Allow deleting org of a running workflow job (#15374)

Old RBAC system hits DOESNOTEXIST query errors
if a user deletes an org while a workflow job is active.

The error is triggered by
1. starting workflow job
2. delete the org that the workflow job is a part of
3. The workflow changes status (e.g. pending to waiting)

This error message would surface
awx.main.models.rbac.Role.DoesNotExist: Role matching
query does not exist.

The fix is wrap the query in a try catch, and skip
over some logic if the roles don't exist.

---------

Signed-off-by: Seth Foster <fosterbseth@gmail.com>

.github/actions/awx_devel_image/action.yml

@@ -24,7 +24,7 @@ runs:
 
     - name: Pre-pull latest devel image to warm cache
       shell: bash
-      run: docker pull ghcr.io/${OWNER_LC}/awx_devel:${{ github.base_ref }}
+      run: docker pull -q ghcr.io/${OWNER_LC}/awx_devel:${{ github.base_ref }}
 
     - name: Build image for current source checkout
       shell: bash

.github/workflows/dab-release.yml

@@ -0,0 +1,48 @@
+---
+name: django-ansible-base requirements update
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: '0 6 * * *' # once an day @ 6 AM
+permissions:
+  pull-requests: write
+  contents: write
+jobs:
+  dab-pin-newest:
+    runs-on: ubuntu-latest
+    steps:
+      - id: dab-release
+        name: Get current django-ansible-base release version
+        uses: pozetroninc/github-action-get-latest-release@2a61c339ea7ef0a336d1daa35ef0cb1418e7676c # v0.8.0
+        with:
+          owner: ansible
+          repo: django-ansible-base
+          excludes: prerelease, draft
+
+      - name: Check out respository code
+        uses: actions/checkout@v4
+
+      - id: dab-pinned
+        name: Get current django-ansible-base pinned version
+        run:
+          echo "version=$(requirements/django-ansible-base-pinned-version.sh)" >> "$GITHUB_OUTPUT"
+
+      - name: Update django-ansible-base pinned version to upstream release
+        run:
+          requirements/django-ansible-base-pinned-version.sh -s ${{ steps.dab-release.outputs.release }}
+
+      - name: Create Pull Request
+        uses: peter-evans/create-pull-request@c5a7806660adbe173f04e3e038b0ccdcd758773c # v6
+        with:
+          base: devel
+          branch: bump-django-ansible-base
+          title: Bump django-ansible-base to ${{ steps.dab-release.outputs.release }}
+          body: |
+            Automated .github/workflows/dab-release.yml
+
+            django-ansible-base upstream released version == ${{ steps.dab-release.outputs.release }}
+            requirements_git.txt django-ansible-base pinned version ==  ${{ steps.dab-pinned.outputs.version }}
+          commit-message: |
+            Update django-ansible-base version to ${{ steps.dab-pinned.outputs.version }}
+          add-paths:
+            requirements/requirements_git.txt

.github/workflows/devel_images.yml

@@ -2,6 +2,7 @@
 name: Build/Push Development Images
 env:
   LC_ALL: "C.UTF-8" # prevent ERROR: Ansible could not initialize the preferred locale: unsupported locale setting
+  DOCKER_CACHE: "--no-cache" # using the cache will not rebuild git requirements and other things
 on:
   workflow_dispatch:
   push:
@@ -59,16 +60,26 @@ jobs:
         run: |
           echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin
 
-      - name: Setup node and npm
+      - name: Setup node and npm for old UI build
         uses: actions/setup-node@v2
         with:
-          node-version: '16.13.1'
+          node-version: '16'
         if: matrix.build-targets.image-name == 'awx'
 
-      - name: Prebuild UI for awx image (to speed up build process)
+      - name: Prebuild old-UI for awx image (to speed up build process)
         run: |
           sudo apt-get install gettext
           make ui-release
+        if: matrix.build-targets.image-name == 'awx'
+
+      - name: Setup node and npm for the new UI build
+        uses: actions/setup-node@v2
+        with:
+          node-version: '18'
+        if: matrix.build-targets.image-name == 'awx'
+
+      - name: Prebuild new UI for awx image (to speed up build process)
+        run: |
           make ui-next
         if: matrix.build-targets.image-name == 'awx'
 

.github/workflows/stage.yml

@@ -136,9 +136,9 @@ jobs:
       - name: Pulling images for test deployment with awx-operator
         # awx operator molecue test expect to kind load image and buildx exports image to registry and not local
         run: |
-          docker pull ${AWX_OPERATOR_TEST_IMAGE}
-          docker pull ${AWX_EE_TEST_IMAGE}
-          docker pull ${AWX_TEST_IMAGE}:${AWX_TEST_VERSION}
+          docker pull -q ${AWX_OPERATOR_TEST_IMAGE}
+          docker pull -q ${AWX_EE_TEST_IMAGE}
+          docker pull -q ${AWX_TEST_IMAGE}:${AWX_TEST_VERSION}
 
       - name: Run test deployment with awx-operator
         working-directory: awx-operator

.github/workflows/upload_schema.yml

@@ -34,7 +34,7 @@ jobs:
 
       - name: Pre-pull image to warm build cache
         run: |
-          docker pull ghcr.io/${{ github.repository_owner }}/awx_devel:${GITHUB_REF##*/} || :
+          docker pull -q ghcr.io/${{ github.repository_owner }}/awx_devel:${GITHUB_REF##*/} || :
 
       - name: Build image
         run: |

Makefile

@@ -63,6 +63,8 @@ DEV_DOCKER_OWNER ?= ansible
 DEV_DOCKER_OWNER_LOWER = $(shell echo $(DEV_DOCKER_OWNER) | tr A-Z a-z)
 DEV_DOCKER_TAG_BASE ?= ghcr.io/$(DEV_DOCKER_OWNER_LOWER)
 DEVEL_IMAGE_NAME ?= $(DEV_DOCKER_TAG_BASE)/awx_devel:$(COMPOSE_TAG)
+IMAGE_KUBE_DEV=$(DEV_DOCKER_TAG_BASE)/awx_kube_devel:$(COMPOSE_TAG)
+IMAGE_KUBE=$(DEV_DOCKER_TAG_BASE)/awx:$(COMPOSE_TAG)
 
 # Common command to use for running ansible-playbook
 ANSIBLE_PLAYBOOK ?= ansible-playbook -e ansible_python_interpreter=$(PYTHON)
@@ -89,6 +91,18 @@ I18N_FLAG_FILE = .i18n_built
 ## PLATFORMS defines the target platforms for  the manager image be build to provide support to multiple
 PLATFORMS ?= linux/amd64,linux/arm64  # linux/ppc64le,linux/s390x
 
+# Set up cache variables for image builds, allowing to control whether cache is used or not, ex:
+# DOCKER_CACHE=--no-cache make docker-compose-build
+ifeq ($(DOCKER_CACHE),)
+ DOCKER_DEVEL_CACHE_FLAG=--cache-from=$(DEVEL_IMAGE_NAME)
+ DOCKER_KUBE_DEV_CACHE_FLAG=--cache-from=$(IMAGE_KUBE_DEV)
+ DOCKER_KUBE_CACHE_FLAG=--cache-from=$(IMAGE_KUBE)
+else
+ DOCKER_DEVEL_CACHE_FLAG=$(DOCKER_CACHE)
+ DOCKER_KUBE_DEV_CACHE_FLAG=$(DOCKER_CACHE)
+ DOCKER_KUBE_CACHE_FLAG=$(DOCKER_CACHE)
+endif
+
 .PHONY: awx-link clean clean-tmp clean-venv requirements requirements_dev \
 	develop refresh adduser migrate dbchange \
 	receiver test test_unit test_coverage coverage_html \
@@ -606,8 +620,7 @@ docker-compose-build: Dockerfile.dev
 		-f Dockerfile.dev \
 		-t $(DEVEL_IMAGE_NAME) \
 		--build-arg BUILDKIT_INLINE_CACHE=1 \
-		--cache-from=$(DEV_DOCKER_TAG_BASE)/awx_devel:$(COMPOSE_TAG) .
-
+		$(DOCKER_DEVEL_CACHE_FLAG) .
 
 .PHONY: docker-compose-buildx
 ## Build awx_devel image for docker compose development environment for multiple architectures
@@ -617,7 +630,7 @@ docker-compose-buildx: Dockerfile.dev
 	- docker buildx build \
 		--push \
 		--build-arg BUILDKIT_INLINE_CACHE=1 \
-		--cache-from=$(DEV_DOCKER_TAG_BASE)/awx_devel:$(COMPOSE_TAG) \
+		$(DOCKER_DEVEL_CACHE_FLAG) \
 		--platform=$(PLATFORMS) \
 		--tag $(DEVEL_IMAGE_NAME) \
 		-f Dockerfile.dev .
@@ -680,7 +693,8 @@ awx-kube-build: Dockerfile
 		--build-arg VERSION=$(VERSION) \
 		--build-arg SETUPTOOLS_SCM_PRETEND_VERSION=$(VERSION) \
 		--build-arg HEADLESS=$(HEADLESS) \
-		-t $(DEV_DOCKER_TAG_BASE)/awx:$(COMPOSE_TAG) .
+		$(DOCKER_KUBE_CACHE_FLAG) \
+		-t $(IMAGE_KUBE) .
 
 ## Build multi-arch awx image for deployment on Kubernetes environment.
 awx-kube-buildx: Dockerfile
@@ -692,7 +706,8 @@ awx-kube-buildx: Dockerfile
 		--build-arg SETUPTOOLS_SCM_PRETEND_VERSION=$(VERSION) \
 		--build-arg HEADLESS=$(HEADLESS) \
 		--platform=$(PLATFORMS) \
-		--tag $(DEV_DOCKER_TAG_BASE)/awx:$(COMPOSE_TAG) \
+		$(DOCKER_KUBE_CACHE_FLAG) \
+		--tag $(IMAGE_KUBE) \
 		-f Dockerfile .
 	- docker buildx rm awx-kube-buildx
 
@@ -710,8 +725,8 @@ Dockerfile.kube-dev: tools/ansible/roles/dockerfile/templates/Dockerfile.j2
 awx-kube-dev-build: Dockerfile.kube-dev
 	DOCKER_BUILDKIT=1 docker build -f Dockerfile.kube-dev \
 	    --build-arg BUILDKIT_INLINE_CACHE=1 \
-	    --cache-from=$(DEV_DOCKER_TAG_BASE)/awx_kube_devel:$(COMPOSE_TAG) \
-	    -t $(DEV_DOCKER_TAG_BASE)/awx_kube_devel:$(COMPOSE_TAG) .
+	     $(DOCKER_KUBE_DEV_CACHE_FLAG) \
+	    -t $(IMAGE_KUBE_DEV) .
 
