Merge pull request #10326 from chrismeyersfsu/fix-iso_path_sharing

when sharing paths use little z

AWX_ISOLATION_SHOW_PATHS will be shared between containers. Strange
file not found error can crop up when concurrently accessing shared
directories between multiple containers that are bind mounted with big
Z. So make sure we use little z.

Fixes errors like below:
fatal: [localhost]: FAILED! => {"changed": false, "cmd": "/usr/bin/git ls-remote file:///opt/tmpawx/at_DrunkMail525450112299457413919634186288881628802211907645041298254_test/ -h refs/heads/HEAD", "msg": "fatal: '/opt/tmpawx/at_DrunkMail525450112299457413919634186288881628802211907645041298254_test/' does not appear to be a git repository\\nfatal: Could not read from remote repository.\\n\\nPlease make sure you have the correct access rights\\nand the repository exists.", "rc": 128, "stderr": "fatal: '/opt/tmpawx/at_DrunkMail525450112299457413919634186288881628802211907645041298254_test/' does not appear to be a git repository\\nfatal: Could not read from remote repository.\\n\\nPlease make sure you have the correct access rights\\nand the repository exists.\\n", "stderr_lines": ["fatal: '/opt/tmpawx/at_DrunkMail525450112299457413919634186288881628802211907645041298254_test/' does not appear to be a git repository", "fatal: Could not read from remote repository.", "", "Please make sure you have the correct access rights", "and the repository exists."], "stdout": "", "stdout_lines": []}```

Reviewed-by: Shane McDonald <me@shanemcd.com>

.github/ISSUE_TEMPLATE.md

@@ -23,8 +23,8 @@ https://www.ansible.com/security
 
 ##### ENVIRONMENT
 * AWX version: X.Y.Z
-* AWX install method: openshift, minishift, docker on linux, docker for mac, boot2docker
-* Ansible version:  X.Y.Z
+* AWX install method: operator, developer environment
+* AWX deployment target: openshift, kubernetes, minikube
 * Operating System:
 * Web Browser:
 

.github/PULL_REQUEST_TEMPLATE.md

@@ -17,7 +17,6 @@ the change does.
 <!--- Name of the module/plugin/module/task -->
  - API
  - UI
- - Installer
 
 ##### AWX VERSION
 <!--- Paste verbatim output from `make VERSION` between quotes below -->

.github/dependabot.yml

@@ -1,7 +0,0 @@
----
-version: 2
-updates:
-  - package-ecosystem: "pip"
-    directory: "/requirements"
-    schedule:
-      interval: "monthly"

API_STANDARDS.md

@@ -1,7 +1,7 @@
 Coding Standards and Practices
 ==============================
 
-This is not meant to be a style document so much as a practices document for ensuring performance and convention in the Ansible Tower API.
+This is not meant to be a style document so much as a practices document for ensuring performance and convention in the AWX API.
 
 Paginate Everything
 ===================

CHANGELOG.md

@@ -2,6 +2,31 @@
 
 This is a list of high-level changes for each release of AWX. A full list of commits can be found at `https://github.com/ansible/awx/releases/tag/<version>`.
 
+# 19.2.0 (June 1, 2021)
+- Fixed race condition that would sometimes cause jobs to error out at the very end of an otherwise successful run (https://github.com/ansible/receptor/pull/328)
+- Fixes bug where users were unable to click on text next to checkboxes in modals (https://github.com/ansible/awx/pull/10279)
+- Have the project update playbook warn if role/collection syncing is disabled. (https://github.com/ansible/awx/pull/10068)
+- Move irc references to point to irc.libera.chat (https://github.com/ansible/awx/pull/10295)
+- Fixes bug where activity stream changes were displaying as [object object] (https://github.com/ansible/awx/pull/10267)
+- Update awxkit to enable export of Galaxy credentials associated to organizations (https://github.com/ansible/awx/pull/10271)
+- Bump receptor and receptorctl versions to 1.0.0a2 (https://github.com/ansible/awx/pull/10261)
+- Add the ability to disable local authentication (https://github.com/ansible/awx/pull/10102)
+- Show error if no Execution Environment is found on project sync/job run (https://github.com/ansible/awx/pull/10183)
+- Allow for editing and deleting managed_by_tower EEs from API/UI (https://github.com/ansible/awx/pull/10173)
+
+
+# 19.1.0 (May 1, 2021)
+
+- Custom inventory scripts have been removed from the API https://github.com/ansible/awx/pull/9822
+  - Old scripts can be exported via `awx-manage export_custom_scripts`
+- Fixed a bug where ad-hoc commands targeted against multiple hosts would run against only 1 host https://github.com/ansible/awx/pull/9973
+- AWX will now look for a top-level requirements.yml when installing collections / roles in project updates https://github.com/ansible/awx/pull/9945
+- Improved error handling when Container Group pods fail to launch https://github.com/ansible/awx/pull/10025
+- Added ability to set server-side password policies using Django's AUTH_PASSWORD_VALIDATORS setting https://github.com/ansible/awx/pull/9999
+- Bumped versions of Ansible Runner & AWX EE https://github.com/ansible/awx/pull/10013
+  - If you have built any custom EEs on top of awx-ee 0.1.0, you will need to rebuild on top of 0.2.0.
+- Remove legacy resource profiling code https://github.com/ansible/awx/pull/9883
+
 # 19.0.0 (April 7, 2021)
 
 - AWX now runs on Python 3.8 (https://github.com/ansible/awx/pull/8778/)

CONTRIBUTING.md

@@ -2,7 +2,7 @@
 
 Hi there! We're excited to have you as a contributor.
 
-Have questions about this document or anything not covered here? Come chat with us at `#ansible-awx` on webchat.freenode.net, or submit your question to the [mailing list](https://groups.google.com/forum/#!forum/awx-project).
+Have questions about this document or anything not covered here? Come chat with us at `#ansible-awx` on irc.libera.chat, or submit your question to the [mailing list](https://groups.google.com/forum/#!forum/awx-project).
 
 ## Table of contents
 
@@ -28,7 +28,7 @@ Have questions about this document or anything not covered here? Come chat with
 - You must use `git commit --signoff` for any commit to be merged, and agree that usage of --signoff constitutes agreement with the terms of [DCO 1.1](./DCO_1_1.md).
 - Take care to make sure no merge commits are in the submission, and use `git rebase` vs `git merge` for this reason.
   - If collaborating with someone else on the same branch, consider using `--force-with-lease` instead of `--force`. This will prevent you from accidentally overwriting commits pushed by someone else. For more information, see https://git-scm.com/docs/git-push#git-push---force-with-leaseltrefnamegt
-- If submitting a large code change, it's a good idea to join the `#ansible-awx` channel on webchat.freenode.net, and talk about what you would like to do or add first. This not only helps everyone know what's going on, it also helps save time and effort, if the community decides some changes are needed.
+- If submitting a large code change, it's a good idea to join the `#ansible-awx` channel on irc.libera.chat, and talk about what you would like to do or add first. This not only helps everyone know what's going on, it also helps save time and effort, if the community decides some changes are needed.
 - We ask all of our community members and contributors to adhere to the [Ansible code of conduct](http://docs.ansible.com/ansible/latest/community/code_of_conduct.html). If you have questions, or need assistance, please reach out to our community team at [codeofconduct@ansible.com](mailto:codeofconduct@ansible.com)
 
 ## Setting up your development environment
@@ -114,7 +114,7 @@ Fixing bugs, adding translations, and updating the documentation are always appr
 
 **NOTE**
 
-> If you work in a part of the codebase that is going through active development, your changes may be rejected, or you may be asked to `rebase`. A good idea before starting work is to have a discussion with us in the `#ansible-awx` channel on webchat.freenode.net, or on the [mailing list](https://groups.google.com/forum/#!forum/awx-project).
+> If you work in a part of the codebase that is going through active development, your changes may be rejected, or you may be asked to `rebase`. A good idea before starting work is to have a discussion with us in the `#ansible-awx` channel on irc.libera.chat, or on the [mailing list](https://groups.google.com/forum/#!forum/awx-project).
 
 **NOTE**
 
@@ -136,7 +136,7 @@ Here are a few things you can do to help the visibility of your change, and incr
 * Make the smallest change possible
 * Write good commit messages. See [How to write a Git commit message](https://chris.beams.io/posts/git-commit/).
 
-It's generally a good idea to discuss features with us first by engaging us in the `#ansible-awx` channel on webchat.freenode.net, or on the [mailing list](https://groups.google.com/forum/#!forum/awx-project).
+It's generally a good idea to discuss features with us first by engaging us in the `#ansible-awx` channel on irc.libera.chat, or on the [mailing list](https://groups.google.com/forum/#!forum/awx-project).
 
 We like to keep our commit history clean, and will require resubmission of pull requests that contain merge commits. Use `git pull --rebase`, rather than
 `git pull`, and `git rebase`, rather than `git merge`.

INSTALL.md

@@ -3,12 +3,6 @@ Table of Contents
 
    * [Installing AWX](#installing-awx)
       * [The AWX Operator](#the-awx-operator)
-         * [Quickstart with minikube](#quickstart-with-minikube)
-            * [Starting minikube](#starting-minikube)
-            * [Deploying the AWX Operator](#deploying-the-awx-operator)
-               * [Verifying the Operator Deployment](#verifying-the-operator-deployment)
-            * [Deploy AWX](#deploy-awx)
-               * [Accessing AWX](#accessing-awx)
    * [Installing the AWX CLI](#installing-the-awx-cli)
       * [Building the CLI Documentation](#building-the-cli-documentation)
 
@@ -22,103 +16,10 @@ If you're attempting to migrate an older Docker-based AWX installation, see: [Mi
 
 ## The AWX Operator
 
-Starting in version 18.0, the [AWX Operator](https://github.com/ansible/awx-operator) is the preferred way to install AWX.
+Starting in version 18.0, the [AWX Operator](https://github.com/ansible/awx-operator) is the preferred way to install AWX. Please refer to the [AWX Operator](https://github.com/ansible/awx-operator) documentation.
 
 AWX can also alternatively be installed and [run in Docker](./tools/docker-compose/README.md), but this install path is only recommended for development/test-oriented deployments, and has no official published release.
 
-### Quickstart with minikube
-
-If you don't have an existing OpenShift or Kubernetes cluster, minikube is a fast and easy way to get up and running.
-
-To install minikube, follow the steps in their [documentation](https://minikube.sigs.k8s.io/docs/start/).
-
-#### Starting minikube
-
-Once you have installed minikube, run the following command to start it. You may wish to customize these options.
-
-```
-$ minikube start --cpus=4 --memory=8g --addons=ingress
-```
-
-#### Deploying the AWX Operator
-
-For a comprehensive overview of features, see [README.md](https://github.com/ansible/awx-operator/blob/devel/README.md) in the awx-operator repo. The following steps are the bare minimum to get AWX up and running. 
-
-```
-$ minikube kubectl -- apply -f https://raw.githubusercontent.com/ansible/awx-operator/devel/deploy/awx-operator.yaml
-```
-
-##### Verifying the Operator Deployment
-
-After a few seconds, the operator should be up and running. Verify it by running the following command:
-
-```
-$ minikube kubectl get pods
-NAME                           READY   STATUS    RESTARTS   AGE
-awx-operator-7c78bfbfd-xb6th   1/1     Running   0          11s
-```
-
-#### Deploy AWX
-
-Once the Operator is running, you can now deploy AWX by creating a simple YAML file:
-
-```
-$ cat myawx.yml
----
-apiVersion: awx.ansible.com/v1beta1
-kind: AWX
-metadata:
-  name: awx
-spec:
-  tower_ingress_type: Ingress
-```
-
-And then creating the AWX object in the Kubernetes API:
-
-```
-$ minikube kubectl apply -- -f myawx.yml
-awx.awx.ansible.com/awx created
-```
-
-After creating the AWX object in the Kubernetes API, the operator will begin running its reconciliation loop. 
-
-To see what's going on, you can tail the logs of the operator pod (note that your pod name will be different):
-
-```
-$ minikube kubectl logs -- -f awx-operator-7c78bfbfd-xb6th
-```
-
-After a few seconds, you will see the database and application pods show up. On a fresh system, it may take a few minutes for the container images to download.
-
-```
-$ minikube kubectl get pods
-NAME                           READY   STATUS    RESTARTS   AGE
-awx-5ffbfd489c-bvtvf           3/3     Running   0          2m54s
-awx-operator-7c78bfbfd-xb6th   1/1     Running   0          6m42s
-awx-postgres-0                 1/1     Running   0          2m58s
-```
-
-##### Accessing AWX
-
-To access the AWX UI, you'll need to grab the service url from minikube:
-
-```
-$ minikube service awx-service --url
-http://192.168.59.2:31868
-```
-
-On fresh installs, you will see the "AWX is currently upgrading." page until database migrations finish.
-
-Once you are redirected to the login screen, you can now log in by obtaining the generated admin password (note: do not copy the trailing `%`):
-
-```
-$ minikube kubectl -- get secret awx-admin-password -o jsonpath='{.data.password}' | base64 --decode
-b6ChwVmqEiAsil2KSpH4xGaZPeZvWnWj%
-```
-
-Now you can log in at the URL above with the username "admin" and the password above. Happy Automating!
-
-
 # Installing the AWX CLI
 
 `awx` is the official command-line client for AWX.  It:

ISSUES.md

@@ -5,7 +5,7 @@
 Use the GitHub [issue tracker](https://github.com/ansible/awx/issues) for filing bugs. In order to save time, and help us respond to issues quickly, make sure to fill out as much of the issue template
 as possible. Version information, and an accurate reproducing scenario are critical to helping us identify the problem.
 
-Please don't use the issue tracker as a way to ask how to do something. Instead, use the [mailing list](https://groups.google.com/forum/#!forum/awx-project) , and the `#ansible-awx` channel on irc.freenode.net to get help.
+Please don't use the issue tracker as a way to ask how to do something. Instead, use the [mailing list](https://groups.google.com/forum/#!forum/awx-project) , and the `#ansible-awx` channel on irc.libera.chat to get help.
 
 Before opening a new issue, please use the issue search feature to see if what you're experiencing has already been reported. If you have any extra detail to provide, please comment. Otherwise, rather than posting a "me too" comment, please consider giving it a ["thumbs up"](https://github.com/blog/2119-add-reactions-to-pull-requests-issues-and-comment) to give us an indication of the severity of the problem.
 

Makefile

@@ -13,7 +13,6 @@ MANAGEMENT_COMMAND ?= awx-manage
 IMAGE_REPOSITORY_AUTH ?=
 IMAGE_REPOSITORY_BASE ?= https://gcr.io
 VERSION := $(shell cat VERSION)
-PYCURL_SSL_LIBRARY ?= openssl
 
 # NOTE: This defaults the container image version to the branch that's active
 COMPOSE_TAG ?= $(GIT_BRANCH)
@@ -28,7 +27,7 @@ DEVEL_IMAGE_NAME ?= $(DEV_DOCKER_TAG_BASE)/awx_devel:$(COMPOSE_TAG)
 
 # Python packages to install only from source (not from binary wheels)
 # Comma separated list
-SRC_ONLY_PKGS ?= cffi,pycparser,psycopg2,twilio,pycurl
+SRC_ONLY_PKGS ?= cffi,pycparser,psycopg2,twilio
 # These should be upgraded in the AWX and Ansible venv before attempting
 # to install the actual requirements
 VENV_BOOTSTRAP ?= pip==19.3.1 setuptools==41.6.0 wheel==0.36.2
@@ -65,7 +64,8 @@ I18N_FLAG_FILE = .i18n_built
 	receiver test test_unit test_coverage coverage_html \
 	dev_build release_build sdist \
 	ui-release ui-devel \
-	VERSION docker-compose-sources
+	VERSION docker-compose-sources \
+	.git/hooks/pre-commit
 
 clean-tmp:
 	rm -rf tmp/
@@ -173,12 +173,7 @@ init:
 		. $(VENV_BASE)/awx/bin/activate; \
 	fi; \
 	$(MANAGEMENT_COMMAND) provision_instance --hostname=$(COMPOSE_HOST); \
-	$(MANAGEMENT_COMMAND) register_queue --queuename=tower --instance_percent=100;\
-	if [ "$(AWX_GROUP_QUEUES)" == "tower,thepentagon" ]; then \
-		$(MANAGEMENT_COMMAND) provision_instance --hostname=isolated; \
-		$(MANAGEMENT_COMMAND) register_queue --queuename='thepentagon' --hostnames=isolated --controller=tower; \
-		$(MANAGEMENT_COMMAND) generate_isolated_key > /awx_devel/awx/main/isolated/authorized_keys; \
-	fi;
+	$(MANAGEMENT_COMMAND) register_queue --queuename=tower --instance_percent=100;
 
 # Refresh development environment after pulling new code.
 refresh: clean requirements_dev version_file develop migrate
@@ -276,7 +271,9 @@ black: reports
 	@(set -o pipefail && $@ $(BLACK_ARGS) awx awxkit awx_collection | tee reports/$@.report)
 
 .git/hooks/pre-commit:
-	@echo "[ -z \$$AWX_IGNORE_BLACK ] && (black --check \`git diff --cached --name-only --diff-filter=AM | grep -E '\.py$\'\` || (echo 'To fix this, run \`make black\` to auto-format your code prior to commit, or set AWX_IGNORE_BLACK=1' && exit 1))" > .git/hooks/pre-commit
+	@echo "if [ -x pre-commit.sh ]; then" > .git/hooks/pre-commit
+	@echo "    ./pre-commit.sh;" >> .git/hooks/pre-commit
+	@echo "fi" >> .git/hooks/pre-commit
 	@chmod +x .git/hooks/pre-commit
 
 genschema: reports
@@ -391,7 +388,7 @@ clean-ui:
 	rm -rf $(UI_BUILD_FLAG_FILE)
 
 awx/ui_next/node_modules:
-	$(NPM_BIN) --prefix awx/ui_next --loglevel warn --ignore-scripts install
+	NODE_OPTIONS=--max-old-space-size=4096 $(NPM_BIN) --prefix awx/ui_next --loglevel warn ci
 
 $(UI_BUILD_FLAG_FILE):
 	$(NPM_BIN) --prefix awx/ui_next --loglevel warn run compile-strings
@@ -473,7 +470,7 @@ docker-compose-sources: .git/hooks/pre-commit
 	    -e cluster_node_count=$(CLUSTER_NODE_COUNT)
 
 docker-compose: docker-auth awx/projects docker-compose-sources
-	docker-compose -f tools/docker-compose/_sources/docker-compose.yml up $(COMPOSE_UP_OPTS)
+	docker-compose -f tools/docker-compose/_sources/docker-compose.yml $(COMPOSE_UP_OPTS) up
 
 docker-compose-credential-plugins: docker-auth awx/projects docker-compose-sources
 	echo -e "\033[0;31mTo generate a CyberArk Conjur API key: docker exec -it tools_conjur_1 conjurctl account create quick-start\033[0m"

README.md

@@ -1,9 +1,9 @@
 [![Gated by Zuul](https://zuul-ci.org/gated.svg)](https://ansible.softwarefactory-project.io/zuul/status) [![Code of Conduct](https://img.shields.io/badge/code%20of%20conduct-Ansible-yellow.svg)](https://docs.ansible.com/ansible/latest/community/code_of_conduct.html) [![Apache v2 License](https://img.shields.io/badge/license-Apache%202.0-brightgreen.svg)](https://github.com/ansible/awx/blob/devel/LICENSE.md) [![AWX Mailing List](https://img.shields.io/badge/mailing%20list-AWX-orange.svg)](https://groups.google.com/g/awx-project)
-[![IRC Chat](https://img.shields.io/badge/IRC-%23ansible--awx-blueviolet.svg)](https://webchat.freenode.net/#ansible-awx)
+[![IRC Chat](https://img.shields.io/badge/IRC-%23ansible--awx-blueviolet.svg)](irc.libera.chat - #ansible-awx)
 
 <img src="https://raw.githubusercontent.com/ansible/awx-logos/master/awx/ui/client/assets/logo-login.svg?sanitize=true" width=200 alt="AWX" />
 
-AWX provides a web-based user interface, REST API, and task engine built on top of [Ansible](https://github.com/ansible/ansible). It is the upstream project for [Tower](https://www.ansible.com/tower), a commercial derivative of AWX.  
+AWX provides a web-based user interface, REST API, and task engine built on top of [Ansible](https://github.com/ansible/ansible). It is one of the upstream projects for [Red Hat Ansible Automation Platform](https://www.ansible.com/products/automation-platform).
 
 To install AWX, please view the [Install guide](./INSTALL.md).
 

