Merge pull request #13562 from siw36/fix-typo-generic-oidc

Fix a typo in the help text for Generic OIDC
2026-02-09 21:54:43 -03:30 · 2023-02-13 12:33:42 -05:00 · 2023-02-13 17:11:29 +01:00 · 2023-02-08 17:04:35 -05:00 · 2023-02-08 16:19:29 -05:00 · 2023-02-08 15:12:49 -05:00
1305 changed files with 44924 additions and 25386 deletions
--- a/.dockerignore
+++ b/.dockerignore
@@ -1,3 +1,2 @@
 awx/ui/node_modules
 Dockerfile
 .git
--- a/.github/ISSUE_TEMPLATE.md
+++ b/.github/ISSUE_TEMPLATE.md
@@ -25,7 +25,7 @@ Instead use the bug or feature request.
 <!--- Pick one below and delete the rest: -->
 - Breaking Change
 - New or Enhanced Feature
- - Bug or Docs Fix
+ - Bug, Docs Fix or other nominal change
 ##### COMPONENT NAME
--- a/.github/ISSUE_TEMPLATE/feature_request.yml
+++ b/.github/ISSUE_TEMPLATE/feature_request.yml
@@ -20,6 +20,19 @@ body:
        - label: I understand that AWX is open source software provided for free and that I might not receive a timely response.
          required: true
  - type: dropdown
    id: feature-type
    attributes:
      label: Feature type
      description: >-
        What kind of feature is this?
      multiple: false
      options:
        - "New Feature"
        - "Enhancement to Existing Feature"
    validations:
      required: true
  - type: textarea
    id: summary
    attributes:
@@ -40,3 +53,36 @@ body:
        - label: CLI
        - label: Other
  - type: textarea
    id: steps-to-reproduce
    attributes:
      label: Steps to reproduce
      description: >-
        Describe the necessary steps to understand the scenario of the requested enhancement. 
        Include all the steps that will help the developer and QE team understand what you are requesting.
    validations:
      required: true
  - type: textarea
    id: current-results
    attributes:
      label: Current results
      description: What is currently happening on the scenario?
    validations:
      required: true
  - type: textarea
    id: sugested-results
    attributes:
      label: Sugested feature result
      description: What is the result this new feature will bring?
    validations:
      required: true
  - type: textarea
    id: additional-information
    attributes:
      label: Additional information
      description: Please provide any other information you think is relevant that could help us understand your feature request.
    validations:
      required: false
--- a/.github/PULL_REQUEST_TEMPLATE.md
+++ b/.github/PULL_REQUEST_TEMPLATE.md
@@ -11,7 +11,7 @@ the change does.
 <!--- Pick one below and delete the rest: -->
 - Breaking Change 
 - New or Enhanced Feature
- - Bug or Docs Fix
+ - Bug, Docs Fix or other nominal change
 ##### COMPONENT NAME
 <!--- Name of the module/plugin/module/task -->
--- a/.github/triage_replies.md
+++ b/.github/triage_replies.md
@@ -1,5 +1,5 @@
 ## General
- For the roundup of all the different mailing lists available from AWX, Ansible, and beyond visit: https://docs.ansible.com/ansible/latest/community/communication.html 
+- For the roundup of all the different mailing lists available from AWX, Ansible, and beyond visit: https://docs.ansible.com/ansible/latest/community/communication.html
 - Hello, we think your question is answered in our FAQ. Does this: https://www.ansible.com/products/awx-project/faq cover your question?
 - You can find the latest documentation here: https://docs.ansible.com/automation-controller/latest/html/userguide/index.html
@@ -53,15 +53,25 @@ https://github.com/ansible/awx/#get-involved \
 Thank you once again for this and your interest in AWX!
 ### Red Hat Support Team
 - Hi! \
 \
 It appears that you are using an RPM build for RHEL. Please reach out to the Red Hat support team and submit a ticket. \
 \
 Here is the link to do so: \
 \
 https://access.redhat.com/support \
 \
 Thank you for your submission and for supporting AWX!
 ## Common
 ### Give us more info
- Hello, we'd love to help, but we need a little more information about the problem you're having. Screenshots, log outputs, or any reproducers would be very helpful. 
+- Hello, we'd love to help, but we need a little more information about the problem you're having. Screenshots, log outputs, or any reproducers would be very helpful.
 ### Code of Conduct
- Hello. Please keep in mind that Ansible adheres to a Code of Conduct in its community spaces. The spirit of the code of conduct is to be kind, and this is your friendly reminder to be so. Please see the full code of conduct here if you have questions: https://docs.ansible.com/ansible/latest/community/code_of_conduct.html 
+- Hello. Please keep in mind that Ansible adheres to a Code of Conduct in its community spaces. The spirit of the code of conduct is to be kind, and this is your friendly reminder to be so. Please see the full code of conduct here if you have questions: https://docs.ansible.com/ansible/latest/community/code_of_conduct.html
 ### EE Contents / Community General
 - Hello. The awx-ee contains the collections and dependencies needed for supported AWX features to function. Anything beyond that (like the community.general package) will require you to build your own EE. For information on how to do that, see https://ansible-builder.readthedocs.io/en/stable/ \
@@ -79,31 +89,41 @@ The Ansible Community is looking at building an EE that corresponds to all of th
 - Hello, we think your idea is good! Please consider contributing a PR for this following our contributing guidelines: https://github.com/ansible/awx/blob/devel/CONTRIBUTING.md
 ### Receptor
- You can find the receptor docs here: https://receptor.readthedocs.io/en/latest/ 
+- You can find the receptor docs here: https://receptor.readthedocs.io/en/latest/
 - Hello, your issue seems related to receptor. Could you please open an issue in the receptor repository? https://github.com/ansible/receptor. Thanks!
 ### Ansible Engine not AWX
- Hello, your question seems to be about Ansible development, not about AWX. Try asking on the Ansible-devel specific mailing list: https://groups.google.com/g/ansible-devel 
+- Hello, your question seems to be about Ansible development, not about AWX. Try asking on the Ansible-devel specific mailing list: https://groups.google.com/g/ansible-devel
 - Hello, your question seems to be about using Ansible, not about AWX. https://groups.google.com/g/ansible-project is the best place to visit for user questions about Ansible. Thanks!
 ### Ansible Galaxy not AWX
 - Hey there. That sounds like an FAQ question. Did this: https://www.ansible.com/products/awx-project/faq cover your question?
 ### Contributing Guidelines
- AWX: https://github.com/ansible/awx/blob/devel/CONTRIBUTING.md 
+- AWX: https://github.com/ansible/awx/blob/devel/CONTRIBUTING.md
 - AWX-Operator: https://github.com/ansible/awx-operator/blob/devel/CONTRIBUTING.md
 ### Oracle AWX
 We'd be happy to help if you can reproduce this with AWX since we do not have Oracle's Linux Automation Manager. If you need help with this specific version of Oracles Linux Automation Manager you will need to contact your Oracle for support. 
 ### Community Resolved
 Hi,
 We are happy to see that it appears a fix has been provided for your issue, so we will go ahead and close this ticket. Please feel free to reopen if any other problems arise.
 <name of community member who helped> thanks so much for taking the time to write a thoughtful and helpful response to this issue!
 ### AWX Release
-Subject: Announcing AWX X.Y.z
+Subject: Announcing AWX Xa.Ya.za and AWX-Operator Xb.Yb.zb
 - Hi all, \
 \
-We're happy to announce that the next release of AWX, version <X> is now available! \
+We're happy to announce that the next release of AWX, version <b>`Xa.Ya.za`</b> is now available! \
-In addition AWX Operator version <Y> has also been release! \
+In addition AWX Operator version <b>`Xb.Yb.zb`</b> has also been released! \
 \
 Please see the releases pages for more details: \
-	AWX: https://github.com/ansible/awx/releases/tag/<X> \
+	AWX: https://github.com/ansible/awx/releases/tag/Xa.Ya.za \
-	Operator: https://github.com/ansible/awx-operator/releases/tag/<Y> \
+	Operator: https://github.com/ansible/awx-operator/releases/tag/Xb.Yb.zb \
 \
 The AWX team.
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -1,7 +1,10 @@
 ---
 name: CI
 env:
-  BRANCH: ${{ github.base_ref || 'devel' }}
+  LC_ALL: "C.UTF-8" # prevent ERROR: Ansible could not initialize the preferred locale: unsupported locale setting
  CI_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  DEV_DOCKER_TAG_BASE: ghcr.io/${{ github.repository_owner }}
  COMPOSE_TAG: ${{ github.base_ref || 'devel' }}
 on:
  pull_request:
 jobs:
@@ -17,85 +20,33 @@ jobs:
        tests:
          - name: api-test
            command: /start_tests.sh
            label: Run API Tests
          - name: api-lint
            command: /var/lib/awx/venv/awx/bin/tox -e linters
            label: Run API Linters
          - name: api-swagger
            command: /start_tests.sh swagger
            label: Generate API Reference
          - name: awx-collection
            command: /start_tests.sh test_collection_all
            label: Run Collection Tests
          - name: api-schema
            label: Check API Schema
            command: /start_tests.sh detect-schema-change SCHEMA_DIFF_BASE_BRANCH=${{ github.event.pull_request.base.ref }}
          - name: ui-lint
            label: Run UI Linters
            command: make ui-lint
          - name: ui-test-screens
            label: Run UI Screens Tests
            command: make ui-test-screens
          - name: ui-test-general
            label: Run UI General Tests
            command: make ui-test-general
    steps:
      - uses: actions/checkout@v2
-      - name: Get python version from Makefile
+      - name: Run check ${{ matrix.tests.name }}
-        run: echo py_version=`make PYTHON_VERSION` >> $GITHUB_ENV
+        run: AWX_DOCKER_CMD='${{ matrix.tests.command }}' make github_ci_runner
      - name: Install python ${{ env.py_version }}
        uses: actions/setup-python@v2
        with:
          python-version: ${{ env.py_version }}
      - name: Log in to registry
        run: |
          echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin
      - name: Pre-pull image to warm build cache
        run: |
          docker pull ghcr.io/${{ github.repository_owner }}/awx_devel:${{ env.BRANCH }} || :
      - name: Build image
        run: |
          DEV_DOCKER_TAG_BASE=ghcr.io/${{ github.repository_owner }} COMPOSE_TAG=${{ env.BRANCH }} make docker-compose-build
      - name: ${{ matrix.texts.label }}
        run: |
          docker run -u $(id -u) --rm -v ${{ github.workspace}}:/awx_devel/:Z \
            --workdir=/awx_devel ghcr.io/${{ github.repository_owner }}/awx_devel:${{ env.BRANCH }} ${{ matrix.tests.command }}
  dev-env:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - name: Get python version from Makefile
        run: echo py_version=`make PYTHON_VERSION` >> $GITHUB_ENV
      - name: Install python ${{ env.py_version }}
        uses: actions/setup-python@v2
        with:
          python-version: ${{ env.py_version }}
      - name: Log in to registry
        run: |
          echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin
      - name: Pre-pull image to warm build cache
        run: |
          docker pull ghcr.io/${{ github.repository_owner }}/awx_devel:${{ env.BRANCH }} || :
      - name: Build image
        run: |
          DEV_DOCKER_TAG_BASE=ghcr.io/${{ github.repository_owner }} COMPOSE_TAG=${{ env.BRANCH }} make docker-compose-build
      - name: Run smoke test
-        run: |
+        run: make github_ci_setup && ansible-playbook tools/docker-compose/ansible/smoke-test.yml -v
          export DEV_DOCKER_TAG_BASE=ghcr.io/${{ github.repository_owner }}
          export COMPOSE_TAG=${{ env.BRANCH }}
          ansible-playbook tools/docker-compose/ansible/smoke-test.yml -e repo_dir=$(pwd) -v
  awx-operator:
    runs-on: ubuntu-latest
@@ -111,9 +62,18 @@ jobs:
          repository: ansible/awx-operator
          path: awx-operator
      - name: Get python version from Makefile
        working-directory: awx
        run: echo py_version=`make PYTHON_VERSION` >> $GITHUB_ENV
      - name: Install python ${{ env.py_version }}
        uses: actions/setup-python@v2
        with:
          python-version: ${{ env.py_version }}
      - name: Install playbook dependencies
        run: |
-          python3 -m pip install docker setuptools_scm
+          python3 -m pip install docker
      - name: Build AWX image
        working-directory: awx
@@ -135,3 +95,22 @@ jobs:
        env:
          AWX_TEST_IMAGE: awx
          AWX_TEST_VERSION: ci
  collection-sanity:
    name: awx_collection sanity
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
    steps:
      - uses: actions/checkout@v2
      # The containers that GitHub Actions use have Ansible installed, so upgrade to make sure we have the latest version.
      - name: Upgrade ansible-core
        run: python3 -m pip install --upgrade ansible-core
      - name: Run sanity tests
        run: make test_collection_sanity
        env:
          # needed due to cgroupsv2. This is fixed, but a stable release
          # with the fix has not been made yet.
          ANSIBLE_TEST_PREFER_PODMAN: 1
--- a/.github/workflows/devel_images.yml
+++ b/.github/workflows/devel_images.yml
@@ -1,5 +1,7 @@
 ---
 name: Build/Push Development Images
 env:
  LC_ALL: "C.UTF-8" # prevent ERROR: Ansible could not initialize the preferred locale: unsupported locale setting
 on:
  push:
    branches:
--- a/.github/workflows/e2e_test.yml
+++ b/.github/workflows/e2e_test.yml
@@ -1,9 +1,12 @@
 ---
 name: E2E Tests
 env:
  LC_ALL: "C.UTF-8" # prevent ERROR: Ansible could not initialize the preferred locale: unsupported locale setting
 on:
  pull_request_target:
    types: [labeled]
-jobs:   
+jobs:
  e2e-test:
    if: contains(github.event.pull_request.labels.*.name, 'qe:e2e')
    runs-on: ubuntu-latest
@@ -104,5 +107,3 @@ jobs:
        with:
          name: AWX-logs-${{ matrix.job }}
          path: make-docker-compose-output.log
--- a/.github/workflows/feature_branch_deletion.yml
+++ b/.github/workflows/feature_branch_deletion.yml
@@ -0,0 +1,26 @@
 ---
 name: Feature branch deletion cleanup
 env:
  LC_ALL: "C.UTF-8" # prevent ERROR: Ansible could not initialize the preferred locale: unsupported locale setting
 on:
  delete:
    branches:
      - feature_**
 jobs:
  push:
    runs-on: ubuntu-latest
    permissions:
      packages: write
      contents: read
    steps:
      - name: Delete API Schema
        env:
          AWS_ACCESS_KEY: ${{ secrets.AWS_ACCESS_KEY }}
          AWS_SECRET_KEY: ${{ secrets.AWS_SECRET_KEY }}
          AWS_REGION: 'us-east-1'
        run: |
          ansible localhost -c local, -m command -a "{{ ansible_python_interpreter + ' -m pip install boto3'}}"
          ansible localhost -c local -m aws_s3 \
            -a "bucket=awx-public-ci-files object=${GITHUB_REF##*/}/schema.json mode=delete permission=public-read"
--- a/.github/workflows/label_issue.yml
+++ b/.github/workflows/label_issue.yml
@@ -19,3 +19,34 @@ jobs:
          not-before: 2021-12-07T07:00:00Z
          configuration-path: .github/issue_labeler.yml
          enable-versioned-regex: 0
  community:
    runs-on: ubuntu-latest
    name: Label Issue - Community
    steps:
      - uses: actions/checkout@v2
      - uses: actions/setup-python@v4
      - name: Install python requests
        run: pip install requests
      - name: Check if user is a member of Ansible org
        uses: jannekem/run-python-script-action@v1
        id: check_user
        with:
          script: |
            import requests
            headers = {'Accept': 'application/vnd.github+json', 'Authorization': 'token ${{ secrets.GITHUB_TOKEN }}'}
            response = requests.get('${{ fromJson(toJson(github.event.issue.user.url)) }}/orgs?per_page=100', headers=headers)
            is_member = False
            for org in response.json():
              if org['login'] == 'ansible':
                is_member = True
            if is_member:
                print("User is member")
            else:
                print("User is community")
      - name: Add community label if not a member
        if: contains(steps.check_user.outputs.stdout, 'community')
        uses: andymckay/labeler@e6c4322d0397f3240f0e7e30a33b5c5df2d39e90
        with:
          add-labels: "community"
          repo-token: ${{ secrets.GITHUB_TOKEN }}
--- a/.github/workflows/label_pr.yml
+++ b/.github/workflows/label_pr.yml
@@ -18,3 +18,34 @@ jobs:
        with:
          repo-token: "${{ secrets.GITHUB_TOKEN }}"
          configuration-path: .github/pr_labeler.yml
  community:
    runs-on: ubuntu-latest
    name: Label PR - Community
    steps:
      - uses: actions/checkout@v2
      - uses: actions/setup-python@v4
      - name: Install python requests
        run: pip install requests
      - name: Check if user is a member of Ansible org
        uses: jannekem/run-python-script-action@v1
        id: check_user
        with:
          script: |
            import requests
            headers = {'Accept': 'application/vnd.github+json', 'Authorization': 'token ${{ secrets.GITHUB_TOKEN }}'}
            response = requests.get('${{ fromJson(toJson(github.event.pull_request.user.url)) }}/orgs?per_page=100', headers=headers)
            is_member = False
            for org in response.json():
              if org['login'] == 'ansible':
                is_member = True
            if is_member:
                print("User is member")
            else:
                print("User is community")
      - name: Add community label if not a member
        if: contains(steps.check_user.outputs.stdout, 'community')
        uses: andymckay/labeler@e6c4322d0397f3240f0e7e30a33b5c5df2d39e90
        with:
          add-labels: "community"
          repo-token: ${{ secrets.GITHUB_TOKEN }}
--- a/.github/workflows/pr_body_check.yml
+++ b/.github/workflows/pr_body_check.yml
@@ -0,0 +1,37 @@
 ---
 name: PR Check
 env:
  BRANCH: ${{ github.base_ref || 'devel' }}
 on:
  pull_request:
    types: [opened, edited, reopened, synchronize]
 jobs:
  pr-check:
    name: Scan PR description for semantic versioning keywords
    runs-on: ubuntu-latest
    permissions:
      packages: write
      contents: read
    steps:
      - name: Check for each of the lines
        env:
          PR_BODY: ${{ github.event.pull_request.body }}
        run: |
          echo "$PR_BODY" | grep "Bug, Docs Fix or other nominal change" > Z
          echo "$PR_BODY" | grep "New or Enhanced Feature" > Y
          echo "$PR_BODY" | grep "Breaking Change" > X
          exit 0
        # We exit 0 and set the shell to prevent the returns from the greps from failing this step
        # See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#exit-codes-and-error-action-preference
        shell: bash {0}
      - name: Check for exactly one item
        run: |
          if [ $(cat X Y Z | wc -l) != 1 ] ; then
            echo "The PR body must contain exactly one of [ 'Bug, Docs Fix or other nominal change', 'New or Enhanced Feature', 'Breaking Change' ]"
            echo "We counted $(cat X Y Z | wc -l)"
            echo "See the default PR body for examples"
            exit 255;
          else
            exit 0;
          fi
--- a/.github/workflows/promote.yml
+++ b/.github/workflows/promote.yml
@@ -1,5 +1,9 @@
 ---
 name: Promote Release
 env:
  LC_ALL: "C.UTF-8" # prevent ERROR: Ansible could not initialize the preferred locale: unsupported locale setting
 on:
  release:
    types: [published]
@@ -34,9 +38,13 @@ jobs:
      - name: Build collection and publish to galaxy
        run: |
          COLLECTION_TEMPLATE_VERSION=true COLLECTION_NAMESPACE=${{ env.collection_namespace }} make build_collection
-          ansible-galaxy collection publish \
+          if [ "$(curl --head -sw '%{http_code}' https://galaxy.ansible.com/download/${{ env.collection_namespace }}-awx-${{ github.event.release.tag_name }}.tar.gz | tail -1)" == "302" ] ; then \
-            --token=${{ secrets.GALAXY_TOKEN }} \
+              echo "Galaxy release already done"; \
-            awx_collection_build/${{ env.collection_namespace }}-awx-${{ github.event.release.tag_name }}.tar.gz
+          else \
              ansible-galaxy collection publish \
                --token=${{ secrets.GALAXY_TOKEN }} \
                awx_collection_build/${{ env.collection_namespace }}-awx-${{ github.event.release.tag_name }}.tar.gz; \
          fi
      - name: Set official pypi info
        run: echo pypi_repo=pypi >> $GITHUB_ENV
@@ -48,6 +56,7 @@ jobs:
      - name: Build awxkit and upload to pypi
        run: |
          git reset --hard
          cd awxkit && python3 setup.py bdist_wheel
          twine upload \
            -r ${{ env.pypi_repo }} \
@@ -70,4 +79,6 @@ jobs:
          docker tag ghcr.io/${{ github.repository }}:${{ github.event.release.tag_name }} quay.io/${{ github.repository }}:latest
          docker push quay.io/${{ github.repository }}:${{ github.event.release.tag_name }}
          docker push quay.io/${{ github.repository }}:latest
-
+          docker pull ghcr.io/${{ github.repository_owner }}/awx-ee:${{ github.event.release.tag_name }}
          docker tag ghcr.io/${{ github.repository_owner }}/awx-ee:${{ github.event.release.tag_name }} quay.io/${{ github.repository_owner }}/awx-ee:${{ github.event.release.tag_name }}
          docker push quay.io/${{ github.repository_owner }}/awx-ee:${{ github.event.release.tag_name }}
--- a/.github/workflows/stage.yml
+++ b/.github/workflows/stage.yml
@@ -1,5 +1,9 @@
 ---
 name: Stage Release
 env:
  LC_ALL: "C.UTF-8" # prevent ERROR: Ansible could not initialize the preferred locale: unsupported locale setting
 on:
  workflow_dispatch:
    inputs:
@@ -65,7 +69,7 @@ jobs:
      - name: Install playbook dependencies
        run: |
-          python3 -m pip install docker setuptools_scm
+          python3 -m pip install docker
      - name: Build and stage AWX
        working-directory: awx
@@ -80,6 +84,20 @@ jobs:
            -e push=yes \
            -e awx_official=yes
      - name: Log in to GHCR
        run: |
          echo ${{ secrets.GITHUB_TOKEN }} | docker login ghcr.io -u ${{ github.actor }} --password-stdin
      - name: Log in to Quay
        run: |
          echo ${{ secrets.QUAY_TOKEN }} | docker login quay.io -u ${{ secrets.QUAY_USER }} --password-stdin
      - name: tag awx-ee:latest with version input
        run: |
          docker pull quay.io/ansible/awx-ee:latest
          docker tag quay.io/ansible/awx-ee:latest ghcr.io/${{ github.repository_owner }}/awx-ee:${{ github.event.inputs.version }}
          docker push ghcr.io/${{ github.repository_owner }}/awx-ee:${{ github.event.inputs.version }}
      - name: Build and stage awx-operator
        working-directory: awx-operator
        run: |
@@ -99,6 +117,7 @@ jobs:
        env:
          AWX_TEST_IMAGE: ${{ github.repository }}
          AWX_TEST_VERSION: ${{ github.event.inputs.version }}
          AWX_EE_TEST_IMAGE: ghcr.io/${{ github.repository_owner }}/awx-ee:${{ github.event.inputs.version }}
      - name: Create draft release for AWX
        working-directory: awx
--- a/.github/workflows/update_dependabot_prs.yml
+++ b/.github/workflows/update_dependabot_prs.yml
@@ -0,0 +1,29 @@
 ---
 name: Dependency Pr Update
 on:
  pull_request:
    types: [labeled, opened, reopened]
 jobs:
  pr-check:
    name: Update Dependabot Prs
    if:  contains(github.event.pull_request.labels.*.name, 'dependencies') && contains(github.event.pull_request.labels.*.name, 'component:ui')
    runs-on: ubuntu-latest
    steps:
      - name: Checkout branch
        uses: actions/checkout@v3
      - name: Update PR Body
        env:
            GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
            OWNER: ${{ github.repository_owner }}
            REPO: ${{ github.event.repository.name }}
            PR: ${{github.event.pull_request.number}}
            PR_BODY: ${{github.event.pull_request.body}}
        run: |
          gh pr checkout ${{ env.PR }}
          echo "${{ env.PR_BODY }}" > my_pr_body.txt
          echo "" >> my_pr_body.txt
          echo "Bug, Docs Fix or other nominal change" >> my_pr_body.txt
          gh pr edit ${{env.PR}} --body-file my_pr_body.txt
--- a/.github/workflows/upload_schema.yml
+++ b/.github/workflows/upload_schema.yml
@@ -1,10 +1,15 @@
 ---
 name: Upload API Schema
 env:
  LC_ALL: "C.UTF-8" # prevent ERROR: Ansible could not initialize the preferred locale: unsupported locale setting
 on:
  push:
    branches:
      - devel
      - release_**
      - feature_**
 jobs:
  push:
    runs-on: ubuntu-latest
--- a/.gitignore
+++ b/.gitignore
@@ -153,9 +153,6 @@ use_dev_supervisor.txt
 /sanity/
 /awx_collection_build/
 # Setup for metrics gathering
 tools/prometheus/prometheus.yml
 .idea/*
 *.unison.tmp
 *.#
--- a/.yamllint
+++ b/.yamllint
@@ -8,6 +8,8 @@ ignore: |
  awx/ui/test/e2e/tests/smoke-vars.yml
  awx/ui/node_modules
  tools/docker-compose/_sources
  # django template files
  awx/api/templates/instance_install_bundle/**
 extends: default
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -19,16 +19,17 @@ Have questions about this document or anything not covered here? Come chat with
  - [Purging containers and images](#purging-containers-and-images)
  - [Pre commit hooks](#pre-commit-hooks)
 - [What should I work on?](#what-should-i-work-on)
  - [Translations](#translations)
 - [Submitting Pull Requests](#submitting-pull-requests)
 - [PR Checks run by Zuul](#pr-checks-run-by-zuul)
 - [Reporting Issues](#reporting-issues)
 - [Getting Help](#getting-help)
 ## Things to know prior to submitting code
 - All code submissions are done through pull requests against the `devel` branch.
 - You must use `git commit --signoff` for any commit to be merged, and agree that usage of --signoff constitutes agreement with the terms of [DCO 1.1](./DCO_1_1.md).
 - Take care to make sure no merge commits are in the submission, and use `git rebase` vs `git merge` for this reason.
-  - If collaborating with someone else on the same branch, consider using `--force-with-lease` instead of `--force`. This will prevent you from accidentally overwriting commits pushed by someone else. For more information, see https://git-scm.com/docs/git-push#git-push---force-with-leaseltrefnamegt
+  - If collaborating with someone else on the same branch, consider using `--force-with-lease` instead of `--force`. This will prevent you from accidentally overwriting commits pushed by someone else. For more information, see [git push docs](https://git-scm.com/docs/git-push#git-push---force-with-leaseltrefnamegt).
 - If submitting a large code change, it's a good idea to join the `#ansible-awx` channel on irc.libera.chat, and talk about what you would like to do or add first. This not only helps everyone know what's going on, it also helps save time and effort, if the community decides some changes are needed.
 - We ask all of our community members and contributors to adhere to the [Ansible code of conduct](http://docs.ansible.com/ansible/latest/community/code_of_conduct.html). If you have questions, or need assistance, please reach out to our community team at [codeofconduct@ansible.com](mailto:codeofconduct@ansible.com)
@@ -42,8 +43,7 @@ The AWX development environment workflow and toolchain uses Docker and the docke
 Prior to starting the development services, you'll need `docker` and `docker-compose`. On Linux, you can generally find these in your distro's packaging, but you may find that Docker themselves maintain a separate repo that tracks more closely to the latest releases.
-For macOS and Windows, we recommend [Docker for Mac](https://www.docker.com/docker-mac) and [Docker for Windows](https://www.docker.com/docker-windows)
+For macOS and Windows, we recommend [Docker for Mac](https://www.docker.com/docker-mac) and [Docker for Windows](https://www.docker.com/docker-windows) respectively.
 respectively.
 For Linux platforms, refer to the following from Docker:
@@ -79,17 +79,13 @@ See the [README.md](./tools/docker-compose/README.md) for docs on how to build t
 ### Building API Documentation
-AWX includes support for building [Swagger/OpenAPI
+AWX includes support for building [Swagger/OpenAPI documentation](https://swagger.io). To build the documentation locally, run:
 documentation](https://swagger.io). To build the documentation locally, run:
 ```bash
 (container)/awx_devel$ make swagger
 ```
-This will write a file named `swagger.json` that contains the API specification
+This will write a file named `swagger.json` that contains the API specification in OpenAPI format. A variety of online tools are available for translating this data into more consumable formats (such as HTML). http://editor.swagger.io is an example of one such service.
 in OpenAPI format. A variety of online tools are available for translating
 this data into more consumable formats (such as HTML). http://editor.swagger.io
 is an example of one such service.
 ### Accessing the AWX web interface
@@ -115,20 +111,30 @@ While you can use environment variables to skip the pre-commit hooks GitHub will
 ## What should I work on?
 We have a ["good first issue" label](https://github.com/ansible/awx/issues?q=is%3Aissue+is%3Aopen+label%3A%22good+first+issue%22) we put on some issues that might be a good starting point for new contributors.
 Fixing bugs and updating the documentation are always appreciated, so reviewing the backlog of issues is always a good place to start.
 For feature work, take a look at the current [Enhancements](https://github.com/ansible/awx/issues?q=is%3Aissue+is%3Aopen+label%3Atype%3Aenhancement).
 If it has someone assigned to it then that person is the person responsible for working the enhancement. If you feel like you could contribute then reach out to that person.
-Fixing bugs, adding translations, and updating the documentation are always appreciated, so reviewing the backlog of issues is always a good place to start. For extra information on debugging tools, see [Debugging](./docs/debugging/).
+**NOTES**
 > Issue assignment will only be done for maintainers of the project. If you decide to work on an issue, please feel free to add a comment in the issue to let others know that you are working on it; but know that we will accept the first pull request from whomever is able to fix an issue. Once your PR is accepted we can add you as an assignee to an issue upon request. 
 **NOTE**
 > If you work in a part of the codebase that is going through active development, your changes may be rejected, or you may be asked to `rebase`. A good idea before starting work is to have a discussion with us in the `#ansible-awx` channel on irc.libera.chat, or on the [mailing list](https://groups.google.com/forum/#!forum/awx-project).
 **NOTE**
 > If you're planning to develop features or fixes for the UI, please review the [UI Developer doc](./awx/ui/README.md).
 ### Translations
 At this time we do not accept PRs for adding additional language translations as we have an automated process for generating our translations. This is because translations require constant care as new strings are added and changed in the code base. Because of this the .po files are overwritten during every translation release cycle. We also can't support a lot of translations on AWX as its an open source project and each language adds time and cost to maintain. If you would like to see AWX translated into a new language please create an issue and ask others you know to upvote the issue. Our translation team will review the needs of the community and see what they can do around supporting additional language.