 ## Build and push multi-arch awx_kube_devel image for development on local Kubernetes environment.
 awx-kube-dev-buildx: Dockerfile.kube-dev
@@ -720,14 +735,14 @@ awx-kube-dev-buildx: Dockerfile.kube-dev
 	- docker buildx build \
 		--push \
 		--build-arg BUILDKIT_INLINE_CACHE=1 \
-		--cache-from=$(DEV_DOCKER_TAG_BASE)/awx_kube_devel:$(COMPOSE_TAG) \
+		$(DOCKER_KUBE_DEV_CACHE_FLAG) \
 		--platform=$(PLATFORMS) \
-		--tag $(DEV_DOCKER_TAG_BASE)/awx_kube_devel:$(COMPOSE_TAG) \
+		--tag $(IMAGE_KUBE_DEV) \
 		-f Dockerfile.kube-dev .
 	- docker buildx rm awx-kube-dev-buildx
 
 kind-dev-load: awx-kube-dev-build
-	$(KIND_BIN) load docker-image $(DEV_DOCKER_TAG_BASE)/awx_kube_devel:$(COMPOSE_TAG)
+	$(KIND_BIN) load docker-image $(IMAGE_KUBE_DEV)
 
 # Translation TASKS
 # --------------------------------------

awx/api/generics.py

@@ -227,7 +227,10 @@ class APIView(views.APIView):
             if type(response.data) is dict:
                 msg_data['error'] = response.data.get('error', response.status_text)
             elif type(response.data) is list:
-                msg_data['error'] = ", ".join(list(map(lambda x: x.get('error', response.status_text), response.data)))
+                if len(response.data) > 0 and isinstance(response.data[0], str):
+                    msg_data['error'] = str(response.data[0])
+                else:
+                    msg_data['error'] = ", ".join(list(map(lambda x: x.get('error', response.status_text), response.data)))
             else:
                 msg_data['error'] = response.status_text
 

awx/api/views/__init__.py

@@ -2392,6 +2392,14 @@ class JobTemplateList(ListCreateAPIView):
     serializer_class = serializers.JobTemplateSerializer
     always_allow_superuser = False
 
+    def check_permissions(self, request):
+        if request.method == 'POST':
+            can_access, messages = request.user.can_access_with_errors(self.model, 'add', request.data)
+            if not can_access:
+                self.permission_denied(request, message=messages)
+
+        super(JobTemplateList, self).check_permissions(request)
+
 
 class JobTemplateDetail(RelatedJobsPreventDeleteMixin, RetrieveUpdateDestroyAPIView):
     model = models.JobTemplate
@@ -3111,6 +3119,14 @@ class WorkflowJobTemplateList(ListCreateAPIView):
     serializer_class = serializers.WorkflowJobTemplateSerializer
     always_allow_superuser = False
 
+    def check_permissions(self, request):
+        if request.method == 'POST':
+            can_access, messages = request.user.can_access_with_errors(self.model, 'add', request.data)
+            if not can_access:
+                self.permission_denied(request, message=messages)
+
+        super(WorkflowJobTemplateList, self).check_permissions(request)
+
 
 class WorkflowJobTemplateDetail(RelatedJobsPreventDeleteMixin, RetrieveUpdateDestroyAPIView):
     model = models.WorkflowJobTemplate

awx/main/access.py

@@ -1387,12 +1387,11 @@ class TeamAccess(BaseAccess):
 class ExecutionEnvironmentAccess(BaseAccess):
     """
     I can see an execution environment when:
-     - I'm a superuser
-     - I'm a member of the same organization
-     - it is a global ExecutionEnvironment
+     - I can see its organization
+     - It is a global ExecutionEnvironment
     I can create/change an execution environment when:
      - I'm a superuser
-     - I'm an admin for the organization(s)
+     - I have an organization or object role that gives access
     """
 
     model = ExecutionEnvironment
@@ -1416,15 +1415,11 @@ class ExecutionEnvironmentAccess(BaseAccess):
             raise PermissionDenied
         if settings.ANSIBLE_BASE_ROLE_SYSTEM_ACTIVATED:
             if not self.user.has_obj_perm(obj, 'change'):
-                raise PermissionDenied
+                return False
         else:
             if self.user not in obj.organization.execution_environment_admin_role:
                 raise PermissionDenied
-        if data and 'organization' in data:
-            new_org = get_object_from_data('organization', Organization, data, obj=obj)
-            if not new_org or self.user not in new_org.execution_environment_admin_role:
-                return False
-        return self.check_related('organization', Organization, data, obj=obj, mandatory=True, role_field='execution_environment_admin_role')
+        return self.check_related('organization', Organization, data, obj=obj, role_field='execution_environment_admin_role')
 
     def can_delete(self, obj):
         if obj.managed:
@@ -1596,6 +1591,8 @@ class JobTemplateAccess(NotificationAttachMixin, UnifiedCredentialsMixin, BaseAc
         inventory = get_value(Inventory, 'inventory')
         if inventory:
             if self.user not in inventory.use_role:
+                if self.save_messages:
+                    self.messages['inventory'] = [_('You do not have use permission on Inventory')]
                 return False
 
         if not self.check_related('execution_environment', ExecutionEnvironment, data, role_field='read_role'):
@@ -1604,11 +1601,16 @@ class JobTemplateAccess(NotificationAttachMixin, UnifiedCredentialsMixin, BaseAc
         project = get_value(Project, 'project')
         # If the user has admin access to the project (as an org admin), should
         # be able to proceed without additional checks.
-        if project:
-            return self.user in project.use_role
-        else:
+        if not project:
             return False
 
+        if self.user not in project.use_role:
+            if self.save_messages:
+                self.messages['project'] = [_('You do not have use permission on Project')]
+            return False
+
+        return True
+
     @check_superuser
     def can_copy_related(self, obj):
         """
@@ -2092,11 +2094,23 @@ class WorkflowJobTemplateAccess(NotificationAttachMixin, BaseAccess):
         if not data:  # So the browseable API will work
             return Organization.accessible_objects(self.user, 'workflow_admin_role').exists()
 
-        return bool(
-            self.check_related('organization', Organization, data, role_field='workflow_admin_role', mandatory=True)
-            and self.check_related('inventory', Inventory, data, role_field='use_role')
-            and self.check_related('execution_environment', ExecutionEnvironment, data, role_field='read_role')
-        )
+        if not self.check_related('organization', Organization, data, role_field='workflow_admin_role', mandatory=True):
+            if data.get('organization', None) is None:
+                if self.save_messages:
+                    self.messages['organization'] = [_('An organization is required to create a workflow job template for normal user')]
+            return False
+
+        if not self.check_related('inventory', Inventory, data, role_field='use_role'):
+            if self.save_messages:
+                self.messages['inventory'] = [_('You do not have use_role to the inventory')]
+            return False
+
+        if not self.check_related('execution_environment', ExecutionEnvironment, data, role_field='read_role'):
+            if self.save_messages:
+                self.messages['execution_environment'] = [_('You do not have read_role to the execution environment')]
+            return False
+
+        return True
 
     def can_copy(self, obj):
         if self.save_messages:

awx/main/dispatch/__init__.py

@@ -102,7 +102,8 @@ def create_listener_connection():
 
     # Apply overrides specifically for the listener connection
     for k, v in settings.LISTENER_DATABASES.get('default', {}).items():
-        conf[k] = v
+        if k != 'OPTIONS':
+            conf[k] = v
     for k, v in settings.LISTENER_DATABASES.get('default', {}).get('OPTIONS', {}).items():
         conf['OPTIONS'][k] = v
 

awx/main/migrations/0195_EE_permissions.py

@@ -0,0 +1,26 @@
+# Generated by Django 4.2.6 on 2024-06-20 15:55
+
+from django.db import migrations
+
+
+def delete_execution_environment_read_role(apps, schema_editor):
+    permission_classes = [apps.get_model('auth', 'Permission'), apps.get_model('dab_rbac', 'DABPermission')]
+    for permission_cls in permission_classes:
+        ee_read_perm = permission_cls.objects.filter(codename='view_executionenvironment').first()
+        if ee_read_perm:
+            ee_read_perm.delete()
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('main', '0194_alter_inventorysource_source_and_more'),
+    ]
+
+    operations = [
+        migrations.AlterModelOptions(
+            name='executionenvironment',
+            options={'default_permissions': ('add', 'change', 'delete'), 'ordering': ('-created',)},
+        ),
+        migrations.RunPython(delete_execution_environment_read_role, migrations.RunPython.noop),
+    ]

awx/main/migrations/_dab_rbac.py

@@ -134,8 +134,7 @@ def get_permissions_for_role(role_field, children_map, apps):
 
     # more special cases for those same above special org-level roles
     if role_field.name == 'auditor_role':
-        for codename in ('view_notificationtemplate', 'view_executionenvironment'):
-            perm_list.append(Permission.objects.get(codename=codename))
+        perm_list.append(Permission.objects.get(codename='view_notificationtemplate'))
 
     return perm_list
 
@@ -292,12 +291,13 @@ def setup_managed_role_definitions(apps, schema_editor):
     org_perms = set()
     for cls in permission_registry.all_registered_models:
         ct = ContentType.objects.get_for_model(cls)
+        cls_name = cls._meta.model_name
         object_perms = set(Permission.objects.filter(content_type=ct))
         # Special case for InstanceGroup which has an organiation field, but is not an organization child object
-        if cls._meta.model_name != 'instancegroup':
+        if cls_name != 'instancegroup':
             org_perms.update(object_perms)
 
-        if 'object_admin' in to_create and cls != Organization:
+        if 'object_admin' in to_create and cls_name != 'organization':
             indiv_perms = object_perms.copy()
             add_perms = [perm for perm in indiv_perms if perm.codename.startswith('add_')]
             if add_perms:
@@ -310,7 +310,7 @@ def setup_managed_role_definitions(apps, schema_editor):
                 )
             )
 
-        if 'org_children' in to_create and cls != Organization:
+        if 'org_children' in to_create and (cls_name not in ('organization', 'instancegroup', 'team')):
             org_child_perms = object_perms.copy()
             org_child_perms.add(Permission.objects.get(codename='view_organization'))
 
@@ -327,17 +327,25 @@ def setup_managed_role_definitions(apps, schema_editor):
         if 'special' in to_create:
             special_perms = []
             for perm in object_perms:
-                if perm.codename.split('_')[0] not in ('add', 'change', 'update', 'delete', 'view'):
+                # Organization auditor is handled separately
+                if perm.codename.split('_')[0] not in ('add', 'change', 'delete', 'view', 'audit'):
                     special_perms.append(perm)
             for perm in special_perms:
                 action = perm.codename.split('_')[0]
                 view_perm = Permission.objects.get(content_type=ct, codename__startswith='view_')
+                perm_list = [perm, view_perm]
+                # Handle special-case where adhoc role also listed use permission
+                if action == 'adhoc':
+                    for other_perm in object_perms:
+                        if other_perm.codename == 'use_inventory':
+                            perm_list.append(other_perm)
+                            break
                 managed_role_definitions.append(
                     get_or_create_managed(
                         to_create['special'].format(cls=cls, action=action.title()),
                         f'Has {action} permissions to a single {cls._meta.verbose_name}',
                         ct,
-                        [perm, view_perm],
+                        perm_list,
                         RoleDefinition,
                     )
                 )
@@ -353,6 +361,41 @@ def setup_managed_role_definitions(apps, schema_editor):
             )
         )
 
