diff --git a/awx/api/serializers.py b/awx/api/serializers.py
index d6e47e129c..b1f11268eb 100644
--- a/awx/api/serializers.py
+++ b/awx/api/serializers.py
@@ -358,6 +358,7 @@ class BaseSerializer(serializers.ModelSerializer):
 roles[field.name] = {
 'id': role.id,
 'name': role.name,
+ 'description': role.description,
 'url': role.get_absolute_url(),
 }
 if len(roles) > 0:
@@ -1540,7 +1541,7 @@ class ResourceAccessListElementSerializer(UserSerializer):
 ret['summary_fields']['permissions'] = resource.get_permissions(user)
 def format_role_perm(role):
- role_dict = { 'id': role.id, 'name': role.name}
+ role_dict = { 'id': role.id, 'name': role.name, 'description': role.description}
 try:
 role_dict['resource_name'] = role.content_object.name
 role_dict['resource_type'] = role.content_type.name
diff --git a/awx/main/fields.py b/awx/main/fields.py
index 1db59e296f..b3efcd20e6 100644
--- a/awx/main/fields.py
+++ b/awx/main/fields.py
@@ -134,8 +134,9 @@ def resolve_role_field(obj, field):
 class ImplicitRoleDescriptor(ReverseSingleRelatedObjectDescriptor):
 """Descriptor Implict Role Fields. Auto-creates the appropriate role entry on first access"""
- def __init__(self, role_name, permissions, parent_role, *args, **kwargs):
+ def __init__(self, role_name, role_description, permissions, parent_role, *args, **kwargs):
 self.role_name = role_name
+ self.role_description = role_description if role_description else ""
 self.permissions = permissions
 self.parent_role = parent_role
@@ -152,7 +153,7 @@ class ImplicitRoleDescriptor(ReverseSingleRelatedObjectDescriptor):
 if connection.needs_rollback:
 raise TransactionManagementError('Current transaction has failed, cannot create implicit role')
- role = Role.objects.create(name=self.role_name, content_object=instance)
+ role = Role.objects.create(name=self.role_name, description=self.role_description, content_object=instance)
 if self.parent_role:
 # Add all non-null parent roles as parents
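Review bot: In awx/main/fields.py, `ImplicitRoleDescriptor.__init__` takes `role_description` as a new second positional parameter, so a caller that still passes `(role_name, permissions, parent_role, field)` would bind its permissions dict to `role_description` and its parent role to `permissions`, and nothing in the lines shown would raise. `ImplicitRoleField.__init__` in the @@ -195 hunk shifts its positional order the same way. The one descriptor call shown (the @@ -211 hunk) is updated and the model declarations in this diff use keywords, but callers outside the diff are not visible here. Reading the value as a keyword keeps the existing positions intact: `self.role_description = kwargs.pop('role_description', None) or ""`, with the call site passing `role_description=self.role_description`. Both `__init__` bodies continue outside their hunks.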
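Review bot: In the @@ -152 hunk of awx/main/fields.py the description is written only inside `Role.objects.create(...)`, which per the class docstring runs on first access of the role field, so Role rows that already exist would not pick up any of the new strings. The same applies to the `role_name` change to 'Job Template Runner' in awx/main/models/jobs.py: existing job-template roles would presumably keep 'Job Template Executor', leaving two names for the same role in API output. No data migration is visible in this diff; if one is not shipped alongside it, one should backfill `description` (and the renamed `name`) on existing rows. The enclosing method starts and ends outside the hunk.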
@@ -195,8 +196,9 @@ class ImplicitRoleDescriptor(ReverseSingleRelatedObjectDescriptor):
 class ImplicitRoleField(models.ForeignKey):
 """Implicitly creates a role entry for a resource"""
- def __init__(self, role_name=None, permissions=None, parent_role=None, *args, **kwargs):
+ def __init__(self, role_name=None, role_description=None, permissions=None, parent_role=None, *args, **kwargs):
 self.role_name = role_name
+ self.role_description = role_description
 self.permissions = permissions
 self.parent_role = parent_role
@@ -211,6 +213,7 @@ class ImplicitRoleField(models.ForeignKey):
 self.name,
 ImplicitRoleDescriptor(
 self.role_name,
+ self.role_description,
 self.permissions,
 self.parent_role,
 self
diff --git a/awx/main/models/credential.py b/awx/main/models/credential.py
index cf2dd262ed..ec47cb1fbb 100644
--- a/awx/main/models/credential.py
+++ b/awx/main/models/credential.py
@@ -157,11 +157,13 @@ class Credential(PasswordFieldsModel, CommonModelNameNotUnique, ResourceMixin):
 )
 owner_role = ImplicitRoleField(
 role_name='Credential Owner',
+ role_description='Owner of the credential',
 parent_role='team.admin_role',
 permissions = {'all': True}
 )
 usage_role = ImplicitRoleField(
 role_name='Credential User',
+ role_description='May use this credential, but not read sensitive portions or modify it',
 parent_role= 'team.member_role',
 permissions = {'use': True}
 )
diff --git a/awx/main/models/inventory.py b/awx/main/models/inventory.py
index c289827400..32175b19d9 100644
--- a/awx/main/models/inventory.py
+++ b/awx/main/models/inventory.py
@@ -98,19 +98,23 @@ class Inventory(CommonModel, ResourceMixin):
 )
 admin_role = ImplicitRoleField(
 role_name='Inventory Administrator',
+ role_description='May manage this inventory',
 parent_role='organization.admin_role',
 permissions = {'all': True}
 )
 auditor_role = ImplicitRoleField(
 role_name='Inventory Auditor',
+ role_description='May view but not modify this inventory',
 parent_role='organization.auditor_role',
 permissions = {'read': True}
 )
 updater_role = ImplicitRoleField(
 role_name='Inventory Updater',
+ role_description='May update the inventory',
 )
 executor_role = ImplicitRoleField(
 role_name='Inventory Executor',
+ role_description='May execute jobs against this inventory',
 )
 def get_absolute_url(self):
diff --git a/awx/main/models/jobs.py b/awx/main/models/jobs.py
index 1db5faa2b1..ba0170bf69 100644
--- a/awx/main/models/jobs.py
+++ b/awx/main/models/jobs.py
@@ -185,16 +185,19 @@ class JobTemplate(UnifiedJobTemplate, JobOptions, ResourceMixin):
 )
 admin_role = ImplicitRoleField(
 role_name='Job Template Administrator',
+ role_description='Full access to all settings',
 parent_role='project.admin_role',
 permissions = {'all': True}
 )
 auditor_role = ImplicitRoleField(
 role_name='Job Template Auditor',
+ role_description='Read-only access to all settings',
 parent_role='project.auditor_role',
 permissions = {'read': True}
 )
 executor_role = ImplicitRoleField(
- role_name='Job Template Executor',
+ role_name='Job Template Runner',
+ role_description='May run the job template',
 permissions = {'read': True, 'execute': True}
 )
diff --git a/awx/main/models/organization.py b/awx/main/models/organization.py
index 025ac49c6c..f04ee7ea1d 100644
--- a/awx/main/models/organization.py
+++ b/awx/main/models/organization.py
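Review bot: In awx/main/models/inventory.py, `updater_role` and `executor_role` are described as 'May update the inventory' and 'May execute jobs against this inventory', yet their declarations in this hunk pass neither `permissions` nor `parent_role`, unlike `admin_role` and `auditor_role` above them. The serializer hunks in this same commit return the description next to the role name, so whoever assigns roles will read it as a statement of what access is granted. If the capability is enforced somewhere outside this diff, a comment on the two fields saying where would help; if it is not enforced yet, wording such as `role_description='Reserved for inventory updates; grants no permissions yet'` would avoid overstating the role.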
@@ -51,16 +51,19 @@ class Organization(CommonModel, NotificationFieldsModel, ResourceMixin):
 )
 admin_role = ImplicitRoleField(
 role_name='Organization Administrator',
+ role_description='May manage all aspects of this organization',
 parent_role='singleton:' + ROLE_SINGLETON_SYSTEM_ADMINISTRATOR,
 permissions = {'all': True}
 )
 auditor_role = ImplicitRoleField(
 role_name='Organization Auditor',
+ role_description='May read all settings associated with this organization',
 parent_role='singleton:' + ROLE_SINGLETON_SYSTEM_AUDITOR,
 permissions = {'read': True}
 )
 member_role = ImplicitRoleField(
 role_name='Organization Member',
+ role_description='A member of this organization',
 parent_role='admin_role',
 permissions = {'read': True}
 )
@@ -108,16 +111,19 @@ class Team(CommonModelNameNotUnique, ResourceMixin):
 )
 admin_role = ImplicitRoleField(
 role_name='Team Administrator',
+ role_description='May manage this team',
 parent_role='organization.admin_role',
 permissions = {'all': True}
 )
 auditor_role = ImplicitRoleField(
 role_name='Team Auditor',
+ role_description='May read all settings associated with this team',
 parent_role='organization.auditor_role',
 permissions = {'read': True}
 )
 member_role = ImplicitRoleField(
 role_name='Team Member',
+ role_description='A member of this team',
 parent_role='admin_role',
 permissions = {'read':True},
 )
diff --git a/awx/main/models/projects.py b/awx/main/models/projects.py
index cf7f269e63..4bb66c24d6 100644
--- a/awx/main/models/projects.py
+++ b/awx/main/models/projects.py
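Review bot: The `member_role` descriptions do not say what the role grants: 'A member of this organization' in the Organization hunk, 'A member of this team' in the Team hunk, and 'Implies membership within this project' in awx/main/models/projects.py, although each declaration carries a read permission. The admin and auditor descriptions beside them state the access ('May manage ...', 'May read all settings ...'), and the member ones should follow that pattern now that the text is shown with the role, for example `role_description='A member of this organization; may view it'`. The class bodies continue outside the hunks.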
@@ -211,20 +211,24 @@ class Project(UnifiedJobTemplate, ProjectOptions, ResourceMixin):
 )
 admin_role = ImplicitRoleField(
 role_name='Project Administrator',
+ role_description='May manage this project',
 parent_role='organizations.admin_role',
 permissions = {'all': True}
 )
 auditor_role = ImplicitRoleField(
 role_name='Project Auditor',
+ role_description='May read all settings associated with this project',
 parent_role='organizations.auditor_role',
 permissions = {'read': True}
 )
 member_role = ImplicitRoleField(
 role_name='Project Member',
+ role_description='Implies membership within this project',
 permissions = {'read': True}
 )
 scm_update_role = ImplicitRoleField(
 role_name='Project Updater',
+ role_description='May update this project from the source control management system',
 parent_role='admin_role',
 permissions = {'scm_update': True}
 )
diff --git a/awx/main/models/user.py b/awx/main/models/user.py
index c30696bdb1..fad82ba182 100644
--- a/awx/main/models/user.py
+++ b/awx/main/models/user.py
@@ -26,5 +26,6 @@ class UserResource(CommonModelNameNotUnique, ResourceMixin):
 admin_role = ImplicitRoleField(
 role_name='User Administrator',
+ role_description='May manage this user',
 permissions = {'all': True},
 )