Replace RBAC internals with lib from django-ansible-base #14735

Closed
wants to merge 23 commits into from


AlanCoding
Member

SUMMARY

This makes use of ansible/django-ansible-base#45

The main points of that RBAC system are to:

  • Natively associate a list of permissions with a role, whereas it tends to be taken as obvious today, like, of course update_role gives update permission and read permission.
  • Allow roles with user-selected permissions, like, allow a user to create and edit a project without being able to update it.
  • Open the door for more fine-grained permissions, specifically the "add" permission right now, which would allow a user to add a project, for example, without also giving the user the ability to edit and update all projects in an organization.
  • Open the door for creating custom roles in the future.
  • Allow using the same RBAC system in other apps, aside from AWX.

The last points here will not be exposed through the API until new endpoints are added. That is what I will work on next, but first I want to get tests cleaned up with the ORM layer integration, which is why this is being opened up initially.

ISSUE TYPE
  • New or Enhanced Feature
COMPONENT NAME
  • API
ADDITIONAL INFORMATION

Initially this is being done in a backward compatible way with the current roles API. I want to formally document the few backward incompatible things.

  • The system admin and auditor roles no longer exist. Now it only uses the user flags (we pretty much did anyway).
  • The access list is artificial, made from the new models, to look like the old models. Some things will be slightly different.

@github-actions github-actions bot added component:api component:docs dependencies Pull requests that update a dependency file labels Dec 20, 2023
@github-actions github-actions bot added the component:awx_collection issues related to the collection for controlling AWX label Jan 3, 2024
@AlanCoding AlanCoding force-pushed the django_permissions branch 2 times, most recently from 933198b to 34bebdd Compare January 24, 2024 20:45
@AlanCoding AlanCoding force-pushed the django_permissions branch 2 times, most recently from af224bc to d370a3d Compare February 6, 2024 03:17
@AlanCoding AlanCoding changed the title [PoC] Replace RBAC internals with lib from django-ansible-base Replace RBAC internals with lib from django-ansible-base Feb 7, 2024
Develop ability to list permissions for existing roles

Create a model registry for RBAC-tracked models

Write the data migration logic for creating
  the preloaded role definitions

Write migration to migrate old Role into ObjectRole model

This loops over the old Role model, knowing it is unique
  on object and role_field

Most of the logic is concerned with identifying the
  needed permissions, and then corresponding role definition

As needed, object roles are created and users then teams
  are assigned

Write re-computation of cache logic for teams
  and then for object role permissions

Migrate new RBAC internals to ansible_base

Migrate tests to ansible_base

Implement solution for visible_roles

Expose URLs for DAB RBAC
@AlanCoding
Member Author

Moved to feature branch

@AlanCoding AlanCoding closed this Feb 20, 2024
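
A minimal sketch of the role model and migration described in the pull request above, added here as an illustration and not code from AWX or django-ansible-base. The permission names, the `IMPLIED` mapping, the class fields and the sample rows are constructed assumptions; only `Role`, `ObjectRole`, `role_field` and `update_role` are names taken from the page.

```python
from dataclasses import dataclass, field

# Constructed mapping: permissions each legacy role_field used to imply.
IMPLIED = {
    "admin_role": frozenset({"view", "change", "update", "delete"}),
    "update_role": frozenset({"view", "update"}),
    "read_role": frozenset({"view"}),
}

@dataclass(frozen=True)
class RoleDefinition:          # a role natively carries its permission list
    name: str
    permissions: frozenset

@dataclass
class ObjectRole:              # a role definition applied to one object
    definition: RoleDefinition
    obj: str
    users: set = field(default_factory=set)
    teams: set = field(default_factory=set)

def migrate(old_roles):
    """Convert legacy rows, unique on (obj, role_field), into object roles."""
    definitions, object_roles = {}, {}
    for old in old_roles:
        # An unmapped role_field raises KeyError, so nothing is granted by guesswork.
        perms = IMPLIED[old["role_field"]]
        rd = definitions.setdefault(perms, RoleDefinition(old["role_field"], perms))
        role = object_roles.setdefault((rd.name, old["obj"]), ObjectRole(rd, old["obj"]))
        role.users |= set(old["users"])   # users are assigned first
        role.teams |= set(old["teams"])   # then teams
    return list(object_roles.values())

def has_perm(object_roles, user, user_teams, obj, perm):
    """True only if a role on obj lists perm and covers the user or one of their teams."""
    return any(
        r.obj == obj and perm in r.definition.permissions
        and (user in r.users or bool(r.teams & set(user_teams)))
        for r in object_roles
    )

OLD = [  # constructed legacy rows
    {"obj": "project:1", "role_field": "update_role", "users": ["alice"], "teams": ["ops"]},
    {"obj": "project:1", "role_field": "read_role", "users": ["bob"], "teams": []},
]
ROLES = migrate(OLD)
# A role with user-selected permissions: edit a project without being able to update it.
EDITOR = RoleDefinition("project-editor", frozenset({"view", "change"}))
ROLES.append(ObjectRole(EDITOR, "project:1", users={"carol"}))
```

Because every check reads the permission list stored on the role definition, a reviewer can audit what a role grants without knowing what its name is supposed to imply.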