Merge branch 'devel' into x-request-id

Add help message for expiration tokens (#15076 ) (#15077 )
Co-authored-by: Ирина Розет <irozet@astralinux.ru>
2026-02-05 11:34:43 -03:30 · 2024-04-24 15:04:13 -05:00 · 2024-04-24 19:58:09 +00:00 · 2024-04-24 14:48:02 -05:00 · 2024-04-24 15:47:03 -04:00 · 2024-04-24 15:44:31 -04:00
142 changed files with 3347 additions and 1253 deletions
--- a/.github/actions/run_awx_devel/action.yml
+++ b/.github/actions/run_awx_devel/action.yml
@@ -71,7 +71,7 @@ runs:
      id: data
      shell: bash
      run: |
-        AWX_IP=$(docker inspect -f '{{.NetworkSettings.Networks._sources_awx.IPAddress}}' tools_awx_1)
+        AWX_IP=$(docker inspect -f '{{.NetworkSettings.Networks.awx.IPAddress}}' tools_awx_1)
        ADMIN_TOKEN=$(docker exec -i tools_awx_1 awx-manage create_oauth2_token --user admin)
        echo "ip=$AWX_IP" >> $GITHUB_OUTPUT
        echo "admin_token=$ADMIN_TOKEN" >> $GITHUB_OUTPUT
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -66,6 +66,8 @@ jobs:
  awx-operator:
    runs-on: ubuntu-latest
    timeout-minutes: 60
+    env:
+      DEBUG_OUTPUT_DIR: /tmp/awx_operator_molecule_test
    steps:
      - name: Checkout awx
        uses: actions/checkout@v3
@@ -94,11 +96,11 @@ jobs:
      - name: Build AWX image
        working-directory: awx
        run: |
-          ansible-playbook -v tools/ansible/build.yml \
-            -e headless=yes \
-            -e awx_image=awx \
-            -e awx_image_tag=ci \
-            -e ansible_python_interpreter=$(which python3)
+          VERSION=`make version-for-buildyml` make awx-kube-build
+        env:
+          COMPOSE_TAG: ci
+          DEV_DOCKER_TAG_BASE: local
+          HEADLESS: yes

      - name: Run test deployment with awx-operator
        working-directory: awx-operator
@@ -109,8 +111,17 @@ jobs:
          make kustomize
          KUSTOMIZE_PATH=$(readlink -f bin/kustomize) molecule -v test -s kind -- --skip-tags=replicas
        env:
-          AWX_TEST_IMAGE: awx
+          AWX_TEST_IMAGE: local/awx
          AWX_TEST_VERSION: ci
+          AWX_EE_TEST_IMAGE: quay.io/ansible/awx-ee:latest
+          STORE_DEBUG_OUTPUT: true
+
+      - name: Upload debug output
+        if: failure()
+        uses: actions/upload-artifact@v3
+        with:
+          name: awx-operator-debug-output
+          path: ${{ env.DEBUG_OUTPUT_DIR }}

  collection-sanity:
    name: awx_collection sanity
--- a/.github/workflows/promote.yml
+++ b/.github/workflows/promote.yml
@@ -7,7 +7,11 @@ env:
 on:
  release:
    types: [published]
-
+  workflow_dispatch:
+    inputs:
+      tag_name:
+        description: 'Name for the tag of the release.'
+        required: true
 permissions:
  contents: read # to fetch code (actions/checkout)

@@ -17,6 +21,16 @@ jobs:
    runs-on: ubuntu-latest
    timeout-minutes: 90
    steps:
+      - name: Set GitHub Env vars for workflow_dispatch event
+        if: ${{ github.event_name == 'workflow_dispatch' }}
+        run: |
+          echo "TAG_NAME=${{ github.event.inputs.tag_name }}" >> $GITHUB_ENV
+
+      - name: Set GitHub Env vars if release event
+        if: ${{ github.event_name == 'release' }}
+        run: |
+          echo "TAG_NAME=${{ env.TAG_NAME }}" >> $GITHUB_ENV
+
      - name: Checkout awx
        uses: actions/checkout@v3

@@ -43,16 +57,18 @@ jobs:
      - name: Build collection and publish to galaxy
        env:
          COLLECTION_NAMESPACE: ${{ env.collection_namespace }}
-          COLLECTION_VERSION: ${{ github.event.release.tag_name }}
+          COLLECTION_VERSION: ${{ env.TAG_NAME }}
          COLLECTION_TEMPLATE_VERSION: true
        run: |
          make build_collection
-          if [ "$(curl -L --head -sw '%{http_code}' https://galaxy.ansible.com/download/${{ env.collection_namespace }}-awx-${{ github.event.release.tag_name }}.tar.gz | tail -1)" == "302" ] ; then \
-              echo "Galaxy release already done"; \
-          else \
+          curl_with_redirects=$(curl --head -sLw '%{http_code}' https://galaxy.ansible.com/download/${{ env.collection_namespace }}-awx-${{ env.TAG_NAME }}.tar.gz | tail -1)
+          curl_without_redirects=$(curl --head -sw '%{http_code}' https://galaxy.ansible.com/download/${{ env.collection_namespace }}-awx-${{ env.TAG_NAME }}.tar.gz | tail -1)
+          if [[ "$curl_with_redirects" == "302" ]] || [[ "$curl_without_redirects" == "302" ]]; then
+              echo "Galaxy release already done";
+          else
              ansible-galaxy collection publish \
                --token=${{ secrets.GALAXY_TOKEN }} \
-                awx_collection_build/${{ env.collection_namespace }}-awx-${{ github.event.release.tag_name }}.tar.gz; \
+                awx_collection_build/${{ env.collection_namespace }}-awx-${{ env.TAG_NAME }}.tar.gz;
          fi

      - name: Set official pypi info
@@ -64,6 +80,8 @@ jobs:
        if: ${{ github.repository_owner != 'ansible' }}

      - name: Build awxkit and upload to pypi
+        env:
+          SETUPTOOLS_SCM_PRETEND_VERSION: ${{ env.TAG_NAME }}
        run: |
          git reset --hard
          cd awxkit && python3 setup.py sdist bdist_wheel
@@ -84,14 +102,14 @@ jobs:
      - name: Re-tag and promote awx image
        run: |
          docker buildx imagetools create \
-            ghcr.io/${{ github.repository }}:${{ github.event.release.tag_name }} \
-            --tag quay.io/${{ github.repository }}:${{ github.event.release.tag_name }}
+            ghcr.io/${{ github.repository }}:${{ env.TAG_NAME }} \
+            --tag quay.io/${{ github.repository }}:${{ env.TAG_NAME }}
          docker buildx imagetools create \
-            ghcr.io/${{ github.repository }}:${{ github.event.release.tag_name }} \
+            ghcr.io/${{ github.repository }}:${{ env.TAG_NAME }} \
            --tag quay.io/${{ github.repository }}:latest

      - name: Re-tag and promote awx-ee image
        run: |
          docker buildx imagetools create \
-            ghcr.io/${{ github.repository_owner }}/awx-ee:${{ github.event.release.tag_name }} \
-            --tag quay.io/${{ github.repository_owner }}/awx-ee:${{ github.event.release.tag_name }}
+            ghcr.io/${{ github.repository_owner }}/awx-ee:${{ env.TAG_NAME }} \
+            --tag quay.io/${{ github.repository_owner }}/awx-ee:${{ env.TAG_NAME }}
--- a/.github/workflows/stage.yml
+++ b/.github/workflows/stage.yml
@@ -49,13 +49,11 @@ jobs:
        with:
          path: awx

-      - name: Get python version from Makefile
-        run: echo py_version=`make PYTHON_VERSION` >> $GITHUB_ENV
-
-      - name: Install python ${{ env.py_version }}
-        uses: actions/setup-python@v4
+      - name: Checkout awx-operator
+        uses: actions/checkout@v3
        with:
-          python-version: ${{ env.py_version }}
+          repository: ${{ github.repository_owner }}/awx-operator
+          path: awx-operator

      - name: Checkout awx-logos
        uses: actions/checkout@v3
@@ -63,57 +61,85 @@ jobs:
          repository: ansible/awx-logos
          path: awx-logos

-      - name: Checkout awx-operator
-        uses: actions/checkout@v3
+      - name: Get python version from Makefile
+        working-directory: awx
+        run: echo py_version=`make PYTHON_VERSION` >> $GITHUB_ENV
+
+      - name: Install python ${{ env.py_version }}
+        uses: actions/setup-python@v4
        with:
-          repository: ${{ github.repository_owner }}/awx-operator
-          path: awx-operator
+          python-version: ${{ env.py_version }}

      - name: Install playbook dependencies
        run: |
          python3 -m pip install docker

-      - name: Build and stage AWX
-        working-directory: awx
-        run: |
-          ansible-playbook -v tools/ansible/build.yml \
-            -e registry=ghcr.io \
-            -e registry_username=${{ github.actor }} \
-            -e registry_password=${{ secrets.GITHUB_TOKEN }} \
-            -e awx_image=${{ github.repository }} \
-            -e awx_version=${{ github.event.inputs.version }} \
-            -e ansible_python_interpreter=$(which python3) \
-            -e push=yes \
-            -e awx_official=yes
-
      - name: Log into registry ghcr.io
-        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d    # v3.0.0
+        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

-      - name: Log into registry quay.io
-        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d    # v3.0.0
+      - name: Copy logos for inclusion in sdist for official build
+        working-directory: awx
+        run: |
+          cp ../awx-logos/awx/ui/client/assets/* awx/ui/public/static/media/
+
+      - name: Setup node and npm
+        uses: actions/setup-node@v2
        with:
-          registry: quay.io
-          username: ${{ secrets.QUAY_USER }}
-          password: ${{ secrets.QUAY_TOKEN }}
+          node-version: '16.13.1'
+
+      - name: Prebuild UI for awx image (to speed up build process)
+        working-directory: awx
+        run: |
+          sudo apt-get install gettext
+          make ui-release
+          make ui-next
+
+      - name: Set build env variables
+        run: |
+          echo "DEV_DOCKER_TAG_BASE=ghcr.io/${OWNER,,}" >> $GITHUB_ENV
+          echo "COMPOSE_TAG=${{ github.event.inputs.version }}" >> $GITHUB_ENV
+          echo "VERSION=${{ github.event.inputs.version }}" >> $GITHUB_ENV
+          echo "AWX_TEST_VERSION=${{ github.event.inputs.version }}" >> $GITHUB_ENV
+          echo "AWX_TEST_IMAGE=ghcr.io/${OWNER,,}/awx" >> $GITHUB_ENV
+          echo "AWX_EE_TEST_IMAGE=ghcr.io/${OWNER,,}/awx-ee:${{ github.event.inputs.version }}" >> $GITHUB_ENV
+          echo "AWX_OPERATOR_TEST_IMAGE=ghcr.io/${OWNER,,}/awx-operator:${{ github.event.inputs.operator_version }}" >> $GITHUB_ENV
+        env:
+          OWNER: ${{ github.repository_owner }}
+
+      - name: Build and stage AWX
+        working-directory: awx
+        env:
+          DOCKER_BUILDX_PUSH: true
+          HEADLESS: false
+          PLATFORMS: linux/amd64,linux/arm64
+        run: |
+          make awx-kube-buildx

      - name: tag awx-ee:latest with version input
        run: |
          docker buildx imagetools create \
            quay.io/ansible/awx-ee:latest \
-            --tag ghcr.io/${{ github.repository_owner }}/awx-ee:${{ github.event.inputs.version }}
+            --tag ${AWX_EE_TEST_IMAGE}

      - name: Stage awx-operator image
        working-directory: awx-operator
        run: |
          BUILD_ARGS="--build-arg DEFAULT_AWX_VERSION=${{ github.event.inputs.version}} \
              --build-arg OPERATOR_VERSION=${{ github.event.inputs.operator_version }}" \
-          IMG=ghcr.io/${{ github.repository_owner }}/awx-operator:${{ github.event.inputs.operator_version }} \
+          IMG=${AWX_OPERATOR_TEST_IMAGE} \
          make docker-buildx

+      - name: Pulling images for test deployment with awx-operator
+        # awx operator molecue test expect to kind load image and buildx exports image to registry and not local
+        run: |
+          docker pull ${AWX_OPERATOR_TEST_IMAGE}
+          docker pull ${AWX_EE_TEST_IMAGE}
+          docker pull ${AWX_TEST_IMAGE}:${AWX_TEST_VERSION}
+
      - name: Run test deployment with awx-operator
        working-directory: awx-operator
        run: |
@@ -122,10 +148,6 @@ jobs:
          sudo rm -f $(which kustomize)
          make kustomize
          KUSTOMIZE_PATH=$(readlink -f bin/kustomize) molecule test -s kind
-        env:
-          AWX_TEST_IMAGE: ${{ github.repository }}
-          AWX_TEST_VERSION: ${{ github.event.inputs.version }}
-          AWX_EE_TEST_IMAGE: ghcr.io/${{ github.repository_owner }}/awx-ee:${{ github.event.inputs.version }}

      - name: Create draft release for AWX
        working-directory: awx
--- a/ISSUES.md
+++ b/ISSUES.md
@@ -80,7 +80,7 @@ If any of those items are missing your pull request will still get the `needs_tr
 Currently you can expect awxbot to add common labels such as `state:needs_triage`, `type:bug`, `component:docs`, etc...
 These labels are determined by the template data. Please use the template and fill it out as accurately as possible.

-The `state:needs_triage` label will will remain on your pull request until a person has looked at it.
+The `state:needs_triage` label will remain on your pull request until a person has looked at it.

 You can also expect the bot to CC maintainers of specific areas of the code, this will notify them that there is a pull request by placing a comment on the pull request.
 The comment will look something like `CC @matburt @wwitzel3 ...`.
--- a/4
+++ b/4
@@ -2,7 +2,7 @@

 PYTHON := $(notdir $(shell for i in python3.11 python3; do command -v $$i; done|sed 1q))
 SHELL := bash
-DOCKER_COMPOSE ?= docker-compose
+DOCKER_COMPOSE ?= docker compose
 OFFICIAL ?= no
 NODE ?= node
 NPM_BIN ?= npm
@@ -616,7 +616,7 @@ docker-clean:
 	-$(foreach image_id,$(shell docker images --filter=reference='*/*/*awx_devel*' --filter=reference='*/*awx_devel*' --filter=reference='*awx_devel*' -aq),docker rmi --force $(image_id);)

 docker-clean-volumes: docker-compose-clean docker-compose-container-group-clean
-	docker volume rm -f tools_var_lib_awx tools_awx_db tools_vault_1 tools_ldap_1 tools_grafana_storage tools_prometheus_storage $(docker volume ls --filter name=tools_redis_socket_ -q)
+	docker volume rm -f tools_var_lib_awx tools_awx_db tools_awx_db_15 tools_vault_1 tools_ldap_1 tools_grafana_storage tools_prometheus_storage $(shell docker volume ls --filter name=tools_redis_socket_ -q)

 docker-refresh: docker-clean docker-compose

--- a/awx/api/generics.py
+++ b/awx/api/generics.py
@@ -30,11 +30,15 @@ from rest_framework.permissions import IsAuthenticated
 from rest_framework.renderers import StaticHTMLRenderer
 from rest_framework.negotiation import DefaultContentNegotiation

+# django-ansible-base
 from ansible_base.rest_filters.rest_framework.field_lookup_backend import FieldLookupBackend
 from ansible_base.lib.utils.models import get_all_field_names
+from ansible_base.rbac.models import RoleEvaluation, RoleDefinition
+from ansible_base.rbac.permission_registry import permission_registry

 # AWX
 from awx.main.models import UnifiedJob, UnifiedJobTemplate, User, Role, Credential, WorkflowJobTemplateNode, WorkflowApprovalTemplate
+from awx.main.models.rbac import give_creator_permissions
 from awx.main.access import optimize_queryset
 from awx.main.utils import camelcase_to_underscore, get_search_fields, getattrd, get_object_or_400, decrypt_field, get_awx_version
 from awx.main.utils.licensing import server_product_name
@@ -91,7 +95,9 @@ class LoggedLoginView(auth_views.LoginView):
        ret = super(LoggedLoginView, self).post(request, *args, **kwargs)
        if request.user.is_authenticated:
            logger.info(smart_str(u"User {} logged in from {}".format(self.request.user.username, request.META.get('REMOTE_ADDR', None))))
-            ret.set_cookie('userLoggedIn', 'true', secure=getattr(settings, 'SESSION_COOKIE_SECURE', False))
+            ret.set_cookie(
+                'userLoggedIn', 'true', secure=getattr(settings, 'SESSION_COOKIE_SECURE', False), samesite=getattr(settings, 'USER_COOKIE_SAMESITE', 'Lax')
+            )
            ret.setdefault('X-API-Session-Cookie-Name', getattr(settings, 'SESSION_COOKIE_NAME', 'awx_sessionid'))

            return ret
@@ -472,7 +478,11 @@ class ListAPIView(generics.ListAPIView, GenericAPIView):

 class ListCreateAPIView(ListAPIView, generics.ListCreateAPIView):
    # Base class for a list view that allows creating new objects.
-    pass
+    def perform_create(self, serializer):
+        super().perform_create(serializer)
+        if serializer.Meta.model in permission_registry.all_registered_models:
+            if self.request and self.request.user:
+                give_creator_permissions(self.request.user, serializer.instance)


 class ParentMixin(object):
@@ -792,6 +802,7 @@ class RetrieveUpdateDestroyAPIView(RetrieveUpdateAPIView, DestroyAPIView):


 class ResourceAccessList(ParentMixin, ListAPIView):
+    deprecated = True
    serializer_class = ResourceAccessListElementSerializer
    ordering = ('username',)

@@ -799,6 +810,15 @@ class ResourceAccessList(ParentMixin, ListAPIView):
        obj = self.get_parent_object()

        content_type = ContentType.objects.get_for_model(obj)
+
+        if settings.ANSIBLE_BASE_ROLE_SYSTEM_ACTIVATED:
+            ancestors = set(RoleEvaluation.objects.filter(content_type_id=content_type.id, object_id=obj.id).values_list('role_id', flat=True))
+            qs = User.objects.filter(has_roles__in=ancestors) | User.objects.filter(is_superuser=True)
+            auditor_role = RoleDefinition.objects.filter(name="System Auditor").first()
+            if auditor_role:
+                qs |= User.objects.filter(role_assignments__role_definition=auditor_role)
+            return qs.distinct()
+
        roles = set(Role.objects.filter(content_type=content_type, object_id=obj.id))

        ancestors = set()
@@ -958,7 +978,7 @@ class CopyAPIView(GenericAPIView):
            None, None, self.model, obj, request.user, create_kwargs=create_kwargs, copy_name=serializer.validated_data.get('name', '')
        )
        if hasattr(new_obj, 'admin_role') and request.user not in new_obj.admin_role.members.all():
-            new_obj.admin_role.members.add(request.user)
+            give_creator_permissions(request.user, new_obj)
        if sub_objs:
            permission_check_func = None
            if hasattr(type(self), 'deep_copy_permission_check_func'):
--- a/awx/api/serializers.py
+++ b/awx/api/serializers.py
@@ -43,11 +43,14 @@ from rest_framework.utils.serializer_helpers import ReturnList
 # Django-Polymorphic
 from polymorphic.models import PolymorphicModel

+# django-ansible-base
 from ansible_base.lib.utils.models import get_type_for_model
+from ansible_base.rbac.models import RoleEvaluation, ObjectRole
+from ansible_base.rbac import permission_registry

 # AWX
 from awx.main.access import get_user_capabilities
-from awx.main.constants import ACTIVE_STATES, CENSOR_VALUE
+from awx.main.constants import ACTIVE_STATES, CENSOR_VALUE, org_role_to_permission
 from awx.main.models import (
    ActivityStream,
    AdHocCommand,
@@ -102,7 +105,7 @@ from awx.main.models import (
    CLOUD_INVENTORY_SOURCES,
 )
 from awx.main.models.base import VERBOSITY_CHOICES, NEW_JOB_TYPE_CHOICES
-from awx.main.models.rbac import role_summary_fields_generator, RoleAncestorEntry
+from awx.main.models.rbac import role_summary_fields_generator, give_creator_permissions, get_role_codenames, to_permissions, get_role_from_object_role
 from awx.main.fields import ImplicitRoleField
 from awx.main.utils import (
    get_model_for_type,
@@ -191,6 +194,7 @@ SUMMARIZABLE_FK_FIELDS = {
    'webhook_credential': DEFAULT_SUMMARY_FIELDS + ('kind', 'cloud', 'credential_type_id'),
    'approved_or_denied_by': ('id', 'username', 'first_name', 'last_name'),
    'credential_type': DEFAULT_SUMMARY_FIELDS,
+    'resource': ('ansible_id', 'resource_type'),
 }


@@ -2762,13 +2766,26 @@ class ResourceAccessListElementSerializer(UserSerializer):
        team_content_type = ContentType.objects.get_for_model(Team)
        content_type = ContentType.objects.get_for_model(obj)

-        def get_roles_on_resource(parent_role):
-            "Returns a string list of the roles a parent_role has for current obj."
-            return list(
-                RoleAncestorEntry.objects.filter(ancestor=parent_role, content_type_id=content_type.id, object_id=obj.id)
-                .values_list('role_field', flat=True)
-                .distinct()
-            )
+        reversed_org_map = {}
+        for k, v in org_role_to_permission.items():
+            reversed_org_map[v] = k
+        reversed_role_map = {}
+        for k, v in to_permissions.items():
+            reversed_role_map[v] = k
+
+        def get_roles_from_perms(perm_list):
+            """given a list of permission codenames return a list of role names"""
+            role_names = set()
+            for codename in perm_list:
+                action = codename.split('_', 1)[0]
+                if action in reversed_role_map:
+                    role_names.add(reversed_role_map[action])
+                elif codename in reversed_org_map:
+                    if isinstance(obj, Organization):
+                        role_names.add(reversed_org_map[codename])
+                        if 'view_organization' not in role_names:
+                            role_names.add('read_role')
+            return list(role_names)

        def format_role_perm(role):
            role_dict = {'id': role.id, 'name': role.name, 'description': role.description}
@@ -2785,13 +2802,21 @@ class ResourceAccessListElementSerializer(UserSerializer):
            else:
                # Singleton roles should not be managed from this view, as per copy/edit rework spec
                role_dict['user_capabilities'] = {'unattach': False}
-            return {'role': role_dict, 'descendant_roles': get_roles_on_resource(role)}
+
+            model_name = content_type.model
+            if isinstance(obj, Organization):
+                descendant_perms = [codename for codename in get_role_codenames(role) if codename.endswith(model_name) or codename.startswith('add_')]
+            else:
+                descendant_perms = [codename for codename in get_role_codenames(role) if codename.endswith(model_name)]
+
+            return {'role': role_dict, 'descendant_roles': get_roles_from_perms(descendant_perms)}

        def format_team_role_perm(naive_team_role, permissive_role_ids):
            ret = []
+            team = naive_team_role.content_object
            team_role = naive_team_role
            if naive_team_role.role_field == 'admin_role':
-                team_role = naive_team_role.content_object.member_role
+                team_role = team.member_role
            for role in team_role.children.filter(id__in=permissive_role_ids).all():
                role_dict = {
                    'id': role.id,
@@ -2811,10 +2836,87 @@ class ResourceAccessListElementSerializer(UserSerializer):
                else:
                    # Singleton roles should not be managed from this view, as per copy/edit rework spec
                    role_dict['user_capabilities'] = {'unattach': False}
-                ret.append({'role': role_dict, 'descendant_roles': get_roles_on_resource(team_role)})
+
+                descendant_perms = list(
+                    RoleEvaluation.objects.filter(role__in=team.has_roles.all(), object_id=obj.id, content_type_id=content_type.id)
+                    .values_list('codename', flat=True)
+                    .distinct()
+                )
+
+                ret.append({'role': role_dict, 'descendant_roles': get_roles_from_perms(descendant_perms)})
+            return ret
+
+        gfk_kwargs = dict(content_type_id=content_type.id, object_id=obj.id)
+        direct_permissive_role_ids = Role.objects.filter(**gfk_kwargs).values_list('id', flat=True)
+
+        if settings.ANSIBLE_BASE_ROLE_SYSTEM_ACTIVATED:
+            ret['summary_fields']['direct_access'] = []
+            ret['summary_fields']['indirect_access'] = []
+
+            new_roles_seen = set()
+            all_team_roles = set()
+            all_permissive_role_ids = set()
+            for evaluation in RoleEvaluation.objects.filter(role__in=user.has_roles.all(), **gfk_kwargs).prefetch_related('role'):
+                new_role = evaluation.role
+                if new_role.id in new_roles_seen:
+                    continue
+                new_roles_seen.add(new_role.id)
+                old_role = get_role_from_object_role(new_role)
+                all_permissive_role_ids.add(old_role.id)
+
+                if int(new_role.object_id) == obj.id and new_role.content_type_id == content_type.id:
+                    ret['summary_fields']['direct_access'].append(format_role_perm(old_role))
+                elif new_role.content_type_id == team_content_type.id:
+                    all_team_roles.add(old_role)
+                else:
+                    ret['summary_fields']['indirect_access'].append(format_role_perm(old_role))
+
+            # Lazy role creation gives us a big problem, where some intermediate roles are not easy to find
+            # like when a team has indirect permission, so here we get all roles the users teams have
+            # these contribute to all potential permission-granting roles of the object
+            user_teams_qs = permission_registry.team_model.objects.filter(member_roles__in=ObjectRole.objects.filter(users=user))
+            team_obj_roles = ObjectRole.objects.filter(teams__in=user_teams_qs)
+            for evaluation in RoleEvaluation.objects.filter(role__in=team_obj_roles, **gfk_kwargs).prefetch_related('role'):
+                new_role = evaluation.role
+                if new_role.id in new_roles_seen:
+                    continue
+                new_roles_seen.add(new_role.id)
+                old_role = get_role_from_object_role(new_role)
+                all_permissive_role_ids.add(old_role.id)
+
+            # In DAB RBAC, superuser is strictly a user flag, and global roles are not in the RoleEvaluation table
+            if user.is_superuser:
+                ret['summary_fields'].setdefault('indirect_access', [])
+                all_role_names = [field.name for field in obj._meta.get_fields() if isinstance(field, ImplicitRoleField)]
+                ret['summary_fields']['indirect_access'].append(
+                    {
+                        "role": {
+                            "id": None,
+                            "name": _("System Administrator"),
+                            "description": _("Can manage all aspects of the system"),
+                            "user_capabilities": {"unattach": False},
+                        },
+                        "descendant_roles": all_role_names,
+                    }
+                )
+            elif user.is_system_auditor:
+                ret['summary_fields'].setdefault('indirect_access', [])
+                ret['summary_fields']['indirect_access'].append(
+                    {
+                        "role": {
+                            "id": None,
+                            "name": _("System Auditor"),
+                            "description": _("Can view all aspects of the system"),
+                            "user_capabilities": {"unattach": False},
+                        },
+                        "descendant_roles": ["read_role"],
+                    }
+                )
+
+            ret['summary_fields']['direct_access'].extend([y for x in (format_team_role_perm(r, all_permissive_role_ids) for r in all_team_roles) for y in x])
+
            return ret

-        direct_permissive_role_ids = Role.objects.filter(content_type=content_type, object_id=obj.id).values_list('id', flat=True)
        all_permissive_role_ids = Role.objects.filter(content_type=content_type, object_id=obj.id).values_list('ancestors__id', flat=True)

        direct_access_roles = user.roles.filter(id__in=direct_permissive_role_ids).all()
@@ -3083,7 +3185,7 @@ class CredentialSerializerCreate(CredentialSerializer):
        credential = super(CredentialSerializerCreate, self).create(validated_data)

        if user:
-            credential.admin_role.members.add(user)
+            give_creator_permissions(user, credential)
        if team:
            if not credential.organization or team.organization.id != credential.organization.id:
                raise serializers.ValidationError({"detail": _("Credential organization must be set and match before assigning to a team")})
--- a/awx/api/versioning.py
+++ b/awx/api/versioning.py
@@ -2,32 +2,21 @@
 # All Rights Reserved.

 from django.conf import settings
-from django.urls import NoReverseMatch

-from rest_framework.reverse import _reverse
+from rest_framework.reverse import reverse as drf_reverse
 from rest_framework.versioning import URLPathVersioning as BaseVersioning


-def drf_reverse(viewname, args=None, kwargs=None, request=None, format=None, **extra):
-    """
-    Copy and monkey-patch `rest_framework.reverse.reverse` to prevent adding unwarranted
-    query string parameters.
-    """
-    scheme = getattr(request, 'versioning_scheme', None)
-    if scheme is not None:
-        try:
-            url = scheme.reverse(viewname, args, kwargs, request, format, **extra)
-        except NoReverseMatch:
-            # In case the versioning scheme reversal fails, fallback to the
-            # default implementation
-            url = _reverse(viewname, args, kwargs, request, format, **extra)
-    else:
-        url = _reverse(viewname, args, kwargs, request, format, **extra)
-
+def is_optional_api_urlpattern_prefix_request(request):
    if settings.OPTIONAL_API_URLPATTERN_PREFIX and request:
        if request.path.startswith(f"/api/{settings.OPTIONAL_API_URLPATTERN_PREFIX}"):
-            url = url.replace('/api', f"/api/{settings.OPTIONAL_API_URLPATTERN_PREFIX}")
+            return True
+    return False

+
+def transform_optional_api_urlpattern_prefix_url(request, url):
+    if is_optional_api_urlpattern_prefix_request(request):
+        url = url.replace('/api', f"/api/{settings.OPTIONAL_API_URLPATTERN_PREFIX}")
    return url


--- a/awx/api/views/init.py
+++ b/awx/api/views/init.py
@@ -60,6 +60,9 @@ from oauth2_provider.models import get_access_token_model
 import pytz
 from wsgiref.util import FileWrapper

+# django-ansible-base
+from ansible_base.rbac.models import RoleEvaluation, ObjectRole
+
 # AWX
 from awx.main.tasks.system import send_notifications, update_inventory_computed_fields
 from awx.main.access import get_user_queryset
@@ -87,6 +90,7 @@ from awx.api.generics import (
 from awx.api.views.labels import LabelSubListCreateAttachDetachView
 from awx.api.versioning import reverse
 from awx.main import models
+from awx.main.models.rbac import get_role_definition
 from awx.main.utils import (
    camelcase_to_underscore,
    extract_ansible_vars,
@@ -536,6 +540,7 @@ class InstanceGroupAccessList(ResourceAccessList):


 class InstanceGroupObjectRolesList(SubListAPIView):
+    deprecated = True
    model = models.Role
    serializer_class = serializers.RoleSerializer
    parent_model = models.InstanceGroup
@@ -724,6 +729,7 @@ class TeamUsersList(BaseUsersList):


 class TeamRolesList(SubListAttachDetachAPIView):
+    deprecated = True
    model = models.Role
    serializer_class = serializers.RoleSerializerWithParentAccess
    metadata_class = RoleMetadata
@@ -763,10 +769,12 @@ class TeamRolesList(SubListAttachDetachAPIView):


 class TeamObjectRolesList(SubListAPIView):
+    deprecated = True
    model = models.Role
    serializer_class = serializers.RoleSerializer
    parent_model = models.Team
    search_fields = ('role_field', 'content_type__model')
+    deprecated = True

    def get_queryset(self):
        po = self.get_parent_object()
@@ -784,8 +792,15 @@ class TeamProjectsList(SubListAPIView):
        self.check_parent_access(team)
        model_ct = ContentType.objects.get_for_model(self.model)
        parent_ct = ContentType.objects.get_for_model(self.parent_model)
-        proj_roles = models.Role.objects.filter(Q(ancestors__content_type=parent_ct) & Q(ancestors__object_id=team.pk), content_type=model_ct)
-        return self.model.accessible_objects(self.request.user, 'read_role').filter(pk__in=[t.content_object.pk for t in proj_roles])
+
+        rd = get_role_definition(team.member_role)
+        role = ObjectRole.objects.filter(object_id=team.id, content_type=parent_ct, role_definition=rd).first()
+        if role is None:
+            # Team has no permissions, therefore team has no projects
+            return self.model.objects.none()
+        else:
+            project_qs = self.model.accessible_objects(self.request.user, 'read_role')
+            return project_qs.filter(id__in=RoleEvaluation.objects.filter(content_type_id=model_ct.id, role=role).values_list('object_id'))


 class TeamActivityStreamList(SubListAPIView):
@@ -800,10 +815,23 @@ class TeamActivityStreamList(SubListAPIView):
        self.check_parent_access(parent)

        qs = self.request.user.get_queryset(self.model)
+
        return qs.filter(
            Q(team=parent)
-            | Q(project__in=models.Project.accessible_objects(parent.member_role, 'read_role'))
-            | Q(credential__in=models.Credential.accessible_objects(parent.member_role, 'read_role'))
+            | Q(
+                project__in=RoleEvaluation.objects.filter(
+                    role__in=parent.has_roles.all(), content_type_id=ContentType.objects.get_for_model(models.Project).id, codename='view_project'
+                )
+                .values_list('object_id')
+                .distinct()
+            )
+            | Q(
+                credential__in=RoleEvaluation.objects.filter(
+                    role__in=parent.has_roles.all(), content_type_id=ContentType.objects.get_for_model(models.Credential).id, codename='view_credential'
+                )
+                .values_list('object_id')
+                .distinct()
+            )
        )


