[2.6] Remove controller specific role definitions (#7002)

Remove Controller specific roles Removes - Controller Organization Admin - Controller Organization Member - Controller Team Admin - Controller Team Member - Controller System Auditor Going forward the platform role definitions will be used, e.g. Organization Member The migration will take care of any assignments with those controller specific roles and use the platform roles instead. Signed-off-by: Seth Foster <fosterbseth@gmail.com>
2026-03-07 19:51:08 -03:30 · 2025-07-09 14:00:59 -04:00
parent 534549139c
commit c2c0f2b828
12 changed files with 142 additions and 137 deletions
--- a/awx/main/migrations/0202_convert_controller_role_definitions.py
+++ b/awx/main/migrations/0202_convert_controller_role_definitions.py
@@ -0,0 +1,102 @@
+# Generated by Django migration for converting Controller role definitions
+
+from ansible_base.rbac.migrations._utils import give_permissions
+from django.db import migrations
+
+
+def convert_controller_role_definitions(apps, schema_editor):
+    """
+    Convert Controller role definitions to regular role definitions:
+    - Controller Organization Admin -> Organization Admin
+    - Controller Organization Member -> Organization Member
+    - Controller Team Admin -> Team Admin
+    - Controller Team Member -> Team Member
+    - Controller System Auditor -> Platform Auditor
+
+    Then delete the old Controller role definitions.
+    """
+    RoleDefinition = apps.get_model('dab_rbac', 'RoleDefinition')
+    RoleUserAssignment = apps.get_model('dab_rbac', 'RoleUserAssignment')
+    RoleTeamAssignment = apps.get_model('dab_rbac', 'RoleTeamAssignment')
+    Permission = apps.get_model('dab_rbac', 'DABPermission')
+
+    # Mapping of old Controller role names to new role names
+    role_mappings = {
+        'Controller Organization Admin': 'Organization Admin',
+        'Controller Organization Member': 'Organization Member',
+        'Controller Team Admin': 'Team Admin',
+        'Controller Team Member': 'Team Member',
+    }
+
+    for old_name, new_name in role_mappings.items():
+        # Find the old Controller role definition
+        old_role = RoleDefinition.objects.filter(name=old_name).first()
+        if not old_role:
+            continue  # Skip if the old role doesn't exist
+
+        # Find the new role definition
+        new_role = RoleDefinition.objects.get(name=new_name)
+
+        # Collect all the assignments that need to be migrated
+        # Group by object (content_type + object_id) to batch the give_permissions calls
+        assignments_by_object = {}
+
+        # Get user assignments
+        user_assignments = RoleUserAssignment.objects.filter(role_definition=old_role).select_related('object_role')
+        for assignment in user_assignments:
+            key = (assignment.object_role.content_type_id, assignment.object_role.object_id)
+            if key not in assignments_by_object:
+                assignments_by_object[key] = {'users': [], 'teams': []}
+            assignments_by_object[key]['users'].append(assignment.user)
+
+        # Get team assignments
+        team_assignments = RoleTeamAssignment.objects.filter(role_definition=old_role).select_related('object_role')
+        for assignment in team_assignments:
+            key = (assignment.object_role.content_type_id, assignment.object_role.object_id)
+            if key not in assignments_by_object:
+                assignments_by_object[key] = {'users': [], 'teams': []}
+            assignments_by_object[key]['teams'].append(assignment.team.id)
+
+        # Use give_permissions to create new assignments with the new role definition
+        for (content_type_id, object_id), data in assignments_by_object.items():
+            if data['users'] or data['teams']:
+                give_permissions(
+                    apps,
+                    new_role,
+                    users=data['users'],
+                    teams=data['teams'],
+                    object_id=object_id,
+                    content_type_id=content_type_id,
+                )
+
+        # Delete the old role definition (this will cascade to delete old assignments and ObjectRoles)
+        old_role.delete()
+
+    # Create or get Platform Auditor
+    auditor_rd, created = RoleDefinition.objects.get_or_create(
+        name='Platform Auditor',
+        defaults={'description': 'Migrated singleton role giving read permission to everything', 'managed': True},
+    )
+    if created:
+        auditor_rd.permissions.add(*list(Permission.objects.filter(codename__startswith='view')))
+
+    old_rd = RoleDefinition.objects.filter(name='Controller System Auditor').first()
+    if old_rd:
+        for assignment in RoleUserAssignment.objects.filter(role_definition=old_rd):
+            RoleUserAssignment.objects.create(
+                user=assignment.user,
+                role_definition=auditor_rd,
+            )
+
+    # Delete the Controller System Auditor role
+    RoleDefinition.objects.filter(name='Controller System Auditor').delete()
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ('main', '0201_create_managed_creds'),
+    ]
+
+    operations = [
+        migrations.RunPython(convert_controller_role_definitions),
+    ]
--- a/awx/main/migrations/_dab_rbac.py
+++ b/awx/main/migrations/_dab_rbac.py
@@ -167,7 +167,7 @@ def migrate_to_new_rbac(apps, schema_editor):
            perm.delete()