 If you find an issue with an existing translation, please see the [Reporting Issues](#reporting-issues) section to open an issue and our translation team will work with you on a resolution. 
 ## Submitting Pull Requests
 Fixes and Features for AWX will go through the Github pull request process. Submit your pull request (PR) against the `devel` branch.
@@ -152,28 +158,14 @@ We like to keep our commit history clean, and will require resubmission of pull
 Sometimes it might take us a while to fully review your PR. We try to keep the `devel` branch in good working order, and so we review requests carefully. Please be patient.
-All submitted PRs will have the linter and unit tests run against them via Zuul, and the status reported in the PR.
+When your PR is initially submitted the checks will not be run until a maintainer allows them to be. Once a maintainer has done a quick review of your work the PR will have the linter and unit tests run against them via GitHub Actions, and the status reported in the PR.
 ## PR Checks run by Zuul
 Zuul jobs for awx are defined in the [zuul-jobs](https://github.com/ansible/zuul-jobs) repo.
 Zuul runs the following checks that must pass:
 1. `tox-awx-api-lint`
 2. `tox-awx-ui-lint`
 3. `tox-awx-api`
 4. `tox-awx-ui`
 5. `tox-awx-swagger`
 Zuul runs the following checks that are non-voting (can not pass but serve to inform PR reviewers):
 1. `tox-awx-detect-schema-change`
   This check generates the schema and diffs it against a reference copy of the `devel` version of the schema.
   Reviewers should inspect the `job-output.txt.gz` related to the check if their is a failure (grep for `diff -u -b` to find beginning of diff).
   If the schema change is expected and makes sense in relation to the changes made by the PR, then you are good to go!
   If not, the schema changes should be fixed, but this decision must be enforced by reviewers.
 ## Reporting Issues
-
+ 
 We welcome your feedback, and encourage you to file an issue when you run into a problem. But before opening a new issues, we ask that you please view our [Issues guide](./ISSUES.md).
 ## Getting Help
 If you require additional assistance, please reach out to us at `#ansible-awx` on irc.libera.chat, or submit your question to the [mailing list](https://groups.google.com/forum/#!forum/awx-project).
 For extra information on debugging tools, see [Debugging](./docs/debugging/).
--- a/MANIFEST.in
+++ b/MANIFEST.in
@@ -3,7 +3,7 @@ recursive-include awx *.po
 recursive-include awx *.mo
 recursive-include awx/static *
 recursive-include awx/templates *.html
-recursive-include awx/api/templates *.md *.html
+recursive-include awx/api/templates *.md *.html *.yml
 recursive-include awx/ui/build *.html
 recursive-include awx/ui/build *
 recursive-include awx/playbooks *.yml
@@ -12,7 +12,7 @@ recursive-include awx/plugins *.ps1
 recursive-include requirements *.txt
 recursive-include requirements *.yml
 recursive-include config *
-recursive-include docs/licenses *
+recursive-include licenses *
 recursive-exclude awx devonly.py*
 recursive-exclude awx/api/tests *
 recursive-exclude awx/main/tests *
--- a/175
+++ b/175
@@ -6,7 +6,20 @@ CHROMIUM_BIN=/tmp/chrome-linux/chrome
 GIT_BRANCH ?= $(shell git rev-parse --abbrev-ref HEAD)
 MANAGEMENT_COMMAND ?= awx-manage
 VERSION := $(shell $(PYTHON) tools/scripts/scm_version.py)
-COLLECTION_VERSION := $(shell $(PYTHON) tools/scripts/scm_version.py | cut -d . -f 1-3)
+
 # ansible-test requires semver compatable version, so we allow overrides to hack it
 COLLECTION_VERSION ?= $(shell $(PYTHON) tools/scripts/scm_version.py | cut -d . -f 1-3)
 # args for the ansible-test sanity command
 COLLECTION_SANITY_ARGS ?= --docker
 # collection unit testing directories
 COLLECTION_TEST_DIRS ?= awx_collection/test/awx
 # collection integration test directories (defaults to all)
 COLLECTION_TEST_TARGET ?=
 # args for collection install
 COLLECTION_PACKAGE ?= awx
 COLLECTION_NAMESPACE ?= awx
 COLLECTION_INSTALL = ~/.ansible/collections/ansible_collections/$(COLLECTION_NAMESPACE)/$(COLLECTION_PACKAGE)
 COLLECTION_TEMPLATE_VERSION ?= false
 # NOTE: This defaults the container image version to the branch that's active
 COMPOSE_TAG ?= $(GIT_BRANCH)
@@ -34,7 +47,7 @@ RECEPTOR_IMAGE ?= quay.io/ansible/receptor:devel
 SRC_ONLY_PKGS ?= cffi,pycparser,psycopg2,twilio
 # These should be upgraded in the AWX and Ansible venv before attempting
 # to install the actual requirements
-VENV_BOOTSTRAP ?= pip==21.2.4 setuptools==58.2.0 setuptools_scm[toml]==6.4.2 wheel==0.36.2
+VENV_BOOTSTRAP ?= pip==21.2.4 setuptools==65.6.3 setuptools_scm[toml]==7.0.5 wheel==0.38.4
 NAME ?= awx
@@ -52,7 +65,7 @@ I18N_FLAG_FILE = .i18n_built
 	sdist \
 	ui-release ui-devel \
 	VERSION PYTHON_VERSION docker-compose-sources \
-	.git/hooks/pre-commit
+	.git/hooks/pre-commit github_ci_setup github_ci_runner
 clean-tmp:
 	rm -rf tmp/
@@ -72,7 +85,7 @@ clean-languages:
 	rm -f $(I18N_FLAG_FILE)
 	find ./awx/locale/ -type f -regex ".*\.mo$" -delete
-# Remove temporary build files, compiled Python files.
+## Remove temporary build files, compiled Python files.
 clean: clean-ui clean-api clean-awxkit clean-dist
 	rm -rf awx/public
 	rm -rf awx/lib/site-packages
@@ -85,6 +98,7 @@ clean: clean-ui clean-api clean-awxkit clean-dist
 clean-api:
 	rm -rf build $(NAME)-$(VERSION) *.egg-info
 	rm -rf .tox
 	find . -type f -regex ".*\.py[co]$$" -delete
 	find . -type d -name "__pycache__" -delete
 	rm -f awx/awx_test.sqlite3*
@@ -94,7 +108,7 @@ clean-api:
 clean-awxkit:
 	rm -rf awxkit/*.egg-info awxkit/.tox awxkit/build/*
-# convenience target to assert environment variables are defined
+## convenience target to assert environment variables are defined
 guard-%:
 	@if [ "$${$*}" = "" ]; then \
 	    echo "The required environment variable '$*' is not set"; \
@@ -117,7 +131,7 @@ virtualenv_awx:
 		fi; \
 	fi
-# Install third-party requirements needed for AWX's environment.
+## Install third-party requirements needed for AWX's environment.
 # this does not use system site packages intentionally
 requirements_awx: virtualenv_awx
 	if [[ "$(PIP_OPTIONS)" == *"--no-index"* ]]; then \
@@ -136,7 +150,7 @@ requirements_dev: requirements_awx requirements_awx_dev
 requirements_test: requirements
-# "Install" awx package in development mode.
+## "Install" awx package in development mode.
 develop:
 	@if [ "$(VIRTUAL_ENV)" ]; then \
 	    pip uninstall -y awx; \
@@ -153,21 +167,21 @@ version_file:
 	fi; \
 	$(PYTHON) -c "import awx; print(awx.__version__)" > /var/lib/awx/.awx_version; \
-# Refresh development environment after pulling new code.
+## Refresh development environment after pulling new code.
 refresh: clean requirements_dev version_file develop migrate
-# Create Django superuser.
+## Create Django superuser.
 adduser:
 	$(MANAGEMENT_COMMAND) createsuperuser
-# Create database tables and apply any new migrations.
+## Create database tables and apply any new migrations.
 migrate:
 	if [ "$(VENV_BASE)" ]; then \
 		. $(VENV_BASE)/awx/bin/activate; \
 	fi; \
 	$(MANAGEMENT_COMMAND) migrate --noinput
-# Run after making changes to the models to create a new migration.
+## Run after making changes to the models to create a new migration.
 dbchange:
 	$(MANAGEMENT_COMMAND) makemigrations
@@ -181,7 +195,7 @@ collectstatic:
 	@if [ "$(VENV_BASE)" ]; then \
 		. $(VENV_BASE)/awx/bin/activate; \
 	fi; \
-	mkdir -p awx/public/static && $(PYTHON) manage.py collectstatic --clear --noinput > /dev/null 2>&1
+	$(PYTHON) manage.py collectstatic --clear --noinput > /dev/null 2>&1
 DEV_RELOAD_COMMAND ?= supervisorctl restart tower-processes:*
@@ -218,7 +232,7 @@ wsbroadcast:
 	fi; \
 	$(PYTHON) manage.py run_wsbroadcast
-# Run to start the background task dispatcher for development.
+## Run to start the background task dispatcher for development.
 dispatcher:
 	@if [ "$(VENV_BASE)" ]; then \
 		. $(VENV_BASE)/awx/bin/activate; \
@@ -226,7 +240,7 @@ dispatcher:
 	$(PYTHON) manage.py run_dispatcher
-# Run to start the zeromq callback receiver
+## Run to start the zeromq callback receiver
 receiver:
 	@if [ "$(VENV_BASE)" ]; then \
 		. $(VENV_BASE)/awx/bin/activate; \
@@ -278,7 +292,7 @@ awx-link:
 TEST_DIRS ?= awx/main/tests/unit awx/main/tests/functional awx/conf/tests awx/sso/tests
 PYTEST_ARGS ?= -n auto
-# Run all API unit tests.
+## Run all API unit tests.
 test:
 	if [ "$(VENV_BASE)" ]; then \
 		. $(VENV_BASE)/awx/bin/activate; \
@@ -287,19 +301,28 @@ test:
 	cd awxkit && $(VENV_BASE)/awx/bin/tox -re py3
 	awx-manage check_migrations --dry-run --check  -n 'missing_migration_file'
-COLLECTION_TEST_DIRS ?= awx_collection/test/awx
+## Login to Github container image registry, pull image, then build image.
-COLLECTION_TEST_TARGET ?=
+github_ci_setup:
-COLLECTION_PACKAGE ?= awx
+	# GITHUB_ACTOR is automatic github actions env var
-COLLECTION_NAMESPACE ?= awx
+	# CI_GITHUB_TOKEN is defined in .github files
-COLLECTION_INSTALL = ~/.ansible/collections/ansible_collections/$(COLLECTION_NAMESPACE)/$(COLLECTION_PACKAGE)
+	echo $(CI_GITHUB_TOKEN) | docker login ghcr.io -u $(GITHUB_ACTOR) --password-stdin
-COLLECTION_TEMPLATE_VERSION ?= false
+	docker pull $(DEVEL_IMAGE_NAME) || :  # Pre-pull image to warm build cache
 	make docker-compose-build
 ## Runs AWX_DOCKER_CMD inside a new docker container.
 docker-runner:
 	docker run -u $(shell id -u) --rm -v $(shell pwd):/awx_devel/:Z --workdir=/awx_devel $(DEVEL_IMAGE_NAME) $(AWX_DOCKER_CMD)
 ## Builds image and runs AWX_DOCKER_CMD in it, mainly for .github checks.
 github_ci_runner: github_ci_setup docker-runner
 test_collection:
 	rm -f $(shell ls -d $(VENV_BASE)/awx/lib/python* | head -n 1)/no-global-site-packages.txt
 	if [ "$(VENV_BASE)" ]; then \
 		. $(VENV_BASE)/awx/bin/activate; \
 	fi && \
-	pip install ansible-core && \
+	if ! [ -x "$(shell command -v ansible-playbook)" ]; then pip install ansible-core; fi
 	ansible --version
 	py.test $(COLLECTION_TEST_DIRS) -v
 	# The python path needs to be modified so that the tests can find Ansible within the container
 	# First we will use anything expility set as PYTHONPATH
@@ -329,8 +352,13 @@ install_collection: build_collection
 	rm -rf $(COLLECTION_INSTALL)
 	ansible-galaxy collection install awx_collection_build/$(COLLECTION_NAMESPACE)-$(COLLECTION_PACKAGE)-$(COLLECTION_VERSION).tar.gz
-test_collection_sanity: install_collection
+test_collection_sanity:
-	cd $(COLLECTION_INSTALL) && ansible-test sanity
+	rm -rf awx_collection_build/
 	rm -rf $(COLLECTION_INSTALL)
 	if ! [ -x "$(shell command -v ansible-test)" ]; then pip install ansible-core; fi
 	ansible --version
 	COLLECTION_VERSION=1.0.0 make install_collection
 	cd $(COLLECTION_INSTALL) && ansible-test sanity $(COLLECTION_SANITY_ARGS)
 test_collection_integration: install_collection
 	cd $(COLLECTION_INSTALL) && ansible-test integration $(COLLECTION_TEST_TARGET)
@@ -341,23 +369,24 @@ test_unit:
 	fi; \
 	py.test awx/main/tests/unit awx/conf/tests/unit awx/sso/tests/unit
-# Run all API unit tests with coverage enabled.
+## Run all API unit tests with coverage enabled.
 test_coverage:
 	@if [ "$(VENV_BASE)" ]; then \
 		. $(VENV_BASE)/awx/bin/activate; \
 	fi; \
 	py.test --create-db --cov=awx --cov-report=xml --junitxml=./reports/junit.xml $(TEST_DIRS)
-# Output test coverage as HTML (into htmlcov directory).
+## Output test coverage as HTML (into htmlcov directory).
 coverage_html:
 	coverage html
-# Run API unit tests across multiple Python/Django versions with Tox.
+## Run API unit tests across multiple Python/Django versions with Tox.
 test_tox:
 	tox -v
-# Make fake data
+
 DATA_GEN_PRESET = ""
 ## Make fake data
 bulk_data:
 	@if [ "$(VENV_BASE)" ]; then \
 		. $(VENV_BASE)/awx/bin/activate; \
@@ -376,28 +405,29 @@ clean-ui:
 	rm -rf awx/ui/build
 	rm -rf awx/ui/src/locales/_build
 	rm -rf $(UI_BUILD_FLAG_FILE)
        # the collectstatic command doesn't like it if this dir doesn't exist.
 	mkdir -p awx/ui/build/static
 awx/ui/node_modules:
-	NODE_OPTIONS=--max-old-space-size=6144 $(NPM_BIN) --prefix awx/ui --loglevel warn ci
+	NODE_OPTIONS=--max-old-space-size=6144 $(NPM_BIN) --prefix awx/ui --loglevel warn --force ci
-$(UI_BUILD_FLAG_FILE): awx/ui/node_modules
+$(UI_BUILD_FLAG_FILE):
 	$(MAKE) awx/ui/node_modules
 	$(PYTHON) tools/scripts/compilemessages.py
 	$(NPM_BIN) --prefix awx/ui --loglevel warn run compile-strings
 	$(NPM_BIN) --prefix awx/ui --loglevel warn run build
 	mkdir -p awx/public/static/css
 	mkdir -p awx/public/static/js
 	mkdir -p awx/public/static/media
 	cp -r awx/ui/build/static/css/* awx/public/static/css
 	cp -r awx/ui/build/static/js/* awx/public/static/js
 	cp -r awx/ui/build/static/media/* awx/public/static/media
 	touch $@
 ui-release: $(UI_BUILD_FLAG_FILE)
 ui-devel: awx/ui/node_modules
 	@$(MAKE) -B $(UI_BUILD_FLAG_FILE)
 	mkdir -p /var/lib/awx/public/static/css
 	mkdir -p /var/lib/awx/public/static/js
 	mkdir -p /var/lib/awx/public/static/media
 	cp -r awx/ui/build/static/css/* /var/lib/awx/public/static/css
 	cp -r awx/ui/build/static/js/* /var/lib/awx/public/static/js
 	cp -r awx/ui/build/static/media/* /var/lib/awx/public/static/media
 ui-devel-instrumented: awx/ui/node_modules
 	$(NPM_BIN) --prefix awx/ui --loglevel warn run start-instrumented
@@ -449,12 +479,18 @@ awx/projects:
 COMPOSE_UP_OPTS ?=
 COMPOSE_OPTS ?=
 CONTROL_PLANE_NODE_COUNT ?= 1
-EXECUTION_NODE_COUNT ?= 2
+EXECUTION_NODE_COUNT ?= 0
 MINIKUBE_CONTAINER_GROUP ?= false
 MINIKUBE_SETUP ?= false # if false, run minikube separately
 EXTRA_SOURCES_ANSIBLE_OPTS ?=
 ifneq ($(ADMIN_PASSWORD),)
 	EXTRA_SOURCES_ANSIBLE_OPTS := -e admin_password=$(ADMIN_PASSWORD) $(EXTRA_SOURCES_ANSIBLE_OPTS)
 endif
 docker-compose-sources: .git/hooks/pre-commit
 	@if [ $(MINIKUBE_CONTAINER_GROUP) = true ]; then\
-	    ansible-playbook -i tools/docker-compose/inventory tools/docker-compose-minikube/deploy.yml; \
+	    ansible-playbook -i tools/docker-compose/inventory -e minikube_setup=$(MINIKUBE_SETUP) tools/docker-compose-minikube/deploy.yml; \
 	fi;
 	ansible-playbook -i tools/docker-compose/inventory tools/docker-compose/ansible/sources.yml \
@@ -468,7 +504,8 @@ docker-compose-sources: .git/hooks/pre-commit
 	    -e enable_ldap=$(LDAP) \
 	    -e enable_splunk=$(SPLUNK) \
 	    -e enable_prometheus=$(PROMETHEUS) \
-	    -e enable_grafana=$(GRAFANA)
+	    -e enable_grafana=$(GRAFANA) $(EXTRA_SOURCES_ANSIBLE_OPTS)
 docker-compose: awx/projects docker-compose-sources
@@ -502,7 +539,7 @@ docker-compose-container-group-clean:
 	fi
 	rm -rf tools/docker-compose-minikube/_sources/
-# Base development image build
+## Base development image build
 docker-compose-build:
 	ansible-playbook tools/ansible/dockerfile.yml -e build_dev=True -e receptor_image=$(RECEPTOR_IMAGE)
 	DOCKER_BUILDKIT=1 docker build -t $(DEVEL_IMAGE_NAME) \
@@ -520,7 +557,7 @@ docker-clean-volumes: docker-compose-clean docker-compose-container-group-clean
 docker-refresh: docker-clean docker-compose
-# Docker Development Environment with Elastic Stack Connected
+## Docker Development Environment with Elastic Stack Connected
 docker-compose-elk: awx/projects docker-compose-sources
 	docker-compose -f tools/docker-compose/_sources/docker-compose.yml -f tools/elastic/docker-compose.logstash-link.yml -f tools/elastic/docker-compose.elastic-override.yml up --no-recreate
@@ -557,31 +594,73 @@ Dockerfile.kube-dev: tools/ansible/roles/dockerfile/templates/Dockerfile.j2
 	    -e template_dest=_build_kube_dev \
 	    -e receptor_image=$(RECEPTOR_IMAGE)
 ## Build awx_kube_devel image for development on local Kubernetes environment.
 awx-kube-dev-build: Dockerfile.kube-dev
 	DOCKER_BUILDKIT=1 docker build -f Dockerfile.kube-dev \
 	    --build-arg BUILDKIT_INLINE_CACHE=1 \
 	    --cache-from=$(DEV_DOCKER_TAG_BASE)/awx_kube_devel:$(COMPOSE_TAG) \
 	    -t $(DEV_DOCKER_TAG_BASE)/awx_kube_devel:$(COMPOSE_TAG) .
 ## Build awx image for deployment on Kubernetes environment.
 awx-kube-build: Dockerfile
 	DOCKER_BUILDKIT=1 docker build -f Dockerfile \
 		--build-arg VERSION=$(VERSION) \
 		--build-arg SETUPTOOLS_SCM_PRETEND_VERSION=$(VERSION) \
 		--build-arg HEADLESS=$(HEADLESS) \
 		-t $(DEV_DOCKER_TAG_BASE)/awx:$(COMPOSE_TAG) .
 # Translation TASKS
 # --------------------------------------
-# generate UI .pot file, an empty template of strings yet to be translated
+## generate UI .pot file, an empty template of strings yet to be translated
 pot: $(UI_BUILD_FLAG_FILE)
 	$(NPM_BIN) --prefix awx/ui --loglevel warn run extract-template --clean
-# generate UI .po files for each locale (will update translated strings for `en`)
+## generate UI .po files for each locale (will update translated strings for `en`)
 po: $(UI_BUILD_FLAG_FILE)
 	$(NPM_BIN) --prefix awx/ui --loglevel warn run extract-strings -- --clean
-# generate API django .pot .po
+## generate API django .pot .po
 LANG = "en-us"
 messages:
 	@if [ "$(VENV_BASE)" ]; then \
 		. $(VENV_BASE)/awx/bin/activate; \
 	fi; \
-	$(PYTHON) manage.py makemessages -l $(LANG) --keep-pot
+	$(PYTHON) manage.py makemessages -l en_us --keep-pot
 print-%:
 	@echo $($*)
 # HELP related targets
 # --------------------------------------
 HELP_FILTER=.PHONY
 ## Display help targets
 help:
 	@printf "Available targets:\n"
 	@make -s help/generate | grep -vE "\w($(HELP_FILTER))"
 ## Display help for all targets
 help/all:
 	@printf "Available targets:\n"
 	@make -s help/generate
 ## Generate help output from MAKEFILE_LIST
 help/generate:
 	@awk '/^[-a-zA-Z_0-9%:\\\.\/]+:/ { \
 		helpMessage = match(lastLine, /^## (.*)/); \
 		if (helpMessage) { \
 			helpCommand = $$1; \
 			helpMessage = substr(lastLine, RSTART + 3, RLENGTH); \
 			gsub("\\\\", "", helpCommand); \
 			gsub(":+$$", "", helpCommand); \
 			printf "  \x1b[32;01m%-35s\x1b[0m %s\n", helpCommand, helpMessage; \
 		} else { \
 			helpCommand = $$1; \
 			gsub("\\\\", "", helpCommand); \
 			gsub(":+$$", "", helpCommand); \
 			printf "  \x1b[32;01m%-35s\x1b[0m %s\n", helpCommand, "No help available"; \
 		} \
 	} \
 	{ lastLine = $$0 }' $(MAKEFILE_LIST) | sort -u
 	@printf "\n"
--- a/awx/init.py
+++ b/awx/init.py
@@ -67,7 +67,6 @@ else:
    from django.db import connection
 if HAS_DJANGO is True:
    # See upgrade blocker note in requirements/README.md
    try:
        names_digest('foo', 'bar', 'baz', length=8)
@@ -190,7 +189,7 @@ def manage():
        sys.stdout.write('%s\n' % __version__)
    # If running as a user without permission to read settings, display an
    # error message.  Allow --help to still work.
-    elif settings.SECRET_KEY == 'permission-denied':
+    elif not os.getenv('SKIP_SECRET_KEY_CHECK', False) and settings.SECRET_KEY == 'permission-denied':
        if len(sys.argv) == 1 or len(sys.argv) >= 2 and sys.argv[1] in ('-h', '--help', 'help'):
            execute_from_command_line(sys.argv)
            sys.stdout.write('\n')
--- a/awx/api/conf.py
+++ b/awx/api/conf.py
@@ -96,6 +96,15 @@ register(
    category=_('Authentication'),
    category_slug='authentication',
 )
 register(
    'ALLOW_METRICS_FOR_ANONYMOUS_USERS',
    field_class=fields.BooleanField,
    default=False,
    label=_('Allow anonymous users to poll metrics'),
    help_text=_('If true, anonymous users are allowed to poll metrics.'),
    category=_('Authentication'),
    category_slug='authentication',
 )
 def authentication_validate(serializer, attrs):
--- a/awx/api/fields.py
+++ b/awx/api/fields.py
@@ -80,7 +80,6 @@ class VerbatimField(serializers.Field):
 class OAuth2ProviderField(fields.DictField):
    default_error_messages = {'invalid_key_names': _('Invalid key names: {invalid_key_names}')}
    valid_key_names = {'ACCESS_TOKEN_EXPIRE_SECONDS', 'AUTHORIZATION_CODE_EXPIRE_SECONDS', 'REFRESH_TOKEN_EXPIRE_SECONDS'}
    child = fields.IntegerField(min_value=1)
--- a/awx/api/filters.py
+++ b/awx/api/filters.py
@@ -157,10 +157,9 @@ class FieldLookupBackend(BaseFilterBackend):
    # A list of fields that we know can be filtered on without the possiblity
    # of introducing duplicates
-    NO_DUPLICATES_ALLOW_LIST = (CharField, IntegerField, BooleanField)
+    NO_DUPLICATES_ALLOW_LIST = (CharField, IntegerField, BooleanField, TextField)
    def get_fields_from_lookup(self, model, lookup):
        if '__' in lookup and lookup.rsplit('__', 1)[-1] in self.SUPPORTED_LOOKUPS:
            path, suffix = lookup.rsplit('__', 1)
        else:
@@ -232,6 +231,9 @@ class FieldLookupBackend(BaseFilterBackend):
                re.compile(value)
            except re.error as e:
                raise ValueError(e.args[0])
        elif new_lookup.endswith('__iexact'):
            if not isinstance(field, (CharField, TextField)):
                raise ValueError(f'{field.name} is not a text field and cannot be filtered by case-insensitive search')
        elif new_lookup.endswith('__search'):
            related_model = getattr(field, 'related_model', None)
            if not related_model:
@@ -258,8 +260,8 @@ class FieldLookupBackend(BaseFilterBackend):
            search_filters = {}
            needs_distinct = False
            # Can only have two values: 'AND', 'OR'
-            # If 'AND' is used, an iterm must satisfy all condition to show up in the results.
+            # If 'AND' is used, an item must satisfy all conditions to show up in the results.
-            # If 'OR' is used, an item just need to satisfy one condition to appear in results.
+            # If 'OR' is used, an item just needs to satisfy one condition to appear in results.
            search_filter_relation = 'OR'
            for key, values in request.query_params.lists():
                if key in self.RESERVED_NAMES:
--- a/awx/api/generics.py
+++ b/awx/api/generics.py
@@ -6,7 +6,6 @@ import inspect
 import logging
 import time
 import uuid
 import urllib.parse
 # Django
 from django.conf import settings
@@ -14,7 +13,7 @@ from django.contrib.auth import views as auth_views
 from django.contrib.contenttypes.models import ContentType
 from django.core.cache import cache
 from django.core.exceptions import FieldDoesNotExist
-from django.db import connection
+from django.db import connection, transaction
 from django.db.models.fields.related import OneToOneRel
 from django.http import QueryDict
 from django.shortcuts import get_object_or_404
@@ -30,7 +29,7 @@ from rest_framework.response import Response
 from rest_framework import status
 from rest_framework import views
 from rest_framework.permissions import AllowAny
-from rest_framework.renderers import StaticHTMLRenderer, JSONRenderer
+from rest_framework.renderers import StaticHTMLRenderer
 from rest_framework.negotiation import DefaultContentNegotiation
 # AWX
@@ -41,7 +40,7 @@ from awx.main.utils import camelcase_to_underscore, get_search_fields, getattrd,
 from awx.main.utils.db import get_all_field_names
 from awx.main.utils.licensing import server_product_name
 from awx.main.views import ApiErrorView
-from awx.api.serializers import ResourceAccessListElementSerializer, CopySerializer, UserSerializer
+from awx.api.serializers import ResourceAccessListElementSerializer, CopySerializer
 from awx.api.versioning import URLPathVersioning
 from awx.api.metadata import SublistAttachDetatchMetadata, Metadata
 from awx.conf import settings_registry
@@ -63,9 +62,9 @@ __all__ = [
    'SubDetailAPIView',
    'ResourceAccessList',
    'ParentMixin',
    'DeleteLastUnattachLabelMixin',
    'SubListAttachDetachAPIView',
    'CopyAPIView',
    'GenericCancelView',
    'BaseUsersList',
 ]
@@ -91,14 +90,9 @@ class LoggedLoginView(auth_views.LoginView):
    def post(self, request, *args, **kwargs):
        ret = super(LoggedLoginView, self).post(request, *args, **kwargs)
        current_user = getattr(request, 'user', None)
        if request.user.is_authenticated:
            logger.info(smart_str(u"User {} logged in from {}".format(self.request.user.username, request.META.get('REMOTE_ADDR', None))))
            ret.set_cookie('userLoggedIn', 'true')
            current_user = UserSerializer(self.request.user)
            current_user = smart_str(JSONRenderer().render(current_user.data))
            current_user = urllib.parse.quote('%s' % current_user, '')
            ret.set_cookie('current_user', current_user, secure=settings.SESSION_COOKIE_SECURE or None)
            ret.setdefault('X-API-Session-Cookie-Name', getattr(settings, 'SESSION_COOKIE_NAME', 'awx_sessionid'))
            return ret
@@ -141,7 +135,6 @@ def get_default_schema():
 class APIView(views.APIView):
    schema = get_default_schema()
    versioning_class = URLPathVersioning
@@ -255,7 +248,7 @@ class APIView(views.APIView):
            response['X-API-Query-Time'] = '%0.3fs' % sum(q_times)
        if getattr(self, 'deprecated', False):
-            response['Warning'] = '299 awx "This resource has been deprecated and will be removed in a future release."'  # noqa
+            response['Warning'] = '299 awx "This resource has been deprecated and will be removed in a future release."'