@@ -1055,10 +1083,12 @@ class ProjectAccessList(ResourceAccessList):


 class ProjectObjectRolesList(SubListAPIView):
+    deprecated = True
    model = models.Role
    serializer_class = serializers.RoleSerializer
    parent_model = models.Project
    search_fields = ('role_field', 'content_type__model')
+    deprecated = True

    def get_queryset(self):
        po = self.get_parent_object()
@@ -1216,6 +1246,7 @@ class UserTeamsList(SubListAPIView):


 class UserRolesList(SubListAttachDetachAPIView):
+    deprecated = True
    model = models.Role
    serializer_class = serializers.RoleSerializerWithParentAccess
    metadata_class = RoleMetadata
@@ -1490,10 +1521,12 @@ class CredentialAccessList(ResourceAccessList):


 class CredentialObjectRolesList(SubListAPIView):
+    deprecated = True
    model = models.Role
    serializer_class = serializers.RoleSerializer
    parent_model = models.Credential
    search_fields = ('role_field', 'content_type__model')
+    deprecated = True

    def get_queryset(self):
        po = self.get_parent_object()
@@ -2280,13 +2313,6 @@ class JobTemplateList(ListCreateAPIView):
    serializer_class = serializers.JobTemplateSerializer
    always_allow_superuser = False

-    def post(self, request, *args, **kwargs):
-        ret = super(JobTemplateList, self).post(request, *args, **kwargs)
-        if ret.status_code == 201:
-            job_template = models.JobTemplate.objects.get(id=ret.data['id'])
-            job_template.admin_role.members.add(request.user)
-        return ret
-

 class JobTemplateDetail(RelatedJobsPreventDeleteMixin, RetrieveUpdateDestroyAPIView):
    model = models.JobTemplate
@@ -2832,10 +2858,12 @@ class JobTemplateAccessList(ResourceAccessList):


 class JobTemplateObjectRolesList(SubListAPIView):
+    deprecated = True
    model = models.Role
    serializer_class = serializers.RoleSerializer
    parent_model = models.JobTemplate
    search_fields = ('role_field', 'content_type__model')
+    deprecated = True

    def get_queryset(self):
        po = self.get_parent_object()
@@ -3218,10 +3246,12 @@ class WorkflowJobTemplateAccessList(ResourceAccessList):


 class WorkflowJobTemplateObjectRolesList(SubListAPIView):
+    deprecated = True
    model = models.Role
    serializer_class = serializers.RoleSerializer
    parent_model = models.WorkflowJobTemplate
    search_fields = ('role_field', 'content_type__model')
+    deprecated = True

    def get_queryset(self):
        po = self.get_parent_object()
@@ -4230,6 +4260,7 @@ class ActivityStreamDetail(RetrieveAPIView):


 class RoleList(ListAPIView):
+    deprecated = True
    model = models.Role
    serializer_class = serializers.RoleSerializer
    permission_classes = (IsAuthenticated,)
@@ -4237,11 +4268,13 @@ class RoleList(ListAPIView):


 class RoleDetail(RetrieveAPIView):
+    deprecated = True
    model = models.Role
    serializer_class = serializers.RoleSerializer


 class RoleUsersList(SubListAttachDetachAPIView):
+    deprecated = True
    model = models.User
    serializer_class = serializers.UserSerializer
    parent_model = models.Role
@@ -4276,6 +4309,7 @@ class RoleUsersList(SubListAttachDetachAPIView):


 class RoleTeamsList(SubListAttachDetachAPIView):
+    deprecated = True
    model = models.Team
    serializer_class = serializers.TeamSerializer
    parent_model = models.Role
@@ -4320,10 +4354,12 @@ class RoleTeamsList(SubListAttachDetachAPIView):
            team.member_role.children.remove(role)
        else:
            team.member_role.children.add(role)
+
        return Response(status=status.HTTP_204_NO_CONTENT)


 class RoleParentsList(SubListAPIView):
+    deprecated = True
    model = models.Role
    serializer_class = serializers.RoleSerializer
    parent_model = models.Role
@@ -4337,6 +4373,7 @@ class RoleParentsList(SubListAPIView):


 class RoleChildrenList(SubListAPIView):
+    deprecated = True
    model = models.Role
    serializer_class = serializers.RoleSerializer
    parent_model = models.Role
--- a/awx/api/views/analytics.py
+++ b/awx/api/views/analytics.py
@@ -48,23 +48,23 @@ class AnalyticsRootView(APIView):

    def get(self, request, format=None):
        data = OrderedDict()
-        data['authorized'] = reverse('api:analytics_authorized')
-        data['reports'] = reverse('api:analytics_reports_list')
-        data['report_options'] = reverse('api:analytics_report_options_list')
-        data['adoption_rate'] = reverse('api:analytics_adoption_rate')
-        data['adoption_rate_options'] = reverse('api:analytics_adoption_rate_options')
-        data['event_explorer'] = reverse('api:analytics_event_explorer')
-        data['event_explorer_options'] = reverse('api:analytics_event_explorer_options')
-        data['host_explorer'] = reverse('api:analytics_host_explorer')
-        data['host_explorer_options'] = reverse('api:analytics_host_explorer_options')
-        data['job_explorer'] = reverse('api:analytics_job_explorer')
-        data['job_explorer_options'] = reverse('api:analytics_job_explorer_options')
-        data['probe_templates'] = reverse('api:analytics_probe_templates_explorer')
-        data['probe_templates_options'] = reverse('api:analytics_probe_templates_options')
-        data['probe_template_for_hosts'] = reverse('api:analytics_probe_template_for_hosts_explorer')
-        data['probe_template_for_hosts_options'] = reverse('api:analytics_probe_template_for_hosts_options')
-        data['roi_templates'] = reverse('api:analytics_roi_templates_explorer')
-        data['roi_templates_options'] = reverse('api:analytics_roi_templates_options')
+        data['authorized'] = reverse('api:analytics_authorized', request=request)
+        data['reports'] = reverse('api:analytics_reports_list', request=request)
+        data['report_options'] = reverse('api:analytics_report_options_list', request=request)
+        data['adoption_rate'] = reverse('api:analytics_adoption_rate', request=request)
+        data['adoption_rate_options'] = reverse('api:analytics_adoption_rate_options', request=request)
+        data['event_explorer'] = reverse('api:analytics_event_explorer', request=request)
+        data['event_explorer_options'] = reverse('api:analytics_event_explorer_options', request=request)
+        data['host_explorer'] = reverse('api:analytics_host_explorer', request=request)
+        data['host_explorer_options'] = reverse('api:analytics_host_explorer_options', request=request)
+        data['job_explorer'] = reverse('api:analytics_job_explorer', request=request)
+        data['job_explorer_options'] = reverse('api:analytics_job_explorer_options', request=request)
+        data['probe_templates'] = reverse('api:analytics_probe_templates_explorer', request=request)
+        data['probe_templates_options'] = reverse('api:analytics_probe_templates_options', request=request)
+        data['probe_template_for_hosts'] = reverse('api:analytics_probe_template_for_hosts_explorer', request=request)
+        data['probe_template_for_hosts_options'] = reverse('api:analytics_probe_template_for_hosts_options', request=request)
+        data['roi_templates'] = reverse('api:analytics_roi_templates_explorer', request=request)
+        data['roi_templates_options'] = reverse('api:analytics_roi_templates_options', request=request)
        return Response(data)


--- a/awx/api/views/inventory.py
+++ b/awx/api/views/inventory.py
@@ -152,6 +152,7 @@ class InventoryObjectRolesList(SubListAPIView):
    serializer_class = RoleSerializer
    parent_model = Inventory
    search_fields = ('role_field', 'content_type__model')
+    deprecated = True

    def get_queryset(self):
        po = self.get_parent_object()
--- a/awx/api/views/organization.py
+++ b/awx/api/views/organization.py
@@ -226,6 +226,7 @@ class OrganizationObjectRolesList(SubListAPIView):
    serializer_class = RoleSerializer
    parent_model = Organization
    search_fields = ('role_field', 'content_type__model')
+    deprecated = True

    def get_queryset(self):
        po = self.get_parent_object()
--- a/awx/api/views/root.py
+++ b/awx/api/views/root.py
@@ -13,6 +13,7 @@ from django.utils.decorators import method_decorator
 from django.views.decorators.csrf import ensure_csrf_cookie
 from django.template.loader import render_to_string
 from django.utils.translation import gettext_lazy as _
+from django.urls import reverse as django_reverse

 from rest_framework.permissions import AllowAny, IsAuthenticated
 from rest_framework.response import Response
@@ -27,7 +28,7 @@ from awx.main.analytics import all_collectors
 from awx.main.ha import is_ha_environment
 from awx.main.utils import get_awx_version, get_custom_venv_choices
 from awx.main.utils.licensing import validate_entitlement_manifest
-from awx.api.versioning import reverse, drf_reverse
+from awx.api.versioning import URLPathVersioning, is_optional_api_urlpattern_prefix_request, reverse, drf_reverse
 from awx.main.constants import PRIVILEGE_ESCALATION_METHODS
 from awx.main.models import Project, Organization, Instance, InstanceGroup, JobTemplate
 from awx.main.utils import set_environ
@@ -39,19 +40,19 @@ logger = logging.getLogger('awx.api.views.root')
 class ApiRootView(APIView):
    permission_classes = (AllowAny,)
    name = _('REST API')
-    versioning_class = None
+    versioning_class = URLPathVersioning
    swagger_topic = 'Versioning'

    @method_decorator(ensure_csrf_cookie)
    def get(self, request, format=None):
        '''List supported API versions'''
-
-        v2 = reverse('api:api_v2_root_view', kwargs={'version': 'v2'})
+        v2 = reverse('api:api_v2_root_view', request=request, kwargs={'version': 'v2'})
        data = OrderedDict()
        data['description'] = _('AWX REST API')
        data['current_version'] = v2
        data['available_versions'] = dict(v2=v2)
-        data['oauth2'] = drf_reverse('api:oauth_authorization_root_view')
+        if not is_optional_api_urlpattern_prefix_request(request):
+            data['oauth2'] = drf_reverse('api:oauth_authorization_root_view')
        data['custom_logo'] = settings.CUSTOM_LOGO
        data['custom_login_info'] = settings.CUSTOM_LOGIN_INFO
        data['login_redirect_override'] = settings.LOGIN_REDIRECT_OVERRIDE
@@ -130,6 +131,10 @@ class ApiVersionRootView(APIView):
        data['mesh_visualizer'] = reverse('api:mesh_visualizer_view', request=request)
        data['bulk'] = reverse('api:bulk', request=request)
        data['analytics'] = reverse('api:analytics_root_view', request=request)
+        data['service_index'] = django_reverse('service-index-root')
+        data['role_definitions'] = django_reverse('roledefinition-list')
+        data['role_user_assignments'] = django_reverse('roleuserassignment-list')
+        data['role_team_assignments'] = django_reverse('roleteamassignment-list')
        return Response(data)


--- a/awx/main/access.py
+++ b/awx/main/access.py
@@ -20,7 +20,10 @@ from rest_framework.exceptions import ParseError, PermissionDenied
 # Django OAuth Toolkit
 from awx.main.models.oauth import OAuth2Application, OAuth2AccessToken

+# django-ansible-base
 from ansible_base.lib.utils.validation import to_python_boolean
+from ansible_base.rbac.models import RoleEvaluation
+from ansible_base.rbac import permission_registry

 # AWX
 from awx.main.utils import (
@@ -72,8 +75,6 @@ from awx.main.models import (
    WorkflowJobTemplateNode,
    WorkflowApproval,
    WorkflowApprovalTemplate,
-    ROLE_SINGLETON_SYSTEM_ADMINISTRATOR,
-    ROLE_SINGLETON_SYSTEM_AUDITOR,
 )
 from awx.main.models.mixins import ResourceMixin

@@ -264,7 +265,11 @@ class BaseAccess(object):
        return self.can_change(obj, data)

    def can_delete(self, obj):
-        return self.user.is_superuser
+        if self.user.is_superuser:
+            return True
+        if obj._meta.model_name in [cls._meta.model_name for cls in permission_registry.all_registered_models]:
+            return self.user.has_obj_perm(obj, 'delete')
+        return False

    def can_copy(self, obj):
        return self.can_add({'reference_obj': obj})
@@ -639,7 +644,10 @@ class UserAccess(BaseAccess):
    """

    model = User
-    prefetch_related = ('profile',)
+    prefetch_related = (
+        'profile',
+        'resource',
+    )

    def filtered_queryset(self):
        if settings.ORG_ADMINS_CAN_SEE_ALL_USERS and (self.user.admin_of_organizations.exists() or self.user.auditor_of_organizations.exists()):
@@ -648,9 +656,7 @@ class UserAccess(BaseAccess):
            qs = (
                User.objects.filter(pk__in=Organization.accessible_objects(self.user, 'read_role').values('member_role__members'))
                | User.objects.filter(pk=self.user.id)
-                | User.objects.filter(
-                    pk__in=Role.objects.filter(singleton_name__in=[ROLE_SINGLETON_SYSTEM_ADMINISTRATOR, ROLE_SINGLETON_SYSTEM_AUDITOR]).values('members')
-                )
+                | User.objects.filter(is_superuser=True)
            ).distinct()
        return qs

@@ -708,6 +714,15 @@ class UserAccess(BaseAccess):
            if not allow_orphans:
                # in these cases only superusers can modify orphan users
                return False
+            if settings.ANSIBLE_BASE_ROLE_SYSTEM_ACTIVATED:
+                # Permission granted if the user has all permissions that the target user has
+                target_perms = set(
+                    RoleEvaluation.objects.filter(role__in=obj.has_roles.all()).values_list('object_id', 'content_type_id', 'codename').distinct()
+                )
+                user_perms = set(
+                    RoleEvaluation.objects.filter(role__in=self.user.has_roles.all()).values_list('object_id', 'content_type_id', 'codename').distinct()
+                )
+                return not (target_perms - user_perms)
            return not obj.roles.all().exclude(ancestors__in=self.user.roles.all()).exists()
        else:
            return self.is_all_org_admin(obj)
@@ -835,6 +850,7 @@ class OrganizationAccess(NotificationAttachMixin, BaseAccess):
    prefetch_related = (
        'created_by',
        'modified_by',
+        'resource',  # dab_resource_registry
    )
    # organization admin_role is not a parent of organization auditor_role
    notification_attach_roles = ['admin_role', 'auditor_role']
@@ -945,9 +961,6 @@ class InventoryAccess(BaseAccess):
    def can_update(self, obj):
        return self.user in obj.update_role

-    def can_delete(self, obj):
-        return self.can_admin(obj, None)
-
    def can_run_ad_hoc_commands(self, obj):
        return self.user in obj.adhoc_role

@@ -1303,6 +1316,7 @@ class TeamAccess(BaseAccess):
        'created_by',
        'modified_by',
        'organization',
+        'resource',  # dab_resource_registry
    )

    def filtered_queryset(self):
@@ -1400,8 +1414,12 @@ class ExecutionEnvironmentAccess(BaseAccess):
    def can_change(self, obj, data):
        if obj and obj.organization_id is None:
            raise PermissionDenied
-        if self.user not in obj.organization.execution_environment_admin_role:
-            raise PermissionDenied
+        if settings.ANSIBLE_BASE_ROLE_SYSTEM_ACTIVATED:
+            if not self.user.has_obj_perm(obj, 'change'):
+                raise PermissionDenied
+        else:
+            if self.user not in obj.organization.execution_environment_admin_role:
+                raise PermissionDenied
        if data and 'organization' in data:
            new_org = get_object_from_data('organization', Organization, data, obj=obj)
            if not new_org or self.user not in new_org.execution_environment_admin_role:
@@ -2587,6 +2605,8 @@ class ScheduleAccess(UnifiedCredentialsMixin, BaseAccess):
        if not JobLaunchConfigAccess(self.user).can_add(data):
            return False
        if not data:
+            if settings.ANSIBLE_BASE_ROLE_SYSTEM_ACTIVATED:
+                return self.user.has_roles.filter(permission_partials__codename__in=['execute_jobtemplate', 'update_project', 'update_inventory']).exists()
            return Role.objects.filter(role_field__in=['update_role', 'execute_role'], ancestors__in=self.user.roles.all()).exists()

        return self.check_related('unified_job_template', UnifiedJobTemplate, data, role_field='execute_role', mandatory=True)
@@ -2615,6 +2635,8 @@ class NotificationTemplateAccess(BaseAccess):
    prefetch_related = ('created_by', 'modified_by', 'organization')

    def filtered_queryset(self):
+        if settings.ANSIBLE_BASE_ROLE_SYSTEM_ACTIVATED:
+            return self.model.access_qs(self.user, 'view')
        return self.model.objects.filter(
            Q(organization__in=Organization.accessible_objects(self.user, 'notification_admin_role')) | Q(organization__in=self.user.auditor_of_organizations)
        ).distinct()
@@ -2783,7 +2805,7 @@ class ActivityStreamAccess(BaseAccess):
                | Q(notification_template__organization__in=auditing_orgs)
                | Q(notification__notification_template__organization__in=auditing_orgs)
                | Q(label__organization__in=auditing_orgs)
-                | Q(role__in=Role.objects.filter(ancestors__in=self.user.roles.all()) if auditing_orgs else [])
+                | Q(role__in=Role.visible_roles(self.user) if auditing_orgs else [])
            )

        project_set = Project.accessible_pk_qs(self.user, 'read_role')
@@ -2840,13 +2862,10 @@ class RoleAccess(BaseAccess):

    def filtered_queryset(self):
        result = Role.visible_roles(self.user)
-        # Sanity check: is the requesting user an orphaned non-admin/auditor?
-        # if yes, make system admin/auditor mandatorily visible.
-        if not self.user.is_superuser and not self.user.is_system_auditor and not self.user.organizations.exists():
-            mandatories = ('system_administrator', 'system_auditor')
-            super_qs = Role.objects.filter(singleton_name__in=mandatories)
-            result = result | super_qs
-        return result
+        # Make system admin/auditor mandatorily visible.
+        mandatories = ('system_administrator', 'system_auditor')
+        super_qs = Role.objects.filter(singleton_name__in=mandatories)
+        return result | super_qs

    def can_add(self, obj, data):
        # Unsupported for now
--- a/awx/main/apps.py
+++ b/awx/main/apps.py
@@ -1,7 +1,40 @@
 from django.apps import AppConfig
 from django.utils.translation import gettext_lazy as _
+from awx.main.utils.named_url_graph import _customize_graph, generate_graph
+from awx.conf import register, fields


 class MainConfig(AppConfig):
    name = 'awx.main'
    verbose_name = _('Main')
+
+    def load_named_url_feature(self):
+        models = [m for m in self.get_models() if hasattr(m, 'get_absolute_url')]
+        generate_graph(models)
+        _customize_graph()
+        register(
+            'NAMED_URL_FORMATS',
+            field_class=fields.DictField,
+            read_only=True,
+            label=_('Formats of all available named urls'),
+            help_text=_('Read-only list of key-value pairs that shows the standard format of all available named URLs.'),
+            category=_('Named URL'),
+            category_slug='named-url',
+        )
+        register(
+            'NAMED_URL_GRAPH_NODES',
+            field_class=fields.DictField,
+            read_only=True,
+            label=_('List of all named url graph nodes.'),
+            help_text=_(
+                'Read-only list of key-value pairs that exposes named URL graph topology.'
+                ' Use this list to programmatically generate named URLs for resources'
+            ),
+            category=_('Named URL'),
+            category_slug='named-url',
+        )
+
+    def ready(self):
+        super().ready()
+
+        self.load_named_url_feature()
--- a/awx/main/conf.py
+++ b/awx/main/conf.py
@@ -2,6 +2,7 @@
 import logging

 # Django
+from django.core.checks import Error
 from django.utils.translation import gettext_lazy as _

 # Django REST Framework
@@ -954,3 +955,27 @@ def logging_validate(serializer, attrs):


 register_validate('logging', logging_validate)
+
+
+def csrf_trusted_origins_validate(serializer, attrs):
+    if not serializer.instance or not hasattr(serializer.instance, 'CSRF_TRUSTED_ORIGINS'):
+        return attrs
+    if 'CSRF_TRUSTED_ORIGINS' not in attrs:
+        return attrs
+    errors = []
+    for origin in attrs['CSRF_TRUSTED_ORIGINS']:
+        if "://" not in origin:
+            errors.append(
+                Error(
+                    "As of Django 4.0, the values in the CSRF_TRUSTED_ORIGINS "
+                    "setting must start with a scheme (usually http:// or "
+                    "https://) but found %s. See the release notes for details." % origin,
+                )
+            )
+    if errors:
+        error_messages = [error.msg for error in errors]
+        raise serializers.ValidationError(_('\n'.join(error_messages)))
+    return attrs
+
+
+register_validate('system', csrf_trusted_origins_validate)
--- a/awx/main/constants.py
+++ b/awx/main/constants.py
@@ -114,3 +114,28 @@ SUBSCRIPTION_USAGE_MODEL_UNIQUE_HOSTS = 'unique_managed_hosts'

 # Shared prefetch to use for creating a queryset for the purpose of writing or saving facts
 HOST_FACTS_FIELDS = ('name', 'ansible_facts', 'ansible_facts_modified', 'modified', 'inventory_id')
+
+# Data for RBAC compatibility layer
+role_name_to_perm_mapping = {
+    'adhoc_role': ['adhoc_'],
+    'approval_role': ['approve_'],
+    'auditor_role': ['audit_'],
+    'admin_role': ['change_', 'add_', 'delete_'],
+    'execute_role': ['execute_'],
+    'read_role': ['view_'],
+    'update_role': ['update_'],
+    'member_role': ['member_'],
+    'use_role': ['use_'],
+}
+
+org_role_to_permission = {
+    'notification_admin_role': 'add_notificationtemplate',
+    'project_admin_role': 'add_project',
+    'execute_role': 'execute_jobtemplate',
+    'inventory_admin_role': 'add_inventory',
+    'credential_admin_role': 'add_credential',
+    'workflow_admin_role': 'add_workflowjobtemplate',
+    'job_template_admin_role': 'change_jobtemplate',  # TODO: this doesnt really work, solution not clear
+    'execution_environment_admin_role': 'add_executionenvironment',
+    'auditor_role': 'view_project',  # TODO: also doesnt really work
+}
--- a/awx/main/dispatch/init.py
+++ b/awx/main/dispatch/init.py
@@ -1,6 +1,7 @@
 import os
 import psycopg
 import select
+from copy import deepcopy

 from contextlib import contextmanager

@@ -94,8 +95,8 @@ class PubSub(object):


 def create_listener_connection():
-    conf = settings.DATABASES['default'].copy()
-    conf['OPTIONS'] = conf.get('OPTIONS', {}).copy()
+    conf = deepcopy(settings.DATABASES['default'])
+    conf['OPTIONS'] = deepcopy(conf.get('OPTIONS', {}))
    # Modify the application name to distinguish from other connections the process might use
    conf['OPTIONS']['application_name'] = get_application_name(settings.CLUSTER_HOST_ID, function='listener')

--- a/awx/main/management/commands/dump_auth_config.py
+++ b/awx/main/management/commands/dump_auth_config.py
@@ -2,10 +2,11 @@ import json
 import os
 import sys
 import re
-
 from typing import Any
+
 from django.core.management.base import BaseCommand
 from django.conf import settings
+
 from awx.conf import settings_registry


@@ -40,6 +41,15 @@ class Command(BaseCommand):
        "USER_SEARCH": False,
    }

+    def is_enabled(self, settings, keys):
+        missing_fields = []
+        for key, required in keys.items():
+            if required and not settings.get(key):
+                missing_fields.append(key)
+        if missing_fields:
+            return False, missing_fields
+        return True, None
+
    def get_awx_ldap_settings(self) -> dict[str, dict[str, Any]]:
        awx_ldap_settings = {}

@@ -64,15 +74,17 @@ class Command(BaseCommand):

            if new_key == "SERVER_URI" and value:
                value = value.split(", ")
+                grouped_settings[index][new_key] = value
+
+            if type(value).__name__ == "LDAPSearch":
+                data = []
+                data.append(value.base_dn)
+                data.append("SCOPE_SUBTREE")
+                data.append(value.filterstr)
+                grouped_settings[index][new_key] = data

        return grouped_settings

-    def is_enabled(self, settings, keys):
-        for key, required in keys.items():
-            if required and not settings.get(key):
-                return False
-        return True
-
    def get_awx_saml_settings(self) -> dict[str, Any]:
        awx_saml_settings = {}
        for awx_saml_setting in settings_registry.get_registered_settings(category_slug='saml'):
@@ -82,7 +94,7 @@ class Command(BaseCommand):

    def format_config_data(self, enabled, awx_settings, type, keys, name):
        config = {
-            "type": f"awx.authentication.authenticator_plugins.{type}",
+            "type": f"ansible_base.authentication.authenticator_plugins.{type}",
            "name": name,
            "enabled": enabled,
            "create_objects": True,
@@ -130,7 +142,7 @@ class Command(BaseCommand):

            # dump SAML settings
            awx_saml_settings = self.get_awx_saml_settings()
-            awx_saml_enabled = self.is_enabled(awx_saml_settings, self.DAB_SAML_AUTHENTICATOR_KEYS)
+            awx_saml_enabled, saml_missing_fields = self.is_enabled(awx_saml_settings, self.DAB_SAML_AUTHENTICATOR_KEYS)
            if awx_saml_enabled:
                awx_saml_name = awx_saml_settings["ENABLED_IDPS"]
                data.append(
@@ -142,21 +154,25 @@ class Command(BaseCommand):
                        awx_saml_name,
                    )
                )
+            else:
+                data.append({"SAML_missing_fields": saml_missing_fields})

            # dump LDAP settings
            awx_ldap_group_settings = self.get_awx_ldap_settings()
-            for awx_ldap_name, awx_ldap_settings in enumerate(awx_ldap_group_settings.values()):
-                enabled = self.is_enabled(awx_ldap_settings, self.DAB_LDAP_AUTHENTICATOR_KEYS)
-                if enabled:
+            for awx_ldap_name, awx_ldap_settings in awx_ldap_group_settings.items():
+                awx_ldap_enabled, ldap_missing_fields = self.is_enabled(awx_ldap_settings, self.DAB_LDAP_AUTHENTICATOR_KEYS)
+                if awx_ldap_enabled:
                    data.append(
                        self.format_config_data(
-                            enabled,
+                            awx_ldap_enabled,
                            awx_ldap_settings,
                            "ldap",
                            self.DAB_LDAP_AUTHENTICATOR_KEYS,
-                            str(awx_ldap_name),
+                            f"LDAP_{awx_ldap_name}",
                        )
                    )
+                else:
+                    data.append({f"LDAP_{awx_ldap_name}_missing_fields": ldap_missing_fields})

            # write to file if requested
            if options["output_file"]:
--- a/awx/main/management/commands/run_wsrelay.py
+++ b/awx/main/management/commands/run_wsrelay.py
@@ -165,11 +165,10 @@ class Command(BaseCommand):
            return

        WebsocketsMetricsServer().start()
-        websocket_relay_manager = WebSocketRelayManager()

        while True:
            try:
-                asyncio.run(websocket_relay_manager.run())
+                asyncio.run(WebSocketRelayManager().run())
            except KeyboardInterrupt:
                logger.info('Shutting down Websocket Relayer')
                break
--- a/awx/main/middleware.py
+++ b/awx/main/middleware.py
@@ -1,6 +1,7 @@
 # Copyright (c) 2015 Ansible, Inc.
 # All Rights Reserved.

