* There isn't a great reason to allow the UI to edit these meta-data
fields that denote the last time an analytics job ran.
* The only reason I hesitate to mark them uneditable in the API is that
they are useful to change in order to influence when the jobs run.
Mostly for debug purposes or 1-off.
Adding credential and execution environment roles
validates that the user belongs to the same org
as the credential or EE.
In some situations, the user-org membership has not
yet been synced from gateway to controller.
In this case, controller will make a request to
gateway to check if the user is part of the org.
Signed-off-by: Seth Foster <fosterbseth@gmail.com>
# Add a postfix to the UI URL patterns for UI URL generated by the API
# example if set to '' UI URL generated by the API for jobs would be $TOWER_URL/jobs
# example if set to 'execution' UI URL generated by the API for jobs would be $TOWER_URL/execution/jobs
Co-authored-by: Hao Liu <44379968+TheRealHaoLiu@users.noreply.github.com>
User and Team assignments using the DAB
RBAC system will be translated back to the old
Role system.
This ensures better backward compatibility and
addresses some inconsistences in the UI that were
relying on older RBAC endpoints.
Signed-off-by: Seth Foster <fosterbseth@gmail.com>
Co-authored-by: Alan Rominger <arominge@redhat.com>
This is to emphasize that this role is specific
to controller component. That is, not an auditor
for the entire AAP platform.
Signed-off-by: Seth Foster <fosterbseth@gmail.com>
Fixes bug where creating a new user will
request a new awx_sessionid cookie, invalidating
the previous session.
Do not refresh session if updating or
creating a password for a different user.
Signed-off-by: Seth Foster <fosterbseth@gmail.com>
* Prevent job pod from mounting serviceaccount token
* Add serializer validation for cg pod_spec_override
Prevent automountServiceAccountToken to be set to true and provide an error message when automountServiceAccountToken is being set to true
* Fallback to use subscription cred for analytic
Fall back to use SUBSCRIPTION_USERNAME/PASSWORD to upload analytic to if REDHAT_USERNAME/PASSWORD are not set
* Improve error message
* Guard against request with no query or data
* Add test for _send_to_analytics
Focus on credentials
* Supress sonarcloud warning about password
* Add test for analytic ship
Co-authored-by: Hao Liu <44379968+TheRealHaoLiu@users.noreply.github.com>
Adds the following managed Role Definitions
Controller Team Admin
Controller Team Member
Controller Organization Admin
Controller Organization Member
These have the same permission set as the
platform roles (without the Controller prefix)
Adding members to teams and orgs via the legacy RBAC system
will use these role definitions.
Other changes:
- Bump DAB to 2024.08.22
- Set ALLOW_LOCAL_ASSIGNING_JWT_ROLES to False in defaults.py.
This setting prevents assignments to the platform roles (e.g. Team Member).
Signed-off-by: Seth Foster <fosterbseth@gmail.com>
* Rewrite more access logic in terms of permissions instead of roles
* Cut down supported logic because that would not work anyway
* Remove methods not needed anymore
* Create managed roles in test before delegating permissions
I had the luck of running into this race condition that broke my deployment. No instance was ever able to register because on running "awx-manage" in some check of a setting, it would end up failing here with
```
File "/var/lib/awx/venv/awx/lib64/python3.11/site-packages/awx/conf/license.py", line 10, in _get_validated_license_data
return get_licenser().validate()
^^^^^^^^^^^^^^^^^^^^^^^^^
File "/var/lib/awx/venv/awx/lib64/python3.11/site-packages/awx/main/utils/licensing.py", line 453, in validate
automated_since = int(Instance.objects.order_by('id').first().created.timestamp())
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
AttributeError: 'NoneType' object has no attribute 'created'
```
* unpin channels-redis
The bug that initially caused the upgrade block has been resolved https://github.com/django/channels_redis/issues/332
* replace aioredis Exception with a redis Exception
Version 4.0.0 of channel-redis migrated the underlying Redis library from aioredis to redis-py. The Exception has been changed to an equivalent
* remove unused license
* remove UPGRADE BLOCKER in README
* remove hiredis
it was an indirect dependency from aioredis which was removed
* remove unused license
* add back hiredis
it's potentially providing a performance boost. install explicitly as a part of redis. upgrade to more recent version
* remove UPGRADE BLOCKER for hiredis
it was also addressed as a part of this PR
- use asyncio.get_running_loop() instead of passing around event_loops
- add name to all of the asyncio tasks for easier debugging
we are trying to figure out which task is
```
Task was destroyed but it is pending!
task: <Task pending name='Task-<id>' coro=<RedisConnection._read_data() done, defined at /var/lib/awx/venv/awx/lib64/python3.9/site-packages/aioredis/connection.py:180> wait_for=<Future pending cb=[<TaskWakeupMethWrapper object at 0x7fba77bf1700>()]> cb=[RedisConnection.__init__.<locals>.<lambda>() at /var/lib/awx/venv/awx/lib64/python3.9/site-packages/aioredis/connection.py:168]>
```
is referring to
If RECEPTOR_KEEP_WORK_ON_ERROR is set to true receptor work unit will not be automatically released
Co-Authored-By: Chris Meyers <chrismeyersfsu@users.noreply.github.com>
Old RBAC system hits DOESNOTEXIST query errors
if a user deletes an org while a workflow job is active.
The error is triggered by
1. starting workflow job
2. delete the org that the workflow job is a part of
3. The workflow changes status (e.g. pending to waiting)
This error message would surface
awx.main.models.rbac.Role.DoesNotExist: Role matching
query does not exist.
The fix is wrap the query in a try catch, and skip
over some logic if the roles don't exist.
---------
Signed-off-by: Seth Foster <fosterbseth@gmail.com>
A user needs to be a member of the org
in order to use a credential in that org.
We were incorrectly checking for "change"
permission of the org, instead of "member".
Signed-off-by: Seth Foster <fosterbseth@gmail.com>
Fix command to set db session timeout
Add quote around the value of the setting
Example failures
```
2024-07-10 13:33:29,237 ERROR [a7e55a64e6744a0e920bb1fd78615e5f] awx.main.dispatch Worker failed to run task awx.main.tasks.system.awx_periodic_scheduler(*[], **{}
Traceback (most recent call last):
File "/var/lib/awx/venv/awx/lib64/python3.11/site-packages/django/db/backends/utils.py", line 87, in _execute
return self.cursor.execute(sql)
^^^^^^^^^^^^^^^^^^^^^^^^
File "/var/lib/awx/venv/awx/lib64/python3.11/site-packages/psycopg/cursor.py", line 732, in execute
raise ex.with_traceback(None)
psycopg.errors.SyntaxError: trailing junk after numeric literal at or near "1d"
LINE 1: SET idle_in_transaction_session_timeout = 1d
^
```
Timestamp for activity stream is not indexed result in slow query. switching to ID (which effectively will is order by created time) to improve performance
Validate role assignment if org defined
Check that organization is defined on credential
before running queries.
Fixes a "None type does not have attribute id" error.
Signed-off-by: Seth Foster <fosterbseth@gmail.com>
* Add test that we got all permissions right for every role
* Fix missing Org execute role and missing adhoc role permission
* Add in missing Organization Approval Role as well
* Remove Role from role names
Utilizes the `validate_role_assignment` callback
from dab (see dab PR #490) to prevent granting credential
access to a user of another organization.
This logic will work for role_user_assignments
and role_team_assignments endpoints.
Signed-off-by: Seth Foster <fosterbseth@gmail.com>