        return response
@@ -775,28 +768,6 @@ class SubListAttachDetachAPIView(SubListCreateAttachDetachAPIView):
        return {'id': None}
 class DeleteLastUnattachLabelMixin(object):
    """
    Models for which you want the last instance to be deleted from the database
    when the last disassociate is called should inherit from this class. Further,
    the model should implement is_detached()
    """
    def unattach(self, request, *args, **kwargs):
        (sub_id, res) = super(DeleteLastUnattachLabelMixin, self).unattach_validate(request)
        if res:
            return res
        res = super(DeleteLastUnattachLabelMixin, self).unattach_by_id(request, sub_id)
        obj = self.model.objects.get(id=sub_id)
        if obj.is_detached():
            obj.delete()
        return res
 class SubDetailAPIView(ParentMixin, generics.RetrieveAPIView, GenericAPIView):
    pass
@@ -828,7 +799,6 @@ class RetrieveUpdateDestroyAPIView(RetrieveUpdateAPIView, DestroyAPIView):
 class ResourceAccessList(ParentMixin, ListAPIView):
    serializer_class = ResourceAccessListElementSerializer
    ordering = ('username',)
@@ -851,7 +821,6 @@ def trigger_delayed_deep_copy(*args, **kwargs):
 class CopyAPIView(GenericAPIView):
    serializer_class = CopySerializer
    permission_classes = (AllowAny,)
    copy_return_serializer_class = None
@@ -1014,6 +983,23 @@ class CopyAPIView(GenericAPIView):
        return Response(serializer.data, status=status.HTTP_201_CREATED, headers=headers)
 class GenericCancelView(RetrieveAPIView):
    # In subclass set model, serializer_class
    obj_permission_type = 'cancel'
    @transaction.non_atomic_requests
    def dispatch(self, *args, **kwargs):
        return super(GenericCancelView, self).dispatch(*args, **kwargs)
    def post(self, request, *args, **kwargs):
        obj = self.get_object()
        if obj.can_cancel:
            obj.cancel()
            return Response(status=status.HTTP_202_ACCEPTED)
        else:
            return self.http_method_not_allowed(request, *args, **kwargs)
 class BaseUsersList(SubListCreateAttachDetachAPIView):
    def post(self, request, *args, **kwargs):
        ret = super(BaseUsersList, self).post(request, *args, **kwargs)
--- a/awx/api/metadata.py
+++ b/awx/api/metadata.py
@@ -128,7 +128,7 @@ class Metadata(metadata.SimpleMetadata):
        # Special handling of notification configuration where the required properties
        # are conditional on the type selected.
        if field.field_name == 'notification_configuration':
-            for (notification_type_name, notification_tr_name, notification_type_class) in NotificationTemplate.NOTIFICATION_TYPES:
+            for notification_type_name, notification_tr_name, notification_type_class in NotificationTemplate.NOTIFICATION_TYPES:
                field_info[notification_type_name] = notification_type_class.init_parameters
        # Special handling of notification messages where the required properties
@@ -138,7 +138,7 @@ class Metadata(metadata.SimpleMetadata):
        except (AttributeError, KeyError):
            view_model = None
        if view_model == NotificationTemplate and field.field_name == 'messages':
-            for (notification_type_name, notification_tr_name, notification_type_class) in NotificationTemplate.NOTIFICATION_TYPES:
+            for notification_type_name, notification_tr_name, notification_type_class in NotificationTemplate.NOTIFICATION_TYPES:
                field_info[notification_type_name] = notification_type_class.default_messages
        # Update type of fields returned...
--- a/awx/api/pagination.py
+++ b/awx/api/pagination.py
@@ -24,7 +24,6 @@ class DisabledPaginator(DjangoPaginator):
 class Pagination(pagination.PageNumberPagination):
    page_size_query_param = 'page_size'
    max_page_size = settings.MAX_PAGE_SIZE
    count_disabled = False
--- a/awx/api/permissions.py
+++ b/awx/api/permissions.py
@@ -24,7 +24,6 @@ __all__ = [
    'InventoryInventorySourcesUpdatePermission',
    'UserPermission',
    'IsSystemAdminOrAuditor',
    'InstanceGroupTowerPermission',
    'WorkflowApprovalPermission',
 ]
--- a/awx/api/renderers.py
+++ b/awx/api/renderers.py
@@ -22,7 +22,6 @@ class SurrogateEncoder(encoders.JSONEncoder):
 class DefaultJSONRenderer(renderers.JSONRenderer):
    encoder_class = SurrogateEncoder
@@ -95,7 +94,6 @@ class BrowsableAPIRenderer(renderers.BrowsableAPIRenderer):
 class PlainTextRenderer(renderers.BaseRenderer):
    media_type = 'text/plain'
    format = 'txt'
@@ -106,18 +104,15 @@ class PlainTextRenderer(renderers.BaseRenderer):
 class DownloadTextRenderer(PlainTextRenderer):
    format = "txt_download"
 class AnsiTextRenderer(PlainTextRenderer):
    media_type = 'text/plain'
    format = 'ansi'
 class AnsiDownloadRenderer(PlainTextRenderer):
    format = "ansi_download"
--- a/awx/api/serializers.py
+++ b/awx/api/serializers.py
@@ -29,7 +29,7 @@ from django.utils.translation import gettext_lazy as _
 from django.utils.encoding import force_str
 from django.utils.text import capfirst
 from django.utils.timezone import now
-from django.utils.functional import cached_property
+from django.core.validators import RegexValidator, MaxLengthValidator
 # Django REST Framework
 from rest_framework.exceptions import ValidationError, PermissionDenied
@@ -113,7 +113,7 @@ from awx.main.utils import (
 )
 from awx.main.utils.filters import SmartFilter
 from awx.main.utils.named_url_graph import reset_counters
-from awx.main.scheduler.task_manager_models import TaskManagerInstanceGroups, TaskManagerInstances
+from awx.main.scheduler.task_manager_models import TaskManagerModels
 from awx.main.redact import UriCleaner, REPLACE_STR
 from awx.main.validators import vars_validate_or_raise
@@ -121,6 +121,9 @@ from awx.main.validators import vars_validate_or_raise
 from awx.api.versioning import reverse
 from awx.api.fields import BooleanNullField, CharNullField, ChoiceNullField, VerbatimField, DeprecatedCredentialField
 # AWX Utils
 from awx.api.validators import HostnameRegexValidator
 logger = logging.getLogger('awx.api.serializers')
 # Fields that should be summarized regardless of object type.
@@ -155,6 +158,7 @@ SUMMARIZABLE_FK_FIELDS = {
    'source_project': DEFAULT_SUMMARY_FIELDS + ('status', 'scm_type'),
    'project_update': DEFAULT_SUMMARY_FIELDS + ('status', 'failed'),
    'credential': DEFAULT_SUMMARY_FIELDS + ('kind', 'cloud', 'kubernetes', 'credential_type_id'),
    'signature_validation_credential': DEFAULT_SUMMARY_FIELDS + ('kind', 'credential_type_id'),
    'job': DEFAULT_SUMMARY_FIELDS + ('status', 'failed', 'elapsed', 'type', 'canceled_on'),
    'job_template': DEFAULT_SUMMARY_FIELDS,
    'workflow_job_template': DEFAULT_SUMMARY_FIELDS,
@@ -196,7 +200,6 @@ def reverse_gfk(content_object, request):
 class CopySerializer(serializers.Serializer):
    name = serializers.CharField()
    def validate(self, attrs):
@@ -428,7 +431,6 @@ class BaseSerializer(serializers.ModelSerializer, metaclass=BaseSerializerMetacl
                    continue
                summary_fields[fk] = OrderedDict()
                for field in related_fields:
                    fval = getattr(fkval, field, None)
                    if fval is None and field == 'type':
@@ -615,7 +617,7 @@ class BaseSerializer(serializers.ModelSerializer, metaclass=BaseSerializerMetacl
    def validate(self, attrs):
        attrs = super(BaseSerializer, self).validate(attrs)
        try:
-            # Create/update a model instance and run it's full_clean() method to
+            # Create/update a model instance and run its full_clean() method to
            # do any validation implemented on the model class.
            exclusions = self.get_validation_exclusions(self.instance)
            obj = self.instance or self.Meta.model()
@@ -926,7 +928,6 @@ class UnifiedJobListSerializer(UnifiedJobSerializer):
 class UnifiedJobStdoutSerializer(UnifiedJobSerializer):
    result_stdout = serializers.SerializerMethodField()
    class Meta:
@@ -940,7 +941,6 @@ class UnifiedJobStdoutSerializer(UnifiedJobSerializer):
 class UserSerializer(BaseSerializer):
    password = serializers.CharField(required=False, default='', write_only=True, help_text=_('Write-only field used to change the password.'))
    ldap_dn = serializers.CharField(source='profile.ldap_dn', read_only=True)
    external_account = serializers.SerializerMethodField(help_text=_('Set if the account is managed by an external service'))
@@ -1100,7 +1100,6 @@ class UserActivityStreamSerializer(UserSerializer):
 class BaseOAuth2TokenSerializer(BaseSerializer):
    refresh_token = serializers.SerializerMethodField()
    token = serializers.SerializerMethodField()
    ALLOWED_SCOPES = ['read', 'write']
@@ -1218,7 +1217,6 @@ class UserPersonalTokenSerializer(BaseOAuth2TokenSerializer):
 class OAuth2ApplicationSerializer(BaseSerializer):
    show_capabilities = ['edit', 'delete']
    class Meta:
@@ -1453,7 +1451,6 @@ class ExecutionEnvironmentSerializer(BaseSerializer):
 class ProjectSerializer(UnifiedJobTemplateSerializer, ProjectOptionsSerializer):
    status = serializers.ChoiceField(choices=Project.PROJECT_STATUS_CHOICES, read_only=True)
    last_update_failed = serializers.BooleanField(read_only=True)
    last_updated = serializers.DateTimeField(read_only=True)
@@ -1471,6 +1468,7 @@ class ProjectSerializer(UnifiedJobTemplateSerializer, ProjectOptionsSerializer):
            'allow_override',
            'custom_virtualenv',
            'default_environment',
            'signature_validation_credential',
        ) + (
            'last_update_failed',
            'last_updated',
@@ -1543,7 +1541,6 @@ class ProjectSerializer(UnifiedJobTemplateSerializer, ProjectOptionsSerializer):
 class ProjectPlaybooksSerializer(ProjectSerializer):
    playbooks = serializers.SerializerMethodField(help_text=_('Array of playbooks available within this project.'))
    class Meta:
@@ -1561,7 +1558,6 @@ class ProjectPlaybooksSerializer(ProjectSerializer):
 class ProjectInventoriesSerializer(ProjectSerializer):
    inventory_files = serializers.ReadOnlyField(help_text=_('Array of inventory files and directories available within this project, ' 'not comprehensive.'))
    class Meta:
@@ -1576,7 +1572,6 @@ class ProjectInventoriesSerializer(ProjectSerializer):
 class ProjectUpdateViewSerializer(ProjectSerializer):
    can_update = serializers.BooleanField(read_only=True)
    class Meta:
@@ -1606,7 +1601,6 @@ class ProjectUpdateSerializer(UnifiedJobSerializer, ProjectOptionsSerializer):
 class ProjectUpdateDetailSerializer(ProjectUpdateSerializer):
    playbook_counts = serializers.SerializerMethodField(help_text=_('A count of all plays and tasks for the job run.'))
    class Meta:
@@ -1629,7 +1623,6 @@ class ProjectUpdateListSerializer(ProjectUpdateSerializer, UnifiedJobListSeriali
 class ProjectUpdateCancelSerializer(ProjectUpdateSerializer):
    can_cancel = serializers.BooleanField(read_only=True)
    class Meta:
@@ -1679,6 +1672,7 @@ class InventorySerializer(LabelsListMixin, BaseSerializerWithVariables):
            'total_inventory_sources',
            'inventory_sources_with_failures',
            'pending_deletion',
            'prevent_instance_group_fallback',
        )
    def get_related(self, obj):
@@ -1966,7 +1960,6 @@ class GroupSerializer(BaseSerializerWithVariables):
 class GroupTreeSerializer(GroupSerializer):
    children = serializers.SerializerMethodField()
    class Meta:
@@ -2064,7 +2057,6 @@ class InventorySourceOptionsSerializer(BaseSerializer):
 class InventorySourceSerializer(UnifiedJobTemplateSerializer, InventorySourceOptionsSerializer):
    status = serializers.ChoiceField(choices=InventorySource.INVENTORY_SOURCE_STATUS_CHOICES, read_only=True)
    last_update_failed = serializers.BooleanField(read_only=True)
    last_updated = serializers.DateTimeField(read_only=True)
@@ -2209,15 +2201,22 @@ class InventorySourceSerializer(UnifiedJobTemplateSerializer, InventorySourceOpt
 class InventorySourceUpdateSerializer(InventorySourceSerializer):
    can_update = serializers.BooleanField(read_only=True)
    class Meta:
        fields = ('can_update',)
    def validate(self, attrs):
        project = self.instance.source_project
        if project:
            failed_reason = project.get_reason_if_failed()
            if failed_reason:
                raise serializers.ValidationError(failed_reason)
        return super(InventorySourceUpdateSerializer, self).validate(attrs)
 class InventoryUpdateSerializer(UnifiedJobSerializer, InventorySourceOptionsSerializer):
    custom_virtualenv = serializers.ReadOnlyField()
    class Meta:
@@ -2231,6 +2230,7 @@ class InventoryUpdateSerializer(UnifiedJobSerializer, InventorySourceOptionsSeri
            'source_project_update',
            'custom_virtualenv',
            'instance_group',
            'scm_revision',
        )
    def get_related(self, obj):
@@ -2257,7 +2257,6 @@ class InventoryUpdateSerializer(UnifiedJobSerializer, InventorySourceOptionsSeri
 class InventoryUpdateDetailSerializer(InventoryUpdateSerializer):
    source_project = serializers.SerializerMethodField(help_text=_('The project used for this job.'), method_name='get_source_project_id')
    class Meta:
@@ -2308,7 +2307,6 @@ class InventoryUpdateListSerializer(InventoryUpdateSerializer, UnifiedJobListSer
 class InventoryUpdateCancelSerializer(InventoryUpdateSerializer):
    can_cancel = serializers.BooleanField(read_only=True)
    class Meta:
@@ -2666,7 +2664,6 @@ class CredentialSerializer(BaseSerializer):
 class CredentialSerializerCreate(CredentialSerializer):
    user = serializers.PrimaryKeyRelatedField(
        queryset=User.objects.all(),
        required=False,
@@ -2921,6 +2918,12 @@ class JobTemplateSerializer(JobTemplateMixin, UnifiedJobTemplateSerializer, JobO
            'ask_verbosity_on_launch',
            'ask_inventory_on_launch',
            'ask_credential_on_launch',
            'ask_execution_environment_on_launch',
            'ask_labels_on_launch',
            'ask_forks_on_launch',
            'ask_job_slice_count_on_launch',
            'ask_timeout_on_launch',
            'ask_instance_groups_on_launch',
            'survey_enabled',
            'become_enabled',
            'diff_mode',
@@ -2929,6 +2932,7 @@ class JobTemplateSerializer(JobTemplateMixin, UnifiedJobTemplateSerializer, JobO
            'job_slice_count',
            'webhook_service',
            'webhook_credential',
            'prevent_instance_group_fallback',
        )
        read_only_fields = ('*', 'custom_virtualenv')
@@ -3014,7 +3018,6 @@ class JobTemplateWithSpecSerializer(JobTemplateSerializer):
 class JobSerializer(UnifiedJobSerializer, JobOptionsSerializer):
    passwords_needed_to_start = serializers.ReadOnlyField()
    artifacts = serializers.SerializerMethodField()
@@ -3097,7 +3100,6 @@ class JobSerializer(UnifiedJobSerializer, JobOptionsSerializer):
 class JobDetailSerializer(JobSerializer):
    playbook_counts = serializers.SerializerMethodField(help_text=_('A count of all plays and tasks for the job run.'))
    custom_virtualenv = serializers.ReadOnlyField()
@@ -3115,7 +3117,6 @@ class JobDetailSerializer(JobSerializer):
 class JobCancelSerializer(BaseSerializer):
    can_cancel = serializers.BooleanField(read_only=True)
    class Meta:
@@ -3124,7 +3125,6 @@ class JobCancelSerializer(BaseSerializer):
 class JobRelaunchSerializer(BaseSerializer):
    passwords_needed_to_start = serializers.SerializerMethodField()
    retry_counts = serializers.SerializerMethodField()
    hosts = serializers.ChoiceField(
@@ -3183,8 +3183,7 @@ class JobRelaunchSerializer(BaseSerializer):
        return attrs
-class JobCreateScheduleSerializer(BaseSerializer):
+class JobCreateScheduleSerializer(LabelsListMixin, BaseSerializer):
    can_schedule = serializers.SerializerMethodField()
    prompts = serializers.SerializerMethodField()
@@ -3209,14 +3208,17 @@ class JobCreateScheduleSerializer(BaseSerializer):
        try:
            config = obj.launch_config
            ret = config.prompts_dict(display=True)
-            if 'inventory' in ret:
+            for field_name in ('inventory', 'execution_environment'):
-                ret['inventory'] = self._summarize('inventory', ret['inventory'])
+                if field_name in ret:
-            if 'credentials' in ret:
+                    ret[field_name] = self._summarize(field_name, ret[field_name])
-                all_creds = [self._summarize('credential', cred) for cred in ret['credentials']]
+            for field_name, singular in (('credentials', 'credential'), ('instance_groups', 'instance_group')):
-                ret['credentials'] = all_creds
+                if field_name in ret:
                    ret[field_name] = [self._summarize(singular, obj) for obj in ret[field_name]]
            if 'labels' in ret:
                ret['labels'] = self._summary_field_labels(config)
            return ret
        except JobLaunchConfig.DoesNotExist:
-            return {'all': _('Unknown, job may have been ran before launch configurations were saved.')}
+            return {'all': _('Unknown, job may have been run before launch configurations were saved.')}
 class AdHocCommandSerializer(UnifiedJobSerializer):
@@ -3307,7 +3309,6 @@ class AdHocCommandDetailSerializer(AdHocCommandSerializer):
 class AdHocCommandCancelSerializer(AdHocCommandSerializer):
    can_cancel = serializers.BooleanField(read_only=True)
    class Meta:
@@ -3346,7 +3347,6 @@ class SystemJobTemplateSerializer(UnifiedJobTemplateSerializer):
 class SystemJobSerializer(UnifiedJobSerializer):
    result_stdout = serializers.SerializerMethodField()
    class Meta:
@@ -3373,7 +3373,6 @@ class SystemJobSerializer(UnifiedJobSerializer):
 class SystemJobCancelSerializer(SystemJobSerializer):
    can_cancel = serializers.BooleanField(read_only=True)
    class Meta:
@@ -3386,6 +3385,9 @@ class WorkflowJobTemplateSerializer(JobTemplateMixin, LabelsListMixin, UnifiedJo
    limit = serializers.CharField(allow_blank=True, allow_null=True, required=False, default=None)
    scm_branch = serializers.CharField(allow_blank=True, allow_null=True, required=False, default=None)
    skip_tags = serializers.CharField(allow_blank=True, allow_null=True, required=False, default=None)
    job_tags = serializers.CharField(allow_blank=True, allow_null=True, required=False, default=None)
    class Meta:
        model = WorkflowJobTemplate
        fields = (
@@ -3404,6 +3406,11 @@ class WorkflowJobTemplateSerializer(JobTemplateMixin, LabelsListMixin, UnifiedJo
            'webhook_service',
            'webhook_credential',
            '-execution_environment',
            'ask_labels_on_launch',
            'ask_skip_tags_on_launch',
            'ask_tags_on_launch',
            'skip_tags',
            'job_tags',
        )
    def get_related(self, obj):
@@ -3447,7 +3454,7 @@ class WorkflowJobTemplateSerializer(JobTemplateMixin, LabelsListMixin, UnifiedJo
        # process char_prompts, these are not direct fields on the model
        mock_obj = self.Meta.model()
-        for field_name in ('scm_branch', 'limit'):
+        for field_name in ('scm_branch', 'limit', 'skip_tags', 'job_tags'):
            if field_name in attrs:
                setattr(mock_obj, field_name, attrs[field_name])
                attrs.pop(field_name)
@@ -3473,6 +3480,9 @@ class WorkflowJobSerializer(LabelsListMixin, UnifiedJobSerializer):
    limit = serializers.CharField(allow_blank=True, allow_null=True, required=False, default=None)
    scm_branch = serializers.CharField(allow_blank=True, allow_null=True, required=False, default=None)
    skip_tags = serializers.CharField(allow_blank=True, allow_null=True, required=False, default=None)
    job_tags = serializers.CharField(allow_blank=True, allow_null=True, required=False, default=None)
    class Meta:
        model = WorkflowJob
        fields = (
@@ -3492,6 +3502,8 @@ class WorkflowJobSerializer(LabelsListMixin, UnifiedJobSerializer):
            'webhook_service',
            'webhook_credential',
            'webhook_guid',
            'skip_tags',
            'job_tags',
        )
    def get_related(self, obj):
@@ -3525,7 +3537,6 @@ class WorkflowJobListSerializer(WorkflowJobSerializer, UnifiedJobListSerializer)
 class WorkflowJobCancelSerializer(WorkflowJobSerializer):
    can_cancel = serializers.BooleanField(read_only=True)
    class Meta:
@@ -3539,7 +3550,6 @@ class WorkflowApprovalViewSerializer(UnifiedJobSerializer):
 class WorkflowApprovalSerializer(UnifiedJobSerializer):
    can_approve_or_deny = serializers.SerializerMethodField()
    approval_expiration = serializers.SerializerMethodField()
    timed_out = serializers.ReadOnlyField()
@@ -3608,6 +3618,9 @@ class LaunchConfigurationBaseSerializer(BaseSerializer):
    skip_tags = serializers.CharField(allow_blank=True, allow_null=True, required=False, default=None)
    diff_mode = serializers.BooleanField(required=False, allow_null=True, default=None)
    verbosity = serializers.ChoiceField(allow_null=True, required=False, default=None, choices=VERBOSITY_CHOICES)
    forks = serializers.IntegerField(required=False, allow_null=True, min_value=0, default=None)
    job_slice_count = serializers.IntegerField(required=False, allow_null=True, min_value=0, default=None)
    timeout = serializers.IntegerField(required=False, allow_null=True, default=None)
    exclude_errors = ()
    class Meta:
@@ -3623,13 +3636,21 @@ class LaunchConfigurationBaseSerializer(BaseSerializer):
            'skip_tags',
            'diff_mode',
            'verbosity',
            'execution_environment',
            'forks',
            'job_slice_count',
            'timeout',
        )
    def get_related(self, obj):
        res = super(LaunchConfigurationBaseSerializer, self).get_related(obj)
        if obj.inventory_id:
            res['inventory'] = self.reverse('api:inventory_detail', kwargs={'pk': obj.inventory_id})
        if obj.execution_environment_id:
            res['execution_environment'] = self.reverse('api:execution_environment_detail', kwargs={'pk': obj.execution_environment_id})
        res['labels'] = self.reverse('api:{}_labels_list'.format(get_type_for_model(self.Meta.model)), kwargs={'pk': obj.pk})
        res['credentials'] = self.reverse('api:{}_credentials_list'.format(get_type_for_model(self.Meta.model)), kwargs={'pk': obj.pk})
        res['instance_groups'] = self.reverse('api:{}_instance_groups_list'.format(get_type_for_model(self.Meta.model)), kwargs={'pk': obj.pk})
        return res
    def _build_mock_obj(self, attrs):
@@ -3709,7 +3730,11 @@ class LaunchConfigurationBaseSerializer(BaseSerializer):
        # Build unsaved version of this config, use it to detect prompts errors
        mock_obj = self._build_mock_obj(attrs)
-        accepted, rejected, errors = ujt._accept_or_ignore_job_kwargs(_exclude_errors=self.exclude_errors, **mock_obj.prompts_dict())
+        if set(list(ujt.get_ask_mapping().keys()) + ['extra_data']) & set(attrs.keys()):
            accepted, rejected, errors = ujt._accept_or_ignore_job_kwargs(_exclude_errors=self.exclude_errors, **mock_obj.prompts_dict())
        else:
            # Only perform validation of prompts if prompts fields are provided
            errors = {}
        # Remove all unprocessed $encrypted$ strings, indicating default usage
        if 'extra_data' in attrs and password_dict:
@@ -3919,7 +3944,6 @@ class JobHostSummarySerializer(BaseSerializer):
 class JobEventSerializer(BaseSerializer):
    event_display = serializers.CharField(source='get_event_display2', read_only=True)
    event_level = serializers.IntegerField(read_only=True)
@@ -4015,7 +4039,6 @@ class ProjectUpdateEventSerializer(JobEventSerializer):
 class AdHocCommandEventSerializer(BaseSerializer):
    event_display = serializers.CharField(source='get_event_display', read_only=True)
    class Meta:
@@ -4081,7 +4104,6 @@ class SystemJobEventSerializer(AdHocCommandEventSerializer):
 class JobLaunchSerializer(BaseSerializer):
    # Representational fields
    passwords_needed_to_start = serializers.ReadOnlyField()
    can_start_without_user_input = serializers.BooleanField(read_only=True)
@@ -4104,6 +4126,12 @@ class JobLaunchSerializer(BaseSerializer):
    skip_tags = serializers.CharField(required=False, write_only=True, allow_blank=True)
    limit = serializers.CharField(required=False, write_only=True, allow_blank=True)
    verbosity = serializers.ChoiceField(required=False, choices=VERBOSITY_CHOICES, write_only=True)
    execution_environment = serializers.PrimaryKeyRelatedField(queryset=ExecutionEnvironment.objects.all(), required=False, write_only=True)
    labels = serializers.PrimaryKeyRelatedField(many=True, queryset=Label.objects.all(), required=False, write_only=True)
    forks = serializers.IntegerField(required=False, write_only=True, min_value=0)
    job_slice_count = serializers.IntegerField(required=False, write_only=True, min_value=0)
    timeout = serializers.IntegerField(required=False, write_only=True)
    instance_groups = serializers.PrimaryKeyRelatedField(many=True, queryset=InstanceGroup.objects.all(), required=False, write_only=True)
    class Meta:
        model = JobTemplate
@@ -4131,6 +4159,12 @@ class JobLaunchSerializer(BaseSerializer):
            'ask_verbosity_on_launch',
            'ask_inventory_on_launch',
            'ask_credential_on_launch',
            'ask_execution_environment_on_launch',
            'ask_labels_on_launch',
            'ask_forks_on_launch',
            'ask_job_slice_count_on_launch',
            'ask_timeout_on_launch',
            'ask_instance_groups_on_launch',
            'survey_enabled',
            'variables_needed_to_start',
            'credential_needed_to_start',
@@ -4138,6 +4172,12 @@ class JobLaunchSerializer(BaseSerializer):
            'job_template_data',
            'defaults',
            'verbosity',
            'execution_environment',
            'labels',
            'forks',
            'job_slice_count',
            'timeout',
            'instance_groups',
        )
        read_only_fields = (
            'ask_scm_branch_on_launch',
@@ -4150,6 +4190,12 @@ class JobLaunchSerializer(BaseSerializer):
            'ask_verbosity_on_launch',
            'ask_inventory_on_launch',
            'ask_credential_on_launch',
            'ask_execution_environment_on_launch',
            'ask_labels_on_launch',
            'ask_forks_on_launch',
            'ask_job_slice_count_on_launch',
            'ask_timeout_on_launch',
            'ask_instance_groups_on_launch',
        )
    def get_credential_needed_to_start(self, obj):
@@ -4174,6 +4220,17 @@ class JobLaunchSerializer(BaseSerializer):
                    if cred.credential_type.managed and 'vault_id' in cred.credential_type.defined_fields:
                        cred_dict['vault_id'] = cred.get_input('vault_id', default=None)
                    defaults_dict.setdefault(field_name, []).append(cred_dict)
            elif field_name == 'execution_environment':
                if obj.execution_environment_id:
                    defaults_dict[field_name] = {'id': obj.execution_environment.id, 'name': obj.execution_environment.name}
                else:
                    defaults_dict[field_name] = {}
            elif field_name == 'labels':
                for label in obj.labels.all():
                    label_dict = {'id': label.id, 'name': label.name}
                    defaults_dict.setdefault(field_name, []).append(label_dict)
            elif field_name == 'instance_groups':
                defaults_dict[field_name] = []
            else:
                defaults_dict[field_name] = getattr(obj, field_name)
        return defaults_dict
@@ -4193,8 +4250,10 @@ class JobLaunchSerializer(BaseSerializer):
        # Basic validation - cannot run a playbook without a playbook
        if not template.project:
            errors['project'] = _("A project is required to run a job.")
-        elif template.project.status in ('error', 'failed'):
+        else:
-            errors['playbook'] = _("Missing a revision to run due to failed project update.")