+import functools
 import logging
 import threading
 import time
@@ -9,20 +10,16 @@ from pathlib import Path

 from django.conf import settings
 from django.contrib.auth import logout
-from django.contrib.auth.models import User
 from django.db.migrations.recorder import MigrationRecorder
 from django.db import connection
 from django.shortcuts import redirect
-from django.apps import apps
 from django.utils.deprecation import MiddlewareMixin
-from django.utils.translation import gettext_lazy as _
 from django.urls import reverse, resolve

 from awx.main import migrations
-from awx.main.utils.named_url_graph import generate_graph, GraphNode
-from awx.conf import fields, register
 from awx.main.utils.profiling import AWXProfiler
 from awx.main.utils.common import memoize
+from awx.urls import get_urlpatterns


 logger = logging.getLogger('awx.main.middleware')
@@ -61,7 +58,7 @@ class TimingMiddleware(threading.local, MiddlewareMixin):
            response['X-API-Profile-File'] = self.prof.stop()
        perf_logger.debug(
            f'request: {request}, response_time: {response["X-API-Total-Time"]}',
-            extra=dict(python_objects=dict(request=request, response=response, X_API_TOTAL_TIME=response["X-API-Total-Time"])),
+            extra=dict(python_objects=dict(request=request, response=response, X_API_TOTAL_TIME=response["X-API-Total-Time"], x_request_id=request.get('x-request-id', 'not-set'))),
        )
        return response

@@ -100,49 +97,7 @@ class DisableLocalAuthMiddleware(MiddlewareMixin):
                logout(request)


-def _customize_graph():
-    from awx.main.models import Instance, Schedule, UnifiedJobTemplate
-
-    for model in [Schedule, UnifiedJobTemplate]:
-        if model in settings.NAMED_URL_GRAPH:
-            settings.NAMED_URL_GRAPH[model].remove_bindings()
-            settings.NAMED_URL_GRAPH.pop(model)
-    if User not in settings.NAMED_URL_GRAPH:
-        settings.NAMED_URL_GRAPH[User] = GraphNode(User, ['username'], [])
-        settings.NAMED_URL_GRAPH[User].add_bindings()
-    if Instance not in settings.NAMED_URL_GRAPH:
-        settings.NAMED_URL_GRAPH[Instance] = GraphNode(Instance, ['hostname'], [])
-        settings.NAMED_URL_GRAPH[Instance].add_bindings()
-
-
 class URLModificationMiddleware(MiddlewareMixin):
-    def __init__(self, get_response):
-        models = [m for m in apps.get_app_config('main').get_models() if hasattr(m, 'get_absolute_url')]
-        generate_graph(models)
-        _customize_graph()
-        register(
-            'NAMED_URL_FORMATS',
-            field_class=fields.DictField,
-            read_only=True,
-            label=_('Formats of all available named urls'),
-            help_text=_('Read-only list of key-value pairs that shows the standard format of all available named URLs.'),
-            category=_('Named URL'),
-            category_slug='named-url',
-        )
-        register(
-            'NAMED_URL_GRAPH_NODES',
-            field_class=fields.DictField,
-            read_only=True,
-            label=_('List of all named url graph nodes.'),
-            help_text=_(
-                'Read-only list of key-value pairs that exposes named URL graph topology.'
-                ' Use this list to programmatically generate named URLs for resources'
-            ),
-            category=_('Named URL'),
-            category_slug='named-url',
-        )
-        super().__init__(get_response)
-
    @staticmethod
    def _hijack_for_old_jt_name(node, kwargs, named_url):
        try:
@@ -220,3 +175,27 @@ class MigrationRanCheckMiddleware(MiddlewareMixin):
    def process_request(self, request):
        if is_migrating() and getattr(resolve(request.path), 'url_name', '') != 'migrations_notran':
            return redirect(reverse("ui:migrations_notran"))
+
+
+class OptionalURLPrefixPath(MiddlewareMixin):
+    @functools.lru_cache
+    def _url_optional(self, prefix):
+        # Relavant Django code path https://github.com/django/django/blob/stable/4.2.x/django/core/handlers/base.py#L300
+        #
+        # resolve_request(request)
+        #   get_resolver(request.urlconf)
+        #     _get_cached_resolver(request.urlconf) <-- cached via @functools.cache
+        #
+        # Django will attempt to cache the value(s) of request.urlconf
+        # Being hashable is a prerequisit for being cachable.
+        # tuple() is hashable list() is not.
+        # Hence the tuple(list()) wrap.
+        return tuple(get_urlpatterns(prefix=prefix))
+
+    def process_request(self, request):
+        prefix = settings.OPTIONAL_API_URLPATTERN_PREFIX
+
+        if request.path.startswith(f"/api/{prefix}"):
+            request.urlconf = self._url_optional(prefix)
+        else:
+            request.urlconf = 'awx.urls'
--- a/awx/main/migrations/0190_alter_inventorysource_source_and_more.py
+++ b/awx/main/migrations/0190_alter_inventorysource_source_and_more.py
@@ -4,7 +4,6 @@ from django.db import migrations, models


 class Migration(migrations.Migration):
-
    dependencies = [
        ('main', '0189_inbound_hop_nodes'),
    ]
--- a/awx/main/migrations/0191_add_django_permissions.py
+++ b/awx/main/migrations/0191_add_django_permissions.py
@@ -0,0 +1,85 @@
+# Generated by Django 4.2.6 on 2023-11-13 20:10
+
+from django.db import migrations
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ('main', '0190_alter_inventorysource_source_and_more'),
+        ('dab_rbac', '__first__'),
+    ]
+
+    operations = [
+        # Add custom permissions for all special actions, like update, use, adhoc, and so on
+        migrations.AlterModelOptions(
+            name='credential',
+            options={'ordering': ('name',), 'permissions': [('use_credential', 'Can use credential in a job or related resource')]},
+        ),
+        migrations.AlterModelOptions(
+            name='instancegroup',
+            options={'permissions': [('use_instancegroup', 'Can use instance group in a preference list of a resource')]},
+        ),
+        migrations.AlterModelOptions(
+            name='inventory',
+            options={
+                'ordering': ('name',),
+                'permissions': [
+                    ('use_inventory', 'Can use inventory in a job template'),
+                    ('adhoc_inventory', 'Can run ad hoc commands'),
+                    ('update_inventory', 'Can update inventory sources in inventory'),
+                ],
+                'verbose_name_plural': 'inventories',
+            },
+        ),
+        migrations.AlterModelOptions(
+            name='jobtemplate',
+            options={'ordering': ('name',), 'permissions': [('execute_jobtemplate', 'Can run this job template')]},
+        ),
+        migrations.AlterModelOptions(
+            name='project',
+            options={
+                'ordering': ('id',),
+                'permissions': [('update_project', 'Can run a project update'), ('use_project', 'Can use project in a job template')],
+            },
+        ),
+        migrations.AlterModelOptions(
+            name='workflowjobtemplate',
+            options={
+                'permissions': [
+                    ('execute_workflowjobtemplate', 'Can run this workflow job template'),
+                    ('approve_workflowjobtemplate', 'Can approve steps in this workflow job template'),
+                ]
+            },
+        ),
+        migrations.AlterModelOptions(
+            name='organization',
+            options={
+                'default_permissions': ('change', 'delete', 'view'),
+                'ordering': ('name',),
+                'permissions': [
+                    ('member_organization', 'Basic participation permissions for organization'),
+                    ('audit_organization', 'Audit everything inside the organization'),
+                ],
+            },
+        ),
+        migrations.AlterModelOptions(
+            name='team',
+            options={'ordering': ('organization__name', 'name'), 'permissions': [('member_team', 'Inherit all roles assigned to this team')]},
+        ),
+        # Remove add default permission for a few models
+        migrations.AlterModelOptions(
+            name='jobtemplate',
+            options={
+                'default_permissions': ('change', 'delete', 'view'),
+                'ordering': ('name',),
+                'permissions': [('execute_jobtemplate', 'Can run this job template')],
+            },
+        ),
+        migrations.AlterModelOptions(
+            name='instancegroup',
+            options={
+                'default_permissions': ('change', 'delete', 'view'),
+                'permissions': [('use_instancegroup', 'Can use instance group in a preference list of a resource')],
+            },
+        ),
+    ]
--- a/awx/main/migrations/0192_custom_roles.py
+++ b/awx/main/migrations/0192_custom_roles.py
@@ -0,0 +1,20 @@
+# Generated by Django 4.2.6 on 2023-11-21 02:06
+
+from django.db import migrations
+
+from awx.main.migrations._dab_rbac import migrate_to_new_rbac, create_permissions_as_operation, setup_managed_role_definitions
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ('main', '0191_add_django_permissions'),
+        ('dab_rbac', '__first__'),
+    ]
+
+    operations = [
+        # make sure permissions and content types have been created by now
+        # these normally run in a post_migrate signal but we need them for our logic
+        migrations.RunPython(create_permissions_as_operation, migrations.RunPython.noop),
+        migrations.RunPython(setup_managed_role_definitions, migrations.RunPython.noop),
+        migrations.RunPython(migrate_to_new_rbac, migrations.RunPython.noop),
+    ]
--- a/awx/main/migrations/_dab_rbac.py
+++ b/awx/main/migrations/_dab_rbac.py
@@ -0,0 +1,354 @@
+import json
+import logging
+
+from django.apps import apps as global_apps
+from django.db.models import ForeignKey
+from django.conf import settings
+from ansible_base.rbac.migrations._utils import give_permissions
+from ansible_base.rbac.management import create_dab_permissions
+
+from awx.main.fields import ImplicitRoleField
+from awx.main.constants import role_name_to_perm_mapping
+
+from ansible_base.rbac.permission_registry import permission_registry
+
+
+logger = logging.getLogger('awx.main.migrations._dab_rbac')
+
+
+def create_permissions_as_operation(apps, schema_editor):
+    create_dab_permissions(global_apps.get_app_config("main"), apps=apps)
+
+
+"""
+Data structures and methods for the migration of old Role model to ObjectRole
+"""
+
+system_admin = ImplicitRoleField(name='system_administrator')
+system_auditor = ImplicitRoleField(name='system_auditor')
+system_admin.model = None
+system_auditor.model = None
+
+
+def resolve_parent_role(f, role_path):
+    """
+    Given a field and a path declared in parent_role from the field definition, like
+        execute_role = ImplicitRoleField(parent_role='admin_role')
+    This expects to be passed in (execute_role object, "admin_role")
+    It hould return the admin_role from that object
+    """
+    if role_path == 'singleton:system_administrator':
+        return system_admin
+    elif role_path == 'singleton:system_auditor':
+        return system_auditor
+    else:
+        related_field = f
+        current_model = f.model
+        for related_field_name in role_path.split('.'):
+            related_field = current_model._meta.get_field(related_field_name)
+            if isinstance(related_field, ForeignKey) and not isinstance(related_field, ImplicitRoleField):
+                current_model = related_field.related_model
+        return related_field
+
+
+def build_role_map(apps):
+    """
+    For the old Role model, this builds and returns dictionaries (children, parents)
+    which give a global mapping of the ImplicitRoleField instances according to the graph
+    """
+    models = set(apps.get_app_config('main').get_models())
+
+    all_fields = set()
+    parents = {}
+    children = {}
+
+    all_fields.add(system_admin)
+    all_fields.add(system_auditor)
+
+    for cls in models:
+        for f in cls._meta.get_fields():
+            if isinstance(f, ImplicitRoleField):
+                all_fields.add(f)
+
+    for f in all_fields:
+        if f.parent_role is not None:
+            if isinstance(f.parent_role, str):
+                parent_roles = [f.parent_role]
+            else:
+                parent_roles = f.parent_role
+
+            # SPECIAL CASE: organization auditor_role is not a child of admin_role
+            # this makes no practical sense and conflicts with expected managed role
+            # so we put it in as a hack here
+            if f.name == 'auditor_role' and f.model._meta.model_name == 'organization':
+                parent_roles.append('admin_role')
+
+            parent_list = []
+            for rel_name in parent_roles:
+                parent_list.append(resolve_parent_role(f, rel_name))
+
+            parents[f] = parent_list
+
+    # build children lookup from parents lookup
+    for child_field, parent_list in parents.items():
+        for parent_field in parent_list:
+            children.setdefault(parent_field, [])
+            children[parent_field].append(child_field)
+
+    return (parents, children)
+
+
+def get_descendents(f, children_map):
+    """
+    Given ImplicitRoleField F and the children mapping, returns all descendents
+    of that field, as a set of other fields, including itself
+    """
+    ret = {f}
+    if f in children_map:
+        for child_field in children_map[f]:
+            ret.update(get_descendents(child_field, children_map))
+    return ret
+
+
+def get_permissions_for_role(role_field, children_map, apps):
+    Permission = apps.get_model('dab_rbac', 'DABPermission')
+    ContentType = apps.get_model('contenttypes', 'ContentType')
+
+    perm_list = []
+    for child_field in get_descendents(role_field, children_map):
+        if child_field.name in role_name_to_perm_mapping:
+            for perm_name in role_name_to_perm_mapping[child_field.name]:
+                if perm_name == 'add_' and role_field.model._meta.model_name != 'organization':
+                    continue  # only organizations can contain add permissions
+                perm = Permission.objects.filter(content_type=ContentType.objects.get_for_model(child_field.model), codename__startswith=perm_name).first()
+                if perm is not None and perm not in perm_list:
+                    perm_list.append(perm)
+
+    # special case for two models that have object roles but no organization roles in old system
+    if role_field.name == 'notification_admin_role' or (role_field.name == 'admin_role' and role_field.model._meta.model_name == 'organization'):
+        ct = ContentType.objects.get_for_model(apps.get_model('main', 'NotificationTemplate'))
+        perm_list.extend(list(Permission.objects.filter(content_type=ct)))
+    if role_field.name == 'execution_environment_admin_role' or (role_field.name == 'admin_role' and role_field.model._meta.model_name == 'organization'):
+        ct = ContentType.objects.get_for_model(apps.get_model('main', 'ExecutionEnvironment'))
+        perm_list.extend(list(Permission.objects.filter(content_type=ct)))
+
+    # more special cases for those same above special org-level roles
+    if role_field.name == 'auditor_role':
+        for codename in ('view_notificationtemplate', 'view_executionenvironment'):
+            perm_list.append(Permission.objects.get(codename=codename))
+
+    return perm_list
+
+
+def model_class(ct, apps):
+    """
+    You can not use model methods in migrations, so this duplicates
+    what ContentType.model_class does, using current apps
+    """
+    try:
+        return apps.get_model(ct.app_label, ct.model)
+    except LookupError:
+        return None
+
+
+def migrate_to_new_rbac(apps, schema_editor):
+    """
+    This method moves the assigned permissions from the old rbac.py models
+    to the new RoleDefinition and ObjectRole models
+    """
+    Role = apps.get_model('main', 'Role')
+    RoleDefinition = apps.get_model('dab_rbac', 'RoleDefinition')
+    RoleUserAssignment = apps.get_model('dab_rbac', 'RoleUserAssignment')
+    Permission = apps.get_model('dab_rbac', 'DABPermission')
+
+    # remove add premissions that are not valid for migrations from old versions
+    for perm_str in ('add_organization', 'add_jobtemplate'):
+        perm = Permission.objects.filter(codename=perm_str).first()
+        if perm:
+            perm.delete()
+
+    managed_definitions = dict()
+    for role_definition in RoleDefinition.objects.filter(managed=True):
+        permissions = frozenset(role_definition.permissions.values_list('id', flat=True))
+        managed_definitions[permissions] = role_definition
+
+    # Build map of old role model
+    parents, children = build_role_map(apps)
+
+    # NOTE: this import is expected to break at some point, and then just move the data here
+    from awx.main.models.rbac import role_descriptions
+
+    for role in Role.objects.prefetch_related('members', 'parents').iterator():
+        if role.singleton_name:
+            continue  # only bothering to migrate object roles
+
+        team_roles = []
+        for parent in role.parents.all():
+            if parent.id not in json.loads(role.implicit_parents):
+                team_roles.append(parent)
+
+        # we will not create any roles that do not have any users or teams
+        if not (role.members.all() or team_roles):
+            logger.debug(f'Skipping role {role.role_field} for {role.content_type.model}-{role.object_id} due to no members')
+            continue
+
+        # get a list of permissions that the old role would grant
+        object_cls = apps.get_model(f'main.{role.content_type.model}')
+        object = object_cls.objects.get(pk=role.object_id)  # WORKAROUND, role.content_object does not work in migrations
+        f = object._meta.get_field(role.role_field)  # should be ImplicitRoleField
+        perm_list = get_permissions_for_role(f, children, apps)
+
+        permissions = frozenset(perm.id for perm in perm_list)
+
+        # With the needed permissions established, obtain the RoleDefinition this will need, priorities:
+        # 1. If it exists as a managed RoleDefinition then obviously use that
+        # 2. If we already created this for a prior role, use that
+        # 3. Create a new RoleDefinition that lists those permissions
+        if permissions in managed_definitions:
+            role_definition = managed_definitions[permissions]
+        else:
+            action = role.role_field.rsplit('_', 1)[0]  # remove the _field ending of the name
+            role_definition_name = f'{model_class(role.content_type, apps).__name__} {action.title()}'
+
+            description = role_descriptions[role.role_field]
+            if type(description) == dict:
+                if role.content_type.model in description:
+                    description = description.get(role.content_type.model)
+                else:
+                    description = description.get('default')
+            if '%s' in description:
+                description = description % role.content_type.model
+
+            role_definition, created = RoleDefinition.objects.get_or_create(
+                name=role_definition_name,
+                defaults={'description': description, 'content_type_id': role.content_type_id},
+            )
+
+            if created:
+                logger.info(f'Created custom Role Definition {role_definition_name}, pk={role_definition.pk}')
+                role_definition.permissions.set(perm_list)
+
+        # Create the object role and add users to it
+        give_permissions(
+            apps,
+            role_definition,
+            users=role.members.all(),
+            teams=[tr.object_id for tr in team_roles],
+            object_id=role.object_id,
+            content_type_id=role.content_type_id,
+        )
+
+    # Create new replacement system auditor role
+    new_system_auditor, created = RoleDefinition.objects.get_or_create(
+        name='System Auditor',
+        defaults={'description': 'Migrated singleton role giving read permission to everything', 'managed': True},
+    )
+    new_system_auditor.permissions.add(*list(Permission.objects.filter(codename__startswith='view')))
+
+    # migrate is_system_auditor flag, because it is no longer handled by a system role
+    old_system_auditor = Role.objects.filter(singleton_name='system_auditor').first()
+    if old_system_auditor:
+        # if the system auditor role is not present, this is a new install and no users should exist
+        ct = 0
+        for user in role.members.all():
+            RoleUserAssignment.objects.create(user=user, role_definition=new_system_auditor)
+            ct += 1
+        if ct:
+            logger.info(f'Migrated {ct} users to new system auditor flag')
+
+
+def get_or_create_managed(name, description, ct, permissions, RoleDefinition):
+    role_definition, created = RoleDefinition.objects.get_or_create(name=name, defaults={'managed': True, 'description': description, 'content_type': ct})
+    role_definition.permissions.set(list(permissions))
+
+    if not role_definition.managed:
+        role_definition.managed = True
+        role_definition.save(update_fields=['managed'])
+
+    if created:
+        logger.info(f'Created RoleDefinition {role_definition.name} pk={role_definition} with {len(permissions)} permissions')
+
+    return role_definition
+
+
+def setup_managed_role_definitions(apps, schema_editor):
+    """
+    Idepotent method to create or sync the managed role definitions
+    """
+    to_create = settings.ANSIBLE_BASE_ROLE_PRECREATE
+
+    ContentType = apps.get_model('contenttypes', 'ContentType')
+    Permission = apps.get_model('dab_rbac', 'DABPermission')
+    RoleDefinition = apps.get_model('dab_rbac', 'RoleDefinition')
+    Organization = apps.get_model(settings.ANSIBLE_BASE_ORGANIZATION_MODEL)
+    org_ct = ContentType.objects.get_for_model(Organization)
+    managed_role_definitions = []
+
+    org_perms = set()
+    for cls in permission_registry._registry:
+        ct = ContentType.objects.get_for_model(cls)
+        object_perms = set(Permission.objects.filter(content_type=ct))
+        # Special case for InstanceGroup which has an organiation field, but is not an organization child object
+        if cls._meta.model_name != 'instancegroup':
+            org_perms.update(object_perms)
+
+        if 'object_admin' in to_create and cls != Organization:
+            indiv_perms = object_perms.copy()
+            add_perms = [perm for perm in indiv_perms if perm.codename.startswith('add_')]
+            if add_perms:
+                for perm in add_perms:
+                    indiv_perms.remove(perm)
+
+            managed_role_definitions.append(
+                get_or_create_managed(
+                    to_create['object_admin'].format(cls=cls), f'Has all permissions to a single {cls._meta.verbose_name}', ct, indiv_perms, RoleDefinition
+                )
+            )
+
+        if 'org_children' in to_create and cls != Organization:
+            org_child_perms = object_perms.copy()
+            org_child_perms.add(Permission.objects.get(codename='view_organization'))
+
+            managed_role_definitions.append(
+                get_or_create_managed(
+                    to_create['org_children'].format(cls=cls),
+                    f'Has all permissions to {cls._meta.verbose_name_plural} within an organization',
+                    org_ct,
+                    org_child_perms,
+                    RoleDefinition,
+                )
+            )
+
+        if 'special' in to_create:
+            special_perms = []
+            for perm in object_perms:
+                if perm.codename.split('_')[0] not in ('add', 'change', 'update', 'delete', 'view'):
+                    special_perms.append(perm)
+            for perm in special_perms:
+                action = perm.codename.split('_')[0]
+                view_perm = Permission.objects.get(content_type=ct, codename__startswith='view_')
+                managed_role_definitions.append(
+                    get_or_create_managed(
+                        to_create['special'].format(cls=cls, action=action.title()),
+                        f'Has {action} permissions to a single {cls._meta.verbose_name}',
+                        ct,
+                        [perm, view_perm],
+                        RoleDefinition,
+                    )
+                )
+
+    if 'org_admin' in to_create:
+        managed_role_definitions.append(
+            get_or_create_managed(
+                to_create['org_admin'].format(cls=Organization),
+                'Has all permissions to a single organization and all objects inside of it',
+                org_ct,
+                org_perms,
+                RoleDefinition,
+            )
+        )
+
+    unexpected_role_definitions = RoleDefinition.objects.filter(managed=True).exclude(pk__in=[rd.pk for rd in managed_role_definitions])
+    for role_definition in unexpected_role_definitions:
+        logger.info(f'Deleting old managed role definition {role_definition.name}, pk={role_definition.pk}')
+        role_definition.delete()
--- a/awx/main/models/init.py
+++ b/awx/main/models/init.py
@@ -1,12 +1,19 @@
 # Copyright (c) 2015 Ansible, Inc.
 # All Rights Reserved.

+import json
+
 # Django
 from django.conf import settings  # noqa
 from django.db import connection
 from django.db.models.signals import pre_delete  # noqa

+# django-ansible-base
+from ansible_base.resource_registry.fields import AnsibleResourceField
+from ansible_base.rbac import permission_registry
+from ansible_base.rbac.models import RoleDefinition, RoleUserAssignment
 from ansible_base.lib.utils.models import prevent_search
+from ansible_base.lib.utils.models import user_summary_fields

 # AWX
 from awx.main.models.base import BaseModel, PrimordialModel, accepts_json, CLOUD_INVENTORY_SOURCES, VERBOSITY_CHOICES  # noqa
@@ -99,6 +106,8 @@ from awx.main.access import get_user_queryset, check_user_access, check_user_acc
 User.add_to_class('get_queryset', get_user_queryset)
 User.add_to_class('can_access', check_user_access)
 User.add_to_class('can_access_with_errors', check_user_access_with_errors)
+User.add_to_class('resource', AnsibleResourceField(primary_key_field="id"))
+User.add_to_class('summary_fields', user_summary_fields)


 def convert_jsonfields():
@@ -191,11 +200,21 @@ User.add_to_class('auditor_of_organizations', user_get_auditor_of_organizations)
 User.add_to_class('created', created)


+def get_system_auditor_role():
+    rd, created = RoleDefinition.objects.get_or_create(
+        name='System Auditor', defaults={'description': 'Migrated singleton role giving read permission to everything'}
+    )
+    if created:
+        rd.permissions.add(*list(permission_registry.permission_qs.filter(codename__startswith='view')))
+    return rd
+
+
@property
 def user_is_system_auditor(user):
    if not hasattr(user, '_is_system_auditor'):
        if user.pk:
-            user._is_system_auditor = user.roles.filter(singleton_name='system_auditor', role_field='system_auditor').exists()
+            rd = get_system_auditor_role()
+            user._is_system_auditor = RoleUserAssignment.objects.filter(user=user, role_definition=rd).exists()
        else:
            # Odd case where user is unsaved, this should never be relied on
            return False
@@ -209,17 +228,17 @@ def user_is_system_auditor(user, tf):
        # time they've logged in, and we've just created the new User in this
        # request), we need one to set up the system auditor role
        user.save()
-    if tf:
-        role = Role.singleton('system_auditor')
-        # must check if member to not duplicate activity stream
-        if user not in role.members.all():
-            role.members.add(user)
-        user._is_system_auditor = True
-    else:
-        role = Role.singleton('system_auditor')
-        if user in role.members.all():
-            role.members.remove(user)
-        user._is_system_auditor = False
+    rd = get_system_auditor_role()
+    assignment = RoleUserAssignment.objects.filter(user=user, role_definition=rd).first()
+    prior_value = bool(assignment)
+    if prior_value != bool(tf):
+        if assignment:
+            assignment.delete()
+        else:
+            rd.give_global_permission(user)
+        user._is_system_auditor = bool(tf)
+        entry = ActivityStream.objects.create(changes=json.dumps({"is_system_auditor": [prior_value, bool(tf)]}), object1='user', operation='update')
+        entry.user.add(user)


 User.add_to_class('is_system_auditor', user_is_system_auditor)
@@ -287,6 +306,10 @@ activity_stream_registrar.connect(WorkflowApprovalTemplate)
 activity_stream_registrar.connect(OAuth2Application)
 activity_stream_registrar.connect(OAuth2AccessToken)

+# Register models
+permission_registry.register(Project, Team, WorkflowJobTemplate, JobTemplate, Inventory, Organization, Credential, NotificationTemplate, ExecutionEnvironment)
+permission_registry.register(InstanceGroup, parent_field_name=None)  # Not part of an organization
+
 # prevent API filtering on certain Django-supplied sensitive fields
 prevent_search(User._meta.get_field('password'))
 prevent_search(OAuth2AccessToken._meta.get_field('token'))
--- a/awx/main/models/base.py
+++ b/awx/main/models/base.py
@@ -7,6 +7,9 @@ from django.core.exceptions import ValidationError, ObjectDoesNotExist
 from django.utils.translation import gettext_lazy as _
 from django.utils.timezone import now

+# django-ansible-base
+from ansible_base.lib.utils.models import get_type_for_model
+
 # Django-CRUM
 from crum import get_current_user

@@ -139,6 +142,23 @@ class BaseModel(models.Model):
            self.save(update_fields=update_fields)
        return update_fields

+    def summary_fields(self):
+        """
+        This exists for use by django-ansible-base,
+        which has standard patterns that differ from AWX, but we enable views from DAB
+        for those views to list summary_fields for AWX models, those models need to provide this
+        """
+        from awx.api.serializers import SUMMARIZABLE_FK_FIELDS
+
+        model_name = get_type_for_model(self)
+        related_fields = SUMMARIZABLE_FK_FIELDS.get(model_name, {})
+        summary_data = {}
+        for field_name in related_fields:
+            fval = getattr(self, field_name, None)
+            if fval is not None:
+                summary_data[field_name] = fval
+        return summary_data
+

 class CreatedModifiedModel(BaseModel):
    """
--- a/awx/main/models/credential/init.py
+++ b/awx/main/models/credential/init.py
@@ -83,6 +83,7 @@ class Credential(PasswordFieldsModel, CommonModelNameNotUnique, ResourceMixin):
        app_label = 'main'
        ordering = ('name',)
        unique_together = ('organization', 'name', 'credential_type')
+        permissions = [('use_credential', 'Can use credential in a job or related resource')]

    PASSWORD_FIELDS = ['inputs']
    FIELDS_TO_PRESERVE_AT_COPY = ['input_sources']
@@ -1231,6 +1232,14 @@ ManagedCredentialType(
                'multiline': True,
                'help_text': gettext_noop('Terraform backend config as Hashicorp configuration language.'),
            },
+            {
+                'id': 'gce_credentials',
+                'label': gettext_noop('Google Cloud Platform account credentials'),
+                'type': 'string',
+                'secret': True,
+                'multiline': True,
+                'help_text': gettext_noop('Google Cloud Platform account credentials in JSON format.'),
+            },
        ],
        'required': ['configuration'],
    },
--- a/awx/main/models/credential/injectors.py
+++ b/awx/main/models/credential/injectors.py
@@ -130,3 +130,10 @@ def terraform(cred, env, private_data_dir):
        os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)
        f.write(cred.get_input('configuration'))
    env['TF_BACKEND_CONFIG_FILE'] = to_container_path(path, private_data_dir)
+    # Handle env variables for GCP account credentials
+    if 'gce_credentials' in cred.inputs:
+        handle, path = tempfile.mkstemp(dir=os.path.join(private_data_dir, 'env'))
+        with os.fdopen(handle, 'w') as f:
+            os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)
+            f.write(cred.get_input('gce_credentials'))
+        env['GOOGLE_BACKEND_CREDENTIALS'] = to_container_path(path, private_data_dir)
--- a/awx/main/models/ha.py
+++ b/awx/main/models/ha.py
@@ -485,6 +485,9 @@ class InstanceGroup(HasPolicyEditsMixin, BaseModel, RelatedJobsMixin, ResourceMi

    class Meta:
        app_label = 'main'
+        permissions = [('use_instancegroup', 'Can use instance group in a preference list of a resource')]
+        # Since this has no direct organization field only superuser can add, so remove add permission
+        default_permissions = ('change', 'delete', 'view')

    def set_default_policy_fields(self):
        self.policy_instance_list = []
--- a/awx/main/models/inventory.py
+++ b/awx/main/models/inventory.py
@@ -11,6 +11,8 @@ import os.path
 from urllib.parse import urljoin

 import yaml
+import tempfile
+import stat

 # Django
 from django.conf import settings
@@ -89,6 +91,11 @@ class Inventory(CommonModelNameNotUnique, ResourceMixin, RelatedJobsMixin):
        verbose_name_plural = _('inventories')
        unique_together = [('name', 'organization')]
        ordering = ('name',)
+        permissions = [
+            ('use_inventory', 'Can use inventory in a job template'),
+            ('adhoc_inventory', 'Can run ad hoc commands'),
+            ('update_inventory', 'Can update inventory sources in inventory'),
+        ]

    organization = models.ForeignKey(
        'Organization',
@@ -1400,7 +1407,7 @@ class InventoryUpdate(UnifiedJob, InventorySourceOptions, JobNotificationMixin,
        return selected_groups


-class CustomInventoryScript(CommonModelNameNotUnique, ResourceMixin):
+class CustomInventoryScript(CommonModelNameNotUnique):
    class Meta:
        app_label = 'main'
        ordering = ('name',)
@@ -1633,17 +1640,39 @@ class satellite6(PluginFileInjector):

 class terraform(PluginFileInjector):
    plugin_name = 'terraform_state'
-    base_injector = 'managed'
    namespace = 'cloud'
    collection = 'terraform'
    use_fqcn = True

    def inventory_as_dict(self, inventory_update, private_data_dir):
-        env = super(terraform, self).get_plugin_env(inventory_update, private_data_dir, None)
        ret = super().inventory_as_dict(inventory_update, private_data_dir)
-        ret['backend_config_files'] = env["TF_BACKEND_CONFIG_FILE"]
+        credential = inventory_update.get_cloud_credential()
+        config_cred = credential.get_input('configuration')
+        if config_cred:
+            handle, path = tempfile.mkstemp(dir=os.path.join(private_data_dir, 'env'))
+            with os.fdopen(handle, 'w') as f:
+                os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)
+                f.write(config_cred)
+            ret['backend_config_files'] = to_container_path(path, private_data_dir)
        return ret

+    def build_plugin_private_data(self, inventory_update, private_data_dir):
+        credential = inventory_update.get_cloud_credential()
+
+        private_data = {'credentials': {}}
+        gce_cred = credential.get_input('gce_credentials')
+        if gce_cred:
+            private_data['credentials'][credential] = gce_cred
+        return private_data
+
+    def get_plugin_env(self, inventory_update, private_data_dir, private_data_files):
+        env = super(terraform, self).get_plugin_env(inventory_update, private_data_dir, private_data_files)
+        credential = inventory_update.get_cloud_credential()
+        cred_data = private_data_files['credentials']
+        if cred_data[credential]:
+            env['GOOGLE_BACKEND_CREDENTIALS'] = to_container_path(cred_data[credential], private_data_dir)
+        return env
+

 class controller(PluginFileInjector):
    plugin_name = 'tower'  # TODO: relying on routing for now, update after EEs pick up revised collection
--- a/awx/main/models/jobs.py
+++ b/awx/main/models/jobs.py
@@ -205,6 +205,9 @@ class JobTemplate(UnifiedJobTemplate, JobOptions, SurveyJobTemplateMixin, Resour
    class Meta:
        app_label = 'main'
        ordering = ('name',)
+        permissions = [('execute_jobtemplate', 'Can run this job template')]
+        # Remove add permission, ability to add comes from use permission for inventory, project, credentials
+        default_permissions = ('change', 'delete', 'view')

    job_type = models.CharField(
        max_length=64,
--- a/awx/main/models/mixins.py
+++ b/awx/main/models/mixins.py
@@ -19,13 +19,14 @@ from django.utils.translation import gettext_lazy as _
 from ansible_base.lib.utils.models import prevent_search

 # AWX
-from awx.main.models.rbac import Role, RoleAncestorEntry
+
+from awx.main.models.rbac import Role, RoleAncestorEntry, to_permissions
 from awx.main.utils import parse_yaml_or_json, get_custom_venv_choices, get_licenser, polymorphic
 from awx.main.utils.execution_environments import get_default_execution_environment
 from awx.main.utils.encryption import decrypt_value, get_encryption_key, is_encrypted
 from awx.main.utils.polymorphic import build_polymorphic_ctypes_map
 from awx.main.fields import AskForField
-from awx.main.constants import ACTIVE_STATES
+from awx.main.constants import ACTIVE_STATES, org_role_to_permission


 logger = logging.getLogger('awx.main.models.mixins')
@@ -64,6 +65,18 @@ class ResourceMixin(models.Model):

    @staticmethod
    def _accessible_pk_qs(cls, accessor, role_field, content_types=None):
+        if settings.ANSIBLE_BASE_ROLE_SYSTEM_ACTIVATED:
+            if cls._meta.model_name == 'organization' and role_field in org_role_to_permission:
+                # Organization roles can not use the DAB RBAC shortcuts
+                # like Organization.access_qs(user, 'change_jobtemplate') is needed
+                # not just Organization.access_qs(user, 'change') is needed
+                if accessor.is_superuser:
+                    return cls.objects.values_list('id')
+
+                codename = org_role_to_permission[role_field]
+
+                return cls.access_ids_qs(accessor, codename, content_types=content_types)
+            return cls.access_ids_qs(accessor, to_permissions[role_field], content_types=content_types)
        if accessor._meta.model_name == 'user':
            ancestor_roles = accessor.roles.all()
        elif type(accessor) == Role:
--- a/awx/main/models/notifications.py
+++ b/awx/main/models/notifications.py
@@ -498,7 +498,7 @@ class JobNotificationMixin(object):
        # Body should have at least 2 CRLF, some clients will interpret
        # the email incorrectly with blank body.  So we will check that

-        if len(body.strip().splitlines()) <= 2:
+        if len(body.strip().splitlines()) < 1:
            # blank body
            body = '\r\n'.join(
                [
--- a/awx/main/models/organization.py
+++ b/awx/main/models/organization.py
@@ -10,6 +10,8 @@ from django.contrib.sessions.models import Session
 from django.utils.timezone import now as tz_now
 from django.utils.translation import gettext_lazy as _