VERSION

@@ -1 +1 @@
-19.0.0
+19.2.0

awx/__init__.py

@@ -85,7 +85,7 @@ def oauth2_getattribute(self, attr):
         # setting lookups for references to model classes (e.g.,
         # oauth2_settings.REFRESH_TOKEN_MODEL)
         # If we're doing an OAuth2 setting lookup *while running* a migration,
-        # don't do our usual "Configure Tower in Tower" database setting lookup
+        # don't do our usual database settings lookup
         val = settings.OAUTH2_PROVIDER.get(attr)
     if val is None:
         val = object.__getattribute__(self, attr)

awx/api/conf.py

@@ -1,8 +1,12 @@
 # Django
+from django.conf import settings
 from django.utils.translation import ugettext_lazy as _
 
+# Django REST Framework
+from rest_framework import serializers
+
 # AWX
-from awx.conf import fields, register
+from awx.conf import fields, register, register_validate
 from awx.api.fields import OAuth2ProviderField
 from oauth2_provider.settings import oauth2_settings
 
@@ -27,6 +31,17 @@ register(
     category=_('Authentication'),
     category_slug='authentication',
 )
+register(
+    'DISABLE_LOCAL_AUTH',
+    field_class=fields.BooleanField,
+    label=_('Disable the built-in authentication system'),
+    help_text=_(
+        "Controls whether users are prevented from using the built-in authentication system. "
+        "You probably want to do this if you are using an LDAP or SAML integration."
+    ),
+    category=_('Authentication'),
+    category_slug='authentication',
+)
 register(
     'AUTH_BASIC_ENABLED',
     field_class=fields.BooleanField,
@@ -77,7 +92,27 @@ register(
     required=False,
     default='',
     label=_('Login redirect override URL'),
-    help_text=_('URL to which unauthorized users will be redirected to log in.  If blank, users will be sent to the Tower login page.'),
+    help_text=_('URL to which unauthorized users will be redirected to log in.  If blank, users will be sent to the login page.'),
     category=_('Authentication'),
     category_slug='authentication',
 )
+
+
+def authentication_validate(serializer, attrs):
+    remote_auth_settings = [
+        'AUTH_LDAP_SERVER_URI',
+        'SOCIAL_AUTH_GOOGLE_OAUTH2_KEY',
+        'SOCIAL_AUTH_GITHUB_KEY',
+        'SOCIAL_AUTH_GITHUB_ORG_KEY',
+        'SOCIAL_AUTH_GITHUB_TEAM_KEY',
+        'SOCIAL_AUTH_SAML_ENABLED_IDPS',
+        'RADIUS_SERVER',
+        'TACACSPLUS_HOST',
+    ]
+    if attrs.get('DISABLE_LOCAL_AUTH', False):
+        if not any(getattr(settings, s, None) for s in remote_auth_settings):
+            raise serializers.ValidationError(_("There are no remote authentication systems configured."))
+    return attrs
+
+
+register_validate('authentication', authentication_validate)

awx/api/generics.py

@@ -789,7 +789,7 @@ class RetrieveUpdateAPIView(RetrieveAPIView, generics.RetrieveUpdateAPIView):
         return super(RetrieveUpdateAPIView, self).partial_update(request, *args, **kwargs)
 
     def update_filter(self, request, *args, **kwargs):
-        ''' scrub any fields the user cannot/should not put/patch, based on user context.  This runs after read-only serialization filtering '''
+        '''scrub any fields the user cannot/should not put/patch, based on user context.  This runs after read-only serialization filtering'''
         pass
 
 

awx/api/metadata.py

@@ -26,6 +26,9 @@ from awx.main.fields import JSONField, ImplicitRoleField
 from awx.main.models import NotificationTemplate
 from awx.main.tasks import AWXReceptorJob
 
+# Polymorphic
+from polymorphic.models import PolymorphicModel
+
 
 class Metadata(metadata.SimpleMetadata):
     def get_field_info(self, field):
@@ -78,7 +81,9 @@ class Metadata(metadata.SimpleMetadata):
                 field_info['help_text'] = field_help_text[field.field_name].format(verbose_name)
 
             if field.field_name == 'type':
-                field_info['filterable'] = True
+                # Only include model classes with `type` field.
+                if issubclass(serializer.Meta.model, PolymorphicModel):
+                    field_info['filterable'] = True
             else:
                 for model_field in serializer.Meta.model._meta.fields:
                     if field.field_name == model_field.name:

awx/api/serializers.py

@@ -21,6 +21,7 @@ from jinja2.exceptions import TemplateSyntaxError, UndefinedError, SecurityError
 from django.conf import settings
 from django.contrib.auth import update_session_auth_hash
 from django.contrib.auth.models import User
+from django.contrib.auth.password_validation import validate_password as django_validate_password
 from django.contrib.contenttypes.models import ContentType
 from django.core.exceptions import ObjectDoesNotExist, ValidationError as DjangoValidationError
 from django.db import models
@@ -43,7 +44,7 @@ from polymorphic.models import PolymorphicModel
 
 # AWX
 from awx.main.access import get_user_capabilities
-from awx.main.constants import SCHEDULEABLE_PROVIDERS, ACTIVE_STATES, CENSOR_VALUE
+from awx.main.constants import ACTIVE_STATES, CENSOR_VALUE
 from awx.main.models import (
     ActivityStream,
     AdHocCommand,
@@ -51,7 +52,6 @@ from awx.main.models import (
     Credential,
     CredentialInputSource,
     CredentialType,
-    CustomInventoryScript,
     ExecutionEnvironment,
     Group,
     Host,
@@ -92,6 +92,7 @@ from awx.main.models import (
     WorkflowJobTemplate,
     WorkflowJobTemplateNode,
     StdoutMaxBytesExceeded,
+    CLOUD_INVENTORY_SOURCES,
 )
 from awx.main.models.base import VERBOSITY_CHOICES, NEW_JOB_TYPE_CHOICES
 from awx.main.models.rbac import get_roles_on_resource, role_summary_fields_generator
@@ -149,7 +150,7 @@ SUMMARIZABLE_FK_FIELDS = {
     'group': DEFAULT_SUMMARY_FIELDS,
     'default_environment': DEFAULT_SUMMARY_FIELDS + ('image',),
     'execution_environment': DEFAULT_SUMMARY_FIELDS + ('image',),
-    'project': DEFAULT_SUMMARY_FIELDS + ('status', 'scm_type'),
+    'project': DEFAULT_SUMMARY_FIELDS + ('status', 'scm_type', 'allow_override'),
     'source_project': DEFAULT_SUMMARY_FIELDS + ('status', 'scm_type'),
     'project_update': DEFAULT_SUMMARY_FIELDS + ('status', 'failed'),
     'credential': DEFAULT_SUMMARY_FIELDS + ('kind', 'cloud', 'kubernetes', 'credential_type_id'),
@@ -167,11 +168,9 @@ SUMMARIZABLE_FK_FIELDS = {
     'current_update': DEFAULT_SUMMARY_FIELDS + ('status', 'failed', 'license_error'),
     'current_job': DEFAULT_SUMMARY_FIELDS + ('status', 'failed', 'license_error'),
     'inventory_source': ('id', 'name', 'source', 'last_updated', 'status'),
-    'custom_inventory_script': DEFAULT_SUMMARY_FIELDS,
-    'source_script': DEFAULT_SUMMARY_FIELDS,
     'role': ('id', 'role_field'),
     'notification_template': DEFAULT_SUMMARY_FIELDS,
-    'instance_group': ('id', 'name', 'controller_id', 'is_container_group'),
+    'instance_group': ('id', 'name', 'is_container_group'),
     'insights_credential': DEFAULT_SUMMARY_FIELDS,
     'source_credential': DEFAULT_SUMMARY_FIELDS + ('kind', 'cloud', 'credential_type_id'),
     'target_credential': DEFAULT_SUMMARY_FIELDS + ('kind', 'cloud', 'credential_type_id'),
@@ -963,6 +962,7 @@ class UserSerializer(BaseSerializer):
         return ret
 
     def validate_password(self, value):
+        django_validate_password(value)
         if not self.instance and value in (None, ''):
             raise serializers.ValidationError(_('Password required for new User.'))
         return value
@@ -1350,6 +1350,7 @@ class ProjectOptionsSerializer(BaseSerializer):
             'scm_branch',
             'scm_refspec',
             'scm_clean',
+            'scm_track_submodules',
             'scm_delete_on_update',
             'credential',
             'timeout',
@@ -1384,6 +1385,8 @@ class ProjectOptionsSerializer(BaseSerializer):
             errors['scm_branch'] = _('SCM branch cannot be used with archive projects.')
         if attrs.get('scm_refspec') and scm_type != 'git':
             errors['scm_refspec'] = _('SCM refspec can only be used with git projects.')
+        if attrs.get('scm_track_submodules') and scm_type != 'git':
+            errors['scm_track_submodules'] = _('SCM track_submodules can only be used with git projects.')
 
         if errors:
             raise serializers.ValidationError(errors)
@@ -1412,6 +1415,19 @@ class ExecutionEnvironmentSerializer(BaseSerializer):
             res['credential'] = self.reverse('api:credential_detail', kwargs={'pk': obj.credential.pk})
         return res
 
+    def validate_credential(self, value):
+        if value and value.kind != 'registry':
+            raise serializers.ValidationError(_('Only Container Registry credentials can be associated with an Execution Environment'))
+        return value
+
+    def validate(self, attrs):
+        # prevent changing organization of ee. Unsetting (change to null) is allowed
+        if self.instance:
+            org = attrs.get('organization', None)
+            if org and org.pk != self.instance.organization_id:
+                raise serializers.ValidationError({"organization": _("Cannot change the organization of an execution environment")})
+        return super(ExecutionEnvironmentSerializer, self).validate(attrs)
+
 
 class ProjectSerializer(UnifiedJobTemplateSerializer, ProjectOptionsSerializer):
 
@@ -1497,7 +1513,7 @@ class ProjectSerializer(UnifiedJobTemplateSerializer, ProjectOptionsSerializer):
                     )
 
         if get_field_from_model_or_attrs('scm_type') == '':
-            for fd in ('scm_update_on_launch', 'scm_delete_on_update', 'scm_clean'):
+            for fd in ('scm_update_on_launch', 'scm_delete_on_update', 'scm_track_submodules', 'scm_clean'):
                 if get_field_from_model_or_attrs(fd):
                     raise serializers.ValidationError({fd: _('Update options must be set to false for manual projects.')})
         return super(ProjectSerializer, self).validate(attrs)
@@ -1968,49 +1984,6 @@ class GroupVariableDataSerializer(BaseVariableDataSerializer):
         model = Group
 
 
-class CustomInventoryScriptSerializer(BaseSerializer):
-
-    script = serializers.CharField(trim_whitespace=False)
-    show_capabilities = ['edit', 'delete', 'copy']
-    capabilities_prefetch = [{'edit': 'admin'}]
-
-    class Meta:
-        model = CustomInventoryScript
-        fields = ('*', "script", "organization")
-
-    def validate_script(self, value):
-        if not value.startswith("#!"):
-            raise serializers.ValidationError(_('Script must begin with a hashbang sequence: i.e.... #!/usr/bin/env python'))
-        return value
-
-    def to_representation(self, obj):
-        ret = super(CustomInventoryScriptSerializer, self).to_representation(obj)
-        if obj is None:
-            return ret
-        request = self.context.get('request', None)
-        if (
-            request.user not in obj.admin_role
-            and not request.user.is_superuser
-            and not request.user.is_system_auditor
-            and not (obj.organization is not None and request.user in obj.organization.auditor_role)
-        ):
-            ret['script'] = None
-        return ret
-
-    def get_related(self, obj):
-        res = super(CustomInventoryScriptSerializer, self).get_related(obj)
-        res.update(
-            dict(
-                object_roles=self.reverse('api:inventory_script_object_roles_list', kwargs={'pk': obj.pk}),
-                copy=self.reverse('api:inventory_script_copy', kwargs={'pk': obj.pk}),
-            )
-        )
-
-        if obj.organization:
-            res['organization'] = self.reverse('api:organization_detail', kwargs={'pk': obj.organization.pk})
-        return res
-
-
 class InventorySourceOptionsSerializer(BaseSerializer):
     credential = DeprecatedCredentialField(help_text=_('Cloud credential to use for inventory updates.'))
 
@@ -2019,7 +1992,6 @@ class InventorySourceOptionsSerializer(BaseSerializer):
             '*',
             'source',
             'source_path',
-            'source_script',
             'source_vars',
             'credential',
             'enabled_var',
@@ -2037,8 +2009,6 @@ class InventorySourceOptionsSerializer(BaseSerializer):
         res = super(InventorySourceOptionsSerializer, self).get_related(obj)
         if obj.credential:  # TODO: remove when 'credential' field is removed
             res['credential'] = self.reverse('api:credential_detail', kwargs={'pk': obj.credential})
-        if obj.source_script:
-            res['source_script'] = self.reverse('api:inventory_script_detail', kwargs={'pk': obj.source_script.pk})
         return res
 
     def validate_source_vars(self, value):
@@ -2048,34 +2018,6 @@ class InventorySourceOptionsSerializer(BaseSerializer):
                 raise serializers.ValidationError(_("`{}` is a prohibited environment variable".format(env_k)))
         return ret
 
-    def validate(self, attrs):
-        # TODO: Validate source
-        errors = {}
-
-        source = attrs.get('source', self.instance and self.instance.source or '')
-        source_script = attrs.get('source_script', self.instance and self.instance.source_script or '')
-        if source == 'custom':
-            if source_script is None or source_script == '':
-                errors['source_script'] = _("If 'source' is 'custom', 'source_script' must be provided.")
-            else:
-                try:
-                    if not self.instance:
-                        dest_inventory = attrs.get('inventory', None)
-                        if not dest_inventory:
-                            errors['inventory'] = _("Must provide an inventory.")
-                    else:
-                        dest_inventory = self.instance.inventory
-                    if dest_inventory and source_script.organization != dest_inventory.organization:
-                        errors['source_script'] = _("The 'source_script' does not belong to the same organization as the inventory.")
-                except Exception:
-                    errors['source_script'] = _("'source_script' doesn't exist.")
-                    logger.exception('Problem processing source_script validation.')
-
-        if errors:
-            raise serializers.ValidationError(errors)
-
-        return super(InventorySourceOptionsSerializer, self).validate(attrs)
-
     # TODO: remove when old 'credential' fields are removed
     def get_summary_fields(self, obj):
         summary_fields = super(InventorySourceOptionsSerializer, self).get_summary_fields(obj)
@@ -2265,6 +2207,7 @@ class InventoryUpdateSerializer(UnifiedJobSerializer, InventorySourceOptionsSeri
             'org_host_limit_error',
             'source_project_update',
             'custom_virtualenv',
+            'instance_group',
             '-controller_node',
         )
 
@@ -4432,7 +4375,7 @@ class NotificationTemplateSerializer(BaseSerializer):
         return res
 
     def _recent_notifications(self, obj):
-        return [{'id': x.id, 'status': x.status, 'created': x.created} for x in obj.notifications.all().order_by('-created')[:5]]
+        return [{'id': x.id, 'status': x.status, 'created': x.created, 'error': x.error} for x in obj.notifications.all().order_by('-created')[:5]]
 
     def get_summary_fields(self, obj):
         d = super(NotificationTemplateSerializer, self).get_summary_fields(obj)
@@ -4792,7 +4735,7 @@ class ScheduleSerializer(LaunchConfigurationBaseSerializer, SchedulePreviewSeria
         return summary_fields
 
     def validate_unified_job_template(self, value):
-        if type(value) == InventorySource and value.source not in SCHEDULEABLE_PROVIDERS:
+        if type(value) == InventorySource and value.source not in CLOUD_INVENTORY_SOURCES:
             raise serializers.ValidationError(_('Inventory Source must be a cloud resource.'))
         elif type(value) == Project and value.scm_type == '':
             raise serializers.ValidationError(_('Manual Project cannot have a schedule set.'))
@@ -4805,6 +4748,14 @@ class ScheduleSerializer(LaunchConfigurationBaseSerializer, SchedulePreviewSeria
             )
         return value
 
+    def validate(self, attrs):
+        # if the schedule is being disabled, there's no need
+        # validate the related UnifiedJobTemplate
+        # see: https://github.com/ansible/awx/issues/8641
+        if self.context['request'].method == 'PATCH' and attrs == {'enabled': False}:
+            return attrs
+        return super(ScheduleSerializer, self).validate(attrs)
+
 
 class InstanceSerializer(BaseSerializer):
 
@@ -4868,10 +4819,6 @@ class InstanceGroupSerializer(BaseSerializer):
     )
     jobs_total = serializers.IntegerField(help_text=_('Count of all jobs that target this instance group'), read_only=True)
     instances = serializers.SerializerMethodField()
-    is_controller = serializers.BooleanField(help_text=_('Indicates whether instance group controls any other group'), read_only=True)
-    is_isolated = serializers.BooleanField(
-        help_text=_('Indicates whether instances in this group are isolated.' 'Isolated groups have a designated controller group.'), read_only=True
-    )
     is_container_group = serializers.BooleanField(
         required=False,
         help_text=_('Indicates whether instances in this group are containerized.' 'Containerized groups have a designated Openshift or Kubernetes cluster.'),
@@ -4919,9 +4866,6 @@ class InstanceGroupSerializer(BaseSerializer):
             "jobs_running",
             "jobs_total",
             "instances",
-            "controller",
-            "is_controller",
-            "is_isolated",
             "is_container_group",
             "credential",
             "policy_instance_percentage",
@@ -4935,8 +4879,6 @@ class InstanceGroupSerializer(BaseSerializer):
         res = super(InstanceGroupSerializer, self).get_related(obj)
         res['jobs'] = self.reverse('api:instance_group_unified_jobs_list', kwargs={'pk': obj.pk})
         res['instances'] = self.reverse('api:instance_group_instance_list', kwargs={'pk': obj.pk})
-        if obj.controller_id:
-            res['controller'] = self.reverse('api:instance_group_detail', kwargs={'pk': obj.controller_id})
         if obj.credential:
             res['credential'] = self.reverse('api:credential_detail', kwargs={'pk': obj.credential_id})
 
@@ -4948,10 +4890,6 @@ class InstanceGroupSerializer(BaseSerializer):
                 raise serializers.ValidationError(_('Duplicate entry {}.').format(instance_name))
             if not Instance.objects.filter(hostname=instance_name).exists():
                 raise serializers.ValidationError(_('{} is not a valid hostname of an existing instance.').format(instance_name))
-            if Instance.objects.get(hostname=instance_name).is_isolated():
-                raise serializers.ValidationError(_('Isolated instances may not be added or removed from instances groups via the API.'))
-            if self.instance and self.instance.controller_id is not None:
-                raise serializers.ValidationError(_('Isolated instance group membership may not be managed via the API.'))
         if value and self.instance and self.instance.is_container_group:
             raise serializers.ValidationError(_('Containerized instances may not be managed via the API'))
         return value

awx/api/swagger.py

@@ -62,7 +62,7 @@ class SwaggerSchemaView(APIView):
     renderer_classes = [CoreJSONRenderer, renderers.OpenAPIRenderer, renderers.SwaggerUIRenderer]
 
     def get(self, request):
-        generator = SuperUserSchemaGenerator(title='Ansible Tower API', patterns=None, urlconf=None)
+        generator = SuperUserSchemaGenerator(title='Ansible Automation Platform controller API', patterns=None, urlconf=None)
         schema = generator.get_schema(request=request)
         # python core-api doesn't support the deprecation yet, so track it
         # ourselves and return it in a response header

awx/api/urls/inventory_script.py

@@ -1,16 +0,0 @@
-# Copyright (c) 2017 Ansible, Inc.
-# All Rights Reserved.
-
-from django.conf.urls import url
-
-from awx.api.views import InventoryScriptList, InventoryScriptDetail, InventoryScriptObjectRolesList, InventoryScriptCopy
-
-
-urls = [
-    url(r'^$', InventoryScriptList.as_view(), name='inventory_script_list'),
-    url(r'^(?P<pk>[0-9]+)/$', InventoryScriptDetail.as_view(), name='inventory_script_detail'),
-    url(r'^(?P<pk>[0-9]+)/object_roles/$', InventoryScriptObjectRolesList.as_view(), name='inventory_script_object_roles_list'),
-    url(r'^(?P<pk>[0-9]+)/copy/$', InventoryScriptCopy.as_view(), name='inventory_script_copy'),
-]
-
-__all__ = ['urls']

awx/api/urls/urls.py

@@ -43,7 +43,6 @@ from .host import urls as host_urls
 from .group import urls as group_urls
 from .inventory_source import urls as inventory_source_urls
 from .inventory_update import urls as inventory_update_urls
-from .inventory_script import urls as inventory_script_urls
 from .credential_type import urls as credential_type_urls
 from .credential import urls as credential_urls
 from .credential_input_source import urls as credential_input_source_urls
@@ -111,7 +110,6 @@ v2_urls = [
     url(r'^groups/', include(group_urls)),
     url(r'^inventory_sources/', include(inventory_source_urls)),
     url(r'^inventory_updates/', include(inventory_update_urls)),
-    url(r'^inventory_scripts/', include(inventory_script_urls)),
     url(r'^credentials/', include(credential_urls)),
     url(r'^roles/', include(role_urls)),
     url(r'^job_templates/', include(job_template_urls)),

awx/api/views/__init__.py

@@ -152,10 +152,6 @@ from awx.api.views.inventory import (  # noqa
     InventoryList,
     InventoryDetail,
     InventoryUpdateEventsList,
-    InventoryScriptList,
-    InventoryScriptDetail,
-    InventoryScriptObjectRolesList,
-    InventoryScriptCopy,
     InventoryList,
     InventoryDetail,
     InventoryActivityStreamList,
@@ -211,7 +207,7 @@ class DashboardView(APIView):
     swagger_topic = 'Dashboard'
 
     def get(self, request, format=None):
-        ''' Show Dashboard Details '''
+        '''Show Dashboard Details'''
         data = OrderedDict()
         data['related'] = {'jobs_graph': reverse('api:dashboard_jobs_graph_view', request=request)}
         user_inventory = get_user_queryset(request.user, models.Inventory)
@@ -422,14 +418,6 @@ class InstanceGroupDetail(RelatedJobsPreventDeleteMixin, RetrieveUpdateDestroyAP
             data.pop('policy_instance_list', None)
         return super(InstanceGroupDetail, self).update_raw_data(data)
 
-    def destroy(self, request, *args, **kwargs):
-        instance = self.get_object()
-        if instance.controller is not None:
-            raise PermissionDenied(detail=_("Isolated Groups can not be removed from the API"))
-        if instance.controlled_groups.count():
-            raise PermissionDenied(detail=_("Instance Groups acting as a controller for an Isolated Group can not be removed from the API"))
-        return super(InstanceGroupDetail, self).destroy(request, *args, **kwargs)
-
 
 class InstanceGroupUnifiedJobsList(SubListAPIView):
 
@@ -546,7 +534,7 @@ class ScheduleUnifiedJobsList(SubListAPIView):
 
 
 class AuthView(APIView):
-    ''' List enabled single-sign-on endpoints '''
+    '''List enabled single-sign-on endpoints'''
 
     authentication_classes = []
     permission_classes = (AllowAny,)
@@ -697,7 +685,6 @@ class TeamAccessList(ResourceAccessList):
 
 class ExecutionEnvironmentList(ListCreateAPIView):
 
