentType
 from django.utils.translation import gettext_lazy as _

 # AWX
+from ansible_base.rbac.models import RoleDefinition, RoleUserAssignment
 from awx.main.models import (
    ActivityStream,
    Inventory,
@@ -77,16 +79,41 @@ class OrganizationDetail(RelatedJobsPreventDeleteMixin, RetrieveUpdateDestroyAPI

        org_counts = {}
        access_kwargs = {'accessor': self.request.user, 'role_field': 'read_role'}
-        direct_counts = (
-            Organization.objects.filter(id=org_id)
-            .annotate(users=Count('member_role__members', distinct=True), admins=Count('admin_role__members', distinct=True))
-            .values('users', 'admins')
-        )
+        member_rd = RoleDefinition.objects.filter(name='Organization Member').first()
+        admin_rd = RoleDefinition.objects.filter(name='Organization Admin').first()

-        if not direct_counts:
+        if member_rd and admin_rd:
+
+            def assignment_count(rd):
+                return Coalesce(
+                    Subquery(
+                        RoleUserAssignment.objects.filter(
+                            object_id=Cast(OuterRef('pk'), output_field=TextField()),
+                            role_definition=rd,
+                        )
+                        .values('role_definition')
+                        .annotate(c=Count('pk'))
+                        .values('c')
+                    ),
+                    0,
+                )
+
+            direct_counts = (
+                Organization.objects.filter(id=org_id)
+                .annotate(
+                    users=assignment_count(member_rd),
+                    admins=assignment_count(admin_rd),
+                )
+                .values('users', 'admins')
+            )
+
+            if direct_counts:
+                org_counts = direct_counts[0]
+        else:
+            org_counts = {'users': 0, 'admins': 0}
+
+        if not org_counts:
            return full_context
-
-        org_counts = direct_counts[0]
        org_counts['inventories'] = Inventory.accessible_objects(**access_kwargs).filter(organization__id=org_id).count()
        org_counts['teams'] = Team.accessible_objects(**access_kwargs).filter(organization__id=org_id).count()
        org_counts['projects'] = Project.accessible_objects(**access_kwargs).filter(organization__id=org_id).count()