+    # Special "organization action" roles
+    audit_permissions = [perm for perm in org_perms if perm.codename.startswith('view_')]
+    audit_permissions.append(Permission.objects.get(codename='audit_organization'))
+    managed_role_definitions.append(
+        get_or_create_managed(
+            'Organization Audit',
+            'Has permission to view all objects inside of a single organization',
+            org_ct,
+            audit_permissions,
+            RoleDefinition,
+        )
+    )
+
+    org_execute_permissions = {'view_jobtemplate', 'execute_jobtemplate', 'view_workflowjobtemplate', 'execute_workflowjobtemplate', 'view_organization'}
+    managed_role_definitions.append(
+        get_or_create_managed(
+            'Organization Execute',
+            'Has permission to execute all runnable objects in the organization',
+            org_ct,
+            [perm for perm in org_perms if perm.codename in org_execute_permissions],
+            RoleDefinition,
+        )
+    )
+
+    org_approval_permissions = {'view_organization', 'view_workflowjobtemplate', 'approve_workflowjobtemplate'}
+    managed_role_definitions.append(
+        get_or_create_managed(
+            'Organization Approval',
+            'Has permission to approve any workflow steps within a single organization',
+            org_ct,
+            [perm for perm in org_perms if perm.codename in org_approval_permissions],
+            RoleDefinition,
+        )
+    )
+
     unexpected_role_definitions = RoleDefinition.objects.filter(managed=True).exclude(pk__in=[rd.pk for rd in managed_role_definitions])
     for role_definition in unexpected_role_definitions:
         logger.info(f'Deleting old managed role definition {role_definition.name}, pk={role_definition.pk}')

awx/main/models/__init__.py

@@ -176,17 +176,17 @@ pre_delete.connect(cleanup_created_modified_by, sender=User)
 
 @property
 def user_get_organizations(user):
-    return Organization.objects.filter(member_role__members=user)
+    return Organization.access_qs(user, 'member')
 
 
 @property
 def user_get_admin_of_organizations(user):
-    return Organization.objects.filter(admin_role__members=user)
+    return Organization.access_qs(user, 'change')
 
 
 @property
 def user_get_auditor_of_organizations(user):
-    return Organization.objects.filter(auditor_role__members=user)
+    return Organization.access_qs(user, 'audit')
 
 
 @property

awx/main/models/credential/__init__.py

@@ -21,6 +21,10 @@ from django.conf import settings
 from django.utils.encoding import force_str
 from django.utils.functional import cached_property
 from django.utils.timezone import now
+from django.contrib.auth.models import User
+
+# DRF
+from rest_framework.serializers import ValidationError as DRFValidationError
 
 # AWX
 from awx.api.versioning import reverse
@@ -41,6 +45,7 @@ from awx.main.models.rbac import (
     ROLE_SINGLETON_SYSTEM_ADMINISTRATOR,
     ROLE_SINGLETON_SYSTEM_AUDITOR,
 )
+from awx.main.models import Team, Organization
 from awx.main.utils import encrypt_field
 from . import injectors as builtin_injectors
 
@@ -315,6 +320,16 @@ class Credential(PasswordFieldsModel, CommonModelNameNotUnique, ResourceMixin):
         else:
             raise ValueError('{} is not a dynamic input field'.format(field_name))
 
+    def validate_role_assignment(self, actor, role_definition):
+        if self.organization:
+            if isinstance(actor, User):
+                if actor.is_superuser or Organization.access_qs(actor, 'member').filter(id=self.organization.id).exists():
+                    return
+            if isinstance(actor, Team):
+                if actor.organization == self.organization:
+                    return
+            raise DRFValidationError({'detail': _(f"You cannot grant credential access to a {actor._meta.object_name} not in the credentials' organization")})
+
 
 class CredentialType(CommonModelNameNotUnique):
     """

awx/main/models/execution_environments.py

@@ -1,6 +1,8 @@
 from django.db import models
 from django.utils.translation import gettext_lazy as _
 
+from rest_framework.exceptions import ValidationError
+
 from awx.api.versioning import reverse
 from awx.main.models.base import CommonModel
 from awx.main.validators import validate_container_image_name
@@ -12,6 +14,8 @@ __all__ = ['ExecutionEnvironment']
 class ExecutionEnvironment(CommonModel):
     class Meta:
         ordering = ('-created',)
+        # Remove view permission, as a temporary solution, defer to organization read permission
+        default_permissions = ('add', 'change', 'delete')
 
     PULL_CHOICES = [
         ('always', _("Always pull container before running.")),
@@ -53,3 +57,16 @@ class ExecutionEnvironment(CommonModel):
 
     def get_absolute_url(self, request=None):
         return reverse('api:execution_environment_detail', kwargs={'pk': self.pk}, request=request)
+
+    def validate_role_assignment(self, actor, role_definition):
+        if self.managed:
+            raise ValidationError({'object_id': _('Can not assign object roles to managed Execution Environments')})
+        if self.organization_id is None:
+            raise ValidationError({'object_id': _('Can not assign object roles to global Execution Environments')})
+
+        if actor._meta.model_name == 'user' and (not actor.has_obj_perm(self.organization, 'view')):
+            raise ValidationError({'user': _('User must have view permission to Execution Environment organization')})
+        if actor._meta.model_name == 'team':
+            organization_cls = self._meta.get_field('organization').related_model
+            if self.organization not in organization_cls.access_qs(actor, 'view'):
+                raise ValidationError({'team': _('Team must have view permission to Execution Environment organization')})

awx/main/models/rbac.py

@@ -591,14 +591,20 @@ def get_role_from_object_role(object_role):
         role_name = role_name.lower()
         model_cls = apps.get_model('main', target_model_name)
         target_model_name = get_type_for_model(model_cls)
+
+        # exception cases completely specific to one model naming convention
         if target_model_name == 'notification_template':
-            target_model_name = 'notification'  # total exception
+            target_model_name = 'notification'
+        elif target_model_name == 'workflow_job_template':
+            target_model_name = 'workflow'
+
         role_name = f'{target_model_name}_admin_role'
     elif rd.name.endswith(' Admin'):
         # cases like "project-admin"
         role_name = 'admin_role'
+    elif rd.name == 'Organization Audit':
+        role_name = 'auditor_role'
     else:
-        print(rd.name)
         model_name, role_name = rd.name.split()
         role_name = role_name.lower()
         role_name += '_role'
@@ -683,9 +689,15 @@ def sync_parents_to_new_rbac(instance, action, model, pk_set, reverse, **kwargs)
 
     for role_id in pk_set:
         if reverse:
-            child_role = Role.objects.get(id=role_id)
+            try:
+                child_role = Role.objects.get(id=role_id)
+            except Role.DoesNotExist:
+                continue
         else:
-            parent_role = Role.objects.get(id=role_id)
+            try:
+                parent_role = Role.objects.get(id=role_id)
+            except Role.DoesNotExist:
+                continue
 
         # To a fault, we want to avoid running this if triggered from implicit_parents management
         # we only want to do anything if we know for sure this is a non-implicit team role

awx/main/models/unified_jobs.py

@@ -31,6 +31,7 @@ from rest_framework.exceptions import ParseError
 from polymorphic.models import PolymorphicModel
 
 from ansible_base.lib.utils.models import prevent_search, get_type_for_model
+from ansible_base.rbac import permission_registry
 
 # AWX
 from awx.main.models.base import CommonModelNameNotUnique, PasswordFieldsModel, NotificationFieldsModel
@@ -197,9 +198,7 @@ class UnifiedJobTemplate(PolymorphicModel, CommonModelNameNotUnique, ExecutionEn
 
     @classmethod
     def _submodels_with_roles(cls):
-        ujt_classes = [c for c in cls.__subclasses__() if c._meta.model_name not in ['inventorysource', 'systemjobtemplate']]
-        ct_dict = ContentType.objects.get_for_models(*ujt_classes)
-        return [ct.id for ct in ct_dict.values()]
+        return [c for c in cls.__subclasses__() if permission_registry.is_registered(c)]
 
     @classmethod
     def accessible_pk_qs(cls, accessor, role_field):
@@ -215,8 +214,16 @@ class UnifiedJobTemplate(PolymorphicModel, CommonModelNameNotUnique, ExecutionEn
 
         action = to_permissions[role_field]
 
+        # Special condition for super auditor
+        role_subclasses = cls._submodels_with_roles()
+        role_cts = ContentType.objects.get_for_models(*role_subclasses).values()
+        all_codenames = {f'{action}_{cls._meta.model_name}' for cls in role_subclasses}
+        if not (all_codenames - accessor.singleton_permissions()):
+            qs = cls.objects.filter(polymorphic_ctype__in=role_cts)
+            return qs.values_list('id', flat=True)
+
         return (
-            RoleEvaluation.objects.filter(role__in=accessor.has_roles.all(), codename__startswith=action, content_type_id__in=cls._submodels_with_roles())
+            RoleEvaluation.objects.filter(role__in=accessor.has_roles.all(), codename__in=all_codenames, content_type_id__in=[ct.id for ct in role_cts])
             .values_list('object_id')
             .distinct()
         )

awx/main/scheduler/task_manager.py

@@ -138,7 +138,8 @@ class TaskBase:
 
         # Lock
         with task_manager_bulk_reschedule():
-            with advisory_lock(f"{self.prefix}_lock", wait=False) as acquired:
+            lock_session_timeout_milliseconds = settings.TASK_MANAGER_LOCK_TIMEOUT * 1000  # convert to milliseconds
+            with advisory_lock(f"{self.prefix}_lock", lock_session_timeout_milliseconds=lock_session_timeout_milliseconds, wait=False) as acquired:
                 with transaction.atomic():
                     if acquired is False:
                         logger.debug(f"Not running {self.prefix} scheduler, another task holds lock")

awx/main/tasks/system.py

@@ -715,7 +715,8 @@ def awx_k8s_reaper():
 
 @task(queue=get_task_queuename)
 def awx_periodic_scheduler():
-    with advisory_lock('awx_periodic_scheduler_lock', wait=False) as acquired:
+    lock_session_timeout_milliseconds = settings.TASK_MANAGER_LOCK_TIMEOUT * 1000
+    with advisory_lock('awx_periodic_scheduler_lock', lock_session_timeout_milliseconds=lock_session_timeout_milliseconds, wait=False) as acquired:
         if acquired is False:
             logger.debug("Not running periodic scheduler, another task holds lock")
             return
@@ -979,5 +980,15 @@ def periodic_resource_sync():
         if acquired is False:
             logger.debug("Not running periodic_resource_sync, another task holds lock")
             return
+        logger.debug("Running periodic resource sync")
 