-    always_allow_superuser = False
     model = models.ExecutionEnvironment
     serializer_class = serializers.ExecutionEnvironmentSerializer
     swagger_topic = "Execution Environments"
@@ -705,7 +692,6 @@ class ExecutionEnvironmentList(ListCreateAPIView):
 
 class ExecutionEnvironmentDetail(RetrieveUpdateDestroyAPIView):
 
-    always_allow_superuser = False
     model = models.ExecutionEnvironment
     serializer_class = serializers.ExecutionEnvironmentSerializer
     swagger_topic = "Execution Environments"
@@ -1237,7 +1223,7 @@ class UserDetail(RetrieveUpdateDestroyAPIView):
     serializer_class = serializers.UserSerializer
 
     def update_filter(self, request, *args, **kwargs):
-        ''' make sure non-read-only fields that can only be edited by admins, are only edited by admins '''
+        '''make sure non-read-only fields that can only be edited by admins, are only edited by admins'''
         obj = self.get_object()
         can_change = request.user.can_access(models.User, 'change', obj, request.data)
         can_admin = request.user.can_access(models.User, 'admin', obj, request.data)
@@ -1600,7 +1586,7 @@ class InventoryHostsList(HostRelatedSearchMixin, SubListCreateAttachDetachAPIVie
 
 
 class HostGroupsList(ControlledByScmMixin, SubListCreateAttachDetachAPIView):
-    ''' the list of groups a host is directly a member of '''
+    '''the list of groups a host is directly a member of'''
 
     model = models.Group
     serializer_class = serializers.GroupSerializer
@@ -1622,7 +1608,7 @@ class HostGroupsList(ControlledByScmMixin, SubListCreateAttachDetachAPIView):
 
 
 class HostAllGroupsList(SubListAPIView):
-    ''' the list of all groups of which the host is directly or indirectly a member '''
+    '''the list of all groups of which the host is directly or indirectly a member'''
 
     model = models.Group
     serializer_class = serializers.GroupSerializer
@@ -1862,7 +1848,7 @@ class GroupPotentialChildrenList(SubListAPIView):
 
 
 class GroupHostsList(HostRelatedSearchMixin, ControlledByScmMixin, SubListCreateAttachDetachAPIView):
-    ''' the list of hosts directly below a group '''
+    '''the list of hosts directly below a group'''
 
     model = models.Host
     serializer_class = serializers.HostSerializer
@@ -1887,7 +1873,7 @@ class GroupHostsList(HostRelatedSearchMixin, ControlledByScmMixin, SubListCreate
 
 
 class GroupAllHostsList(HostRelatedSearchMixin, SubListAPIView):
-    ''' the list of all hosts below a group, even including subgroups '''
+    '''the list of all hosts below a group, even including subgroups'''
 
     model = models.Host
     serializer_class = serializers.HostSerializer
@@ -4262,13 +4248,13 @@ class NotificationTemplateTest(GenericAPIView):
 
     def post(self, request, *args, **kwargs):
         obj = self.get_object()
-        msg = "Tower Notification Test {} {}".format(obj.id, settings.TOWER_URL_BASE)
+        msg = "Notification Test {} {}".format(obj.id, settings.TOWER_URL_BASE)
         if obj.notification_type in ('email', 'pagerduty'):
-            body = "Ansible Tower Test Notification {} {}".format(obj.id, settings.TOWER_URL_BASE)
+            body = "Test Notification {} {}".format(obj.id, settings.TOWER_URL_BASE)
         elif obj.notification_type in ('webhook', 'grafana'):
-            body = '{{"body": "Ansible Tower Test Notification {} {}"}}'.format(obj.id, settings.TOWER_URL_BASE)
+            body = '{{"body": "Test Notification {} {}"}}'.format(obj.id, settings.TOWER_URL_BASE)
         else:
-            body = {"body": "Ansible Tower Test Notification {} {}".format(obj.id, settings.TOWER_URL_BASE)}
+            body = {"body": "Test Notification {} {}".format(obj.id, settings.TOWER_URL_BASE)}
         notification = obj.generate_notification(msg, body)
 
         if not notification:

awx/api/views/inventory.py

@@ -25,8 +25,6 @@ from awx.main.models import (
     InstanceGroup,
     InventoryUpdateEvent,
     InventoryUpdate,
-    InventorySource,
-    CustomInventoryScript,
 )
 from awx.api.generics import ListCreateAPIView, RetrieveUpdateDestroyAPIView, SubListAPIView, SubListAttachDetachAPIView, ResourceAccessList, CopyAPIView
 
@@ -36,7 +34,6 @@ from awx.api.serializers import (
     RoleSerializer,
     InstanceGroupSerializer,
     InventoryUpdateEventSerializer,
-    CustomInventoryScriptSerializer,
     JobTemplateSerializer,
 )
 from awx.api.views.mixin import RelatedJobsPreventDeleteMixin, ControlledByScmMixin
@@ -58,55 +55,6 @@ class InventoryUpdateEventsList(SubListAPIView):
         return super(InventoryUpdateEventsList, self).finalize_response(request, response, *args, **kwargs)
 
 
-class InventoryScriptList(ListCreateAPIView):
-
-    deprecated = True
-
-    model = CustomInventoryScript
-    serializer_class = CustomInventoryScriptSerializer
-
-
-class InventoryScriptDetail(RetrieveUpdateDestroyAPIView):
-
-    deprecated = True
-
-    model = CustomInventoryScript
-    serializer_class = CustomInventoryScriptSerializer
-
-    def destroy(self, request, *args, **kwargs):
-        instance = self.get_object()
-        can_delete = request.user.can_access(self.model, 'delete', instance)
-        if not can_delete:
-            raise PermissionDenied(_("Cannot delete inventory script."))
-        for inv_src in InventorySource.objects.filter(source_script=instance):
-            inv_src.source_script = None
-            inv_src.save()
-        return super(InventoryScriptDetail, self).destroy(request, *args, **kwargs)
-
-
-class InventoryScriptObjectRolesList(SubListAPIView):
-
-    deprecated = True
-
-    model = Role
-    serializer_class = RoleSerializer
-    parent_model = CustomInventoryScript
-    search_fields = ('role_field', 'content_type__model')
-
-    def get_queryset(self):
-        po = self.get_parent_object()
-        content_type = ContentType.objects.get_for_model(self.parent_model)
-        return Role.objects.filter(content_type=content_type, object_id=po.pk)
-
-
-class InventoryScriptCopy(CopyAPIView):
-
-    deprecated = True
-
-    model = CustomInventoryScript
-    copy_return_serializer_class = CustomInventoryScriptSerializer
-
-
 class InventoryList(ListCreateAPIView):
 
     model = Inventory

awx/api/views/metrics.py

@@ -32,7 +32,7 @@ class MetricsView(APIView):
     renderer_classes = [renderers.PlainTextRenderer, renderers.PrometheusJSONRenderer, renderers.BrowsableAPIRenderer]
 
     def get(self, request):
-        ''' Show Metrics Details '''
+        '''Show Metrics Details'''
         if request.user.is_superuser or request.user.is_system_auditor:
             metrics_to_show = ''
             if not request.query_params.get('subsystemonly', "0") == "1":

awx/api/views/mixin.py

@@ -85,15 +85,6 @@ class InstanceGroupMembershipMixin(object):
                     ig_obj.save(update_fields=['policy_instance_list'])
         return response
 
-    def is_valid_relation(self, parent, sub, created=False):
-        if sub.is_isolated():
-            return {'error': _('Isolated instances may not be added or removed from instances groups via the API.')}
-        if self.parent_model is InstanceGroup:
-            ig_obj = self.get_parent_object()
-            if ig_obj.controller_id is not None:
-                return {'error': _('Isolated instance group membership may not be managed via the API.')}
-        return None
-
     def unattach_validate(self, request):
         (sub_id, res) = super(InstanceGroupMembershipMixin, self).unattach_validate(request)
         if res:

awx/api/views/root.py

@@ -24,7 +24,7 @@ from awx.api.generics import APIView
 from awx.conf.registry import settings_registry
 from awx.main.analytics import all_collectors
 from awx.main.ha import is_ha_environment
-from awx.main.utils import get_awx_version, get_custom_venv_choices, to_python_boolean
+from awx.main.utils import get_awx_version, get_custom_venv_choices
 from awx.main.utils.licensing import validate_entitlement_manifest
 from awx.api.versioning import reverse, drf_reverse
 from awx.main.constants import PRIVILEGE_ESCALATION_METHODS
@@ -43,7 +43,7 @@ class ApiRootView(APIView):
 
     @method_decorator(ensure_csrf_cookie)
     def get(self, request, format=None):
-        ''' List supported API versions '''
+        '''List supported API versions'''
 
         v2 = reverse('api:api_v2_root_view', kwargs={'version': 'v2'})
         data = OrderedDict()
@@ -78,7 +78,7 @@ class ApiVersionRootView(APIView):
     swagger_topic = 'Versioning'
 
     def get(self, request, format=None):
-        ''' List top level resources '''
+        '''List top level resources'''
         data = OrderedDict()
         data['ping'] = reverse('api:api_v2_ping_view', request=request)
         data['instances'] = reverse('api:instance_list', request=request)
@@ -100,7 +100,6 @@ class ApiVersionRootView(APIView):
         data['tokens'] = reverse('api:o_auth2_token_list', request=request)
         data['metrics'] = reverse('api:metrics_view', request=request)
         data['inventory'] = reverse('api:inventory_list', request=request)
-        data['inventory_scripts'] = reverse('api:inventory_script_list', request=request)
         data['inventory_sources'] = reverse('api:inventory_source_list', request=request)
         data['inventory_updates'] = reverse('api:inventory_update_list', request=request)
         data['groups'] = reverse('api:group_list', request=request)
@@ -314,16 +313,6 @@ class ApiV2ConfigView(APIView):
     def post(self, request):
         if not isinstance(request.data, dict):
             return Response({"error": _("Invalid subscription data")}, status=status.HTTP_400_BAD_REQUEST)
-        if "eula_accepted" not in request.data:
-            return Response({"error": _("Missing 'eula_accepted' property")}, status=status.HTTP_400_BAD_REQUEST)
-        try:
-            eula_accepted = to_python_boolean(request.data["eula_accepted"])
-        except ValueError:
-            return Response({"error": _("'eula_accepted' value is invalid")}, status=status.HTTP_400_BAD_REQUEST)
-
-        if not eula_accepted:
-            return Response({"error": _("'eula_accepted' must be True")}, status=status.HTTP_400_BAD_REQUEST)
-        request.data.pop("eula_accepted")
         try:
             data_actual = json.dumps(request.data)
         except Exception:

awx/asgi.py

@@ -30,8 +30,8 @@ if MODE == 'production':
     except FileNotFoundError:
         pass
     except ValueError as e:
-        logger.error("Missing or incorrect metadata for Tower version.  Ensure Tower was installed using the setup playbook.")
-        raise Exception("Missing or incorrect metadata for Tower version.  Ensure Tower was installed using the setup playbook.") from e
+        logger.error("Missing or incorrect metadata for controller version.  Ensure controller was installed using the setup playbook.")
+        raise Exception("Missing or incorrect metadata for controller version.  Ensure controller was installed using the setup playbook.") from e
 
 
 os.environ.setdefault("DJANGO_SETTINGS_MODULE", "awx.settings")

awx/conf/__init__.py

@@ -4,7 +4,7 @@
 # Django
 from django.utils.module_loading import autodiscover_modules
 
-# Tower
+# AWX
 from .registry import settings_registry
 
 default_app_config = 'awx.conf.apps.ConfConfig'

awx/conf/access.py

@@ -4,7 +4,7 @@
 # Django
 from django.db.models import Q
 
-# Tower
+# AWX
 from awx.main.access import BaseAccess, register_access
 from awx.conf.models import Setting
 

awx/conf/conf.py

@@ -2,7 +2,7 @@
 from django.conf import settings
 from django.utils.translation import ugettext_lazy as _
 
-# Tower
+# AWX
 from awx.conf import fields, register
 from awx.conf import settings_registry
 

awx/conf/license.py

@@ -11,5 +11,5 @@ def _get_validated_license_data():
 
 
 def get_license():
-    """Return a dictionary representing the active license on this Tower instance."""
+    """Return a dictionary representing the active license on this instance."""
     return _get_validated_license_data()

awx/conf/models.py

@@ -7,7 +7,7 @@ import json
 # Django
 from django.db import models
 
-# Tower
+# AWX
 from awx.main.models.base import CreatedModifiedModel, prevent_search
 from awx.main.fields import JSONField
 from awx.main.utils import encrypt_field

awx/conf/registry.py

@@ -92,11 +92,7 @@ class SettingsRegistry(object):
                 continue
             if kwargs.get('category_slug', None) in slugs_to_ignore:
                 continue
-            if (
-                read_only in {True, False}
-                and kwargs.get('read_only', False) != read_only
-                and setting not in ('INSTALL_UUID', 'AWX_ISOLATED_PRIVATE_KEY', 'AWX_ISOLATED_PUBLIC_KEY')
-            ):
+            if read_only in {True, False} and kwargs.get('read_only', False) != read_only and setting != 'INSTALL_UUID':
                 # Note: Doesn't catch fields that set read_only via __init__;
                 # read-only field kwargs should always include read_only=True.
                 continue

awx/conf/serializers.py

@@ -1,7 +1,7 @@
 # Django REST Framework
 from rest_framework import serializers
 
-# Tower
+# AWX
 from awx.api.fields import VerbatimField
 from awx.api.serializers import BaseSerializer
 from awx.conf.models import Setting
@@ -28,7 +28,7 @@ class SettingSerializer(BaseSerializer):
 
 
 class SettingCategorySerializer(serializers.Serializer):
-    """Serialize setting category """
+    """Serialize setting category"""
 
     url = serializers.CharField(read_only=True)
     slug = serializers.CharField(read_only=True)
@@ -81,10 +81,8 @@ class SettingSingletonSerializer(serializers.Serializer):
             if self.instance and not hasattr(self.instance, key):
                 continue
             extra_kwargs = {}
-            # Make LICENSE and AWX_ISOLATED_KEY_GENERATION read-only here;
-            # LICENSE is only updated via /api/v2/config/
-            # AWX_ISOLATED_KEY_GENERATION is only set/unset via the setup playbook
-            if key in ('LICENSE', 'AWX_ISOLATED_KEY_GENERATION'):
+            # Make LICENSE read-only here; LICENSE is only updated via /api/v2/config/
+            if key == 'LICENSE':
                 extra_kwargs['read_only'] = True
             field = settings_registry.get_setting_field(key, mixin_class=SettingFieldMixin, for_user=bool(category_slug == 'user'), **extra_kwargs)
             fields[key] = field

awx/conf/settings.py

@@ -20,7 +20,7 @@ from rest_framework.fields import empty, SkipField
 
 import cachetools
 
-# Tower
+# AWX
 from awx.main.utils import encrypt_field, decrypt_field
 from awx.conf import settings_registry
 from awx.conf.models import Setting
@@ -350,13 +350,8 @@ class SettingsWrapper(UserSettingsHolder):
         if value is empty:
             setting = None
             setting_id = None
-            if not field.read_only or name in (
-                # these values are read-only - however - we *do* want
-                # to fetch their value from the database
-                'INSTALL_UUID',
-                'AWX_ISOLATED_PRIVATE_KEY',
-                'AWX_ISOLATED_PUBLIC_KEY',
-            ):
+            # this value is read-only, however we *do* want to fetch its value from the database
+            if not field.read_only or name == 'INSTALL_UUID':
                 setting = Setting.objects.filter(key=name, user__isnull=True).order_by('pk').first()
             if setting:
                 if getattr(field, 'encrypted', False):

awx/conf/signals.py

@@ -3,12 +3,12 @@ import logging
 
 # Django
 from django.conf import settings
+from django.core.cache import cache
 from django.core.signals import setting_changed
 from django.db.models.signals import post_save, pre_delete, post_delete
-from django.core.cache import cache
 from django.dispatch import receiver
 
-# Tower
+# AWX
 from awx.conf import settings_registry
 from awx.conf.models import Setting
 
@@ -25,7 +25,7 @@ def handle_setting_change(key, for_delete=False):
         # Note: Doesn't handle multiple levels of dependencies!
         setting_keys.append(dependent_key)
     # NOTE: This block is probably duplicated.
-    cache_keys = set([Setting.get_cache_key(k) for k in setting_keys])
+    cache_keys = {Setting.get_cache_key(k) for k in setting_keys}
     cache.delete_many(cache_keys)
 
     # Send setting_changed signal with new value for each setting.
@@ -58,3 +58,18 @@ def on_post_delete_setting(sender, **kwargs):
     key = getattr(instance, '_saved_key_', None)
     if key:
         handle_setting_change(key, True)
+
+
+@receiver(setting_changed)
+def disable_local_auth(**kwargs):
+    if (kwargs['setting'], kwargs['value']) == ('DISABLE_LOCAL_AUTH', True):
+        from django.contrib.auth.models import User
+        from oauth2_provider.models import RefreshToken
+        from awx.main.models.oauth import OAuth2AccessToken
+        from awx.main.management.commands.revoke_oauth2_tokens import revoke_tokens
+
+        logger.warning("Triggering token invalidation for local users.")
+
+        qs = User.objects.filter(profile__ldap_dn='', enterprise_auth__isnull=True, social_auth__isnull=True)
+        revoke_tokens(RefreshToken.objects.filter(revoked=None, user__in=qs))
+        revoke_tokens(OAuth2AccessToken.objects.filter(user__in=qs))

awx/conf/views.py

@@ -21,7 +21,7 @@ from rest_framework.response import Response
 from rest_framework import serializers
 from rest_framework import status
 
-# Tower
+# AWX
 from awx.api.generics import APIView, GenericAPIView, ListAPIView, RetrieveUpdateDestroyAPIView
 from awx.api.permissions import IsSuperUser
 from awx.api.versioning import reverse

awx/main/access.py

@@ -34,7 +34,6 @@ from awx.main.models import (
     Credential,
     CredentialType,
     CredentialInputSource,
-    CustomInventoryScript,
     ExecutionEnvironment,
     Group,
     Host,
@@ -465,7 +464,7 @@ class BaseAccess(object):
             if display_method == 'schedule':
                 user_capabilities['schedule'] = user_capabilities['start']
                 continue
-            elif display_method == 'delete' and not isinstance(obj, (User, UnifiedJob, CustomInventoryScript, CredentialInputSource)):
+            elif display_method == 'delete' and not isinstance(obj, (User, UnifiedJob, CredentialInputSource)):
                 user_capabilities['delete'] = user_capabilities['edit']
                 continue
             elif display_method == 'copy' and isinstance(obj, (Group, Host)):
@@ -1031,7 +1030,7 @@ class InventorySourceAccess(NotificationAttachMixin, BaseAccess):
 
     model = InventorySource
     select_related = ('created_by', 'modified_by', 'inventory')
-    prefetch_related = ('credentials__credential_type', 'last_job', 'source_script', 'source_project')
+    prefetch_related = ('credentials__credential_type', 'last_job', 'source_project')
 
     def filtered_queryset(self):
         return self.model.objects.filter(inventory__in=Inventory.accessible_pk_qs(self.user, 'read_role'))
@@ -1093,7 +1092,7 @@ class InventoryUpdateAccess(BaseAccess):
         'modified_by',
         'inventory_source',
     )
-    prefetch_related = ('unified_job_template', 'instance_group', 'credentials__credential_type', 'inventory', 'source_script')
+    prefetch_related = ('unified_job_template', 'instance_group', 'credentials__credential_type', 'inventory')
 
     def filtered_queryset(self):
         return self.model.objects.filter(inventory_source__inventory__in=Inventory.accessible_pk_qs(self.user, 'read_role'))
@@ -1357,11 +1356,8 @@ class ExecutionEnvironmentAccess(BaseAccess):
             return Organization.accessible_objects(self.user, 'execution_environment_admin_role').exists()
         return self.check_related('organization', Organization, data, mandatory=True, role_field='execution_environment_admin_role')
 
+    @check_superuser
     def can_change(self, obj, data):
-        if obj.managed_by_tower:
-            raise PermissionDenied
-        if self.user.is_superuser:
-            return True
         if obj and obj.organization_id is None:
             raise PermissionDenied
         if self.user not in obj.organization.execution_environment_admin_role:
@@ -2627,7 +2623,7 @@ class LabelAccess(BaseAccess):
         return self.model.objects.filter(
             Q(organization__in=Organization.accessible_pk_qs(self.user, 'read_role'))
             | Q(unifiedjobtemplate_labels__in=UnifiedJobTemplate.accessible_pk_qs(self.user, 'read_role'))
-        )
+        ).distinct()
 
     @check_superuser
     def can_add(self, data):
@@ -2671,7 +2667,6 @@ class ActivityStreamAccess(BaseAccess):
         'role',
         'actor',
         'schedule',
-        'custom_inventory_script',
         'unified_job_template',
         'workflow_job_template_node',
     )
@@ -2755,33 +2750,6 @@ class ActivityStreamAccess(BaseAccess):
         return False
 
 
-class CustomInventoryScriptAccess(BaseAccess):
-
-    model = CustomInventoryScript
-    prefetch_related = ('created_by', 'modified_by', 'organization')
-
-    def filtered_queryset(self):
-        return self.model.accessible_objects(self.user, 'read_role').all()
-
-    @check_superuser
-    def can_add(self, data):
-        if not data:  # So the browseable API will work
-            return Organization.accessible_objects(self.user, 'admin_role').exists()
-        return self.check_related('organization', Organization, data, mandatory=True)
-
-    @check_superuser
-    def can_admin(self, obj, data=None):
-        return self.check_related('organization', Organization, data, obj=obj) and self.user in obj.admin_role
-
-    @check_superuser
-    def can_change(self, obj, data):
-        return self.can_admin(obj, data=data)
-
-    @check_superuser
-    def can_delete(self, obj):
-        return self.can_admin(obj)
-
-
 class RoleAccess(BaseAccess):
     """
     - I can see roles when

awx/main/analytics/collectors.py

@@ -36,7 +36,7 @@ data _since_ the last report date - i.e., new data in the last 24 hours)
 """
 
