Merge pull request #1996 from anoek/1959

Executed the inventory execute_role
Akita Noek 2016-05-20 14:29:22 -04:00
commit df62b85a2f
5 changed files with 22 additions and 31 deletions


@ -931,7 +931,7 @@ class AdHocCommandAccess(BaseAccess):
return qs.all()
credential_ids = set(self.user.get_queryset(Credential).values_list('id', flat=True))
inventory_qs = Inventory.accessible_objects(self.user, 'execute_role')
inventory_qs = Inventory.accessible_objects(self.user, 'adhoc_role')
return qs.filter(credential_id__in=credential_ids,
inventory__in=inventory_qs)
@ -954,7 +954,7 @@ class AdHocCommandAccess(BaseAccess):
inventory_pk = get_pk_from_dict(data, 'inventory')
if inventory_pk:
inventory = get_object_or_400(Inventory, pk=inventory_pk)
if self.user not in inventory.execute_role:
if self.user not in inventory.adhoc_role:
return False
return True
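Review bot: In the second hunk the `adhoc_role` test only runs when `inventory_pk` is truthy, so request data that carries no inventory reaches `return True` without any inventory role check on the visible lines. If an ad hoc command must always target an inventory, the branch should deny explicitly, `if not inventory_pk: return False`, or a comment should name the place where a missing inventory is rejected. The method begins above the hunk, so an earlier guard may already cover this case.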


@ -174,8 +174,8 @@ class Migration(migrations.Migration):
),
migrations.AddField(
model_name='group',
name='execute_role',
field=awx.main.fields.ImplicitRoleField(related_name='+', parent_role=[b'inventory.execute_role', b'parents.execute_role', b'adhoc_role'], to='main.Role', null=b'True'),
name='use_role',
field=awx.main.fields.ImplicitRoleField(related_name='+', parent_role=[b'inventory.use_role', b'parents.use_role', b'adhoc_role'], to='main.Role', null=b'True'),
),
migrations.AddField(
model_name='group',
@ -185,7 +185,7 @@ class Migration(migrations.Migration):
migrations.AddField(
model_name='group',
name='read_role',
field=awx.main.fields.ImplicitRoleField(related_name='+', parent_role=[b'inventory.read_role', b'parents.read_role', b'execute_role', b'update_role', b'admin_role'], to='main.Role', null=b'True'),
field=awx.main.fields.ImplicitRoleField(related_name='+', parent_role=[b'inventory.read_role', b'parents.read_role', b'use_role', b'update_role', b'admin_role'], to='main.Role', null=b'True'),
),
migrations.AddField(
model_name='inventory',
@ -197,11 +197,6 @@ class Migration(migrations.Migration):
name='adhoc_role',
field=awx.main.fields.ImplicitRoleField(related_name='+', parent_role=b'admin_role', to='main.Role', null=b'True'),
),
migrations.AddField(
model_name='inventory',
name='execute_role',
field=awx.main.fields.ImplicitRoleField(related_name='+', parent_role=b'adhoc_role', to='main.Role', null=b'True'),
),
migrations.AddField(
model_name='inventory',
name='update_role',
@ -210,12 +205,12 @@ class Migration(migrations.Migration):
migrations.AddField(
model_name='inventory',
name='use_role',
field=awx.main.fields.ImplicitRoleField(related_name='+', parent_role=b'admin_role', to='main.Role', null=b'True'),
field=awx.main.fields.ImplicitRoleField(related_name='+', parent_role=b'adhoc_role', to='main.Role', null=b'True'),
),
migrations.AddField(
model_name='inventory',
name='read_role',
field=awx.main.fields.ImplicitRoleField(related_name='+', parent_role=[b'organization.auditor_role', b'execute_role', b'update_role', b'use_role', b'admin_role'], to='main.Role', null=b'True'),
field=awx.main.fields.ImplicitRoleField(related_name='+', parent_role=[b'organization.auditor_role', b'update_role', b'use_role', b'admin_role'], to='main.Role', null=b'True'),
),
migrations.AddField(
model_name='jobtemplate',
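Review bot: The role graph is changed by editing the `AddField` operations of an existing migration in place, and no `RemoveField` or `AlterField` is added for `execute_role`. A database that has already applied this migration would keep the `execute_role` fields and the old `use_role` parent, so its stored permission hierarchy would differ from what the models now declare. If such databases can exist, the change belongs in a follow-up migration. If this migration is unreleased, a comment above the operations would record that, e.g. `# unreleased migration: edited in place, not yet applied to any deployed database`. The operations list starts and ends outside the hunks.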


@ -238,7 +238,7 @@ def migrate_inventory(apps, schema_editor):
raise Exception(smart_text(u'Unhandled permission type for inventory: {}'.format( perm.permission_type)))
if perm.run_ad_hoc_commands:
execrole = inventory.execute_role
execrole = inventory.use_role
if perm.team:
if role:
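Review bot: Legacy permissions with `run_ad_hoc_commands` are now migrated to `inventory.use_role`, yet the access checks changed in this same commit test `adhoc_role`, and in the new model `adhoc_role` is the parent of `use_role`, not its child. A user who holds only `use_role` would therefore fail `self.user not in inventory.adhoc_role`, so migrated users appear to lose the ad hoc ability they had; this fails closed but looks unintended. If the ability is meant to survive the migration, the line should read `execrole = inventory.adhoc_role`, with the executor tests asserting `adhoc_role` membership as well. `migrate_inventory` continues outside the hunk, so how `execrole` is applied is not visible here.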


@ -102,18 +102,14 @@ class Inventory(CommonModel, ResourceMixin):
update_role = ImplicitRoleField(
parent_role='admin_role',
)
use_role = ImplicitRoleField(
parent_role='admin_role',
)
adhoc_role = ImplicitRoleField(
parent_role='admin_role',
)
execute_role = ImplicitRoleField(
use_role = ImplicitRoleField(
parent_role='adhoc_role',
)
read_role = ImplicitRoleField(parent_role=[
'organization.auditor_role',
'execute_role',
'update_role',
'use_role',
'admin_role',
@ -526,13 +522,13 @@ class Group(CommonModelNameNotUnique, ResourceMixin):
adhoc_role = ImplicitRoleField(
parent_role=['inventory.adhoc_role', 'parents.adhoc_role', 'admin_role'],
)
execute_role = ImplicitRoleField(
parent_role=['inventory.execute_role', 'parents.execute_role', 'adhoc_role'],
use_role = ImplicitRoleField(
parent_role=['inventory.use_role', 'parents.use_role', 'adhoc_role'],
)
read_role = ImplicitRoleField(parent_role=[
'inventory.read_role',
'parents.read_role',
'execute_role',
'use_role',
'update_role',
'admin_role'
])
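Review bot: The inheritance chain these fields now form is not documented next to them. `use_role` has moved under `adhoc_role`, so on `Inventory` the chain is `admin_role`, then `adhoc_role`, then `use_role`, then `read_role`, and `adhoc_role` reaches `read_role` only through `use_role`. A comment above the fields would keep a later edit from silently breaking that path, e.g. `# admin_role > adhoc_role > use_role > read_role; adhoc_role reaches read_role only via use_role`. The same applies to `Group` in the second hunk, and both class bodies extend beyond the hunks.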


@ -32,7 +32,7 @@ def test_inventory_admin_user(inventory, permissions, user):
rbac.migrate_inventory(apps, None)
assert u in inventory.admin_role
assert inventory.execute_role.members.filter(id=u.id).exists() is False
assert inventory.use_role.members.filter(id=u.id).exists() is False
assert inventory.update_role.members.filter(id=u.id).exists() is False
@pytest.mark.django_db
@ -48,7 +48,7 @@ def test_inventory_auditor_user(inventory, permissions, user):
assert u not in inventory.admin_role
assert u in inventory.read_role
assert inventory.execute_role.members.filter(id=u.id).exists() is False
assert inventory.use_role.members.filter(id=u.id).exists() is False
assert inventory.update_role.members.filter(id=u.id).exists() is False
@pytest.mark.django_db
@ -63,7 +63,7 @@ def test_inventory_updater_user(inventory, permissions, user):
rbac.migrate_inventory(apps, None)
assert u not in inventory.admin_role
assert inventory.execute_role.members.filter(id=u.id).exists() is False
assert inventory.use_role.members.filter(id=u.id).exists() is False
assert inventory.update_role.members.filter(id=u.id).exists()
@pytest.mark.django_db
@ -79,7 +79,7 @@ def test_inventory_executor_user(inventory, permissions, user):
assert u not in inventory.admin_role
assert u in inventory.read_role
assert inventory.execute_role.members.filter(id=u.id).exists()
assert inventory.use_role.members.filter(id=u.id).exists()
assert inventory.update_role.members.filter(id=u.id).exists() is False
@ -99,7 +99,7 @@ def test_inventory_admin_team(inventory, permissions, user, team):
assert team.member_role.members.count() == 1
assert inventory.admin_role.members.filter(id=u.id).exists() is False
assert inventory.read_role.members.filter(id=u.id).exists() is False
assert inventory.execute_role.members.filter(id=u.id).exists() is False
assert inventory.use_role.members.filter(id=u.id).exists() is False
assert inventory.update_role.members.filter(id=u.id).exists() is False
assert u in inventory.read_role
assert u in inventory.admin_role
@ -121,7 +121,7 @@ def test_inventory_auditor(inventory, permissions, user, team):
assert team.member_role.members.count() == 1
assert inventory.admin_role.members.filter(id=u.id).exists() is False
assert inventory.read_role.members.filter(id=u.id).exists() is False
assert inventory.execute_role.members.filter(id=u.id).exists() is False
assert inventory.use_role.members.filter(id=u.id).exists() is False
assert inventory.update_role.members.filter(id=u.id).exists() is False
assert u in inventory.read_role
assert u not in inventory.admin_role
@ -142,10 +142,10 @@ def test_inventory_updater(inventory, permissions, user, team):
assert team.member_role.members.count() == 1
assert inventory.admin_role.members.filter(id=u.id).exists() is False
assert inventory.read_role.members.filter(id=u.id).exists() is False
assert inventory.execute_role.members.filter(id=u.id).exists() is False
assert inventory.use_role.members.filter(id=u.id).exists() is False
assert inventory.update_role.members.filter(id=u.id).exists() is False
assert team.member_role.is_ancestor_of(inventory.update_role)
assert team.member_role.is_ancestor_of(inventory.execute_role) is False
assert team.member_role.is_ancestor_of(inventory.use_role) is False
@pytest.mark.django_db
@ -164,10 +164,10 @@ def test_inventory_executor(inventory, permissions, user, team):
assert team.member_role.members.count() == 1
assert inventory.admin_role.members.filter(id=u.id).exists() is False
assert inventory.read_role.members.filter(id=u.id).exists() is False
assert inventory.execute_role.members.filter(id=u.id).exists() is False
assert inventory.use_role.members.filter(id=u.id).exists() is False
assert inventory.update_role.members.filter(id=u.id).exists() is False
assert team.member_role.is_ancestor_of(inventory.update_role) is False
assert team.member_role.is_ancestor_of(inventory.execute_role)
assert team.member_role.is_ancestor_of(inventory.use_role)
@pytest.mark.django_db
def test_group_parent_admin(group_factory, permissions, user):