diff --git a/awx/main/access.py b/awx/main/access.py
index 4ea49e92c7..42c9a5c1e7 100644
--- a/awx/main/access.py
+++ b/awx/main/access.py
@@ -931,7 +931,7 @@ class AdHocCommandAccess(BaseAccess):
 return qs.all()
 credential_ids = set(self.user.get_queryset(Credential).values_list('id', flat=True))
- inventory_qs = Inventory.accessible_objects(self.user, 'execute_role')
+ inventory_qs = Inventory.accessible_objects(self.user, 'adhoc_role')
 return qs.filter(credential_id__in=credential_ids, inventory__in=inventory_qs)
@@ -954,7 +954,7 @@ class AdHocCommandAccess(BaseAccess):
 inventory_pk = get_pk_from_dict(data, 'inventory')
 if inventory_pk:
 inventory = get_object_or_400(Inventory, pk=inventory_pk)
- if self.user not in inventory.execute_role:
+ if self.user not in inventory.adhoc_role:
 return False
 return True
diff --git a/awx/main/migrations/0008_v300_rbac_changes.py b/awx/main/migrations/0008_v300_rbac_changes.py
index 31a33c36a0..9c4b193d47 100644
--- a/awx/main/migrations/0008_v300_rbac_changes.py
+++ b/awx/main/migrations/0008_v300_rbac_changes.py
@@ -174,8 +174,8 @@ class Migration(migrations.Migration):
 ),
 migrations.AddField(
 model_name='group',
- name='execute_role',
- field=awx.main.fields.ImplicitRoleField(related_name='+', parent_role=[b'inventory.execute_role', b'parents.execute_role', b'adhoc_role'], to='main.Role', null=b'True'),
+ name='use_role',
+ field=awx.main.fields.ImplicitRoleField(related_name='+', parent_role=[b'inventory.use_role', b'parents.use_role', b'adhoc_role'], to='main.Role', null=b'True'),
 ),
 migrations.AddField(
 model_name='group',
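Review bot: Nothing in this commit's test hunks exercises the new gate in `AdHocCommandAccess`: the queryset filter (hunk at -931) and the inventory check (hunk at -954) both move from `execute_role` to `adhoc_role`, while test_rbac_inventory.py only renames `execute_role` to `use_role`. With `use_role` now sitting below `adhoc_role`, a user who holds only `use_role` on an inventory should presumably be refused ad hoc commands against it and should not see ad hoc commands run on it in the filtered queryset; a functional test asserting both outcomes would pin that boundary. Both methods start and end outside their hunks, so any other checks they perform are not visible here.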
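Review bot: 0008_v300_rbac_changes.py is rewritten in place, here and in the three later hunks of this file, so a database that has already applied 0008 keeps the old `execute_role` columns and never receives the group `use_role` field the models now expect. If 0008 has not been applied anywhere outside development that is acceptable, but the commit message should say so. Otherwise the rename belongs in a new migration, using `migrations.RenameField` for the group field, `migrations.RemoveField` for the inventory `execute_role`, and `migrations.AlterField` for the inventory `use_role` parent change.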
@@ -185,7 +185,7 @@ class Migration(migrations.Migration):
 migrations.AddField(
 model_name='group',
 name='read_role',
- field=awx.main.fields.ImplicitRoleField(related_name='+', parent_role=[b'inventory.read_role', b'parents.read_role', b'execute_role', b'update_role', b'admin_role'], to='main.Role', null=b'True'),
+ field=awx.main.fields.ImplicitRoleField(related_name='+', parent_role=[b'inventory.read_role', b'parents.read_role', b'use_role', b'update_role', b'admin_role'], to='main.Role', null=b'True'),
 ),
 migrations.AddField(
 model_name='inventory',
@@ -197,11 +197,6 @@ class Migration(migrations.Migration):
 name='adhoc_role',
 field=awx.main.fields.ImplicitRoleField(related_name='+', parent_role=b'admin_role', to='main.Role', null=b'True'),
 ),
- migrations.AddField(
- model_name='inventory',
- name='execute_role',
- field=awx.main.fields.ImplicitRoleField(related_name='+', parent_role=b'adhoc_role', to='main.Role', null=b'True'),
- ),
 migrations.AddField(
 model_name='inventory',
 name='update_role',
@@ -210,12 +205,12 @@ class Migration(migrations.Migration):
 migrations.AddField(
 model_name='inventory',
 name='use_role',
- field=awx.main.fields.ImplicitRoleField(related_name='+', parent_role=b'admin_role', to='main.Role', null=b'True'),
+ field=awx.main.fields.ImplicitRoleField(related_name='+', parent_role=b'adhoc_role', to='main.Role', null=b'True'),
 ),
 migrations.AddField(
 model_name='inventory',
 name='read_role',
- field=awx.main.fields.ImplicitRoleField(related_name='+', parent_role=[b'organization.auditor_role', b'execute_role', b'update_role', b'use_role', b'admin_role'], to='main.Role', null=b'True'),
+ field=awx.main.fields.ImplicitRoleField(related_name='+', parent_role=[b'organization.auditor_role', b'update_role', b'use_role', b'admin_role'], to='main.Role', null=b'True'),
 ),
 migrations.AddField(
 model_name='jobtemplate',
diff --git a/awx/main/migrations/_rbac.py b/awx/main/migrations/_rbac.py
index 134114dccb..e16b3575d3 100644
--- a/awx/main/migrations/_rbac.py +++ b/awx/main/migrations/_rbac.py @@ -238,7 +238,7 @@ def migrate_inventory(apps, schema_editor): raise Exception(smart_text(u'Unhandled permission type for inventory: {}'.format( perm.permission_type))) if perm.run_ad_hoc_commands: - execrole = inventory.execute_role + execrole = inventory.use_role if perm.team: if role: diff --git a/awx/main/models/inventory.py b/awx/main/models/inventory.py index 18033d11ce..d07b0c65b6 100644 --- a/awx/main/models/inventory.py +++ b/awx/main/models/inventory.py @@ -102,18 +102,14 @@ class Inventory(CommonModel, ResourceMixin): update_role = ImplicitRoleField( parent_role='admin_role', ) - use_role = ImplicitRoleField( - parent_role='admin_role', - ) adhoc_role = ImplicitRoleField( parent_role='admin_role', ) - execute_role = ImplicitRoleField( + use_role = ImplicitRoleField( parent_role='adhoc_role', ) read_role = ImplicitRoleField(parent_role=[ 'organization.auditor_role', - 'execute_role', 'update_role', 'use_role', 'admin_role', @@ -526,13 +522,13 @@ class Group(CommonModelNameNotUnique, ResourceMixin): adhoc_role = ImplicitRoleField( parent_role=['inventory.adhoc_role', 'parents.adhoc_role', 'admin_role'], ) - execute_role = ImplicitRoleField( - parent_role=['inventory.execute_role', 'parents.execute_role', 'adhoc_role'], + use_role = ImplicitRoleField( + parent_role=['inventory.use_role', 'parents.use_role', 'adhoc_role'], ) read_role = ImplicitRoleField(parent_role=[ 'inventory.read_role', 'parents.read_role', - 'execute_role', + 'use_role', 'update_role', 'admin_role' ]) diff --git a/awx/main/tests/functional/test_rbac_inventory.py b/awx/main/tests/functional/test_rbac_inventory.py index dcb996e301..cefb989e6f 100644 --- a/awx/main/tests/functional/test_rbac_inventory.py +++ b/awx/main/tests/functional/test_rbac_inventory.py 
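Review bot: `execrole = inventory.use_role` in migrate_inventory maps the legacy `run_ad_hoc_commands` permission onto `use_role`, but the access.py hunks of this commit now gate ad hoc commands on `adhoc_role`, and the inventory.py hunk makes `use_role` a child of `adhoc_role` rather than its parent. If a parent role's members inherit the child role (as the `read_role` parent lists suggest), users migrated through this branch would lose the ad hoc access they held before; that fails closed, but it looks unintended. Consider `execrole = inventory.adhoc_role` on that line, plus an `assert u in inventory.adhoc_role` in test_inventory_executor_user if that fixture sets run_ad_hoc_commands. The rest of migrate_inventory lies outside the hunk, so how `execrole` is consumed is not visible.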
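Review bot: The reshuffled role fields on `Inventory` (hunk at -102 of models/inventory.py) have no comment describing the resulting hierarchy, and the change is more than a rename: `use_role` moves from under `admin_role` to under `adhoc_role`. Assuming parent-role members inherit the child role, anyone granted `adhoc_role` now implicitly holds `use_role` as well, which widens what an ad hoc grant confers. A comment above the fields would make that explicit, for example `# admin_role > adhoc_role > use_role > read_role: ad hoc implies use; use alone does not permit ad hoc commands`. The same applies to `Group` in the hunk at -526, and both class bodies extend beyond their hunks.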
@@ -32,7 +32,7 @@ def test_inventory_admin_user(inventory, permissions, user):
 rbac.migrate_inventory(apps, None)
 assert u in inventory.admin_role
- assert inventory.execute_role.members.filter(id=u.id).exists() is False
+ assert inventory.use_role.members.filter(id=u.id).exists() is False
 assert inventory.update_role.members.filter(id=u.id).exists() is False
 @pytest.mark.django_db
@@ -48,7 +48,7 @@ def test_inventory_auditor_user(inventory, permissions, user):
 assert u not in inventory.admin_role
 assert u in inventory.read_role
- assert inventory.execute_role.members.filter(id=u.id).exists() is False
+ assert inventory.use_role.members.filter(id=u.id).exists() is False
 assert inventory.update_role.members.filter(id=u.id).exists() is False
 @pytest.mark.django_db
@@ -63,7 +63,7 @@ def test_inventory_updater_user(inventory, permissions, user):
 rbac.migrate_inventory(apps, None)
 assert u not in inventory.admin_role
- assert inventory.execute_role.members.filter(id=u.id).exists() is False
+ assert inventory.use_role.members.filter(id=u.id).exists() is False
 assert inventory.update_role.members.filter(id=u.id).exists()
 @pytest.mark.django_db
@@ -79,7 +79,7 @@ def test_inventory_executor_user(inventory, permissions, user):
 assert u not in inventory.admin_role
 assert u in inventory.read_role
- assert inventory.execute_role.members.filter(id=u.id).exists()
+ assert inventory.use_role.members.filter(id=u.id).exists()
 assert inventory.update_role.members.filter(id=u.id).exists() is False
@@ -99,7 +99,7 @@ def test_inventory_admin_team(inventory, permissions, user, team):
 assert team.member_role.members.count() == 1
 assert inventory.admin_role.members.filter(id=u.id).exists() is False
 assert inventory.read_role.members.filter(id=u.id).exists() is False
- assert inventory.execute_role.members.filter(id=u.id).exists() is False
+ assert inventory.use_role.members.filter(id=u.id).exists() is False
 assert inventory.update_role.members.filter(id=u.id).exists() is False
 assert u in inventory.read_role
 assert u in inventory.admin_role
@@ -121,7 +121,7 @@ def test_inventory_auditor(inventory, permissions, user, team):
 assert team.member_role.members.count() == 1
 assert inventory.admin_role.members.filter(id=u.id).exists() is False
 assert inventory.read_role.members.filter(id=u.id).exists() is False
- assert inventory.execute_role.members.filter(id=u.id).exists() is False
+ assert inventory.use_role.members.filter(id=u.id).exists() is False
 assert inventory.update_role.members.filter(id=u.id).exists() is False
 assert u in inventory.read_role
 assert u not in inventory.admin_role
@@ -142,10 +142,10 @@ def test_inventory_updater(inventory, permissions, user, team):
 assert team.member_role.members.count() == 1
 assert inventory.admin_role.members.filter(id=u.id).exists() is False
 assert inventory.read_role.members.filter(id=u.id).exists() is False
- assert inventory.execute_role.members.filter(id=u.id).exists() is False
+ assert inventory.use_role.members.filter(id=u.id).exists() is False
 assert inventory.update_role.members.filter(id=u.id).exists() is False
 assert team.member_role.is_ancestor_of(inventory.update_role)
- assert team.member_role.is_ancestor_of(inventory.execute_role) is False
+ assert team.member_role.is_ancestor_of(inventory.use_role) is False
 @pytest.mark.django_db
@@ -164,10 +164,10 @@ def test_inventory_executor(inventory, permissions, user, team):
 assert team.member_role.members.count() == 1
 assert inventory.admin_role.members.filter(id=u.id).exists() is False
 assert inventory.read_role.members.filter(id=u.id).exists() is False
- assert inventory.execute_role.members.filter(id=u.id).exists() is False
+ assert inventory.use_role.members.filter(id=u.id).exists() is False
 assert inventory.update_role.members.filter(id=u.id).exists() is False
 assert team.member_role.is_ancestor_of(inventory.update_role) is False
- assert team.member_role.is_ancestor_of(inventory.execute_role)
+ assert team.member_role.is_ancestor_of(inventory.use_role)
 @pytest.mark.django_db
 def test_group_parent_admin(group_factory, permissions, user):