 
-def trivial_slicing(key, since, until):
+def trivial_slicing(key, since, until, last_gather):
     if since is not None:
         return [(since, until)]
 
@@ -45,11 +45,11 @@ def trivial_slicing(key, since, until):
     horizon = until - timedelta(weeks=4)
     last_entries = Setting.objects.filter(key='AUTOMATION_ANALYTICS_LAST_ENTRIES').first()
     last_entries = json.loads((last_entries.value if last_entries is not None else '') or '{}', object_hook=datetime_hook)
-    last_entry = max(last_entries.get(key) or settings.AUTOMATION_ANALYTICS_LAST_GATHER or horizon, horizon)
+    last_entry = max(last_entries.get(key) or last_gather, horizon)
     return [(last_entry, until)]
 
 
-def four_hour_slicing(key, since, until):
+def four_hour_slicing(key, since, until, last_gather):
     if since is not None:
         last_entry = since
     else:
@@ -58,7 +58,7 @@ def four_hour_slicing(key, since, until):
         horizon = until - timedelta(weeks=4)
         last_entries = Setting.objects.filter(key='AUTOMATION_ANALYTICS_LAST_ENTRIES').first()
         last_entries = json.loads((last_entries.value if last_entries is not None else '') or '{}', object_hook=datetime_hook)
-        last_entry = max(last_entries.get(key) or settings.AUTOMATION_ANALYTICS_LAST_GATHER or horizon, horizon)
+        last_entry = max(last_entries.get(key) or last_gather, horizon)
 
     start, end = last_entry, None
     while start < until:
@@ -67,15 +67,14 @@ def four_hour_slicing(key, since, until):
         start = end
 
 
-def events_slicing(key, since, until):
+def events_slicing(key, since, until, last_gather):
     from awx.conf.models import Setting
 
-    last_gather = settings.AUTOMATION_ANALYTICS_LAST_GATHER
     last_entries = Setting.objects.filter(key='AUTOMATION_ANALYTICS_LAST_ENTRIES').first()
     last_entries = json.loads((last_entries.value if last_entries is not None else '') or '{}', object_hook=datetime_hook)
     horizon = until - timedelta(weeks=4)
 
-    lower = since or last_gather or horizon
+    lower = since or last_gather
     if not since and last_entries.get(key):
         lower = horizon
     pk_values = models.JobEvent.objects.filter(created__gte=lower, created__lte=until).aggregate(Min('pk'), Max('pk'))
@@ -135,7 +134,6 @@ def counts(since, **kwargs):
         models.WorkflowJobTemplate,
         models.Host,
         models.Schedule,
-        models.CustomInventoryScript,
         models.NotificationTemplate,
     ):
         counts[camelcase_to_underscore(cls.__name__)] = cls.objects.count()
@@ -221,17 +219,11 @@ def projects_by_scm_type(since, **kwargs):
     return counts
 
 
-def _get_isolated_datetime(last_check):
-    if last_check:
-        return last_check.isoformat()
-    return last_check
-
-
-@register('instance_info', '1.0', description=_('Cluster topology and capacity'))
+@register('instance_info', '1.1', description=_('Cluster topology and capacity'))
 def instance_info(since, include_hostnames=False, **kwargs):
     info = {}
     instances = models.Instance.objects.values_list('hostname').values(
-        'uuid', 'version', 'capacity', 'cpu', 'memory', 'managed_by_policy', 'hostname', 'last_isolated_check', 'enabled'
+        'uuid', 'version', 'capacity', 'cpu', 'memory', 'managed_by_policy', 'hostname', 'enabled'
     )
     for instance in instances:
         consumed_capacity = sum(x.task_impact for x in models.UnifiedJob.objects.filter(execution_node=instance['hostname'], status__in=('running', 'waiting')))
@@ -242,7 +234,6 @@ def instance_info(since, include_hostnames=False, **kwargs):
             'cpu': instance['cpu'],
             'memory': instance['memory'],
             'managed_by_policy': instance['managed_by_policy'],
-            'last_isolated_check': _get_isolated_datetime(instance['last_isolated_check']),
             'enabled': instance['enabled'],
             'consumed_capacity': consumed_capacity,
             'remaining_capacity': instance['capacity'] - consumed_capacity,
@@ -347,35 +338,35 @@ def _copy_table(table, query, path):
 @register('events_table', '1.2', format='csv', description=_('Automation task records'), expensive=events_slicing)
 def events_table(since, full_path, until, **kwargs):
     def query(event_data):
-        return f'''COPY (SELECT main_jobevent.id, 
+        return f'''COPY (SELECT main_jobevent.id,
                          main_jobevent.created,
                          main_jobevent.modified,
                          main_jobevent.uuid,
                          main_jobevent.parent_uuid,
-                         main_jobevent.event, 
+                         main_jobevent.event,
                          {event_data}->'task_action' AS task_action,
                          (CASE WHEN event = 'playbook_on_stats' THEN event_data END) as playbook_on_stats,
-                         main_jobevent.failed, 
-                         main_jobevent.changed, 
-                         main_jobevent.playbook, 
+                         main_jobevent.failed,
+                         main_jobevent.changed,
+                         main_jobevent.playbook,
                          main_jobevent.play,
                          main_jobevent.task,
-                         main_jobevent.role, 
-                         main_jobevent.job_id, 
-                         main_jobevent.host_id, 
+                         main_jobevent.role,
+                         main_jobevent.job_id,
+                         main_jobevent.host_id,
                          main_jobevent.host_name,
                          CAST({event_data}->>'start' AS TIMESTAMP WITH TIME ZONE) AS start,
                          CAST({event_data}->>'end' AS TIMESTAMP WITH TIME ZONE) AS end,
                          {event_data}->'duration' AS duration,
                          {event_data}->'res'->'warnings' AS warnings,
                          {event_data}->'res'->'deprecations' AS deprecations
-                         FROM main_jobevent 
+                         FROM main_jobevent
                          WHERE (main_jobevent.id > {since} AND main_jobevent.id <= {until})
                          ORDER BY main_jobevent.id ASC) TO STDOUT WITH CSV HEADER'''
 
     try:
         return _copy_table(table='events', query=query("main_jobevent.event_data::json"), path=full_path)
-    except UntranslatableCharacter as exc:
+    except UntranslatableCharacter:
         return _copy_table(table='events', query=query("replace(main_jobevent.event_data::text, '\\u0000', '')::json"), path=full_path)
 
 
@@ -386,22 +377,22 @@ def unified_jobs_table(since, full_path, until, **kwargs):
                                  django_content_type.model,
                                  main_unifiedjob.organization_id,
                                  main_organization.name as organization_name,
-                                 main_job.inventory_id, 
+                                 main_job.inventory_id,
                                  main_inventory.name as inventory_name,
-                                 main_unifiedjob.created,  
-                                 main_unifiedjob.name,  
-                                 main_unifiedjob.unified_job_template_id, 
-                                 main_unifiedjob.launch_type, 
-                                 main_unifiedjob.schedule_id, 
-                                 main_unifiedjob.execution_node, 
-                                 main_unifiedjob.controller_node, 
-                                 main_unifiedjob.cancel_flag, 
-                                 main_unifiedjob.status, 
-                                 main_unifiedjob.failed, 
-                                 main_unifiedjob.started, 
-                                 main_unifiedjob.finished, 
-                                 main_unifiedjob.elapsed, 
-                                 main_unifiedjob.job_explanation, 
+                                 main_unifiedjob.created,
+                                 main_unifiedjob.name,
+                                 main_unifiedjob.unified_job_template_id,
+                                 main_unifiedjob.launch_type,
+                                 main_unifiedjob.schedule_id,
+                                 main_unifiedjob.execution_node,
+                                 main_unifiedjob.controller_node,
+                                 main_unifiedjob.cancel_flag,
+                                 main_unifiedjob.status,
+                                 main_unifiedjob.failed,
+                                 main_unifiedjob.started,
+                                 main_unifiedjob.finished,
+                                 main_unifiedjob.elapsed,
+                                 main_unifiedjob.job_explanation,
                                  main_unifiedjob.instance_group_id,
                                  main_unifiedjob.installed_collections,
                                  main_unifiedjob.ansible_version
@@ -422,21 +413,21 @@ def unified_jobs_table(since, full_path, until, **kwargs):
 
 @register('unified_job_template_table', '1.0', format='csv', description=_('Data on job templates'))
 def unified_job_template_table(since, full_path, **kwargs):
-    unified_job_template_query = '''COPY (SELECT main_unifiedjobtemplate.id, 
+    unified_job_template_query = '''COPY (SELECT main_unifiedjobtemplate.id,
                                  main_unifiedjobtemplate.polymorphic_ctype_id,
                                  django_content_type.model,
-                                 main_unifiedjobtemplate.created, 
-                                 main_unifiedjobtemplate.modified, 
-                                 main_unifiedjobtemplate.created_by_id, 
-                                 main_unifiedjobtemplate.modified_by_id, 
-                                 main_unifiedjobtemplate.name, 
-                                 main_unifiedjobtemplate.current_job_id, 
-                                 main_unifiedjobtemplate.last_job_id, 
-                                 main_unifiedjobtemplate.last_job_failed, 
-                                 main_unifiedjobtemplate.last_job_run, 
-                                 main_unifiedjobtemplate.next_job_run, 
-                                 main_unifiedjobtemplate.next_schedule_id, 
-                                 main_unifiedjobtemplate.status 
+                                 main_unifiedjobtemplate.created,
+                                 main_unifiedjobtemplate.modified,
+                                 main_unifiedjobtemplate.created_by_id,
+                                 main_unifiedjobtemplate.modified_by_id,
+                                 main_unifiedjobtemplate.name,
+                                 main_unifiedjobtemplate.current_job_id,
+                                 main_unifiedjobtemplate.last_job_id,
+                                 main_unifiedjobtemplate.last_job_failed,
+                                 main_unifiedjobtemplate.last_job_run,
+                                 main_unifiedjobtemplate.next_job_run,
+                                 main_unifiedjobtemplate.next_schedule_id,
+                                 main_unifiedjobtemplate.status
                                  FROM main_unifiedjobtemplate, django_content_type
                                  WHERE main_unifiedjobtemplate.polymorphic_ctype_id = django_content_type.id
                                  ORDER BY main_unifiedjobtemplate.id ASC) TO STDOUT WITH CSV HEADER'''
@@ -447,15 +438,15 @@ def unified_job_template_table(since, full_path, **kwargs):
 def workflow_job_node_table(since, full_path, until, **kwargs):
     workflow_job_node_query = '''COPY (SELECT main_workflowjobnode.id,
                                  main_workflowjobnode.created,
-                                 main_workflowjobnode.modified, 
-                                 main_workflowjobnode.job_id, 
-                                 main_workflowjobnode.unified_job_template_id, 
-                                 main_workflowjobnode.workflow_job_id, 
-                                 main_workflowjobnode.inventory_id, 
+                                 main_workflowjobnode.modified,
+                                 main_workflowjobnode.job_id,
+                                 main_workflowjobnode.unified_job_template_id,
+                                 main_workflowjobnode.workflow_job_id,
+                                 main_workflowjobnode.inventory_id,
                                  success_nodes.nodes AS success_nodes,
                                  failure_nodes.nodes AS failure_nodes,
                                  always_nodes.nodes AS always_nodes,
-                                 main_workflowjobnode.do_not_run, 
+                                 main_workflowjobnode.do_not_run,
                                  main_workflowjobnode.all_parents_must_converge
                                  FROM main_workflowjobnode
                                  LEFT JOIN (
@@ -483,12 +474,12 @@ def workflow_job_node_table(since, full_path, until, **kwargs):
 
 @register('workflow_job_template_node_table', '1.0', format='csv', description=_('Data on workflows'))
 def workflow_job_template_node_table(since, full_path, **kwargs):
-    workflow_job_template_node_query = '''COPY (SELECT main_workflowjobtemplatenode.id, 
+    workflow_job_template_node_query = '''COPY (SELECT main_workflowjobtemplatenode.id,
                                  main_workflowjobtemplatenode.created,
-                                 main_workflowjobtemplatenode.modified, 
-                                 main_workflowjobtemplatenode.unified_job_template_id, 
-                                 main_workflowjobtemplatenode.workflow_job_template_id, 
-                                 main_workflowjobtemplatenode.inventory_id, 
+                                 main_workflowjobtemplatenode.modified,
+                                 main_workflowjobtemplatenode.unified_job_template_id,
+                                 main_workflowjobtemplatenode.workflow_job_template_id,
+                                 main_workflowjobtemplatenode.inventory_id,
                                  success_nodes.nodes AS success_nodes,
                                  failure_nodes.nodes AS failure_nodes,
                                  always_nodes.nodes AS always_nodes,

awx/main/analytics/core.py

@@ -116,6 +116,51 @@ def package(target, data, timestamp):
         return None
 
 
+def calculate_collection_interval(since, until):
+    _now = now()
+
+    # Make sure that the endpoints are not in the future.
+    if until is not None and until > _now:
+        until = _now
+        logger.warning(f"End of the collection interval is in the future, setting to {_now}.")
+    if since is not None and since > _now:
+        since = _now
+        logger.warning(f"Start of the collection interval is in the future, setting to {_now}.")
+
+    # The value of `until` needs to be concrete, so resolve it.  If it wasn't passed in,
+    # set it to `now`, but only if that isn't more than 4 weeks ahead of a passed-in
+    # `since` parameter.
+    if since is not None:
+        if until is not None:
+            if until > since + timedelta(weeks=4):
+                until = since + timedelta(weeks=4)
+                logger.warning(f"End of the collection interval is greater than 4 weeks from start, setting end to {until}.")
+        else:  # until is None
+            until = min(since + timedelta(weeks=4), _now)
+    elif until is None:
+        until = _now
+
+    if since and since >= until:
+        logger.warning("Start of the collection interval is later than the end, ignoring request.")
+        raise ValueError
+
+    # The ultimate beginning of the interval needs to be compared to 4 weeks prior to
+    # `until`, but we want to keep `since` empty if it wasn't passed in because we use that
+    # case to know whether to use the bookkeeping settings variables to decide the start of
+    # the interval.
+    horizon = until - timedelta(weeks=4)
+    if since is not None and since < horizon:
+        since = horizon
+        logger.warning(f"Start of the collection interval is more than 4 weeks prior to {until}, setting to {horizon}.")
+
+    last_gather = settings.AUTOMATION_ANALYTICS_LAST_GATHER or horizon
+    if last_gather < horizon:
+        last_gather = horizon
+        logger.warning(f"Last analytics run was more than 4 weeks prior to {until}, using {horizon} instead.")
+
+    return since, until, last_gather
+
+
 def gather(dest=None, module=None, subset=None, since=None, until=None, collection_type='scheduled'):
     """
     Gather all defined metrics and write them as JSON files in a .tgz
@@ -132,7 +177,7 @@ def gather(dest=None, module=None, subset=None, since=None, until=None, collecti
 
     if collection_type != 'dry-run':
         if not settings.INSIGHTS_TRACKING_STATE:
-            logger.log(log_level, "Automation Analytics not enabled. Use --dry-run to gather locally without sending.")
+            logger.log(log_level, "Insights for Ansible Automation Platform not enabled. Use --dry-run to gather locally without sending.")
             return None
 
         if not (settings.AUTOMATION_ANALYTICS_URL and settings.REDHAT_USERNAME and settings.REDHAT_PASSWORD):
@@ -148,30 +193,12 @@ def gather(dest=None, module=None, subset=None, since=None, until=None, collecti
         from awx.main.analytics import collectors
         from awx.main.signals import disable_activity_stream
 
-        _now = now()
-
-        # Make sure that the endpoints are not in the future.
-        until = None if until is None else min(until, _now)
-        since = None if since is None else min(since, _now)
-
-        if since and not until:
-            # If `since` is explicit but not `until`, `since` should be used to calculate the 4-week limit
-            until = min(since + timedelta(weeks=4), _now)
-        else:
-            until = _now if until is None else until
-
-        horizon = until - timedelta(weeks=4)
-        if since is not None:
-            # Make sure the start isn't more than 4 weeks prior to `until`.
-            since = max(since, horizon)
-
-        if since and since >= until:
-            logger.warning("Start of the collection interval is later than the end, ignoring request.")
-            return None
-
         logger.debug("Last analytics run was: {}".format(settings.AUTOMATION_ANALYTICS_LAST_GATHER))
-        # LAST_GATHER time should always get truncated to less than 4 weeks back.
-        last_gather = max(settings.AUTOMATION_ANALYTICS_LAST_GATHER or horizon, horizon)
+
+        try:
+            since, until, last_gather = calculate_collection_interval(since, until)
+        except ValueError:
+            return None
 
         last_entries = Setting.objects.filter(key='AUTOMATION_ANALYTICS_LAST_ENTRIES').first()
         last_entries = json.loads((last_entries.value if last_entries is not None else '') or '{}', object_hook=datetime_hook)
@@ -201,7 +228,7 @@ def gather(dest=None, module=None, subset=None, since=None, until=None, collecti
             key = func.__awx_analytics_key__
             filename = f'{key}.json'
             try:
-                last_entry = max(last_entries.get(key) or last_gather, horizon)
+                last_entry = max(last_entries.get(key) or last_gather, until - timedelta(weeks=4))
                 results = (func(since or last_entry, collection_type=collection_type, until=until), func.__awx_analytics_version__)
                 json.dumps(results)  # throwaway check to see if the data is json-serializable
                 data[filename] = results
@@ -233,9 +260,9 @@ def gather(dest=None, module=None, subset=None, since=None, until=None, collecti
                 # allowed to be None, and will fall back to LAST_ENTRIES[key] or to
                 # LAST_GATHER (truncated appropriately to match the 4-week limit).
                 if func.__awx_expensive__:
-                    slices = func.__awx_expensive__(key, since, until)
+                    slices = func.__awx_expensive__(key, since, until, last_gather)
                 else:
-                    slices = collectors.trivial_slicing(key, since, until)
+                    slices = collectors.trivial_slicing(key, since, until, last_gather)
 
                 for start, end in slices:
                     files = func(start, full_path=gather_dir, until=end)
@@ -259,9 +286,10 @@ def gather(dest=None, module=None, subset=None, since=None, until=None, collecti
                         tgzfile = package(dest.parent, payload, until)
                         if tgzfile is not None:
                             tarfiles.append(tgzfile)
-                            if not ship(tgzfile):
-                                slice_succeeded, succeeded = False, False
-                                break
+                            if collection_type != 'dry-run':
+                                if not ship(tgzfile):
+                                    slice_succeeded, succeeded = False, False
+                                    break
 
                     if slice_succeeded and collection_type != 'dry-run':
                         with disable_activity_stream():
@@ -278,6 +306,14 @@ def gather(dest=None, module=None, subset=None, since=None, until=None, collecti
                         os.remove(fpath)
             with disable_activity_stream():
                 if not settings.AUTOMATION_ANALYTICS_LAST_GATHER or until > settings.AUTOMATION_ANALYTICS_LAST_GATHER:
+                    # `AUTOMATION_ANALYTICS_LAST_GATHER` is set whether collection succeeds or fails;
+                    # if collection fails because of a persistent, underlying issue and we do not set last_gather,
+                    # we risk the collectors hitting an increasingly greater workload while the underlying issue
+                    # remains unresolved. Put simply, if collection fails, we just move on.
+
+                    # All that said, `AUTOMATION_ANALYTICS_LAST_GATHER` plays a much smaller role in determining
+                    # what is actually collected than it used to; collectors now mostly rely on their respective entry
+                    # under `last_entries` to determine what should be collected.
                     settings.AUTOMATION_ANALYTICS_LAST_GATHER = until
 
         shutil.rmtree(dest, ignore_errors=True)  # clean up individual artifact files
@@ -294,10 +330,10 @@ def ship(path):
     Ship gathered metrics to the Insights API
     """
     if not path:
-        logger.error('Automation Analytics TAR not found')
+        logger.error('Insights for Ansible Automation Platform TAR not found')
         return False
     if not os.path.exists(path):
-        logger.error('Automation Analytics TAR {} not found'.format(path))
+        logger.error('Insights for Ansible Automation Platform TAR {} not found'.format(path))
         return False
     if "Error:" in str(path):
         return False

awx/main/analytics/metrics.py

@@ -1,5 +1,5 @@
 from django.conf import settings
-from prometheus_client import PROCESS_COLLECTOR, PLATFORM_COLLECTOR, GC_COLLECTOR, CollectorRegistry, Gauge, Info, generate_latest
+from prometheus_client import CollectorRegistry, Gauge, Info, generate_latest
 
 from awx.conf.license import get_license
 from awx.main.utils import get_awx_version
@@ -31,7 +31,6 @@ def metrics():
         registry=REGISTRY,
     )
     SCHEDULE_COUNT = Gauge('awx_schedules_total', 'Number of schedules', registry=REGISTRY)
-    INV_SCRIPT_COUNT = Gauge('awx_inventory_scripts_total', 'Number of invetory scripts', registry=REGISTRY)
     USER_SESSIONS = Gauge(
         'awx_sessions_total',
         'Number of sessions',
@@ -41,8 +40,8 @@ def metrics():
         registry=REGISTRY,
     )
     CUSTOM_VENVS = Gauge('awx_custom_virtualenvs_total', 'Number of virtualenvs', registry=REGISTRY)
-    RUNNING_JOBS = Gauge('awx_running_jobs_total', 'Number of running jobs on the Tower system', registry=REGISTRY)
-    PENDING_JOBS = Gauge('awx_pending_jobs_total', 'Number of pending jobs on the Tower system', registry=REGISTRY)
+    RUNNING_JOBS = Gauge('awx_running_jobs_total', 'Number of running jobs on the system', registry=REGISTRY)
+    PENDING_JOBS = Gauge('awx_pending_jobs_total', 'Number of pending jobs on the system', registry=REGISTRY)
     STATUS = Gauge(
         'awx_status_total',
         'Status of Job launched',
@@ -54,7 +53,7 @@ def metrics():
 