+# django-ansible-base
+from ansible_base.resource_registry.fields import AnsibleResourceField

 # AWX
 from awx.api.versioning import reverse
@@ -33,6 +35,12 @@ class Organization(CommonModel, NotificationFieldsModel, ResourceMixin, CustomVi
    class Meta:
        app_label = 'main'
        ordering = ('name',)
+        permissions = [
+            ('member_organization', 'Basic participation permissions for organization'),
+            ('audit_organization', 'Audit everything inside the organization'),
+        ]
+        # Remove add permission, only superuser can add
+        default_permissions = ('change', 'delete', 'view')

    instance_groups = OrderedManyToManyField('InstanceGroup', blank=True, through='OrganizationInstanceGroupMembership')
    galaxy_credentials = OrderedManyToManyField(
@@ -103,6 +111,7 @@ class Organization(CommonModel, NotificationFieldsModel, ResourceMixin, CustomVi
    approval_role = ImplicitRoleField(
        parent_role='admin_role',
    )
+    resource = AnsibleResourceField(primary_key_field="id")

    def get_absolute_url(self, request=None):
        return reverse('api:organization_detail', kwargs={'pk': self.pk}, request=request)
@@ -134,6 +143,7 @@ class Team(CommonModelNameNotUnique, ResourceMixin):
        app_label = 'main'
        unique_together = [('organization', 'name')]
        ordering = ('organization__name', 'name')
+        permissions = [('member_team', 'Inherit all roles assigned to this team')]

    organization = models.ForeignKey(
        'Organization',
@@ -151,6 +161,7 @@ class Team(CommonModelNameNotUnique, ResourceMixin):
    read_role = ImplicitRoleField(
        parent_role=['organization.auditor_role', 'member_role'],
    )
+    resource = AnsibleResourceField(primary_key_field="id")

    def get_absolute_url(self, request=None):
        return reverse('api:team_detail', kwargs={'pk': self.pk}, request=request)
--- a/awx/main/models/projects.py
+++ b/awx/main/models/projects.py
@@ -259,6 +259,7 @@ class Project(UnifiedJobTemplate, ProjectOptions, ResourceMixin, CustomVirtualEn
    class Meta:
        app_label = 'main'
        ordering = ('id',)
+        permissions = [('update_project', 'Can run a project update'), ('use_project', 'Can use project in a job template')]

    default_environment = models.ForeignKey(
        'ExecutionEnvironment',
--- a/awx/main/models/rbac.py
+++ b/awx/main/models/rbac.py
@@ -7,14 +7,27 @@ import threading
 import contextlib
 import re

+# django-rest-framework
+from rest_framework.serializers import ValidationError
+
 # Django
 from django.db import models, transaction, connection
+from django.db.models.signals import m2m_changed
+from django.contrib.auth import get_user_model
 from django.contrib.contenttypes.models import ContentType
 from django.contrib.contenttypes.fields import GenericForeignKey
 from django.utils.translation import gettext_lazy as _
+from django.apps import apps
+from django.conf import settings
+
+# Ansible_base app
+from ansible_base.rbac.models import RoleDefinition
+from ansible_base.lib.utils.models import get_type_for_model

 # AWX
 from awx.api.versioning import reverse
+from awx.main.migrations._dab_rbac import build_role_map, get_permissions_for_role
+from awx.main.constants import role_name_to_perm_mapping, org_role_to_permission

 __all__ = [
    'Role',
@@ -75,6 +88,11 @@ role_descriptions = {
 }


+to_permissions = {}
+for k, v in role_name_to_perm_mapping.items():
+    to_permissions[k] = v[0].strip('_')
+
+
 tls = threading.local()  # thread local storage


@@ -86,10 +104,8 @@ def check_singleton(func):
    """

    def wrapper(*args, **kwargs):
-        sys_admin = Role.singleton(ROLE_SINGLETON_SYSTEM_ADMINISTRATOR)
-        sys_audit = Role.singleton(ROLE_SINGLETON_SYSTEM_AUDITOR)
        user = args[0]
-        if user in sys_admin or user in sys_audit:
+        if user.is_superuser or user.is_system_auditor:
            if len(args) == 2:
                return args[1]
            return Role.objects.all()
@@ -169,6 +185,24 @@ class Role(models.Model):

    def __contains__(self, accessor):
        if accessor._meta.model_name == 'user':
+            if accessor.is_superuser:
+                return True
+            if self.role_field == 'system_administrator':
+                return accessor.is_superuser
+            elif self.role_field == 'system_auditor':
+                return accessor.is_system_auditor
+            elif self.role_field in ('read_role', 'auditor_role') and accessor.is_system_auditor:
+                return True
+
+            if settings.ANSIBLE_BASE_ROLE_SYSTEM_ACTIVATED:
+                if self.content_object and self.content_object._meta.model_name == 'organization' and self.role_field in org_role_to_permission:
+                    codename = org_role_to_permission[self.role_field]
+
+                    return accessor.has_obj_perm(self.content_object, codename)
+
+                if self.role_field not in to_permissions:
+                    raise Exception(f'{self.role_field} evaluated but not a translatable permission')
+                return accessor.has_obj_perm(self.content_object, to_permissions[self.role_field])
            return self.ancestors.filter(members=accessor).exists()
        else:
            raise RuntimeError(f'Role evaluations only valid for users, received {accessor}')
@@ -280,6 +314,9 @@ class Role(models.Model):
        #
        #

+        if settings.ANSIBLE_BASE_ROLE_SYSTEM_ACTIVATED:
+            return
+
        if len(additions) == 0 and len(removals) == 0:
            return

@@ -412,6 +449,12 @@ class Role(models.Model):
        in their organization, but some of those roles descend from
        organization admin_role, but not auditor_role.
        """
+        if settings.ANSIBLE_BASE_ROLE_SYSTEM_ACTIVATED:
+            from ansible_base.rbac.models import RoleEvaluation
+
+            q = RoleEvaluation.objects.filter(role__in=user.has_roles.all()).values_list('object_id', 'content_type_id').query
+            return roles_qs.extra(where=[f'(object_id,content_type_id) in ({q})'])
+
        return roles_qs.filter(
            id__in=RoleAncestorEntry.objects.filter(
                descendent__in=RoleAncestorEntry.objects.filter(ancestor_id__in=list(user.roles.values_list('id', flat=True))).values_list(
@@ -434,6 +477,13 @@ class Role(models.Model):
        return self.singleton_name in [ROLE_SINGLETON_SYSTEM_ADMINISTRATOR, ROLE_SINGLETON_SYSTEM_AUDITOR]


+class AncestorManager(models.Manager):
+    def get_queryset(self):
+        if settings.ANSIBLE_BASE_ROLE_SYSTEM_ACTIVATED:
+            raise RuntimeError('The old RBAC system has been disabled, this should never be called')
+        return super(AncestorManager, self).get_queryset()
+
+
 class RoleAncestorEntry(models.Model):
    class Meta:
        app_label = 'main'
@@ -451,6 +501,8 @@ class RoleAncestorEntry(models.Model):
    content_type_id = models.PositiveIntegerField(null=False)
    object_id = models.PositiveIntegerField(null=False)

+    objects = AncestorManager()
+

 def role_summary_fields_generator(content_object, role_field):
    global role_descriptions
@@ -479,3 +531,168 @@ def role_summary_fields_generator(content_object, role_field):
    summary['name'] = role_names[role_field]
    summary['id'] = getattr(content_object, '{}_id'.format(role_field))
    return summary
+
+
+# ----------------- Custom Role Compatibility -------------------------
+# The following are methods to connect this (old) RBAC system to the new
+# system which allows custom roles
+# this follows the ORM interface layer documented in docs/rbac.md
+def get_role_codenames(role):
+    obj = role.content_object
+    if obj is None:
+        return
+    f = obj._meta.get_field(role.role_field)
+    parents, children = build_role_map(apps)
+    return [perm.codename for perm in get_permissions_for_role(f, children, apps)]
+
+
+def get_role_definition(role):
+    """Given a old-style role, this gives a role definition in the new RBAC system for it"""
+    obj = role.content_object
+    if obj is None:
+        return
+    f = obj._meta.get_field(role.role_field)
+    action_name = f.name.rsplit("_", 1)[0]
+    rd_name = f'{type(obj).__name__} {action_name.title()} Compat'
+    perm_list = get_role_codenames(role)
+    defaults = {'content_type_id': role.content_type_id}
+    try:
+        rd, created = RoleDefinition.objects.get_or_create(name=rd_name, permissions=perm_list, defaults=defaults)
+    except ValidationError:
+        # This is a tricky case - practically speaking, users should not be allowed to create team roles
+        # or roles that include the team member permission.
+        # If we need to create this for compatibility purposes then we will create it as a managed non-editable role
+        defaults['managed'] = True
+        rd, created = RoleDefinition.objects.get_or_create(name=rd_name, permissions=perm_list, defaults=defaults)
+    return rd
+
+
+def get_role_from_object_role(object_role):
+    """
+    Given an object role from the new system, return the corresponding role from the old system
+    reverses naming from get_role_definition, and the ANSIBLE_BASE_ROLE_PRECREATE setting.
+    """
+    rd = object_role.role_definition
+    if rd.name.endswith(' Compat'):
+        model_name, role_name, _ = rd.name.split()
+        role_name = role_name.lower()
+        role_name += '_role'
+    elif rd.name.endswith(' Admin') and rd.name.count(' ') == 2:
+        # cases like "Organization Project Admin"
+        model_name, target_model_name, role_name = rd.name.split()
+        role_name = role_name.lower()
+        model_cls = apps.get_model('main', target_model_name)
+        target_model_name = get_type_for_model(model_cls)
+        if target_model_name == 'notification_template':
+            target_model_name = 'notification'  # total exception
+        role_name = f'{target_model_name}_admin_role'
+    elif rd.name.endswith(' Admin'):
+        # cases like "project-admin"
+        role_name = 'admin_role'
+    else:
+        print(rd.name)
+        model_name, role_name = rd.name.split()
+        role_name = role_name.lower()
+        role_name += '_role'
+    return getattr(object_role.content_object, role_name)
+
+
+def give_or_remove_permission(role, actor, giving=True):
+    obj = role.content_object
+    if obj is None:
+        return
+    rd = get_role_definition(role)
+    rd.give_or_remove_permission(actor, obj, giving=giving)
+
+
+class SyncEnabled(threading.local):
+    def __init__(self):
+        self.enabled = True
+
+
+rbac_sync_enabled = SyncEnabled()
+
+
+@contextlib.contextmanager
+def disable_rbac_sync():
+    try:
+        previous_value = rbac_sync_enabled.enabled
+        rbac_sync_enabled.enabled = False
+        yield
+    finally:
+        rbac_sync_enabled.enabled = previous_value
+
+
+def give_creator_permissions(user, obj):
+    assignment = RoleDefinition.objects.give_creator_permissions(user, obj)
+    if assignment:
+        with disable_rbac_sync():
+            old_role = get_role_from_object_role(assignment.object_role)
+            old_role.members.add(user)
+
+
+def sync_members_to_new_rbac(instance, action, model, pk_set, reverse, **kwargs):
+    if action.startswith('pre_'):
+        return
+    if not rbac_sync_enabled.enabled:
+        return
+
+    if action == 'post_add':
+        is_giving = True
+    elif action == 'post_remove':
+        is_giving = False
+    elif action == 'post_clear':
+        raise RuntimeError('Clearing of role members not supported')
+
+    if reverse:
+        user = instance
+    else:
+        role = instance
+
+    for user_or_role_id in pk_set:
+        if reverse:
+            role = Role.objects.get(pk=user_or_role_id)
+        else:
+            user = get_user_model().objects.get(pk=user_or_role_id)
+        give_or_remove_permission(role, user, giving=is_giving)
+
+
+def sync_parents_to_new_rbac(instance, action, model, pk_set, reverse, **kwargs):
+    if action.startswith('pre_'):
+        return
+
+    if action == 'post_add':
+        is_giving = True
+    elif action == 'post_remove':
+        is_giving = False
+    elif action == 'post_clear':
+        raise RuntimeError('Clearing of role members not supported')
+
+    if reverse:
+        parent_role = instance
+    else:
+        child_role = instance
+
+    for role_id in pk_set:
+        if reverse:
+            child_role = Role.objects.get(id=role_id)
+        else:
+            parent_role = Role.objects.get(id=role_id)
+
+        # To a fault, we want to avoid running this if triggered from implicit_parents management
+        # we only want to do anything if we know for sure this is a non-implicit team role
+        if parent_role.role_field == 'member_role' and parent_role.content_type.model == 'team':
+            # Team internal parents are member_role->read_role and admin_role->member_role
+            # for the same object, this parenting will also be implicit_parents management
+            # do nothing for internal parents, but OTHER teams may still be assigned permissions to a team
+            if (child_role.content_type_id == parent_role.content_type_id) and (child_role.object_id == parent_role.object_id):
+                return
+
+            from awx.main.models.organization import Team
+
+            team = Team.objects.get(pk=parent_role.object_id)
+            give_or_remove_permission(child_role, team, giving=is_giving)
+
+
+m2m_changed.connect(sync_members_to_new_rbac, Role.members.through)
+m2m_changed.connect(sync_parents_to_new_rbac, Role.parents.through)
--- a/awx/main/models/unified_jobs.py
+++ b/awx/main/models/unified_jobs.py
@@ -37,7 +37,8 @@ from awx.main.models.base import CommonModelNameNotUnique, PasswordFieldsModel,
 from awx.main.dispatch import get_task_queuename
 from awx.main.dispatch.control import Control as ControlDispatcher
 from awx.main.registrar import activity_stream_registrar
-from awx.main.models.mixins import ResourceMixin, TaskManagerUnifiedJobMixin, ExecutionEnvironmentMixin
+from awx.main.models.mixins import TaskManagerUnifiedJobMixin, ExecutionEnvironmentMixin
+from awx.main.models.rbac import to_permissions
 from awx.main.utils.common import (
    camelcase_to_underscore,
    get_model_for_type,
@@ -210,7 +211,15 @@ class UnifiedJobTemplate(PolymorphicModel, CommonModelNameNotUnique, ExecutionEn
        # do not use this if in a subclass
        if cls != UnifiedJobTemplate:
            return super(UnifiedJobTemplate, cls).accessible_pk_qs(accessor, role_field)
-        return ResourceMixin._accessible_pk_qs(cls, accessor, role_field, content_types=cls._submodels_with_roles())
+        from ansible_base.rbac.models import RoleEvaluation
+
+        action = to_permissions[role_field]
+
+        return (
+            RoleEvaluation.objects.filter(role__in=accessor.has_roles.all(), codename__startswith=action, content_type_id__in=cls._submodels_with_roles())
+            .values_list('object_id')
+            .distinct()
+        )

    def _perform_unique_checks(self, unique_checks):
        # Handle the list of unique fields returned above. Replace with an
@@ -1599,7 +1608,8 @@ class UnifiedJob(
            extra["controller_node"] = self.controller_node or "NOT_SET"
        elif state == "execution_node_chosen":
            extra["execution_node"] = self.execution_node or "NOT_SET"
-        logger_job_lifecycle.info(msg, extra=extra)
+
+        logger_job_lifecycle.info(f"{msg} {json.dumps(extra)}")

    @property
    def launched_by(self):
--- a/awx/main/models/workflow.py
+++ b/awx/main/models/workflow.py
@@ -467,6 +467,10 @@ class WorkflowJobTemplate(UnifiedJobTemplate, WorkflowJobOptions, SurveyJobTempl

    class Meta:
        app_label = 'main'
+        permissions = [
+            ('execute_workflowjobtemplate', 'Can run this workflow job template'),
+            ('approve_workflowjobtemplate', 'Can approve steps in this workflow job template'),
+        ]

    notification_templates_approvals = models.ManyToManyField(
        "NotificationTemplate",
--- a/awx/main/signals.py
+++ b/awx/main/signals.py
@@ -126,6 +126,8 @@ def rebuild_role_ancestor_list(reverse, model, instance, pk_set, action, **kwarg

 def sync_superuser_status_to_rbac(instance, **kwargs):
    'When the is_superuser flag is changed on a user, reflect that in the membership of the System Admnistrator role'
+    if settings.ANSIBLE_BASE_ROLE_SYSTEM_ACTIVATED:
+        return
    update_fields = kwargs.get('update_fields', None)
    if update_fields and 'is_superuser' not in update_fields:
        return
@@ -137,6 +139,8 @@ def sync_superuser_status_to_rbac(instance, **kwargs):

 def sync_rbac_to_superuser_status(instance, sender, **kwargs):
    'When the is_superuser flag is false but a user has the System Admin role, update the database to reflect that'
+    if settings.ANSIBLE_BASE_ROLE_SYSTEM_ACTIVATED:
+        return
    if kwargs['action'] in ['post_add', 'post_remove', 'post_clear']:
        new_status_value = bool(kwargs['action'] == 'post_add')
        if hasattr(instance, 'singleton_name'):  # duck typing, role.members.add() vs user.roles.add()
--- a/awx/main/tasks/receptor.py
+++ b/awx/main/tasks/receptor.py
@@ -49,6 +49,70 @@ class ReceptorConnectionType(Enum):
    STREAMTLS = 2


+"""
+Translate receptorctl messages that come in over stdout into
+structured messages. Currently, these are error messages.
+"""
+
+
+class ReceptorErrorBase:
+    _MESSAGE = 'Receptor Error'
+
+    def __init__(self, node: str = 'N/A', state_name: str = 'N/A'):
+        self.node = node
+        self.state_name = state_name
+
+    def __str__(self):
+        return f"{self.__class__.__name__} '{self._MESSAGE}' on node '{self.node}' with state '{self.state_name}'"
+
+
+class WorkUnitError(ReceptorErrorBase):
+    _MESSAGE = 'unknown work unit '
+
+    def __init__(self, work_unit_id: str, *args, **kwargs):
+        super().__init__(*args, **kwargs)
+        self.work_unit_id = work_unit_id
+
+    def __str__(self):
+        return f"{super().__str__()} work unit id '{self.work_unit_id}'"
+
+
+class WorkUnitCancelError(WorkUnitError):
+    _MESSAGE = 'error cancelling remote unit:  unknown work unit '
+
+
+class WorkUnitResultsError(WorkUnitError):
+    _MESSAGE = 'Failed to get results: unknown work unit '
+
+
+class UnknownError(ReceptorErrorBase):
+    _MESSAGE = 'Unknown receptor ctl error'
+
+    def __init__(self, msg, *args, **kwargs):
+        super().__init__(*args, **kwargs)
+        self._MESSAGE = msg
+
+
+class FuzzyError:
+    def __new__(self, e: RuntimeError, node: str, state_name: str):
+        """
+        At the time of writing this comment all of the sub-classes detection
+        is centralized in this parent class. It's like a Router().
+        Someone may find it better to push down the error detection logic into
+        each sub-class.
+        """
+        msg = e.args[0]
+
+        common_startswith = (WorkUnitCancelError, WorkUnitResultsError, WorkUnitError)
+
+        for klass in common_startswith:
+            if msg.startswith(klass._MESSAGE):
+                work_unit_id = msg[len(klass._MESSAGE) :]
+                return klass(work_unit_id, node=node, state_name=state_name)
+
+        return UnknownError(msg, node=node, state_name=state_name)
+
+
 def read_receptor_config():
    # for K8S deployments, getting a lock is necessary as another process
    # may be re-writing the config at this time
@@ -185,6 +249,7 @@ def run_until_complete(node, timing_data=None, **kwargs):
        timing_data['transmit_timing'] = run_start - transmit_start
    run_timing = 0.0
    stdout = ''
+    state_name = 'local var never set'

    try:
        resultfile = receptor_ctl.get_work_results(unit_id)
@@ -205,13 +270,33 @@ def run_until_complete(node, timing_data=None, **kwargs):
        stdout = resultfile.read()
        stdout = str(stdout, encoding='utf-8')

+    except RuntimeError as e:
+        receptor_e = FuzzyError(e, node, state_name)
+        if type(receptor_e) in (
+            WorkUnitError,
+            WorkUnitResultsError,
+        ):
+            logger.warning(f'While consuming job results: {receptor_e}')
+        else:
+            raise
    finally:
        if settings.RECEPTOR_RELEASE_WORK:
-            res = receptor_ctl.simple_command(f"work release {unit_id}")
-            if res != {'released': unit_id}:
-                logger.warning(f'Could not confirm release of receptor work unit id {unit_id} from {node}, data: {res}')
+            try:
+                res = receptor_ctl.simple_command(f"work release {unit_id}")

-        receptor_ctl.close()
+                if res != {'released': unit_id}:
+                    logger.warning(f'Could not confirm release of receptor work unit id {unit_id} from {node}, data: {res}')
+
+                receptor_ctl.close()
+            except RuntimeError as e:
+                receptor_e = FuzzyError(e, node, state_name)
+                if type(receptor_e) in (
+                    WorkUnitError,
+                    WorkUnitCancelError,
+                ):
+                    logger.warning(f"While releasing work: {receptor_e}")
+                else:
+                    logger.error(f"While releasing work: {receptor_e}")

    if state_name.lower() == 'failed':
        work_detail = status.get('Detail', '')
@@ -275,7 +360,7 @@ def _convert_args_to_cli(vargs):
    args = ['cleanup']
    for option in ('exclude_strings', 'remove_images'):
        if vargs.get(option):
-            args.append('--{}={}'.format(option.replace('_', '-'), ' '.join(vargs.get(option))))
+            args.append('--{}="{}"'.format(option.replace('_', '-'), ' '.join(vargs.get(option))))
    for option in ('file_pattern', 'image_prune', 'process_isolation_executable', 'grace_period'):
        if vargs.get(option) is True:
            args.append('--{}'.format(option.replace('_', '-')))
--- a/awx/main/tests/data/ansible_utils/playbooks/valid/hello_world.yml
+++ b/awx/main/tests/data/ansible_utils/playbooks/valid/hello_world.yml
@@ -3,5 +3,5 @@
  hosts: all
  tasks:
    - name: Hello Message
-      debug:
+      ansible.builtin.debug:
        msg: "Hello World!"
--- a/awx/main/tests/data/inventory/plugins/terraform/env.json
+++ b/awx/main/tests/data/inventory/plugins/terraform/env.json
@@ -1,3 +1,3 @@
 {
-    "TF_BACKEND_CONFIG_FILE": "{{ file_reference }}"
+    "GOOGLE_BACKEND_CREDENTIALS": "{{ file_reference }}"
 }
--- a/awx/main/tests/docs/test_swagger_generation.py
+++ b/awx/main/tests/docs/test_swagger_generation.py
@@ -99,7 +99,7 @@ class TestSwaggerGeneration:
        # The number of API endpoints changes over time, but let's just check
        # for a reasonable number here; if this test starts failing, raise/lower the bounds
        paths = JSON['paths']
-        assert 250 < len(paths) < 375
+        assert 250 < len(paths) < 400
        assert set(list(paths['/api/'].keys())) == set(['get', 'parameters'])
        assert set(list(paths['/api/v2/'].keys())) == set(['get', 'parameters'])
        assert set(list(sorted(paths['/api/v2/credentials/'].keys()))) == set(['get', 'post', 'parameters'])
--- a/awx/main/tests/functional/analytics/test_metrics.py
+++ b/awx/main/tests/functional/analytics/test_metrics.py
@@ -4,7 +4,6 @@ from prometheus_client.parser import text_string_to_metric_families
 from awx.main import models
 from awx.main.analytics.metrics import metrics
 from awx.api.versioning import reverse
-from awx.main.models.rbac import Role

 EXPECTED_VALUES = {
    'awx_system_info': 1.0,
@@ -66,7 +65,6 @@ def test_metrics_permissions(get, admin, org_admin, alice, bob, organization):
    organization.auditor_role.members.add(bob)
    assert get(get_metrics_view_db_only(), user=bob).status_code == 403

-    Role.singleton('system_auditor').members.add(bob)
    bob.is_system_auditor = True
    assert get(get_metrics_view_db_only(), user=bob).status_code == 200

--- a/awx/main/tests/functional/api/test_auth.py
+++ b/awx/main/tests/functional/api/test_auth.py
@@ -6,7 +6,7 @@ from django.test import Client
 from rest_framework.test import APIRequestFactory

 from awx.api.generics import LoggedLoginView
-from awx.api.versioning import drf_reverse
+from rest_framework.reverse import reverse as drf_reverse


@pytest.mark.django_db
--- a/awx/main/tests/functional/api/test_credential.py
+++ b/awx/main/tests/functional/api/test_credential.py
@@ -385,10 +385,9 @@ def test_list_created_org_credentials(post, get, organization, org_admin, org_me
@pytest.mark.django_db
 def test_list_cannot_order_by_encrypted_field(post, get, organization, org_admin, credentialtype_ssh, order_by):
    for i, password in enumerate(('abc', 'def', 'xyz')):
-        response = post(reverse('api:credential_list'), {'organization': organization.id, 'name': 'C%d' % i, 'password': password}, org_admin)
+        post(reverse('api:credential_list'), {'organization': organization.id, 'name': 'C%d' % i, 'password': password}, org_admin, expect=400)

-    response = get(reverse('api:credential_list'), org_admin, QUERY_STRING='order_by=%s' % order_by, status=400)
-    assert response.status_code == 400
+    get(reverse('api:credential_list'), org_admin, QUERY_STRING='order_by=%s' % order_by, expect=400)


@pytest.mark.django_db
@@ -399,8 +398,7 @@ def test_inputs_cannot_contain_extra_fields(get, post, organization, admin, cred
        'credential_type': credentialtype_ssh.pk,
        'inputs': {'invalid_field': 'foo'},
    }
-    response = post(reverse('api:credential_list'), params, admin)
-    assert response.status_code == 400
+    response = post(reverse('api:credential_list'), params, admin, expect=400)
    assert "'invalid_field' was unexpected" in response.data['inputs'][0]


--- a/awx/main/tests/functional/api/test_oauth.py
+++ b/awx/main/tests/functional/api/test_oauth.py
@@ -8,8 +8,10 @@ from django.db import connection
 from django.test.utils import override_settings
 from django.utils.encoding import smart_str, smart_bytes

+from rest_framework.reverse import reverse as drf_reverse
+
 from awx.main.utils.encryption import decrypt_value, get_encryption_key
-from awx.api.versioning import reverse, drf_reverse
+from awx.api.versioning import reverse
 from awx.main.models.oauth import OAuth2Application as Application, OAuth2AccessToken as AccessToken
 from awx.main.tests.functional import immediate_on_commit
 from awx.sso.models import UserEnterpriseAuth
--- a/awx/main/tests/functional/api/test_role.py
+++ b/awx/main/tests/functional/api/test_role.py
@@ -3,17 +3,6 @@ import pytest
 from awx.api.versioning import reverse


-@pytest.mark.django_db
-def test_admin_visible_to_orphaned_users(get, alice):
-    names = set()
-
-    response = get(reverse('api:role_list'), user=alice)
-    for item in response.data['results']:
-        names.add(item['name'])
-    assert 'System Auditor' in names
-    assert 'System Administrator' in names
-
-
@pytest.mark.django_db
@pytest.mark.parametrize('role,code', [('member_role', 400), ('admin_role', 400), ('inventory_admin_role', 204)])
@pytest.mark.parametrize('reversed', [True, False])
--- a/awx/main/tests/functional/conftest.py
+++ b/awx/main/tests/functional/conftest.py
@@ -32,7 +32,6 @@ from awx.main.models.organization import (
    Organization,
    Team,
 )
-from awx.main.models.rbac import Role
 from awx.main.models.notifications import NotificationTemplate, Notification
 from awx.main.models.events import (
    JobEvent,
@@ -434,7 +433,7 @@ def admin(user):
@pytest.fixture
 def system_auditor(user):
    u = user('an-auditor', False)
-    Role.singleton('system_auditor').members.add(u)
+    u.is_system_auditor = True
    return u


