External-Mirrors/awx
2
0
Fork 0
mirror of https://github.com/ansible/awx.git synced 2026-05-15 13:27:40 -02:30
Code Issues Packages Projects Releases Wiki Activity

Update Job start / access permissions

Browse Source
This commit is contained in:
Wayne Witzel III
2016-04-12 13:28:03 -04:00
parent 98dd79775b
commit e5b9766c8f
4 changed files with 33 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

17
awx/main/access.py
View File

@@ -312,8 +312,15 @@ class InventoryAccess(BaseAccess):
return qs.select_related('created_by', 'modified_by', 'organization').all() return qs.select_related('created_by', 'modified_by', 'organization').all()
def can_read(self, obj): def can_read(self, obj):
if self.user.is_superuser:
return True
return obj.accessible_by(self.user, {'read': True}) return obj.accessible_by(self.user, {'read': True})
def can_use(self, obj):
if self.user.is_superuser:
return True
return obj.accessible_by(self.user, {'use': True})
def can_add(self, data): def can_add(self, data):
# If no data is specified, just checking for generic add permission? # If no data is specified, just checking for generic add permission?
if not data: if not data:
@@ -551,6 +558,11 @@ class CredentialAccess(BaseAccess):
# Access enforced in our view where we have context enough to make a decision # Access enforced in our view where we have context enough to make a decision
return True return True
def can_use(self, obj):
if self.user.is_superuser:
return True
return obj.accessible_by(self.user, {'use': True})
def can_change(self, obj, data): def can_change(self, obj, data):
if self.user.is_superuser: if self.user.is_superuser:
return True return True
@@ -770,6 +782,11 @@ class JobTemplateAccess(BaseAccess):
return False return False
if obj.project is None: if obj.project is None:
return False return False
# Given explicit execute access to this JobTemplate
if obj.accessible_by(self.user, {'execute':True}):
return True
# If the user has admin access to the project they can start a job # If the user has admin access to the project they can start a job
if obj.project.accessible_by(self.user, ALL_PERMISSIONS): if obj.project.accessible_by(self.user, ALL_PERMISSIONS):
return True return True

5
awx/main/migrations/0008_v300_rbac_changes.py
View File

@@ -141,6 +141,11 @@ class Migration(migrations.Migration):
name='updater_role', name='updater_role',
field=awx.main.fields.ImplicitRoleField(related_name='+', to='main.Role', null=b'True'), field=awx.main.fields.ImplicitRoleField(related_name='+', to='main.Role', null=b'True'),
), ),
migrations.AddField(
model_name='inventory',
name='usage_role',
field=awx.main.fields.ImplicitRoleField(related_name='+', to='main.Role', null=b'True'),
),
migrations.AddField( migrations.AddField(
model_name='custominventoryscript', model_name='custominventoryscript',
name='admin_role', name='admin_role',

5
awx/main/models/inventory.py
View File

@@ -113,6 +113,11 @@ class Inventory(CommonModel, ResourceMixin):
role_description='May update the inventory', role_description='May update the inventory',
permissions = {'read': True, 'update': True} permissions = {'read': True, 'update': True}
) )
usage_role = ImplicitRoleField(
role_name='Inventory User',
role_description='May use this inventory, but not read sensitive portions or modify it',
permissions = {'use': True}
)
executor_role = ImplicitRoleField( executor_role = ImplicitRoleField(
role_name='Inventory Executor', role_name='Inventory Executor',
role_description='May execute jobs against this inventory', role_description='May execute jobs against this inventory',

12
awx/main/tests/functional/api/test_job_start_permissions.py → awx/main/tests/functional/test_rbac_job_start.py
View File

@@ -14,10 +14,10 @@ def test_admin_executing_permissions(deploy_jobtemplate, inventory, machine_cred
admin_user = user('admin-user', True) admin_user = user('admin-user', True)
assert admin_user.can_access(Inventory, 'read', inventory) assert admin_user.can_access(Inventory, 'use', inventory)
assert admin_user.can_access(Inventory, 'execute', inventory) # for ad_hoc assert admin_user.can_access(Inventory, 'run_ad_hoc_commands', inventory) # for ad_hoc
assert admin_user.can_access(JobTemplate, 'start', deploy_jobtemplate) assert admin_user.can_access(JobTemplate, 'start', deploy_jobtemplate)
assert admin_user.can_access(Credential, 'read', machine_credential) assert admin_user.can_access(Credential, 'use', machine_credential)
@pytest.mark.django_db @pytest.mark.django_db
@pytest.mark.job_permissions @pytest.mark.job_permissions
@@ -35,13 +35,13 @@ def test_credential_use_access(machine_credential, user):
common_user = user('test-user', False) common_user = user('test-user', False)
machine_credential.usage_role.members.add(common_user) machine_credential.usage_role.members.add(common_user)
assert common_user.can_access(Credential, 'read', machine_credential) assert common_user.can_access(Credential, 'use', machine_credential)
@pytest.mark.django_db @pytest.mark.django_db
@pytest.mark.job_permissions @pytest.mark.job_permissions
def test_inventory_use_access(inventory, user): def test_inventory_use_access(inventory, user):
common_user = user('test-user', False) common_user = user('test-user', False)
inventory.executor_role.members.add(common_user) inventory.usage_role.members.add(common_user)
assert common_user.can_access(Inventory, 'start', inventory) assert common_user.can_access(Inventory, 'use', inventory)