     INSTANCE_CAPACITY = Gauge(
         'awx_instance_capacity',
-        'Capacity of each node in a Tower system',
+        'Capacity of each node in the system',
         [
             'hostname',
             'instance_uuid',
@@ -63,7 +62,7 @@ def metrics():
     )
     INSTANCE_CPU = Gauge(
         'awx_instance_cpu',
-        'CPU cores on each node in a Tower system',
+        'CPU cores on each node in the system',
         [
             'hostname',
             'instance_uuid',
@@ -72,7 +71,7 @@ def metrics():
     )
     INSTANCE_MEMORY = Gauge(
         'awx_instance_memory',
-        'RAM (Kb) on each node in a Tower system',
+        'RAM (Kb) on each node in the system',
         [
             'hostname',
             'instance_uuid',
@@ -81,7 +80,7 @@ def metrics():
     )
     INSTANCE_INFO = Info(
         'awx_instance',
-        'Info about each node in a Tower system',
+        'Info about each node in the system',
         [
             'hostname',
             'instance_uuid',
@@ -108,7 +107,7 @@ def metrics():
     )
     INSTANCE_CONSUMED_CAPACITY = Gauge(
         'awx_instance_consumed_capacity',
-        'Consumed capacity of each node in a Tower system',
+        'Consumed capacity of each node in the system',
         [
             'hostname',
             'instance_uuid',
@@ -117,7 +116,7 @@ def metrics():
     )
     INSTANCE_REMAINING_CAPACITY = Gauge(
         'awx_instance_remaining_capacity',
-        'Remaining capacity of each node in a Tower system',
+        'Remaining capacity of each node in the system',
         [
             'hostname',
             'instance_uuid',
@@ -160,7 +159,6 @@ def metrics():
     HOST_COUNT.labels(type='active').set(current_counts['active_host_count'])
 
     SCHEDULE_COUNT.set(current_counts['schedule'])
-    INV_SCRIPT_COUNT.set(current_counts['custom_inventory_script'])
     CUSTOM_VENVS.set(current_counts['custom_virtualenvs'])
 
     USER_SESSIONS.labels(type='all').set(current_counts['active_sessions'])
@@ -186,7 +184,6 @@ def metrics():
         INSTANCE_INFO.labels(hostname=hostname, instance_uuid=uuid).info(
             {
                 'enabled': str(instance_data[uuid]['enabled']),
-                'last_isolated_check': getattr(instance_data[uuid], 'last_isolated_check', 'None'),
                 'managed_by_policy': str(instance_data[uuid]['managed_by_policy']),
                 'version': instance_data[uuid]['version'],
             }

awx/main/backends.py

@@ -0,0 +1,14 @@
+import logging
+
+from django.conf import settings
+from django.contrib.auth.backends import ModelBackend
+
+logger = logging.getLogger('awx.main.backends')
+
+
+class AWXModelBackend(ModelBackend):
+    def authenticate(self, request, **kwargs):
+        if settings.DISABLE_LOCAL_AUTH:
+            logger.warning(f"User '{kwargs['username']}' attempted login through the disabled local authentication system.")
+            return
+        return super().authenticate(request, **kwargs)

awx/main/conf.py

@@ -6,9 +6,8 @@ from django.utils.translation import ugettext_lazy as _
 
 # Django REST Framework
 from rest_framework import serializers
-from rest_framework.fields import FloatField
 
-# Tower
+# AWX
 from awx.conf import fields, register, register_validate
 from awx.main.models import ExecutionEnvironment
 
@@ -37,7 +36,7 @@ register(
     'ORG_ADMINS_CAN_SEE_ALL_USERS',
     field_class=fields.BooleanField,
     label=_('All Users Visible to Organization Admins'),
-    help_text=_('Controls whether any Organization Admin can view all users and teams, ' 'even those not associated with their Organization.'),
+    help_text=_('Controls whether any Organization Admin can view all users and teams, even those not associated with their Organization.'),
     category=_('System'),
     category_slug='system',
 )
@@ -59,8 +58,8 @@ register(
     field_class=fields.URLField,
     schemes=('http', 'https'),
     allow_plain_hostname=True,  # Allow hostname only without TLD.
-    label=_('Base URL of the Tower host'),
-    help_text=_('This setting is used by services like notifications to render ' 'a valid url to the Tower host.'),
+    label=_('Base URL of the service'),
+    help_text=_('This setting is used by services like notifications to render a valid url to the service.'),
     category=_('System'),
     category_slug='system',
 )
@@ -85,8 +84,8 @@ register(
     field_class=fields.StringListField,
     label=_('Proxy IP Allowed List'),
     help_text=_(
-        "If Tower is behind a reverse proxy/load balancer, use this setting "
-        "to configure the proxy IP addresses from which Tower should trust "
+        "If the service is behind a reverse proxy/load balancer, use this setting "
+        "to configure the proxy IP addresses from which the service should trust "
         "custom REMOTE_HOST_HEADERS header values. "
         "If this setting is an empty list (the default), the headers specified by "
         "REMOTE_HOST_HEADERS will be trusted unconditionally')"
@@ -95,13 +94,12 @@ register(
     category_slug='system',
 )
 
-
 register(
     'LICENSE',
     field_class=fields.DictField,
     default=lambda: {},
     label=_('License'),
-    help_text=_('The license controls which features and functionality are ' 'enabled. Use /api/v2/config/ to update or change ' 'the license.'),
+    help_text=_('The license controls which features and functionality are enabled. Use /api/v2/config/ to update or change the license.'),
     category=_('System'),
     category_slug='system',
 )
@@ -114,7 +112,7 @@ register(
     encrypted=False,
     read_only=False,
     label=_('Red Hat customer username'),
-    help_text=_('This username is used to send data to Automation Analytics'),
+    help_text=_('This username is used to send data to Insights for Ansible Automation Platform'),
     category=_('System'),
     category_slug='system',
 )
@@ -127,7 +125,7 @@ register(
     encrypted=True,
     read_only=False,
     label=_('Red Hat customer password'),
-    help_text=_('This password is used to send data to Automation Analytics'),
+    help_text=_('This password is used to send data to Insights for Ansible Automation Platform'),
     category=_('System'),
     category_slug='system',
 )
@@ -164,8 +162,8 @@ register(
     default='https://example.com',
     schemes=('http', 'https'),
     allow_plain_hostname=True,  # Allow hostname only without TLD.
-    label=_('Automation Analytics upload URL'),
-    help_text=_('This setting is used to to configure data collection for the Automation Analytics dashboard'),
+    label=_('Insights for Ansible Automation Platform upload URL'),
+    help_text=_('This setting is used to to configure the upload URL for data collection for Red Hat Insights.'),
     category=_('System'),
     category_slug='system',
 )
@@ -173,7 +171,7 @@ register(
 register(
     'INSTALL_UUID',
     field_class=fields.CharField,
-    label=_('Unique identifier for an AWX/Tower installation'),
+    label=_('Unique identifier for an installation'),
     category=_('System'),
     category_slug='system',
     read_only=True,
@@ -195,7 +193,7 @@ register(
     'CUSTOM_VENV_PATHS',
     field_class=fields.StringListPathField,
     label=_('Custom virtual environment paths'),
-    help_text=_('Paths where Tower will look for custom virtual environments ' '(in addition to /var/lib/awx/venv/). Enter one path per line.'),
+    help_text=_('Paths where Tower will look for custom virtual environments (in addition to /var/lib/awx/venv/). Enter one path per line.'),
     category=_('System'),
     category_slug='system',
     default=[],
@@ -224,7 +222,7 @@ register(
     help_text=_(
         'Ansible allows variable substitution via the Jinja2 templating '
         'language for --extra-vars. This poses a potential security '
-        'risk where Tower users with the ability to specify extra vars at job '
+        'risk where users with the ability to specify extra vars at job '
         'launch time can use Jinja2 templates to run arbitrary Python.  It is '
         'recommended that this value be set to "template" or "never".'
     ),
@@ -236,11 +234,7 @@ register(
     'AWX_ISOLATION_BASE_PATH',
     field_class=fields.CharField,
     label=_('Job execution path'),
-    help_text=_(
-        'The directory in which Tower will create new temporary '
-        'directories for job execution and isolation '
-        '(such as credential files and custom inventory scripts).'
-    ),
+    help_text=_('The directory in which the service will create new temporary directories for job execution and isolation (such as credential files).'),
     category=_('Jobs'),
     category_slug='jobs',
 )
@@ -255,138 +249,6 @@ register(
     category_slug='jobs',
 )
 
-register(
-    'AWX_ISOLATED_CHECK_INTERVAL',
-    field_class=fields.IntegerField,
-    min_value=0,
-    label=_('Isolated status check interval'),
-    help_text=_('The number of seconds to sleep between status checks for jobs running on isolated instances.'),
-    category=_('Jobs'),
-    category_slug='jobs',
-    unit=_('seconds'),
-)
-
-register(
-    'AWX_ISOLATED_LAUNCH_TIMEOUT',
-    field_class=fields.IntegerField,
-    min_value=0,
-    label=_('Isolated launch timeout'),
-    help_text=_(
-        'The timeout (in seconds) for launching jobs on isolated instances.  '
-        'This includes the time needed to copy source control files (playbooks) to the isolated instance.'
-    ),
-    category=_('Jobs'),
-    category_slug='jobs',
-    unit=_('seconds'),
-)
-
-register(
-    'AWX_ISOLATED_CONNECTION_TIMEOUT',
-    field_class=fields.IntegerField,
-    min_value=0,
-    default=10,
-    label=_('Isolated connection timeout'),
-    help_text=_(
-        'Ansible SSH connection timeout (in seconds) to use when communicating with isolated instances. '
-        'Value should be substantially greater than expected network latency.'
-    ),
-    category=_('Jobs'),
-    category_slug='jobs',
-    unit=_('seconds'),
-)
-
-register(
-    'AWX_ISOLATED_HOST_KEY_CHECKING',
-    field_class=fields.BooleanField,
-    label=_('Isolated host key checking'),
-    help_text=_('When set to True, AWX will enforce strict host key checking for communication with isolated nodes.'),
-    category=_('Jobs'),
-    category_slug='jobs',
-    default=False,
-)
-
-register(
-    'AWX_ISOLATED_KEY_GENERATION',
-    field_class=fields.BooleanField,
-    default=True,
-    label=_('Generate RSA keys for isolated instances'),
-    help_text=_(
-        'If set, a random RSA key will be generated and distributed to '
-        'isolated instances.  To disable this behavior and manage authentication '
-        'for isolated instances outside of Tower, disable this setting.'
-    ),  # noqa
-    category=_('Jobs'),
-    category_slug='jobs',
-)
-
-register(
-    'AWX_ISOLATED_PRIVATE_KEY',
-    field_class=fields.CharField,
-    default='',
-    allow_blank=True,
-    encrypted=True,
-    read_only=True,
-    label=_('The RSA private key for SSH traffic to isolated instances'),
-    help_text=_('The RSA private key for SSH traffic to isolated instances'),  # noqa
-    category=_('Jobs'),
-    category_slug='jobs',
-)
-
-register(
-    'AWX_ISOLATED_PUBLIC_KEY',
-    field_class=fields.CharField,
-    default='',
-    allow_blank=True,
-    read_only=True,
-    label=_('The RSA public key for SSH traffic to isolated instances'),
-    help_text=_('The RSA public key for SSH traffic to isolated instances'),  # noqa
-    category=_('Jobs'),
-    category_slug='jobs',
-)
-
-register(
-    'AWX_RESOURCE_PROFILING_ENABLED',
-    field_class=fields.BooleanField,
-    default=False,
-    label=_('Enable detailed resource profiling on all playbook runs'),
-    help_text=_('If set, detailed resource profiling data will be collected on all jobs. ' 'This data can be gathered with `sosreport`.'),  # noqa
-    category=_('Jobs'),
-    category_slug='jobs',
-)
-
-register(
-    'AWX_RESOURCE_PROFILING_CPU_POLL_INTERVAL',
-    field_class=FloatField,
-    default='0.25',
-    label=_('Interval (in seconds) between polls for cpu usage.'),
-    help_text=_('Interval (in seconds) between polls for cpu usage. ' 'Setting this lower than the default will affect playbook performance.'),
-    category=_('Jobs'),
-    category_slug='jobs',
-    required=False,
-)
-
-register(
-    'AWX_RESOURCE_PROFILING_MEMORY_POLL_INTERVAL',
-    field_class=FloatField,
-    default='0.25',
-    label=_('Interval (in seconds) between polls for memory usage.'),
-    help_text=_('Interval (in seconds) between polls for memory usage. ' 'Setting this lower than the default will affect playbook performance.'),
-    category=_('Jobs'),
-    category_slug='jobs',
-    required=False,
-)
-
-register(
-    'AWX_RESOURCE_PROFILING_PID_POLL_INTERVAL',
-    field_class=FloatField,
-    default='0.25',
-    label=_('Interval (in seconds) between polls for PID count.'),
-    help_text=_('Interval (in seconds) between polls for PID count. ' 'Setting this lower than the default will affect playbook performance.'),
-    category=_('Jobs'),
-    category_slug='jobs',
-    required=False,
-)
-
 register(
     'AWX_TASK_ENV',
     field_class=fields.KeyValueField,
@@ -402,8 +264,8 @@ register(
     'INSIGHTS_TRACKING_STATE',
     field_class=fields.BooleanField,
     default=False,
-    label=_('Gather data for Automation Analytics'),
-    help_text=_('Enables Tower to gather data on automation and send it to Red Hat.'),
+    label=_('Gather data for Insights for Ansible Automation Platform'),
+    help_text=_('Enables the service to gather data on automation and send it to Red Hat Insights.'),
     category=_('System'),
     category_slug='system',
 )
@@ -455,7 +317,7 @@ register(
     field_class=fields.BooleanField,
     default=False,
     label=_('Ignore Ansible Galaxy SSL Certificate Verification'),
-    help_text=_('If set to true, certificate validation will not be done when ' 'installing content from any Galaxy server.'),
+    help_text=_('If set to true, certificate validation will not be done when installing content from any Galaxy server.'),
     category=_('Jobs'),
     category_slug='jobs',
 )
@@ -570,7 +432,7 @@ register(
     allow_null=False,
     default=200,
     label=_('Maximum number of forks per job'),
-    help_text=_('Saving a Job Template with more than this number of forks will result in an error. ' 'When set to 0, no limit is applied.'),
+    help_text=_('Saving a Job Template with more than this number of forks will result in an error. When set to 0, no limit is applied.'),
     category=_('Jobs'),
     category_slug='jobs',
 )
@@ -591,7 +453,7 @@ register(
     allow_null=True,
     default=None,
     label=_('Logging Aggregator Port'),
-    help_text=_('Port on Logging Aggregator to send logs to (if required and not' ' provided in Logging Aggregator).'),
+    help_text=_('Port on Logging Aggregator to send logs to (if required and not provided in Logging Aggregator).'),
     category=_('Logging'),
     category_slug='logging',
     required=False,
@@ -674,8 +536,8 @@ register(
     field_class=fields.CharField,
     allow_blank=True,
     default='',
-    label=_('Cluster-wide Tower unique identifier.'),
-    help_text=_('Useful to uniquely identify Tower instances.'),
+    label=_('Cluster-wide unique identifier.'),
+    help_text=_('Useful to uniquely identify instances.'),
     category=_('Logging'),
     category_slug='logging',
 )
@@ -698,7 +560,7 @@ register(
     field_class=fields.IntegerField,
     default=5,
     label=_('TCP Connection Timeout'),
-    help_text=_('Number of seconds for a TCP connection to external log ' 'aggregator to timeout. Applies to HTTPS and TCP log ' 'aggregator protocols.'),
+    help_text=_('Number of seconds for a TCP connection to external log aggregator to timeout. Applies to HTTPS and TCP log aggregator protocols.'),
     category=_('Logging'),
     category_slug='logging',
     unit=_('seconds'),
@@ -710,7 +572,7 @@ register(
     label=_('Enable/disable HTTPS certificate verification'),
     help_text=_(
         'Flag to control enable/disable of certificate verification'
-        ' when LOG_AGGREGATOR_PROTOCOL is "https". If enabled, Tower\'s'
+        ' when LOG_AGGREGATOR_PROTOCOL is "https". If enabled, the'
         ' log handler will verify certificate sent by external log aggregator'
         ' before establishing connection.'
     ),
@@ -764,7 +626,7 @@ register(
     field_class=fields.BooleanField,
     default=False,
     label=_('Enable rsyslogd debugging'),
-    help_text=_('Enabled high verbosity debugging for rsyslogd.  ' 'Useful for debugging connection issues for external log aggregation.'),
+    help_text=_('Enabled high verbosity debugging for rsyslogd.  Useful for debugging connection issues for external log aggregation.'),
     category=_('Logging'),
     category_slug='logging',
 )
@@ -773,7 +635,7 @@ register(
 register(
     'AUTOMATION_ANALYTICS_LAST_GATHER',
     field_class=fields.DateTimeField,
-    label=_('Last gather date for Automation Analytics.'),
+    label=_('Last gather date for Insights for Ansible Automation Platform.'),
     allow_null=True,
     category=_('System'),
     category_slug='system',
@@ -781,7 +643,7 @@ register(
 register(
     'AUTOMATION_ANALYTICS_LAST_ENTRIES',
     field_class=fields.CharField,
-    label=_('Last gathered entries for expensive Automation Analytics collectors.'),
+    label=_('Last gathered entries for expensive collectors for Insights for Ansible Automation Platform.'),
     default='',
     allow_blank=True,
     category=_('System'),
@@ -792,7 +654,7 @@ register(
 register(
     'AUTOMATION_ANALYTICS_GATHER_INTERVAL',
     field_class=fields.IntegerField,
-    label=_('Automation Analytics Gather Interval'),
+    label=_('Insights for Ansible Automation Platform Gather Interval'),
     help_text=_('Interval (in seconds) between data gathering.'),
     default=14400,  # every 4 hours
     min_value=1800,  # every 30 minutes

awx/main/constants.py

@@ -7,7 +7,6 @@ from django.utils.translation import ugettext_lazy as _
 
 __all__ = [
     'CLOUD_PROVIDERS',
-    'SCHEDULEABLE_PROVIDERS',
     'PRIVILEGE_ESCALATION_METHODS',
     'ANSI_SGR_PATTERN',
     'CAN_CANCEL',
@@ -16,10 +15,6 @@ __all__ = [
 ]
 