--- a/awx/main/tests/functional/dab_rbac/conftest.py
+++ b/awx/main/tests/functional/dab_rbac/conftest.py
@@ -0,0 +1,10 @@
+import pytest
+from django.apps import apps
+
+from awx.main.migrations._dab_rbac import setup_managed_role_definitions
+
+
+@pytest.fixture
+def managed_roles():
+    "Run the migration script to pre-create managed role definitions"
+    setup_managed_role_definitions(apps, None)
--- a/awx/main/tests/functional/dab_rbac/test_access_list.py
+++ b/awx/main/tests/functional/dab_rbac/test_access_list.py
@@ -0,0 +1,111 @@
+import pytest
+
+from awx.main.models import User
+from awx.api.versioning import reverse
+
+
+@pytest.mark.django_db
+def test_access_list_superuser(get, admin_user, inventory):
+    url = reverse('api:inventory_access_list', kwargs={'pk': inventory.id})
+
+    response = get(url, user=admin_user, expect=200)
+    by_username = {}
+    for entry in response.data['results']:
+        by_username[entry['username']] = entry
+    assert 'admin' in by_username
+
+    assert len(by_username['admin']['summary_fields']['indirect_access']) == 1
+    assert len(by_username['admin']['summary_fields']['direct_access']) == 0
+    access_entry = by_username['admin']['summary_fields']['indirect_access'][0]
+    assert sorted(access_entry['descendant_roles']) == sorted(['adhoc_role', 'use_role', 'update_role', 'read_role', 'admin_role'])
+
+
+@pytest.mark.django_db
+def test_access_list_system_auditor(get, admin_user, inventory):
+    sys_auditor = User.objects.create(username='sys-aud')
+    sys_auditor.is_system_auditor = True
+    assert sys_auditor.is_system_auditor
+    url = reverse('api:inventory_access_list', kwargs={'pk': inventory.id})
+
+    response = get(url, user=admin_user, expect=200)
+    by_username = {}
+    for entry in response.data['results']:
+        by_username[entry['username']] = entry
+    assert 'sys-aud' in by_username
+
+    assert len(by_username['sys-aud']['summary_fields']['indirect_access']) == 1
+    assert len(by_username['sys-aud']['summary_fields']['direct_access']) == 0
+    access_entry = by_username['sys-aud']['summary_fields']['indirect_access'][0]
+    assert access_entry['descendant_roles'] == ['read_role']
+
+
+@pytest.mark.django_db
+def test_access_list_direct_access(get, admin_user, inventory):
+    u1 = User.objects.create(username='u1')
+
+    inventory.admin_role.members.add(u1)
+
+    url = reverse('api:inventory_access_list', kwargs={'pk': inventory.id})
+    response = get(url, user=admin_user, expect=200)
+    by_username = {}
+    for entry in response.data['results']:
+        by_username[entry['username']] = entry
+    assert 'u1' in by_username
+
+    assert len(by_username['u1']['summary_fields']['direct_access']) == 1
+    assert len(by_username['u1']['summary_fields']['indirect_access']) == 0
+    access_entry = by_username['u1']['summary_fields']['direct_access'][0]
+    assert sorted(access_entry['descendant_roles']) == sorted(['adhoc_role', 'use_role', 'update_role', 'read_role', 'admin_role'])
+
+
+@pytest.mark.django_db
+def test_access_list_organization_access(get, admin_user, inventory):
+    u2 = User.objects.create(username='u2')
+
+    inventory.organization.inventory_admin_role.members.add(u2)
+
+    # User has indirect access to the inventory
+    url = reverse('api:inventory_access_list', kwargs={'pk': inventory.id})
+    response = get(url, user=admin_user, expect=200)
+    by_username = {}
+    for entry in response.data['results']:
+        by_username[entry['username']] = entry
+    assert 'u2' in by_username
+
+    assert len(by_username['u2']['summary_fields']['indirect_access']) == 1
+    assert len(by_username['u2']['summary_fields']['direct_access']) == 0
+    access_entry = by_username['u2']['summary_fields']['indirect_access'][0]
+    assert sorted(access_entry['descendant_roles']) == sorted(['adhoc_role', 'use_role', 'update_role', 'read_role', 'admin_role'])
+
+    # Test that user shows up in the organization access list with direct access of expected roles
+    url = reverse('api:organization_access_list', kwargs={'pk': inventory.organization_id})
+    response = get(url, user=admin_user, expect=200)
+    by_username = {}
+    for entry in response.data['results']:
+        by_username[entry['username']] = entry
+    assert 'u2' in by_username
+
+    assert len(by_username['u2']['summary_fields']['direct_access']) == 1
+    assert len(by_username['u2']['summary_fields']['indirect_access']) == 0
+    access_entry = by_username['u2']['summary_fields']['direct_access'][0]
+    assert sorted(access_entry['descendant_roles']) == sorted(['inventory_admin_role', 'read_role'])
+
+
+@pytest.mark.django_db
+def test_team_indirect_access(get, team, admin_user, inventory):
+    u1 = User.objects.create(username='u1')
+    team.member_role.members.add(u1)
+
+    inventory.organization.inventory_admin_role.parents.add(team.member_role)
+
+    url = reverse('api:inventory_access_list', kwargs={'pk': inventory.id})
+    response = get(url, user=admin_user, expect=200)
+    by_username = {}
+    for entry in response.data['results']:
+        by_username[entry['username']] = entry
+    assert 'u1' in by_username
+
+    assert len(by_username['u1']['summary_fields']['direct_access']) == 1
+    assert len(by_username['u1']['summary_fields']['indirect_access']) == 0
+    access_entry = by_username['u1']['summary_fields']['direct_access'][0]
+    assert sorted(access_entry['descendant_roles']) == sorted(['adhoc_role', 'use_role', 'update_role', 'read_role', 'admin_role'])
--- a/awx/main/tests/functional/dab_rbac/test_dab_migration.py
+++ b/awx/main/tests/functional/dab_rbac/test_dab_migration.py
@@ -0,0 +1,45 @@
+import pytest
+from django.apps import apps
+from django.test.utils import override_settings
+
+from awx.main.migrations._dab_rbac import setup_managed_role_definitions
+
+from ansible_base.rbac.models import RoleDefinition
+
+INVENTORY_OBJ_PERMISSIONS = ['view_inventory', 'adhoc_inventory', 'use_inventory', 'change_inventory', 'delete_inventory', 'update_inventory']
+
+
+@pytest.mark.django_db
+def test_managed_definitions_precreate():
+    with override_settings(
+        ANSIBLE_BASE_ROLE_PRECREATE={
+            'object_admin': '{cls._meta.model_name}-admin',
+            'org_admin': 'organization-admin',
+            'org_children': 'organization-{cls._meta.model_name}-admin',
+            'special': '{cls._meta.model_name}-{action}',
+        }
+    ):
+        setup_managed_role_definitions(apps, None)
+    rd = RoleDefinition.objects.get(name='inventory-admin')
+    assert rd.managed is True
+    # add permissions do not go in the object-level admin
+    assert set(rd.permissions.values_list('codename', flat=True)) == set(INVENTORY_OBJ_PERMISSIONS)
+
+    # test org-level object admin permissions
+    rd = RoleDefinition.objects.get(name='organization-inventory-admin')
+    assert rd.managed is True
+    assert set(rd.permissions.values_list('codename', flat=True)) == set(['add_inventory', 'view_organization'] + INVENTORY_OBJ_PERMISSIONS)
+
+
+@pytest.mark.django_db
+def test_managed_definitions_custom_obj_admin_name():
+    with override_settings(
+        ANSIBLE_BASE_ROLE_PRECREATE={
+            'object_admin': 'foo-{cls._meta.model_name}-foo',
+        }
+    ):
+        setup_managed_role_definitions(apps, None)
+    rd = RoleDefinition.objects.get(name='foo-inventory-foo')
+    assert rd.managed is True
+    # add permissions do not go in the object-level admin
+    assert set(rd.permissions.values_list('codename', flat=True)) == set(INVENTORY_OBJ_PERMISSIONS)
--- a/awx/main/tests/functional/dab_rbac/test_dab_rbac_api.py
+++ b/awx/main/tests/functional/dab_rbac/test_dab_rbac_api.py
@@ -0,0 +1,90 @@
+import pytest
+
+from django.contrib.contenttypes.models import ContentType
+from django.urls import reverse as django_reverse
+
+from awx.api.versioning import reverse
+from awx.main.models import JobTemplate, Inventory, Organization
+
+from ansible_base.rbac.models import RoleDefinition
+
+
+@pytest.mark.django_db
+def test_managed_roles_created(managed_roles):
+    "Managed RoleDefinitions are created in post_migration signal, we expect to see them here"
+    for cls in (JobTemplate, Inventory):
+        ct = ContentType.objects.get_for_model(cls)
+        rds = list(RoleDefinition.objects.filter(content_type=ct))
+        assert len(rds) > 1
+        assert f'{cls.__name__} Admin' in [rd.name for rd in rds]
+        for rd in rds:
+            assert rd.managed is True
+
+
+@pytest.mark.django_db
+def test_custom_read_role(admin_user, post, managed_roles):
+    rd_url = django_reverse('roledefinition-list')
+    resp = post(
+        url=rd_url, data={"name": "read role made for test", "content_type": "awx.inventory", "permissions": ['view_inventory']}, user=admin_user, expect=201
+    )
+    rd_id = resp.data['id']
+    rd = RoleDefinition.objects.get(id=rd_id)
+    assert rd.content_type == ContentType.objects.get_for_model(Inventory)
+
+
+@pytest.mark.django_db
+def test_custom_system_roles_prohibited(admin_user, post):
+    rd_url = django_reverse('roledefinition-list')
+    resp = post(url=rd_url, data={"name": "read role made for test", "content_type": None, "permissions": ['view_inventory']}, user=admin_user, expect=400)
+    assert 'System-wide roles are not enabled' in str(resp.data)
+
+
+@pytest.mark.django_db
+def test_assignment_to_invisible_user(admin_user, alice, rando, inventory, post, managed_roles):
+    "Alice can not see rando, and so can not give them a role assignment"
+    rd = RoleDefinition.objects.get(name='Inventory Admin')
+    rd.give_permission(alice, inventory)
+    url = django_reverse('roleuserassignment-list')
+    r = post(url=url, data={"user": rando.id, "role_definition": rd.id, "object_id": inventory.id}, user=alice, expect=400)
+    assert 'does not exist' in str(r.data)
+    assert not rando.has_obj_perm(inventory, 'change')
+
+
+@pytest.mark.django_db
+def test_assign_managed_role(admin_user, alice, rando, inventory, post, managed_roles, organization):
+    rd = RoleDefinition.objects.get(name='Inventory Admin')
+    rd.give_permission(alice, inventory)
+    # When alice and rando are members of the same org, they can see each other
+    member_rd = RoleDefinition.objects.get(name='Organization Member')
+    for u in (alice, rando):
+        member_rd.give_permission(u, organization)
+    # Now that alice has full permissions to the inventory, and can see rando, she will give rando permission
+    url = django_reverse('roleuserassignment-list')
+    post(url=url, data={"user": rando.id, "role_definition": rd.id, "object_id": inventory.id}, user=alice, expect=201)
+    assert rando.has_obj_perm(inventory, 'change') is True
+
+
+@pytest.mark.django_db
+def test_assign_custom_delete_role(admin_user, rando, inventory, delete, patch):
+    rd, _ = RoleDefinition.objects.get_or_create(
+        name='inventory-delete', permissions=['delete_inventory', 'view_inventory'], content_type=ContentType.objects.get_for_model(Inventory)
+    )
+    rd.give_permission(rando, inventory)
+    inv_id = inventory.pk
+    inv_url = reverse('api:inventory_detail', kwargs={'pk': inv_id})
+    patch(url=inv_url, data={"description": "new"}, user=rando, expect=403)
+    delete(url=inv_url, user=rando, expect=202)
+    assert Inventory.objects.get(id=inv_id).pending_deletion
+
+
+@pytest.mark.django_db
+def test_assign_custom_add_role(admin_user, rando, organization, post, managed_roles):
+    rd, _ = RoleDefinition.objects.get_or_create(
+        name='inventory-add', permissions=['add_inventory', 'view_organization'], content_type=ContentType.objects.get_for_model(Organization)
+    )
+    rd.give_permission(rando, organization)
+    url = reverse('api:inventory_list')
+    r = post(url=url, data={'name': 'abc', 'organization': organization.id}, user=rando, expect=201)
+    inv_id = r.data['id']
+    inventory = Inventory.objects.get(id=inv_id)
+    assert rando.has_obj_perm(inventory, 'change')
--- a/awx/main/tests/functional/dab_rbac/test_translation_layer.py
+++ b/awx/main/tests/functional/dab_rbac/test_translation_layer.py
@@ -0,0 +1,107 @@
+from unittest import mock
+
+import pytest
+
+from awx.main.models.rbac import get_role_from_object_role, give_creator_permissions
+from awx.main.models import User, Organization, WorkflowJobTemplate, WorkflowJobTemplateNode, Team
+from awx.api.versioning import reverse
+
+from ansible_base.rbac.models import RoleUserAssignment
+
+
+@pytest.mark.django_db
+@pytest.mark.parametrize(
+    'role_name',
+    ['execution_environment_admin_role', 'project_admin_role', 'admin_role', 'auditor_role', 'read_role', 'execute_role', 'notification_admin_role'],
+)
+def test_round_trip_roles(organization, rando, role_name, managed_roles):
+    """
+    Make an assignment with the old-style role,
+    get the equivelent new role
+    get the old role again
+    """
+    getattr(organization, role_name).members.add(rando)
+    assignment = RoleUserAssignment.objects.get(user=rando)
+    print(assignment.role_definition.name)
+    old_role = get_role_from_object_role(assignment.object_role)
+    assert old_role.id == getattr(organization, role_name).id
+
+
+@pytest.mark.django_db
+def test_organization_level_permissions(organization, inventory, managed_roles):
+    u1 = User.objects.create(username='alice')
+    u2 = User.objects.create(username='bob')
+
+    organization.inventory_admin_role.members.add(u1)
+    organization.workflow_admin_role.members.add(u2)
+
+    assert u1 in inventory.admin_role
+    assert u1 in organization.inventory_admin_role
+    assert u2 in organization.workflow_admin_role
+
+    assert u2 not in organization.inventory_admin_role
+    assert u1 not in organization.workflow_admin_role
+    assert not (set(u1.has_roles.all()) & set(u2.has_roles.all()))  # user have no roles in common
+
+    # Old style
+    assert set(Organization.accessible_objects(u1, 'inventory_admin_role')) == set([organization])
+    assert set(Organization.accessible_objects(u2, 'inventory_admin_role')) == set()
+    assert set(Organization.accessible_objects(u1, 'workflow_admin_role')) == set()
+    assert set(Organization.accessible_objects(u2, 'workflow_admin_role')) == set([organization])
+
+    # New style
+    assert set(Organization.access_qs(u1, 'add_inventory')) == set([organization])
+    assert set(Organization.access_qs(u1, 'change_inventory')) == set([organization])
+    assert set(Organization.access_qs(u2, 'add_inventory')) == set()
+    assert set(Organization.access_qs(u1, 'add_workflowjobtemplate')) == set()
+    assert set(Organization.access_qs(u2, 'add_workflowjobtemplate')) == set([organization])
+
+
+@pytest.mark.django_db
+def test_organization_execute_role(organization, rando, managed_roles):
+    organization.execute_role.members.add(rando)
+    assert rando in organization.execute_role
+    assert set(Organization.accessible_objects(rando, 'execute_role')) == set([organization])
+
+
+@pytest.mark.django_db
+def test_workflow_approval_list(get, post, admin_user, managed_roles):
+    workflow_job_template = WorkflowJobTemplate.objects.create()
+    approval_node = WorkflowJobTemplateNode.objects.create(workflow_job_template=workflow_job_template)
+    url = reverse('api:workflow_job_template_node_create_approval', kwargs={'pk': approval_node.pk, 'version': 'v2'})
+    post(url, {'name': 'URL Test', 'description': 'An approval', 'timeout': 0}, user=admin_user)
+    approval_node.refresh_from_db()
+    approval_jt = approval_node.unified_job_template
+    approval_jt.create_unified_job()
+
+    r = get(url=reverse('api:workflow_approval_list'), user=admin_user, expect=200)
+    assert r.data['count'] >= 1
+
+
+@pytest.mark.django_db
+def test_creator_permission(rando, admin_user, inventory, managed_roles):
+    give_creator_permissions(rando, inventory)
+    assert rando in inventory.admin_role
+    assert rando in inventory.admin_role.members.all()
+
+
+@pytest.mark.django_db
+def test_team_team_read_role(rando, team, admin_user, post, managed_roles):
+    orgs = [Organization.objects.create(name=f'foo-{i}') for i in range(2)]
+    teams = [Team.objects.create(name=f'foo-{i}', organization=orgs[i]) for i in range(2)]
+    teams[1].member_role.members.add(rando)
+
+    # give second team read permission to first team through the API for regression testing
+    url = reverse('api:role_teams_list', kwargs={'pk': teams[0].read_role.pk, 'version': 'v2'})
+    post(url, {'id': teams[1].id}, user=admin_user)
+
+    # user should be able to view the first team
+    assert rando in teams[0].read_role
+
+
+@pytest.mark.django_db
+def test_implicit_parents_no_assignments(organization):
+    """Through the normal course of creating models, we should not be changing DAB RBAC permissions"""
+    with mock.patch('awx.main.models.rbac.give_or_remove_permission') as mck:
+        Team.objects.create(name='random team', organization=organization)
+    mck.assert_not_called()
--- a/awx/main/tests/functional/dab_resource_registry/test_ansible_id_display.py
+++ b/awx/main/tests/functional/dab_resource_registry/test_ansible_id_display.py
@@ -0,0 +1,39 @@
+import pytest
+
+from ansible_base.resource_registry.models import Resource
+
+from awx.api.versioning import reverse
+
+
+def assert_has_resource(list_response, obj=None):
+    data = list_response.data
+    assert 'resource' in data['results'][0]['summary_fields']
+    resource_data = data['results'][0]['summary_fields']['resource']
+    assert resource_data['ansible_id']
+    resource = Resource.objects.filter(ansible_id=resource_data['ansible_id']).first()
+    assert resource
+    assert resource.content_object
+    if obj:
+        objects = [Resource.objects.get(ansible_id=entry['summary_fields']['resource']['ansible_id']).content_object for entry in data['results']]
+        assert obj in objects
+
+
+@pytest.mark.django_db
+def test_organization_ansible_id(organization, admin_user, get):
+    url = reverse('api:organization_list')
+    response = get(url=url, user=admin_user, expect=200)
+    assert_has_resource(response, obj=organization)
+
+
+@pytest.mark.django_db
+def test_team_ansible_id(team, admin_user, get):
+    url = reverse('api:team_list')
+    response = get(url=url, user=admin_user, expect=200)
+    assert_has_resource(response, obj=team)
+
+
+@pytest.mark.django_db
+def test_user_ansible_id(rando, admin_user, get):
+    url = reverse('api:user_list')
+    response = get(url=url, user=admin_user, expect=200)
+    assert_has_resource(response, obj=rando)
--- a/awx/main/tests/functional/models/test_activity_stream.py
+++ b/awx/main/tests/functional/models/test_activity_stream.py
@@ -104,11 +104,13 @@ class TestRolesAssociationEntries:
        else:
            assert len(entry_qs) == 1
        # unfortunate, the original creation does _not_ set a real is_auditor field
-        assert 'is_system_auditor' not in json.loads(entry_qs[0].changes)
+        assert 'is_system_auditor' not in json.loads(entry_qs[0].changes)  # NOTE: if this fails, see special note
+        # special note - if system auditor flag is moved to user model then we expect this assertion to be changed
+        # make sure that an extra entry is not created, expectation for count would change to 1
        if value:
-            auditor_changes = json.loads(entry_qs[1].changes)
-            assert auditor_changes['object2'] == 'user'
-            assert auditor_changes['object2_pk'] == u.pk
+            entry = entry_qs[1]
+            assert json.loads(entry.changes) == {'is_system_auditor': [False, True]}
+            assert entry.object1 == 'user'

    def test_user_no_op_api(self, system_auditor):
        as_ct = ActivityStream.objects.count()
--- a/awx/main/tests/functional/models/test_context_managers.py
+++ b/awx/main/tests/functional/models/test_context_managers.py
@@ -1,7 +1,6 @@
 import pytest

 # AWX context managers for testing
-from awx.main.models.rbac import batch_role_ancestor_rebuilding
 from awx.main.signals import disable_activity_stream, disable_computed_fields, update_inventory_computed_fields

 # AWX models
@@ -10,15 +9,6 @@ from awx.main.models import ActivityStream, Job
 from awx.main.tests.functional import immediate_on_commit


-@pytest.mark.django_db
-def test_rbac_batch_rebuilding(rando, organization):
-    with batch_role_ancestor_rebuilding():
-        organization.admin_role.members.add(rando)
-        inventory = organization.inventories.create(name='test-inventory')
-        assert rando not in inventory.admin_role
-    assert rando in inventory.admin_role
-
-
@pytest.mark.django_db
 def test_disable_activity_stream():
    with disable_activity_stream():
--- a/awx/main/tests/functional/test_fixture_factories.py
+++ b/awx/main/tests/functional/test_fixture_factories.py
@@ -50,13 +50,13 @@ def test_org_factory_roles(organization_factory):
        teams=['team1', 'team2'],
        users=['team1:foo', 'bar'],
        projects=['baz', 'bang'],
-        roles=['team2.member_role:foo', 'team1.admin_role:bar', 'team1.admin_role:team2.admin_role', 'baz.admin_role:foo'],
+        roles=['team2.member_role:foo', 'team1.admin_role:bar', 'team1.member_role:team2.admin_role', 'baz.admin_role:foo'],
    )

    assert objects.users.bar in objects.teams.team2.admin_role
    assert objects.users.foo in objects.projects.baz.admin_role
    assert objects.users.foo in objects.teams.team1.member_role
-    assert objects.teams.team2.admin_role in objects.teams.team1.admin_role.children.all()
+    assert objects.teams.team2.admin_role in objects.teams.team1.member_role.children.all()


@pytest.mark.django_db
--- a/awx/main/tests/functional/test_migrations.py
+++ b/awx/main/tests/functional/test_migrations.py
@@ -1,6 +1,7 @@
 import pytest

 from django_test_migrations.plan import all_migrations, nodes_to_tuples
+from django.utils.timezone import now

 """
 Most tests that live in here can probably be deleted at some point. They are mainly
@@ -68,3 +69,19 @@ class TestMigrationSmoke:
        bar_peers = bar.peers.all()
        assert len(bar_peers) == 1
        assert fooaddr in bar_peers
+
+    def test_migrate_DAB_RBAC(self, migrator):
+        old_state = migrator.apply_initial_migration(('main', '0190_alter_inventorysource_source_and_more'))
+        Organization = old_state.apps.get_model('main', 'Organization')
+        User = old_state.apps.get_model('auth', 'User')
+
+        org = Organization.objects.create(name='arbitrary-org', created=now(), modified=now())
+        user = User.objects.create(username='random-user')
+        org.read_role.members.add(user)
+
+        new_state = migrator.apply_tested_migration(
+            ('main', '0192_custom_roles'),
+        )
+
+        RoleUserAssignment = new_state.apps.get_model('dab_rbac', 'RoleUserAssignment')
+        assert RoleUserAssignment.objects.filter(user=user.id, object_id=org.id).exists()
--- a/awx/main/tests/functional/test_named_url.py
+++ b/awx/main/tests/functional/test_named_url.py
@@ -1,9 +1,6 @@
 # -*- coding: utf-8 -*-
-from unittest import mock
-
 import pytest

-from django.core.exceptions import ImproperlyConfigured
 from django.conf import settings

 from awx.api.versioning import reverse
@@ -23,25 +20,6 @@ from awx.main.models import (  # noqa
    User,
    WorkflowJobTemplate,
 )
-from awx.conf import settings_registry
-
-
-def setup_module(module):
-    # In real-world scenario, named url graph structure is populated by __init__
-    # of URLModificationMiddleware. The way Django bootstraps ensures the initialization
-    # will happen *once and only once*, while the number of initialization is uncontrollable
-    # in unit test environment. So it is wrapped by try-except block to mute any
-    # unwanted exceptions.
-    try:
-        URLModificationMiddleware(mock.Mock())
-    except ImproperlyConfigured:
-        pass
-
-
-def teardown_module(module):
-    # settings_registry will be persistent states unless we explicitly clean them up.
-    settings_registry.unregister('NAMED_URL_FORMATS')
-    settings_registry.unregister('NAMED_URL_GRAPH_NODES')


@pytest.mark.django_db
--- a/awx/main/tests/functional/test_rbac_api.py
+++ b/awx/main/tests/functional/test_rbac_api.py
@@ -3,7 +3,9 @@ import pytest

 from django.db import transaction
 from awx.api.versioning import reverse
-from awx.main.models.rbac import Role, ROLE_SINGLETON_SYSTEM_ADMINISTRATOR
+from awx.main.models.rbac import Role
+
+from django.test.utils import override_settings


@pytest.fixture
@@ -31,8 +33,6 @@ def test_get_roles_list_user(organization, inventory, team, get, user):
    'Users can see all roles they have access to, but not all roles'
    this_user = user('user-test_get_roles_list_user')
    organization.member_role.members.add(this_user)
-    custom_role = Role.objects.create(role_field='custom_role-test_get_roles_list_user')
-    organization.member_role.children.add(custom_role)

    url = reverse('api:role_list')
    response = get(url, this_user)
@@ -46,10 +46,8 @@ def test_get_roles_list_user(organization, inventory, team, get, user):
    for r in roles['results']:
        role_hash[r['id']] = r

-    assert Role.singleton(ROLE_SINGLETON_SYSTEM_ADMINISTRATOR).id in role_hash
    assert organization.admin_role.id in role_hash
    assert organization.member_role.id in role_hash
-    assert custom_role.id in role_hash

    assert inventory.admin_role.id not in role_hash
    assert team.member_role.id not in role_hash
@@ -57,7 +55,8 @@ def test_get_roles_list_user(organization, inventory, team, get, user):

@pytest.mark.django_db
 def test_roles_visibility(get, organization, project, admin, alice, bob):
-    Role.singleton('system_auditor').members.add(alice)
+    alice.is_system_auditor = True
+    alice.save()
    assert get(reverse('api:role_list') + '?id=%d' % project.update_role.id, user=admin).data['count'] == 1
    assert get(reverse('api:role_list') + '?id=%d' % project.update_role.id, user=alice).data['count'] == 1
    assert get(reverse('api:role_list') + '?id=%d' % project.update_role.id, user=bob).data['count'] == 0
@@ -67,7 +66,8 @@ def test_roles_visibility(get, organization, project, admin, alice, bob):

@pytest.mark.django_db
 def test_roles_filter_visibility(get, organization, project, admin, alice, bob):
-    Role.singleton('system_auditor').members.add(alice)
+    alice.is_system_auditor = True
+    alice.save()
    project.update_role.members.add(admin)

    assert get(reverse('api:user_roles_list', kwargs={'pk': admin.id}) + '?id=%d' % project.update_role.id, user=admin).data['count'] == 1
@@ -105,15 +105,6 @@ def test_cant_delete_role(delete, admin, inventory):
 #


-@pytest.mark.django_db
-def test_get_user_roles_list(get, admin):
-    url = reverse('api:user_roles_list', kwargs={'pk': admin.id})
-    response = get(url, admin)
-    assert response.status_code == 200
-    roles = response.data
-    assert roles['count'] > 0  # 'system_administrator' role if nothing else
-
-
@pytest.mark.django_db
 def test_user_view_other_user_roles(organization, inventory, team, get, alice, bob):
    'Users can see roles for other users, but only the roles that that user has access to see as well'
@@ -141,7 +132,6 @@ def test_user_view_other_user_roles(organization, inventory, team, get, alice, b

    assert organization.admin_role.id in role_hash
    assert custom_role.id not in role_hash  # doesn't show up in the user roles list, not an explicit grant
-    assert Role.singleton(ROLE_SINGLETON_SYSTEM_ADMINISTRATOR).id not in role_hash
    assert inventory.admin_role.id not in role_hash
    assert team.member_role.id not in role_hash  # alice can't see this

@@ -197,6 +187,7 @@ def test_remove_role_from_user(role, post, admin):


@pytest.mark.django_db
+@override_settings(ANSIBLE_BASE_ALLOW_TEAM_ORG_ADMIN=True)
 def test_get_teams_roles_list(get, team, organization, admin):
    team.member_role.children.add(organization.admin_role)
    url = reverse('api:team_roles_list', kwargs={'pk': team.id})
--- a/awx/main/tests/functional/test_rbac_core.py
+++ b/awx/main/tests/functional/test_rbac_core.py
@@ -1,213 +0,0 @@
-import pytest
-
-from awx.main.models import (
-    Role,
-    Organization,
-    Project,
-)
-from awx.main.fields import update_role_parentage_for_instance
-
-
-@pytest.mark.django_db
-def test_auto_inheritance_by_children(organization, alice):
-    A = Role.objects.create()
-    B = Role.objects.create()
-    A.members.add(alice)
-
-    assert alice not in organization.admin_role
-    assert Organization.accessible_objects(alice, 'admin_role').count() == 0
-    A.children.add(B)
-    assert alice not in organization.admin_role
-    assert Organization.accessible_objects(alice, 'admin_role').count() == 0
-    A.children.add(organization.admin_role)
-    assert alice in organization.admin_role
-    assert Organization.accessible_objects(alice, 'admin_role').count() == 1
-    A.children.remove(organization.admin_role)
-    assert alice not in organization.admin_role
-    B.children.add(organization.admin_role)
-    assert alice in organization.admin_role
-    B.children.remove(organization.admin_role)
-    assert alice not in organization.admin_role
-    assert Organization.accessible_objects(alice, 'admin_role').count() == 0
-
-    # We've had the case where our pre/post save init handlers in our field descriptors
-    # end up creating a ton of role objects because of various not-so-obvious issues
-    assert Role.objects.count() < 50
-
-
-@pytest.mark.django_db
-def test_auto_inheritance_by_parents(organization, alice):
-    A = Role.objects.create()
-    B = Role.objects.create()
-    A.members.add(alice)
-
-    assert alice not in organization.admin_role
-    B.parents.add(A)
-    assert alice not in organization.admin_role
-    organization.admin_role.parents.add(A)
-    assert alice in organization.admin_role
-    organization.admin_role.parents.remove(A)
-    assert alice not in organization.admin_role
-    organization.admin_role.parents.add(B)
-    assert alice in organization.admin_role
-    organization.admin_role.parents.remove(B)
-    assert alice not in organization.admin_role
-
-
-@pytest.mark.django_db
-def test_accessible_objects(organization, alice, bob):
-    A = Role.objects.create()
-    A.members.add(alice)
-    B = Role.objects.create()
-    B.members.add(alice)
-    B.members.add(bob)
-
-    assert Organization.accessible_objects(alice, 'admin_role').count() == 0
-    assert Organization.accessible_objects(bob, 'admin_role').count() == 0
-    A.children.add(organization.admin_role)
-    assert Organization.accessible_objects(alice, 'admin_role').count() == 1
-    assert Organization.accessible_objects(bob, 'admin_role').count() == 0
-
-
-@pytest.mark.django_db
-def test_team_symantics(organization, team, alice):
-    assert alice not in organization.auditor_role
-    team.member_role.children.add(organization.auditor_role)
-    assert alice not in organization.auditor_role
-    team.member_role.members.add(alice)
-    assert alice in organization.auditor_role
-    team.member_role.members.remove(alice)
-    assert alice not in organization.auditor_role
-
-
-@pytest.mark.django_db
-def test_auto_field_adjustments(organization, inventory, team, alice):
-    'Ensures the auto role reparenting is working correctly through non m2m fields'
-    org2 = Organization.objects.create(name='Org 2', description='org 2')
-    org2.admin_role.members.add(alice)
-    assert alice not in inventory.admin_role
-    inventory.organization = org2
-    inventory.save()
-    assert alice in inventory.admin_role
-    inventory.organization = organization
-    inventory.save()
-    assert alice not in inventory.admin_role
-    # assert False
-
-
-@pytest.mark.django_db
-def test_implicit_deletes(alice):
-    'Ensures implicit resources and roles delete themselves'
-    delorg = Organization.objects.create(name='test-org')
-    child = Role.objects.create()
-    child.parents.add(delorg.admin_role)
-    delorg.admin_role.members.add(alice)
-
-    admin_role_id = delorg.admin_role.id
-    auditor_role_id = delorg.auditor_role.id
-
-    assert child.ancestors.count() > 1
-    assert Role.objects.filter(id=admin_role_id).count() == 1
-    assert Role.objects.filter(id=auditor_role_id).count() == 1
-    n_alice_roles = alice.roles.count()
-    n_system_admin_children = Role.singleton('system_administrator').children.count()
-
-    delorg.delete()
-
-    assert Role.objects.filter(id=admin_role_id).count() == 0
-    assert Role.objects.filter(id=auditor_role_id).count() == 0
-    assert alice.roles.count() == (n_alice_roles - 1)
-    assert Role.singleton('system_administrator').children.count() == (n_system_admin_children - 1)
-    assert child.ancestors.count() == 1
-    assert child.ancestors.all()[0] == child
-
-
-@pytest.mark.django_db
-def test_content_object(user):
-    'Ensure our content_object stuf seems to be working'
-
-    org = Organization.objects.create(name='test-org')
-    assert org.admin_role.content_object.id == org.id
-
-
-@pytest.mark.django_db
-def test_hierarchy_rebuilding_multi_path():
-    'Tests a subdtle cases around role hierarchy rebuilding when you have multiple paths to the same role of different length'
-
-    X = Role.objects.create()
-    A = Role.objects.create()
-    B = Role.objects.create()
-    C = Role.objects.create()
-    D = Role.objects.create()
-
-    A.children.add(B)
-    A.children.add(D)
-    B.children.add(C)
-    C.children.add(D)
-
-    assert A.is_ancestor_of(D)
-    assert X.is_ancestor_of(D) is False
-
-    X.children.add(A)
-
-    assert X.is_ancestor_of(D) is True
-
-    X.children.remove(A)
-
-    # This can be the stickler, the rebuilder needs to ensure that D's role
-    # hierarchy is built after both A and C are updated.
-    assert X.is_ancestor_of(D) is False
-
-
-@pytest.mark.django_db
-def test_auto_parenting():
-    org1 = Organization.objects.create(name='org1')
-    org2 = Organization.objects.create(name='org2')
-
-    prj1 = Project.objects.create(name='prj1')
-    prj2 = Project.objects.create(name='prj2')
-
-    assert org1.admin_role.is_ancestor_of(prj1.admin_role) is False
-    assert org1.admin_role.is_ancestor_of(prj2.admin_role) is False
-    assert org2.admin_role.is_ancestor_of(prj1.admin_role) is False
-    assert org2.admin_role.is_ancestor_of(prj2.admin_role) is False
-
-    prj1.organization = org1
-    prj1.save()
-
-    assert org1.admin_role.is_ancestor_of(prj1.admin_role)
-    assert org1.admin_role.is_ancestor_of(prj2.admin_role) is False
-    assert org2.admin_role.is_ancestor_of(prj1.admin_role) is False
-    assert org2.admin_role.is_ancestor_of(prj2.admin_role) is False
-
-    prj2.organization = org1
-    prj2.save()
-
-    assert org1.admin_role.is_ancestor_of(prj1.admin_role)
-    assert org1.admin_role.is_ancestor_of(prj2.admin_role)
-    assert org2.admin_role.is_ancestor_of(prj1.admin_role) is False
-    assert org2.admin_role.is_ancestor_of(prj2.admin_role) is False
-
-    prj1.organization = org2
-    prj1.save()
-
-    assert org1.admin_role.is_ancestor_of(prj1.admin_role) is False
-    assert org1.admin_role.is_ancestor_of(prj2.admin_role)
-    assert org2.admin_role.is_ancestor_of(prj1.admin_role)
-    assert org2.admin_role.is_ancestor_of(prj2.admin_role) is False
-
-    prj2.organization = org2
-    prj2.save()
-
-    assert org1.admin_role.is_ancestor_of(prj1.admin_role) is False
-    assert org1.admin_role.is_ancestor_of(prj2.admin_role) is False
-    assert org2.admin_role.is_ancestor_of(prj1.admin_role)
-    assert org2.admin_role.is_ancestor_of(prj2.admin_role)
-
-
-@pytest.mark.django_db
-def test_update_parents_keeps_teams(team, project):
-    project.update_role.parents.add(team.member_role)
-    assert list(Project.accessible_objects(team.member_role, 'update_role')) == [project]  # test prep sanity check
-    update_role_parentage_for_instance(project)
-    assert list(Project.accessible_objects(team.member_role, 'update_role')) == [project]  # actual assertion
--- a/awx/main/tests/functional/test_rbac_job_templates.py
+++ b/awx/main/tests/functional/test_rbac_job_templates.py
@@ -4,7 +4,7 @@ import pytest
 from awx.api.versioning import reverse
 from awx.main.access import BaseAccess, JobTemplateAccess, ScheduleAccess
 from awx.main.models.jobs import JobTemplate
-from awx.main.models import Project, Organization, Inventory, Schedule, User
+from awx.main.models import Project, Organization, Schedule