+            failure_reason = template.project.get_reason_if_failed()
            if failure_reason:
                errors['playbook'] = failure_reason
        # cannot run a playbook without an inventory
        if template.inventory and template.inventory.pending_deletion is True:
@@ -4261,7 +4320,6 @@ class JobLaunchSerializer(BaseSerializer):
 class WorkflowJobLaunchSerializer(BaseSerializer):
    can_start_without_user_input = serializers.BooleanField(read_only=True)
    defaults = serializers.SerializerMethodField()
    variables_needed_to_start = serializers.ReadOnlyField()
@@ -4272,6 +4330,10 @@ class WorkflowJobLaunchSerializer(BaseSerializer):
    scm_branch = serializers.CharField(required=False, write_only=True, allow_blank=True)
    workflow_job_template_data = serializers.SerializerMethodField()
    labels = serializers.PrimaryKeyRelatedField(many=True, queryset=Label.objects.all(), required=False, write_only=True)
    skip_tags = serializers.CharField(required=False, write_only=True, allow_blank=True)
    job_tags = serializers.CharField(required=False, write_only=True, allow_blank=True)
    class Meta:
        model = WorkflowJobTemplate
        fields = (
@@ -4291,8 +4353,22 @@ class WorkflowJobLaunchSerializer(BaseSerializer):
            'workflow_job_template_data',
            'survey_enabled',
            'ask_variables_on_launch',
            'ask_labels_on_launch',
            'labels',
            'ask_skip_tags_on_launch',
            'ask_tags_on_launch',
            'skip_tags',
            'job_tags',
        )
        read_only_fields = (
            'ask_inventory_on_launch',
            'ask_variables_on_launch',
            'ask_skip_tags_on_launch',
            'ask_labels_on_launch',
            'ask_limit_on_launch',
            'ask_scm_branch_on_launch',
            'ask_tags_on_launch',
        )
        read_only_fields = ('ask_inventory_on_launch', 'ask_variables_on_launch')
    def get_survey_enabled(self, obj):
        if obj:
@@ -4304,6 +4380,10 @@ class WorkflowJobLaunchSerializer(BaseSerializer):
        for field_name in WorkflowJobTemplate.get_ask_mapping().keys():
            if field_name == 'inventory':
                defaults_dict[field_name] = dict(name=getattrd(obj, '%s.name' % field_name, None), id=getattrd(obj, '%s.pk' % field_name, None))
            elif field_name == 'labels':
                for label in obj.labels.all():
                    label_dict = {"id": label.id, "name": label.name}
                    defaults_dict.setdefault(field_name, []).append(label_dict)
            else:
                defaults_dict[field_name] = getattr(obj, field_name)
        return defaults_dict
@@ -4329,6 +4409,7 @@ class WorkflowJobLaunchSerializer(BaseSerializer):
        WFJT_inventory = template.inventory
        WFJT_limit = template.limit
        WFJT_scm_branch = template.scm_branch
        super(WorkflowJobLaunchSerializer, self).validate(attrs)
        template.extra_vars = WFJT_extra_vars
        template.inventory = WFJT_inventory
@@ -4551,7 +4632,6 @@ class NotificationTemplateSerializer(BaseSerializer):
 class NotificationSerializer(BaseSerializer):
    body = serializers.SerializerMethodField(help_text=_('Notification body'))
    class Meta:
@@ -4720,6 +4800,8 @@ class ScheduleSerializer(LaunchConfigurationBaseSerializer, SchedulePreviewSeria
        if isinstance(obj.unified_job_template, SystemJobTemplate):
            summary_fields['unified_job_template']['job_type'] = obj.unified_job_template.job_type
        # We are not showing instance groups on summary fields because JTs don't either
        if 'inventory' in summary_fields:
            return summary_fields
@@ -4754,7 +4836,7 @@ class ScheduleSerializer(LaunchConfigurationBaseSerializer, SchedulePreviewSeria
 class InstanceLinkSerializer(BaseSerializer):
    class Meta:
        model = InstanceLink
-        fields = ('source', 'target')
+        fields = ('source', 'target', 'link_state')
    source = serializers.SlugRelatedField(slug_field="hostname", read_only=True)
    target = serializers.SlugRelatedField(slug_field="hostname", read_only=True)
@@ -4763,63 +4845,93 @@ class InstanceLinkSerializer(BaseSerializer):
 class InstanceNodeSerializer(BaseSerializer):
    class Meta:
        model = Instance
-        fields = ('id', 'hostname', 'node_type', 'node_state')
+        fields = ('id', 'hostname', 'node_type', 'node_state', 'enabled')
    node_state = serializers.SerializerMethodField()
    def get_node_state(self, obj):
        if not obj.enabled:
            return "disabled"
        return "error" if obj.errors else "healthy"
 class InstanceSerializer(BaseSerializer):
    show_capabilities = ['edit']
    consumed_capacity = serializers.SerializerMethodField()
    percent_capacity_remaining = serializers.SerializerMethodField()
-    jobs_running = serializers.IntegerField(help_text=_('Count of jobs in the running or waiting state that ' 'are targeted for this instance'), read_only=True)
+    jobs_running = serializers.IntegerField(help_text=_('Count of jobs in the running or waiting state that are targeted for this instance'), read_only=True)
    jobs_total = serializers.IntegerField(help_text=_('Count of all jobs that target this instance'), read_only=True)
    health_check_pending = serializers.SerializerMethodField()
    class Meta:
        model = Instance
-        read_only_fields = ('uuid', 'hostname', 'version', 'node_type')
+        read_only_fields = ('ip_address', 'uuid', 'version')
        fields = (
-            "id",
+            'id',
-            "type",
+            'hostname',
-            "url",
+            'type',
-            "related",
+            'url',
-            "uuid",
+            'related',
-            "hostname",
+            'summary_fields',
-            "created",
+            'uuid',
-            "modified",
+            'created',
-            "last_seen",
+            'modified',
-            "last_health_check",
+            'last_seen',
-            "errors",
+            'health_check_started',
            'health_check_pending',
            'last_health_check',
            'errors',
            'capacity_adjustment',
-            "version",
+            'version',
-            "capacity",
+            'capacity',
-            "consumed_capacity",
+            'consumed_capacity',
-            "percent_capacity_remaining",
+            'percent_capacity_remaining',
-            "jobs_running",
+            'jobs_running',
-            "jobs_total",
+            'jobs_total',
-            "cpu",
+            'cpu',
-            "memory",
+            'memory',
-            "cpu_capacity",
+            'cpu_capacity',
-            "mem_capacity",
+            'mem_capacity',
-            "enabled",
+            'enabled',
-            "managed_by_policy",
+            'managed_by_policy',
-            "node_type",
+            'node_type',
            'node_state',
            'ip_address',
            'listener_port',
        )
        extra_kwargs = {
            'node_type': {'initial': Instance.Types.EXECUTION, 'default': Instance.Types.EXECUTION},
            'node_state': {'initial': Instance.States.INSTALLED, 'default': Instance.States.INSTALLED},
            'hostname': {
                'validators': [
                    MaxLengthValidator(limit_value=250),
                    validators.UniqueValidator(queryset=Instance.objects.all()),
                    RegexValidator(
                        regex=r'^localhost$|^127(?:\.[0-9]+){0,2}\.[0-9]+$|^(?:0*\:)*?:?0*1$',
                        flags=re.IGNORECASE,
                        inverse_match=True,
                        message="hostname cannot be localhost or 127.0.0.1",
                    ),
                    HostnameRegexValidator(),
                ],
            },
        }
    def get_related(self, obj):
        res = super(InstanceSerializer, self).get_related(obj)
        res['jobs'] = self.reverse('api:instance_unified_jobs_list', kwargs={'pk': obj.pk})
        res['instance_groups'] = self.reverse('api:instance_instance_groups_list', kwargs={'pk': obj.pk})
        if settings.IS_K8S and obj.node_type in (Instance.Types.EXECUTION,):
            res['install_bundle'] = self.reverse('api:instance_install_bundle', kwargs={'pk': obj.pk})
        res['peers'] = self.reverse('api:instance_peers_list', kwargs={"pk": obj.pk})
        if self.context['request'].user.is_superuser or self.context['request'].user.is_system_auditor:
-            if obj.node_type != 'hop':
+            if obj.node_type == 'execution':
                res['health_check'] = self.reverse('api:instance_health_check', kwargs={'pk': obj.pk})
        return res
    def get_summary_fields(self, obj):
        summary = super().get_summary_fields(obj)
        # use this handle to distinguish between a listView and a detailView
        if self.is_detail_view:
            summary['links'] = InstanceLinkSerializer(InstanceLink.objects.select_related('target', 'source').filter(source=obj), many=True).data
        return summary
    def get_consumed_capacity(self, obj):
        return obj.consumed_capacity
@@ -4829,10 +4941,58 @@ class InstanceSerializer(BaseSerializer):
        else:
            return float("{0:.2f}".format(((float(obj.capacity) - float(obj.consumed_capacity)) / (float(obj.capacity))) * 100))
-    def validate(self, attrs):
+    def get_health_check_pending(self, obj):
-        if self.instance.node_type == 'hop':
+        return obj.health_check_pending
-            raise serializers.ValidationError(_('Hop node instances may not be changed.'))
+
-        return attrs
+    def validate(self, data):
        if self.instance:
            if self.instance.node_type == Instance.Types.HOP:
                raise serializers.ValidationError("Hop node instances may not be changed.")
        else:
            if not settings.IS_K8S:
                raise serializers.ValidationError("Can only create instances on Kubernetes or OpenShift.")
        return data
    def validate_node_type(self, value):
        if not self.instance:
            if value not in (Instance.Types.EXECUTION,):
                raise serializers.ValidationError("Can only create execution nodes.")
        else:
            if self.instance.node_type != value:
                raise serializers.ValidationError("Cannot change node type.")
        return value
    def validate_node_state(self, value):
        if self.instance:
            if value != self.instance.node_state:
                if not settings.IS_K8S:
                    raise serializers.ValidationError("Can only change the state on Kubernetes or OpenShift.")
                if value != Instance.States.DEPROVISIONING:
                    raise serializers.ValidationError("Can only change instances to the 'deprovisioning' state.")
                if self.instance.node_type not in (Instance.Types.EXECUTION,):
                    raise serializers.ValidationError("Can only deprovision execution nodes.")
        else:
            if value and value != Instance.States.INSTALLED:
                raise serializers.ValidationError("Can only create instances in the 'installed' state.")
        return value
    def validate_hostname(self, value):
        """
        - Hostname cannot be "localhost" - but can be something like localhost.domain
        - Cannot change the hostname of an-already instantiated & initialized Instance object
        """
        if self.instance and self.instance.hostname != value:
            raise serializers.ValidationError("Cannot change hostname.")
        return value
    def validate_listener_port(self, value):
        if self.instance and self.instance.listener_port != value:
            raise serializers.ValidationError("Cannot change listener port.")
        return value
 class InstanceHealthCheckSerializer(BaseSerializer):
@@ -4843,14 +5003,11 @@ class InstanceHealthCheckSerializer(BaseSerializer):
 class InstanceGroupSerializer(BaseSerializer):
    show_capabilities = ['edit', 'delete']
-
+    capacity = serializers.SerializerMethodField()
    consumed_capacity = serializers.SerializerMethodField()
    percent_capacity_remaining = serializers.SerializerMethodField()
-    jobs_running = serializers.IntegerField(
+    jobs_running = serializers.SerializerMethodField()
        help_text=_('Count of jobs in the running or waiting state that ' 'are targeted for this instance group'), read_only=True
    )
    jobs_total = serializers.IntegerField(help_text=_('Count of all jobs that target this instance group'), read_only=True)
    instances = serializers.SerializerMethodField()
    is_container_group = serializers.BooleanField(
@@ -4876,6 +5033,22 @@ class InstanceGroupSerializer(BaseSerializer):
        label=_('Policy Instance Minimum'),
        help_text=_("Static minimum number of Instances that will be automatically assign to " "this group when new instances come online."),
    )
    max_concurrent_jobs = serializers.IntegerField(
        default=0,
        min_value=0,
        required=False,
        initial=0,
        label=_('Max Concurrent Jobs'),
        help_text=_("Maximum number of concurrent jobs to run on a group. When set to zero, no maximum is enforced."),
    )
    max_forks = serializers.IntegerField(
        default=0,
        min_value=0,
        required=False,
        initial=0,
        label=_('Max Forks'),
        help_text=_("Maximum number of forks to execute concurrently on a group. When set to zero, no maximum is enforced."),
    )
    policy_instance_list = serializers.ListField(
        child=serializers.CharField(),
        required=False,
@@ -4897,6 +5070,8 @@ class InstanceGroupSerializer(BaseSerializer):
            "consumed_capacity",
            "percent_capacity_remaining",
            "jobs_running",
            "max_concurrent_jobs",
            "max_forks",
            "jobs_total",
            "instances",
            "is_container_group",
@@ -4978,38 +5153,47 @@ class InstanceGroupSerializer(BaseSerializer):
        # Store capacity values (globally computed) in the context
        if 'task_manager_igs' not in self.context:
            instance_groups_queryset = None
            jobs_qs = UnifiedJob.objects.filter(status__in=('running', 'waiting'))
            if self.parent:  # Is ListView:
                instance_groups_queryset = self.parent.instance
-            instances = TaskManagerInstances(jobs_qs)
+            tm_models = TaskManagerModels.init_with_consumed_capacity(
-            instance_groups = TaskManagerInstanceGroups(instances_by_hostname=instances, instance_groups_queryset=instance_groups_queryset)
+                instance_fields=['uuid', 'version', 'capacity', 'cpu', 'memory', 'managed_by_policy', 'enabled'],
                instance_groups_queryset=instance_groups_queryset,
            )
-            self.context['task_manager_igs'] = instance_groups
+            self.context['task_manager_igs'] = tm_models.instance_groups
        return self.context['task_manager_igs']
    def get_consumed_capacity(self, obj):
        ig_mgr = self.get_ig_mgr()
        return ig_mgr.get_consumed_capacity(obj.name)
-    def get_percent_capacity_remaining(self, obj):
+    def get_capacity(self, obj):
        if not obj.capacity:
            return 0.0
        ig_mgr = self.get_ig_mgr()
-        return float("{0:.2f}".format((float(ig_mgr.get_remaining_capacity(obj.name)) / (float(obj.capacity))) * 100))
+        return ig_mgr.get_capacity(obj.name)
    def get_percent_capacity_remaining(self, obj):
        capacity = self.get_capacity(obj)
        if not capacity:
            return 0.0
        consumed_capacity = self.get_consumed_capacity(obj)
        return float("{0:.2f}".format(((float(capacity) - float(consumed_capacity)) / (float(capacity))) * 100))
    def get_instances(self, obj):
-        return obj.instances.count()
+        ig_mgr = self.get_ig_mgr()
        return len(ig_mgr.get_instances(obj.name))
    def get_jobs_running(self, obj):
        ig_mgr = self.get_ig_mgr()
        return ig_mgr.get_jobs_running(obj.name)
 class ActivityStreamSerializer(BaseSerializer):
    changes = serializers.SerializerMethodField()
    object_association = serializers.SerializerMethodField(help_text=_("When present, shows the field name of the role or relationship that changed."))
    object_type = serializers.SerializerMethodField(help_text=_("When present, shows the model on which the role or relationship was defined."))
-    @cached_property
+    def _local_summarizable_fk_fields(self, obj):
    def _local_summarizable_fk_fields(self):
        summary_dict = copy.copy(SUMMARIZABLE_FK_FIELDS)
        # Special requests
        summary_dict['group'] = summary_dict['group'] + ('inventory_id',)
@@ -5029,7 +5213,13 @@ class ActivityStreamSerializer(BaseSerializer):
            ('workflow_approval', ('id', 'name', 'unified_job_id')),
            ('instance', ('id', 'hostname')),
        ]
-        return field_list
+        # Optimization - do not attempt to summarize all fields, pair down to only relations that exist
        if not obj:
            return field_list
        existing_association_types = [obj.object1, obj.object2]
        if 'user' in existing_association_types:
            existing_association_types.append('role')
        return [entry for entry in field_list if entry[0] in existing_association_types]
    class Meta:
        model = ActivityStream
@@ -5113,7 +5303,7 @@ class ActivityStreamSerializer(BaseSerializer):
        data = {}
        if obj.actor is not None:
            data['actor'] = self.reverse('api:user_detail', kwargs={'pk': obj.actor.pk})
-        for fk, __ in self._local_summarizable_fk_fields:
+        for fk, __ in self._local_summarizable_fk_fields(obj):
            if not hasattr(obj, fk):
                continue
            m2m_list = self._get_related_objects(obj, fk)
@@ -5170,7 +5360,7 @@ class ActivityStreamSerializer(BaseSerializer):
    def get_summary_fields(self, obj):
        summary_fields = OrderedDict()
-        for fk, related_fields in self._local_summarizable_fk_fields:
+        for fk, related_fields in self._local_summarizable_fk_fields(obj):
            try:
                if not hasattr(obj, fk):
                    continue
--- a/awx/api/templates/api/job_template_launch.md
+++ b/awx/api/templates/api/job_template_launch.md
@@ -1,5 +1,5 @@
 Launch a Job Template:
-
+{% ifmeth GET %}
 Make a GET request to this resource to determine if the job_template can be
 launched and whether any passwords are required to launch the job_template.
 The response will include the following fields:
@@ -29,8 +29,8 @@ The response will include the following fields:
 * `inventory_needed_to_start`: Flag indicating the presence of an inventory
  associated with the job template.  If not then one should be supplied when
  launching the job (boolean, read-only)
-
+{% endifmeth %}
-Make a POST request to this resource to launch the job_template. If any
+{% ifmeth POST %}Make a POST request to this resource to launch the job_template. If any
 passwords, inventory, or extra variables (extra_vars) are required, they must
 be passed via POST data, with extra_vars given as a YAML or JSON string and
 escaped parentheses. If the `inventory_needed_to_start` is `True` then the
@@ -41,3 +41,4 @@ are not provided, a 400 status code will be returned.  If the job cannot be
 launched, a 405 status code will be returned. If the provided credential or
 inventory are not allowed to be used by the user, then a 403 status code will
 be returned.
 {% endifmeth %}
--- a/awx/api/templates/instance_install_bundle/group_vars/all.yml
+++ b/awx/api/templates/instance_install_bundle/group_vars/all.yml
@@ -0,0 +1,23 @@
 receptor_user: awx
 receptor_group: awx
 receptor_verify: true
 receptor_tls: true
 receptor_work_commands:
  ansible-runner:
    command: ansible-runner
    params: worker
    allowruntimeparams: true
    verifysignature: true
 custom_worksign_public_keyfile: receptor/work-public-key.pem
 custom_tls_certfile: receptor/tls/receptor.crt
 custom_tls_keyfile: receptor/tls/receptor.key
 custom_ca_certfile: receptor/tls/ca/receptor-ca.crt
 receptor_protocol: 'tcp'
 receptor_listener: true
 receptor_port: {{ instance.listener_port }}
 receptor_dependencies:
  - python39-pip
 {% verbatim %}
 podman_user: "{{ receptor_user }}"
 podman_group: "{{ receptor_group }}"
 {% endverbatim %}
--- a/awx/api/templates/instance_install_bundle/install_receptor.yml
+++ b/awx/api/templates/instance_install_bundle/install_receptor.yml
@@ -0,0 +1,20 @@
 {% verbatim %}
 ---
 - hosts: all
  become: yes
  tasks:
    - name: Create the receptor user
      user:
        name: "{{ receptor_user }}"
        shell: /bin/bash
    - name: Enable Copr repo for Receptor
      command: dnf copr enable ansible-awx/receptor -y
    - import_role:
        name: ansible.receptor.podman
    - import_role:
        name: ansible.receptor.setup
    - name: Install ansible-runner
      pip:
        name: ansible-runner
        executable: pip3.9
 {% endverbatim %}
--- a/awx/api/templates/instance_install_bundle/inventory.yml
+++ b/awx/api/templates/instance_install_bundle/inventory.yml
@@ -0,0 +1,7 @@
 ---
 all:
  hosts:
    remote-execution:
      ansible_host: {{ instance.hostname }}
      ansible_user: <username> # user provided
      ansible_ssh_private_key_file: ~/.ssh/id_rsa
--- a/awx/api/templates/instance_install_bundle/requirements.yml
+++ b/awx/api/templates/instance_install_bundle/requirements.yml
@@ -0,0 +1,4 @@
 ---
 collections:
  - name: ansible.receptor
    version: 1.1.0
--- a/awx/api/urls/debug.py
+++ b/awx/api/urls/debug.py
@@ -0,0 +1,17 @@
 from django.urls import re_path
 from awx.api.views.debug import (
    DebugRootView,
    TaskManagerDebugView,
    DependencyManagerDebugView,
    WorkflowManagerDebugView,
 )
 urls = [
    re_path(r'^$', DebugRootView.as_view(), name='debug'),
    re_path(r'^task_manager/$', TaskManagerDebugView.as_view(), name='task_manager'),
    re_path(r'^dependency_manager/$', DependencyManagerDebugView.as_view(), name='dependency_manager'),
    re_path(r'^workflow_manager/$', WorkflowManagerDebugView.as_view(), name='workflow_manager'),
 ]
 __all__ = ['urls']
--- a/awx/api/urls/instance.py
+++ b/awx/api/urls/instance.py
@@ -3,7 +3,15 @@
 from django.urls import re_path
-from awx.api.views import InstanceList, InstanceDetail, InstanceUnifiedJobsList, InstanceInstanceGroupsList, InstanceHealthCheck
+from awx.api.views import (
    InstanceList,
    InstanceDetail,
    InstanceUnifiedJobsList,
    InstanceInstanceGroupsList,
    InstanceHealthCheck,
    InstancePeersList,
 )
 from awx.api.views.instance_install_bundle import InstanceInstallBundle
 urls = [
@@ -12,6 +20,8 @@ urls = [
    re_path(r'^(?P<pk>[0-9]+)/jobs/$', InstanceUnifiedJobsList.as_view(), name='instance_unified_jobs_list'),
    re_path(r'^(?P<pk>[0-9]+)/instance_groups/$', InstanceInstanceGroupsList.as_view(), name='instance_instance_groups_list'),
    re_path(r'^(?P<pk>[0-9]+)/health_check/$', InstanceHealthCheck.as_view(), name='instance_health_check'),
    re_path(r'^(?P<pk>[0-9]+)/peers/$', InstancePeersList.as_view(), name='instance_peers_list'),
    re_path(r'^(?P<pk>[0-9]+)/install_bundle/$', InstanceInstallBundle.as_view(), name='instance_install_bundle'),
 ]
 __all__ = ['urls']
--- a/awx/api/urls/inventory.py
+++ b/awx/api/urls/inventory.py
@@ -3,26 +3,28 @@
 from django.urls import re_path
-from awx.api.views import (
+from awx.api.views.inventory import (
    InventoryList,
    InventoryDetail,
    InventoryHostsList,
    InventoryGroupsList,
    InventoryRootGroupsList,
    InventoryVariableData,
    InventoryScriptView,
    InventoryTreeView,
    InventoryInventorySourcesList,
    InventoryInventorySourcesUpdate,
    InventoryActivityStreamList,
    InventoryJobTemplateList,
    InventoryAdHocCommandsList,
    InventoryAccessList,
    InventoryObjectRolesList,
    InventoryInstanceGroupsList,
    InventoryLabelList,
    InventoryCopy,
 )
 from awx.api.views import (
    InventoryHostsList,
    InventoryGroupsList,
    InventoryInventorySourcesList,
    InventoryInventorySourcesUpdate,
    InventoryAdHocCommandsList,
    InventoryRootGroupsList,
    InventoryScriptView,
    InventoryTreeView,
    InventoryVariableData,
 )
 urls = [
--- a/awx/api/urls/inventory_update.py
+++ b/awx/api/urls/inventory_update.py
@@ -3,6 +3,9 @@
 from django.urls import re_path
 from awx.api.views.inventory import (
    InventoryUpdateEventsList,
 )
 from awx.api.views import (
    InventoryUpdateList,
    InventoryUpdateDetail,
@@ -10,7 +13,6 @@ from awx.api.views import (
    InventoryUpdateStdout,
    InventoryUpdateNotificationsList,
    InventoryUpdateCredentialsList,
    InventoryUpdateEventsList,
 )
--- a/awx/api/urls/label.py
+++ b/awx/api/urls/label.py
@@ -3,7 +3,7 @@
 from django.urls import re_path
-from awx.api.views import LabelList, LabelDetail
+from awx.api.views.labels import LabelList, LabelDetail
 urls = [re_path(r'^$', LabelList.as_view(), name='label_list'), re_path(r'^(?P<pk>[0-9]+)/$', LabelDetail.as_view(), name='label_detail')]
--- a/awx/api/urls/oauth2_root.py
+++ b/awx/api/urls/oauth2_root.py
@@ -10,7 +10,7 @@ from oauthlib import oauth2
 from oauth2_provider import views
 from awx.main.models import RefreshToken
-from awx.api.views import ApiOAuthAuthorizationRootView
+from awx.api.views.root import ApiOAuthAuthorizationRootView
 class TokenView(views.TokenView):
--- a/awx/api/urls/organization.py
+++ b/awx/api/urls/organization.py
@@ -3,7 +3,7 @@
 from django.urls import re_path
-from awx.api.views import (
+from awx.api.views.organization import (
    OrganizationList,
    OrganizationDetail,
    OrganizationUsersList,
@@ -14,7 +14,6 @@ from awx.api.views import (
    OrganizationJobTemplatesList,
    OrganizationWorkflowJobTemplatesList,
    OrganizationTeamsList,
    OrganizationCredentialList,
    OrganizationActivityStreamList,
    OrganizationNotificationTemplatesList,
    OrganizationNotificationTemplatesErrorList,
@@ -25,8 +24,8 @@ from awx.api.views import (
    OrganizationGalaxyCredentialsList,
    OrganizationObjectRolesList,
    OrganizationAccessList,
    OrganizationApplicationList,
 )
 from awx.api.views import OrganizationCredentialList, OrganizationApplicationList
 urls = [
--- a/awx/api/urls/schedule.py
+++ b/awx/api/urls/schedule.py
@@ -3,7 +3,7 @@
 from django.urls import re_path
-from awx.api.views import ScheduleList, ScheduleDetail, ScheduleUnifiedJobsList, ScheduleCredentialsList
+from awx.api.views import ScheduleList, ScheduleDetail, ScheduleUnifiedJobsList, ScheduleCredentialsList, ScheduleLabelsList, ScheduleInstanceGroupList
 urls = [
@@ -11,6 +11,8 @@ urls = [
    re_path(r'^(?P<pk>[0-9]+)/$', ScheduleDetail.as_view(), name='schedule_detail'),
    re_path(r'^(?P<pk>[0-9]+)/jobs/$', ScheduleUnifiedJobsList.as_view(), name='schedule_unified_jobs_list'),
    re_path(r'^(?P<pk>[0-9]+)/credentials/$', ScheduleCredentialsList.as_view(), name='schedule_credentials_list'),
    re_path(r'^(?P<pk>[0-9]+)/labels/$', ScheduleLabelsList.as_view(), name='schedule_labels_list'),
    re_path(r'^(?P<pk>[0-9]+)/instance_groups/$', ScheduleInstanceGroupList.as_view(), name='schedule_instance_groups_list'),
 ]
 __all__ = ['urls']
--- a/awx/api/urls/urls.py
+++ b/awx/api/urls/urls.py
@@ -2,17 +2,19 @@
 # All Rights Reserved.
 from __future__ import absolute_import, unicode_literals
 from django.conf import settings
 from django.urls import include, re_path
 from awx import MODE
 from awx.api.generics import LoggedLoginView, LoggedLogoutView
-from awx.api.views import (
+from awx.api.views.root import (
    ApiRootView,
    ApiV2RootView,
    ApiV2PingView,
    ApiV2ConfigView,
    ApiV2SubscriptionView,
    ApiV2AttachView,
 )
 from awx.api.views import (
    AuthView,
    UserMeList,
    DashboardView,
@@ -28,8 +30,8 @@ from awx.api.views import (
    OAuth2TokenList,
    ApplicationOAuth2TokenList,
    OAuth2ApplicationDetail,
    MeshVisualizer,
 )
 from awx.api.views.mesh_visualizer import MeshVisualizer
 from awx.api.views.metrics import MetricsView
@@ -145,7 +147,12 @@ urlpatterns = [
    re_path(r'^logout/$', LoggedLogoutView.as_view(next_page='/api/', redirect_field_name='next'), name='logout'),
    re_path(r'^o/', include(oauth2_root_urls)),
 ]
-if settings.SETTINGS_MODULE == 'awx.settings.development':
+if MODE == 'development':
    # Only include these if we are in the development environment
    from awx.api.swagger import SwaggerSchemaView
    urlpatterns += [re_path(r'^swagger/$', SwaggerSchemaView.as_view(), name='swagger_view')]
    from awx.api.urls.debug import urls as debug_urls
    urlpatterns += [re_path(r'^debug/', include(debug_urls))]
--- a/awx/api/urls/webhooks.py
+++ b/awx/api/urls/webhooks.py
@@ -1,6 +1,6 @@
 from django.urls import re_path
-from awx.api.views import WebhookKeyView, GithubWebhookReceiver, GitlabWebhookReceiver
+from awx.api.views.webhooks import WebhookKeyView, GithubWebhookReceiver, GitlabWebhookReceiver
 urlpatterns = [
--- a/awx/api/urls/workflow_job_node.py
+++ b/awx/api/urls/workflow_job_node.py
@@ -10,6 +10,8 @@ from awx.api.views import (
    WorkflowJobNodeFailureNodesList,
    WorkflowJobNodeAlwaysNodesList,
    WorkflowJobNodeCredentialsList,
    WorkflowJobNodeLabelsList,
    WorkflowJobNodeInstanceGroupsList,
 )
@@ -20,6 +22,8 @@ urls = [
    re_path(r'^(?P<pk>[0-9]+)/failure_nodes/$', WorkflowJobNodeFailureNodesList.as_view(), name='workflow_job_node_failure_nodes_list'),
    re_path(r'^(?P<pk>[0-9]+)/always_nodes/$', WorkflowJobNodeAlwaysNodesList.as_view(), name='workflow_job_node_always_nodes_list'),
    re_path(r'^(?P<pk>[0-9]+)/credentials/$', WorkflowJobNodeCredentialsList.as_view(), name='workflow_job_node_credentials_list'),
    re_path(r'^(?P<pk>[0-9]+)/labels/$', WorkflowJobNodeLabelsList.as_view(), name='workflow_job_node_labels_list'),
    re_path(r'^(?P<pk>[0-9]+)/instance_groups/$', WorkflowJobNodeInstanceGroupsList.as_view(), name='workflow_job_node_instance_groups_list'),
 ]
 __all__ = ['urls']
--- a/awx/api/urls/workflow_job_template_node.py
+++ b/awx/api/urls/workflow_job_template_node.py
@@ -11,6 +11,8 @@ from awx.api.views import (
    WorkflowJobTemplateNodeAlwaysNodesList,
    WorkflowJobTemplateNodeCredentialsList,
    WorkflowJobTemplateNodeCreateApproval,
    WorkflowJobTemplateNodeLabelsList,
    WorkflowJobTemplateNodeInstanceGroupsList,
 )
@@ -21,6 +23,8 @@ urls = [
    re_path(r'^(?P<pk>[0-9]+)/failure_nodes/$', WorkflowJobTemplateNodeFailureNodesList.as_view(), name='workflow_job_template_node_failure_nodes_list'),
    re_path(r'^(?P<pk>[0-9]+)/always_nodes/$', WorkflowJobTemplateNodeAlwaysNodesList.as_view(), name='workflow_job_template_node_always_nodes_list'),
    re_path(r'^(?P<pk>[0-9]+)/credentials/$', WorkflowJobTemplateNodeCredentialsList.as_view(), name='workflow_job_template_node_credentials_list'),
    re_path(r'^(?P<pk>[0-9]+)/labels/$', WorkflowJobTemplateNodeLabelsList.as_view(), name='workflow_job_template_node_labels_list'),
    re_path(r'^(?P<pk>[0-9]+)/instance_groups/$', WorkflowJobTemplateNodeInstanceGroupsList.as_view(), name='workflow_job_template_node_instance_groups_list'),
    re_path(r'^(?P<pk>[0-9]+)/create_approval_template/$', WorkflowJobTemplateNodeCreateApproval.as_view(), name='workflow_job_template_node_create_approval'),
 ]
--- a/awx/api/validators.py
+++ b/awx/api/validators.py
@@ -0,0 +1,54 @@
 import re
 from django.core.validators import RegexValidator, validate_ipv46_address
 from django.core.exceptions import ValidationError
 class HostnameRegexValidator(RegexValidator):
    """
    Fully validates a domain name that is compliant with norms in Linux/RHEL
        - Cannot start with a hyphen
        - Cannot begin with, or end with a "."
        - Cannot contain any whitespaces
        - Entire hostname is max 255 chars (including dots)
        - Each domain/label is between 1 and 63 characters, except top level domain, which must be at least 2 characters
        - Supports ipv4, ipv6, simple hostnames and FQDNs
        - Follows RFC 9210 (modern RFC 1123, 1178) requirements
    Accepts an IP Address or Hostname as the argument
    """
    regex = '^[a-z0-9][-a-z0-9]*$|^([a-z0-9][-a-z0-9]{0,62}[.])*[a-z0-9][-a-z0-9]{1,62}$'
    flags = re.IGNORECASE
    def __call__(self, value):
        regex_matches, err = self.__validate(value)
        invalid_input = regex_matches if self.inverse_match else not regex_matches
        if invalid_input:
            if err is None:
                err = ValidationError(self.message, code=self.code, params={"value": value})
            raise err
    def __str__(self):
        return f"regex={self.regex}, message={self.message}, code={self.code}, inverse_match={self.inverse_match}, flags={self.flags}"
    def __validate(self, value):
        if ' ' in value:
            return False, ValidationError("whitespaces in hostnames are illegal")
        """
        If we have an IP address, try and validate it.