-        SyncExecutor().run()
+        executor = SyncExecutor()
+        executor.run()
+        for key, item_list in executor.results.items():
+            if not item_list or key == 'noop':
+                continue
+            # Log creations and conflicts
+            if len(item_list) > 10 and settings.LOG_AGGREGATOR_LEVEL != 'DEBUG':
+                logger.info(f'Periodic resource sync {key}, first 10 items:\n{item_list[:10]}')
+            else:
+                logger.info(f'Periodic resource sync {key}:\n{item_list}')

awx/main/tests/functional/conftest.py

@@ -92,6 +92,11 @@ def deploy_jobtemplate(project, inventory, credential):
     return jt
 
 
+@pytest.fixture()
+def execution_environment():
+    return ExecutionEnvironment.objects.create(name="test-ee", description="test-ee", managed=True)
+
+
 @pytest.fixture
 def setup_managed_roles():
     "Run the migration script to pre-create managed role definitions"

awx/main/tests/functional/dab_rbac/test_access_list.py

@@ -109,3 +109,17 @@ def test_team_indirect_access(get, team, admin_user, inventory):
     assert len(by_username['u1']['summary_fields']['indirect_access']) == 0
     access_entry = by_username['u1']['summary_fields']['direct_access'][0]
     assert sorted(access_entry['descendant_roles']) == sorted(['adhoc_role', 'use_role', 'update_role', 'read_role', 'admin_role'])
+
+
+@pytest.mark.django_db
+def test_workflow_access_list(workflow_job_template, alice, bob, setup_managed_roles, get, admin_user):
+    """Basic verification that WFJT access_list is functional"""
+    workflow_job_template.admin_role.members.add(alice)
+    workflow_job_template.organization.workflow_admin_role.members.add(bob)
+
+    url = reverse('api:workflow_job_template_access_list', kwargs={'pk': workflow_job_template.pk})
+    for u in (alice, bob, admin_user):
+        response = get(url, user=u, expect=200)
+        user_ids = [item['id'] for item in response.data['results']]
+        assert alice.pk in user_ids
+        assert bob.pk in user_ids

awx/main/tests/functional/dab_rbac/test_access_regressions.py

@@ -21,3 +21,21 @@ def test_notification_template_object_role_change(rando, notification_template,
     rd.give_permission(rando, notification_template)
     access = NotificationTemplateAccess(rando)
     assert access.can_change(notification_template, {'name': 'new name'})
+
+
+@pytest.mark.django_db
+def test_organization_auditor_role(rando, setup_managed_roles, organization, inventory, project, jt_linked):
+    obj_list = (inventory, project, jt_linked)
+    for obj in obj_list:
+        assert obj.organization == organization, obj  # sanity
+
+    assert [rando.has_obj_perm(obj, 'view') for obj in obj_list] == [False for i in range(3)], obj_list
+
+    rd = RoleDefinition.objects.get(name='Organization Audit')
+    rd.give_permission(rando, organization)
+
+    codename_set = set(rd.permissions.values_list('codename', flat=True))
+    assert not ({'view_inventory', 'view_jobtemplate', 'audit_organization'} - codename_set)  # sanity
+
+    assert [obj in type(obj).access_qs(rando) for obj in obj_list] == [True for i in range(3)], obj_list
+    assert [rando.has_obj_perm(obj, 'view') for obj in obj_list] == [True for i in range(3)], obj_list

awx/main/tests/functional/dab_rbac/test_dab_rbac_api.py

@@ -2,9 +2,11 @@ import pytest
 
 from django.contrib.contenttypes.models import ContentType
 from django.urls import reverse as django_reverse
+from django.test.utils import override_settings
 
 from awx.api.versioning import reverse
 from awx.main.models import JobTemplate, Inventory, Organization
+from awx.main.access import JobTemplateAccess, WorkflowJobTemplateAccess
 
 from ansible_base.rbac.models import RoleDefinition
 
@@ -88,3 +90,63 @@ def test_assign_custom_add_role(admin_user, rando, organization, post, setup_man
     inv_id = r.data['id']
     inventory = Inventory.objects.get(id=inv_id)
     assert rando.has_obj_perm(inventory, 'change')
+
+
+@pytest.mark.django_db
+def test_jt_creation_permissions(setup_managed_roles, inventory, project, rando):
+    """This tests that if you assign someone required permissions in the new API
+    using the managed roles, then that works to give permissions to create a job template"""
+    inv_rd = RoleDefinition.objects.get(name='Inventory Admin')
+    proj_rd = RoleDefinition.objects.get(name='Project Admin')
+    # establish prior state
+    access = JobTemplateAccess(rando)
+    assert not access.can_add({'inventory': inventory.pk, 'project': project.pk, 'name': 'foo-jt'})
+
+    inv_rd.give_permission(rando, inventory)
+    proj_rd.give_permission(rando, project)
+
+    assert access.can_add({'inventory': inventory.pk, 'project': project.pk, 'name': 'foo-jt'})
+
+
+@pytest.mark.django_db
+def test_workflow_creation_permissions(setup_managed_roles, organization, workflow_job_template, rando):
+    """Similar to JT, assigning new roles gives creator permissions"""
+    org_wf_rd = RoleDefinition.objects.get(name='Organization WorkflowJobTemplate Admin')
+    assert workflow_job_template.organization == organization  # sanity
+    # establish prior state
+    access = WorkflowJobTemplateAccess(rando)
+    assert not access.can_add({'name': 'foo-flow', 'organization': organization.pk})
+    org_wf_rd.give_permission(rando, organization)
+
+    assert access.can_add({'name': 'foo-flow', 'organization': organization.pk})
+
+
+@pytest.mark.django_db
+def test_assign_credential_to_user_of_another_org(setup_managed_roles, credential, admin_user, rando, org_admin, organization, post):
+    '''Test that a credential can only be assigned to a user in the same organization'''
+    # cannot assign credential to rando, as rando is not in the same org as the credential
+    rd = RoleDefinition.objects.get(name="Credential Admin")
+    credential.organization = organization
+    credential.save(update_fields=['organization'])
+    assert credential.organization not in Organization.access_qs(rando, 'member')
+    url = django_reverse('roleuserassignment-list')
+    resp = post(url=url, data={"user": rando.id, "role_definition": rd.id, "object_id": credential.id}, user=admin_user, expect=400)
+    assert "You cannot grant credential access to a User not in the credentials' organization" in str(resp.data)
+
+    # can assign credential to superuser
+    rando.is_superuser = True
+    rando.save()
+    post(url=url, data={"user": rando.id, "role_definition": rd.id, "object_id": credential.id}, user=admin_user, expect=201)
+
+    # can assign credential to org_admin
+    assert credential.organization in Organization.access_qs(org_admin, 'member')
+    post(url=url, data={"user": org_admin.id, "role_definition": rd.id, "object_id": credential.id}, user=admin_user, expect=201)
+
+
+@pytest.mark.django_db
+@override_settings(ALLOW_LOCAL_RESOURCE_MANAGEMENT=False)
+def test_team_member_role_not_assignable(team, rando, post, admin_user, setup_managed_roles):
+    member_rd = RoleDefinition.objects.get(name='Organization Member')
+    url = django_reverse('roleuserassignment-list')
+    r = post(url, data={'object_id': team.id, 'role_definition': member_rd.id, 'user': rando.id}, user=admin_user, expect=400)
+    assert 'Not managed locally' in str(r.data)

awx/main/tests/functional/dab_rbac/test_external_auditor.py

@@ -0,0 +1,120 @@
+import pytest
+
+from django.apps import apps
+
+from ansible_base.rbac.managed import SystemAuditor
+from ansible_base.rbac import permission_registry
+
+from awx.main.access import check_user_access, get_user_queryset
+from awx.main.models import User, AdHocCommandEvent
+from awx.api.versioning import reverse
+
+
+@pytest.fixture
+def ext_auditor_rd():
+    info = SystemAuditor(overrides={'name': 'Alien Auditor', 'shortname': 'ext_auditor'})
+    rd, _ = info.get_or_create(apps)
+    return rd
+
+
+@pytest.fixture
+def ext_auditor(ext_auditor_rd):
+    u = User.objects.create(username='external-auditor-user')
+    ext_auditor_rd.give_global_permission(u)
+    return u
+
+
+@pytest.fixture
+def obj_factory(request):
+    def _rf(fixture_name):
+        obj = request.getfixturevalue(fixture_name)
+
+        # special case to make obj organization-scoped
+        if obj._meta.model_name == 'executionenvironment':
+            obj.organization = request.getfixturevalue('organization')
+            obj.save(update_fields=['organization'])
+
+        return obj
+
+    return _rf
+
+
+@pytest.mark.django_db
+def test_access_qs_external_auditor(ext_auditor_rd, rando, job_template):
+    ext_auditor_rd.give_global_permission(rando)
+    jt_cls = apps.get_model('main', 'JobTemplate')
+    ujt_cls = apps.get_model('main', 'UnifiedJobTemplate')
+    assert job_template in jt_cls.access_qs(rando)
+    assert job_template.id in jt_cls.access_ids_qs(rando)
+    assert job_template.id in ujt_cls.accessible_pk_qs(rando, 'read_role')
+
+
+@pytest.mark.django_db
+@pytest.mark.parametrize('model', sorted(permission_registry.all_registered_models, key=lambda cls: cls._meta.model_name))
+class TestExternalAuditorRoleAllModels:
+    def test_access_can_read_method(self, obj_factory, model, ext_auditor, rando):
+        fixture_name = model._meta.verbose_name.replace(' ', '_')
+        obj = obj_factory(fixture_name)
+
+        assert check_user_access(rando, model, 'read', obj) is False
+        assert check_user_access(ext_auditor, model, 'read', obj) is True
+
+    def test_access_get_queryset(self, obj_factory, model, ext_auditor, rando):
+        fixture_name = model._meta.verbose_name.replace(' ', '_')
+        obj = obj_factory(fixture_name)
+
+        assert obj not in get_user_queryset(rando, model)
+        assert obj in get_user_queryset(ext_auditor, model)
+
+    def test_global_list(self, obj_factory, model, ext_auditor, rando, get):
+        fixture_name = model._meta.verbose_name.replace(' ', '_')
+        obj_factory(fixture_name)
+
+        url = reverse(f'api:{fixture_name}_list')
+        r = get(url, user=rando, expect=200)
+        initial_ct = r.data['count']
+
+        r = get(url, user=ext_auditor, expect=200)
+        assert r.data['count'] == initial_ct + 1
+
+        if fixture_name in ('job_template', 'workflow_job_template'):
+            url = reverse('api:unified_job_template_list')
+            r = get(url, user=rando, expect=200)
+            initial_ct = r.data['count']
+
+            r = get(url, user=ext_auditor, expect=200)
+            assert r.data['count'] == initial_ct + 1
+
+    def test_detail_view(self, obj_factory, model, ext_auditor, rando, get):
+        fixture_name = model._meta.verbose_name.replace(' ', '_')
+        obj = obj_factory(fixture_name)
+
+        url = reverse(f'api:{fixture_name}_detail', kwargs={'pk': obj.pk})
+        get(url, user=rando, expect=403)  # NOTE: should be 401
+        get(url, user=ext_auditor, expect=200)
+
+
+@pytest.mark.django_db
+class TestExternalAuditorNonRoleModels:
+    def test_ad_hoc_command_view(self, ad_hoc_command_factory, rando, ext_auditor, get):
+        """The AdHocCommandAccess class references is_system_auditor
+
+        this is to prove it works with other system-level view roles"""
+        ad_hoc_command = ad_hoc_command_factory()
+        url = reverse('api:ad_hoc_command_list')
+        r = get(url, user=rando, expect=200)
+        assert r.data['count'] == 0
+        r = get(url, user=ext_auditor, expect=200)
+        assert r.data['count'] == 1
+        assert r.data['results'][0]['id'] == ad_hoc_command.id
+
+        event = AdHocCommandEvent.objects.create(ad_hoc_command=ad_hoc_command)
+        url = reverse('api:ad_hoc_command_ad_hoc_command_events_list', kwargs={'pk': ad_hoc_command.id})
+        r = get(url, user=rando, expect=403)
+        r = get(url, user=ext_auditor, expect=200)
+        assert r.data['count'] == 1
+
+        url = reverse('api:ad_hoc_command_event_detail', kwargs={'pk': event.id})
+        r = get(url, user=rando, expect=403)
+        r = get(url, user=ext_auditor, expect=200)
+        assert r.data['id'] == event.id