@mock.patch.object(BaseAccess, 'check_license', return_value=None)
@@ -177,7 +177,7 @@ def test_job_template_creator_access(project, organization, rando, post):
    jt_pk = response.data['id']
    jt_obj = JobTemplate.objects.get(pk=jt_pk)
    # Creating a JT should place the creator in the admin role
-    assert rando in jt_obj.admin_role.members.all()
+    assert rando in jt_obj.admin_role


@pytest.mark.django_db
@@ -283,48 +283,3 @@ class TestProjectOrganization:
        assert org_admin not in jt.admin_role
        patch(url=jt.get_absolute_url(), data={'project': project.id}, user=admin_user, expect=200)
        assert org_admin in jt.admin_role
-
-    def test_inventory_read_transfer_direct(self, patch):
-        orgs = []
-        invs = []
-        admins = []
-        for i in range(2):
-            org = Organization.objects.create(name='org{}'.format(i))
-            org_admin = User.objects.create(username='user{}'.format(i))
-            inv = Inventory.objects.create(organization=org, name='inv{}'.format(i))
-            org.auditor_role.members.add(org_admin)
-
-            orgs.append(org)
-            admins.append(org_admin)
-            invs.append(inv)
-
-        jt = JobTemplate.objects.create(name='foo', inventory=invs[0])
-        assert admins[0] in jt.read_role
-        assert admins[1] not in jt.read_role
-
-        jt.inventory = invs[1]
-        jt.save(update_fields=['inventory'])
-        assert admins[0] not in jt.read_role
-        assert admins[1] in jt.read_role
-
-    def test_inventory_read_transfer_indirect(self, patch):
-        orgs = []
-        admins = []
-        for i in range(2):
-            org = Organization.objects.create(name='org{}'.format(i))
-            org_admin = User.objects.create(username='user{}'.format(i))
-            org.auditor_role.members.add(org_admin)
-
-            orgs.append(org)
-            admins.append(org_admin)
-
-        inv = Inventory.objects.create(organization=orgs[0], name='inv{}'.format(i))
-
-        jt = JobTemplate.objects.create(name='foo', inventory=inv)
-        assert admins[0] in jt.read_role
-        assert admins[1] not in jt.read_role
-
-        inv.organization = orgs[1]
-        inv.save(update_fields=['organization'])
-        assert admins[0] not in jt.read_role
-        assert admins[1] in jt.read_role
--- a/awx/main/tests/functional/test_rbac_migration.py
+++ b/awx/main/tests/functional/test_rbac_migration.py
@@ -1,9 +1,7 @@
 import pytest

-from django.apps import apps
-
 from awx.main.migrations import _rbac as rbac
-from awx.main.models import UnifiedJobTemplate, InventorySource, Inventory, JobTemplate, Project, Organization, User
+from awx.main.models import UnifiedJobTemplate, InventorySource, Inventory, JobTemplate, Project, Organization


@pytest.mark.django_db
@@ -49,27 +47,3 @@ def test_implied_organization_subquery_job_template():
                assert jt.test_field is None
            else:
                assert jt.test_field == jt.project.organization_id
-
-
-@pytest.mark.django_db
-def test_give_explicit_inventory_permission():
-    dual_admin = User.objects.create(username='alice')
-    inv_admin = User.objects.create(username='bob')
-    inv_org = Organization.objects.create(name='inv-org')
-    proj_org = Organization.objects.create(name='proj-org')
-
-    inv_org.admin_role.members.add(inv_admin, dual_admin)
-    proj_org.admin_role.members.add(dual_admin)
-
-    proj = Project.objects.create(name="test-proj", organization=proj_org)
-    inv = Inventory.objects.create(name='test-inv', organization=inv_org)
-
-    jt = JobTemplate.objects.create(name='foo', project=proj, inventory=inv)
-
-    assert dual_admin in jt.admin_role
-
-    rbac.restore_inventory_admins(apps, None)
-
-    assert inv_admin in jt.admin_role.members.all()
-    assert dual_admin not in jt.admin_role.members.all()
-    assert dual_admin in jt.admin_role
--- a/awx/main/tests/functional/test_rbac_team.py
+++ b/awx/main/tests/functional/test_rbac_team.py
@@ -92,7 +92,7 @@ def test_team_accessible_by(team, user, project):
    u = user('team_member', False)

    team.member_role.children.add(project.use_role)
-    assert list(Project.accessible_objects(team.member_role, 'read_role')) == [project]
+    assert list(Project.accessible_objects(team, 'read_role')) == [project]
    assert u not in project.read_role

    team.member_role.members.add(u)
@@ -104,7 +104,7 @@ def test_team_accessible_objects(team, user, project):
    u = user('team_member', False)

    team.member_role.children.add(project.use_role)
-    assert len(Project.accessible_objects(team.member_role, 'read_role')) == 1
+    assert len(Project.accessible_objects(team, 'read_role')) == 1
    assert not Project.accessible_objects(u, 'read_role')

    team.member_role.members.add(u)
--- a/awx/main/tests/functional/test_rbac_user.py
+++ b/awx/main/tests/functional/test_rbac_user.py
@@ -4,7 +4,7 @@ from unittest import mock
 from django.test import TransactionTestCase

 from awx.main.access import UserAccess, RoleAccess, TeamAccess
-from awx.main.models import User, Organization, Inventory, Role
+from awx.main.models import User, Organization, Inventory, get_system_auditor_role


 class TestSysAuditorTransactional(TransactionTestCase):
@@ -18,7 +18,8 @@ class TestSysAuditorTransactional(TransactionTestCase):

    def test_auditor_caching(self):
        rando = self.rando()
-        with self.assertNumQueries(1):
+        get_system_auditor_role()  # pre-create role, normally done by migrations
+        with self.assertNumQueries(2):
            v = rando.is_system_auditor
        assert not v
        with self.assertNumQueries(0):
@@ -153,34 +154,3 @@ def test_org_admin_cannot_delete_member_attached_to_other_group(org_admin, org_m
    access = UserAccess(org_admin)
    other_org.member_role.members.add(org_member)
    assert not access.can_delete(org_member)
-
-
-@pytest.mark.parametrize('reverse', (True, False))
-@pytest.mark.django_db
-def test_consistency_of_is_superuser_flag(reverse):
-    users = [User.objects.create(username='rando_{}'.format(i)) for i in range(2)]
-    for u in users:
-        assert u.is_superuser is False
-
-    system_admin = Role.singleton('system_administrator')
-    if reverse:
-        for u in users:
-            u.roles.add(system_admin)
-    else:
-        system_admin.members.add(*[u.id for u in users])  # like .add(42, 54)
-
-    for u in users:
-        u.refresh_from_db()
-        assert u.is_superuser is True
-
-    users[0].roles.clear()
-    for u in users:
-        u.refresh_from_db()
-    assert users[0].is_superuser is False
-    assert users[1].is_superuser is True
-
-    system_admin.members.clear()
-
-    for u in users:
-        u.refresh_from_db()
-        assert u.is_superuser is False
--- a/awx/main/tests/functional/test_teams.py
+++ b/awx/main/tests/functional/test_teams.py
@@ -1,14 +0,0 @@
-import pytest
-
-
-@pytest.mark.django_db()
-def test_admin_not_member(team):
-    """Test to ensure we don't add admin_role as a parent to team.member_role, as
-    this creates a cycle with organization administration, which we've decided
-    to remove support for
-
-    (2016-06-16) I think this might have been resolved. I'm asserting
-    this to be true in the mean time.
-    """
-
-    assert team.admin_role.is_ancestor_of(team.member_role) is True
--- a/awx/main/tests/unit/commands/test_dump_auth_config.py
+++ b/awx/main/tests/unit/commands/test_dump_auth_config.py
@@ -52,7 +52,7 @@ class TestDumpAuthConfigCommand(TestCase):
        super().setUp()
        self.expected_config = [
            {
-                "type": "awx.authentication.authenticator_plugins.saml",
+                "type": "ansible_base.authentication.authenticator_plugins.saml",
                "name": "Keycloak",
                "enabled": True,
                "create_objects": True,
@@ -94,14 +94,14 @@ class TestDumpAuthConfigCommand(TestCase):
                },
            },
            {
-                "type": "awx.authentication.authenticator_plugins.ldap",
-                "name": "1",
+                "type": "ansible_base.authentication.authenticator_plugins.ldap",
+                "name": "LDAP_1",
                "enabled": True,
                "create_objects": True,
                "users_unique": False,
                "remove_users": True,
                "configuration": {
-                    "SERVER_URI": "SERVER_URI",
+                    "SERVER_URI": ["SERVER_URI"],
                    "BIND_DN": "BIND_DN",
                    "BIND_PASSWORD": "BIND_PASSWORD",
                    "CONNECTION_OPTIONS": {},
@@ -119,4 +119,14 @@ class TestDumpAuthConfigCommand(TestCase):
    def test_json_returned_from_cmd(self):
        output = StringIO()
        call_command("dump_auth_config", stdout=output)
-        assert json.loads(output.getvalue()) == self.expected_config
+        cmmd_output = json.loads(output.getvalue())
+
+        # check configured SAML return
+        assert cmmd_output[0] == self.expected_config[0]
+
+        # check configured LDAP return
+        assert cmmd_output[2] == self.expected_config[1]
+
+        # check unconfigured LDAP return
+        assert "LDAP_0_missing_fields" in cmmd_output[1]
+        assert cmmd_output[1]["LDAP_0_missing_fields"] == ['SERVER_URI', 'GROUP_TYPE', 'GROUP_TYPE_PARAMS', 'USER_DN_TEMPLATE', 'USER_ATTR_MAP']
--- a/awx/main/tests/unit/test_tasks.py
+++ b/awx/main/tests/unit/test_tasks.py
@@ -1106,6 +1106,44 @@ class TestJobCredentials(TestJobExecution):
        config = open(local_path, 'r').read()
        assert config == hcl_config

+    def test_terraform_gcs_backend_credentials(self, job, private_data_dir, mock_me):
+        terraform = CredentialType.defaults['terraform']()
+        hcl_config = '''
+        backend "gcs" {
+            bucket = "gce_storage"
+        }
+        '''
+        gce_backend_credentials = '''
+        {
+            "type": "service_account",
+            "project_id": "sample",
+            "private_key_id": "eeeeeeeeeeeeeeeeeeeeeeeeeee",
+            "private_key": "-----BEGIN PRIVATE KEY-----\naaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\n-----END PRIVATE KEY-----\n",
+            "client_email": "sample@sample.iam.gserviceaccount.com",
+            "client_id": "0123456789",
+            "auth_uri": "https://accounts.google.com/o/oauth2/auth",
+            "token_uri": "https://oauth2.googleapis.com/token",
+            "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
+            "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/cloud-content-robot%40sample.iam.gserviceaccount.com",
+        }
+        '''
+        credential = Credential(pk=1, credential_type=terraform, inputs={'configuration': hcl_config, 'gce_credentials': gce_backend_credentials})
+        credential.inputs['configuration'] = encrypt_field(credential, 'configuration')
+        credential.inputs['gce_credentials'] = encrypt_field(credential, 'gce_credentials')
+        job.credentials.add(credential)
+
+        env = {}
+        safe_env = {}
+        credential.credential_type.inject_credential(credential, env, safe_env, [], private_data_dir)
+
+        local_path = to_host_path(env['TF_BACKEND_CONFIG_FILE'], private_data_dir)
+        config = open(local_path, 'r').read()
+        assert config == hcl_config
+
+        credentials_path = to_host_path(env['GOOGLE_BACKEND_CREDENTIALS'], private_data_dir)
+        credentials = open(credentials_path, 'r').read()
+        assert credentials == gce_backend_credentials
+
    def test_custom_environment_injectors_with_jinja_syntax_error(self, private_data_dir, mock_me):
        some_cloud = CredentialType(
            kind='cloud',
--- a/awx/main/tests/unit/utils/test_filters.py
+++ b/awx/main/tests/unit/utils/test_filters.py
@@ -69,7 +69,7 @@ class mockHost:
@mock.patch('awx.main.utils.filters.get_model', return_value=mockHost())
 class TestSmartFilterQueryFromString:
    @mock.patch(
-        'ansible_base.rest_filters.rest_framework.field_lookup_backend.get_fields_from_path', lambda model, path: ([model], path)
+        'ansible_base.rest_filters.rest_framework.field_lookup_backend.get_fields_from_path', lambda model, path, **kwargs: ([model], path)
    )  # disable field filtering, because a__b isn't a real Host field
    @pytest.mark.parametrize(
        "filter_string,q_expected",
--- a/awx/main/tests/unit/utils/test_receptor.py
+++ b/awx/main/tests/unit/utils/test_receptor.py
@@ -3,7 +3,7 @@ from awx.main.tasks.receptor import _convert_args_to_cli

 def test_file_cleanup_scenario():
    args = _convert_args_to_cli({'exclude_strings': ['awx_423_', 'awx_582_'], 'file_pattern': '/tmp/awx_*_*'})
-    assert ' '.join(args) == 'cleanup --exclude-strings=awx_423_ awx_582_ --file-pattern=/tmp/awx_*_*'
+    assert ' '.join(args) == 'cleanup --exclude-strings="awx_423_ awx_582_" --file-pattern=/tmp/awx_*_*'


 def test_image_cleanup_scenario():
@@ -17,5 +17,5 @@ def test_image_cleanup_scenario():
        }
    )
    assert (
-        ' '.join(args) == 'cleanup --remove-images=quay.invalid/foo/bar:latest quay.invalid/foo/bar:devel --image-prune --process-isolation-executable=podman'
+        ' '.join(args) == 'cleanup --remove-images="quay.invalid/foo/bar:latest quay.invalid/foo/bar:devel" --image-prune --process-isolation-executable=podman'
    )
--- a/awx/main/utils/formatters.py
+++ b/awx/main/utils/formatters.py
@@ -3,7 +3,6 @@

 from copy import copy
 import json
-import json_log_formatter
 import logging
 import traceback
 import socket
@@ -15,15 +14,6 @@ from django.core.serializers.json import DjangoJSONEncoder
 from django.conf import settings


-class JobLifeCycleFormatter(json_log_formatter.JSONFormatter):
-    def json_record(self, message: str, extra: dict, record: logging.LogRecord):
-        if 'time' not in extra:
-            extra['time'] = now()
-        if record.exc_info:
-            extra['exc_info'] = self.formatException(record.exc_info)
-        return extra
-
-
 class TimeFormatter(logging.Formatter):
    """
    Custom log formatter used for inventory imports
--- a/awx/main/utils/named_url_graph.py
+++ b/awx/main/utils/named_url_graph.py
@@ -5,7 +5,6 @@ from collections import deque
 # Django
 from django.db import models
 from django.conf import settings
-from django.contrib.contenttypes.models import ContentType


 NAMED_URL_RES_DILIMITER = "++"
@@ -245,6 +244,8 @@ def _generate_configurations(nodes):


 def _dfs(configuration, model, graph, dead_ends, new_deadends, parents):
+    from django.contrib.contenttypes.models import ContentType
+
    parents.add(model)
    fields, fk_names = configuration[model][0][:], configuration[model][1][:]
    adj_list = []
@@ -306,3 +307,19 @@ def generate_graph(models):
 def reset_counters():
    for node in settings.NAMED_URL_GRAPH.values():
        node.counter = 0
+
+
+def _customize_graph():
+    from django.contrib.auth.models import User
+    from awx.main.models import Instance, Schedule, UnifiedJobTemplate
+
+    for model in [Schedule, UnifiedJobTemplate]:
+        if model in settings.NAMED_URL_GRAPH:
+            settings.NAMED_URL_GRAPH[model].remove_bindings()
+            settings.NAMED_URL_GRAPH.pop(model)
+    if User not in settings.NAMED_URL_GRAPH:
+        settings.NAMED_URL_GRAPH[User] = GraphNode(User, ['username'], [])
+        settings.NAMED_URL_GRAPH[User].add_bindings()
+    if Instance not in settings.NAMED_URL_GRAPH:
+        settings.NAMED_URL_GRAPH[Instance] = GraphNode(Instance, ['hostname'], [])
+        settings.NAMED_URL_GRAPH[Instance].add_bindings()
--- a/awx/main/wsrelay.py
+++ b/awx/main/wsrelay.py
@@ -2,6 +2,7 @@ import json
 import logging
 import asyncio
 from typing import Dict
+from copy import deepcopy

 import ipaddress

@@ -241,7 +242,7 @@ class WebSocketRelayManager(object):
                # In this case, we'll be sharing a redis, no need to relay.
                if payload.get("hostname") == self.local_hostname:
                    hostname = payload.get("hostname")
-                    logger.debug("Received a heartbeat request for {hostname}. Skipping as we use redis for local host.")
+                    logger.debug(f"Received a heartbeat request for {hostname}. Skipping as we use redis for local host.")
                    continue

                action = payload.get("action")
@@ -284,6 +285,8 @@ class WebSocketRelayManager(object):
            except asyncio.CancelledError:
                # Handle the case where the task was already cancelled by the time we got here.
                pass
+            except Exception as e:
+                logger.warning(f"Failed to cancel relay connection for {hostname}: {e}")

            del self.relay_connections[hostname]

@@ -294,6 +297,8 @@ class WebSocketRelayManager(object):
            self.stats_mgr.delete_remote_host_stats(hostname)
        except KeyError:
            pass
+        except Exception as e:
+            logger.warning(f"Failed to delete stats for {hostname}: {e}")

    async def run(self):
        event_loop = asyncio.get_running_loop()
@@ -302,67 +307,90 @@ class WebSocketRelayManager(object):
        self.stats_mgr.start()

        # Set up a pg_notify consumer for allowing web nodes to "provision" and "deprovision" themselves gracefully.
-        database_conf = settings.DATABASES['default'].copy()
-        database_conf['OPTIONS'] = database_conf.get('OPTIONS', {}).copy()
+        database_conf = deepcopy(settings.DATABASES['default'])
+        database_conf['OPTIONS'] = deepcopy(database_conf.get('OPTIONS', {}))

        for k, v in settings.LISTENER_DATABASES.get('default', {}).items():
            database_conf[k] = v
        for k, v in settings.LISTENER_DATABASES.get('default', {}).get('OPTIONS', {}).items():
            database_conf['OPTIONS'][k] = v

+        if 'PASSWORD' in database_conf:
+            database_conf['OPTIONS']['password'] = database_conf.pop('PASSWORD')
+
        task = None

+        # Managing the async_conn here so that we can close it if we need to restart the connection
+        async_conn = None
+
        # Establishes a websocket connection to /websocket/relay on all API servers
-        while True:
-            if not task or task.done():
+        try:
+            while True:
+                if not task or task.done():
+                    try:
+                        # Try to close the connection if it's open
+                        if async_conn:
+                            try:
+                                await async_conn.close()
+                            except Exception as e:
+                                logger.warning(f"Failed to close connection to database for pg_notify: {e}")
+
+                        # and re-establish the connection
+                        async_conn = await psycopg.AsyncConnection.connect(
+                            dbname=database_conf['NAME'],
+                            host=database_conf['HOST'],
+                            user=database_conf['USER'],
+                            port=database_conf['PORT'],
+                            **database_conf.get("OPTIONS", {}),
+                        )
+                        await async_conn.set_autocommit(True)
+
+                        # before creating the task that uses the connection
+                        task = event_loop.create_task(self.on_ws_heartbeat(async_conn), name="on_ws_heartbeat")
+                        logger.info("Creating `on_ws_heartbeat` task in event loop.")
+
+                    except Exception as e:
+                        logger.warning(f"Failed to connect to database for pg_notify: {e}")
+
+                future_remote_hosts = self.known_hosts.keys()
+                current_remote_hosts = self.relay_connections.keys()
+                deleted_remote_hosts = set(current_remote_hosts) - set(future_remote_hosts)
+                new_remote_hosts = set(future_remote_hosts) - set(current_remote_hosts)
+
+                # This loop handles if we get an advertisement from a host we already know about but
+                # the advertisement has a different IP than we are currently connected to.
+                for hostname, address in self.known_hosts.items():
+                    if hostname not in self.relay_connections:
+                        # We've picked up a new hostname that we don't know about yet.
+                        continue
+
+                    if address != self.relay_connections[hostname].remote_host:
+                        deleted_remote_hosts.add(hostname)
+                        new_remote_hosts.add(hostname)
+
+                # Delete any hosts with closed connections
+                for hostname, relay_conn in self.relay_connections.items():
+                    if not relay_conn.connected:
+                        deleted_remote_hosts.add(hostname)
+
+                if deleted_remote_hosts:
+                    logger.info(f"Removing {deleted_remote_hosts} from websocket broadcast list")
+                    await asyncio.gather(*[self.cleanup_offline_host(h) for h in deleted_remote_hosts])
+
+                if new_remote_hosts:
+                    logger.info(f"Adding {new_remote_hosts} to websocket broadcast list")
+
+                for h in new_remote_hosts:
+                    stats = self.stats_mgr.new_remote_host_stats(h)
+                    relay_connection = WebsocketRelayConnection(name=self.local_hostname, stats=stats, remote_host=self.known_hosts[h])
+                    relay_connection.start()
+                    self.relay_connections[h] = relay_connection
+
+                await asyncio.sleep(settings.BROADCAST_WEBSOCKET_NEW_INSTANCE_POLL_RATE_SECONDS)
+        finally:
+            if async_conn:
+                logger.info("Shutting down db connection for wsrelay.")
                try:
-                    async_conn = await psycopg.AsyncConnection.connect(
-                        dbname=database_conf['NAME'],
-                        host=database_conf['HOST'],
-                        user=database_conf['USER'],
-                        password=database_conf['PASSWORD'],
-                        port=database_conf['PORT'],
-                        **database_conf.get("OPTIONS", {}),
-                    )
-
-                    task = event_loop.create_task(self.on_ws_heartbeat(async_conn), name="on_ws_heartbeat")
-                    logger.info("Creating `on_ws_heartbeat` task in event loop.")
-
+                    await async_conn.close()
                except Exception as e:
-                    logger.warning(f"Failed to connect to database for pg_notify: {e}")
-
-            future_remote_hosts = self.known_hosts.keys()
-            current_remote_hosts = self.relay_connections.keys()
-            deleted_remote_hosts = set(current_remote_hosts) - set(future_remote_hosts)
-            new_remote_hosts = set(future_remote_hosts) - set(current_remote_hosts)
-
-            # This loop handles if we get an advertisement from a host we already know about but
-            # the advertisement has a different IP than we are currently connected to.
-            for hostname, address in self.known_hosts.items():
-                if hostname not in self.relay_connections:
-                    # We've picked up a new hostname that we don't know about yet.
-                    continue
-
-                if address != self.relay_connections[hostname].remote_host:
-                    deleted_remote_hosts.add(hostname)
-                    new_remote_hosts.add(hostname)
-
-            # Delete any hosts with closed connections
-            for hostname, relay_conn in self.relay_connections.items():
-                if not relay_conn.connected:
-                    deleted_remote_hosts.add(hostname)
-
-            if deleted_remote_hosts:
-                logger.info(f"Removing {deleted_remote_hosts} from websocket broadcast list")
-                await asyncio.gather(*[self.cleanup_offline_host(h) for h in deleted_remote_hosts])
-
-            if new_remote_hosts:
-                logger.info(f"Adding {new_remote_hosts} to websocket broadcast list")
-
-            for h in new_remote_hosts:
-                stats = self.stats_mgr.new_remote_host_stats(h)
-                relay_connection = WebsocketRelayConnection(name=self.local_hostname, stats=stats, remote_host=self.known_hosts[h])
-                relay_connection.start()
-                self.relay_connections[h] = relay_connection
-
-            await asyncio.sleep(settings.BROADCAST_WEBSOCKET_NEW_INSTANCE_POLL_RATE_SECONDS)
+                    logger.info(f"Failed to close connection to database for pg_notify: {e}")
--- a/awx/settings/defaults.py
+++ b/awx/settings/defaults.py
@@ -277,6 +277,9 @@ SESSION_COOKIE_SECURE = True
 # Note: This setting may be overridden by database settings.
 SESSION_COOKIE_AGE = 1800

+# Option to change userLoggedIn cookie SameSite policy.
+USER_COOKIE_SAMESITE = 'Lax'
+
 # Name of the cookie that contains the session information.
 # Note: Changing this value may require changes to any clients.
 SESSION_COOKIE_NAME = 'awx_sessionid'
@@ -355,6 +358,7 @@ INSTALLED_APPS = [
    'ansible_base.rest_filters',
    'ansible_base.jwt_consumer',
    'ansible_base.resource_registry',
+    'ansible_base.rbac',
 ]


@@ -497,6 +501,12 @@ CACHES = {'default': {'BACKEND': 'awx.main.cache.AWXRedisCache', 'LOCATION': 'un
 SOCIAL_AUTH_STRATEGY = 'social_django.strategy.DjangoStrategy'
 SOCIAL_AUTH_STORAGE = 'social_django.models.DjangoStorage'
 SOCIAL_AUTH_USER_MODEL = 'auth.User'
+ROLE_SINGLETON_USER_RELATIONSHIP = ''
+ROLE_SINGLETON_TEAM_RELATIONSHIP = ''
+
+# We want to short-circuit RBAC methods to get permission to system admins and auditors
+ROLE_BYPASS_SUPERUSER_FLAGS = ['is_superuser']
+ROLE_BYPASS_ACTION_FLAGS = {'view': 'is_system_auditor'}

 _SOCIAL_AUTH_PIPELINE_BASE = (
    'social_core.pipeline.social_auth.social_details',
@@ -849,7 +859,6 @@ LOGGING = {
        'json': {'()': 'awx.main.utils.formatters.LogstashFormatter'},
        'timed_import': {'()': 'awx.main.utils.formatters.TimeFormatter', 'format': '%(relativeSeconds)9.3f %(levelname)-8s %(message)s'},
        'dispatcher': {'format': '%(asctime)s %(levelname)-8s [%(guid)s] %(name)s PID:%(process)d %(message)s'},
-        'job_lifecycle': {'()': 'awx.main.utils.formatters.JobLifeCycleFormatter'},
    },
    # Extended below based on install scenario. You probably don't want to add something directly here.
    # See 'handler_config' below.
@@ -874,6 +883,7 @@ LOGGING = {
    'loggers': {
        'django': {'handlers': ['console']},
        'django.request': {'handlers': ['console', 'file', 'tower_warnings'], 'level': 'WARNING'},
+        'ansible_base': {'handlers': ['console', 'file', 'tower_warnings']},
        'daphne': {'handlers': ['console', 'file', 'tower_warnings'], 'level': 'INFO'},
        'rest_framework.request': {'handlers': ['console', 'file', 'tower_warnings'], 'level': 'WARNING', 'propagate': False},
        'py.warnings': {'handlers': ['console']},
@@ -917,7 +927,7 @@ handler_config = {
    'wsrelay': {'filename': 'wsrelay.log'},
    'task_system': {'filename': 'task_system.log'},
    'rbac_migrations': {'filename': 'tower_rbac_migrations.log'},
-    'job_lifecycle': {'filename': 'job_lifecycle.log', 'formatter': 'job_lifecycle'},
+    'job_lifecycle': {'filename': 'job_lifecycle.log'},
    'rsyslog_configurer': {'filename': 'rsyslog_configurer.log'},
    'cache_clear': {'filename': 'cache_clear.log'},
    'ws_heartbeat': {'filename': 'ws_heartbeat.log'},
@@ -1003,6 +1013,7 @@ MIDDLEWARE = [
    'django.contrib.auth.middleware.AuthenticationMiddleware',
    'awx.main.middleware.DisableLocalAuthMiddleware',
    'django.contrib.messages.middleware.MessageMiddleware',
+    'awx.main.middleware.OptionalURLPrefixPath',
    'awx.sso.middleware.SocialAuthMiddleware',
    'crum.CurrentRequestUserMiddleware',
    'awx.main.middleware.URLModificationMiddleware',
@@ -1121,13 +1132,55 @@ METRICS_SUBSYSTEM_CONFIG = {
 ANSIBLE_BASE_TEAM_MODEL = 'main.Team'
 ANSIBLE_BASE_ORGANIZATION_MODEL = 'main.Organization'
 ANSIBLE_BASE_RESOURCE_CONFIG_MODULE = 'awx.resource_api'
+ANSIBLE_BASE_PERMISSION_MODEL = 'main.Permission'

 from ansible_base.lib import dynamic_config  # noqa: E402

-settings_file = os.path.join(os.path.dirname(dynamic_config.__file__), 'dynamic_settings.py')
-include(settings_file)
+include(os.path.join(os.path.dirname(dynamic_config.__file__), 'dynamic_settings.py'))

 # Add a postfix to the API URL patterns
 # example if set to '' API pattern will be /api
 # example if set to 'controller' API pattern will be /api AND /api/controller
 OPTIONAL_API_URLPATTERN_PREFIX = ''
+
+# Use AWX base view, to give 401 on unauthenticated requests
+ANSIBLE_BASE_CUSTOM_VIEW_PARENT = 'awx.api.generics.APIView'
+
+# Settings for the ansible_base RBAC system
+
+# Only used internally, names of the managed RoleDefinitions to create
+ANSIBLE_BASE_ROLE_PRECREATE = {
+    'object_admin': '{cls.__name__} Admin',
+    'org_admin': 'Organization Admin',
+    'org_children': 'Organization {cls.__name__} Admin',
+    'special': '{cls.__name__} {action}',
+}
+
+# Name for auto-created roles that give users permissions to what they create
+ANSIBLE_BASE_ROLE_CREATOR_NAME = '{cls.__name__} Creator'
+
+# Use the new Gateway RBAC system for evaluations? You should. We will remove the old system soon.
+ANSIBLE_BASE_ROLE_SYSTEM_ACTIVATED = True
+
+# Permissions a user will get when creating a new item
+ANSIBLE_BASE_CREATOR_DEFAULTS = ['change', 'delete', 'execute', 'use', 'adhoc', 'approve', 'update', 'view']
+
+# This is a stopgap, will delete after resource registry integration
+ANSIBLE_BASE_SERVICE_PREFIX = "awx"
+
+# Temporary, for old roles API compatibility, save child permissions at organization level
+ANSIBLE_BASE_CACHE_PARENT_PERMISSIONS = True
+
+# Currently features are enabled to keep compatibility with old system, except custom roles
+ANSIBLE_BASE_ALLOW_TEAM_ORG_ADMIN = False
+# ANSIBLE_BASE_ALLOW_CUSTOM_ROLES = True
+ANSIBLE_BASE_ALLOW_CUSTOM_TEAM_ROLES = False
+ANSIBLE_BASE_ALLOW_SINGLETON_USER_ROLES = True
+ANSIBLE_BASE_ALLOW_SINGLETON_TEAM_ROLES = False  # System auditor has always been restricted to users
+ANSIBLE_BASE_ALLOW_SINGLETON_ROLES_API = False  # Do not allow creating user-defined system-wide roles
+
+# system username for django-ansible-base
+SYSTEM_USERNAME = None
+
+# Use AWX base view, to give 401 on unauthenticated requests
+ANSIBLE_BASE_CUSTOM_VIEW_PARENT = 'awx.api.generics.APIView'
--- a/awx/sso/views.py
+++ b/awx/sso/views.py
@@ -38,7 +38,9 @@ class CompleteView(BaseRedirectView):
        response = super(CompleteView, self).dispatch(request, *args, **kwargs)
        if self.request.user and self.request.user.is_authenticated:
            logger.info(smart_str(u"User {} logged in".format(self.request.user.username)))
-            response.set_cookie('userLoggedIn', 'true', secure=getattr(settings, 'SESSION_COOKIE_SECURE', False))
+            response.set_cookie(
+                'userLoggedIn', 'true', secure=getattr(settings, 'SESSION_COOKIE_SECURE', False), samesite=getattr(settings, 'USER_COOKIE_SAMESITE', 'Lax')
+            )
            response.setdefault('X-API-Session-Cookie-Name', getattr(settings, 'SESSION_COOKIE_NAME', 'awx_sessionid'))
        return response