 CLOUD_PROVIDERS = ('azure_rm', 'ec2', 'gce', 'vmware', 'openstack', 'rhv', 'satellite6', 'tower')
-SCHEDULEABLE_PROVIDERS = CLOUD_PROVIDERS + (
-    'custom',
-    'scm',
-)
 PRIVILEGE_ESCALATION_METHODS = [
     ('sudo', _('Sudo')),
     ('su', _('Su')),

awx/main/dispatch/reaper.py

@@ -18,7 +18,7 @@ def reap_job(j, status):
     j.start_args = ''  # blank field to remove encrypted passwords
     j.job_explanation += ' '.join(
         (
-            'Task was marked as running in Tower but was not present in',
+            'Task was marked as running but was not present in',
             'the job queue, so it has been marked as failed.',
         )
     )
@@ -37,7 +37,7 @@ def reap(instance=None, status='failed', excluded_uuids=[]):
     if me is None:
         (changed, me) = Instance.objects.get_or_register()
         if changed:
-            logger.info("Registered tower node '{}'".format(me.hostname))
+            logger.info("Registered node '{}'".format(me.hostname))
     now = tz_now()
     workflow_ctype_id = ContentType.objects.get_for_model(WorkflowJob).id
     jobs = UnifiedJob.objects.filter(

awx/main/isolated/.gitignore

@@ -1 +0,0 @@
-authorized_keys

awx/main/isolated/manager.py

@@ -1,365 +0,0 @@
-import fnmatch
-import json
-import os
-import shutil
-import stat
-import tempfile
-import time
-import logging
-import datetime
-
-from django.conf import settings
-import ansible_runner
-
-import awx
-from awx.main.utils import get_system_task_capacity
-
-logger = logging.getLogger('awx.isolated.manager')
-playbook_logger = logging.getLogger('awx.isolated.manager.playbooks')
-
-
-def set_pythonpath(venv_libdir, env):
-    env.pop('PYTHONPATH', None)  # default to none if no python_ver matches
-    for version in os.listdir(venv_libdir):
-        if fnmatch.fnmatch(version, 'python[23].*'):
-            if os.path.isdir(os.path.join(venv_libdir, version)):
-                env['PYTHONPATH'] = os.path.join(venv_libdir, version, "site-packages") + ":"
-                break
-
-
-class IsolatedManager(object):
-    def __init__(self, event_handler, canceled_callback=None, check_callback=None):
-        """
-        :param event_handler: a callable used to persist event data from isolated nodes
-        :param canceled_callback:  a callable - which returns `True` or `False`
-                                    - signifying if the job has been prematurely
-                                      canceled
-        """
-        self.event_handler = event_handler
-        self.canceled_callback = canceled_callback
-        self.check_callback = check_callback
-        self.started_at = None
-        self.captured_command_artifact = False
-        self.instance = None
-
-    def build_inventory(self, hosts):
-        inventory = '\n'.join(['{} ansible_ssh_user={}'.format(host, settings.AWX_ISOLATED_USERNAME) for host in hosts])
-
-        return inventory
-
-    def build_runner_params(self, hosts, verbosity=1):
-        env = dict(os.environ.items())
-        env['ANSIBLE_RETRY_FILES_ENABLED'] = 'False'
-        env['ANSIBLE_HOST_KEY_CHECKING'] = str(settings.AWX_ISOLATED_HOST_KEY_CHECKING)
-        env['ANSIBLE_LIBRARY'] = os.path.join(os.path.dirname(awx.__file__), 'plugins', 'isolated')
-        env['ANSIBLE_COLLECTIONS_PATHS'] = settings.AWX_ANSIBLE_COLLECTIONS_PATHS
-        set_pythonpath(os.path.join(settings.ANSIBLE_VENV_PATH, 'lib'), env)
-
-        def finished_callback(runner_obj):
-            if runner_obj.status == 'failed' and runner_obj.config.playbook != 'check_isolated.yml':
-                # failed for clean_isolated.yml just means the playbook hasn't
-                # exited on the isolated host
-                stdout = runner_obj.stdout.read()
-                playbook_logger.error(stdout)
-            elif runner_obj.status == 'timeout':
-                # this means that the default idle timeout of
-                # (2 * AWX_ISOLATED_CONNECTION_TIMEOUT) was exceeded
-                # (meaning, we tried to sync with an isolated node, and we got
-                # no new output for 2 * AWX_ISOLATED_CONNECTION_TIMEOUT seconds)
-                # this _usually_ means SSH key auth from the controller ->
-                # isolated didn't work, and ssh is hung waiting on interactive
-                # input e.g.,
-                #
-                # awx@isolated's password:
-                stdout = runner_obj.stdout.read()
-                playbook_logger.error(stdout)
-            else:
-                playbook_logger.info(runner_obj.stdout.read())
-
-        return {
-            'project_dir': os.path.abspath(os.path.join(os.path.dirname(awx.__file__), 'playbooks')),
-            'inventory': self.build_inventory(hosts),
-            'envvars': env,
-            'finished_callback': finished_callback,
-            'verbosity': verbosity,
-            'cancel_callback': self.canceled_callback,
-            'settings': {
-                'job_timeout': settings.AWX_ISOLATED_LAUNCH_TIMEOUT,
-                'suppress_ansible_output': True,
-            },
-        }
-
-    def path_to(self, *args):
-        return os.path.join(self.private_data_dir, *args)
-
-    def run_management_playbook(self, playbook, private_data_dir, idle_timeout=None, **kw):
-        iso_dir = tempfile.mkdtemp(prefix=playbook, dir=private_data_dir)
-        params = self.runner_params.copy()
-        params.get('envvars', dict())['ANSIBLE_CALLBACK_WHITELIST'] = 'profile_tasks'
-        params['playbook'] = playbook
-        params['private_data_dir'] = iso_dir
-        if idle_timeout:
-            params['settings']['idle_timeout'] = idle_timeout
-        else:
-            params['settings'].pop('idle_timeout', None)
-        params.update(**kw)
-        if all([getattr(settings, 'AWX_ISOLATED_KEY_GENERATION', False) is True, getattr(settings, 'AWX_ISOLATED_PRIVATE_KEY', None)]):
-            params['ssh_key'] = settings.AWX_ISOLATED_PRIVATE_KEY
-        return ansible_runner.interface.run(**params)
-
-    def dispatch(self, playbook=None, module=None, module_args=None):
-        """
-        Ship the runner payload to a remote host for isolated execution.
-        """
-        self.handled_events = set()
-        self.started_at = time.time()
-
-        # exclude certain files from the rsync
-        rsync_exclude = [
-            # don't rsync source control metadata (it can be huge!)
-            '- /project/.git',
-            '- /project/.svn',
-            # don't rsync job events that are in the process of being written
-            '- /artifacts/job_events/*-partial.json.tmp',
-            # don't rsync the ssh_key FIFO
-            '- /env/ssh_key',
-            # don't rsync kube config files
-            '- .kubeconfig*',
-        ]
-
-        for filename, data in (['.rsync-filter', '\n'.join(rsync_exclude)],):
-            path = self.path_to(filename)
-            with open(path, 'w') as f:
-                f.write(data)
-            os.chmod(path, stat.S_IRUSR)
-
-        extravars = {
-            'src': self.private_data_dir,
-            'dest': settings.AWX_ISOLATION_BASE_PATH,
-            'ident': self.ident,
-            'job_id': self.instance.id,
-        }
-        if playbook:
-            extravars['playbook'] = playbook
-        if module and module_args:
-            extravars['module'] = module
-            extravars['module_args'] = module_args
-
-        logger.debug('Starting job {} on isolated host with `run_isolated.yml` playbook.'.format(self.instance.id))
-        runner_obj = self.run_management_playbook(
-            'run_isolated.yml', self.private_data_dir, idle_timeout=max(60, 2 * settings.AWX_ISOLATED_CONNECTION_TIMEOUT), extravars=extravars
-        )
-
-        if runner_obj.status == 'failed':
-            self.instance.result_traceback = runner_obj.stdout.read()
-            self.instance.save(update_fields=['result_traceback'])
-            return 'error', runner_obj.rc
-
-        return runner_obj.status, runner_obj.rc
-
-    def check(self, interval=None):
-        """
-        Repeatedly poll the isolated node to determine if the job has run.
-
-        On success, copy job artifacts to the controlling node.
-        On failure, continue to poll the isolated node (until the job timeout
-        is exceeded).
-
-        For a completed job run, this function returns (status, rc),
-        representing the status and return code of the isolated
-        `ansible-playbook` run.
-
-        :param interval: an interval (in seconds) to wait between status polls
-        """
-        interval = interval if interval is not None else settings.AWX_ISOLATED_CHECK_INTERVAL
-        extravars = {'src': self.private_data_dir, 'job_id': self.instance.id}
-        status = 'failed'
-        rc = None
-        last_check = time.time()
-
-        while status == 'failed':
-            canceled = self.canceled_callback() if self.canceled_callback else False
-            if not canceled and time.time() - last_check < interval:
-                # If the job isn't canceled, but we haven't waited `interval` seconds, wait longer
-                time.sleep(1)
-                continue
-
-            if canceled:
-                logger.warning('Isolated job {} was manually canceled.'.format(self.instance.id))
-
-            logger.debug('Checking on isolated job {} with `check_isolated.yml`.'.format(self.instance.id))
-            time_start = datetime.datetime.now()
-            runner_obj = self.run_management_playbook('check_isolated.yml', self.private_data_dir, extravars=extravars)
-            time_end = datetime.datetime.now()
-            time_diff = time_end - time_start
-            logger.debug('Finished checking on isolated job {} with `check_isolated.yml` took {} seconds.'.format(self.instance.id, time_diff.total_seconds()))
-            status, rc = runner_obj.status, runner_obj.rc
-
-            if self.check_callback is not None and not self.captured_command_artifact:
-                command_path = self.path_to('artifacts', self.ident, 'command')
-                # If the configuration artifact has been synced back, update the model
-                if os.path.exists(command_path):
-                    try:
-                        with open(command_path, 'r') as f:
-                            data = json.load(f)
-                        self.check_callback(data)
-                        self.captured_command_artifact = True
-                    except json.decoder.JSONDecodeError:  # Just in case it's not fully here yet.
-                        pass
-
-            self.consume_events()
-
-            last_check = time.time()
-
-        if status == 'successful':
-            status_path = self.path_to('artifacts', self.ident, 'status')
-            rc_path = self.path_to('artifacts', self.ident, 'rc')
-            if os.path.exists(status_path):
-                with open(status_path, 'r') as f:
-                    status = f.readline()
-                with open(rc_path, 'r') as f:
-                    rc = int(f.readline())
-            else:
-                # if there's no status file, it means that runner _probably_
-                # exited with a traceback (which should be logged to
-                # daemon.log)  Record it so we can see how runner failed.
-                daemon_path = self.path_to('daemon.log')
-                if os.path.exists(daemon_path):
-                    with open(daemon_path, 'r') as f:
-                        self.instance.result_traceback = f.read()
-                        self.instance.save(update_fields=['result_traceback'])
-                else:
-                    logger.error('Failed to rsync daemon.log (is ansible-runner installed on the isolated host?)')
-                status = 'failed'
-                rc = 1
-
-        # consume events one last time just to be sure we didn't miss anything
-        # in the final sync
-        self.consume_events()
-
-        return status, rc
-
-    def consume_events(self):
-        # discover new events and ingest them
-        events_path = self.path_to('artifacts', self.ident, 'job_events')
-
-        # it's possible that `events_path` doesn't exist *yet*, because runner
-        # hasn't actually written any events yet (if you ran e.g., a sleep 30)
-        # only attempt to consume events if any were rsynced back
-        if os.path.exists(events_path):
-            for event in set(os.listdir(events_path)) - self.handled_events:
-                path = os.path.join(events_path, event)
-                if os.path.exists(path) and os.path.isfile(path):
-                    try:
-                        event_data = json.load(open(os.path.join(events_path, event), 'r'))
-                    except json.decoder.JSONDecodeError:
-                        # This means the event we got back isn't valid JSON
-                        # that can happen if runner is still partially
-                        # writing an event file while it's rsyncing
-                        # these event writes are _supposed_ to be atomic
-                        # but it doesn't look like they actually are in
-                        # practice
-                        # in this scenario, just ignore this event and try it
-                        # again on the next sync
-                        continue
-                    self.event_handler(event_data)
-                    self.handled_events.add(event)
-
-    def cleanup(self):
-        extravars = {
-            'private_data_dir': self.private_data_dir,
-            'cleanup_dirs': [
-                self.private_data_dir,
-            ],
-        }
-        logger.debug('Cleaning up job {} on isolated host with `clean_isolated.yml` playbook.'.format(self.instance.id))
-        self.run_management_playbook('clean_isolated.yml', self.private_data_dir, extravars=extravars)
-
-    @classmethod
-    def update_capacity(cls, instance, task_result):
-        instance.version = 'ansible-runner-{}'.format(task_result['version'])
-
-        if instance.capacity == 0 and task_result['capacity_cpu']:
-            logger.warning('Isolated instance {} has re-joined.'.format(instance.hostname))
-        instance.cpu = int(task_result['cpu'])
-        instance.memory = int(task_result['mem'])
-        instance.cpu_capacity = int(task_result['capacity_cpu'])
-        instance.mem_capacity = int(task_result['capacity_mem'])
-        instance.capacity = get_system_task_capacity(
-            scale=instance.capacity_adjustment, cpu_capacity=int(task_result['capacity_cpu']), mem_capacity=int(task_result['capacity_mem'])
-        )
-        instance.save(update_fields=['cpu', 'memory', 'cpu_capacity', 'mem_capacity', 'capacity', 'version', 'modified'])
-
-    def health_check(self, instance_qs):
-        """
-        :param instance_qs:         List of Django objects representing the
-                                    isolated instances to manage
-        Runs playbook that will
-         - determine if instance is reachable
-         - find the instance capacity
-         - clean up orphaned private files
-        Performs save on each instance to update its capacity.
-        """
-        instance_qs = [i for i in instance_qs if i.enabled]
-        if not len(instance_qs):
-            return
-        try:
-            private_data_dir = tempfile.mkdtemp(prefix='awx_iso_heartbeat_', dir=settings.AWX_ISOLATION_BASE_PATH)
-            self.runner_params = self.build_runner_params([instance.hostname for instance in instance_qs])
-            self.runner_params['private_data_dir'] = private_data_dir
-            self.runner_params['forks'] = len(instance_qs)
-            runner_obj = self.run_management_playbook('heartbeat_isolated.yml', private_data_dir)
-
-            for instance in instance_qs:
-                task_result = {}
-                try:
-                    task_result = runner_obj.get_fact_cache(instance.hostname)
-                except Exception:
-                    logger.exception('Failed to read status from isolated instances')
-                if 'awx_capacity_cpu' in task_result and 'awx_capacity_mem' in task_result:
-                    task_result = {
-                        'cpu': task_result['awx_cpu'],
-                        'mem': task_result['awx_mem'],
-                        'capacity_cpu': task_result['awx_capacity_cpu'],
-                        'capacity_mem': task_result['awx_capacity_mem'],
-                        'version': task_result['awx_capacity_version'],
-                    }
-                    IsolatedManager.update_capacity(instance, task_result)
-                    logger.debug('Isolated instance {} successful heartbeat'.format(instance.hostname))
-                elif instance.capacity == 0:
-                    logger.debug('Isolated instance {} previously marked as lost, could not re-join.'.format(instance.hostname))
-                else:
-                    logger.warning('Could not update status of isolated instance {}'.format(instance.hostname))
-                    if instance.is_lost(isolated=True):
-                        instance.capacity = 0
-                        instance.save(update_fields=['capacity'])
-                        logger.error('Isolated instance {} last checked in at {}, marked as lost.'.format(instance.hostname, instance.modified))
-        finally:
-            if os.path.exists(private_data_dir):
-                shutil.rmtree(private_data_dir)
-
-    def run(self, instance, private_data_dir, playbook, module, module_args, ident=None):
-        """
-        Run a job on an isolated host.
-
-        :param instance:         a `model.Job` instance
-        :param private_data_dir: an absolute path on the local file system
-                                 where job-specific data should be written
-                                 (i.e., `/tmp/awx_N_xyz/`)
-        :param playbook:         the playbook to run
-        :param module:           the module to run
-        :param module_args:      the module args to use
-
-        For a completed job run, this function returns (status, rc),
-        representing the status and return code of the isolated
-        `ansible-playbook` run.
-        """
-        self.ident = ident
-        self.instance = instance
-        self.private_data_dir = private_data_dir
-        self.runner_params = self.build_runner_params([instance.execution_node], verbosity=min(5, self.instance.verbosity))
-
-        status, rc = self.dispatch(playbook, module, module_args)
-        if status == 'successful':
-            status, rc = self.check()
-        return status, rc

awx/main/management/commands/check_migrations.py

@@ -1,13 +1,5 @@
-from django.db import connections
-from django.db.backends.sqlite3.base import DatabaseWrapper
 from django.core.management.commands.makemigrations import Command as MakeMigrations
 
 
 class Command(MakeMigrations):
-    def execute(self, *args, **options):
-        settings = connections['default'].settings_dict.copy()
-        settings['ENGINE'] = 'sqlite3'
-        if 'application_name' in settings['OPTIONS']:
-            del settings['OPTIONS']['application_name']
-        connections['default'] = DatabaseWrapper(settings)
-        return MakeMigrations().execute(*args, **options)
+    pass

awx/main/management/commands/create_preload_data.py

@@ -69,7 +69,7 @@ class Command(BaseCommand):
                     changed = True
 
                 for ee in reversed(settings.DEFAULT_EXECUTION_ENVIRONMENTS):
-                    _, created = ExecutionEnvironment.objects.get_or_create(name=ee['name'], defaults={'image': ee['image'], 'managed_by_tower': True})
+                    _, created = ExecutionEnvironment.objects.update_or_create(name=ee['name'], defaults={'image': ee['image'], 'managed_by_tower': True})
 
                 if created:
                     changed = True

awx/main/management/commands/deprovision_instance.py

@@ -10,7 +10,7 @@ from awx.main.utils.pglock import advisory_lock
 
 class Command(BaseCommand):
     """
-    Deprovision a Tower cluster node
+    Deprovision a cluster node
     """
 
     help = 'Remove instance from the database. ' 'Specify `--hostname` to use this command.'

awx/main/management/commands/expire_sessions.py

@@ -31,6 +31,7 @@ class Command(BaseCommand):
         for session in sessions:
             user_id = session.get_decoded().get('_auth_user_id')
             if (user is None) or (user_id and user.id == int(user_id)):
+                # The Session model instance doesn't have .flush(), we need a SessionStore instance.
                 session = import_module(settings.SESSION_ENGINE).SessionStore(session.session_key)
                 # Log out the session, but without the need for a request object.
                 session.flush()

awx/main/management/commands/export_custom_scripts.py

@@ -0,0 +1,36 @@
+import tempfile
+import tarfile
+import stat
+import os
+
+from awx.main.models.inventory import CustomInventoryScript
+
+from django.core.management.base import BaseCommand
+from django.utils.text import slugify
+
+
+class Command(BaseCommand):
+
+    help = 'Export custom inventory scripts into a tarfile.'
+
+    def add_arguments(self, parser):
+        parser.add_argument('--filename', dest='filename', type=str, default='custom_scripts.tar', help='Filename of the output tar file')
+
+    def handle(self, **options):
+        tar_filename = options.get('filename')
+
+        with tempfile.TemporaryDirectory() as tmpdirname:
+            with tarfile.open(tar_filename, "w") as tar:
+
+                for cis in CustomInventoryScript.objects.all():
+                    # naming convention similar to project paths
+                    slug_name = slugify(str(cis.name)).replace(u'-', u'_')
+                    script_filename = u'_%d__%s' % (int(cis.pk), slug_name)
+                    script_path = os.path.join(tmpdirname, script_filename)
+
+                    with open(script_path, 'w') as f:
+                        f.write(cis.script)
+                    os.chmod(script_path, stat.S_IRWXU)
+                    tar.add(script_path, arcname=script_filename)
+
+        print('Dump of old custom inventory scripts at {}'.format(tar_filename))

awx/main/management/commands/generate_isolated_key.py

@@ -1,38 +0,0 @@
-# Copyright (c) 2015 Ansible, Inc.
-# All Rights Reserved
-import datetime
-from django.utils.encoding import smart_str
-
-from cryptography.hazmat.backends import default_backend
-from cryptography.hazmat.primitives import serialization
-from cryptography.hazmat.primitives.asymmetric import rsa
-from django.conf import settings
-from django.core.management.base import BaseCommand
-
-from awx.conf.models import Setting
-
-
-class Command(BaseCommand):
-    """Generate and store a randomized RSA key for SSH traffic to isolated instances"""
-
-    help = 'Generates and stores a randomized RSA key for SSH traffic to isolated instances'
-
-    def handle(self, *args, **kwargs):
-        if getattr(settings, 'AWX_ISOLATED_PRIVATE_KEY', False):
-            print(settings.AWX_ISOLATED_PUBLIC_KEY)
-            return
-
-        key = rsa.generate_private_key(public_exponent=65537, key_size=4096, backend=default_backend())
-        Setting.objects.create(
-            key='AWX_ISOLATED_PRIVATE_KEY',
-            value=key.private_bytes(
-                encoding=serialization.Encoding.PEM, format=serialization.PrivateFormat.TraditionalOpenSSL, encryption_algorithm=serialization.NoEncryption()
-            ),
-        ).save()
-        pemfile = Setting.objects.create(
-            key='AWX_ISOLATED_PUBLIC_KEY',
-            value=smart_str(key.public_key().public_bytes(encoding=serialization.Encoding.OpenSSH, format=serialization.PublicFormat.OpenSSH))
-            + " generated-by-awx@%s" % datetime.datetime.utcnow().isoformat(),
-        )
-        pemfile.save()
-        print(pemfile.value)

awx/main/management/commands/host_metric.py

@@ -0,0 +1,54 @@
+from django.core.management.base import BaseCommand
+import datetime
+from django.core.serializers.json import DjangoJSONEncoder
+from awx.main.models.inventory import HostMetric
+import json
+
+
+class Command(BaseCommand):
+
+    help = 'This is for offline licensing usage'
+
+    def add_arguments(self, parser):
+        parser.add_argument('--since', type=datetime.datetime.fromisoformat, help='Start Date in ISO format YYYY-MM-DD')
+        parser.add_argument('--until', type=datetime.datetime.fromisoformat, help='End Date in ISO format YYYY-MM-DD')
+        parser.add_argument('--json', action='store_true', help='Select output as JSON')
+
+    def handle(self, *args, **options):
+        since = options.get('since')
+        until = options.get('until')
+
+        if since is None and until is None:
+            print("No Arguments received")
+            return None
+
+        if since is not None and since.tzinfo is None:
+            since = since.replace(tzinfo=datetime.timezone.utc)
+
+        if until is not None and until.tzinfo is None:
+            until = until.replace(tzinfo=datetime.timezone.utc)
+
+        filter_kwargs = {}
+        if since is not None:
+            filter_kwargs['last_automation__gte'] = since
+        if until is not None:
+            filter_kwargs['last_automation__lte'] = until
+
+        result = HostMetric.objects.filter(**filter_kwargs)
+
+        # if --json flag is set, output the result in json format
+        if options['json']:
+            list_of_queryset = list(result.values('hostname', 'first_automation', 'last_automation'))
+            json_result = json.dumps(list_of_queryset, cls=DjangoJSONEncoder)
+            print(json_result)
+
+        # --json flag is not set, output in plain text
+        else:
+            print(f"Total Number of hosts automated: {len(result)}")
+            for item in result:
+                print(
+                    "Hostname : {hostname} | first_automation : {first_automation} | last_automation : {last_automation}".format(
+                        hostname=item.hostname, first_automation=item.first_automation, last_automation=item.last_automation
+                    )
+                )
+        return

awx/main/management/commands/inventory_import.py

@@ -10,7 +10,6 @@ import subprocess
 import sys
 import time
 import traceback
-import shutil
 
 # Django
 from django.conf import settings
@@ -75,17 +74,6 @@ class AnsibleInventoryLoader(object):
         else:
             self.venv_path = settings.ANSIBLE_VENV_PATH
 