awx/main/tests/functional/dab_rbac/test_managed_roles.py

@@ -0,0 +1,31 @@
+import pytest
+
+from ansible_base.rbac.models import RoleDefinition, DABPermission
+
+
+@pytest.mark.django_db
+def test_roles_to_not_create(setup_managed_roles):
+    assert RoleDefinition.objects.filter(name='Organization Admin').count() == 1
+
+    SHOULD_NOT_EXIST = ('Organization Organization Admin', 'Organization Team Admin', 'Organization InstanceGroup Admin')
+
+    bad_rds = RoleDefinition.objects.filter(name__in=SHOULD_NOT_EXIST)
+    if bad_rds.exists():
+        bad_names = list(bad_rds.values_list('name', flat=True))
+        raise Exception(f'Found RoleDefinitions that should not exist: {bad_names}')
+
+
+@pytest.mark.django_db
+def test_project_update_role(setup_managed_roles):
+    """Role to allow updating a project on the object-level should exist"""
+    assert RoleDefinition.objects.filter(name='Project Update').count() == 1
+
+
+@pytest.mark.django_db
+def test_org_child_add_permission(setup_managed_roles):
+    for model_name in ('Project', 'NotificationTemplate', 'WorkflowJobTemplate', 'Inventory'):
+        rd = RoleDefinition.objects.get(name=f'Organization {model_name} Admin')
+        assert 'add_' in str(rd.permissions.values_list('codename', flat=True)), f'The {rd.name} role definition expected to contain add_ permissions'
+
+    # special case for JobTemplate, anyone can create one with use permission to project/inventory
+    assert not DABPermission.objects.filter(codename='add_jobtemplate').exists()

awx/main/tests/functional/dab_rbac/test_translation_layer.py

@@ -1,4 +1,5 @@
 from unittest import mock
+import json
 
 import pytest
 
@@ -6,17 +7,29 @@ from django.contrib.contenttypes.models import ContentType
 
 from crum import impersonate
 
-from awx.main.models.rbac import get_role_from_object_role, give_creator_permissions
+from awx.main.fields import ImplicitRoleField
+from awx.main.models.rbac import get_role_from_object_role, give_creator_permissions, get_role_codenames, get_role_definition
 from awx.main.models import User, Organization, WorkflowJobTemplate, WorkflowJobTemplateNode, Team
 from awx.api.versioning import reverse
 
 from ansible_base.rbac.models import RoleUserAssignment, RoleDefinition
+from ansible_base.rbac import permission_registry
 
 
 @pytest.mark.django_db
 @pytest.mark.parametrize(
     'role_name',
-    ['execution_environment_admin_role', 'project_admin_role', 'admin_role', 'auditor_role', 'read_role', 'execute_role', 'notification_admin_role'],
+    [
+        'execution_environment_admin_role',
+        'workflow_admin_role',
+        'project_admin_role',
+        'admin_role',
+        'auditor_role',
+        'read_role',
+        'execute_role',
+        'approval_role',
+        'notification_admin_role',
+    ],
 )
 def test_round_trip_roles(organization, rando, role_name, setup_managed_roles):
     """
@@ -26,11 +39,41 @@ def test_round_trip_roles(organization, rando, role_name, setup_managed_roles):
     """
     getattr(organization, role_name).members.add(rando)
     assignment = RoleUserAssignment.objects.get(user=rando)
-    print(assignment.role_definition.name)
     old_role = get_role_from_object_role(assignment.object_role)
     assert old_role.id == getattr(organization, role_name).id
 
 
+@pytest.mark.django_db
+@pytest.mark.parametrize('model', sorted(permission_registry.all_registered_models, key=lambda cls: cls._meta.model_name))
+def test_role_migration_matches(request, model, setup_managed_roles):
+    fixture_name = model._meta.verbose_name.replace(' ', '_')
+    obj = request.getfixturevalue(fixture_name)
+    role_ct = 0
+    for field in obj._meta.get_fields():
+        if isinstance(field, ImplicitRoleField):
+            if field.name == 'read_role':
+                continue  # intentionally left as "Compat" roles
+            role_ct += 1
+            old_role = getattr(obj, field.name)
+            old_codenames = set(get_role_codenames(old_role))
+            rd = get_role_definition(old_role)
+            new_codenames = set(rd.permissions.values_list('codename', flat=True))
+            # all the old roles should map to a non-Compat role definition
+            if 'Compat' not in rd.name:
+                model_rds = RoleDefinition.objects.filter(content_type=ContentType.objects.get_for_model(obj))
+                rd_data = {}
+                for rd in model_rds:
+                    rd_data[rd.name] = list(rd.permissions.values_list('codename', flat=True))
+            assert (
+                'Compat' not in rd.name
+            ), f'Permissions for old vs new roles did not match.\nold {field.name}: {old_codenames}\nnew:\n{json.dumps(rd_data, indent=2)}'
+            assert new_codenames == set(old_codenames)
+
+    # In the old system these models did not have object-level roles, all others expect some model roles
+    if model._meta.model_name not in ('notificationtemplate', 'executionenvironment'):
+        assert role_ct > 0
+
+
 @pytest.mark.django_db
 def test_role_naming(setup_managed_roles):
     qs = RoleDefinition.objects.filter(content_type=ContentType.objects.get(model='jobtemplate'), name__endswith='dmin')
@@ -141,3 +184,11 @@ def test_implicit_parents_no_assignments(organization):
     with mock.patch('awx.main.models.rbac.give_or_remove_permission') as mck:
         Team.objects.create(name='random team', organization=organization)
     mck.assert_not_called()
+
+
+@pytest.mark.django_db
+def test_user_auditor_rel(organization, rando, setup_managed_roles):
+    assert rando not in organization.auditor_role
+    audit_rd = RoleDefinition.objects.get(name='Organization Audit')
+    audit_rd.give_permission(rando, organization)
+    assert list(rando.auditor_of_organizations) == [organization]

awx/main/tests/functional/models/test_unified_job.py

@@ -4,25 +4,19 @@ import pytest
 # CRUM
 from crum import impersonate
 
-# Django
-from django.contrib.contenttypes.models import ContentType
-
 # AWX
-from awx.main.models import UnifiedJobTemplate, Job, JobTemplate, WorkflowJobTemplate, WorkflowApprovalTemplate, Project, WorkflowJob, Schedule, Credential
+from awx.main.models import UnifiedJobTemplate, Job, JobTemplate, WorkflowJobTemplate, Project, WorkflowJob, Schedule, Credential
 from awx.api.versioning import reverse
 from awx.main.constants import JOB_VARIABLE_PREFIXES
 
 
 @pytest.mark.django_db
 def test_subclass_types():
-    assert set(UnifiedJobTemplate._submodels_with_roles()) == set(
-        [
-            ContentType.objects.get_for_model(JobTemplate).id,
-            ContentType.objects.get_for_model(Project).id,
-            ContentType.objects.get_for_model(WorkflowJobTemplate).id,
-            ContentType.objects.get_for_model(WorkflowApprovalTemplate).id,
-        ]
-    )
+    assert set(UnifiedJobTemplate._submodels_with_roles()) == {
+        JobTemplate,
+        Project,
+        WorkflowJobTemplate,
+    }
 
 
 @pytest.mark.django_db

awx/main/tests/functional/test_migrations.py

@@ -85,3 +85,17 @@ class TestMigrationSmoke:
 
         RoleUserAssignment = new_state.apps.get_model('dab_rbac', 'RoleUserAssignment')
         assert RoleUserAssignment.objects.filter(user=user.id, object_id=org.id).exists()
+
+        # Regression testing for bug that comes from current vs past models mismatch
+        RoleDefinition = new_state.apps.get_model('dab_rbac', 'RoleDefinition')
+        assert not RoleDefinition.objects.filter(name='Organization Organization Admin').exists()
+        # Test special cases in managed role creation
+        assert not RoleDefinition.objects.filter(name='Organization Team Admin').exists()
+        assert not RoleDefinition.objects.filter(name='Organization InstanceGroup Admin').exists()
+
+        # Test that a removed EE model permission has been deleted
+        new_state = migrator.apply_tested_migration(
+            ('main', '0195_EE_permissions'),
+        )
+        DABPermission = new_state.apps.get_model('dab_rbac', 'DABPermission')
+        assert not DABPermission.objects.filter(codename='view_executionenvironment').exists()