--- a/awx/templates/rest_framework/api.html
+++ b/awx/templates/rest_framework/api.html
@@ -39,7 +39,7 @@
          {% else %}
          <li><a href="{% url 'api:login' %}?next={{ request.get_full_path }}" data-toggle="tooltip" data-placement="bottom" data-delay="1000" title="Log in"><span class="glyphicon glyphicon-log-in"></span>Log in</a></li>
          {% endif %}
-          <li><a href="//docs.ansible.com/ansible-tower/{{short_tower_version}}/html/towerapi/index.html" target="_blank" data-toggle="tooltip" data-placement="bottom" data-delay="1000" title="{% trans 'API Guide' %}"><span class="glyphicon glyphicon-question-sign"></span><span class="visible-xs-inline">{% trans 'API Guide' %}</span></a></li>
+          <li><a href="//ansible.readthedocs.io/projects/awx/en/latest/rest_api/index.html" target="_blank" data-toggle="tooltip" data-placement="bottom" data-delay="1000" title="{% trans 'API Guide' %}"><span class="glyphicon glyphicon-question-sign"></span><span class="visible-xs-inline">{% trans 'API Guide' %}</span></a></li>
          <li><a href="/" data-toggle="tooltip" data-placement="bottom" data-delay="1000" title="{% trans 'Back to application' %}"><span class="glyphicon glyphicon-circle-arrow-left"></span><span class="visible-xs-inline">{% trans 'Back to application' %}</span></a></li>
          <li class="hidden-xs"><a href="#" class="resize" data-toggle="tooltip" data-placement="bottom" data-delay="1000" title="{% trans 'Resize' %}"><span class="glyphicon glyphicon-resize-full"></span></a></li>
        </ul>
--- a/awx/ui/src/screens/Instances/InstancePeers/InstancePeerList.js
+++ b/awx/ui/src/screens/Instances/InstancePeers/InstancePeerList.js
@@ -12,7 +12,7 @@ import AssociateModal from 'components/AssociateModal';
 import ErrorDetail from 'components/ErrorDetail';
 import AlertModal from 'components/AlertModal';
 import useToast, { AlertVariant } from 'hooks/useToast';
-import { getQSConfig, parseQueryString, mergeParams } from 'util/qs';
+import { getQSConfig, parseQueryString } from 'util/qs';
 import { useLocation, useParams } from 'react-router-dom';
 import useRequest, { useDismissableError } from 'hooks/useRequest';
 import DataListToolbar from 'components/DataListToolbar';
@@ -106,62 +106,38 @@ function InstancePeerList({ setBreadcrumb }) {
  const { selected, isAllSelected, handleSelect, clearSelected, selectAll } =
    useSelected(peers);

-  const fetchInstancesToAssociate = useCallback(
+  const fetchPeersToAssociate = useCallback(
    async (params) => {
      const address_list = [];

-      const instances = await InstancesAPI.read(
-        mergeParams(params, {
-          ...{ not__node_type: ['control', 'hybrid'] },
-        })
-      );
-      const receptors = (await ReceptorAPI.read()).data.results;
+      // do not show this instance or instances that are already peered
+      // to this instance (reverse_peers)
+      const not_instances = instance.reverse_peers;
+      not_instances.push(instance.id);

-      // get instance ids of the current peered receptor ids
-      const already_peered_instance_ids = [];
-      for (let h = 0; h < instance.peers.length; h++) {
-        const matched = receptors.filter((obj) => obj.id === instance.peers[h]);
-        matched.forEach((element) => {
-          already_peered_instance_ids.push(element.instance);
-        });
+      params.not__instance = not_instances;
+      params.is_internal = false;
+      // do not show the current peers
+      if (instance.peers.length > 0) {
+        params.not__id__in = instance.peers.join(',');
      }

-      for (let q = 0; q < receptors.length; q++) {
-        const receptor = receptors[q];
+      const receptoraddresses = await ReceptorAPI.read(params);

-        if (already_peered_instance_ids.includes(receptor.instance)) {
-          // ignore reverse peers
-          continue;
-        }
+      // retrieve the instances that are associated with those receptor addresses
+      const instance_ids = receptoraddresses.data.results.map(
+        (obj) => obj.instance
+      );
+      const instance_ids_str = instance_ids.join(',');
+      const instances = await InstancesAPI.read({ id__in: instance_ids_str });

-        if (instance.peers.includes(receptor.id)) {
-          // no links to existing links
-          continue;
-        }
-
-        if (instance.id === receptor.instance) {
-          // no links to thy self
-          continue;
-        }
-
-        if (instance.managed) {
-          // no managed nodes
-          continue;
-        }
+      for (let q = 0; q < receptoraddresses.data.results.length; q++) {
+        const receptor = receptoraddresses.data.results[q];

        const host = instances.data.results.filter(
          (obj) => obj.id === receptor.instance
        )[0];

-        if (host === undefined) {
-          // no hosts
-          continue;
-        }
-
-        if (receptor.is_internal) {
-          continue;
-        }
-
        const copy = receptor;
        copy.hostname = host.hostname;
        copy.node_type = host.node_type;
@@ -169,9 +145,9 @@ function InstancePeerList({ setBreadcrumb }) {
        address_list.push(copy);
      }

-      instances.data.results = address_list;
+      receptoraddresses.data.results = address_list;

-      return instances;
+      return receptoraddresses;
    },
    [instance]
  );
@@ -191,7 +167,7 @@ function InstancePeerList({ setBreadcrumb }) {
        fetchPeers();
        addToast({
          id: instancesPeerToAssociate,
-          title: t`Please be sure to run the install bundle for the selected instance(s) again in order to see changes take effect.`,
+          title: t`Please be sure to run the install bundle for ${instance.hostname} again in order to see changes take effect.`,
          variant: AlertVariant.success,
          hasTimeout: true,
        });
@@ -315,13 +291,13 @@ function InstancePeerList({ setBreadcrumb }) {
      {isModalOpen && (
        <AssociateModal
          header={t`Instances`}
-          fetchRequest={fetchInstancesToAssociate}
+          fetchRequest={fetchPeersToAssociate}
          isModalOpen={isModalOpen}
          onAssociate={handlePeerAssociate}
          onClose={() => setIsModalOpen(false)}
          title={t`Select Peer Addresses`}
          optionsRequest={readInstancesOptions}
-          displayKey="hostname"
+          displayKey="address"
          columns={[
            { key: 'hostname', name: t`Name` },
            { key: 'address', name: t`Address` },
--- a/awx/ui/src/screens/Setting/MiscAuthentication/MiscAuthenticationEdit/MiscAuthenticationEdit.js
+++ b/awx/ui/src/screens/Setting/MiscAuthentication/MiscAuthenticationEdit/MiscAuthenticationEdit.js
@@ -78,12 +78,14 @@ function MiscAuthenticationEdit() {
          default: OAUTH2_PROVIDER_OPTIONS.default.ACCESS_TOKEN_EXPIRE_SECONDS,
          type: OAUTH2_PROVIDER_OPTIONS.child.type,
          label: t`Access Token Expiration`,
+          help_text: t`Access Token Expiration in seconds`,
        },
        REFRESH_TOKEN_EXPIRE_SECONDS: {
          ...OAUTH2_PROVIDER_OPTIONS,
          default: OAUTH2_PROVIDER_OPTIONS.default.REFRESH_TOKEN_EXPIRE_SECONDS,
          type: OAUTH2_PROVIDER_OPTIONS.child.type,
          label: t`Refresh Token Expiration`,
+          help_text: t`Refresh Token Expiration in seconds`,
        },
        AUTHORIZATION_CODE_EXPIRE_SECONDS: {
          ...OAUTH2_PROVIDER_OPTIONS,
@@ -91,6 +93,7 @@ function MiscAuthenticationEdit() {
            OAUTH2_PROVIDER_OPTIONS.default.AUTHORIZATION_CODE_EXPIRE_SECONDS,
          type: OAUTH2_PROVIDER_OPTIONS.child.type,
          label: t`Authorization Code Expiration`,
+          help_text: t`Authorization Code Expiration in seconds`,
        },
      };

--- a/awx/urls.py
+++ b/awx/urls.py
@@ -2,43 +2,54 @@
 # All Rights Reserved.

 from django.conf import settings
-from django.urls import path, re_path, include
+from django.urls import re_path, include, path
+
+from ansible_base.lib.dynamic_config.dynamic_urls import api_urls, api_version_urls, root_urls

 from ansible_base.resource_registry.urls import urlpatterns as resource_api_urls

 from awx.main.views import handle_400, handle_403, handle_404, handle_500, handle_csp_violation, handle_login_redirect


-urlpatterns = [
-    re_path(r'', include('awx.ui.urls', namespace='ui')),
-    re_path(r'^ui_next/.*', include('awx.ui_next.urls', namespace='ui_next')),
-    path('api/', include('awx.api.urls', namespace='api')),
-]
+def get_urlpatterns(prefix=None):
+    if not prefix:
+        prefix = '/'
+    else:
+        prefix = f'/{prefix}/'

-if settings.OPTIONAL_API_URLPATTERN_PREFIX:
-    urlpatterns += [
-        path(f'api/{settings.OPTIONAL_API_URLPATTERN_PREFIX}/', include('awx.api.urls')),
+    urlpatterns = [
+        re_path(r'', include('awx.ui.urls', namespace='ui')),
+        re_path(r'^ui_next/.*', include('awx.ui_next.urls', namespace='ui_next')),
+        path(f'api{prefix}', include('awx.api.urls', namespace='api')),
    ]

-urlpatterns += [
-    re_path(r'^api/v2/', include(resource_api_urls)),
-    re_path(r'^sso/', include('awx.sso.urls', namespace='sso')),
-    re_path(r'^sso/', include('social_django.urls', namespace='social')),
-    re_path(r'^(?:api/)?400.html$', handle_400),
-    re_path(r'^(?:api/)?403.html$', handle_403),
-    re_path(r'^(?:api/)?404.html$', handle_404),
-    re_path(r'^(?:api/)?500.html$', handle_500),
-    re_path(r'^csp-violation/', handle_csp_violation),
-    re_path(r'^login/', handle_login_redirect),
-]
+    urlpatterns += [
+        path(f'api{prefix}v2/', include(resource_api_urls)),
+        path(f'api{prefix}v2/', include(api_version_urls)),
+        path(f'api{prefix}', include(api_urls)),
+        path('', include(root_urls)),
+        re_path(r'^sso/', include('awx.sso.urls', namespace='sso')),
+        re_path(r'^sso/', include('social_django.urls', namespace='social')),
+        re_path(r'^(?:api/)?400.html$', handle_400),
+        re_path(r'^(?:api/)?403.html$', handle_403),
+        re_path(r'^(?:api/)?404.html$', handle_404),
+        re_path(r'^(?:api/)?500.html$', handle_500),
+        re_path(r'^csp-violation/', handle_csp_violation),
+        re_path(r'^login/', handle_login_redirect),
+    ]

-if settings.SETTINGS_MODULE == 'awx.settings.development':
-    try:
-        import debug_toolbar
+    if settings.SETTINGS_MODULE == 'awx.settings.development':
+        try:
+            import debug_toolbar

-        urlpatterns += [re_path(r'^__debug__/', include(debug_toolbar.urls))]
-    except ImportError:
-        pass
+            urlpatterns += [re_path(r'^__debug__/', include(debug_toolbar.urls))]
+        except ImportError:
+            pass
+
+    return urlpatterns
+
+
+urlpatterns = get_urlpatterns()

 handler400 = 'awx.main.views.handle_400'
 handler403 = 'awx.main.views.handle_403'
--- a/awx_collection/README.md
+++ b/awx_collection/README.md
@@ -68,6 +68,7 @@ Notable releases of the `awx.awx` collection:
 - 7.0.0 is intended to be identical to the content prior to the migration, aside from changes necessary to function as a collection.
 - 11.0.0 has no non-deprecated modules that depend on the deprecated `tower-cli` [PyPI](https://pypi.org/project/ansible-tower-cli/).
 - 19.2.1 large renaming purged "tower" names (like options and module names), adding redirects for old names
+ - 21.11.0 "tower" modules deprecated and symlinks removed.
 - X.X.X added support of named URLs to all modules. Anywhere that previously accepted name or id can also support named URLs
 - 0.0.1-devel is the version you should see if installing from source, which is intended for development and expected to be unstable.