-    def get_path_to_ansible_inventory(self):
-        venv_exe = os.path.join(self.venv_path, 'bin', 'ansible-inventory')
-        if os.path.exists(venv_exe):
-            return venv_exe
-        elif os.path.exists(os.path.join(self.venv_path, 'bin', 'ansible')):
-            # if bin/ansible exists but bin/ansible-inventory doesn't, it's
-            # probably a really old version of ansible that doesn't support
-            # ansible-inventory
-            raise RuntimeError("{} does not exist (please upgrade to ansible >= 2.4)".format(venv_exe))
-        return shutil.which('ansible-inventory')
-
     def get_base_args(self):
         bargs = ['podman', 'run', '--user=root', '--quiet']
         bargs.extend(['-v', '{0}:{0}:Z'.format(self.source)])
@@ -147,9 +135,6 @@ class Command(BaseCommand):
         parser.add_argument('--overwrite', dest='overwrite', action='store_true', default=False, help='overwrite the destination hosts and groups')
         parser.add_argument('--overwrite-vars', dest='overwrite_vars', action='store_true', default=False, help='overwrite (rather than merge) variables')
         parser.add_argument('--keep-vars', dest='keep_vars', action='store_true', default=False, help='DEPRECATED legacy option, has no effect')
-        parser.add_argument(
-            '--custom', dest='custom', action='store_true', default=False, help='DEPRECATED indicates a custom inventory script, no longer used'
-        )
         parser.add_argument('--source', dest='source', type=str, default=None, metavar='s', help='inventory directory, file, or script to load')
         parser.add_argument(
             '--enabled-var',

awx/main/management/commands/list_instances.py

@@ -10,7 +10,6 @@ class Ungrouped(object):
     name = 'ungrouped'
     policy_instance_percentage = None
     policy_instance_minimum = None
-    controller = None
 
     @property
     def instances(self):
@@ -18,7 +17,7 @@ class Ungrouped(object):
 
     @property
     def capacity(self):
-        return sum([x.capacity for x in self.instances])
+        return sum(x.capacity for x in self.instances)
 
 
 class Command(BaseCommand):
@@ -38,8 +37,6 @@ class Command(BaseCommand):
                 fmt += ' policy={0.policy_instance_percentage}%'
             if instance_group.policy_instance_minimum:
                 fmt += ' policy>={0.policy_instance_minimum}'
-            if instance_group.controller:
-                fmt += ' controller={0.controller.name}'
             print((fmt + ']').format(instance_group))
             for x in instance_group.instances.all():
                 color = '\033[92m'
@@ -48,8 +45,6 @@ class Command(BaseCommand):
                 if x.enabled is False:
                     color = '\033[90m[DISABLED] '
                 fmt = '\t' + color + '{0.hostname} capacity={0.capacity} version={1}'
-                if x.last_isolated_check:
-                    fmt += ' last_isolated_check="{0.last_isolated_check:%Y-%m-%d %H:%M:%S}"'
                 if x.capacity:
                     fmt += ' heartbeat="{0.modified:%Y-%m-%d %H:%M:%S}"'
                 print((fmt + '\033[0m').format(x, x.version or '?'))

awx/main/management/commands/provision_instance.py

@@ -1,13 +1,11 @@
 # Copyright (c) 2015 Ansible, Inc.
 # All Rights Reserved
 
-from uuid import uuid4
+from django.conf import settings
+from django.core.management.base import BaseCommand, CommandError
+from django.db import transaction
 
 from awx.main.models import Instance
-from django.conf import settings
-
-from django.db import transaction
-from django.core.management.base import BaseCommand, CommandError
 
 
 class Command(BaseCommand):
@@ -20,7 +18,6 @@ class Command(BaseCommand):
 
     def add_arguments(self, parser):
         parser.add_argument('--hostname', dest='hostname', type=str, help='Hostname used during provisioning')
-        parser.add_argument('--is-isolated', dest='is_isolated', action='store_true', help='Specify whether the instance is isolated')
 
     def _register_hostname(self, hostname):
         if not hostname:
@@ -36,10 +33,7 @@ class Command(BaseCommand):
     def handle(self, **options):
         if not options.get('hostname'):
             raise CommandError("Specify `--hostname` to use this command.")
-        if options['is_isolated']:
-            self.uuid = str(uuid4())
-        else:
-            self.uuid = settings.SYSTEM_UUID
+        self.uuid = settings.SYSTEM_UUID
         self.changed = False
         self._register_hostname(options.get('hostname'))
         if self.changed:

awx/main/management/commands/regenerate_secret_key.py

@@ -16,8 +16,7 @@ from awx.main.utils.encryption import encrypt_field, decrypt_field, encrypt_valu
 
 class Command(BaseCommand):
     """
-    Regenerate a new SECRET_KEY value and re-encrypt every secret in the
-    Tower database.
+    Regenerate a new SECRET_KEY value and re-encrypt every secret in the database.
     """
 
     @transaction.atomic

awx/main/management/commands/register_queue.py

@@ -17,10 +17,9 @@ class InstanceNotFound(Exception):
 
 
 class RegisterQueue:
-    def __init__(self, queuename, controller, instance_percent, inst_min, hostname_list, is_container_group=None):
+    def __init__(self, queuename, instance_percent, inst_min, hostname_list, is_container_group=None):
         self.instance_not_found_err = None
         self.queuename = queuename
-        self.controller = controller
         self.instance_percent = instance_percent
         self.instance_min = inst_min
         self.hostname_list = hostname_list
@@ -46,20 +45,6 @@ class RegisterQueue:
 
         return (ig, created, changed)
 
-    def update_instance_group_controller(self, ig):
-        changed = False
-        control_ig = None
-
-        if self.controller:
-            control_ig = InstanceGroup.objects.filter(name=self.controller).first()
-
-        if control_ig and ig.controller_id != control_ig.pk:
-            ig.controller = control_ig
-            ig.save()
-            changed = True
-
-        return (control_ig, changed)
-
     def add_instances_to_group(self, ig):
         changed = False
 
@@ -88,26 +73,20 @@ class RegisterQueue:
         with advisory_lock('cluster_policy_lock'):
             with transaction.atomic():
                 changed2 = False
-                changed3 = False
                 (ig, created, changed1) = self.get_create_update_instance_group()
                 if created:
                     print("Creating instance group {}".format(ig.name))
                 elif not created:
                     print("Instance Group already registered {}".format(ig.name))
 
-                if self.controller:
-                    (ig_ctrl, changed2) = self.update_instance_group_controller(ig)
-                    if changed2:
-                        print("Set controller group {} on {}.".format(self.controller, self.queuename))
-
                 try:
-                    (instances, changed3) = self.add_instances_to_group(ig)
+                    (instances, changed2) = self.add_instances_to_group(ig)
                     for i in instances:
                         print("Added instance {} to {}".format(i.hostname, ig.name))
                 except InstanceNotFound as e:
                     self.instance_not_found_err = e
 
-        if any([changed1, changed2, changed3]):
+        if changed1 or changed2:
             print('(changed: True)')
 
 
@@ -117,7 +96,6 @@ class Command(BaseCommand):
         parser.add_argument(
             '--hostnames', dest='hostnames', type=str, help='Comma-Delimited Hosts to add to the Queue (will not remove already assigned instances)'
         )
-        parser.add_argument('--controller', dest='controller', type=str, default='', help='The controlling group (makes this an isolated group)')
         parser.add_argument(
             '--instance_percent', dest='instance_percent', type=int, default=0, help='The percentage of active instances that will be assigned to this group'
         ),
@@ -133,14 +111,13 @@ class Command(BaseCommand):
         queuename = options.get('queuename')
         if not queuename:
             raise CommandError("Specify `--queuename` to use this command.")
-        ctrl = options.get('controller')
         inst_per = options.get('instance_percent')
         instance_min = options.get('instance_minimum')
         hostname_list = []
         if options.get('hostnames'):
             hostname_list = options.get('hostnames').split(",")
 
-        rq = RegisterQueue(queuename, ctrl, inst_per, instance_min, hostname_list)
+        rq = RegisterQueue(queuename, inst_per, instance_min, hostname_list)
         rq.register()
         if rq.instance_not_found_err:
             print(rq.instance_not_found_err.message)

awx/main/management/commands/run_wsbroadcast.py

@@ -10,7 +10,6 @@ from datetime import datetime as dt
 
 from django.core.management.base import BaseCommand
 from django.db import connection
-from django.db.models import Q
 from django.db.migrations.executor import MigrationExecutor
 
 from awx.main.analytics.broadcast_websocket import (
@@ -140,7 +139,7 @@ class Command(BaseCommand):
                     data[family.name] = family.samples[0].value
 
             me = Instance.objects.me()
-            hostnames = [i.hostname for i in Instance.objects.exclude(Q(hostname=me.hostname) | Q(rampart_groups__controller__isnull=False))]
+            hostnames = [i.hostname for i in Instance.objects.exclude(hostname=me.hostname)]
 
             host_stats = Command.get_connection_status(me, hostnames, data)
             lines = Command._format_lines(host_stats)

awx/main/management/commands/test_isolated_connection.py

@@ -1,47 +0,0 @@
-import os
-import shutil
-import sys
-import tempfile
-
-from django.conf import settings
-from django.core.management.base import BaseCommand, CommandError
-
-import ansible_runner
-
-from awx.main.isolated.manager import set_pythonpath
-
-
-class Command(BaseCommand):
-    """Tests SSH connectivity between a controller and target isolated node"""
-
-    help = 'Tests SSH connectivity between a controller and target isolated node'
-
-    def add_arguments(self, parser):
-        parser.add_argument('--hostname', dest='hostname', type=str, help='Hostname of an isolated node')
-
-    def handle(self, *args, **options):
-        hostname = options.get('hostname')
-        if not hostname:
-            raise CommandError("--hostname is a required argument")
-
-        try:
-            path = tempfile.mkdtemp(prefix='awx_isolated_ssh', dir=settings.AWX_ISOLATION_BASE_PATH)
-            ssh_key = None
-            if all([getattr(settings, 'AWX_ISOLATED_KEY_GENERATION', False) is True, getattr(settings, 'AWX_ISOLATED_PRIVATE_KEY', None)]):
-                ssh_key = settings.AWX_ISOLATED_PRIVATE_KEY
-            env = dict(os.environ.items())
-            env['ANSIBLE_HOST_KEY_CHECKING'] = str(settings.AWX_ISOLATED_HOST_KEY_CHECKING)
-            set_pythonpath(os.path.join(settings.ANSIBLE_VENV_PATH, 'lib'), env)
-            res = ansible_runner.interface.run(
-                private_data_dir=path,
-                host_pattern='all',
-                inventory='{} ansible_ssh_user={}'.format(hostname, settings.AWX_ISOLATED_USERNAME),
-                module='shell',
-                module_args='ansible-runner --version',
-                envvars=env,
-                verbosity=3,
-                ssh_key=ssh_key,
-            )
-            sys.exit(res.rc)
-        finally:
-            shutil.rmtree(path)

awx/main/managers.py

@@ -142,7 +142,7 @@ class InstanceManager(models.Manager):
             pod_ip = os.environ.get('MY_POD_IP')
             registered = self.register(ip_address=pod_ip)
             is_container_group = settings.IS_K8S
-            RegisterQueue('tower', None, 100, 0, [], is_container_group).register()
+            RegisterQueue('tower', 100, 0, [], is_container_group).register()
             return registered
         else:
             return (False, self.me())
@@ -155,9 +155,6 @@ class InstanceManager(models.Manager):
         # NOTE: TODO: Likely to repurpose this once standalone ramparts are a thing
         return "tower"
 
-    def all_non_isolated(self):
-        return self.exclude(rampart_groups__controller__isnull=False)
-
 
 class InstanceGroupManager(models.Manager):
     """A custom manager class for the Instance model.

awx/main/middleware.py

@@ -7,6 +7,7 @@ import time
 import urllib.parse
 
 from django.conf import settings
+from django.contrib.auth import logout
 from django.contrib.auth.models import User
 from django.db.migrations.executor import MigrationExecutor
 from django.db import connection
@@ -71,6 +72,21 @@ class SessionTimeoutMiddleware(MiddlewareMixin):
         return response
 
 
+class DisableLocalAuthMiddleware(MiddlewareMixin):
+    """
+    Respects the presence of the DISABLE_LOCAL_AUTH setting and forces
+    local-only users to logout when they make a request.
+    """
+
+    def process_request(self, request):
+        if settings.DISABLE_LOCAL_AUTH:
+            user = request.user
+            if not user.pk:
+                return
+            if not (user.profile.ldap_dn or user.social_auth.exists() or user.enterprise_auth.exists()):
+                logout(request)
+
+
 def _customize_graph():
     from awx.main.models import Instance, Schedule, UnifiedJobTemplate
 

awx/main/migrations/0007_v320_data_migrations.py

@@ -2,12 +2,8 @@
 # Python
 from __future__ import unicode_literals
 
-# Django
-from django.db import migrations, models
-
 # AWX
 from awx.main.migrations import ActivityStreamDisabledMigration
-import awx.main.fields
 
 
 class Migration(ActivityStreamDisabledMigration):

awx/main/migrations/0010_v322_add_ovirt4_tower_inventory.py

@@ -1,10 +1,6 @@
 # -*- coding: utf-8 -*-
 from __future__ import unicode_literals
 
-# AWX
-from awx.main.migrations import _migration_utils as migration_utils
-from awx.main.migrations import _credentialtypes as credentialtypes
-
 from django.db import migrations, models
 
 

awx/main/migrations/0011_v322_encrypt_survey_passwords.py

@@ -1,7 +1,6 @@
 # -*- coding: utf-8 -*-
 from __future__ import unicode_literals
 
-from django.db import migrations
 from awx.main.migrations import ActivityStreamDisabledMigration
 
 

awx/main/migrations/0015_v330_blank_start_args.py

@@ -3,7 +3,7 @@
 from __future__ import unicode_literals
 
 # Django
-from django.db import migrations, models
+from django.db import migrations
 
 # AWX
 from awx.main.migrations import _migration_utils as migration_utils

awx/main/migrations/0016_v330_non_blank_workflow.py

@@ -2,7 +2,6 @@
 # Generated by Django 1.11.7 on 2017-12-11 16:40
 from __future__ import unicode_literals
 
-from django.conf import settings
 from django.db import migrations, models
 import django.db.models.deletion
 

awx/main/migrations/0021_v330_declare_new_rbac_roles.py

@@ -3,8 +3,7 @@
 from __future__ import unicode_literals
 
 import awx.main.fields
-from django.conf import settings
-from django.db import migrations, models
+from django.db import migrations
 import django.db.models.deletion
 
 

awx/main/migrations/0026_v330_delete_authtoken.py

@@ -2,10 +2,7 @@
 # Generated by Django 1.11.7 on 2018-02-27 17:58
 from __future__ import unicode_literals
 
-import awx.main.fields
-from django.conf import settings
-from django.db import migrations, models
-import django.db.models.deletion
+from django.db import migrations
 
 # TODO: Squash all of these migrations with '0024_v330_add_oauth_activity_stream_registrar'
 

awx/main/migrations/0028_v330_add_tower_verify.py

@@ -4,7 +4,7 @@ from __future__ import unicode_literals
 # AWX
 from awx.main.migrations import _credentialtypes as credentialtypes
 
-from django.db import migrations, models
+from django.db import migrations
 
 
 class Migration(migrations.Migration):

awx/main/migrations/0030_v330_modify_application.py

@@ -2,8 +2,6 @@
 # Generated by Django 1.11.11 on 2018-03-16 20:25
 from __future__ import unicode_literals
 
-import awx.main.fields
-from django.conf import settings
 from django.db import migrations, models
 import django.db.models.deletion
 

awx/main/migrations/0038_v330_add_deleted_activitystream_actor.py

@@ -4,9 +4,7 @@ from __future__ import unicode_literals
 
 import awx.main.fields
 import awx.main.models.activity_stream
-from django.conf import settings
-from django.db import migrations, models
-import django.db.models.deletion
+from django.db import migrations
 
 
 class Migration(migrations.Migration):

awx/main/migrations/0039_v330_custom_venv_help_text.py

@@ -2,10 +2,7 @@
 # Generated by Django 1.11.11 on 2018-05-23 20:17
 from __future__ import unicode_literals
 
-import awx.main.fields
-from django.conf import settings
 from django.db import migrations, models
-import django.db.models.deletion
 
 
 class Migration(migrations.Migration):

awx/main/migrations/0069_v350_generate_unique_install_uuid.py

@@ -3,7 +3,7 @@
 from __future__ import unicode_literals
 from uuid import uuid4
 
-from django.db import migrations, models
+from django.db import migrations
 from django.utils.timezone import now
 
 

awx/main/migrations/0076_v360_add_new_instance_group_relations.py

@@ -2,7 +2,7 @@
 # Generated by Django 1.11.20 on 2019-05-06 15:20
 from __future__ import unicode_literals
 
-from django.db import migrations, models
+from django.db import migrations
 from awx.main.fields import OrderedManyToManyField
 
 

awx/main/migrations/0084_v360_token_description.py

@@ -2,8 +2,6 @@
 
 from django.db import migrations, models
 
-import awx
-
 
 class Migration(migrations.Migration):
 

awx/main/migrations/0109_v370_job_template_organization_field.py

@@ -7,7 +7,6 @@ import django.db.models.deletion
 
 from awx.main.migrations._rbac import (
     rebuild_role_parentage,
-    rebuild_role_hierarchy,
     migrate_ujt_organization,
     migrate_ujt_organization_backward,
     restore_inventory_admins,

awx/main/migrations/0120_galaxy_credentials.py

@@ -3,15 +3,11 @@
 import logging
 
 import awx.main.fields
-from awx.main.utils.encryption import encrypt_field, decrypt_field
 
 from django.db import migrations, models
-from django.utils.timezone import now
 import django.db.models.deletion
 
 from awx.main.migrations import _galaxy as galaxy
-from awx.main.models import CredentialType as ModernCredentialType
-from awx.main.utils.common import set_current_apps
 
 logger = logging.getLogger('awx.main.migrations')
 

awx/main/migrations/0126_executionenvironment_container_options.py

@@ -16,7 +16,7 @@ class Migration(migrations.Migration):
             field=models.CharField(
                 choices=[
                     ('always', 'Always pull container before running.'),
-                    ('missing', 'No pull option has been selected.'),
+                    ('missing', 'Only pull the image if not present before running.'),
                     ('never', 'Never pull container before running.'),
                 ],
                 blank=True,

awx/main/migrations/0136_scm_track_submodules.py

@@ -0,0 +1,23 @@
+# Generated by Django 2.2.16 on 2021-04-13 19:21
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('main', '0135_schedule_sort_fallback_to_id'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='project',
+            name='scm_track_submodules',
+            field=models.BooleanField(default=False, help_text='Track submodules latest commits on defined branch.'),
+        ),
+        migrations.AddField(
+            model_name='projectupdate',
+            name='scm_track_submodules',
+            field=models.BooleanField(default=False, help_text='Track submodules latest commits on defined branch.'),
+        ),
+    ]

awx/main/migrations/0137_custom_inventory_scripts_removal_data.py

@@ -0,0 +1,17 @@
+# Generated by Django 2.2.16 on 2021-04-13 19:51
+
+from django.db import migrations
+
+# AWX migration utils
+from awx.main.migrations._inventory_source import delete_custom_inv_source
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('main', '0136_scm_track_submodules'),
+    ]
+
+    operations = [
+        migrations.RunPython(delete_custom_inv_source),
+    ]

awx/main/migrations/0138_custom_inventory_scripts_removal.py

@@ -0,0 +1,84 @@
+# Generated by Django 2.2.16 on 2021-04-13 19:51
+
+from django.db import migrations, models
+
+from awx.main.migrations._rbac import delete_all_custom_script_roles
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('main', '0137_custom_inventory_scripts_removal_data'),
+    ]
+
+    operations = [
+        migrations.RemoveField(
+            model_name='activitystream',
+            name='custom_inventory_script',
+        ),
+        migrations.RemoveField(
+            model_name='inventorysource',
+            name='source_script',
+        ),
+        migrations.RemoveField(
+            model_name='inventoryupdate',
+            name='source_script',
+        ),
+        migrations.AlterField(
+            model_name='inventorysource',
+            name='source',
+            field=models.CharField(
+                choices=[
+                    ('file', 'File, Directory or Script'),
+                    ('scm', 'Sourced from a Project'),
+                    ('ec2', 'Amazon EC2'),
+                    ('gce', 'Google Compute Engine'),
+                    ('azure_rm', 'Microsoft Azure Resource Manager'),
+                    ('vmware', 'VMware vCenter'),
+                    ('satellite6', 'Red Hat Satellite 6'),
+                    ('openstack', 'OpenStack'),
+                    ('rhv', 'Red Hat Virtualization'),
+                    ('tower', 'Ansible Tower'),
+                ],
+                default=None,
+                max_length=32,
+            ),
+        ),
+        migrations.AlterField(
+            model_name='inventoryupdate',
+            name='source',
+            field=models.CharField(
+                choices=[
+                    ('file', 'File, Directory or Script'),
+                    ('scm', 'Sourced from a Project'),
+                    ('ec2', 'Amazon EC2'),
+                    ('gce', 'Google Compute Engine'),
+                    ('azure_rm', 'Microsoft Azure Resource Manager'),
+                    ('vmware', 'VMware vCenter'),
+                    ('satellite6', 'Red Hat Satellite 6'),
+                    ('openstack', 'OpenStack'),
+                    ('rhv', 'Red Hat Virtualization'),
+                    ('tower', 'Ansible Tower'),
+                ],
+                default=None,
+                max_length=32,
+            ),
+        ),
+        migrations.AlterUniqueTogether(
+            name='custominventoryscript',
+            unique_together=set(),
+        ),
+        migrations.RemoveField(
+            model_name='custominventoryscript',
+            name='admin_role',
+        ),
+        migrations.RemoveField(
+            model_name='custominventoryscript',
+            name='organization',
+        ),
+        migrations.RemoveField(
+            model_name='custominventoryscript',
+            name='read_role',
+        ),
+        migrations.RunPython(delete_all_custom_script_roles),
+    ]

awx/main/migrations/0139_isolated_removal.py

@@ -0,0 +1,26 @@
+# Generated by Django 2.2.16 on 2021-04-21 15:02
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('main', '0138_custom_inventory_scripts_removal'),
+    ]
+
+    operations = [
+        migrations.RemoveField(
+            model_name='instance',
+            name='last_isolated_check',
+        ),
+        migrations.RemoveField(
+            model_name='instancegroup',
+            name='controller',
+        ),
+        migrations.AlterField(
+            model_name='unifiedjob',
+            name='controller_node',
+            field=models.TextField(blank=True, default='', editable=False, help_text='The instance that managed the execution environment.'),
+        ),
+    ]