    managed_definitions = dict()
-    for role_definition in RoleDefinition.objects.filter(managed=True).exclude(name__in=(settings.ANSIBLE_BASE_JWT_MANAGED_ROLES)):
+    for role_definition in RoleDefinition.objects.filter(managed=True):
        permissions = frozenset(role_definition.permissions.values_list('id', flat=True))
        managed_definitions[permissions] = role_definition

@@ -239,11 +239,14 @@ def migrate_to_new_rbac(apps, schema_editor):

    # Create new replacement system auditor role
    new_system_auditor, created = RoleDefinition.objects.get_or_create(
-        name='Controller System Auditor',
+        name='Platform Auditor',
        defaults={'description': 'Migrated singleton role giving read permission to everything', 'managed': True},
    )
    new_system_auditor.permissions.add(*list(Permission.objects.filter(codename__startswith='view')))

+    if created:
+        logger.info(f'Created RoleDefinition {new_system_auditor.name} pk={new_system_auditor.pk} with {new_system_auditor.permissions.count()} permissions')
+
    # migrate is_system_auditor flag, because it is no longer handled by a system role
    old_system_auditor = Role.objects.filter(singleton_name='system_auditor').first()
    if old_system_auditor:
@@ -272,7 +275,7 @@ def get_or_create_managed(name, description, ct, permissions, RoleDefinition):

 def setup_managed_role_definitions(apps, schema_editor):
    """
-    Idepotent method to create or sync the managed role definitions
+    Idempotent method to create or sync the managed role definitions
    """
    to_create = {
        'object_admin': '{cls.__name__} Admin',
@@ -309,16 +312,6 @@ def setup_managed_role_definitions(apps, schema_editor):
                    to_create['object_admin'].format(cls=cls), f'Has all permissions to a single {cls._meta.verbose_name}', ct, indiv_perms, RoleDefinition
                )
            )
-            if cls_name == 'team':
-                managed_role_definitions.append(
-                    get_or_create_managed(
-                        'Controller Team Admin',
-                        f'Has all permissions to a single {cls._meta.verbose_name}',
-                        ct,
-                        indiv_perms,
-                        RoleDefinition,
-                    )
-                )

        if 'org_children' in to_create and (cls_name not in ('organization', 'instancegroup', 'team')):
            org_child_perms = object_perms.copy()
@@ -359,18 +352,6 @@ def setup_managed_role_definitions(apps, schema_editor):
                        RoleDefinition,
                    )
                )
-                if action == 'member' and cls_name in ('organization', 'team'):
-                    suffix = to_create['special'].format(cls=cls, action=action.title())
-                    rd_name = f'Controller {suffix}'
-                    managed_role_definitions.append(
-                        get_or_create_managed(
-                            rd_name,
-                            f'Has {action} permissions to a single {cls._meta.verbose_name}',
-                            ct,
-                            perm_list,
-                            RoleDefinition,
-                        )
-                    )

    if 'org_admin' in to_create:
        managed_role_definitions.append(
@@ -382,15 +363,6 @@ def setup_managed_role_definitions(apps, schema_editor):
                RoleDefinition,
            )
        )
-        managed_role_definitions.append(
-            get_or_create_managed(
-                'Controller Organization Admin',
-                'Has all permissions to a single organization and all objects inside of it',
-                org_ct,
-                org_perms,
-                RoleDefinition,
-            )
-        )

    # Special "organization action" roles
    audit_permissions = [perm for perm in org_perms if perm.codename.startswith('view_')]