awx/main/tests/functional/test_rbac_execution_environment.py

@@ -0,0 +1,145 @@
+import pytest
+
+from django.contrib.contenttypes.models import ContentType
+
+from awx.main.access import ExecutionEnvironmentAccess
+from awx.main.models import ExecutionEnvironment, Organization, Team
+from awx.main.models.rbac import get_role_codenames
+
+from awx.api.versioning import reverse
+from django.urls import reverse as django_reverse
+
+from ansible_base.rbac.models import RoleDefinition
+
+
+@pytest.fixture
+def ee_rd():
+    return RoleDefinition.objects.create_from_permissions(
+        name='EE object admin',
+        permissions=['change_executionenvironment', 'delete_executionenvironment'],
+        content_type=ContentType.objects.get_for_model(ExecutionEnvironment),
+    )
+
+
+@pytest.fixture
+def org_ee_rd():
+    return RoleDefinition.objects.create_from_permissions(
+        name='EE org admin',
+        permissions=['add_executionenvironment', 'change_executionenvironment', 'delete_executionenvironment', 'view_organization'],
+        content_type=ContentType.objects.get_for_model(Organization),
+    )
+
+
+@pytest.mark.django_db
+def test_old_ee_role_maps_to_correct_permissions(organization):
+    assert set(get_role_codenames(organization.execution_environment_admin_role)) == {
+        'view_organization',
+        'add_executionenvironment',
+        'change_executionenvironment',
+        'delete_executionenvironment',
+    }
+
+
+@pytest.fixture
+def org_ee(organization):
+    return ExecutionEnvironment.objects.create(name='some user ee', organization=organization)
+
+
+@pytest.fixture
+def check_user_capabilities(get, setup_managed_roles):
+    def _rf(user, obj, expected):
+        url = reverse('api:execution_environment_list')
+        r = get(url, user=user, expect=200)
+        for item in r.data['results']:
+            if item['id'] == obj.pk:
+                assert expected == item['summary_fields']['user_capabilities']
+                break
+        else:
+            raise RuntimeError(f'Could not find expected object ({obj}) in EE list result: {r.data}')
+
+    return _rf
+
+
+# ___ begin tests ___
+
+
+@pytest.mark.django_db
+def test_managed_ee_not_assignable(control_plane_execution_environment, ee_rd, rando, admin_user, post):
+    url = django_reverse('roleuserassignment-list')
+    r = post(url, {'role_definition': ee_rd.pk, 'user': rando.id, 'object_id': control_plane_execution_environment.pk}, user=admin_user, expect=400)
+    assert 'Can not assign object roles to managed Execution Environment' in str(r.data)
+
+
+@pytest.mark.django_db
+def test_org_member_required_for_assignment(org_ee, ee_rd, rando, admin_user, post):
+    url = django_reverse('roleuserassignment-list')
+    r = post(url, {'role_definition': ee_rd.pk, 'user': rando.id, 'object_id': org_ee.pk}, user=admin_user, expect=400)
+    assert 'User must have view permission to Execution Environment organization' in str(r.data)
+
+
+@pytest.mark.django_db
+def test_team_view_permission_required(org_ee, ee_rd, rando, admin_user, post):
+    org2 = Organization.objects.create(name='a different team')
+    team = Team.objects.create(name='a team', organization=org2)
+    team.member_role.members.add(rando)
+    assert org_ee not in ExecutionEnvironmentAccess(rando).get_queryset()  # user can not view the EE
+    url = django_reverse('roleteamassignment-list')
+    r = post(url, {'role_definition': ee_rd.pk, 'team': team.id, 'object_id': org_ee.pk}, user=admin_user, expect=400)
+    assert 'Team must have view permission to Execution Environment organization' in str(r.data)
+
+    org_view_rd = RoleDefinition.objects.create_from_permissions(
+        name='organization viewer role', permissions=['view_organization'], content_type=ContentType.objects.get_for_model(Organization)
+    )
+    org_view_rd.give_permission(team, org_ee.organization)
+    assert org_ee in ExecutionEnvironmentAccess(rando).get_queryset()  # user can view the EE now
+    # can give object roles to the team now
+    post(url, {'role_definition': ee_rd.pk, 'team': team.id, 'object_id': org_ee.pk}, user=admin_user, expect=201)
+    assert rando.has_obj_perm(org_ee, 'change')
+
+
+@pytest.mark.django_db
+def test_give_object_permission_to_ee(org_ee, ee_rd, org_member, check_user_capabilities):
+    access = ExecutionEnvironmentAccess(org_member)
+    assert access.can_read(org_ee)  # by virtue of being an org member
+    assert not access.can_change(org_ee, {'name': 'new'})
+    check_user_capabilities(org_member, org_ee, {'edit': False, 'delete': False, 'copy': False})
+
+    ee_rd.give_permission(org_member, org_ee)
+    assert access.can_change(org_ee, {'name': 'new', 'organization': org_ee.organization.id})
+
+    check_user_capabilities(org_member, org_ee, {'edit': True, 'delete': True, 'copy': False})
+
+
+@pytest.mark.django_db
+def test_need_related_organization_access(org_ee, ee_rd, org_member):
+    org2 = Organization.objects.create(name='another organization')
+    ee_rd.give_permission(org_member, org_ee)
+    org2.member_role.members.add(org_member)
+    access = ExecutionEnvironmentAccess(org_member)
+    assert access.can_change(org_ee, {'name': 'new', 'organization': org_ee.organization})
+    assert access.can_change(org_ee, {'name': 'new', 'organization': org_ee.organization.id})
+    assert not access.can_change(org_ee, {'name': 'new', 'organization': org2.id})
+    assert not access.can_change(org_ee, {'name': 'new', 'organization': org2})
+
+    # User can make the change if they have relevant permission to the new organization
+    org_ee.organization.execution_environment_admin_role.members.add(org_member)
+    org2.execution_environment_admin_role.members.add(org_member)
+    assert access.can_change(org_ee, {'name': 'new', 'organization': org2.id})
+    assert access.can_change(org_ee, {'name': 'new', 'organization': org2})
+
+
+@pytest.mark.django_db
+@pytest.mark.parametrize('style', ['new', 'old'])
+def test_give_org_permission_to_ee(org_ee, organization, org_member, check_user_capabilities, style, org_ee_rd):
+    access = ExecutionEnvironmentAccess(org_member)
+    assert not access.can_change(org_ee, {'name': 'new'})
+    check_user_capabilities(org_member, org_ee, {'edit': False, 'delete': False, 'copy': False})
+
+    if style == 'new':
+        org_ee_rd.give_permission(org_member, organization)
+        assert org_member.has_obj_perm(org_ee.organization, 'add_executionenvironment')  # sanity
+    else:
+        organization.execution_environment_admin_role.members.add(org_member)
+
+    assert access.can_change(org_ee, {'name': 'new', 'organization': organization.id})
+    check_user_capabilities(org_member, org_ee, {'edit': True, 'delete': True, 'copy': True})

awx/main/tests/functional/test_rbac_job_templates.py

@@ -182,8 +182,14 @@ def test_job_template_creator_access(project, organization, rando, post, setup_m
 
 @pytest.mark.django_db
 @pytest.mark.job_permissions
-@pytest.mark.parametrize('lacking', ['project', 'inventory'])
-def test_job_template_insufficient_creator_permissions(lacking, project, inventory, organization, rando, post):
+@pytest.mark.parametrize(
+    'lacking,reason',
+    [
+        ('project', 'You do not have use permission on Project'),
+        ('inventory', 'You do not have use permission on Inventory'),
+    ],
+)
+def test_job_template_insufficient_creator_permissions(lacking, reason, project, inventory, organization, rando, post):
     if lacking != 'project':
         project.use_role.members.add(rando)
     else:
@@ -192,12 +198,13 @@ def test_job_template_insufficient_creator_permissions(lacking, project, invento
         inventory.use_role.members.add(rando)
     else:
         inventory.read_role.members.add(rando)
-    post(
+    response = post(
         url=reverse('api:job_template_list'),
         data=dict(name='newly-created-jt', inventory=inventory.id, project=project.pk, playbook='helloworld.yml'),
         user=rando,
         expect=403,
     )
+    assert reason in response.data[lacking]
 
 
 @pytest.mark.django_db

awx/main/tests/functional/test_rbac_organization.py

@@ -48,3 +48,17 @@ def test_org_resource_role(ext_auth, organization, rando, org_admin):
         assert access.can_attach(organization, rando, 'member_role.members') == ext_auth
         organization.member_role.members.add(rando)
         assert access.can_unattach(organization, rando, 'member_role.members') == ext_auth
+
+
+@pytest.mark.django_db
+def test_delete_org_while_workflow_active(workflow_job_template):
+    '''
+    Delete org while workflow job is active (i.e. changing status)
+    '''
+    assert workflow_job_template.organization  # sanity check
+    wj = workflow_job_template.create_unified_job()  # status should be new
+    workflow_job_template.organization.delete()
+    wj.refresh_from_db()
+    assert wj.status != 'pending'  # sanity check
+    wj.status = 'pending'  # status needs to change in order to trigger workflow_job_template.save()
+    wj.save(update_fields=['status'])

awx/main/tests/functional/test_rbac_workflow.py

@@ -35,6 +35,13 @@ class TestWorkflowJobTemplateAccess:
         assert org_member in wfjt.execute_role
         assert org_member in wfjt.read_role
 
+    def test_non_super_admin_no_add_without_org(self, wfjt, organization, rando):
+        organization.member_role.members.add(rando)
+        wfjt.admin_role.members.add(rando)
+        access = WorkflowJobTemplateAccess(rando, save_messages=True)
+        assert not access.can_add({'name': 'without org'})
+        assert 'An organization is required to create a workflow job template for normal user' in access.messages['organization']
+
 
 @pytest.mark.django_db
 class TestWorkflowJobTemplateNodeAccess:

awx/main/utils/pglock.py

@@ -8,9 +8,22 @@ from django.db import connection
 
 
 @contextmanager
-def advisory_lock(*args, **kwargs):
+def advisory_lock(*args, lock_session_timeout_milliseconds=0, **kwargs):
     if connection.vendor == 'postgresql':
+        cur = None
+        idle_in_transaction_session_timeout = None
+        idle_session_timeout = None
+        if lock_session_timeout_milliseconds > 0:
+            with connection.cursor() as cur:
+                idle_in_transaction_session_timeout = cur.execute('SHOW idle_in_transaction_session_timeout').fetchone()[0]
+                idle_session_timeout = cur.execute('SHOW idle_session_timeout').fetchone()[0]
+                cur.execute(f"SET idle_in_transaction_session_timeout = '{lock_session_timeout_milliseconds}'")
+                cur.execute(f"SET idle_session_timeout = '{lock_session_timeout_milliseconds}'")
         with django_pglocks_advisory_lock(*args, **kwargs) as internal_lock:
             yield internal_lock
+            if lock_session_timeout_milliseconds > 0:
+                with connection.cursor() as cur:
+                    cur.execute(f"SET idle_in_transaction_session_timeout = '{idle_in_transaction_session_timeout}'")
+                    cur.execute(f"SET idle_session_timeout = '{idle_session_timeout}'")
     else:
         yield True

awx/main/wsrelay.py

@@ -306,7 +306,8 @@ class WebSocketRelayManager(object):
         database_conf['OPTIONS'] = deepcopy(database_conf.get('OPTIONS', {}))
 
         for k, v in settings.LISTENER_DATABASES.get('default', {}).items():
-            database_conf[k] = v
+            if k != 'OPTIONS':
+                database_conf[k] = v
         for k, v in settings.LISTENER_DATABASES.get('default', {}).get('OPTIONS', {}).items():
             database_conf['OPTIONS'][k] = v
 

awx/settings/defaults.py

@@ -262,6 +262,7 @@ START_TASK_LIMIT = 100
 # We have the grace period so the task manager can bail out before the timeout.
 TASK_MANAGER_TIMEOUT = 300
 TASK_MANAGER_TIMEOUT_GRACE_PERIOD = 60
+TASK_MANAGER_LOCK_TIMEOUT = TASK_MANAGER_TIMEOUT + TASK_MANAGER_TIMEOUT_GRACE_PERIOD
 