awx/main/migrations/0140_rename.py

@@ -0,0 +1,90 @@
+# Generated by Django 2.2.16 on 2021-04-27 18:07
+
+import awx.main.fields
+from django.db import migrations, models
+import django.db.models.deletion
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('main', '0139_isolated_removal'),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name='credential',
+            name='credential_type',
+            field=models.ForeignKey(
+                help_text='Specify the type of credential you want to create. Refer to the documentation for details on each type.',
+                on_delete=django.db.models.deletion.CASCADE,
+                related_name='credentials',
+                to='main.CredentialType',
+            ),
+        ),
+        migrations.AlterField(
+            model_name='credential',
+            name='inputs',
+            field=awx.main.fields.CredentialInputField(
+                blank=True, default=dict, help_text='Enter inputs using either JSON or YAML syntax. Refer to the documentation for example syntax.'
+            ),
+        ),
+        migrations.AlterField(
+            model_name='credentialtype',
+            name='injectors',
+            field=awx.main.fields.CredentialTypeInjectorField(
+                blank=True, default=dict, help_text='Enter injectors using either JSON or YAML syntax. Refer to the documentation for example syntax.'
+            ),
+        ),
+        migrations.AlterField(
+            model_name='credentialtype',
+            name='inputs',
+            field=awx.main.fields.CredentialTypeInputField(
+                blank=True, default=dict, help_text='Enter inputs using either JSON or YAML syntax. Refer to the documentation for example syntax.'
+            ),
+        ),
+        migrations.AlterField(
+            model_name='inventorysource',
+            name='enabled_value',
+            field=models.TextField(
+                blank=True,
+                default='',
+                help_text='Only used when enabled_var is set. Value when the host is considered enabled. For example if enabled_var="status.power_state"and enabled_value="powered_on" with host variables:{   "status": {     "power_state": "powered_on",     "created": "2020-08-04T18:13:04+00:00",     "healthy": true    },    "name": "foobar",    "ip_address": "192.168.2.1"}The host would be marked enabled. If power_state where any value other than powered_on then the host would be disabled when imported. If the key is not found then the host will be enabled',
+            ),
+        ),
+        migrations.AlterField(
+            model_name='inventorysource',
+            name='host_filter',
+            field=models.TextField(blank=True, default='', help_text='Regex where only matching hosts will be imported.'),
+        ),
+        migrations.AlterField(
+            model_name='inventoryupdate',
+            name='enabled_value',
+            field=models.TextField(
+                blank=True,
+                default='',
+                help_text='Only used when enabled_var is set. Value when the host is considered enabled. For example if enabled_var="status.power_state"and enabled_value="powered_on" with host variables:{   "status": {     "power_state": "powered_on",     "created": "2020-08-04T18:13:04+00:00",     "healthy": true    },    "name": "foobar",    "ip_address": "192.168.2.1"}The host would be marked enabled. If power_state where any value other than powered_on then the host would be disabled when imported. If the key is not found then the host will be enabled',
+            ),
+        ),
+        migrations.AlterField(
+            model_name='inventoryupdate',
+            name='host_filter',
+            field=models.TextField(blank=True, default='', help_text='Regex where only matching hosts will be imported.'),
+        ),
+        migrations.AlterField(
+            model_name='job',
+            name='use_fact_cache',
+            field=models.BooleanField(
+                default=False,
+                help_text='If enabled, the service will act as an Ansible Fact Cache Plugin; persisting facts at the end of a playbook run to the database and caching facts for use by Ansible.',
+            ),
+        ),
+        migrations.AlterField(
+            model_name='jobtemplate',
+            name='use_fact_cache',
+            field=models.BooleanField(
+                default=False,
+                help_text='If enabled, the service will act as an Ansible Fact Cache Plugin; persisting facts at the end of a playbook run to the database and caching facts for use by Ansible.',
+            ),
+        ),
+    ]

awx/main/migrations/0141_remove_isolated_instances.py

@@ -0,0 +1,19 @@
+# Generated by Django 2.2.16 on 2021-05-11 19:38
+
+from django.db import migrations
+
+
+def forwards(apps, schema_editor):
+    Instance = apps.get_model('main', 'Instance')
+    Instance.objects.filter(version__startswith='ansible-runner-').delete()
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('main', '0140_rename'),
+    ]
+
+    operations = [
+        migrations.RunPython(forwards),
+    ]

awx/main/migrations/0142_update_ee_image_field_description.py

@@ -0,0 +1,22 @@
+# Generated by Django 2.2.16 on 2021-05-12 20:08
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('main', '0141_remove_isolated_instances'),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name='executionenvironment',
+            name='image',
+            field=models.CharField(
+                help_text='The full image location, including the container registry, image name, and version tag.',
+                max_length=1024,
+                verbose_name='image location',
+            ),
+        ),
+    ]

awx/main/migrations/0143_hostmetric.py

@@ -0,0 +1,21 @@
+# Generated by Django 2.2.16 on 2021-05-18 18:08
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('main', '0142_update_ee_image_field_description'),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name='HostMetric',
+            fields=[
+                ('hostname', models.CharField(max_length=512, primary_key=True, serialize=False)),
+                ('first_automation', models.DateTimeField(auto_now_add=True, db_index=True, help_text='When the host was first automated against')),
+                ('last_automation', models.DateTimeField(db_index=True, help_text='When the host was last automated against')),
+            ],
+        ),
+    ]

awx/main/migrations/_create_system_jobs.py

@@ -1,8 +1,6 @@
-import random
 import logging
 
-from django.db import migrations, models
-from django.utils.timezone import now, timedelta
+from django.utils.timezone import now
 
 logger = logging.getLogger('awx.main.migrations')
 

awx/main/migrations/_galaxy.py

@@ -27,7 +27,7 @@ def migrate_galaxy_settings(apps, schema_editor):
     galaxy_type = CredentialType.objects.get(kind='galaxy')
     private_galaxy_url = Setting.objects.filter(key='PRIMARY_GALAXY_URL').first()
 
-    # by default, prior versions of AWX/Tower automatically pulled content
+    # by default, prior versions of AWX automatically pulled content
     # from galaxy.ansible.com
     public_galaxy_enabled = True
     public_galaxy_setting = Setting.objects.filter(key='PUBLIC_GALAXY_ENABLED').first()

awx/main/migrations/_inventory_source.py

@@ -1,9 +1,6 @@
 import logging
 
-from uuid import uuid4
-
 from django.utils.encoding import smart_text
-from django.utils.timezone import now
 
 from awx.main.utils.common import set_current_apps
 from awx.main.utils.common import parse_yaml_or_json
@@ -93,3 +90,22 @@ def delete_cloudforms_inv_source(apps, schema_editor):
     if ct:
         ct.credentials.all().delete()
         ct.delete()
+
+
+def delete_custom_inv_source(apps, schema_editor):
+    set_current_apps(apps)
+    InventorySource = apps.get_model('main', 'InventorySource')
+    InventoryUpdate = apps.get_model('main', 'InventoryUpdate')
+    ct, deletions = InventoryUpdate.objects.filter(source='custom').delete()
+    if ct:
+        logger.info('deleted {}'.format((ct, deletions)))
+        update_ct = deletions['main.InventoryUpdate']
+        if update_ct:
+            logger.info('Deleted {} custom inventory script sources.'.format(update_ct))
+    ct, deletions = InventorySource.objects.filter(source='custom').delete()
+    if ct:
+        logger.info('deleted {}'.format((ct, deletions)))
+        src_ct = deletions['main.InventorySource']
+        if src_ct:
+            logger.info('Deleted {} custom inventory script updates.'.format(src_ct))
+            logger.warning('Custom inventory scripts have been removed, see awx-manage export_custom_scripts')

awx/main/migrations/_rbac.py

@@ -28,7 +28,6 @@ def create_roles(apps, schema_editor):
             'Inventory',
             'Project',
             'Credential',
-            'CustomInventoryScript',
             'JobTemplate',
         ]
     ]
@@ -48,6 +47,21 @@ def delete_all_user_roles(apps, schema_editor):
         role.delete()
 
 
+def delete_all_custom_script_roles(apps, schema_editor):
+    ContentType = apps.get_model('contenttypes', "ContentType")
+    Role = apps.get_model('main', "Role")
+    try:
+        cis_type = ContentType.objects.get(model='custominventoryscript')
+    except ContentType.DoesNotExist:
+        return
+    role_ct = 0
+    for role in Role.objects.filter(content_type=cis_type).iterator():
+        role.delete()
+        role_ct += 1
+    if role_ct:
+        logger.debug('Deleted {} roles corresponding to custom inventory sources.'.format(role_ct))
+
+
 UNIFIED_ORG_LOOKUPS = {
     # Job Templates had an implicit organization via their project
     'jobtemplate': 'project',

awx/main/models/__init__.py

@@ -12,7 +12,16 @@ from awx.main.models.unified_jobs import UnifiedJob, UnifiedJobTemplate, StdoutM
 from awx.main.models.organization import Organization, Profile, Team, UserSessionMembership  # noqa
 from awx.main.models.credential import Credential, CredentialType, CredentialInputSource, ManagedCredentialType, build_safe_env  # noqa
 from awx.main.models.projects import Project, ProjectUpdate  # noqa
-from awx.main.models.inventory import CustomInventoryScript, Group, Host, Inventory, InventorySource, InventoryUpdate, SmartInventoryMembership  # noqa
+from awx.main.models.inventory import (  # noqa
+    CustomInventoryScript,
+    Group,
+    Host,
+    HostMetric,
+    Inventory,
+    InventorySource,
+    InventoryUpdate,
+    SmartInventoryMembership,
+)
 from awx.main.models.jobs import (  # noqa
     Job,
     JobHostSummary,
@@ -224,7 +233,6 @@ activity_stream_registrar.connect(AdHocCommand)
 # activity_stream_registrar.connect(JobEvent)
 # activity_stream_registrar.connect(Profile)
 activity_stream_registrar.connect(Schedule)
-activity_stream_registrar.connect(CustomInventoryScript)
 activity_stream_registrar.connect(NotificationTemplate)
 activity_stream_registrar.connect(Notification)
 activity_stream_registrar.connect(Label)

awx/main/models/activity_stream.py

@@ -1,7 +1,7 @@
 # Copyright (c) 2015 Ansible, Inc.
 # All Rights Reserved.
 
-# Tower
+# AWX
 from awx.api.versioning import reverse
 from awx.main.fields import JSONField
 from awx.main.models.base import accepts_json
@@ -74,7 +74,6 @@ class ActivityStream(models.Model):
     unified_job = models.ManyToManyField("UnifiedJob", blank=True, related_name='activity_stream_as_unified_job+')
     ad_hoc_command = models.ManyToManyField("AdHocCommand", blank=True)
     schedule = models.ManyToManyField("Schedule", blank=True)
-    custom_inventory_script = models.ManyToManyField("CustomInventoryScript", blank=True)
     execution_environment = models.ManyToManyField("ExecutionEnvironment", blank=True)
     notification_template = models.ManyToManyField("NotificationTemplate", blank=True)
     notification = models.ManyToManyField("Notification", blank=True)

awx/main/models/ad_hoc_commands.py

@@ -146,10 +146,6 @@ class AdHocCommand(UnifiedJob, JobNotificationMixin):
 
         return RunAdHocCommand
 
-    @classmethod
-    def supports_isolation(cls):
-        return True
-
     @property
     def is_container_group_task(self):
         return bool(self.instance_group and self.instance_group.is_container_group)

awx/main/models/base.py

@@ -62,7 +62,7 @@ PROJECT_UPDATE_JOB_TYPE_CHOICES = [
     (PERM_INVENTORY_CHECK, _('Check')),
 ]
 
-CLOUD_INVENTORY_SOURCES = list(CLOUD_PROVIDERS) + ['scm', 'custom']
+CLOUD_INVENTORY_SOURCES = list(CLOUD_PROVIDERS) + ['scm']
 
 VERBOSITY_CHOICES = [
     (0, '0 (Normal)'),
@@ -354,7 +354,7 @@ class PrimordialModel(HasEditsMixin, CreatedModifiedModel):
 
 
 class CommonModel(PrimordialModel):
-    ''' a base model where the name is unique '''
+    '''a base model where the name is unique'''
 
     class Meta:
         abstract = True
@@ -366,7 +366,7 @@ class CommonModel(PrimordialModel):
 
 
 class CommonModelNameNotUnique(PrimordialModel):
-    ''' a base model where the name is not unique '''
+    '''a base model where the name is not unique'''
 
     class Meta:
         abstract = True

awx/main/models/credential/__init__.py

@@ -31,6 +31,7 @@ from awx.main.fields import (
 )
 from awx.main.utils import decrypt_field, classproperty
 from awx.main.utils.safe_yaml import safe_dump
+from awx.main.utils.execution_environments import to_container_path
 from awx.main.validators import validate_ssh_private_key
 from awx.main.models.base import CommonModelNameNotUnique, PasswordFieldsModel, PrimordialModel
 from awx.main.models.mixins import ResourceMixin
@@ -89,7 +90,7 @@ class Credential(PasswordFieldsModel, CommonModelNameNotUnique, ResourceMixin):
         related_name='credentials',
         null=False,
         on_delete=models.CASCADE,
-        help_text=_('Specify the type of credential you want to create. Refer ' 'to the Ansible Tower documentation for details on each type.'),
+        help_text=_('Specify the type of credential you want to create. Refer ' 'to the documentation for details on each type.'),
     )
     managed_by_tower = models.BooleanField(default=False, editable=False)
     organization = models.ForeignKey(
@@ -101,7 +102,7 @@ class Credential(PasswordFieldsModel, CommonModelNameNotUnique, ResourceMixin):
         related_name='credentials',
     )
     inputs = CredentialInputField(
-        blank=True, default=dict, help_text=_('Enter inputs using either JSON or YAML syntax. ' 'Refer to the Ansible Tower documentation for example syntax.')
+        blank=True, default=dict, help_text=_('Enter inputs using either JSON or YAML syntax. ' 'Refer to the documentation for example syntax.')
     )
     admin_role = ImplicitRoleField(
         parent_role=[
@@ -295,6 +296,15 @@ class Credential(PasswordFieldsModel, CommonModelNameNotUnique, ResourceMixin):
             return True
         return field_name in self.inputs and self.inputs[field_name] not in ('', None)
 
+    def has_inputs(self, field_names=()):
+        for name in field_names:
+            if name in self.inputs:
+                if self.inputs[name] in ('', None):
+                    return False
+            else:
+                raise ValueError('{} is not an input field'.format(name))
+        return True
+
     def _get_dynamic_input(self, field_name):
         for input_source in self.input_sources.all():
             if input_source.input_field_name == field_name:
@@ -334,12 +344,12 @@ class CredentialType(CommonModelNameNotUnique):
     managed_by_tower = models.BooleanField(default=False, editable=False)
     namespace = models.CharField(max_length=1024, null=True, default=None, editable=False)
     inputs = CredentialTypeInputField(
-        blank=True, default=dict, help_text=_('Enter inputs using either JSON or YAML syntax. ' 'Refer to the Ansible Tower documentation for example syntax.')
+        blank=True, default=dict, help_text=_('Enter inputs using either JSON or YAML syntax. ' 'Refer to the documentation for example syntax.')
     )
     injectors = CredentialTypeInjectorField(
         blank=True,
         default=dict,
-        help_text=_('Enter injectors using either JSON or YAML syntax. ' 'Refer to the Ansible Tower documentation for example syntax.'),
+        help_text=_('Enter injectors using either JSON or YAML syntax. ' 'Refer to the documentation for example syntax.'),
     )
 
     @classmethod
@@ -484,12 +494,11 @@ class CredentialType(CommonModelNameNotUnique):
 
         for file_label, file_tmpl in file_tmpls.items():
             data = sandbox_env.from_string(file_tmpl).render(**namespace)
-            _, path = tempfile.mkstemp(dir=private_data_dir)
+            _, path = tempfile.mkstemp(dir=os.path.join(private_data_dir, 'env'))
             with open(path, 'w') as f:
                 f.write(data)
             os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)
-            # FIXME: develop some better means of referencing paths inside containers
-            container_path = os.path.join('/runner', os.path.basename(path))
+            container_path = to_container_path(path, private_data_dir)
 
             # determine if filename indicates single file or many
             if file_label.find('.') == -1:
@@ -517,7 +526,7 @@ class CredentialType(CommonModelNameNotUnique):
                 extra_vars[var_name] = sandbox_env.from_string(tmpl).render(**namespace)
 
             def build_extra_vars_file(vars, private_dir):
-                handle, path = tempfile.mkstemp(dir=private_dir)
+                handle, path = tempfile.mkstemp(dir=os.path.join(private_dir, 'env'))
                 f = os.fdopen(handle, 'w')
                 f.write(safe_dump(vars))
                 f.close()
@@ -526,8 +535,7 @@ class CredentialType(CommonModelNameNotUnique):
 
             if extra_vars:
                 path = build_extra_vars_file(extra_vars, private_data_dir)
-                # FIXME: develop some better means of referencing paths inside containers
-                container_path = os.path.join('/runner', os.path.basename(path))
+                container_path = to_container_path(path, private_data_dir)
                 args.extend(['-e', '@%s' % container_path])
 
 
@@ -743,7 +751,7 @@ ManagedCredentialType(
                 'help_text': ugettext_noop(
                     'OpenStack domains define administrative boundaries. '
                     'It is only needed for Keystone v3 authentication '
-                    'URLs. Refer to Ansible Tower documentation for '
+                    'URLs. Refer to the documentation for '
                     'common scenarios.'
                 ),
             },
@@ -1023,9 +1031,7 @@ ManagedCredentialType(
                 'label': ugettext_noop('OAuth Token'),
                 'type': 'string',
                 'secret': True,
-                'help_text': ugettext_noop(
-                    'An OAuth token to use to authenticate to Tower with.' 'This should not be set if username/password are being used.'
-                ),
+                'help_text': ugettext_noop('An OAuth token to use to authenticate with.' 'This should not be set if username/password are being used.'),
             },
             {'id': 'verify_ssl', 'label': ugettext_noop('Verify SSL'), 'type': 'boolean', 'secret': False},
         ],
@@ -1097,16 +1103,16 @@ ManagedCredentialType(
             },
             {
                 'id': 'password',
-                'label': ugettext_noop('Password'),
+                'label': ugettext_noop('Password or Token'),
                 'type': 'string',
                 'secret': True,
+                'help_text': ugettext_noop('A password or token used to authenticate with'),
             },
             {
-                'id': 'token',
-                'label': ugettext_noop('Access Token'),
-                'type': 'string',
-                'secret': True,
-                'help_text': ugettext_noop('A token to use to authenticate with. ' 'This should not be set if username/password are being used.'),
+                'id': 'verify_ssl',
+                'label': ugettext_noop('Verify SSL'),
+                'type': 'boolean',
+                'default': True,
             },
         ],
         'required': ['host'],

awx/main/models/credential/injectors.py

@@ -6,6 +6,8 @@ import tempfile
 
 from django.conf import settings
 
+from awx.main.utils.execution_environments import to_container_path
+
 
 def aws(cred, env, private_data_dir):
     env['AWS_ACCESS_KEY_ID'] = cred.get_input('username', default='')
@@ -25,13 +27,14 @@ def gce(cred, env, private_data_dir):
         env['GCE_PROJECT'] = project
     json_cred['token_uri'] = 'https://oauth2.googleapis.com/token'
 
-    handle, path = tempfile.mkstemp(dir=private_data_dir)
+    handle, path = tempfile.mkstemp(dir=os.path.join(private_data_dir, 'env'))
     f = os.fdopen(handle, 'w')
     json.dump(json_cred, f, indent=2)
     f.close()
     os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)
-    env['GCE_CREDENTIALS_FILE_PATH'] = os.path.join('/runner', os.path.basename(path))
-    env['GCP_SERVICE_ACCOUNT_FILE'] = os.path.join('/runner', os.path.basename(path))
+    container_path = to_container_path(path, private_data_dir)
+    env['GCE_CREDENTIALS_FILE_PATH'] = container_path
+    env['GCP_SERVICE_ACCOUNT_FILE'] = container_path
 
     # Handle env variables for new module types.
     # This includes gcp_compute inventory plugin and
@@ -96,14 +99,13 @@ def _openstack_data(cred):
 
 
 def openstack(cred, env, private_data_dir):
-    handle, path = tempfile.mkstemp(dir=private_data_dir)
+    handle, path = tempfile.mkstemp(dir=os.path.join(private_data_dir, 'env'))
     f = os.fdopen(handle, 'w')
     openstack_data = _openstack_data(cred)
     yaml.safe_dump(openstack_data, f, default_flow_style=False, allow_unicode=True)
     f.close()
     os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)
-    # TODO: constant for container base path
-    env['OS_CLIENT_CONFIG_FILE'] = os.path.join('/runner', os.path.basename(path))
+    env['OS_CLIENT_CONFIG_FILE'] = to_container_path(path, private_data_dir)
 
 
 def kubernetes_bearer_token(cred, env, private_data_dir):
@@ -111,10 +113,10 @@ def kubernetes_bearer_token(cred, env, private_data_dir):
     env['K8S_AUTH_API_KEY'] = cred.get_input('bearer_token', default='')
     if cred.get_input('verify_ssl') and 'ssl_ca_cert' in cred.inputs:
         env['K8S_AUTH_VERIFY_SSL'] = 'True'
-        handle, path = tempfile.mkstemp(dir=private_data_dir)
+        handle, path = tempfile.mkstemp(dir=os.path.join(private_data_dir, 'env'))
         with os.fdopen(handle, 'w') as f:
             os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)
             f.write(cred.get_input('ssl_ca_cert'))
-        env['K8S_AUTH_SSL_CA_CERT'] = os.path.join('/runner', os.path.basename(path))
+        env['K8S_AUTH_SSL_CA_CERT'] = to_container_path(path, private_data_dir)
     else:
         env['K8S_AUTH_VERIFY_SSL'] = 'False'