        """
        try:
            validate_ipv46_address(value)
            return True, None
        except ValidationError:
            pass
        """
        By this point in the code, we probably have a simple hostname, FQDN or a strange hostname like "192.localhost.domain.101"
        """
        if not self.regex.match(value):
            return False, ValidationError(f"illegal characters detected in hostname={value}. Please verify.")
        return True, None
--- a/awx/api/views/init.py
+++ b/awx/api/views/init.py
--- a/awx/api/views/debug.py
+++ b/awx/api/views/debug.py
@@ -0,0 +1,68 @@
 from collections import OrderedDict
 from django.conf import settings
 from rest_framework.permissions import AllowAny
 from rest_framework.response import Response
 from awx.api.generics import APIView
 from awx.main.scheduler import TaskManager, DependencyManager, WorkflowManager
 class TaskManagerDebugView(APIView):
    _ignore_model_permissions = True
    exclude_from_schema = True
    permission_classes = [AllowAny]
    prefix = 'Task'
    def get(self, request):
        TaskManager().schedule()
        if not settings.AWX_DISABLE_TASK_MANAGERS:
            msg = f"Running {self.prefix} manager. To disable other triggers to the {self.prefix} manager, set AWX_DISABLE_TASK_MANAGERS to True"
        else:
            msg = f"AWX_DISABLE_TASK_MANAGERS is True, this view is the only way to trigger the {self.prefix} manager"
        return Response(msg)
 class DependencyManagerDebugView(APIView):
    _ignore_model_permissions = True
    exclude_from_schema = True
    permission_classes = [AllowAny]
    prefix = 'Dependency'
    def get(self, request):
        DependencyManager().schedule()
        if not settings.AWX_DISABLE_TASK_MANAGERS:
            msg = f"Running {self.prefix} manager. To disable other triggers to the {self.prefix} manager, set AWX_DISABLE_TASK_MANAGERS to True"
        else:
            msg = f"AWX_DISABLE_TASK_MANAGERS is True, this view is the only way to trigger the {self.prefix} manager"
        return Response(msg)
 class WorkflowManagerDebugView(APIView):
    _ignore_model_permissions = True
    exclude_from_schema = True
    permission_classes = [AllowAny]
    prefix = 'Workflow'
    def get(self, request):
        WorkflowManager().schedule()
        if not settings.AWX_DISABLE_TASK_MANAGERS:
            msg = f"Running {self.prefix} manager. To disable other triggers to the {self.prefix} manager, set AWX_DISABLE_TASK_MANAGERS to True"
        else:
            msg = f"AWX_DISABLE_TASK_MANAGERS is True, this view is the only way to trigger the {self.prefix} manager"
        return Response(msg)
 class DebugRootView(APIView):
    _ignore_model_permissions = True
    exclude_from_schema = True
    permission_classes = [AllowAny]
    def get(self, request, format=None):
        '''List of available debug urls'''
        data = OrderedDict()
        data['task_manager'] = '/api/debug/task_manager/'
        data['dependency_manager'] = '/api/debug/dependency_manager/'
        data['workflow_manager'] = '/api/debug/workflow_manager/'
        return Response(data)
--- a/awx/api/views/instance_install_bundle.py
+++ b/awx/api/views/instance_install_bundle.py
@@ -0,0 +1,199 @@
 # Copyright (c) 2018 Red Hat, Inc.
 # All Rights Reserved.
 import datetime
 import io
 import ipaddress
 import os
 import tarfile
 import asn1
 from awx.api import serializers
 from awx.api.generics import GenericAPIView, Response
 from awx.api.permissions import IsSystemAdminOrAuditor
 from awx.main import models
 from cryptography import x509
 from cryptography.hazmat.primitives import hashes, serialization
 from cryptography.hazmat.primitives.asymmetric import rsa
 from cryptography.x509 import DNSName, IPAddress, ObjectIdentifier, OtherName
 from cryptography.x509.oid import NameOID
 from django.http import HttpResponse
 from django.template.loader import render_to_string
 from django.utils.translation import gettext_lazy as _
 from rest_framework import status
 # Red Hat has an OID namespace (RHANANA). Receptor has its own designation under that.
 RECEPTOR_OID = "1.3.6.1.4.1.2312.19.1"
 # generate install bundle for the instance
 # install bundle directory structure
 # ├── install_receptor.yml (playbook)
 # ├── inventory.yml
 # ├── group_vars
 # │   └── all.yml
 # ├── receptor
 # │   ├── tls
 # │   │   ├── ca
 # │   │   │   └── receptor-ca.crt
 # │   │   ├── receptor.crt
 # │   │   └── receptor.key
 # │   └── work-public-key.pem
 # └── requirements.yml
 class InstanceInstallBundle(GenericAPIView):
    name = _('Install Bundle')
    model = models.Instance
    serializer_class = serializers.InstanceSerializer
    permission_classes = (IsSystemAdminOrAuditor,)
    def get(self, request, *args, **kwargs):
        instance_obj = self.get_object()
        if instance_obj.node_type not in ('execution',):
            return Response(
                data=dict(msg=_('Install bundle can only be generated for execution nodes.')),
                status=status.HTTP_400_BAD_REQUEST,
            )
        with io.BytesIO() as f:
            with tarfile.open(fileobj=f, mode='w:gz') as tar:
                # copy /etc/receptor/tls/ca/receptor-ca.crt to receptor/tls/ca in the tar file
                tar.add(
                    os.path.realpath('/etc/receptor/tls/ca/receptor-ca.crt'), arcname=f"{instance_obj.hostname}_install_bundle/receptor/tls/ca/receptor-ca.crt"
                )
                # copy /etc/receptor/signing/work-public-key.pem to receptor/work-public-key.pem
                tar.add('/etc/receptor/signing/work-public-key.pem', arcname=f"{instance_obj.hostname}_install_bundle/receptor/work-public-key.pem")
                # generate and write the receptor key to receptor/tls/receptor.key in the tar file
                key, cert = generate_receptor_tls(instance_obj)
                key_tarinfo = tarfile.TarInfo(f"{instance_obj.hostname}_install_bundle/receptor/tls/receptor.key")
                key_tarinfo.size = len(key)
                tar.addfile(key_tarinfo, io.BytesIO(key))
                cert_tarinfo = tarfile.TarInfo(f"{instance_obj.hostname}_install_bundle/receptor/tls/receptor.crt")
                cert_tarinfo.size = len(cert)
                tar.addfile(cert_tarinfo, io.BytesIO(cert))
                # generate and write install_receptor.yml to the tar file
                playbook = generate_playbook().encode('utf-8')
                playbook_tarinfo = tarfile.TarInfo(f"{instance_obj.hostname}_install_bundle/install_receptor.yml")
                playbook_tarinfo.size = len(playbook)
                tar.addfile(playbook_tarinfo, io.BytesIO(playbook))
                # generate and write inventory.yml to the tar file
                inventory_yml = generate_inventory_yml(instance_obj).encode('utf-8')
                inventory_yml_tarinfo = tarfile.TarInfo(f"{instance_obj.hostname}_install_bundle/inventory.yml")
                inventory_yml_tarinfo.size = len(inventory_yml)
                tar.addfile(inventory_yml_tarinfo, io.BytesIO(inventory_yml))
                # generate and write group_vars/all.yml to the tar file
                group_vars = generate_group_vars_all_yml(instance_obj).encode('utf-8')
                group_vars_tarinfo = tarfile.TarInfo(f"{instance_obj.hostname}_install_bundle/group_vars/all.yml")
                group_vars_tarinfo.size = len(group_vars)
                tar.addfile(group_vars_tarinfo, io.BytesIO(group_vars))
                # generate and write requirements.yml to the tar file
                requirements_yml = generate_requirements_yml().encode('utf-8')
                requirements_yml_tarinfo = tarfile.TarInfo(f"{instance_obj.hostname}_install_bundle/requirements.yml")
                requirements_yml_tarinfo.size = len(requirements_yml)
                tar.addfile(requirements_yml_tarinfo, io.BytesIO(requirements_yml))
            # respond with the tarfile
            f.seek(0)
            response = HttpResponse(f.read(), status=status.HTTP_200_OK)
            response['Content-Disposition'] = f"attachment; filename={instance_obj.hostname}_install_bundle.tar.gz"
            return response
 def generate_playbook():
    return render_to_string("instance_install_bundle/install_receptor.yml")
 def generate_requirements_yml():
    return render_to_string("instance_install_bundle/requirements.yml")
 def generate_inventory_yml(instance_obj):
    return render_to_string("instance_install_bundle/inventory.yml", context=dict(instance=instance_obj))
 def generate_group_vars_all_yml(instance_obj):
    return render_to_string("instance_install_bundle/group_vars/all.yml", context=dict(instance=instance_obj))
 def generate_receptor_tls(instance_obj):
    # generate private key for the receptor
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    # encode receptor hostname to asn1
    hostname = instance_obj.hostname
    encoder = asn1.Encoder()
    encoder.start()
    encoder.write(hostname.encode(), nr=asn1.Numbers.UTF8String)
    hostname_asn1 = encoder.output()
    san_params = [
        DNSName(hostname),
        OtherName(ObjectIdentifier(RECEPTOR_OID), hostname_asn1),
    ]
    try:
        san_params.append(IPAddress(ipaddress.IPv4Address(hostname)))
    except ipaddress.AddressValueError:
        pass
    # generate certificate for the receptor
    csr = (
        x509.CertificateSigningRequestBuilder()
        .subject_name(
            x509.Name(
                [
                    x509.NameAttribute(NameOID.COMMON_NAME, hostname),
                ]
            )
        )
        .add_extension(
            x509.SubjectAlternativeName(san_params),
            critical=False,
        )
        .sign(key, hashes.SHA256())
    )
    # sign csr with the receptor ca key from /etc/receptor/ca/receptor-ca.key
    with open('/etc/receptor/tls/ca/receptor-ca.key', 'rb') as f:
        ca_key = serialization.load_pem_private_key(
            f.read(),
            password=None,
        )
    with open('/etc/receptor/tls/ca/receptor-ca.crt', 'rb') as f:
        ca_cert = x509.load_pem_x509_certificate(f.read())
    cert = (
        x509.CertificateBuilder()
        .subject_name(csr.subject)
        .issuer_name(ca_cert.issuer)
        .public_key(csr.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(datetime.datetime.utcnow())
        .not_valid_after(datetime.datetime.utcnow() + datetime.timedelta(days=3650))
        .add_extension(
            csr.extensions.get_extension_for_class(x509.SubjectAlternativeName).value,
            critical=csr.extensions.get_extension_for_class(x509.SubjectAlternativeName).critical,
        )
        .sign(ca_key, hashes.SHA256())
    )
    key = key.private_bytes(
        encoding=serialization.Encoding.PEM,
        format=serialization.PrivateFormat.TraditionalOpenSSL,
        encryption_algorithm=serialization.NoEncryption(),
    )
    cert = cert.public_bytes(
        encoding=serialization.Encoding.PEM,
    )
    return key, cert
--- a/awx/api/views/inventory.py
+++ b/awx/api/views/inventory.py
@@ -18,8 +18,6 @@ from rest_framework import status
 # AWX
 from awx.main.models import ActivityStream, Inventory, JobTemplate, Role, User, InstanceGroup, InventoryUpdateEvent, InventoryUpdate
 from awx.main.models.label import Label
 from awx.api.generics import (
    ListCreateAPIView,
    RetrieveUpdateDestroyAPIView,
@@ -27,9 +25,8 @@ from awx.api.generics import (
    SubListAttachDetachAPIView,
    ResourceAccessList,
    CopyAPIView,
    DeleteLastUnattachLabelMixin,
    SubListCreateAttachDetachAPIView,
 )
 from awx.api.views.labels import LabelSubListCreateAttachDetachView
 from awx.api.serializers import (
@@ -39,7 +36,6 @@ from awx.api.serializers import (
    InstanceGroupSerializer,
    InventoryUpdateEventSerializer,
    JobTemplateSerializer,
    LabelSerializer,
 )
 from awx.api.views.mixin import RelatedJobsPreventDeleteMixin
@@ -50,7 +46,6 @@ logger = logging.getLogger('awx.api.views.organization')
 class InventoryUpdateEventsList(SubListAPIView):
    model = InventoryUpdateEvent
    serializer_class = InventoryUpdateEventSerializer
    parent_model = InventoryUpdate
@@ -70,13 +65,11 @@ class InventoryUpdateEventsList(SubListAPIView):
 class InventoryList(ListCreateAPIView):
    model = Inventory
    serializer_class = InventorySerializer
 class InventoryDetail(RelatedJobsPreventDeleteMixin, RetrieveUpdateDestroyAPIView):
    model = Inventory
    serializer_class = InventorySerializer
@@ -102,7 +95,6 @@ class InventoryDetail(RelatedJobsPreventDeleteMixin, RetrieveUpdateDestroyAPIVie
 class InventoryActivityStreamList(SubListAPIView):
    model = ActivityStream
    serializer_class = ActivityStreamSerializer
    parent_model = Inventory
@@ -117,7 +109,6 @@ class InventoryActivityStreamList(SubListAPIView):
 class InventoryInstanceGroupsList(SubListAttachDetachAPIView):
    model = InstanceGroup
    serializer_class = InstanceGroupSerializer
    parent_model = Inventory
@@ -125,13 +116,11 @@ class InventoryInstanceGroupsList(SubListAttachDetachAPIView):
 class InventoryAccessList(ResourceAccessList):
    model = User  # needs to be User for AccessLists's
    parent_model = Inventory
 class InventoryObjectRolesList(SubListAPIView):
    model = Role
    serializer_class = RoleSerializer
    parent_model = Inventory
@@ -144,7 +133,6 @@ class InventoryObjectRolesList(SubListAPIView):
 class InventoryJobTemplateList(SubListAPIView):
    model = JobTemplate
    serializer_class = JobTemplateSerializer
    parent_model = Inventory
@@ -157,31 +145,10 @@ class InventoryJobTemplateList(SubListAPIView):
        return qs.filter(inventory=parent)
-class InventoryLabelList(DeleteLastUnattachLabelMixin, SubListCreateAttachDetachAPIView, SubListAPIView):
+class InventoryLabelList(LabelSubListCreateAttachDetachView):
    model = Label
    serializer_class = LabelSerializer
    parent_model = Inventory
    relationship = 'labels'
    def post(self, request, *args, **kwargs):
        # If a label already exists in the database, attach it instead of erroring out
        # that it already exists
        if 'id' not in request.data and 'name' in request.data and 'organization' in request.data:
            existing = Label.objects.filter(name=request.data['name'], organization_id=request.data['organization'])
            if existing.exists():
                existing = existing[0]
                request.data['id'] = existing.id
                del request.data['name']
                del request.data['organization']
        if Label.objects.filter(inventory_labels=self.kwargs['pk']).count() > 100:
            return Response(
                dict(msg=_('Maximum number of labels for {} reached.'.format(self.parent_model._meta.verbose_name_raw))), status=status.HTTP_400_BAD_REQUEST
            )
        return super(InventoryLabelList, self).post(request, *args, **kwargs)
 class InventoryCopy(CopyAPIView):
    model = Inventory
    copy_return_serializer_class = InventorySerializer
--- a/awx/api/views/labels.py
+++ b/awx/api/views/labels.py
@@ -0,0 +1,69 @@
 # AWX
 from awx.api.generics import SubListCreateAttachDetachAPIView, RetrieveUpdateAPIView, ListCreateAPIView
 from awx.main.models import Label
 from awx.api.serializers import LabelSerializer
 # Django
 from django.utils.translation import gettext_lazy as _
 # Django REST Framework
 from rest_framework.response import Response
 from rest_framework.status import HTTP_400_BAD_REQUEST
 class LabelSubListCreateAttachDetachView(SubListCreateAttachDetachAPIView):
    """
    For related labels lists like /api/v2/inventories/N/labels/
    We want want the last instance to be deleted from the database
    when the last disassociate happens.
    Subclasses need to define parent_model
    """
    model = Label
    serializer_class = LabelSerializer
    relationship = 'labels'
    def unattach(self, request, *args, **kwargs):
        (sub_id, res) = super().unattach_validate(request)
        if res:
            return res
        res = super().unattach_by_id(request, sub_id)
        obj = self.model.objects.get(id=sub_id)
        if obj.is_detached():
            obj.delete()
        return res
    def post(self, request, *args, **kwargs):
        # If a label already exists in the database, attach it instead of erroring out
        # that it already exists
        if 'id' not in request.data and 'name' in request.data and 'organization' in request.data:
            existing = Label.objects.filter(name=request.data['name'], organization_id=request.data['organization'])
            if existing.exists():
                existing = existing[0]
                request.data['id'] = existing.id
                del request.data['name']
                del request.data['organization']
        # Give a 400 error if we have attached too many labels to this object
        label_filter = self.parent_model._meta.get_field(self.relationship).remote_field.name
        if Label.objects.filter(**{label_filter: self.kwargs['pk']}).count() > 100:
            return Response(dict(msg=_(f'Maximum number of labels for {self.parent_model._meta.verbose_name_raw} reached.')), status=HTTP_400_BAD_REQUEST)
        return super().post(request, *args, **kwargs)
 class LabelDetail(RetrieveUpdateAPIView):
    model = Label
    serializer_class = LabelSerializer
 class LabelList(ListCreateAPIView):
    name = _("Labels")
    model = Label
    serializer_class = LabelSerializer
--- a/awx/api/views/mesh_visualizer.py
+++ b/awx/api/views/mesh_visualizer.py
@@ -10,13 +10,11 @@ from awx.main.models import InstanceLink, Instance
 class MeshVisualizer(APIView):
    name = _("Mesh Visualizer")
    permission_classes = (IsSystemAdminOrAuditor,)
    swagger_topic = "System Configuration"
    def get(self, request, format=None):
        data = {
            'nodes': InstanceNodeSerializer(Instance.objects.all(), many=True).data,
            'links': InstanceLinkSerializer(InstanceLink.objects.select_related('target', 'source'), many=True).data,
--- a/awx/api/views/metrics.py
+++ b/awx/api/views/metrics.py
@@ -5,9 +5,11 @@
 import logging
 # Django
 from django.conf import settings
 from django.utils.translation import gettext_lazy as _
 # Django REST Framework
 from rest_framework.permissions import AllowAny
 from rest_framework.response import Response
 from rest_framework.exceptions import PermissionDenied
@@ -25,15 +27,19 @@ logger = logging.getLogger('awx.analytics')
 class MetricsView(APIView):
    name = _('Metrics')
    swagger_topic = 'Metrics'
    renderer_classes = [renderers.PlainTextRenderer, renderers.PrometheusJSONRenderer, renderers.BrowsableAPIRenderer]
    def initialize_request(self, request, *args, **kwargs):
        if settings.ALLOW_METRICS_FOR_ANONYMOUS_USERS:
            self.permission_classes = (AllowAny,)
        return super(APIView, self).initialize_request(request, *args, **kwargs)
    def get(self, request):
        '''Show Metrics Details'''
-        if request.user.is_superuser or request.user.is_system_auditor:
+        if settings.ALLOW_METRICS_FOR_ANONYMOUS_USERS or request.user.is_superuser or request.user.is_system_auditor:
            metrics_to_show = ''
            if not request.query_params.get('subsystemonly', "0") == "1":
                metrics_to_show += metrics().decode('UTF-8')
--- a/awx/api/views/mixin.py
+++ b/awx/api/views/mixin.py
@@ -16,7 +16,7 @@ from rest_framework import status
 from awx.main.constants import ACTIVE_STATES
 from awx.main.utils import get_object_or_400
-from awx.main.models.ha import Instance, InstanceGroup
+from awx.main.models.ha import Instance, InstanceGroup, schedule_policy_task
 from awx.main.models.organization import Team
 from awx.main.models.projects import Project
 from awx.main.models.inventory import Inventory
@@ -107,6 +107,11 @@ class InstanceGroupMembershipMixin(object):
                if inst_name in ig_obj.policy_instance_list:
                    ig_obj.policy_instance_list.pop(ig_obj.policy_instance_list.index(inst_name))
                    ig_obj.save(update_fields=['policy_instance_list'])
            # sometimes removing an instance has a non-obvious consequence
            # this is almost always true if policy_instance_percentage or _minimum is non-zero
            # after removing a single instance, the other memberships need to be re-balanced
            schedule_policy_task()
        return response
--- a/awx/api/views/organization.py
+++ b/awx/api/views/organization.py
@@ -58,7 +58,6 @@ logger = logging.getLogger('awx.api.views.organization')
 class OrganizationList(OrganizationCountsMixin, ListCreateAPIView):
    model = Organization
    serializer_class = OrganizationSerializer
@@ -70,7 +69,6 @@ class OrganizationList(OrganizationCountsMixin, ListCreateAPIView):
 class OrganizationDetail(RelatedJobsPreventDeleteMixin, RetrieveUpdateDestroyAPIView):
    model = Organization
    serializer_class = OrganizationSerializer
@@ -106,7 +104,6 @@ class OrganizationDetail(RelatedJobsPreventDeleteMixin, RetrieveUpdateDestroyAPI
 class OrganizationInventoriesList(SubListAPIView):
    model = Inventory
    serializer_class = InventorySerializer
    parent_model = Organization
@@ -114,7 +111,6 @@ class OrganizationInventoriesList(SubListAPIView):
 class OrganizationUsersList(BaseUsersList):
    model = User
    serializer_class = UserSerializer
    parent_model = Organization
@@ -123,7 +119,6 @@ class OrganizationUsersList(BaseUsersList):
 class OrganizationAdminsList(BaseUsersList):
    model = User
    serializer_class = UserSerializer
    parent_model = Organization
@@ -132,7 +127,6 @@ class OrganizationAdminsList(BaseUsersList):
 class OrganizationProjectsList(SubListCreateAPIView):
    model = Project
    serializer_class = ProjectSerializer
    parent_model = Organization
@@ -140,7 +134,6 @@ class OrganizationProjectsList(SubListCreateAPIView):
 class OrganizationExecutionEnvironmentsList(SubListCreateAttachDetachAPIView):
    model = ExecutionEnvironment
    serializer_class = ExecutionEnvironmentSerializer
    parent_model = Organization
@@ -150,7 +143,6 @@ class OrganizationExecutionEnvironmentsList(SubListCreateAttachDetachAPIView):
 class OrganizationJobTemplatesList(SubListCreateAPIView):
    model = JobTemplate
    serializer_class = JobTemplateSerializer
    parent_model = Organization
@@ -158,7 +150,6 @@ class OrganizationJobTemplatesList(SubListCreateAPIView):
 class OrganizationWorkflowJobTemplatesList(SubListCreateAPIView):
    model = WorkflowJobTemplate
    serializer_class = WorkflowJobTemplateSerializer
    parent_model = Organization
@@ -166,7 +157,6 @@ class OrganizationWorkflowJobTemplatesList(SubListCreateAPIView):
 class OrganizationTeamsList(SubListCreateAttachDetachAPIView):
    model = Team
    serializer_class = TeamSerializer
    parent_model = Organization
@@ -175,7 +165,6 @@ class OrganizationTeamsList(SubListCreateAttachDetachAPIView):
 class OrganizationActivityStreamList(SubListAPIView):
    model = ActivityStream
    serializer_class = ActivityStreamSerializer
    parent_model = Organization
@@ -184,7 +173,6 @@ class OrganizationActivityStreamList(SubListAPIView):
 class OrganizationNotificationTemplatesList(SubListCreateAttachDetachAPIView):
    model = NotificationTemplate
    serializer_class = NotificationTemplateSerializer
    parent_model = Organization
@@ -193,34 +181,28 @@ class OrganizationNotificationTemplatesList(SubListCreateAttachDetachAPIView):
 class OrganizationNotificationTemplatesAnyList(SubListCreateAttachDetachAPIView):
    model = NotificationTemplate
    serializer_class = NotificationTemplateSerializer
    parent_model = Organization
 class OrganizationNotificationTemplatesStartedList(OrganizationNotificationTemplatesAnyList):
    relationship = 'notification_templates_started'
 class OrganizationNotificationTemplatesErrorList(OrganizationNotificationTemplatesAnyList):
    relationship = 'notification_templates_error'
 class OrganizationNotificationTemplatesSuccessList(OrganizationNotificationTemplatesAnyList):
    relationship = 'notification_templates_success'
 class OrganizationNotificationTemplatesApprovalList(OrganizationNotificationTemplatesAnyList):
    relationship = 'notification_templates_approvals'
 class OrganizationInstanceGroupsList(SubListAttachDetachAPIView):
    model = InstanceGroup
    serializer_class = InstanceGroupSerializer
    parent_model = Organization
@@ -228,7 +210,6 @@ class OrganizationInstanceGroupsList(SubListAttachDetachAPIView):
 class OrganizationGalaxyCredentialsList(SubListAttachDetachAPIView):
    model = Credential
    serializer_class = CredentialSerializer
    parent_model = Organization
@@ -240,13 +221,11 @@ class OrganizationGalaxyCredentialsList(SubListAttachDetachAPIView):
 class OrganizationAccessList(ResourceAccessList):
    model = User  # needs to be User for AccessLists's
    parent_model = Organization
 class OrganizationObjectRolesList(SubListAPIView):
    model = Role
    serializer_class = RoleSerializer
    parent_model = Organization
--- a/awx/api/views/root.py
+++ b/awx/api/views/root.py
@@ -36,7 +36,6 @@ logger = logging.getLogger('awx.api.views.root')
 class ApiRootView(APIView):
    permission_classes = (AllowAny,)
    name = _('REST API')
    versioning_class = None
@@ -59,7 +58,6 @@ class ApiRootView(APIView):
 class ApiOAuthAuthorizationRootView(APIView):
    permission_classes = (AllowAny,)
    name = _("API OAuth 2 Authorization Root")
    versioning_class = None
@@ -74,7 +72,6 @@ class ApiOAuthAuthorizationRootView(APIView):
 class ApiVersionRootView(APIView):
    permission_classes = (AllowAny,)
    swagger_topic = 'Versioning'
@@ -172,7 +169,6 @@ class ApiV2PingView(APIView):
 class ApiV2SubscriptionView(APIView):
    permission_classes = (IsAuthenticated,)
    name = _('Subscriptions')
    swagger_topic = 'System Configuration'
@@ -212,7 +208,6 @@ class ApiV2SubscriptionView(APIView):
 class ApiV2AttachView(APIView):
    permission_classes = (IsAuthenticated,)
    name = _('Attach Subscription')
    swagger_topic = 'System Configuration'
@@ -230,7 +225,6 @@ class ApiV2AttachView(APIView):
        user = getattr(settings, 'SUBSCRIPTIONS_USERNAME', None)
        pw = getattr(settings, 'SUBSCRIPTIONS_PASSWORD', None)
        if pool_id and user and pw:
            data = request.data.copy()
            try:
                with set_environ(**settings.AWX_TASK_ENV):
@@ -258,7 +252,6 @@ class ApiV2AttachView(APIView):
 class ApiV2ConfigView(APIView):
    permission_classes = (IsAuthenticated,)
    name = _('Configuration')
    swagger_topic = 'System Configuration'
--- a/awx/conf/apps.py
+++ b/awx/conf/apps.py
@@ -8,7 +8,6 @@ from django.utils.translation import gettext_lazy as _
 class ConfConfig(AppConfig):
    name = 'awx.conf'
    verbose_name = _('Configuration')
@@ -16,7 +15,6 @@ class ConfConfig(AppConfig):
        self.module.autodiscover()
        if not set(sys.argv) & {'migrate', 'check_migrations'}:
            from .settings import SettingsWrapper
            SettingsWrapper.initialize()
--- a/awx/conf/fields.py
+++ b/awx/conf/fields.py
@@ -47,7 +47,6 @@ class IntegerField(IntegerField):
 class StringListField(ListField):
    child = CharField()
    def to_representation(self, value):
@@ -57,7 +56,6 @@ class StringListField(ListField):
 class StringListBooleanField(ListField):
    default_error_messages = {'type_error': _('Expected None, True, False, a string or list of strings but got {input_type} instead.')}
    child = CharField()
@@ -96,7 +94,6 @@ class StringListBooleanField(ListField):
 class StringListPathField(StringListField):
    default_error_messages = {'type_error': _('Expected list of strings but got {input_type} instead.'), 'path_error': _('{path} is not a valid path choice.')}
    def to_internal_value(self, paths):
@@ -126,7 +123,6 @@ class StringListIsolatedPathField(StringListField):
    }
    def to_internal_value(self, paths):
        if isinstance(paths, (list, tuple)):
            for p in paths:
                if not isinstance(p, str):
--- a/awx/conf/migrations/0001_initial.py
+++ b/awx/conf/migrations/0001_initial.py
@@ -8,7 +8,6 @@ import awx.main.fields
 class Migration(migrations.Migration):
    dependencies = [migrations.swappable_dependency(settings.AUTH_USER_MODEL)]
    operations = [
--- a/awx/conf/migrations/0002_v310_copy_tower_settings.py
+++ b/awx/conf/migrations/0002_v310_copy_tower_settings.py
@@ -48,7 +48,6 @@ def revert_tower_settings(apps, schema_editor):
 class Migration(migrations.Migration):
    dependencies = [('conf', '0001_initial'), ('main', '0004_squashed_v310_release')]
    run_before = [('main', '0005_squashed_v310_v313_updates')]
--- a/awx/conf/migrations/0003_v310_JSONField_changes.py
+++ b/awx/conf/migrations/0003_v310_JSONField_changes.py
@@ -7,7 +7,6 @@ import awx.main.fields
 class Migration(migrations.Migration):
    dependencies = [('conf', '0002_v310_copy_tower_settings')]
    operations = [migrations.AlterField(model_name='setting', name='value', field=awx.main.fields.JSONBlob(null=True))]
--- a/awx/conf/migrations/0004_v320_reencrypt.py
+++ b/awx/conf/migrations/0004_v320_reencrypt.py
@@ -5,7 +5,6 @@ from django.db import migrations
 class Migration(migrations.Migration):
    dependencies = [('conf', '0003_v310_JSONField_changes')]
    operations = [
--- a/awx/conf/migrations/0005_v330_rename_two_session_settings.py
+++ b/awx/conf/migrations/0005_v330_rename_two_session_settings.py
@@ -15,7 +15,6 @@ def reverse_copy_session_settings(apps, schema_editor):
 class Migration(migrations.Migration):
    dependencies = [('conf', '0004_v320_reencrypt')]
    operations = [migrations.RunPython(copy_session_settings, reverse_copy_session_settings)]
--- a/awx/conf/migrations/0006_v331_ldap_group_type.py
+++ b/awx/conf/migrations/0006_v331_ldap_group_type.py
@@ -8,7 +8,6 @@ from django.db import migrations
 class Migration(migrations.Migration):
    dependencies = [('conf', '0005_v330_rename_two_session_settings')]
    operations = [migrations.RunPython(fill_ldap_group_type_params)]
--- a/awx/conf/migrations/0007_v380_rename_more_settings.py
+++ b/awx/conf/migrations/0007_v380_rename_more_settings.py
@@ -9,7 +9,6 @@ def copy_allowed_ips(apps, schema_editor):
 class Migration(migrations.Migration):
    dependencies = [('conf', '0006_v331_ldap_group_type')]
    operations = [migrations.RunPython(copy_allowed_ips)]
--- a/awx/conf/migrations/0008_subscriptions.py
+++ b/awx/conf/migrations/0008_subscriptions.py
@@ -14,7 +14,6 @@ def _noop(apps, schema_editor):
 class Migration(migrations.Migration):
    dependencies = [('conf', '0007_v380_rename_more_settings')]
    operations = [migrations.RunPython(clear_old_license, _noop), migrations.RunPython(prefill_rh_credentials, _noop)]
--- a/awx/conf/migrations/0009_rename_proot_settings.py
+++ b/awx/conf/migrations/0009_rename_proot_settings.py
@@ -10,7 +10,6 @@ def rename_proot_settings(apps, schema_editor):
 class Migration(migrations.Migration):
    dependencies = [('conf', '0008_subscriptions')]
    operations = [migrations.RunPython(rename_proot_settings)]
--- a/awx/conf/migrations/_rename_setting.py
+++ b/awx/conf/migrations/_rename_setting.py
@@ -10,7 +10,6 @@ __all__ = ['rename_setting']
 def rename_setting(apps, schema_editor, old_key, new_key):
    old_setting = None
    Setting = apps.get_model('conf', 'Setting')
    if Setting.objects.filter(key=new_key).exists() or hasattr(settings, new_key):
--- a/awx/conf/models.py
+++ b/awx/conf/models.py
@@ -17,7 +17,6 @@ __all__ = ['Setting']
 class Setting(CreatedModifiedModel):
    key = models.CharField(max_length=255)
    value = JSONBlob(null=True)
    user = prevent_search(models.ForeignKey('auth.User', related_name='settings', default=None, null=True, editable=False, on_delete=models.CASCADE))
--- a/awx/conf/settings.py
+++ b/awx/conf/settings.py
@@ -80,7 +80,7 @@ def _ctit_db_wrapper(trans_safe=False):
        yield
    except DBError as exc:
        if trans_safe:
-            level = logger.exception
+            level = logger.warning
            if isinstance(exc, ProgrammingError):
                if 'relation' in str(exc) and 'does not exist' in str(exc):
                    # this generally means we can't fetch Tower configuration
@@ -89,7 +89,7 @@ def _ctit_db_wrapper(trans_safe=False):
                    # has come up *before* the database has finished migrating, and
                    # especially that the conf.settings table doesn't exist yet
                    level = logger.debug
-            level('Database settings are not available, using defaults.')