 # Number of seconds _in addition to_ the task manager timeout a job can stay
 # in waiting without being reaped

awx/templates/rest_framework/api.html

@@ -64,7 +64,7 @@
       <div class="col-sm-6">
       </div>
       <div class="col-sm-6 footer-copyright">
-        Copyright &copy; 2021 <a href="http://www.redhat.com" target="_blank">Red Hat</a>, Inc. All Rights Reserved.
+        Copyright &copy; 2024 <a href="http://www.redhat.com" target="_blank">Red Hat</a>, Inc. All Rights Reserved.
       </div>
     </div>
   </div>

awx/ui/src/screens/ActivityStream/ActivityStream.js

@@ -59,7 +59,7 @@ function ActivityStream() {
     {
       page: 1,
       page_size: 20,
-      order_by: '-timestamp',
+      order_by: '-id',
     },
     ['id', 'page', 'page_size']
   );

docs/docsite/rst/administration/configure_awx.rst

@@ -23,7 +23,6 @@ Authentication
 .. index::
     single: social authentication
     single: authentication
-    single: enterprise authentication
     pair: configuration; authentication
 
 .. include:: ./configure_awx_authentication.rst

docs/docsite/rst/administration/containers_instance_groups.rst

@@ -300,13 +300,10 @@ Container Groups
    single: container groups
    pair: containers; instance groups
 
-AWX supports :term:`Container Groups`, which allow you to execute jobs in AWX regardless of whether AWX is installed as a standalone, in  a virtual environment, or in a container. Container groups act as a pool of resources within a virtual environment. You can create instance groups to point to an OpenShift container, which are job environments that are provisioned on-demand as a Pod that exists only for the duration of the playbook run. This is known as the ephemeral execution model and ensures a clean environment for every job run.
+AWX supports :term:`Container Groups`, which allow you to execute jobs in pods on Kubernetes (k8s) or OpenShift clusters. Container groups act as a pool of resources within a virtual environment. These pods are created on-demand and only exist for the duration of the playbook run. This is known as the ephemeral execution model and ensures a clean environment for every job run.
 
 In some cases, it is desirable to have container groups be "always-on", which is configured through the creation of an instance.
 
-.. note::
-
-	Container Groups upgraded from versions prior to |at| 4.0 will revert back to default and completely remove the old pod definition, clearing out all custom pod definitions in the migration.
 
 
 Container groups are different from |ees| in that |ees| are container images and do not use a virtual environment. See :ref:`ug_execution_environments` in the |atu| for further detail.
@@ -335,19 +332,19 @@ To create a container group:
 
 .. _ag_customize_pod_spec:
 
-Customize the Pod spec
+Customize the pod spec
 ^^^^^^^^^^^^^^^^^^^^^^^^
 
-AWX provides a simple default Pod specification, however, you can provide a custom YAML (or JSON) document that overrides the default Pod spec. This field uses any custom fields (i.e. ``ImagePullSecrets``) that can be "serialized" as valid Pod JSON or YAML. A full list of options can be found in the `OpenShift documentation <https://docs.openshift.com/online/pro/architecture/core_concepts/pods_and_services.html>`_.
+AWX provides a simple default pod specification, however, you can provide a custom YAML (or JSON) document that overrides the default pod spec. This field uses any custom fields (for example, ``ImagePullSecrets``) that can be "serialized" as valid pod JSON or YAML. A full list of options can be found in the `OpenShift documentation <https://docs.openshift.com/online/pro/architecture/core_concepts/pods_and_services.html>`_.
 
-To customize the Pod spec, specify the namespace in the **Pod Spec Override** field by using the toggle to enable and expand the **Pod Spec Override** field and click **Save** when done.
+To customize the pod spec, check the **Customize pod specification** option to enable and expand the **Custom pod spec** field where you specify the namespace and provide additional customizations as needed.
 
 |IG - CG customize pod|
 
 .. |IG - CG customize pod| image:: ../common/images/instance-group-customize-cg-pod.png
 		:alt: Create new container group form with the option to custom the pod spec.
 
-You may provide additional customizations, if needed. Click **Expand** to view the entire customization window.
+Click **Expand** to view the entire customization window.
 
 .. image:: ../common/images/instance-group-customize-cg-pod-expanded.png
 	:alt: The expanded view for customizing the pod spec.
@@ -356,6 +353,21 @@ You may provide additional customizations, if needed. Click **Expand** to view t
 
 	The image used at job launch time is determined by which |ee| is associated with the job. If a Container Registry credential is associated with the |ee|, then AWX will attempt to make a ``ImagePullSecret`` to pull the image. If you prefer not to give the service account permission to manage secrets, you must pre-create the ``ImagePullSecret`` and specify it on the pod spec, and omit any credential from the |ee| used.
 
+.. tip::
+
+	In order to override DNS/host entries, use the ``hostAliases`` attribute on the pod spec. When the pod is created, these entries will be added to ``/etc/hosts`` in the container running the job.
+
+	::
+
+		spec:
+		  hostAliases:
+		  - ip: "127.0.0.1"
+		    hostnames:
+		    - "foo.local"
+
+	For more information, refer to Kubernetes' documentation on `Adding additional entries with hostAliases <https://kubernetes.io/docs/tasks/network/customize-hosts-file-for-pods/#adding-additional-entries-with-hostaliases>`_.
+
+
 Once the container group is successfully created, the **Details** tab of the newly created container group remains, which allows you to review and edit your container group information. This is the same menu that is opened if the Edit (|edit-button|) button is clicked from the **Instance Group** link. You can also edit **Instances** and review **Jobs** associated with this instance group.
 
 .. |edit-button| image:: ../common/images/edit-button.png
@@ -370,7 +382,7 @@ Container groups and instance groups are labeled accordingly.
 
 .. note::
 
-	Despite the fact that customers have custom Pod specs, upgrades may be difficult if the default ``pod_spec`` changes. Most any manifest can be applied to any namespace, with the namespace specified separately, most likely you will only need to override the namespace. Similarly, pinning a default image for different releases of the platform to different versions of the default job runner container is tricky. If the default image is specified in the Pod spec, then upgrades do not pick up the new default changes are made to the default Pod spec.
+	Using a custom pod spec may cause issues on upgrades if the default ``pod_spec`` changes. Since any manifest can be applied to any namespace, with the namespace specified separately, most likely you will only need to override the namespace. Similarly, pinning a default image for different releases of the platform to different versions of the default job runner container is tricky. If the default image is specified in the pod spec, then upgrades do not pick up the new default changes that are made to the default pod spec.
 
 
 Verify container group functions
@@ -411,7 +423,7 @@ You can see in the jobs detail view the container was reached successfully using
 .. |Inventory with localhost ping success| image:: ../common/images/inventories-launch-adhoc-cg-test-localhost-success.png
 	:alt: Jobs output view showing a successfully ran adhoc job.
 
-If you have an OpenShift UI, you can see Pods appear and disappear as they deploy and terminate. Alternatively, you can use the CLI to perform a ``get pod`` operation on your namespace to watch these same events occurring in real-time.
+If you have an OpenShift UI, you can see pods appear and disappear as they deploy and terminate. Alternatively, you can use the CLI to perform a ``get pod`` operation on your namespace to watch these same events occurring in real-time.
 
 
 View container group jobs

docs/docsite/rst/administration/troubleshooting.rst

@@ -8,6 +8,21 @@ Troubleshooting AWX
    single: troubleshooting
    single: help
   
+
+Some troubleshooting tools are built in the AWX user interface that may help you address some issues you might encounter. To access these tools, navigate to **Settings** and select **Troubleshooting**.
+
+.. image:: ../common/images/settings_troubleshooting_highlighted.png
+
+The options available are:
+
+- **Enable or Disable tmp dir cleanup**: choose whether you want to clean up the ``tmp`` directory.
+- **Debug Web Requests**: choose whether you want web requests to log messages for debugging purposes.
+- **Release Receptor Work**: disables cleaning up job pods. If you disable this, the jobs pods will remain in your cluster indefinitely, allowing you to examine them post-run. If you are missing data there, run ``kubectl logs <job-pod-name>`` and provide the logs in a issue report.
+
+.. image:: ../common/images/troubleshooting_options.png
+
+Click **Edit** to modify the settings. Use the toggle to enable and disable the appropriate settings.
+
 .. _admin_troubleshooting_extra_settings:
 
 Error logging and extra settings
@@ -220,3 +235,4 @@ If you receive the message "Skipping: No Hosts Matched" when you are trying to r
 - Make sure that if you have specified a Limit in the Job Template that it is a valid limit value and still matches something in your inventory. The Limit field takes a pattern argument, described here: http://docs.ansible.com/intro_patterns.html
 
 Please file a support ticket if you still run into issues after checking these options.
+

docs/docsite/rst/common/logos_branding.rst

@@ -18,7 +18,7 @@ For example, if you uploaded a specific logo, and added the following text:
 	:alt: Edit User Interface Settings form populated with custom text and logo.
 