@@ -112,7 +113,7 @@ Ansible source, set up a dedicated virtual environment:

 ```
 mkvirtualenv my_new_venv
-# may need to replace psycopg2 with psycopg2-binary in requirements/requirements.txt
+# may need to replace psycopg3 with psycopg3-binary in requirements/requirements.txt
 pip install -r requirements/requirements.txt -r requirements/requirements_dev.txt -r requirements/requirements_git.txt
 make clean-api
 pip install -e <path to your Ansible>
--- a/awx_collection/meta/runtime.yml
+++ b/awx_collection/meta/runtime.yml
@@ -35,6 +35,9 @@ action_groups:
    - project
    - project_update
    - role
+    - role_definition
+    - role_team_assignment
+    - role_user_assignment
    - schedule
    - settings
    - subscriptions
--- a/awx_collection/plugins/module_utils/controller_api.py
+++ b/awx_collection/plugins/module_utils/controller_api.py
@@ -652,7 +652,7 @@ class ControllerAPIModule(ControllerModule):
        # If we have neither of these, then we can try un-authenticated access
        self.authenticated = True

-    def delete_if_needed(self, existing_item, on_delete=None, auto_exit=True):
+    def delete_if_needed(self, existing_item, item_type=None, on_delete=None, auto_exit=True):
        # This will exit from the module on its own.
        # If the method successfully deletes an item and on_delete param is defined,
        #   the on_delete parameter will be called as a method pasing in this object and the json from the response
@@ -664,8 +664,9 @@ class ControllerAPIModule(ControllerModule):
            # If we have an item, we can try to delete it
            try:
                item_url = existing_item['url']
-                item_type = existing_item['type']
                item_id = existing_item['id']
+                if not item_type:
+                    item_type = existing_item['type']
                item_name = self.get_item_name(existing_item, allow_unknown=True)
            except KeyError as ke:
                self.fail_json(msg="Unable to process delete of item due to missing data {0}".format(ke))
@@ -907,7 +908,7 @@ class ControllerAPIModule(ControllerModule):
                    return True
        return False

-    def update_if_needed(self, existing_item, new_item, on_update=None, auto_exit=True, associations=None):
+    def update_if_needed(self, existing_item, new_item, item_type=None, on_update=None, auto_exit=True, associations=None):
        # This will exit from the module on its own
        # If the method successfully updates an item and on_update param is defined,
        #   the on_update parameter will be called as a method pasing in this object and the json from the response
@@ -921,7 +922,8 @@ class ControllerAPIModule(ControllerModule):
            # If we have an item, we can see if it needs an update
            try:
                item_url = existing_item['url']
-                item_type = existing_item['type']
+                if not item_type:
+                    item_type = existing_item['type']
                if item_type == 'user':
                    item_name = existing_item['username']
                elif item_type == 'workflow_job_template_node':
@@ -990,7 +992,7 @@ class ControllerAPIModule(ControllerModule):
                        new_item.pop(key)

        if existing_item:
-            return self.update_if_needed(existing_item, new_item, on_update=on_update, auto_exit=auto_exit, associations=associations)
+            return self.update_if_needed(existing_item, new_item, item_type=item_type, on_update=on_update, auto_exit=auto_exit, associations=associations)
        else:
            return self.create_if_needed(
                existing_item, new_item, endpoint, on_create=on_create, item_type=item_type, auto_exit=auto_exit, associations=associations
--- a/awx_collection/plugins/modules/application.py
+++ b/awx_collection/plugins/modules/application.py
@@ -147,8 +147,12 @@ def main():
    if redirect_uris is not None:
        application_fields['redirect_uris'] = ' '.join(redirect_uris)

-    # If the state was present and we can let the module build or update the existing application, this will return on its own
-    module.create_or_update_if_needed(application, application_fields, endpoint='applications', item_type='application')
+    response = module.create_or_update_if_needed(application, application_fields, endpoint='applications', item_type='application', auto_exit=False)
+    if 'client_id' in response:
+        module.json_output['client_id'] = response['client_id']
+    if 'client_secret' in response:
+        module.json_output['client_secret'] = response['client_secret']
+    module.exit_json(**module.json_output)


 if __name__ == '__main__':
--- a/awx_collection/plugins/modules/role_definition.py
+++ b/awx_collection/plugins/modules/role_definition.py
@@ -0,0 +1,114 @@
+#!/usr/bin/python
+# coding: utf-8 -*-
+
+# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
+
+from __future__ import absolute_import, division, print_function
+
+__metaclass__ = type
+
+
+ANSIBLE_METADATA = {'metadata_version': '1.1', 'status': ['preview'], 'supported_by': 'community'}
+
+
+DOCUMENTATION = '''
+---
+module: role_definition
+author: "Seth Foster (@fosterseth)"
+short_description: Add role definition to Automation Platform Controller
+description:
+    - Contains a list of permissions and a resource type that can then be assigned to users or teams.
+options:
+    name:
+        description:
+            - Name of this role definition.
+        required: True
+        type: str
+    permissions:
+        description:
+            - List of permissions to include in the role definition.
+        required: True
+        type: list
+        elements: str
+    content_type:
+        description:
+            - The type of resource this applies to.
+        required: True
+        type: str
+    description:
+        description:
+            - Optional description of this role definition.
+        type: str
+    state:
+        description:
+            - The desired state of the role definition.
+        default: present
+        choices:
+            - present
+            - absent
+        type: str
+extends_documentation_fragment: awx.awx.auth
+'''
+
+
+EXAMPLES = '''
+- name: Create Role Definition
+  role_definition:
+    name: test_view_jt
+    permissions:
+      - awx.view_jobtemplate
+      - awx.execute_jobtemplate
+    content_type: awx.jobtemplate
+    description: role definition to view and execute jt
+    state: present
+'''
+
+from ..module_utils.controller_api import ControllerAPIModule
+
+
+def main():
+    # Any additional arguments that are not fields of the item can be added here
+    argument_spec = dict(
+        name=dict(required=True, type='str'),
+        permissions=dict(required=True, type='list', elements='str'),
+        content_type=dict(required=True, type='str'),
+        description=dict(required=False, type='str'),
+        state=dict(default='present', choices=['present', 'absent']),
+    )
+
+    module = ControllerAPIModule(argument_spec=argument_spec)
+
+    name = module.params.get('name')
+    permissions = module.params.get('permissions')
+    content_type = module.params.get('content_type')
+    description = module.params.get('description')
+    state = module.params.get('state')
+    if description is None:
+        description = ''
+
+    role_definition = module.get_one('role_definitions', name_or_id=name)
+
+    if state == 'absent':
+        module.delete_if_needed(
+            role_definition,
+            item_type='role_definition',
+        )
+
+    post_kwargs = {
+        'name': name,
+        'permissions': permissions,
+        'content_type': content_type,
+        'description': description
+    }
+
+    if state == 'present':
+        module.create_or_update_if_needed(
+            role_definition,
+            post_kwargs,
+            endpoint='role_definitions',
+            item_type='role_definition',
+        )
+
+
+if __name__ == '__main__':
+    main()
--- a/awx_collection/plugins/modules/role_team_assignment.py
+++ b/awx_collection/plugins/modules/role_team_assignment.py
@@ -0,0 +1,123 @@
+#!/usr/bin/python
+# coding: utf-8 -*-
+
+# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
+
+from __future__ import absolute_import, division, print_function
+
+__metaclass__ = type
+
+
+ANSIBLE_METADATA = {'metadata_version': '1.1', 'status': ['preview'], 'supported_by': 'community'}
+
+
+DOCUMENTATION = '''
+---
+module: role_team_assignment
+author: "Seth Foster (@fosterseth)"
+short_description: Gives a team permission to a resource or an organization.
+description:
+    - Use this endpoint to give a team permission to a resource or an organization.
+    - After creation, the assignment cannot be edited, but can be deleted to remove those permissions.
+options:
+    role_definition:
+        description:
+            - The name or id of the role definition to assign to the team.
+        required: True
+        type: str
+    object_id:
+        description:
+            - Primary key of the object this assignment applies to.
+        required: True
+        type: int
+    team:
+        description:
+            - The name or id of the team to assign to the object.
+        required: False
+        type: str
+    object_ansible_id:
+        description:
+            - Resource id of the object this role applies to. Alternative to the object_id field.
+        required: False
+        type: int
+    team_ansible_id:
+        description:
+            - Resource id of the team who will receive permissions from this assignment. Alternative to team field.
+        required: False
+        type: int
+    state:
+        description:
+            - The desired state of the role definition.
+        default: present
+        choices:
+            - present
+            - absent
+        type: str
+extends_documentation_fragment: awx.awx.auth
+'''
+
+
+EXAMPLES = '''
+- name: Give Team A JT permissions
+  role_team_assignment:
+    role_definition: launch JT
+    object_id: 1
+    team: Team A
+    state: present
+'''
+
+from ..module_utils.controller_api import ControllerAPIModule
+
+
+def main():
+    # Any additional arguments that are not fields of the item can be added here
+    argument_spec = dict(
+        team=dict(required=False, type='str'),
+        object_id=dict(required=True, type='int'),
+        role_definition=dict(required=True, type='str'),
+        object_ansible_id=dict(required=False, type='int'),
+        team_ansible_id=dict(required=False, type='int'),
+        state=dict(default='present', choices=['present', 'absent']),
+    )
+
+    module = ControllerAPIModule(argument_spec=argument_spec)
+
+    team = module.params.get('team')
+    object_id = module.params.get('object_id')
+    role_definition_str = module.params.get('role_definition')
+    object_ansible_id = module.params.get('object_ansible_id')
+    team_ansible_id = module.params.get('team_ansible_id')
+    state = module.params.get('state')
+
+    role_definition = module.get_one('role_definitions', allow_none=False, name_or_id=role_definition_str)
+    team = module.get_one('teams', allow_none=False, name_or_id=team)
+
+    kwargs = {
+        'role_definition': role_definition['id'],
+        'object_id': object_id,
+        'team': team['id'],
+        'object_ansible_id': object_ansible_id,
+        'team_ansible_id': team_ansible_id,
+    }
+
+    # get rid of None type values
+    kwargs = {k: v for k, v in kwargs.items() if v is not None}
+    role_team_assignment = module.get_one('role_team_assignments', **{'data': kwargs})
+
+    if state == 'absent':
+        module.delete_if_needed(
+            role_team_assignment,
+            item_type='role_team_assignment',
+        )
+
+    if state == 'present':
+        module.create_if_needed(
+            role_team_assignment,
+            kwargs,
+            endpoint='role_team_assignments',
+            item_type='role_team_assignment',
+        )
+
+
+if __name__ == '__main__':
+    main()
--- a/awx_collection/plugins/modules/role_user_assignment.py
+++ b/awx_collection/plugins/modules/role_user_assignment.py
@@ -0,0 +1,124 @@
+#!/usr/bin/python
+# coding: utf-8 -*-
+
+# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
+
+from __future__ import absolute_import, division, print_function
+
+__metaclass__ = type
+
+
+ANSIBLE_METADATA = {'metadata_version': '1.1', 'status': ['preview'], 'supported_by': 'community'}
+
+
+DOCUMENTATION = '''
+---
+module: role_user_assignment
+author: "Seth Foster (@fosterseth)"
+short_description: Gives a user permission to a resource or an organization.
+description:
+    - Use this endpoint to give a user permission to a resource or an organization.
+    - After creation, the assignment cannot be edited, but can be deleted to remove those permissions.
+options:
+    role_definition:
+        description:
+            - The name or id of the role definition to assign to the user.
+        required: True
+        type: str
+    object_id:
+        description:
+            - Primary key of the object this assignment applies to.
+        required: True
+        type: int
+    user:
+        description:
+            - The name or id of the user to assign to the object.
+        required: False
+        type: str
+    object_ansible_id:
+        description:
+            - Resource id of the object this role applies to. Alternative to the object_id field.
+        required: False
+        type: int
+    user_ansible_id:
+        description:
+            - Resource id of the user who will receive permissions from this assignment. Alternative to user field.
+        required: False
+        type: int
+    state:
+        description:
+            - The desired state of the role definition.
+        default: present
+        choices:
+            - present
+            - absent
+        type: str
+extends_documentation_fragment: awx.awx.auth
+'''
+
+
+EXAMPLES = '''
+- name: Give Bob JT permissions
+  role_user_assignment:
+    role_definition: launch JT
+    object_id: 1
+    user: bob
+    state: present
+'''
+
+from ..module_utils.controller_api import ControllerAPIModule
+
+
+def main():
+    # Any additional arguments that are not fields of the item can be added here
+    argument_spec = dict(
+        user=dict(required=False, type='str'),
+        object_id=dict(required=True, type='int'),
+        role_definition=dict(required=True, type='str'),
+        object_ansible_id=dict(required=False, type='int'),
+        user_ansible_id=dict(required=False, type='int'),
+        state=dict(default='present', choices=['present', 'absent']),
+    )
+
+    module = ControllerAPIModule(argument_spec=argument_spec)
+
+    user = module.params.get('user')
+    object_id = module.params.get('object_id')
+    role_definition_str = module.params.get('role_definition')
+    object_ansible_id = module.params.get('object_ansible_id')
+    user_ansible_id = module.params.get('user_ansible_id')
+    state = module.params.get('state')
+
+    role_definition = module.get_one('role_definitions', allow_none=False, name_or_id=role_definition_str)
+    user = module.get_one('users', allow_none=False, name_or_id=user)
+
+    kwargs = {
+        'role_definition': role_definition['id'],
+        'object_id': object_id,
+        'user': user['id'],
+        'object_ansible_id': object_ansible_id,
+        'user_ansible_id': user_ansible_id,
+    }
+
+    # get rid of None type values
+    kwargs = {k: v for k, v in kwargs.items() if v is not None}
+
+    role_user_assignment = module.get_one('role_user_assignments', **{'data': kwargs})
+
+    if state == 'absent':
+        module.delete_if_needed(
+            role_user_assignment,
+            item_type='role_user_assignment',
+        )
+
+    if state == 'present':
+        module.create_if_needed(
+            role_user_assignment,
+            kwargs,
+            endpoint='role_user_assignments',
+            item_type='role_user_assignment',
+        )
+
+
+if __name__ == '__main__':
+    main()
--- a/awx_collection/plugins/modules/workflow_launch.py
+++ b/awx_collection/plugins/modules/workflow_launch.py
@@ -39,6 +39,16 @@ options:
      description:
        - Limit to use for the I(job_template).
      type: str
+    tags:
+      description:
+        - Specific tags to apply from the I(job_template).
+      type: list
+      elements: str
+    skip_tags:
+      description:
+        - Specific tags to skip from the I(job_template).
+      type: list
+      elements: str
    scm_branch:
      description:
        - A specific branch of the SCM project to run the template on.
@@ -100,6 +110,8 @@ def main():
        organization=dict(),
        inventory=dict(),
        limit=dict(),
+        tags=dict(type='list', elements='str'),
+        skip_tags=dict(type='list', elements='str'),
        scm_branch=dict(),
        extra_vars=dict(type='dict'),
        wait=dict(required=False, default=True, type='bool'),
@@ -128,6 +140,14 @@ def main():
        if field_val is not None:
            optional_args[field_name] = field_val

+    # Special treatment of tags parameters
+    job_tags = module.params.get('tags')
+    if job_tags is not None:
+        optional_args['job_tags'] = ",".join(job_tags)
+    skip_tags = module.params.get('skip_tags')
+    if skip_tags is not None:
+        optional_args['skip_tags'] = ",".join(skip_tags)
+
    # Create a datastructure to pass into our job launch
    post_data = {}
    for arg_name, arg_value in optional_args.items():
@@ -152,6 +172,8 @@ def main():
    check_vars_to_prompts = {
        'inventory': 'ask_inventory_on_launch',
        'limit': 'ask_limit_on_launch',
+        'job_tags': 'ask_tags_on_launch',
+        'skip_tags': 'ask_skip_tags_on_launch',
        'scm_branch': 'ask_scm_branch_on_launch',
    }

--- a/awx_collection/test/awx/conftest.py
+++ b/awx_collection/test/awx/conftest.py
@@ -17,6 +17,7 @@ import pytest

 from ansible.module_utils.six import raise_from

+from ansible_base.rbac.models import RoleDefinition, DABPermission
 from awx.main.tests.functional.conftest import _request
 from awx.main.tests.functional.conftest import credentialtype_scm, credentialtype_ssh  # noqa: F401; pylint: disable=unused-variable
 from awx.main.models import (
@@ -31,9 +32,11 @@ from awx.main.models import (
    WorkflowJobTemplate,
    NotificationTemplate,
    Schedule,
+    Team,
 )

 from django.db import transaction
+from django.contrib.contenttypes.models import ContentType


 HAS_TOWER_CLI = False
@@ -258,6 +261,11 @@ def job_template(project, inventory):
    return JobTemplate.objects.create(name='test-jt', project=project, inventory=inventory, playbook='helloworld.yml')


+@pytest.fixture
+def team(organization):
+    return Team.objects.create(name='test-team', organization=organization)
+
+
@pytest.fixture
 def machine_credential(credentialtype_ssh, organization):  # noqa: F811
    return Credential.objects.create(credential_type=credentialtype_ssh, name='machine-cred', inputs={'username': 'test_user', 'password': 'pas4word'})
@@ -331,6 +339,15 @@ def notification_template(organization):
    )


+@pytest.fixture
+def job_template_role_definition():
+    rd = RoleDefinition.objects.create(name='test_view_jt', content_type=ContentType.objects.get_for_model(JobTemplate))
+    permission_codenames = ['view_jobtemplate', 'execute_jobtemplate']
+    permissions = DABPermission.objects.filter(codename__in=permission_codenames)
+    rd.permissions.add(*permissions)
+    return rd
+
+
@pytest.fixture
 def scm_credential(credentialtype_scm, organization):  # noqa: F811
    return Credential.objects.create(
--- a/awx_collection/test/awx/test_notification_template.py
+++ b/awx_collection/test/awx/test_notification_template.py
@@ -155,4 +155,4 @@ def test_build_notification_message_undefined(run_module, admin_user, organizati
    nt = NotificationTemplate.objects.get(id=result['id'])

    body = job.build_notification_message(nt, 'running')
-    assert 'The template rendering return a blank body' in body[1]
+    assert '{"started_by": "My Placeholder"}' in body[1]
--- a/awx_collection/test/awx/test_role.py
+++ b/awx_collection/test/awx/test_role.py
@@ -18,9 +18,9 @@ def test_grant_organization_permission(run_module, admin_user, organization, sta
    assert not result.get('failed', False), result.get('msg', result)

    if state == 'present':
-        assert rando in organization.execute_role
+        assert rando in organization.admin_role
    else:
-        assert rando not in organization.execute_role
+        assert rando not in organization.admin_role


@pytest.mark.django_db
--- a/awx_collection/test/awx/test_role_definition.py
+++ b/awx_collection/test/awx/test_role_definition.py
@@ -0,0 +1,122 @@
+from __future__ import absolute_import, division, print_function
+
+__metaclass__ = type
+
+import pytest
+
+from ansible_base.rbac.models import RoleDefinition
+
+
+@pytest.mark.django_db
+def test_create_new(run_module, admin_user):
+    result = run_module(
+        'role_definition',
+        {
+            'name': 'test_view_jt',
+            'permissions': ['awx.view_jobtemplate', 'awx.execute_jobtemplate'],
+            'content_type': 'awx.jobtemplate',
+        },
+        admin_user)
+    assert result['changed']
+
+    role_definition = RoleDefinition.objects.get(name='test_view_jt')
+    assert role_definition
+    permission_codenames = [p.codename for p in role_definition.permissions.all()]
+    assert set(permission_codenames) == set(['view_jobtemplate', 'execute_jobtemplate'])
+    assert role_definition.content_type.model == 'jobtemplate'
+
+
+@pytest.mark.django_db
+def test_update_existing(run_module, admin_user):
+    result = run_module(
+        'role_definition',
+        {
+            'name': 'test_view_jt',
+            'permissions': ['awx.view_jobtemplate'],
+            'content_type': 'awx.jobtemplate',
+        },
+        admin_user)
+
+    assert result['changed']
+
+    role_definition = RoleDefinition.objects.get(name='test_view_jt')
+    permission_codenames = [p.codename for p in role_definition.permissions.all()]
+    assert set(permission_codenames) == set(['view_jobtemplate'])
+    assert role_definition.content_type.model == 'jobtemplate'
+
+    result = run_module(
+        'role_definition',
+        {
+            'name': 'test_view_jt',
+            'permissions': ['awx.view_jobtemplate', 'awx.execute_jobtemplate'],
+            'content_type': 'awx.jobtemplate',
+        },
+        admin_user)
+
+    assert result['changed']
+
+    role_definition.refresh_from_db()
+    permission_codenames = [p.codename for p in role_definition.permissions.all()]
+    assert set(permission_codenames) == set(['view_jobtemplate', 'execute_jobtemplate'])
+    assert role_definition.content_type.model == 'jobtemplate'
+
+
+@pytest.mark.django_db
+def test_delete_existing(run_module, admin_user):
+    result = run_module(
+        'role_definition',
+        {
+            'name': 'test_view_jt',
+            'permissions': ['awx.view_jobtemplate', 'awx.execute_jobtemplate'],
+            'content_type': 'awx.jobtemplate',
+        },
+        admin_user)
+
+    assert result['changed']
+
+    role_definition = RoleDefinition.objects.get(name='test_view_jt')
+    assert role_definition
+
+    result = run_module(
+        'role_definition',
+        {
+            'name': 'test_view_jt',
+            'permissions': ['awx.view_jobtemplate', 'awx.execute_jobtemplate'],
+            'content_type': 'awx.jobtemplate',
+            'state': 'absent',
+        },
+        admin_user)
+
+    assert result['changed']
+
+    with pytest.raises(RoleDefinition.DoesNotExist):
+        role_definition.refresh_from_db()
+
+
+@pytest.mark.django_db
+def test_idempotence(run_module, admin_user):
+    result = run_module(
+        'role_definition',
+        {
+            'name': 'test_view_jt',
+            'permissions': ['awx.view_jobtemplate', 'awx.execute_jobtemplate'],
+            'content_type': 'awx.jobtemplate',
+        },
+        admin_user)
+
+    assert result['changed']
+
+    result = run_module(
+        'role_definition',
+        {
+            'name': 'test_view_jt',
+            'permissions': ['awx.view_jobtemplate', 'awx.execute_jobtemplate'],
+            'content_type': 'awx.jobtemplate',
+        },
+        admin_user)
+
+    assert not result['changed']
+
+    role_definition = RoleDefinition.objects.get(name='test_view_jt')
+    permission_codenames = [p.codename for p in role_definition.permissions.all()]
+    assert set(permission_codenames) == set(['view_jobtemplate', 'execute_jobtemplate'])
--- a/awx_collection/test/awx/test_role_team_assignment.py
+++ b/awx_collection/test/awx/test_role_team_assignment.py
@@ -0,0 +1,70 @@
+from __future__ import absolute_import, division, print_function
+
+__metaclass__ = type
+
+import pytest
+
+from ansible_base.rbac.models import RoleTeamAssignment
+
+
+@pytest.mark.django_db
+def test_create_new(run_module, admin_user, team, job_template, job_template_role_definition):
+    result = run_module(
+        'role_team_assignment',
+        {
+            'team': team.name,
+            'object_id': job_template.id,
+            'role_definition': job_template_role_definition.name,
+        },
+        admin_user)
+    assert result['changed']
+    assert RoleTeamAssignment.objects.filter(team=team, object_id=job_template.id, role_definition=job_template_role_definition).exists()
+
+
+@pytest.mark.django_db
+def test_idempotence(run_module, admin_user, team, job_template, job_template_role_definition):
+    result = run_module(
+        'role_team_assignment',
+        {
+            'team': team.name,
+            'object_id': job_template.id,
+            'role_definition': job_template_role_definition.name,
+        },
+        admin_user)
+    assert result['changed']
+
+    result = run_module(
+        'role_team_assignment',
+        {
+            'team': team.name,
+            'object_id': job_template.id,
+            'role_definition': job_template_role_definition.name,
+        },
+        admin_user)
+    assert not result['changed']
+
+
+@pytest.mark.django_db
+def test_delete_existing(run_module, admin_user, team, job_template, job_template_role_definition):
+    result = run_module(
+        'role_team_assignment',
+        {
+            'team': team.name,
+            'object_id': job_template.id,
+            'role_definition': job_template_role_definition.name,
+        },
+        admin_user)
+    assert result['changed']
+    assert RoleTeamAssignment.objects.filter(team=team, object_id=job_template.id, role_definition=job_template_role_definition).exists()
+
+    result = run_module(
+        'role_team_assignment',
+        {
+            'team': team.name,
+            'object_id': job_template.id,
+            'role_definition': job_template_role_definition.name,
+            'state': 'absent'
+        },
+        admin_user)
+    assert result['changed']
+    assert not RoleTeamAssignment.objects.filter(team=team, object_id=job_template.id, role_definition=job_template_role_definition).exists()
--- a/awx_collection/test/awx/test_role_user_assignment.py
+++ b/awx_collection/test/awx/test_role_user_assignment.py
@@ -0,0 +1,70 @@
+from __future__ import absolute_import, division, print_function
+
+__metaclass__ = type
+
+import pytest
+
+from ansible_base.rbac.models import RoleUserAssignment
+
+
+@pytest.mark.django_db
+def test_create_new(run_module, admin_user, job_template, job_template_role_definition):
+    result = run_module(
+        'role_user_assignment',
+        {
+            'user': admin_user.username,
+            'object_id': job_template.id,
+            'role_definition': job_template_role_definition.name,
+        },
+        admin_user)
+    assert result['changed']
+    assert RoleUserAssignment.objects.filter(user=admin_user, object_id=job_template.id, role_definition=job_template_role_definition).exists()
+
+
+@pytest.mark.django_db
+def test_idempotence(run_module, admin_user, job_template, job_template_role_definition):
+    result = run_module(
+        'role_user_assignment',
+        {
+            'user': admin_user.username,
+            'object_id': job_template.id,
+            'role_definition': job_template_role_definition.name,
+        },
+        admin_user)
+    assert result['changed']
+
+    result = run_module(
+        'role_user_assignment',
+        {
+            'user': admin_user.username,
+            'object_id': job_template.id,
+            'role_definition': job_template_role_definition.name,
+        },
+        admin_user)
+    assert not result['changed']
+
+
+@pytest.mark.django_db
+def test_delete_existing(run_module, admin_user, job_template, job_template_role_definition):
+    result = run_module(
+        'role_user_assignment',
+        {
+            'user': admin_user.username,
+            'object_id': job_template.id,
+            'role_definition': job_template_role_definition.name,
+        },
+        admin_user)
+    assert result['changed']
+    assert RoleUserAssignment.objects.filter(user=admin_user, object_id=job_template.id, role_definition=job_template_role_definition).exists()
+
+    result = run_module(
+        'role_user_assignment',
+        {
+            'user': admin_user.username,
+            'object_id': job_template.id,
+            'role_definition': job_template_role_definition.name,
+            'state': 'absent'
+        },
+        admin_user)
+    assert result['changed']
+    assert not RoleUserAssignment.objects.filter(user=admin_user, object_id=job_template.id, role_definition=job_template_role_definition).exists()
--- a/awx_collection/test/awx/test_workflow_job_template.py
+++ b/awx_collection/test/awx/test_workflow_job_template.py
@@ -4,7 +4,7 @@ __metaclass__ = type

 import pytest

-from awx.main.models import WorkflowJobTemplate, NotificationTemplate
+from awx.main.models import WorkflowJobTemplate, WorkflowJob, NotificationTemplate


@pytest.mark.django_db
@@ -135,6 +135,37 @@ def test_associate_only_on_success(run_module, admin_user, organization, project
    assert list(wfjt.notification_templates_error.values_list('id', flat=True)) == [nt1.id]


+@pytest.mark.django_db
+def test_workflow_launch_with_prompting(run_module, admin_user, organization, inventory):
+    WorkflowJobTemplate.objects.create(
+        name='foo-workflow-launch-test',
+        organization=organization,
+        ask_variables_on_launch=True,
+        ask_inventory_on_launch=True,
+        ask_tags_on_launch=True,
+        ask_skip_tags_on_launch=True,
+    )
+    result = run_module(
+        'workflow_launch',
+        dict(
+            name='foo-workflow-launch-test',
+            inventory=inventory.name,
+            wait=False,
+            extra_vars={"var1": "My First Variable", "var2": "My Second Variable", "var3": "My Third Variable"},
+            tags=["my_tag"],
+            skip_tags=["your_tag", "their_tag"],
+        ),
+        admin_user,
+    )
+    assert result.get('changed', True), result
+
+    job = WorkflowJob.objects.get(id=result['id'])
+    assert job.extra_vars == '{"var1": "My First Variable", "var2": "My Second Variable", "var3": "My Third Variable"}'
+    assert job.inventory == inventory
+    assert job.job_tags == "my_tag"
+    assert job.skip_tags == "your_tag,their_tag"
+
+
@pytest.mark.django_db
 def test_delete_with_spec(run_module, admin_user, organization, survey_spec):
    WorkflowJobTemplate.objects.create(organization=organization, name='foo-workflow', survey_enabled=True, survey_spec=survey_spec)
--- a/awx_collection/tests/integration/targets/ad_hoc_command_cancel/tasks/main.yml
+++ b/awx_collection/tests/integration/targets/ad_hoc_command_cancel/tasks/main.yml
@@ -1,63 +1,63 @@
 ---
 - name: Generate a random string for test
-  set_fact:
+  ansible.builtin.set_fact:
    test_id: "{{ lookup('password', '/dev/null chars=ascii_letters length=16') }}"
  when: test_id is not defined

 - name: Generate names
-  set_fact:
+  ansible.builtin.set_fact:
    inv_name: "AWX-Collection-tests-ad_hoc_command_cancel-inventory-{{ test_id }}"
    ssh_cred_name: "AWX-Collection-tests-ad_hoc_command_cancel-ssh-cred-{{ test_id }}"
    org_name: "AWX-Collection-tests-ad_hoc_command_cancel-org-{{ test_id }}"

 - name: Create a New Organization
-  organization:
+  awx.awx.organization:
    name: "{{ org_name }}"

 - name: Create an Inventory
-  inventory:
+  awx.awx.inventory:
    name: "{{ inv_name }}"
    organization: "{{ org_name }}"
    state: present

 - name: Add localhost to the Inventory
-  host:
+  awx.awx.host:
    name: localhost
    inventory: "{{ inv_name }}"
    variables:
      ansible_connection: local

 - name: Create a Credential
-  credential:
+  awx.awx.credential:
    name: "{{ ssh_cred_name }}"
    organization: "{{ org_name }}"
    credential_type: 'Machine'
    state: present

 - name: Launch an Ad Hoc Command
-  ad_hoc_command:
+  awx.awx.ad_hoc_command:
    inventory: "{{ inv_name }}"
    credential: "{{ ssh_cred_name }}"
    module_name: "command"
    module_args: "sleep 100"
  register: command

- assert:
+- ansible.builtin.assert:
    that:
      - "command is changed"

 - name: Cancel the command
-  ad_hoc_command_cancel:
+  awx.awx.ad_hoc_command_cancel:
    command_id: "{{ command.id }}"
    request_timeout: 60
  register: results

- assert:
+- ansible.builtin.assert:
    that:
      - results is changed

 - name: "Wait for up to a minute until the job enters the can_cancel: False state"
-  debug:
+  ansible.builtin.debug:
    msg: "The job can_cancel status has transitioned into False, we can proceed with testing"
  until: not job_status
  retries: 6
@@ -66,51 +66,51 @@
    job_status: "{{ lookup('awx.awx.controller_api', 'ad_hoc_commands/'+ command.id | string +'/cancel')['can_cancel'] }}"

 - name: Cancel the command with hard error if it's not running
-  ad_hoc_command_cancel:
+  awx.awx.ad_hoc_command_cancel:
    command_id: "{{ command.id }}"
    fail_if_not_running: true
  register: results
  ignore_errors: true

- assert:
+- ansible.builtin.assert:
    that:
      - results is failed

 - name: Cancel an already canceled command (assert failure)
-  ad_hoc_command_cancel:
+  awx.awx.ad_hoc_command_cancel:
    command_id: "{{ command.id }}"
    fail_if_not_running: true
  register: results
  ignore_errors: true

- assert:
+- ansible.builtin.assert:
    that:
      - results is failed

 - name: Check module fails with correct msg
-  ad_hoc_command_cancel:
+  awx.awx.ad_hoc_command_cancel:
    command_id: 9999999999
  register: result
  ignore_errors: true

- assert:
+- ansible.builtin.assert:
    that:
      - "result.msg == 'Unable to find command with id 9999999999'"

 - name: Delete the Credential
-  credential:
+  awx.awx.credential:
    name: "{{ ssh_cred_name }}"
    organization: "{{ org_name }}"
    credential_type: 'Machine'
    state: absent

 - name: Delete the Inventory
-  inventory:
+  awx.awx.inventory:
    name: "{{ inv_name }}"
    organization: "{{ org_name }}"
    state: absent

 - name: Remove the Organization
-  organization:
+  awx.awx.organization:
    name: "{{ org_name }}"
    state: absent
--- a/awx_collection/tests/integration/targets/application/tasks/main.yml
+++ b/awx_collection/tests/integration/targets/application/tasks/main.yml
@@ -103,6 +103,7 @@
    - assert:
        that:
          - "result is changed"
+          - "'client_secret' in result"

    - name: Rename an inventory
      application:
--- a/awx_collection/tests/integration/targets/instance/tasks/main.yml
+++ b/awx_collection/tests/integration/targets/instance/tasks/main.yml
@@ -1,23 +1,23 @@
 ---
 - name: Generate a test ID
-  set_fact:
+  ansible.builtin.set_fact:
    test_id: "{{ lookup('password', '/dev/null chars=ascii_letters length=16') }}"
  when: test_id is not defined

 - name: Generate hostnames
-  set_fact:
+  ansible.builtin.set_fact:
    hostname1: "AWX-Collection-tests-instance1.{{ test_id }}.example.com"
    hostname2: "AWX-Collection-tests-instance2.{{ test_id }}.example.com"
    hostname3: "AWX-Collection-tests-instance3.{{ test_id }}.example.com"
  register: facts

 - name: Get the k8s setting
-  set_fact:
+  ansible.builtin.set_fact:
    IS_K8S: "{{ controller_settings['IS_K8S'] | default(False) }}"
  vars:
    controller_settings: "{{ lookup('awx.awx.controller_api', 'settings/all') }}"

- debug:
+- ansible.builtin.debug:
    msg: "Skipping instance test since this is instance is not running on a K8s platform"
  when: not IS_K8S

@@ -32,7 +32,7 @@
        - "{{ hostname2 }}"
      register: result

-    - assert:
+    - ansible.builtin.assert:
        that:
          - result is changed

@@ -44,7 +44,7 @@
        capacity_adjustment: 0.4
      register: result

-    - assert:
+    - ansible.builtin.assert:
        that:
          - result is changed

@@ -54,7 +54,7 @@
        capacity_adjustment: 0.7
      register: result

-    - assert:
+    - ansible.builtin.assert:
        that:
          - result is changed

@@ -78,7 +78,7 @@
        node_state: installed
      register: result

-    - assert:
+    - ansible.builtin.assert:
        that:
          - result is changed

@@ -89,7 +89,7 @@
        node_state: installed
      register: result

-    - assert:
+    - ansible.builtin.assert:
        that:
          - result is changed

@@ -103,7 +103,7 @@
          - "{{ hostname2 }}"
      register: result

-    - assert:
+    - ansible.builtin.assert:
        that:
          - result is changed

@@ -115,7 +115,7 @@
        peers: []
      register: result

-    - assert:
+    - ansible.builtin.assert:
        that:
          - result is changed

--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Elijah DeLee	19e3cba35c	Merge branch 'devel' into x-request-id	2024-04-24 15:04:13 -05:00
irozet12	e4646ae611	Add help message for expiration tokens (#15076 ) (#15077 ) Co-authored-by: Ирина Розет <irozet@astralinux.ru>	2024-04-24 19:58:09 +00:00
Elijah DeLee	c11ff49a56	fixup syntax	2024-04-24 14:48:02 -05:00
Bruno Sanchez	7dc77546f4	Adding CSRF Validation for schemas (#15027 ) * Adding CSRF Validation for schemas * Changing retrieve of scheme to avoid importing new library * check if CSRF_TRUSTED_ORIGINS exists before accessing it --------- Signed-off-by: Bruno Sanchez <brsanche@redhat.com>	2024-04-24 15:47:03 -04:00
Michael Tipton	f5f85666c8	Add ability to set SameSite policy for userLoggedIn cookie (#15100 ) * Add ability to set SameSite policy for userLoggedIn cookie * reformat line for linter	2024-04-24 15:44:31 -04:00
Alan Rominger	47a061eb39	Fix and test data migration error from DAB RBAC (#15138 ) * Fix and test data migration error from DAB RBAC * Fix up migration test * Fix custom method bug * Fix another fat fingered bug	2024-04-24 15:14:03 -04:00
Elijah DeLee	51bcf82cf4	include x-request-id header in perf log if exists	2024-04-24 13:51:42 -05:00
Alan Rominger	c760577855	Adjust test for stricter DAB user view permission enforcement (#15130 )	2024-04-23 15:21:06 -04:00
TVo	814ceb0d06	Backports previously approved corrections. (#15121 ) * Backports previously approved corrections. * Deleted a blank line in inventories line 100	2024-04-22 09:55:19 -06:00
Seth Foster	f178c84728	Fix instance peering pagination (#15108 ) Currently the association box displays a list of available instances/addresses that can be peered to. The pagination issue arises as follows: - fetch 5 instances (based on page_size) - filter these instances down based on some criteria (like is_internal: false) - show results Filtering down the results inside of the fetch method results in pagnation errors (may return fewer than 5, for example) instead, do the filtering by API queries. That way the pagination count will be correct. Signed-off-by: Seth Foster <fosterbseth@gmail.com>	2024-04-18 15:17:10 -04:00
Jeff Bradberry	c0f71801f6	Use $(shell ...) to filter the redis docker volumes Makefiles use $() for variable templating, so trying to use it directly as a shell subcommand doesn't work.	2024-04-17 16:45:23 -04:00
Jan-Piet Mens	4e8e1398d7	Omit using -X when not needed, and don't default to demonstrating -k It's the year 2024: using -k as default in https URL schemes should be deprecated. (I have left one mention of it possibly being required if no CA available). Furtheremore, neither -XGET or -XPOST are required, as curl(1) well knows when to use which method.	2024-04-17 15:18:57 -04:00
STEVEN ADAMS	3d6a8fd4ef	chore: remove repetitive words (#15101 ) Signed-off-by: hugehope <cmm7@sina.cn>	2024-04-17 19:18:25 +00:00
Hao Liu	e873bb1304	Fix wsrelay connection leak (#15113 ) - when re-establishing connection to db close old connection - re-initialize WebSocketRelayManager when restarting asyncio.run - log and ignore error in cleanup_offline_host (this might come back to bite us) - cleanup connection when WebSocketRelayManager crash	2024-04-16 14:54:36 -04:00
lucas-benedito	672f1eb745	Fixed missing fstring from wsrelay logging (#15094 ) Fixed missing fstring from wsrelay logging	2024-04-16 13:32:34 -04:00
abikouo	199507c6f1	Support Google credentials on Terraform credentials type	2024-04-16 10:34:38 -04:00
jessicamack	a176c04c14	Update LDAP/SAML config dump command (#15106 ) * update LDAP config dump * return missing fields if any * update test, remove unused import * return bool and fields. check for missing_fields	2024-04-15 12:26:57 -04:00
Alan Rominger	e3af658f82	Use released version of django-radius (#15103 )	2024-04-12 16:34:23 -04:00
Hao Liu	e8a3b96482	Use latest awx-ee in devel CI (#15098 )	2024-04-12 14:30:39 -04:00
Hao Liu	c015e8413e	Store molecule debug output to github artifacts (#15107 ) Related to https://github.com/ansible/awx-operator/pull/1823	2024-04-12 13:56:25 -04:00
Alan Rominger	390c2d8907	[RBAC] Update related name to reflect upstream DAB change (#15093 ) Update related name to reflect upstream DAB change	2024-04-11 14:59:09 -04:00
Alan Rominger	97605c5f19	Make custom urls work with RBAC	2024-04-11 14:59:09 -04:00
Alan Rominger	818c326160	[RBAC] Rename managed role definitions, and move migration logic here (#15087 ) * Rename managed role definitions, and move migration logic here * Fix naming capitalization	2024-04-11 14:59:09 -04:00
Alan Rominger	c98727d83e	[RBAC] Fix bug where team could not be given read_role to other team (#15067 ) * Fix bug where team could not be given read_role to other team * Avoid unwanted triggers of parentage granting * Restructure signal structure * Fix another bug unmasked by team member permission fix * Changes to live with test writing * Use equality as opposed to string "in" from Seth in review comment Co-authored-by: Seth Foster <fosterseth@users.noreply.github.com> --------- Co-authored-by: Seth Foster <fosterseth@users.noreply.github.com>	2024-04-11 14:59:09 -04:00
Alan Rominger	a138a92e67	[RBAC] Tweaks to reflect what endpoints are deprecated (#15068 ) Tweaks to reflect what endpoints are deprecated	2024-04-11 14:59:09 -04:00
Alan Rominger	7aed19ffda	Fix missing role membership when giving creator permissions (#15058 )	2024-04-11 14:59:09 -04:00
Seth Foster	3bb559dd09	AWX Collections for DAB RBAC Adds new modules for CRUD operations on the following endpoints: - api/v2/role_definitions - api/v2/role_user_assignments - api/v2/role_team_assignments Note: assignment is Create or Delete only Additional changes: - Currently DAB endpoints do not have "type" field on the resource list items. So this modifies the create_or_update_if_needed to allow manually specifying item type. Signed-off-by: Seth Foster <fosterbseth@gmail.com>	2024-04-11 14:59:09 -04:00
Alan Rominger	389a729b75	[RBAC] Fix known issues with backward compatible access_list (#15052 ) * Remove duplicate access_list entries for direct team access * Revert test changes for superuser in access_list	2024-04-11 14:59:09 -04:00
Alan Rominger	2f3c9122fd	Generalize can_delete solution, use devel DAB (#15009 ) * Generalize can_delete solution, use devel DAB * Fix bug where model was used instead of model_name * Linter fixes	2024-04-11 14:59:09 -04:00
Alan Rominger	733478ee19	[RBAC] Fix server error from delete capability of approvals (#15002 ) Fix server error from delete capability of approvals	2024-04-11 14:59:09 -04:00
Alan Rominger	41c6337fc1	[RBAC] Fix migration for created and modified field changes (#14999 ) Fix migration for created and modified field changes	2024-04-11 14:59:09 -04:00
Alan Rominger	7446da1c2f	Bump migration number for RBAC branch	2024-04-11 14:59:09 -04:00
Alan Rominger	c79fca5ceb	Adopt internal DAB RBAC Permission model (#14994 )	2024-04-11 14:59:09 -04:00
Alan Rominger	dc5f43927a	Minor RBAC test fix (#14982 )	2024-04-11 14:59:09 -04:00
Alan Rominger	35a5a81e19	Use AWX base view to make unauth requests 401 (#14981 )	2024-04-11 14:59:09 -04:00
Alan Rominger	9dcc11d54c	[DAB RBAC] Re-implement system auditor as a singleton role in new system (#14963 ) * Add new enablement settings from DAB RBAC * Initial implementation of system auditor as role without testing * Fix system auditor role, remove duplicate assignments * Make the system auditor role managed * Flake8 fix * Remove another thing from old solution * Fix a few test failures * Add extra setting to disable custom system roles via API * Add test for custom role prohibition	2024-04-11 14:59:09 -04:00
Alan Rominger	74ce21fa54	Bump number of allowed endpoints (#14956 )	2024-04-11 14:59:09 -04:00
Alan Rominger	eb93660b36	Cache organization child evaluations and remove hacks	2024-04-11 14:59:09 -04:00
Alan Rominger	f50e597548	Cast ObjectRole object_id to int, very wrong, tmp fix	2024-04-11 14:59:09 -04:00
Alan Rominger	817c3b36b9	Replace role system with permissions-based DB roles Develop ability to list permissions for existing roles Create a model registry for RBAC-tracked models Write the data migration logic for creating the preloaded role definitions Write migration to migrate old Role into ObjectRole model This loops over the old Role model, knowing it is unique on object and role_field Most of the logic is concerned with identifying the needed permissions, and then corresponding role definition As needed, object roles are created and users then teams are assigned Write re-computation of cache logic for teams and then for object role permissions Migrate new RBAC internals to ansible_base Migrate tests to ansible_base Implement solution for visible_roles Expose URLs for DAB RBAC	2024-04-11 14:59:09 -04:00
Alan Rominger	1859a6ae69	Fix failure from DAB (#15102 ) @AlanCoding said to do this 🚌	2024-04-11 17:10:11 +00:00
Chris Meyers	0645d342dd	Implement optional url prefix the Django way * Before, the optional url prefix feature required calling our versioning version of reverse(). This worked _ok_ until we added more and more urls from 3rd party apps. Those 3rd party apps do not call our reverse(), writefully so. * This implementation looks at the incoming request path. If it includes the special optional prefix url, then we register ALL the urls WITH the optional url prefix. If the incoming request path does NOT contain the options url prefix then we register ALL the urls WITHOUT the optional url prefix. * Before this, we were registering BOTH sets of urls and then reverse() + the request as context to decide which url.	2024-04-10 16:03:09 -04:00
Chris Meyers	61ec03e540	Move named url init out of Middleware init * Middleware classes can be instantiated multiple times in testing. To make this a non-issue, move the init code for named urls out of the middleware init and into the app init. * This makes it easier to use other testing facilities, like LiveServerTestCase, without having to mock the named url middleware init.	2024-04-10 15:46:30 -04:00
Shane McDonald	09f0a366bf	Revert accidental line deletion I made a mistake in https://github.com/ansible/awx/pull/15096. I realized afterwards that it must have been being consumed by the make target.	2024-04-10 12:19:07 -04:00
Shane McDonald	778961d31e	Fix awxkit uploads when re-running promote workflow	2024-04-10 12:12:35 -04:00
Shane McDonald	f962c88df3	Allow for manually restarting promote workflow The promote workflow recently failed. Since this was just a problem with our automation, it would be nice if we didn't have to do another release just to fix our tooling.	2024-04-10 12:00:30 -04:00
Hao Liu	8db3ffe719	Check galaxy collection with and without redirect	2024-04-10 11:26:42 -04:00
Alan Rominger	cc5d4dd119	Clean the postgres 15 volume (#15083 )	2024-04-09 16:06:42 -04:00
Hao Liu	86204cf23b	Publish amd64 and arm64 awx image on release (#15053 ) * Stage multi-arch awx image - change CI to use `make awx-kube-build` instead of build playbook - update staging CI to build and push multiarch awx image - update doc to use `make awx-kube-build` to build awx image - remove build playbook (no longer used)	2024-04-09 09:50:09 -04:00
Chris Meyers	468949b899	Remove uneeded drf_reverse overwrite * `drf_reverse()` was introduced here `1a75b1836e` * There is a comment about monkey patching. I can't find the monkey patch it is referencing. * AWX `drf_reverse()` is a copy paste of this https://github.com/encode/django-rest-framework/blob/master/rest_framework/reverse.py#L32 * The only difference is DRF's version calls `preserve_builtin_query_params()` * `preserve_builtin_query_params()` only does something if `api_settings.URL_FORMAT_OVERRIDE` is defined. * We don't use `REST_FRAMEWORK.URL_FORMAT_OVERRIDE`	2024-04-08 16:14:11 -04:00
TVo	f1d9966224	Added docs for terraform credential/inventory source (#15004 ) * Added docs for terraform credential/inventory source * Updated screen captures for inventories and source to match wfjt example * Added docs for terraform credential/inventory source * Updated screen captures for inventories and source to match wfjt example * Update docs/docsite/rst/userguide/inventories.rst Co-authored-by: Aoki <lucasaoki@users.noreply.github.com> * Revised per review feedback. * Update docs/docsite/rst/userguide/inventories.rst Co-authored-by: Helen Bailey <hakbailey@gmail.com> --------- Co-authored-by: Aoki <lucasaoki@users.noreply.github.com> Co-authored-by: Helen Bailey <hakbailey@gmail.com>	2024-04-05 09:57:27 -06:00
César Francisco San Nicolás Martínez	b022b50966	fix service-index url calling reverse method	2024-04-04 07:48:04 -04:00
Elijah DeLee	e2f4213839	Round out options url prefix edge cases	2024-04-04 07:48:04 -04:00
Chris Meyers	ae1235b223	Rename container hostname from awx_1 to awx-1 * Django and other webservers that care about proper hostnames don't like underscores in them.	2024-04-03 15:58:17 -04:00
Tom Page	c061f59f1c	Add tags and skip_tags option to awx.awx.workflow_launch (#15011 ) Signed-off-by: Tom Page <tpage@redhat.com>	2024-04-03 15:29:43 -04:00
Jeff Bradberry	3edaaebba2	Adjust the awx-manage script to make use of importlib (#15015 ) * Adjust the awx-manage script to make use of importlib removing the deprecation warning. * Synlink awx-manage in docker-compose No longer need to rebuild docker-compose devel image to load change for `tools/docker-compose/awx-manage` in development environment --------- Co-authored-by: Hao Liu <44379968+TheRealHaoLiu@users.noreply.github.com>	2024-04-02 17:20:05 -04:00
Hao Liu	7cdf1c7f96	Update DOCKER_COMPOSE command to `docker compose` (#15056 ) * Update DOCKER_COMPOSE command docker-compose will stop being supported soon and this is causing CI flake setting DOCKER_COMPOSE default to `docker compose` * Give AWX network a static name	2024-04-02 15:13:14 -04:00
Hao Liu	d558204192	Make db password optional for wsrelay (#15046 ) * Make db password optional for wsrelay * Change DB setting copy to deepcopy safer than copy() Co-Authored-By: Jeff Bradberry <685957+jbradberry@users.noreply.github.com> --------- Co-authored-by: Jeff Bradberry <685957+jbradberry@users.noreply.github.com>	2024-04-02 11:47:24 -04:00
Chris Meyers	d06ce8f911	Remove json formatter for job lifecycle * We didn't really make use of json formatting across the app. Remove the special case json formatter. Instead, output all of the meta-data associated with a job lifecycle event every time. Before, we tried to only output this extra meta data when in DEBUG mode. It turns out this information is smaller than we thought and more useful than we thought so always output it.	2024-04-02 11:39:34 -04:00
Alan Rominger	4b6f7e0ebe	Add link to service-index URL	2024-03-29 10:07:15 +00:00
John Barker	370c567be1	Remove /17 magic number from Forum URL	2024-03-29 10:03:45 +00:00
John Barker	9be64f3de5	Improve social documentation release_process.md	2024-03-29 10:03:45 +00:00
Alan Rominger	30500e5a95	Re-parent DAB views from AWX base	2024-03-29 10:03:12 +00:00
David O Neill	bb323c5710	Loosen up body check on template https://github.com/ansible/awx/issues/14985 https://github.com/ansible/awx/issues/13983	2024-03-29 10:02:18 +00:00
Chris Meyers	7571df49d5	Pass --exclude="list of exclude dirs like this" * Previously, the params were passed without quotes and each directory was being interpreted as a seperate command line flag. * Added some structure around the error messages returned from receptorctl so we can more easily decide how to handle each case. For example, releasing the cleanup job from receptor doesn't absolutely need to succeed because we have a periodic job that does that. In fact, that is the thing that is making it fail .. but I digress.	2024-03-28 14:42:08 -04:00
Jeff Bradberry	1559c21033	Change awx.awx.application to output the OAuth2 client secret if one was generated.	2024-03-28 10:17:46 -04:00
PabloHiro	d9b81731e9	Fix: broken reference to API url	2024-03-27 20:37:53 +01:00
Adam Miller	2034cca3a9	update playbooks to use fqcn Signed-off-by: Adam Miller <admiller@redhat.com>	2024-03-27 15:13:43 -04:00
Chris Meyers	0b5e59d9cb	Fix websocket relay. Set autocommit so conn.notifies() does not blocks forever (#15043 ) Without autocommit conn.notifies() blocks forever	2024-03-27 15:11:17 -04:00
Alan Rominger	f48b2d1ae5	Add resource and ansible_id to serializers (#15020 )	2024-03-26 22:37:15 -04:00