+            level(f'Database settings are not available, using defaults. error: {str(exc)}')
        else:
            logger.exception('Error modifying something related to database settings.')
    finally:
@@ -104,7 +104,6 @@ def filter_sensitive(registry, key, value):
 class TransientSetting(object):
    __slots__ = ('pk', 'value')
    def __init__(self, pk, value):
--- a/awx/conf/tests/unit/test_fields.py
+++ b/awx/conf/tests/unit/test_fields.py
@@ -5,7 +5,6 @@ from awx.conf.fields import StringListBooleanField, StringListPathField, ListTup
 class TestStringListBooleanField:
    FIELD_VALUES = [
        ("hello", "hello"),
        (("a", "b"), ["a", "b"]),
@@ -53,7 +52,6 @@ class TestStringListBooleanField:
 class TestListTuplesField:
    FIELD_VALUES = [([('a', 'b'), ('abc', '123')], [("a", "b"), ("abc", "123")])]
    FIELD_VALUES_INVALID = [("abc", type("abc")), ([('a', 'b', 'c'), ('abc', '123', '456')], type(('a',))), (['a', 'b'], type('a')), (123, type(123))]
@@ -73,7 +71,6 @@ class TestListTuplesField:
 class TestStringListPathField:
    FIELD_VALUES = [
        ((".", "..", "/"), [".", "..", "/"]),
        (("/home",), ["/home"]),
--- a/awx/conf/views.py
+++ b/awx/conf/views.py
@@ -36,7 +36,6 @@ SettingCategory = collections.namedtuple('SettingCategory', ('url', 'slug', 'nam
 class SettingCategoryList(ListAPIView):
    model = Setting  # Not exactly, but needed for the view.
    serializer_class = SettingCategorySerializer
    filter_backends = []
@@ -58,7 +57,6 @@ class SettingCategoryList(ListAPIView):
 class SettingSingletonDetail(RetrieveUpdateDestroyAPIView):
    model = Setting  # Not exactly, but needed for the view.
    serializer_class = SettingSingletonSerializer
    filter_backends = []
@@ -146,7 +144,6 @@ class SettingSingletonDetail(RetrieveUpdateDestroyAPIView):
 class SettingLoggingTest(GenericAPIView):
    name = _('Logging Connectivity Test')
    model = Setting
    serializer_class = SettingSingletonSerializer
--- a/awx/locale/es/LC_MESSAGES/django.po
+++ b/awx/locale/es/LC_MESSAGES/django.po
@@ -6237,4 +6237,5 @@ msgstr "%s se está actualizando."
 #: awx/ui/urls.py:24
 msgid "This page will refresh when complete."
-msgstr "Esta página se actualizará cuando se complete."
+msgstr "Esta página se actualizará cuando se complete."
--- a/awx/locale/fr/LC_MESSAGES/django.po
+++ b/awx/locale/fr/LC_MESSAGES/django.po
@@ -721,7 +721,7 @@ msgstr "DTSTART valide obligatoire dans rrule. La valeur doit commencer par : DT
 #: awx/api/serializers.py:4657
 msgid ""
 "DTSTART cannot be a naive datetime.  Specify ;TZINFO= or YYYYMMDDTHHMMSSZZ."
-msgstr "DTSTART ne peut correspondre à une DateHeure naïve. Spécifier ;TZINFO= ou YYYYMMDDTHHMMSSZZ."
+msgstr "DTSTART ne peut correspondre à une date-heure naïve. Spécifier ;TZINFO= ou YYYYMMDDTHHMMSSZZ."
 #: awx/api/serializers.py:4659
 msgid "Multiple DTSTART is not supported."
@@ -6239,4 +6239,5 @@ msgstr "%s est en cours de mise à niveau."
 #: awx/ui/urls.py:24
 msgid "This page will refresh when complete."
-msgstr "Cette page sera rafraîchie une fois terminée."
+msgstr "Cette page sera rafraîchie une fois terminée."
--- a/awx/locale/ja/LC_MESSAGES/django.po
+++ b/awx/locale/ja/LC_MESSAGES/django.po
@@ -1440,7 +1440,7 @@ msgstr "指定した認証情報は無効 (HTTP 401) です。"
 #: awx/api/views/root.py:193 awx/api/views/root.py:234
 msgid "Unable to connect to proxy server."
-msgstr "プロキシサーバーに接続できません。"
+msgstr "プロキシーサーバーに接続できません。"
 #: awx/api/views/root.py:195 awx/api/views/root.py:236
 msgid "Could not connect to subscription service."
@@ -1976,7 +1976,7 @@ msgstr "リモートホスト名または IP を判別するために検索す
 #: awx/main/conf.py:85
 msgid "Proxy IP Allowed List"
-msgstr "プロキシ IP 許可リスト"
+msgstr "プロキシー IP 許可リスト"
 #: awx/main/conf.py:87
 msgid ""
@@ -2198,7 +2198,7 @@ msgid ""
 "Follow symbolic links when scanning for playbooks. Be aware that setting "
 "this to True can lead to infinite recursion if a link points to a parent "
 "directory of itself."
-msgstr "Playbook をスキャンするときは、シンボリックリンクをたどってください。リンクがそれ自体の親ディレクトリーを指している場合は、これを True に設定すると、無限再帰が発生する可能性があることに注意してください。"
+msgstr "Playbook のスキャン時にシンボリックリンクをたどります。リンクが親ディレクトリーを参照している場合には、この設定を True に指定すると無限再帰が発生する可能性があります。"
 #: awx/main/conf.py:337
 msgid "Ignore Ansible Galaxy SSL Certificate Verification"
@@ -2499,7 +2499,7 @@ msgstr "Insights for Ansible Automation Platform の最終収集日。"
 msgid ""
 "Last gathered entries for expensive collectors for Insights for Ansible "
 "Automation Platform."
-msgstr "Insights for Ansible Automation Platform の高価なコレクターの最後に収集されたエントリー。"
+msgstr "Insights for Ansible Automation Platform でコストがかかっているコレクターに関して最後に収集されたエントリー"
 #: awx/main/conf.py:686
 msgid "Insights for Ansible Automation Platform Gather Interval"
@@ -3692,7 +3692,7 @@ msgstr "タスクの開始"
 #: awx/main/models/events.py:189
 msgid "Variables Prompted"
-msgstr "変数のプロモート"
+msgstr "提示される変数"
 #: awx/main/models/events.py:190
 msgid "Gathering Facts"
@@ -3741,15 +3741,15 @@ msgstr "エラー"
 #: awx/main/models/execution_environments.py:17
 msgid "Always pull container before running."
-msgstr "実行前に必ずコンテナーをプルしてください。"
+msgstr "実行前に必ずコンテナーをプルする"
 #: awx/main/models/execution_environments.py:18
 msgid "Only pull the image if not present before running."
-msgstr "実行する前に、存在しない場合にのみイメージをプルしてください。"
+msgstr "イメージが存在しない場合のみ実行前にプルする"
 #: awx/main/models/execution_environments.py:19
 msgid "Never pull container before running."
-msgstr "実行前にコンテナーをプルしないでください。"
+msgstr "実行前にコンテナーをプルしない"
 #: awx/main/models/execution_environments.py:29
 msgid ""
@@ -5228,7 +5228,7 @@ msgid ""
 "SSL) or \"ldaps://ldap.example.com:636\" (SSL). Multiple LDAP servers may be "
 "specified by separating with spaces or commas. LDAP authentication is "
 "disabled if this parameter is empty."
-msgstr "\"ldap://ldap.example.com:389\" (非 SSL) または \"ldaps://ldap.example.com:636\" (SSL) などの LDAP サーバーに接続する URI です。複数の LDAP サーバーをスペースまたはカンマで区切って指定できます。LDAP 認証は、このパラメーターが空の場合は無効になります。"
+msgstr "\"ldap://ldap.example.com:389\" (非 SSL) または \"ldaps://ldap.example.com:636\" (SSL) などの LDAP サーバーに接続する URI です。複数の LDAP サーバーをスペースまたはコンマで区切って指定できます。LDAP 認証は、このパラメーターが空の場合は無効になります。"
 #: awx/sso/conf.py:170 awx/sso/conf.py:187 awx/sso/conf.py:198
 #: awx/sso/conf.py:209 awx/sso/conf.py:226 awx/sso/conf.py:244
@@ -6236,4 +6236,5 @@ msgstr "%s が現在アップグレード中です。"
 #: awx/ui/urls.py:24
 msgid "This page will refresh when complete."
-msgstr "このページは完了すると更新されます。"
+msgstr "このページは完了すると更新されます。"
--- a/awx/locale/ko/LC_MESSAGES/django.po
+++ b/awx/locale/ko/LC_MESSAGES/django.po
@@ -956,7 +956,7 @@ msgstr "인스턴스 그룹의 인스턴스"
 #: awx/api/views/__init__.py:450
 msgid "Schedules"
-msgstr "일정"
+msgstr "스케줄"
 #: awx/api/views/__init__.py:464
 msgid "Schedule Recurrence Rule Preview"
@@ -3261,7 +3261,7 @@ msgstr "JSON 또는 YAML 구문을 사용하여 인젝터를 입력합니다.
 #: awx/main/models/credential/__init__.py:412
 #, python-format
 msgid "adding %s credential type"
-msgstr "인증 정보 유형 %s 추가 중"
+msgstr "인증 정보 유형  %s 추가 중"
 #: awx/main/models/credential/__init__.py:590
 #: awx/main/models/credential/__init__.py:672
@@ -6236,4 +6236,5 @@ msgstr "%s 현재 업그레이드 중입니다."
 #: awx/ui/urls.py:24
 msgid "This page will refresh when complete."
-msgstr "완료되면 이 페이지가 새로 고침됩니다."
+msgstr "완료되면 이 페이지가 새로 고침됩니다."
--- a/awx/locale/nl/LC_MESSAGES/django.po
+++ b/awx/locale/nl/LC_MESSAGES/django.po
@@ -6237,4 +6237,5 @@ msgstr "Er wordt momenteel een upgrade van%s geïnstalleerd."
 #: awx/ui/urls.py:24
 msgid "This page will refresh when complete."
-msgstr "Deze pagina wordt vernieuwd als hij klaar is."
+msgstr "Deze pagina wordt vernieuwd als hij klaar is."
--- a/awx/locale/zh/LC_MESSAGES/django.po
+++ b/awx/locale/zh/LC_MESSAGES/django.po
@@ -348,7 +348,7 @@ msgstr "SCM track_submodules 只能用于 git 项目。"
 msgid ""
 "Only Container Registry credentials can be associated with an Execution "
 "Environment"
-msgstr "只有容器 registry 凭证可以与执行环境关联"
+msgstr "只有容器注册表凭证才可以与执行环境关联"
 #: awx/api/serializers.py:1440
 msgid "Cannot change the organization of an execution environment"
@@ -629,7 +629,7 @@ msgstr "不支持在不替换的情况下在启动时删除 {} 凭证。提供
 #: awx/api/serializers.py:4338
 msgid "The inventory associated with this Workflow is being deleted."
-msgstr "与此 Workflow 关联的清单将被删除。"
+msgstr "与此工作流关联的清单将被删除。"
 #: awx/api/serializers.py:4405
 msgid "Message type '{}' invalid, must be either 'message' or 'body'"
@@ -3229,7 +3229,7 @@ msgstr "云"
 #: awx/main/models/credential/__init__.py:336
 #: awx/main/models/credential/__init__.py:1113
 msgid "Container Registry"
-msgstr "容器 Registry"
+msgstr "容器注册表"
 #: awx/main/models/credential/__init__.py:337
 msgid "Personal Access Token"
@@ -3560,7 +3560,7 @@ msgstr "身份验证 URL"
 #: awx/main/models/credential/__init__.py:1120
 msgid "Authentication endpoint for the container registry."
-msgstr "容器 registry 的身份验证端点。"
+msgstr "容器注册表的身份验证端点。"
 #: awx/main/models/credential/__init__.py:1130
 msgid "Password or Token"
@@ -3764,7 +3764,7 @@ msgstr "镜像位置"
 msgid ""
 "The full image location, including the container registry, image name, and "
 "version tag."
-msgstr "完整镜像位置，包括容器 registry、镜像名称和版本标签。"
+msgstr "完整镜像位置，包括容器注册表、镜像名称和版本标签。"
 #: awx/main/models/execution_environments.py:51
 msgid "Pull image before running?"
@@ -6238,4 +6238,5 @@ msgstr "%s 当前正在升级。"
 #: awx/ui/urls.py:24
 msgid "This page will refresh when complete."
-msgstr "完成后，此页面会刷新。"
+msgstr "完成后，此页面会刷新。"
--- a/awx/main/access.py
+++ b/awx/main/access.py
@@ -12,7 +12,7 @@ from django.conf import settings
 from django.db.models import Q, Prefetch
 from django.contrib.auth.models import User
 from django.utils.translation import gettext_lazy as _
-from django.core.exceptions import ObjectDoesNotExist
+from django.core.exceptions import ObjectDoesNotExist, FieldDoesNotExist
 # Django REST Framework
 from rest_framework.exceptions import ParseError, PermissionDenied
@@ -281,13 +281,23 @@ class BaseAccess(object):
        """
        return True
    def assure_relationship_exists(self, obj, relationship):
        if '.' in relationship:
            return  # not attempting validation for complex relationships now
        try:
            obj._meta.get_field(relationship)
        except FieldDoesNotExist:
            raise NotImplementedError(f'The relationship {relationship} does not exist for model {type(obj)}')
    def can_attach(self, obj, sub_obj, relationship, data, skip_sub_obj_read_check=False):
        self.assure_relationship_exists(obj, relationship)
        if skip_sub_obj_read_check:
            return self.can_change(obj, None)
        else:
            return bool(self.can_change(obj, None) and self.user.can_access(type(sub_obj), 'read', sub_obj))
    def can_unattach(self, obj, sub_obj, relationship, data=None):
        self.assure_relationship_exists(obj, relationship)
        return self.can_change(obj, data)
    def check_related(self, field, Model, data, role_field='admin_role', obj=None, mandatory=False):
@@ -328,6 +338,8 @@ class BaseAccess(object):
            role = getattr(resource, role_field, None)
            if role is None:
                # Handle special case where resource does not have direct roles
                if role_field == 'read_role':
                    return self.user.can_access(type(resource), 'read', resource)
                access_method_type = {'admin_role': 'change', 'execute_role': 'start'}[role_field]
                return self.user.can_access(type(resource), access_method_type, resource, None)
            return self.user in role
@@ -499,6 +511,21 @@ class BaseAccess(object):
        return False
 class UnifiedCredentialsMixin(BaseAccess):
    """
    The credentials many-to-many is a standard relationship for JT, jobs, and others
    Permission to attach is always use permission, and permission to unattach is admin to the parent object
    """
    @check_superuser
    def can_attach(self, obj, sub_obj, relationship, data, skip_sub_obj_read_check=False):
        if relationship == 'credentials':
            if not isinstance(sub_obj, Credential):
                raise RuntimeError(f'Can only attach credentials to credentials relationship, got {type(sub_obj)}')
            return self.can_change(obj, None) and (self.user in sub_obj.use_role)
        return super().can_attach(obj, sub_obj, relationship, data, skip_sub_obj_read_check=skip_sub_obj_read_check)
 class NotificationAttachMixin(BaseAccess):
    """For models that can have notifications attached
@@ -534,7 +561,6 @@ class NotificationAttachMixin(BaseAccess):
 class InstanceAccess(BaseAccess):
    model = Instance
    prefetch_related = ('rampart_groups',)
@@ -552,7 +578,7 @@ class InstanceAccess(BaseAccess):
        return super(InstanceAccess, self).can_unattach(obj, sub_obj, relationship, relationship, data=data)
    def can_add(self, data):
-        return False
+        return self.user.is_superuser
    def can_change(self, obj, data):
        return False
@@ -562,7 +588,6 @@ class InstanceAccess(BaseAccess):
 class InstanceGroupAccess(BaseAccess):
    model = InstanceGroup
    prefetch_related = ('instances',)
@@ -965,9 +990,6 @@ class HostAccess(BaseAccess):
        if data and 'name' in data:
            self.check_license(add_host_name=data['name'])
            # Check the per-org limit
            self.check_org_host_limit({'inventory': obj.inventory}, add_host_name=data['name'])
        # Checks for admin or change permission on inventory, controls whether
        # the user can edit variable data.
        return obj and self.user in obj.inventory.admin_role
@@ -1005,7 +1027,9 @@ class GroupAccess(BaseAccess):
        return Group.objects.filter(inventory__in=Inventory.accessible_pk_qs(self.user, 'read_role'))
    def can_add(self, data):
-        if not data or 'inventory' not in data:
+        if not data:  # So the browseable API will work
            return Inventory.accessible_objects(self.user, 'admin_role').exists()
        if 'inventory' not in data:
            return False
        # Checks for admin or change permission on inventory.
        return self.check_related('inventory', Inventory, data)
@@ -1031,7 +1055,7 @@ class GroupAccess(BaseAccess):
        return bool(obj and self.user in obj.inventory.admin_role)
-class InventorySourceAccess(NotificationAttachMixin, BaseAccess):
+class InventorySourceAccess(NotificationAttachMixin, UnifiedCredentialsMixin, BaseAccess):
    """
    I can see inventory sources whenever I can see their inventory.
    I can change inventory sources whenever I can change their inventory.
@@ -1075,18 +1099,6 @@ class InventorySourceAccess(NotificationAttachMixin, BaseAccess):
            return self.user in obj.inventory.update_role
        return False
    @check_superuser
    def can_attach(self, obj, sub_obj, relationship, data, skip_sub_obj_read_check=False):
        if relationship == 'credentials' and isinstance(sub_obj, Credential):
            return obj and obj.inventory and self.user in obj.inventory.admin_role and self.user in sub_obj.use_role
        return super(InventorySourceAccess, self).can_attach(obj, sub_obj, relationship, data, skip_sub_obj_read_check=skip_sub_obj_read_check)
    @check_superuser
    def can_unattach(self, obj, sub_obj, relationship, *args, **kwargs):
        if relationship == 'credentials' and isinstance(sub_obj, Credential):
            return obj and obj.inventory and self.user in obj.inventory.admin_role
        return super(InventorySourceAccess, self).can_attach(obj, sub_obj, relationship, *args, **kwargs)
 class InventoryUpdateAccess(BaseAccess):
    """
@@ -1485,7 +1497,7 @@ class ProjectUpdateAccess(BaseAccess):
        return obj and self.user in obj.project.admin_role
-class JobTemplateAccess(NotificationAttachMixin, BaseAccess):
+class JobTemplateAccess(NotificationAttachMixin, UnifiedCredentialsMixin, BaseAccess):
    """
    I can see job templates when:
     - I have read role for the job template.
@@ -1549,8 +1561,7 @@ class JobTemplateAccess(NotificationAttachMixin, BaseAccess):
            if self.user not in inventory.use_role:
                return False
-        ee = get_value(ExecutionEnvironment, 'execution_environment')
+        if not self.check_related('execution_environment', ExecutionEnvironment, data, role_field='read_role'):
        if ee and not self.user.can_access(ExecutionEnvironment, 'read', ee):
            return False
        project = get_value(Project, 'project')
@@ -1600,10 +1611,8 @@ class JobTemplateAccess(NotificationAttachMixin, BaseAccess):
        if self.changes_are_non_sensitive(obj, data):
            return True
-        if data.get('execution_environment'):
+        if not self.check_related('execution_environment', ExecutionEnvironment, data, obj=obj, role_field='read_role'):
-            ee = get_object_from_data('execution_environment', ExecutionEnvironment, data)
+            return False
            if not self.user.can_access(ExecutionEnvironment, 'read', ee):
                return False
        for required_field, cls in (('inventory', Inventory), ('project', Project)):
            is_mandatory = True
@@ -1667,17 +1676,13 @@ class JobTemplateAccess(NotificationAttachMixin, BaseAccess):
            if not obj.organization:
                return False
            return self.user.can_access(type(sub_obj), "read", sub_obj) and self.user in obj.organization.admin_role
        if relationship == 'credentials' and isinstance(sub_obj, Credential):
            return self.user in obj.admin_role and self.user in sub_obj.use_role
        return super(JobTemplateAccess, self).can_attach(obj, sub_obj, relationship, data, skip_sub_obj_read_check=skip_sub_obj_read_check)
    @check_superuser
    def can_unattach(self, obj, sub_obj, relationship, *args, **kwargs):
        if relationship == "instance_groups":
            return self.can_attach(obj, sub_obj, relationship, *args, **kwargs)
-        if relationship == 'credentials' and isinstance(sub_obj, Credential):
+        return super(JobTemplateAccess, self).can_unattach(obj, sub_obj, relationship, *args, **kwargs)
            return self.user in obj.admin_role
        return super(JobTemplateAccess, self).can_attach(obj, sub_obj, relationship, *args, **kwargs)
 class JobAccess(BaseAccess):
@@ -1824,7 +1829,7 @@ class SystemJobAccess(BaseAccess):
        return False  # no relaunching of system jobs
-class JobLaunchConfigAccess(BaseAccess):
+class JobLaunchConfigAccess(UnifiedCredentialsMixin, BaseAccess):
    """
    Launch configs must have permissions checked for
     - relaunching
@@ -1832,63 +1837,69 @@ class JobLaunchConfigAccess(BaseAccess):
    In order to create a new object with a copy of this launch config, I need:
     - use access to related inventory (if present)
     - read access to Execution Environment (if present), unless the specified ee is already in the template
     - use role to many-related credentials (if any present)
     - read access to many-related labels (if any present), unless the specified label is already in the template
     - read access to many-related instance groups (if any present), unless the specified instance group is already in the template
    """
    model = JobLaunchConfig
    select_related = 'job'
    prefetch_related = ('credentials', 'inventory')
-    def _unusable_creds_exist(self, qs):
+    M2M_CHECKS = {'credentials': Credential, 'labels': Label, 'instance_groups': InstanceGroup}
        return qs.exclude(pk__in=Credential._accessible_pk_qs(Credential, self.user, 'use_role')).exists()
-    def has_credentials_access(self, obj):
+    def _related_filtered_queryset(self, cls):
-        # user has access if no related credentials exist that the user lacks use role for
+        if cls is Label:
-        return not self._unusable_creds_exist(obj.credentials)
+            return LabelAccess(self.user).filtered_queryset()
        elif cls is InstanceGroup:
            return InstanceGroupAccess(self.user).filtered_queryset()
        else:
            return cls._accessible_pk_qs(cls, self.user, 'use_role')
    def has_obj_m2m_access(self, obj):
        for relationship, cls in self.M2M_CHECKS.items():
            if getattr(obj, relationship).exclude(pk__in=self._related_filtered_queryset(cls)).exists():
                return False
        return True
    @check_superuser
    def can_add(self, data, template=None):
        # This is a special case, we don't check related many-to-many elsewhere
        # launch RBAC checks use this
-        if 'credentials' in data and data['credentials'] or 'reference_obj' in data:
+        if 'reference_obj' in data:
-            if 'reference_obj' in data:
+            if not self.has_obj_m2m_access(data['reference_obj']):
                prompted_cred_qs = data['reference_obj'].credentials.all()
            else:
                # If given model objects, only use the primary key from them
                cred_pks = [cred.pk for cred in data['credentials']]
                if template:
                    for cred in template.credentials.all():
                        if cred.pk in cred_pks:
                            cred_pks.remove(cred.pk)
                prompted_cred_qs = Credential.objects.filter(pk__in=cred_pks)
            if self._unusable_creds_exist(prompted_cred_qs):
                return False
-        return self.check_related('inventory', Inventory, data, role_field='use_role')
+        else:
            for relationship, cls in self.M2M_CHECKS.items():
                if relationship in data and data[relationship]:
                    # If given model objects, only use the primary key from them
                    sub_obj_pks = [sub_obj.pk for sub_obj in data[relationship]]
                    if template:
                        for sub_obj in getattr(template, relationship).all():
                            if sub_obj.pk in sub_obj_pks:
                                sub_obj_pks.remove(sub_obj.pk)
                    if cls.objects.filter(pk__in=sub_obj_pks).exclude(pk__in=self._related_filtered_queryset(cls)).exists():
                        return False
        return self.check_related('inventory', Inventory, data, role_field='use_role') and self.check_related(
            'execution_environment', ExecutionEnvironment, data, role_field='read_role'
        )
    @check_superuser
    def can_use(self, obj):
-        return self.check_related('inventory', Inventory, {}, obj=obj, role_field='use_role', mandatory=True) and self.has_credentials_access(obj)
+        return (
            self.has_obj_m2m_access(obj)
            and self.check_related('inventory', Inventory, {}, obj=obj, role_field='use_role', mandatory=True)
            and self.check_related('execution_environment', ExecutionEnvironment, {}, obj=obj, role_field='read_role')
        )
    def can_change(self, obj, data):
-        return self.check_related('inventory', Inventory, data, obj=obj, role_field='use_role')
+        return self.check_related('inventory', Inventory, data, obj=obj, role_field='use_role') and self.check_related(
-
+            'execution_environment', ExecutionEnvironment, data, obj=obj, role_field='read_role'
-    def can_attach(self, obj, sub_obj, relationship, data, skip_sub_obj_read_check=False):
+        )
        if isinstance(sub_obj, Credential) and relationship == 'credentials':
            return self.user in sub_obj.use_role
        else:
            raise NotImplementedError('Only credentials can be attached to launch configurations.')
    def can_unattach(self, obj, sub_obj, relationship, data, skip_sub_obj_read_check=False):
        if isinstance(sub_obj, Credential) and relationship == 'credentials':
            if skip_sub_obj_read_check:
                return True
            else:
                return self.user in sub_obj.read_role
        else:
            raise NotImplementedError('Only credentials can be attached to launch configurations.')