 
-The Tower login dialog would look like this:
+The AWX login dialog would look like this:
 
 .. image:: ../common/images/configure-awx-ui-angry-spud-login.png
 	:alt: AWX login screen with custom text and logo.

docs/docsite/rst/rest_api/authentication.rst

@@ -8,7 +8,7 @@ Authentication Methods Using the API
    pair: OAuth 2 Token; authentication
    pair: SSO; authentication
 
-This chapter describes the numerous enterprise authentication methods, the best use case for each, and examples:
+This chapter describes different authentication methods, the best use case for each, and examples:
 
 .. contents::
     :local:

docs/docsite/rst/rest_api/filtering.rst

@@ -94,7 +94,7 @@ Field lookups may also be used for more advanced queries, by appending the looku
 
 The following field lookups are supported:
 
-- ``exact``: Exact match (default lookup if not specified).
+- ``exact``: Exact match (default lookup if not specified, refer to the following note for more information).
 - ``iexact``: Case-insensitive version of exact.
 - ``contains``: Field contains value.
 - ``icontains``: Case-insensitive version of contains.
@@ -122,3 +122,18 @@ Filtering based on the requesting user's level of access by query string paramet
 
 - ``role_level``: Level of role to filter on, such as ``admin_role``
 
+
+.. note::
+
+    Previous releases of AWX returned queries with **__exact** results by default, but you may find that the latest versions are returning a larger subset instead. As a workaround, set the ``limit`` to ``?limit__exact`` for the default filter. For example, ``/api/v2/jobs/?limit__exact=example.domain.com`` results in:
+
+    ::
+
+        {
+            "count": 1,
+            "next": null,
+            "previous": null,
+            "results": [
+        ... 
+
+.. this note is generically written for AWX. For downstream, the change started in AAP 2.0 so we can be more specific if necessary.

docs/docsite/rst/userguide/inventories.rst

@@ -1,4 +1,4 @@
- .. _ug_inventories:
+.. _ug_inventories:
 
 *******************
 Inventories
@@ -482,6 +482,7 @@ Inventory updates use dynamically-generated YAML files which are parsed by their
 - :ref:`ug_source_rhv`
 - :ref:`ug_source_rhaap`
 - :ref:`ug_source_terraform`
+- :ref:`ug_source_ocpv`
 
 
 Newly created configurations for inventory sources will contain the default plugin configuration values. If you want your newly created inventory sources to match the output of legacy sources, you must apply a specific set of configuration values for that source. To ensure backward compatibility, AWX uses "templates" for each of these sources to force the output of inventory plugins into the legacy format. Refer to :ref:`ir_inv_plugin_templates_reference` section of this guide for each source and their respective templates to help you migrate to the new style inventory plugin output.
@@ -1100,11 +1101,11 @@ This inventory source uses the `terraform_state <https://github.com/ansible-coll
 
 1. To configure this type of sourced inventory, select **Terraform State** from the Source field.
 
-2. The Create new source window expands with the required **Credential** field. Choose from an existing Terraform backend Credential. For more information, refer to :ref:`ug_credentials`.
+2. The Create new source window expands with the required **Credential** field. Choose from an existing Terraform backend credential. For more information, refer to :ref:`ug_credentials_terraform`.
 
 3. You can optionally specify the verbosity, host filter, enabled variable/value, and update options as described in the main procedure for :ref:`adding a source <ug_add_inv_common_fields>`. For Terraform, enable **Overwrite** and **Update on launch** options.  
 
-4. Use the **Source Variables** field to override variables used by the ``controller`` inventory plugin. Enter variables using either JSON or YAML syntax. Use the radio button to toggle between the two. For more information on these variables, see the `terraform_state <https://github.com/ansible-collections/cloud.terraform/blob/main/docs/cloud.terraform.terraform_state_inventory.rst>`_ file for detail.
+4. Use the **Source Variables** field to override variables used by the ``terraform`` inventory plugin. Enter variables using either JSON or YAML syntax. Use the radio button to toggle between the two. For more information on these variables, see the `terraform_state <https://github.com/ansible-collections/cloud.terraform/blob/main/docs/cloud.terraform.terraform_state_inventory.rst>`_ file for detail.
 
   The ``backend_type`` variable is required by the Terraform state inventory plugin. This should match the remote backend configured in the Terraform backend credential, here is an example for an Amazon S3 backend:
 
@@ -1120,6 +1121,43 @@ This inventory source uses the `terraform_state <https://github.com/ansible-coll
 6. To add hosts for AWS EC2, GCE, and Azure instances, the Terraform state file in the backend must contain state for resources already deployed to EC2, GCE, or Azure. Refer to each of the Terraform providers' respective documentation to provision instances.
 
 
+.. _ug_source_ocpv:
+
+OpenShift Virtualization
+~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. index::
+   pair: inventories; OpenShift
+   pair: inventories; OCP
+   pair: inventory source; OpenShift virtualization
+
+
+This inventory source uses a cluster that is able to deploy OpenShift (OCP) virtualization. In order to configure an OCP virtualization requires a virtual machine deployed in a specific namespace and an OpenShift or Kubernetes API Bearer Token credential.
+
+1. To configure this type of sourced inventory, select **OpenShift Virtualization** from the Source field.
+2. The Create new source window expands with the required **Credential** field. Choose from an existing Kubernetes API Bearer Token credential. For more information, refer to :ref:`ug_credentials_ocp_k8s`. In this example, the ``cmv2.engineering.redhat.com`` credential is used.
+
+3. You can optionally specify the verbosity, host filter, enabled variable/value, and update options as described in the main procedure for :ref:`adding a source <ug_add_inv_common_fields>`. 
+
+4. Use the **Source Variables** field to override variables used by the ``kubernetes`` inventory plugin. Enter variables using either JSON or YAML syntax. Use the radio button to toggle between the two. For more information on these variables, see the `kubevirt.core.kubevirt inventory source <https://kubevirt.io/kubevirt.core/main/plugins/kubevirt.html#parameters>`_ documentation for detail.
+
+  In the example below, the ``connections`` variable is used to specify access to a particular namespace in a cluster. 
+
+  ::
+
+    ---
+    connections:
+    - namespaces:
+      - hao-test
+
+
+  .. image:: ../common/images/inventories-create-source-ocpvirt-example.png
+
+5. Save the configuration and click the **Sync** button to sync the inventory.
+
+
+
+
 .. _ug_customscripts:
 
 Export old inventory scripts

docs/docsite/rst/userguide/overview.rst

@@ -189,7 +189,7 @@ Authentication Enhancements
    pair: features; authentication
    pair: features; OAuth 2 token
 
-AWX supports LDAP, SAML, token-based authentication. Enhanced LDAP and SAML support allows you to integrate your enterprise account information in a more flexible manner. Token-based Authentication allows for easily authentication of third-party tools and services with AWX via integrated OAuth 2 token support.
+AWX supports LDAP, SAML, token-based authentication. Enhanced LDAP and SAML support allows you to integrate your account information in a more flexible manner. Token-based Authentication allows for easily authentication of third-party tools and services with AWX via integrated OAuth 2 token support.
 
 Cluster Management
 ~~~~~~~~~~~~~~~~~~~~
@@ -240,9 +240,8 @@ Job Distribution
    pair: features; jobs, slicing
    pair: features; jobs, distribution
 
-As automation moves enterprise-wide, the need to automate at scale grows. AWX offer the ability to take a fact gathering or
-configuration job running across thousands of machines and slice it into individual job slices that can be distributed across your AWX cluster for increased reliability, faster job completion, and better cluster utilization. If you need to change a parameter across 15,000 switches at
-scale, or gather information across your multi-thousand-node RHEL estate, you can now do so easily.
+AWX offers the ability to take a fact gathering or configuration job running across thousands of machines and slice it into individual job slices that can be distributed across your AWX cluster for increased reliability, faster job completion, and better cluster utilization.
+If you need to change a parameter across 15,000 switches at scale, or gather information across your multi-thousand-node RHEL estate, you can now do so easily.
 
 
 Support for deployment in a FIPS-enabled environment

docs/docsite/rst/userguide/rbac.rst

@@ -21,7 +21,7 @@ DAB RBAC
    single: roles   
    pair: DAB; RBAC
 
-This section describes the latest changes to RBAC, involving use of the ``django-ansible-base`` (DAB) library, to enhance existing roles, provide a uniformed model that is compatible with platform (enterprise) components, and allow creation of custom roles. However, the internals of the system in the backend have changes implemented, but they are not reflected yet in the AWX UI. The change to the backend maintains a compatibility layer so the “old” roles in the API still exists temporarily, until a fully-functional compatible UI replaces the existing roles. 
+This section describes the latest changes to RBAC, involving use of the ``django-ansible-base`` (DAB) library, to enhance existing roles, and allow creation of custom roles. However, the internals of the system in the backend have changes implemented, but they are not reflected yet in the AWX UI. The change to the backend maintains a compatibility layer so the “old” roles in the API still exists temporarily, until a fully-functional compatible UI replaces the existing roles. 
 
 New functionality, specifically custom roles, are possible through direct API clients or the API browser, but the presentation in the AWX UI might not reflect the changes made in the API.
 

requirements/django-ansible-base-pinned-version.sh

@@ -0,0 +1,77 @@
+#!/bin/bash
+set +x
+
+# CONSTANTS
+export REGEX_LEFT='https://github.com/ansible/django-ansible-base@'
+export REGEX_RIGHT='#egg=django-ansible-base'
+
+# GLOBALS
+SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
+REQ_FILE=$SCRIPT_DIR/requirements_git.txt
+
+# Pin Function
+DESIRED_VERSION=''
+Pin()
+{
+    export DESIRED_VERSION
+    perl -p -i -e 's/\Q$ENV{REGEX_LEFT}\E(.*?)\Q$ENV{REGEX_RIGHT}\E/$ENV{REGEX_LEFT}$ENV{DESIRED_VERSION}$ENV{REGEX_RIGHT}/g' $REQ_FILE
+}
+
+# Current Function
+Current()
+{
+    REQUIREMENTS_LINE=$(grep django-ansible-base $REQ_FILE)
+
+    echo "$REQUIREMENTS_LINE" | perl -nE 'say $1 if /\Q$ENV{REGEX_LEFT}\E(.*?)\Q$ENV{REGEX_RIGHT}\E/'
+}
+
+
+Help()
+{
+   # Display Help
+   echo ""
+   echo "Help:"
+   echo ""
+   echo "Interact with django-ansible-base in $REQ_FILE."
+   echo "By default, output the current django-ansible-base pinned version."
+   echo
+   echo "Syntax: scriptTemplate [-s|h|v]"
+   echo "options:"
+   echo "s     Set django-ansible-base version to pin to."
+   echo "h     Print this Help."
+   echo "v     Verbose mode."
+   echo
+}
+
+if [ $# -eq 0 ]; then
+    Current
+    exit
+fi
+
+
+while getopts ":hs:" option; do
+   case $option in
+      h) # display Help
+         Help
+         exit
+         ;;
+      s)
+         DESIRED_VERSION=$OPTARG;;
+      :)
+         echo "Option -${OPTARG} requires an argument."
+         Help
+         exit 1
+         ;;
+     \?) # Invalid option
+         echo "Error: Invalid option"
+         echo ""
+         Help
+         exit;;
+   esac
+done
+
+if [ -n "$DESIRED_VERSION" ]; then
+    Pin
+    Current
+fi
+

requirements/requirements_dev.txt

@@ -24,10 +24,9 @@ gprof2dot
 atomicwrites
 flake8
 yamllint
-pip>=21.3 # PEP 660 – Editable installs for pyproject.toml based builds (wheel based)
+pip>=21.3,<=24.0 # PEP 660 – Editable installs for pyproject.toml based builds (wheel based)
 
 # python debuggers
 debugpy
 remote-pdb
 sdb
-

tools/ansible/roles/dockerfile/templates/Dockerfile.j2

@@ -5,7 +5,7 @@
 ###
 
 # Build container
-FROM quay.io/centos/centos:stream9 as builder
+FROM quay.io/centos/centos:stream9 AS builder
 
 ENV LANG en_US.UTF-8
 ENV LANGUAGE en_US:en