-class WorkflowJobTemplateNodeAccess(BaseAccess):
+class WorkflowJobTemplateNodeAccess(UnifiedCredentialsMixin, BaseAccess):
    """
    I can see/use a WorkflowJobTemplateNode if I have read permission
        to associated Workflow Job Template
@@ -1911,7 +1922,7 @@ class WorkflowJobTemplateNodeAccess(BaseAccess):
    """
    model = WorkflowJobTemplateNode
-    prefetch_related = ('success_nodes', 'failure_nodes', 'always_nodes', 'unified_job_template', 'credentials', 'workflow_job_template')
+    prefetch_related = ('success_nodes', 'failure_nodes', 'always_nodes', 'unified_job_template', 'workflow_job_template')
    def filtered_queryset(self):
        return self.model.objects.filter(workflow_job_template__in=WorkflowJobTemplate.accessible_objects(self.user, 'read_role'))
@@ -1923,7 +1934,8 @@ class WorkflowJobTemplateNodeAccess(BaseAccess):
        return (
            self.check_related('workflow_job_template', WorkflowJobTemplate, data, mandatory=True)
            and self.check_related('unified_job_template', UnifiedJobTemplate, data, role_field='execute_role')
-            and JobLaunchConfigAccess(self.user).can_add(data)
+            and self.check_related('inventory', Inventory, data, role_field='use_role')
            and self.check_related('execution_environment', ExecutionEnvironment, data, role_field='read_role')
        )
    def wfjt_admin(self, obj):
@@ -1932,17 +1944,14 @@ class WorkflowJobTemplateNodeAccess(BaseAccess):
        else:
            return self.user in obj.workflow_job_template.admin_role
-    def ujt_execute(self, obj):
+    def ujt_execute(self, obj, data=None):
        if not obj.unified_job_template:
            return True
-        return self.check_related('unified_job_template', UnifiedJobTemplate, {}, obj=obj, role_field='execute_role', mandatory=True)
+        return self.check_related('unified_job_template', UnifiedJobTemplate, data, obj=obj, role_field='execute_role', mandatory=True)
    def can_change(self, obj, data):
        if not data:
            return True
        # should not be able to edit the prompts if lacking access to UJT or WFJT
-        return self.ujt_execute(obj) and self.wfjt_admin(obj) and JobLaunchConfigAccess(self.user).can_change(obj, data)
+        return self.ujt_execute(obj, data=data) and self.wfjt_admin(obj) and JobLaunchConfigAccess(self.user).can_change(obj, data)
    def can_delete(self, obj):
        return self.wfjt_admin(obj)
@@ -1955,29 +1964,14 @@ class WorkflowJobTemplateNodeAccess(BaseAccess):
        return True
    def can_attach(self, obj, sub_obj, relationship, data, skip_sub_obj_read_check=False):
-        if not self.wfjt_admin(obj):
+        if relationship in ('success_nodes', 'failure_nodes', 'always_nodes'):
-            return False
+            return self.wfjt_admin(obj) and self.check_same_WFJT(obj, sub_obj)
-        if relationship == 'credentials':
+        return super().can_attach(obj, sub_obj, relationship, data, skip_sub_obj_read_check=skip_sub_obj_read_check)
            # Need permission to related template to attach a credential
            if not self.ujt_execute(obj):
                return False
            return JobLaunchConfigAccess(self.user).can_attach(obj, sub_obj, relationship, data, skip_sub_obj_read_check=skip_sub_obj_read_check)
        elif relationship in ('success_nodes', 'failure_nodes', 'always_nodes'):
            return self.check_same_WFJT(obj, sub_obj)
        else:
            raise NotImplementedError('Relationship {} not understood for WFJT nodes.'.format(relationship))
-    def can_unattach(self, obj, sub_obj, relationship, data, skip_sub_obj_read_check=False):
+    def can_unattach(self, obj, sub_obj, relationship, data=None):
-        if not self.wfjt_admin(obj):
+        if relationship in ('success_nodes', 'failure_nodes', 'always_nodes'):
-            return False
+            return self.wfjt_admin(obj)
-        if relationship == 'credentials':
+        return super().can_unattach(obj, sub_obj, relationship, data=None)
            if not self.ujt_execute(obj):
                return False
            return JobLaunchConfigAccess(self.user).can_unattach(obj, sub_obj, relationship, data, skip_sub_obj_read_check=skip_sub_obj_read_check)
        elif relationship in ('success_nodes', 'failure_nodes', 'always_nodes'):
            return self.check_same_WFJT(obj, sub_obj)
        else:
            raise NotImplementedError('Relationship {} not understood for WFJT nodes.'.format(relationship))
 class WorkflowJobNodeAccess(BaseAccess):
@@ -2052,13 +2046,10 @@ class WorkflowJobTemplateAccess(NotificationAttachMixin, BaseAccess):
        if not data:  # So the browseable API will work
            return Organization.accessible_objects(self.user, 'workflow_admin_role').exists()
-        if data.get('execution_environment'):
+        return bool(
-            ee = get_object_from_data('execution_environment', ExecutionEnvironment, data)
+            self.check_related('organization', Organization, data, role_field='workflow_admin_role', mandatory=True)
-            if not self.user.can_access(ExecutionEnvironment, 'read', ee):
+            and self.check_related('inventory', Inventory, data, role_field='use_role')
-                return False
+            and self.check_related('execution_environment', ExecutionEnvironment, data, role_field='read_role')
        return self.check_related('organization', Organization, data, role_field='workflow_admin_role', mandatory=True) and self.check_related(
            'inventory', Inventory, data, role_field='use_role'
        )
    def can_copy(self, obj):
@@ -2104,14 +2095,10 @@ class WorkflowJobTemplateAccess(NotificationAttachMixin, BaseAccess):
        if self.user.is_superuser:
            return True
        if data and data.get('execution_environment'):
            ee = get_object_from_data('execution_environment', ExecutionEnvironment, data)
            if not self.user.can_access(ExecutionEnvironment, 'read', ee):
                return False
        return (
            self.check_related('organization', Organization, data, role_field='workflow_admin_role', obj=obj)
            and self.check_related('inventory', Inventory, data, role_field='use_role', obj=obj)
            and self.check_related('execution_environment', ExecutionEnvironment, data, obj=obj, role_field='read_role')
            and self.user in obj.admin_role
        )
@@ -2364,7 +2351,6 @@ class JobEventAccess(BaseAccess):
 class UnpartitionedJobEventAccess(JobEventAccess):
    model = UnpartitionedJobEvent
@@ -2518,7 +2504,7 @@ class UnifiedJobAccess(BaseAccess):
        return super(UnifiedJobAccess, self).get_queryset().filter(workflowapproval__isnull=True)
-class ScheduleAccess(BaseAccess):
+class ScheduleAccess(UnifiedCredentialsMixin, BaseAccess):
    """
    I can see a schedule if I can see it's related unified job, I can create them or update them if I have write access
    """
@@ -2559,12 +2545,6 @@ class ScheduleAccess(BaseAccess):
    def can_delete(self, obj):
        return self.can_change(obj, {})
    def can_attach(self, obj, sub_obj, relationship, data, skip_sub_obj_read_check=False):
        return JobLaunchConfigAccess(self.user).can_attach(obj, sub_obj, relationship, data, skip_sub_obj_read_check=skip_sub_obj_read_check)
    def can_unattach(self, obj, sub_obj, relationship, data, skip_sub_obj_read_check=False):
        return JobLaunchConfigAccess(self.user).can_unattach(obj, sub_obj, relationship, data, skip_sub_obj_read_check=skip_sub_obj_read_check)
 class NotificationTemplateAccess(BaseAccess):
    """
@@ -2715,46 +2695,66 @@ class ActivityStreamAccess(BaseAccess):
        # 'job_template', 'job', 'project', 'project_update', 'workflow_job',
        # 'inventory_source', 'workflow_job_template'
-        inventory_set = Inventory.accessible_objects(self.user, 'read_role')
+        q = Q(user=self.user)
-        credential_set = Credential.accessible_objects(self.user, 'read_role')
+        inventory_set = Inventory.accessible_pk_qs(self.user, 'read_role')
        if inventory_set:
            q |= (
                Q(ad_hoc_command__inventory__in=inventory_set)
                | Q(inventory__in=inventory_set)
                | Q(host__inventory__in=inventory_set)
                | Q(group__inventory__in=inventory_set)
                | Q(inventory_source__inventory__in=inventory_set)
                | Q(inventory_update__inventory_source__inventory__in=inventory_set)
            )
        credential_set = Credential.accessible_pk_qs(self.user, 'read_role')
        if credential_set:
            q |= Q(credential__in=credential_set)
        auditing_orgs = (
            (Organization.accessible_objects(self.user, 'admin_role') | Organization.accessible_objects(self.user, 'auditor_role'))
            .distinct()
            .values_list('id', flat=True)
        )
-        project_set = Project.accessible_objects(self.user, 'read_role')
+        if auditing_orgs:
-        jt_set = JobTemplate.accessible_objects(self.user, 'read_role')
+            q |= (
-        team_set = Team.accessible_objects(self.user, 'read_role')
+                Q(user__in=auditing_orgs.values('member_role__members'))
-        wfjt_set = WorkflowJobTemplate.accessible_objects(self.user, 'read_role')
+                | Q(organization__in=auditing_orgs)
-        app_set = OAuth2ApplicationAccess(self.user).filtered_queryset()
+                | Q(notification_template__organization__in=auditing_orgs)
-        token_set = OAuth2TokenAccess(self.user).filtered_queryset()
+                | Q(notification__notification_template__organization__in=auditing_orgs)
                | Q(label__organization__in=auditing_orgs)
                | Q(role__in=Role.objects.filter(ancestors__in=self.user.roles.all()) if auditing_orgs else [])
            )
-        return qs.filter(
+        project_set = Project.accessible_pk_qs(self.user, 'read_role')
-            Q(ad_hoc_command__inventory__in=inventory_set)
+        if project_set:
-            | Q(o_auth2_application__in=app_set)
+            q |= Q(project__in=project_set) | Q(project_update__project__in=project_set)
-            | Q(o_auth2_access_token__in=token_set)
+
-            | Q(user__in=auditing_orgs.values('member_role__members'))
+        jt_set = JobTemplate.accessible_pk_qs(self.user, 'read_role')
-            | Q(user=self.user)
+        if jt_set:
-            | Q(organization__in=auditing_orgs)
+            q |= Q(job_template__in=jt_set) | Q(job__job_template__in=jt_set)
-            | Q(inventory__in=inventory_set)
+
-            | Q(host__inventory__in=inventory_set)
+        wfjt_set = WorkflowJobTemplate.accessible_pk_qs(self.user, 'read_role')
-            | Q(group__inventory__in=inventory_set)
+        if wfjt_set:
-            | Q(inventory_source__inventory__in=inventory_set)
+            q |= (
-            | Q(inventory_update__inventory_source__inventory__in=inventory_set)
+                Q(workflow_job_template__in=wfjt_set)
-            | Q(credential__in=credential_set)
+                | Q(workflow_job_template_node__workflow_job_template__in=wfjt_set)
-            | Q(team__in=team_set)
+                | Q(workflow_job__workflow_job_template__in=wfjt_set)
-            | Q(project__in=project_set)
+            )
-            | Q(project_update__project__in=project_set)
+
-            | Q(job_template__in=jt_set)
+        team_set = Team.accessible_pk_qs(self.user, 'read_role')
-            | Q(job__job_template__in=jt_set)
+        if team_set:
-            | Q(workflow_job_template__in=wfjt_set)
+            q |= Q(team__in=team_set)
-            | Q(workflow_job_template_node__workflow_job_template__in=wfjt_set)
+
-            | Q(workflow_job__workflow_job_template__in=wfjt_set)
+        app_set = OAuth2ApplicationAccess(self.user).filtered_queryset()
-            | Q(notification_template__organization__in=auditing_orgs)
+        if app_set:
-            | Q(notification__notification_template__organization__in=auditing_orgs)
+            q |= Q(o_auth2_application__in=app_set)
-            | Q(label__organization__in=auditing_orgs)
+
-            | Q(role__in=Role.objects.filter(ancestors__in=self.user.roles.all()) if auditing_orgs else [])
+        token_set = OAuth2TokenAccess(self.user).filtered_queryset()
-        ).distinct()
+        if token_set:
            q |= Q(o_auth2_access_token__in=token_set)
        return qs.filter(q).distinct()
    def can_add(self, data):
        return False
--- a/awx/main/analytics/broadcast_websocket.py
+++ b/awx/main/analytics/broadcast_websocket.py
@@ -1,8 +1,8 @@
 import datetime
 import asyncio
 import logging
 import aioredis
 import redis
 import redis.asyncio
 import re
 from prometheus_client import (
@@ -82,7 +82,7 @@ class BroadcastWebsocketStatsManager:
    async def run_loop(self):
        try:
-            redis_conn = await aioredis.create_redis_pool(settings.BROKER_URL)
+            redis_conn = await redis.asyncio.Redis.from_url(settings.BROKER_URL)
            while True:
                stats_data_str = ''.join(stat.serialize() for stat in self._stats.values())
                await redis_conn.set(self._redis_key, stats_data_str)
@@ -122,8 +122,8 @@ class BroadcastWebsocketStats:
            'Number of messages received, to be forwarded, by the broadcast websocket system',
            registry=self._registry,
        )
-        self._messages_received = Gauge(
+        self._messages_received_current_conn = Gauge(
-            f'awx_{self.remote_name}_messages_received',
+            f'awx_{self.remote_name}_messages_received_currrent_conn',
            'Number forwarded messages received by the broadcast websocket system, for the duration of the current connection',
            registry=self._registry,
        )
@@ -144,13 +144,13 @@ class BroadcastWebsocketStats:
    def record_message_received(self):
        self._internal_messages_received_per_minute.record()
-        self._messages_received.inc()
+        self._messages_received_current_conn.inc()
        self._messages_received_total.inc()
    def record_connection_established(self):
        self._connection.state('connected')
        self._connection_start.set_to_current_time()
-        self._messages_received.set(0)
+        self._messages_received_current_conn.set(0)
    def record_connection_lost(self):
        self._connection.state('disconnected')
--- a/awx/main/analytics/collectors.py
+++ b/awx/main/analytics/collectors.py
@@ -16,6 +16,7 @@ from awx.conf.license import get_license
 from awx.main.utils import get_awx_version, camelcase_to_underscore, datetime_hook
 from awx.main import models
 from awx.main.analytics import register
 from awx.main.scheduler.task_manager_models import TaskManagerModels
 """
 This module is used to define metrics collected by awx.main.analytics.gather()
@@ -235,25 +236,25 @@ def projects_by_scm_type(since, **kwargs):
@register('instance_info', '1.2', description=_('Cluster topology and capacity'))
 def instance_info(since, include_hostnames=False, **kwargs):
    info = {}
-    instances = models.Instance.objects.values_list('hostname').values(
+    # Use same method that the TaskManager does to compute consumed capacity without querying all running jobs for each Instance
-        'uuid', 'version', 'capacity', 'cpu', 'memory', 'managed_by_policy', 'hostname', 'enabled'
+    tm_models = TaskManagerModels.init_with_consumed_capacity(instance_fields=['uuid', 'version', 'capacity', 'cpu', 'memory', 'managed_by_policy', 'enabled'])
-    )
+    for tm_instance in tm_models.instances.instances_by_hostname.values():
-    for instance in instances:
+        instance = tm_instance.obj
        consumed_capacity = sum(x.task_impact for x in models.UnifiedJob.objects.filter(execution_node=instance['hostname'], status__in=('running', 'waiting')))
        instance_info = {
-            'uuid': instance['uuid'],
+            'uuid': instance.uuid,
-            'version': instance['version'],
+            'version': instance.version,
-            'capacity': instance['capacity'],
+            'capacity': instance.capacity,
-            'cpu': instance['cpu'],
+            'cpu': instance.cpu,
-            'memory': instance['memory'],
+            'memory': instance.memory,
-            'managed_by_policy': instance['managed_by_policy'],
+            'managed_by_policy': instance.managed_by_policy,
-            'enabled': instance['enabled'],
+            'enabled': instance.enabled,
-            'consumed_capacity': consumed_capacity,
+            'consumed_capacity': tm_instance.consumed_capacity,
-            'remaining_capacity': instance['capacity'] - consumed_capacity,
+            'remaining_capacity': instance.capacity - tm_instance.consumed_capacity,
            'node_type': instance.node_type,
        }
        if include_hostnames is True:
-            instance_info['hostname'] = instance['hostname']
+            instance_info['hostname'] = instance.hostname
-        info[instance['uuid']] = instance_info
+        info[instance.uuid] = instance_info
    return info
@@ -396,7 +397,7 @@ def events_table_partitioned_modified(since, full_path, until, **kwargs):
    return _events_table(since, full_path, until, 'main_jobevent', 'modified', project_job_created=True, **kwargs)
-@register('unified_jobs_table', '1.3', format='csv', description=_('Data on jobs run'), expensive=four_hour_slicing)
+@register('unified_jobs_table', '1.4', format='csv', description=_('Data on jobs run'), expensive=four_hour_slicing)
 def unified_jobs_table(since, full_path, until, **kwargs):
    unified_job_query = '''COPY (SELECT main_unifiedjob.id,
                                 main_unifiedjob.polymorphic_ctype_id,
@@ -422,7 +423,8 @@ def unified_jobs_table(since, full_path, until, **kwargs):
                                 main_unifiedjob.job_explanation,
                                 main_unifiedjob.instance_group_id,
                                 main_unifiedjob.installed_collections,
-                                 main_unifiedjob.ansible_version
+                                 main_unifiedjob.ansible_version,
                                 main_job.forks
                                 FROM main_unifiedjob
                                 JOIN django_content_type ON main_unifiedjob.polymorphic_ctype_id = django_content_type.id
                                 LEFT JOIN main_job ON main_unifiedjob.id = main_job.unifiedjob_ptr_id
--- a/awx/main/analytics/metrics.py
+++ b/awx/main/analytics/metrics.py
@@ -3,6 +3,7 @@ from prometheus_client import CollectorRegistry, Gauge, Info, generate_latest
 from awx.conf.license import get_license
 from awx.main.utils import get_awx_version
 from awx.main.models import UnifiedJob
 from awx.main.analytics.collectors import (
    counts,
    instance_info,
@@ -56,6 +57,7 @@ def metrics():
        [
            'hostname',
            'instance_uuid',
            'node_type',
        ],
        registry=REGISTRY,
    )
@@ -83,6 +85,7 @@ def metrics():
        [
            'hostname',
            'instance_uuid',
            'node_type',
        ],
        registry=REGISTRY,
    )
@@ -110,6 +113,7 @@ def metrics():
        [
            'hostname',
            'instance_uuid',
            'node_type',
        ],
        registry=REGISTRY,
    )
@@ -119,6 +123,7 @@ def metrics():
        [
            'hostname',
            'instance_uuid',
            'node_type',
        ],
        registry=REGISTRY,
    )
@@ -169,8 +174,9 @@ def metrics():
    all_job_data = job_counts(None)
    statuses = all_job_data.get('status', {})
-    for status, value in statuses.items():
+    states = set(dict(UnifiedJob.STATUS_CHOICES).keys()) - set(['new'])
-        STATUS.labels(status=status).set(value)
+    for state in states:
        STATUS.labels(status=state).set(statuses.get(state, 0))
    RUNNING_JOBS.set(current_counts['running_jobs'])
    PENDING_JOBS.set(current_counts['pending_jobs'])
@@ -178,12 +184,13 @@ def metrics():
    instance_data = instance_info(None, include_hostnames=True)
    for uuid, info in instance_data.items():
        hostname = info['hostname']
-        INSTANCE_CAPACITY.labels(hostname=hostname, instance_uuid=uuid).set(instance_data[uuid]['capacity'])
+        node_type = info['node_type']
        INSTANCE_CAPACITY.labels(hostname=hostname, instance_uuid=uuid, node_type=node_type).set(instance_data[uuid]['capacity'])
        INSTANCE_CPU.labels(hostname=hostname, instance_uuid=uuid).set(instance_data[uuid]['cpu'])
        INSTANCE_MEMORY.labels(hostname=hostname, instance_uuid=uuid).set(instance_data[uuid]['memory'])
-        INSTANCE_CONSUMED_CAPACITY.labels(hostname=hostname, instance_uuid=uuid).set(instance_data[uuid]['consumed_capacity'])
+        INSTANCE_CONSUMED_CAPACITY.labels(hostname=hostname, instance_uuid=uuid, node_type=node_type).set(instance_data[uuid]['consumed_capacity'])
-        INSTANCE_REMAINING_CAPACITY.labels(hostname=hostname, instance_uuid=uuid).set(instance_data[uuid]['remaining_capacity'])
+        INSTANCE_REMAINING_CAPACITY.labels(hostname=hostname, instance_uuid=uuid, node_type=node_type).set(instance_data[uuid]['remaining_capacity'])
-        INSTANCE_INFO.labels(hostname=hostname, instance_uuid=uuid).info(
+        INSTANCE_INFO.labels(hostname=hostname, instance_uuid=uuid, node_type=node_type).info(
            {
                'enabled': str(instance_data[uuid]['enabled']),
                'managed_by_policy': str(instance_data[uuid]['managed_by_policy']),
--- a/awx/main/analytics/subsystem_metrics.py
+++ b/awx/main/analytics/subsystem_metrics.py
@@ -5,7 +5,9 @@ import logging
 from django.conf import settings
 from django.apps import apps
 from awx.main.consumers import emit_channel_notification
 from awx.main.utils import is_testing
 root_key = 'awx_metrics'
 logger = logging.getLogger('awx.main.analytics')
@@ -163,10 +165,10 @@ class Metrics:
        Instance = apps.get_model('main', 'Instance')
        if instance_name:
            self.instance_name = instance_name
-        elif settings.IS_TESTING():
+        elif is_testing():
            self.instance_name = "awx_testing"
        else:
-            self.instance_name = Instance.objects.me().hostname
+            self.instance_name = Instance.objects.my_hostname()
        # metric name, help_text
        METRICSLIST = [
@@ -184,19 +186,29 @@ class Metrics:
            FloatM('subsystem_metrics_pipe_execute_seconds', 'Time spent saving metrics to redis'),
            IntM('subsystem_metrics_pipe_execute_calls', 'Number of calls to pipe_execute'),
            FloatM('subsystem_metrics_send_metrics_seconds', 'Time spent sending metrics to other nodes'),
-            SetFloatM('task_manager_get_tasks_seconds', 'Time spent in loading all tasks from db'),
+            SetFloatM('task_manager_get_tasks_seconds', 'Time spent in loading tasks from db'),
            SetFloatM('task_manager_start_task_seconds', 'Time spent starting task'),
            SetFloatM('task_manager_process_running_tasks_seconds', 'Time spent processing running tasks'),
            SetFloatM('task_manager_process_pending_tasks_seconds', 'Time spent processing pending tasks'),
            SetFloatM('task_manager_generate_dependencies_seconds', 'Time spent generating dependencies for pending tasks'),
            SetFloatM('task_manager_spawn_workflow_graph_jobs_seconds', 'Time spent spawning workflow jobs'),
            SetFloatM('task_manager__schedule_seconds', 'Time spent in running the entire _schedule'),
-            IntM('task_manager_schedule_calls', 'Number of calls to task manager schedule'),
+            IntM('task_manager__schedule_calls', 'Number of calls to _schedule, after lock is acquired'),
            SetFloatM('task_manager_recorded_timestamp', 'Unix timestamp when metrics were last recorded'),
            SetIntM('task_manager_tasks_started', 'Number of tasks started'),
            SetIntM('task_manager_running_processed', 'Number of running tasks processed'),
            SetIntM('task_manager_pending_processed', 'Number of pending tasks processed'),
            SetIntM('task_manager_tasks_blocked', 'Number of tasks blocked from running'),
            SetFloatM('task_manager_commit_seconds', 'Time spent in db transaction, including on_commit calls'),
            SetFloatM('dependency_manager_get_tasks_seconds', 'Time spent loading pending tasks from db'),
            SetFloatM('dependency_manager_generate_dependencies_seconds', 'Time spent generating dependencies for pending tasks'),
            SetFloatM('dependency_manager__schedule_seconds', 'Time spent in running the entire _schedule'),
            IntM('dependency_manager__schedule_calls', 'Number of calls to _schedule, after lock is acquired'),
            SetFloatM('dependency_manager_recorded_timestamp', 'Unix timestamp when metrics were last recorded'),
            SetIntM('dependency_manager_pending_processed', 'Number of pending tasks processed'),
            SetFloatM('workflow_manager__schedule_seconds', 'Time spent in running the entire _schedule'),
            IntM('workflow_manager__schedule_calls', 'Number of calls to _schedule, after lock is acquired'),
            SetFloatM('workflow_manager_recorded_timestamp', 'Unix timestamp when metrics were last recorded'),
            SetFloatM('workflow_manager_spawn_workflow_graph_jobs_seconds', 'Time spent spawning workflow tasks'),
            SetFloatM('workflow_manager_get_tasks_seconds', 'Time spent loading workflow tasks from db'),
        ]
        # turn metric list into dictionary with the metric name as a key
        self.METRICS = {}
@@ -303,7 +315,12 @@ class Metrics:
                self.previous_send_metrics.set(current_time)
                self.previous_send_metrics.store_value(self.conn)
        finally:
-            lock.release()
+            try:
                lock.release()
            except Exception as exc:
                # After system failures, we might throw redis.exceptions.LockNotOwnedError
                # this is to avoid print a Traceback, and importantly, avoid raising an exception into parent context
                logger.warning(f'Error releasing subsystem metrics redis lock, error: {str(exc)}')
    def load_other_metrics(self, request):
        # data received from other nodes are stored in their own keys
--- a/awx/main/apps.py
+++ b/awx/main/apps.py
@@ -3,6 +3,5 @@ from django.utils.translation import gettext_lazy as _
 class MainConfig(AppConfig):
    name = 'awx.main'
    verbose_name = _('Main')
--- a/awx/main/conf.py
+++ b/awx/main/conf.py
@@ -446,7 +446,7 @@ register(
    label=_('Default Job Idle Timeout'),
    help_text=_(
        'If no output is detected from ansible in this number of seconds the execution will be terminated. '
-        'Use value of 0 to used default idle_timeout is 600s.'
+        'Use value of 0 to indicate that no idle timeout should be imposed.'
    ),
    category=_('Jobs'),
    category_slug='jobs',
@@ -569,7 +569,7 @@ register(
 register(
    'LOG_AGGREGATOR_LOGGERS',
    field_class=fields.StringListField,
-    default=['awx', 'activity_stream', 'job_events', 'system_tracking'],
+    default=['awx', 'activity_stream', 'job_events', 'system_tracking', 'broadcast_websocket'],
    label=_('Loggers Sending Data to Log Aggregator Form'),
    help_text=_(
        'List of loggers that will send HTTP logs to the collector, these can '
@@ -577,7 +577,8 @@ register(
        'awx - service logs\n'
        'activity_stream - activity stream records\n'
        'job_events - callback data from Ansible job events\n'
-        'system_tracking - facts gathered from scan jobs.'
+        'system_tracking - facts gathered from scan jobs\n'
        'broadcast_websocket - errors pertaining to websockets broadcast metrics\n'
    ),
    category=_('Logging'),
    category_slug='logging',
--- a/awx/main/credential_plugins/aim.py
+++ b/awx/main/credential_plugins/aim.py
@@ -9,10 +9,16 @@ aim_inputs = {
    'fields': [
        {
            'id': 'url',
-            'label': _('CyberArk AIM URL'),
+            'label': _('CyberArk CCP URL'),
            'type': 'string',
            'format': 'url',
        },
        {
            'id': 'webservice_id',
            'label': _('Web Service ID'),
            'type': 'string',
            'help_text': _('The CCP Web Service ID. Leave blank to default to AIMWebService.'),
        },
        {
            'id': 'app_id',
            'label': _('Application ID'),
@@ -64,10 +70,13 @@ def aim_backend(**kwargs):
    client_cert = kwargs.get('client_cert', None)
    client_key = kwargs.get('client_key', None)
    verify = kwargs['verify']
    webservice_id = kwargs['webservice_id']
    app_id = kwargs['app_id']
    object_query = kwargs['object_query']
    object_query_format = kwargs['object_query_format']
    reason = kwargs.get('reason', None)
    if webservice_id == '':
        webservice_id = 'AIMWebService'
    query_params = {
        'AppId': app_id,
@@ -78,7 +87,7 @@ def aim_backend(**kwargs):
        query_params['reason'] = reason
    request_qs = '?' + urlencode(query_params, quote_via=quote)
-    request_url = urljoin(url, '/'.join(['AIMWebService', 'api', 'Accounts']))
+    request_url = urljoin(url, '/'.join([webservice_id, 'api', 'Accounts']))
    with CertFiles(client_cert, client_key) as cert:
        res = requests.get(
@@ -92,4 +101,4 @@ def aim_backend(**kwargs):
    return res.json()['Content']
-aim_plugin = CredentialPlugin('CyberArk AIM Central Credential Provider Lookup', inputs=aim_inputs, backend=aim_backend)
+aim_plugin = CredentialPlugin('CyberArk Central Credential Provider Lookup', inputs=aim_inputs, backend=aim_backend)
--- a/awx/main/credential_plugins/conjur.py
+++ b/awx/main/credential_plugins/conjur.py
@@ -1,6 +1,5 @@
 from .plugin import CredentialPlugin, CertFiles, raise_for_status
 import base64
 from urllib.parse import urljoin, quote
 from django.utils.translation import gettext_lazy as _
@@ -61,7 +60,7 @@ def conjur_backend(**kwargs):
    cacert = kwargs.get('cacert', None)
    auth_kwargs = {
-        'headers': {'Content-Type': 'text/plain'},
+        'headers': {'Content-Type': 'text/plain', 'Accept-Encoding': 'base64'},
        'data': api_key,
        'allow_redirects': False,
    }
@@ -69,9 +68,13 @@ def conjur_backend(**kwargs):
    with CertFiles(cacert) as cert:
        # https://www.conjur.org/api.html#authentication-authenticate-post
        auth_kwargs['verify'] = cert
-        resp = requests.post(urljoin(url, '/'.join(['authn', account, username, 'authenticate'])), **auth_kwargs)
+        try:
            resp = requests.post(urljoin(url, '/'.join(['authn', account, username, 'authenticate'])), **auth_kwargs)
            resp.raise_for_status()
        except requests.exceptions.HTTPError:
            resp = requests.post(urljoin(url, '/'.join(['api', 'authn', account, username, 'authenticate'])), **auth_kwargs)
    raise_for_status(resp)
-    token = base64.b64encode(resp.content).decode('utf-8')
+    token = resp.content.decode('utf-8')
    lookup_kwargs = {
        'headers': {'Authorization': 'Token token="{}"'.format(token)},
@@ -80,14 +83,21 @@ def conjur_backend(**kwargs):
    # https://www.conjur.org/api.html#secrets-retrieve-a-secret-get
    path = urljoin(url, '/'.join(['secrets', account, 'variable', secret_path]))
    path_conjurcloud = urljoin(url, '/'.join(['api', 'secrets', account, 'variable', secret_path]))
    if version:
-        path = '?'.join([path, version])
+        ver = "version={}".format(version)
        path = '?'.join([path, ver])
        path_conjurcloud = '?'.join([path_conjurcloud, ver])
    with CertFiles(cacert) as cert:
        lookup_kwargs['verify'] = cert
-        resp = requests.get(path, timeout=30, **lookup_kwargs)
+        try:
            resp = requests.get(path, timeout=30, **lookup_kwargs)
            resp.raise_for_status()
        except requests.exceptions.HTTPError:
            resp = requests.get(path_conjurcloud, timeout=30, **lookup_kwargs)
    raise_for_status(resp)
    return resp.text
-conjur_plugin = CredentialPlugin('CyberArk Conjur Secret Lookup', inputs=conjur_inputs, backend=conjur_backend)
+conjur_plugin = CredentialPlugin('CyberArk Conjur Secrets Manager Lookup', inputs=conjur_inputs, backend=conjur_backend)
--- a/awx/main/credential_plugins/hashivault.py
+++ b/awx/main/credential_plugins/hashivault.py
@@ -1,6 +1,7 @@
 import copy
 import os
 import pathlib
 import time
 from urllib.parse import urljoin
 from .plugin import CredentialPlugin, CertFiles, raise_for_status
@@ -247,7 +248,15 @@ def kv_backend(**kwargs):
    request_url = urljoin(url, '/'.join(['v1'] + path_segments)).rstrip('/')
    with CertFiles(cacert) as cert:
        request_kwargs['verify'] = cert
-        response = sess.get(request_url, **request_kwargs)
+        request_retries = 0
        while request_retries < 5:
            response = sess.get(request_url, **request_kwargs)
            # https://developer.hashicorp.com/vault/docs/enterprise/consistency
            if response.status_code == 412:
                request_retries += 1
                time.sleep(1)
            else:
                break
    raise_for_status(response)
    json = response.json()
@@ -289,8 +298,15 @@ def ssh_backend(**kwargs):
    with CertFiles(cacert) as cert:
        request_kwargs['verify'] = cert
-        resp = sess.post(request_url, **request_kwargs)
+        request_retries = 0
-
+        while request_retries < 5:
            resp = sess.post(request_url, **request_kwargs)
            # https://developer.hashicorp.com/vault/docs/enterprise/consistency
            if resp.status_code == 412:
                request_retries += 1
                time.sleep(1)
            else:
                break
    raise_for_status(resp)
    return resp.json()['data']['signed_key']
--- a/awx/main/dispatch/init.py
+++ b/awx/main/dispatch/init.py
@@ -4,6 +4,7 @@ import select
 from contextlib import contextmanager
 from django.conf import settings
 from django.db import connection as pg_connection
 NOT_READY = ([], [], [])
@@ -15,7 +16,6 @@ def get_local_queuename():
 class PubSub(object):
    def __init__(self, conn):
        assert conn.autocommit, "Connection must be in autocommit mode."
        self.conn = conn
    def listen(self, channel):
@@ -31,6 +31,9 @@ class PubSub(object):
            cur.execute('SELECT pg_notify(%s, %s);', (channel, payload))
    def events(self, select_timeout=5, yield_timeouts=False):
        if not self.conn.autocommit:
            raise RuntimeError('Listening for events can only be done in autocommit mode')
        while True:
            if select.select([self.conn], [], [], select_timeout) == NOT_READY:
                if yield_timeouts:
@@ -45,11 +48,32 @@ class PubSub(object):
@contextmanager
-def pg_bus_conn():
+def pg_bus_conn(new_connection=False):
-    conf = settings.DATABASES['default']
+    '''
-    conn = psycopg2.connect(dbname=conf['NAME'], host=conf['HOST'], user=conf['USER'], password=conf['PASSWORD'], port=conf['PORT'], **conf.get("OPTIONS", {}))
+    Any listeners probably want to establish a new database connection,
-    # Django connection.cursor().connection doesn't have autocommit=True on
+    separate from the Django connection used for queries, because that will prevent
-    conn.set_session(autocommit=True)
+    losing connection to the channel whenever a .close() happens.
    Any publishers probably want to use the existing connection
    so that messages follow postgres transaction rules
    https://www.postgresql.org/docs/current/sql-notify.html
    '''
    if new_connection:
        conf = settings.DATABASES['default']
        conn = psycopg2.connect(
            dbname=conf['NAME'], host=conf['HOST'], user=conf['USER'], password=conf['PASSWORD'], port=conf['PORT'], **conf.get("OPTIONS", {})
        )
        # Django connection.cursor().connection doesn't have autocommit=True on by default
        conn.set_session(autocommit=True)
    else:
        if pg_connection.connection is None:
            pg_connection.connect()
        if pg_connection.connection is None:
            raise RuntimeError('Unexpectedly could not connect to postgres for pg_notify actions')
        conn = pg_connection.connection
    pubsub = PubSub(conn)
    yield pubsub
-    conn.close()
+    if new_connection:
        conn.close()
--- a/awx/main/dispatch/control.py
+++ b/awx/main/dispatch/control.py
@@ -3,6 +3,7 @@ import uuid
 import json
 from django.conf import settings
 from django.db import connection
 import redis
 from awx.main.dispatch import get_local_queuename
@@ -13,7 +14,6 @@ logger = logging.getLogger('awx.main.dispatch')
 class Control(object):
    services = ('dispatcher', 'callback_receiver')
    result = None
@@ -37,18 +37,27 @@ class Control(object):
    def running(self, *args, **kwargs):
        return self.control_with_reply('running', *args, **kwargs)
    def cancel(self, task_ids, *args, **kwargs):
        return self.control_with_reply('cancel', *args, extra_data={'task_ids': task_ids}, **kwargs)
    @classmethod
    def generate_reply_queue_name(cls):
        return f"reply_to_{str(uuid.uuid4()).replace('-','_')}"
-    def control_with_reply(self, command, timeout=5):
+    def control_with_reply(self, command, timeout=5, extra_data=None):
        logger.warning('checking {} {} for {}'.format(self.service, command, self.queuename))
        reply_queue = Control.generate_reply_queue_name()
        self.result = None
        if not connection.get_autocommit():
            raise RuntimeError('Control-with-reply messages can only be done in autocommit mode')
        with pg_bus_conn() as conn:
            conn.listen(reply_queue)
-            conn.notify(self.queuename, json.dumps({'control': command, 'reply_to': reply_queue}))
+            send_data = {'control': command, 'reply_to': reply_queue}
            if extra_data:
                send_data.update(extra_data)
            conn.notify(self.queuename, json.dumps(send_data))
            for reply in conn.events(select_timeout=timeout, yield_timeouts=True):
                if reply is None:
--- a/awx/main/dispatch/pool.py
+++ b/awx/main/dispatch/pool.py
@@ -16,13 +16,14 @@ from queue import Full as QueueFull, Empty as QueueEmpty
 from django.conf import settings
 from django.db import connection as django_connection, connections
 from django.core.cache import cache as django_cache
 from django.utils.timezone import now as tz_now
 from django_guid import set_guid
 from jinja2 import Template
 import psutil
 from awx.main.models import UnifiedJob
 from awx.main.dispatch import reaper
-from awx.main.utils.common import convert_mem_str_to_bytes, get_mem_effective_capacity
+from awx.main.utils.common import convert_mem_str_to_bytes, get_mem_effective_capacity, log_excess_runtime
 if 'run_callback_receiver' in sys.argv:
    logger = logging.getLogger('awx.main.commands.run_callback_receiver')
@@ -191,7 +192,6 @@ class PoolWorker(object):
 class StatefulPoolWorker(PoolWorker):
    track_managed_tasks = True
@@ -328,12 +328,16 @@ class AutoscalePool(WorkerPool):
            # Get same number as max forks based on memory, this function takes memory as bytes
            self.max_workers = get_mem_effective_capacity(total_memory_gb * 2**30)
            # add magic prime number of extra workers to ensure
            # we have a few extra workers to run the heartbeat
            self.max_workers += 7
        # max workers can't be less than min_workers
        self.max_workers = max(self.min_workers, self.max_workers)
-    def debug(self, *args, **kwargs):
+        # the task manager enforces settings.TASK_MANAGER_TIMEOUT on its own
-        self.cleanup()
+        # but if the task takes longer than the time defined here, we will force it to stop here
-        return super(AutoscalePool, self).debug(*args, **kwargs)
+        self.task_manager_timeout = settings.TASK_MANAGER_TIMEOUT + settings.TASK_MANAGER_TIMEOUT_GRACE_PERIOD
    @property
    def should_grow(self):
@@ -351,6 +355,7 @@ class AutoscalePool(WorkerPool):
    def debug_meta(self):
        return 'min={} max={}'.format(self.min_workers, self.max_workers)
    @log_excess_runtime(logger)
    def cleanup(self):
        """
        Perform some internal account and cleanup.  This is run on
@@ -359,8 +364,6 @@ class AutoscalePool(WorkerPool):
        1.  Discover worker processes that exited, and recover messages they
            were handling.
        2.  Clean up unnecessary, idle workers.
        3.  Check to see if the database says this node is running any tasks
            that aren't actually running.  If so, reap them.
        IMPORTANT: this function is one of the few places in the dispatcher
        (aside from setting lookups) where we talk to the database.  As such,
@@ -383,6 +386,8 @@ class AutoscalePool(WorkerPool):
                                reaper.reap_job(j, 'failed')
                        except Exception:
                            logger.exception('failed to reap job UUID {}'.format(w.current_task['uuid']))
                    else:
                        logger.warning(f'Worker was told to quit but has not, pid={w.pid}')
                orphaned.extend(w.orphaned_tasks)
                self.workers.remove(w)
            elif w.idle and len(self.workers) > self.min_workers:
@@ -401,13 +406,15 @@ class AutoscalePool(WorkerPool):
                # the task manager to never do more work
                current_task = w.current_task
                if current_task and isinstance(current_task, dict):
-                    if current_task.get('task', '').endswith('tasks.run_task_manager'):
+                    endings = ['tasks.task_manager', 'tasks.dependency_manager', 'tasks.workflow_manager']
                    current_task_name = current_task.get('task', '')
                    if any(current_task_name.endswith(e) for e in endings):
                        if 'started' not in current_task:
                            w.managed_tasks[current_task['uuid']]['started'] = time.time()
                        age = time.time() - current_task['started']
                        w.managed_tasks[current_task['uuid']]['age'] = age
-                        if age > (60 * 5):
+                        if age > self.task_manager_timeout:
-                            logger.error(f'run_task_manager has held the advisory lock for >5m, sending SIGTERM to {w.pid}')  # noqa
+                            logger.error(f'{current_task_name} has held the advisory lock for {age}, sending SIGTERM to {w.pid}')
                            os.kill(w.pid, signal.SIGTERM)
        for m in orphaned:
@@ -417,13 +424,17 @@ class AutoscalePool(WorkerPool):
            idx = random.choice(range(len(self.workers)))
            self.write(idx, m)
-        # if the database says a job is running on this node, but it's *not*,
+    def add_bind_kwargs(self, body):
-        # then reap it
+        bind_kwargs = body.pop('bind_kwargs', [])
-        running_uuids = []
+        body.setdefault('kwargs', {})
-        for worker in self.workers:
+        if 'dispatch_time' in bind_kwargs:
-            worker.calculate_managed_tasks()
+            body['kwargs']['dispatch_time'] = tz_now().isoformat()
-            running_uuids.extend(list(worker.managed_tasks.keys()))
+        if 'worker_tasks' in bind_kwargs:
-        reaper.reap(excluded_uuids=running_uuids)
+            worker_tasks = {}
            for worker in self.workers:
                worker.calculate_managed_tasks()
                worker_tasks[worker.pid] = list(worker.managed_tasks.keys())
            body['kwargs']['worker_tasks'] = worker_tasks
    def up(self):
        if self.full:
@@ -438,9 +449,8 @@ class AutoscalePool(WorkerPool):
        if 'guid' in body:
            set_guid(body['guid'])
        try:
-            # when the cluster heartbeat occurs, clean up internally
+            if isinstance(body, dict) and body.get('bind_kwargs'):
-            if isinstance(body, dict) and 'cluster_node_heartbeat' in body['task']:
+                self.add_bind_kwargs(body)
                self.cleanup()
            if self.should_grow:
                self.up()
            # we don't care about "preferred queue" round robin distribution, just
@@ -452,6 +462,10 @@ class AutoscalePool(WorkerPool):
                    w.put(body)
                    break
            else:
                task_name = 'unknown'
                if isinstance(body, dict):
                    task_name = body.get('task')
                logger.warning(f'Workers maxed, queuing {task_name}, load: {sum(len(w.managed_tasks) for w in self.workers)} / {len(self.workers)}')
                return super(AutoscalePool, self).write(preferred_queue, body)
        except Exception:
            for conn in connections.all():
--- a/awx/main/dispatch/publish.py
+++ b/awx/main/dispatch/publish.py
@@ -1,13 +1,13 @@
 import inspect
 import logging
 import sys
 import json
 import time
 from uuid import uuid4
 from django.conf import settings
 from django_guid import get_guid
 from . import pg_bus_conn
 from awx.main.utils import is_testing
 logger = logging.getLogger('awx.main.dispatch')
@@ -49,16 +49,23 @@ class task:
    @task(queue='tower_broadcast')
    def announce():
        print("Run this everywhere!")
    # The special parameter bind_kwargs tells the main dispatcher process to add certain kwargs
    @task(bind_kwargs=['dispatch_time'])
    def print_time(dispatch_time=None):
        print(f"Time I was dispatched: {dispatch_time}")
    """
-    def __init__(self, queue=None):
+    def __init__(self, queue=None, bind_kwargs=None):
        self.queue = queue
        self.bind_kwargs = bind_kwargs
    def __call__(self, fn=None):
        queue = self.queue
        bind_kwargs = self.bind_kwargs
        class PublisherMixin(object):
            queue = None
            @classmethod
@@ -75,14 +82,16 @@ class task:
                    msg = f'{cls.name}: Queue value required and may not be None'
                    logger.error(msg)
                    raise ValueError(msg)
-                obj = {'uuid': task_id, 'args': args, 'kwargs': kwargs, 'task': cls.name}
+                obj = {'uuid': task_id, 'args': args, 'kwargs': kwargs, 'task': cls.name, 'time_pub': time.time()}
                guid = get_guid()
                if guid:
                    obj['guid'] = guid
                if bind_kwargs:
                    obj['bind_kwargs'] = bind_kwargs
                obj.update(**kw)
                if callable(queue):
                    queue = queue()
-                if not settings.IS_TESTING(sys.argv):
+                if not is_testing():
                    with pg_bus_conn() as conn:
                        conn.notify(queue, json.dumps(obj))
                return (obj, queue)
--- a/awx/main/dispatch/reaper.py
+++ b/awx/main/dispatch/reaper.py
@@ -2,6 +2,7 @@ from datetime import timedelta
 import logging
 from django.db.models import Q
 from django.conf import settings
 from django.utils.timezone import now as tz_now
 from django.contrib.contenttypes.models import ContentType
@@ -15,58 +16,73 @@ def startup_reaping():
    If this particular instance is starting, then we know that any running jobs are invalid
    so we will reap those jobs as a special action here
    """
-    me = Instance.objects.me()
+    jobs = UnifiedJob.objects.filter(status='running', controller_node=Instance.objects.my_hostname())
    jobs = UnifiedJob.objects.filter(status='running', controller_node=me.hostname)
    job_ids = []
    for j in jobs:
        job_ids.append(j.id)
-        j.status = 'failed'
+        reap_job(
-        j.start_args = ''
+            j,
-        j.job_explanation += 'Task was marked as running at system start up. The system must have not shut down properly, so it has been marked as failed.'
+            'failed',
-        j.save(update_fields=['status', 'start_args', 'job_explanation'])
+            job_explanation='Task was marked as running at system start up. The system must have not shut down properly, so it has been marked as failed.',
-        if hasattr(j, 'send_notification_templates'):
+        )
            j.send_notification_templates('failed')
        j.websocket_emit_status('failed')
    if job_ids:
        logger.error(f'Unified jobs {job_ids} were reaped on dispatch startup')
-def reap_job(j, status):
+def reap_job(j, status, job_explanation=None):
-    if UnifiedJob.objects.get(id=j.id).status not in ('running', 'waiting'):
+    j.refresh_from_db(fields=['status', 'job_explanation'])
    status_before = j.status
    if status_before not in ('running', 'waiting'):
        # just in case, don't reap jobs that aren't running
        return
    j.status = status
    j.start_args = ''  # blank field to remove encrypted passwords
-    j.job_explanation += ' '.join(
+    if j.job_explanation:
-        (
+        j.job_explanation += ' '  # Separate messages for readability
-            'Task was marked as running but was not present in',
+    if job_explanation is None:
-            'the job queue, so it has been marked as failed.',
+        j.job_explanation += 'Task was marked as running but was not present in the job queue, so it has been marked as failed.'
-        )
+    else:
-    )
+        j.job_explanation += job_explanation
    j.save(update_fields=['status', 'start_args', 'job_explanation'])
    if hasattr(j, 'send_notification_templates'):
        j.send_notification_templates('failed')
    j.websocket_emit_status(status)
-    logger.error('{} is no longer running; reaping'.format(j.log_format))
+    logger.error(f'{j.log_format} is no longer {status_before}; reaping')
-def reap(instance=None, status='failed', excluded_uuids=[]):
+def reap_waiting(instance=None, status='failed', job_explanation=None, grace_period=None, excluded_uuids=None, ref_time=None):
    """
-    Reap all jobs in waiting|running for this instance.
+    Reap all jobs in waiting for this instance.
    """
-    me = instance
+    if grace_period is None:
-    if me is None:
+        grace_period = settings.JOB_WAITING_GRACE_PERIOD + settings.TASK_MANAGER_TIMEOUT
-        try:
+
-            me = Instance.objects.me()
+    if instance is None:
-        except RuntimeError as e:
+        hostname = Instance.objects.my_hostname()
-            logger.warning(f'Local instance is not registered, not running reaper: {e}')
+    else:
-            return
+        hostname = instance.hostname
-    now = tz_now()
+    if ref_time is None:
        ref_time = tz_now()
    jobs = UnifiedJob.objects.filter(status='waiting', modified__lte=ref_time - timedelta(seconds=grace_period), controller_node=hostname)
    if excluded_uuids:
        jobs = jobs.exclude(celery_task_id__in=excluded_uuids)
    for j in jobs:
        reap_job(j, status, job_explanation=job_explanation)
 def reap(instance=None, status='failed', job_explanation=None, excluded_uuids=None):
    """
    Reap all jobs in running for this instance.
    """
    if instance is None:
        hostname = Instance.objects.my_hostname()
    else:
        hostname = instance.hostname
    workflow_ctype_id = ContentType.objects.get_for_model(WorkflowJob).id
    jobs = UnifiedJob.objects.filter(
-        (Q(status='running') | Q(status='waiting', modified__lte=now - timedelta(seconds=60)))
+        Q(status='running') & (Q(execution_node=hostname) | Q(controller_node=hostname)) & ~Q(polymorphic_ctype_id=workflow_ctype_id)
-        & (Q(execution_node=me.hostname) | Q(controller_node=me.hostname))
+    )
-        & ~Q(polymorphic_ctype_id=workflow_ctype_id)
+    if excluded_uuids:
-    ).exclude(celery_task_id__in=excluded_uuids)
+        jobs = jobs.exclude(celery_task_id__in=excluded_uuids)
    for j in jobs:
-        reap_job(j, status)
+        reap_job(j, status, job_explanation=job_explanation)
--- a/awx/main/dispatch/worker/base.py
+++ b/awx/main/dispatch/worker/base.py
@@ -17,6 +17,7 @@ from django.conf import settings
 from awx.main.dispatch.pool import WorkerPool
 from awx.main.dispatch import pg_bus_conn
 from awx.main.utils.common import log_excess_runtime
 if 'run_callback_receiver' in sys.argv:
    logger = logging.getLogger('awx.main.commands.run_callback_receiver')
@@ -39,7 +40,6 @@ class WorkerSignalHandler:
 class AWXConsumerBase(object):
    last_stats = time.time()
    def __init__(self, name, worker, queues=[], pool=None):
@@ -62,7 +62,7 @@ class AWXConsumerBase(object):
    def control(self, body):
        logger.warning(f'Received control signal:\n{body}')
        control = body.get('control')
-        if control in ('status', 'running'):
+        if control in ('status', 'running', 'cancel'):
            reply_queue = body['reply_to']
            if control == 'status':
                msg = '\n'.join([self.listening_on, self.pool.debug()])
@@ -71,6 +71,17 @@ class AWXConsumerBase(object):
                for worker in self.pool.workers:
                    worker.calculate_managed_tasks()
                    msg.extend(worker.managed_tasks.keys())
            elif control == 'cancel':
                msg = []
                task_ids = set(body['task_ids'])
                for worker in self.pool.workers:
                    task = worker.current_task
                    if task and task['uuid'] in task_ids:
                        logger.warn(f'Sending SIGTERM to task id={task["uuid"]}, task={task.get("task")}, args={task.get("args")}')
                        os.kill(worker.pid, signal.SIGTERM)
                        msg.append(task['uuid'])
                if task_ids and not msg:
                    logger.info(f'Could not locate running tasks to cancel with ids={task_ids}')
            with pg_bus_conn() as conn:
                conn.notify(reply_queue, json.dumps(msg))
@@ -81,6 +92,9 @@ class AWXConsumerBase(object):
            logger.error('unrecognized control message: {}'.format(control))
    def process_task(self, body):
        if isinstance(body, dict):
            body['time_ack'] = time.time()
        if 'control' in body:
            try:
                return self.control(body)
@@ -99,8 +113,8 @@ class AWXConsumerBase(object):
            queue = 0
        self.pool.write(queue, body)
        self.total_messages += 1
        self.record_statistics()
    @log_excess_runtime(logger)
    def record_statistics(self):
        if time.time() - self.last_stats > 1:  # buffer stat recording to once per second
            try:
@@ -140,6 +154,16 @@ class AWXConsumerPG(AWXConsumerBase):
        # if no successful loops have ran since startup, then we should fail right away
        self.pg_is_down = True  # set so that we fail if we get database errors on startup
        self.pg_down_time = time.time() - self.pg_max_wait  # allow no grace period
        self.last_cleanup = time.time()
    def run_periodic_tasks(self):
        self.record_statistics()  # maintains time buffer in method
        if time.time() - self.last_cleanup > 60:  # same as cluster_node_heartbeat
            # NOTE: if we run out of database connections, it is important to still run cleanup
            # so that we scale down workers and free up connections
            self.pool.cleanup()
            self.last_cleanup = time.time()
    def run(self, *args, **kwargs):
        super(AWXConsumerPG, self).run(*args, **kwargs)
@@ -149,14 +173,16 @@ class AWXConsumerPG(AWXConsumerBase):
        while True:
            try:
-                with pg_bus_conn() as conn:
+                with pg_bus_conn(new_connection=True) as conn:
                    for queue in self.queues:
                        conn.listen(queue)
                    if init is False:
                        self.worker.on_start()
                        init = True
-                    for e in conn.events():
+                    for e in conn.events(yield_timeouts=True):
-                        self.process_task(json.loads(e.payload))
+                        if e is not None:
                            self.process_task(json.loads(e.payload))
                        self.run_periodic_tasks()
                        self.pg_is_down = False
                    if self.should_stop:
                        return
@@ -213,6 +239,8 @@ class BaseWorker(object):
                    # so we can establish a new connection
                    conn.close_if_unusable_or_obsolete()
                self.perform_work(body, *args)
            except Exception:
                logger.exception(f'Unhandled exception in perform_work in worker pid={os.getpid()}')
            finally:
                if 'uuid' in body:
                    uuid = body['uuid']
--- a/awx/main/dispatch/worker/callback.py
+++ b/awx/main/dispatch/worker/callback.py
@@ -3,14 +3,12 @@ import logging
 import os
 import signal
 import time
 import traceback
 import datetime
 from django.conf import settings
 from django.utils.functional import cached_property
 from django.utils.timezone import now as tz_now
-from django.db import DatabaseError, OperationalError, transaction, connection as django_connection
+from django.db import transaction, connection as django_connection
 from django.db.utils import InterfaceError, InternalError
 from django_guid import set_guid
 import psutil
@@ -64,6 +62,7 @@ class CallbackBrokerWorker(BaseWorker):
    """
    MAX_RETRIES = 2
    INDIVIDUAL_EVENT_RETRIES = 3
    last_stats = time.time()
    last_flush = time.time()
    total = 0
@@ -155,6 +154,8 @@ class CallbackBrokerWorker(BaseWorker):
            metrics_events_missing_created = 0
            metrics_total_job_event_processing_seconds = datetime.timedelta(seconds=0)
            for cls, events in self.buff.items():
                if not events:
                    continue
                logger.debug(f'{cls.__name__}.objects.bulk_create({len(events)})')
                for e in events:
                    e.modified = now  # this can be set before created because now is set above on line 149
@@ -164,28 +165,48 @@ class CallbackBrokerWorker(BaseWorker):
                    else:  # only calculate the seconds if the created time already has been set
                        metrics_total_job_event_processing_seconds += e.modified - e.created
                metrics_duration_to_save = time.perf_counter()
                saved_events = []
                try:
                    cls.objects.bulk_create(events)
                    metrics_bulk_events_saved += len(events)
-                except Exception:
+                    saved_events = events
                    self.buff[cls] = []
                except Exception as exc:
                    # If the database is flaking, let ensure_connection throw a general exception
                    # will be caught by the outer loop, which goes into a proper sleep and retry loop
                    django_connection.ensure_connection()
                    logger.warning(f'Error in events bulk_create, will try indiviually, error: {str(exc)}')
                    # if an exception occurs, we should re-attempt to save the
                    # events one-by-one, because something in the list is
                    # broken/stale
                    metrics_events_batch_save_errors += 1
-                    for e in events:
+                    for e in events.copy():
                        try:
                            e.save()
                            metrics_singular_events_saved += 1
-                        except Exception:
+                            events.remove(e)
-                            logger.exception('Database Error Saving Job Event')
+                            saved_events.append(e)  # Importantly, remove successfully saved events from the buffer
                        except Exception as exc_indv:
                            retry_count = getattr(e, '_retry_count', 0) + 1
                            e._retry_count = retry_count
                            # special sanitization logic for postgres treatment of NUL 0x00 char
                            if (retry_count == 1) and isinstance(exc_indv, ValueError) and ("\x00" in e.stdout):
                                e.stdout = e.stdout.replace("\x00", "")
                            if retry_count >= self.INDIVIDUAL_EVENT_RETRIES:
                                logger.error(f'Hit max retries ({retry_count}) saving individual Event error: {str(exc_indv)}\ndata:\n{e.__dict__}')
                                events.remove(e)
                            else:
                                logger.info(f'Database Error Saving individual Event uuid={e.uuid} try={retry_count}, error: {str(exc_indv)}')
                metrics_duration_to_save = time.perf_counter() - metrics_duration_to_save
-                for e in events:
+                for e in saved_events:
                    if not getattr(e, '_skip_websocket_message', False):
                        metrics_events_broadcast += 1
                        emit_event_detail(e)
                    if getattr(e, '_notification_trigger_event', False):
                        job_stats_wrapup(getattr(e, e.JOB_REFERENCE), event=e)
            self.buff = {}
            self.last_flush = time.time()
            # only update metrics if we saved events
            if (metrics_bulk_events_saved + metrics_singular_events_saved) > 0:
@@ -257,19 +278,16 @@ class CallbackBrokerWorker(BaseWorker):
                try:
                    self.flush(force=flush)
                    break
-                except (OperationalError, InterfaceError, InternalError):
+                except Exception as exc:
                    # Aside form bugs, exceptions here are assumed to be due to database flake
                    if retries >= self.MAX_RETRIES:
                        logger.exception('Worker could not re-establish database connectivity, giving up on one or more events.')
                        self.buff = {}
                        return
                    delay = 60 * retries
-                    logger.exception('Database Error Saving Job Event, retry #{i} in {delay} seconds:'.format(i=retries + 1, delay=delay))
+                    logger.warning(f'Database Error Flushing Job Events, retry #{retries + 1} in {delay} seconds: {str(exc)}')
                    django_connection.close()
                    time.sleep(delay)
                    retries += 1
-                except DatabaseError:
+        except Exception:
-                    logger.exception('Database Error Saving Job Event')
+            logger.exception(f'Callback Task Processor Raised Unexpected Exception processing event data:\n{body}')
                    break
        except Exception as exc:
            tb = traceback.format_exc()
            logger.error('Callback Task Processor Raised Exception: %r', exc)
            logger.error('Detail: {}'.format(tb))
--- a/awx/main/dispatch/worker/task.py
+++ b/awx/main/dispatch/worker/task.py
@@ -3,6 +3,7 @@ import logging
 import importlib
 import sys
 import traceback
 import time
 from kubernetes.config import kube_config
@@ -60,8 +61,19 @@ class TaskWorker(BaseWorker):
            # the callable is a class, e.g., RunJob; instantiate and
            # return its `run()` method
            _call = _call().run
        log_extra = ''
        logger_method = logger.debug
        if ('time_ack' in body) and ('time_pub' in body):
            time_publish = body['time_ack'] - body['time_pub']
            time_waiting = time.time() - body['time_ack']
            if time_waiting > 5.0 or time_publish > 5.0:
                # If task too a very long time to process, add this information to the log
                log_extra = f' took {time_publish:.4f} to ack, {time_waiting:.4f} in local dispatcher'
                logger_method = logger.info
        # don't print kwargs, they often contain launch-time secrets
-        logger.debug('task {} starting {}(*{})'.format(uuid, task, args))
+        logger_method(f'task {uuid} starting {task}(*{args}){log_extra}')
        return _call(*args, **kwargs)
    def perform_work(self, body):
--- a/awx/main/fields.py
+++ b/awx/main/fields.py
@@ -232,7 +232,6 @@ class ImplicitRoleField(models.ForeignKey):
            field_names = [field_names]
        for field_name in field_names:
            if field_name.startswith('singleton:'):
                continue
@@ -244,7 +243,6 @@ class ImplicitRoleField(models.ForeignKey):
            field = getattr(cls, field_name, None)
            if field and type(field) is ReverseManyToOneDescriptor or type(field) is ManyToManyDescriptor:
                if '.' in field_attr:
                    raise Exception('Referencing deep roles through ManyToMany fields is unsupported.')
@@ -629,7 +627,6 @@ class CredentialInputField(JSONSchemaField):
        # `ssh_key_unlock` requirements are very specific and can't be
        # represented without complicated JSON schema
        if model_instance.credential_type.managed is True and 'ssh_key_unlock' in defined_fields:
            # in order to properly test the necessity of `ssh_key_unlock`, we
            # need to know the real value of `ssh_key_data`; for a payload like:
            # {
@@ -791,7 +788,8 @@ class CredentialTypeInjectorField(JSONSchemaField):
                    'type': 'object',
                    'patternProperties': {
                        # http://docs.ansible.com/ansible/playbooks_variables.html#what-makes-a-valid-variable-name
-                        '^[a-zA-Z_]+[a-zA-Z0-9_]*$': {'type': 'string'},
+                        # plus, add ability to template
                        r'^[a-zA-Z_\{\}]+[a-zA-Z0-9_\{\}]*$': {"anyOf": [{'type': 'string'}, {'type': 'array'}, {'$ref': '#/properties/extra_vars'}]}
                    },
                    'additionalProperties': False,
                },
@@ -858,27 +856,44 @@ class CredentialTypeInjectorField(JSONSchemaField):
                template_name = template_name.split('.')[1]
                setattr(valid_namespace['tower'].filename, template_name, 'EXAMPLE_FILENAME')
        def validate_template_string(type_, key, tmpl):
            try:
                sandbox.ImmutableSandboxedEnvironment(undefined=StrictUndefined).from_string(tmpl).render(valid_namespace)
            except UndefinedError as e:
                raise django_exceptions.ValidationError(
                    _('{sub_key} uses an undefined field ({error_msg})').format(sub_key=key, error_msg=e),
                    code='invalid',
                    params={'value': value},
                )
            except SecurityError as e:
                raise django_exceptions.ValidationError(_('Encountered unsafe code execution: {}').format(e))
            except TemplateSyntaxError as e:
                raise django_exceptions.ValidationError(
                    _('Syntax error rendering template for {sub_key} inside of {type} ({error_msg})').format(sub_key=key, type=type_, error_msg=e),
                    code='invalid',
                    params={'value': value},
                )
        def validate_extra_vars(key, node):
            if isinstance(node, dict):
                for k, v in node.items():
                    validate_template_string("extra_vars", 'a key' if key is None else key, k)
                    validate_extra_vars(k if key is None else "{key}.{k}".format(key=key, k=k), v)
            elif isinstance(node, list):
                for i, x in enumerate(node):
                    validate_extra_vars("{key}[{i}]".format(key=key, i=i), x)
            else:
                validate_template_string("extra_vars", key, node)
        for type_, injector in value.items():
            if type_ == 'env':
                for key in injector.keys():
                    self.validate_env_var_allowed(key)
-            for key, tmpl in injector.items():
+            if type_ == 'extra_vars':
-                try:
+                validate_extra_vars(None, injector)
-                    sandbox.ImmutableSandboxedEnvironment(undefined=StrictUndefined).from_string(tmpl).render(valid_namespace)
+            else:
-                except UndefinedError as e:
+                for key, tmpl in injector.items():
-                    raise django_exceptions.ValidationError(
+                    validate_template_string(type_, key, tmpl)
                        _('{sub_key} uses an undefined field ({error_msg})').format(sub_key=key, error_msg=e),
                        code='invalid',
                        params={'value': value},
                    )
                except SecurityError as e:
                    raise django_exceptions.ValidationError(_('Encountered unsafe code execution: {}').format(e))
                except TemplateSyntaxError as e:
                    raise django_exceptions.ValidationError(
                        _('Syntax error rendering template for {sub_key} inside of {type} ({error_msg})').format(sub_key=key, type=type_, error_msg=e),
                        code='invalid',
                        params={'value': value},
                    )
 class AskForField(models.BooleanField):
--- a/Show More
+++ b/Show More