Replace role system (RBAC) with permissions-based DB roles #14905
@@ -536,10 +540,12 @@ class InstanceGroupAccessList(ResourceAccessList): | |||
|
|||
|
|||
class InstanceGroupObjectRolesList(SubListAPIView): | |||
deprecated = True |
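Review bot: `deprecated = True` on `InstanceGroupObjectRolesList` is the only signal in the lines shown that this view is going away. Add a comment or docstring next to the flag naming the replacement endpoint, so API consumers who manage instance-group access through object roles know where to move before the view is removed.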
Are we really going to deprecate everything? That seems pretty hostile to community users.
(also, this one seems to have `deprecated = True` twice.)
Talking about deprecation, if I understood you correctly, `access_list` should be marked as deprecated as well, right?
Put up #15068, which should address the things mentioned in both of the above 2 comments.
And yes, these will be deprecated. Obviously we won't just go break the UI. We will push the new UI to the community somehow and stop maintaining the old UI. Some time after that, yes, we will remove these endpoints, and we will delete the old `Role` tables that are used for the backward compatibility. Everything you could do with these you can do with the new endpoints.
Develop ability to list permissions for existing roles
Create a model registry for RBAC-tracked models
Write the data migration logic for creating the preloaded role definitions
Write migration to migrate old Role into ObjectRole model
This loops over the old Role model, knowing it is unique on object and role_field
Most of the logic is concerned with identifying the needed permissions, and then corresponding role definition
As needed, object roles are created and users then teams are assigned
Write re-computation of cache logic for teams and then for object role permissions
Migrate new RBAC internals to ansible_base
Migrate tests to ansible_base
Implement solution for visible_roles
Expose URLs for DAB RBAC

…tem (#14963)
* Add new enablement settings from DAB RBAC
* Initial implementation of system auditor as role without testing
* Fix system auditor role, remove duplicate assignments
* Make the system auditor role managed
* Flake8 fix
* Remove another thing from old solution
* Fix a few test failures
* Add extra setting to disable custom system roles via API
* Add test for custom role prohibition

Fix migration for created and modified field changes

Fix server error from delete capability of approvals

* Generalize can_delete solution, use devel DAB
* Fix bug where model was used instead of model_name
* Linter fixes

* Remove duplicate access_list entries for direct team access
* Revert test changes for superuser in access_list

Adds new modules for CRUD operations on the following endpoints:
- api/v2/role_definitions
- api/v2/role_user_assignments
- api/v2/role_team_assignments
Note: assignment is Create or Delete only
Additional changes:
- Currently DAB endpoints do not have "type" field on the resource list items. So this modifies the create_or_update_if_needed to allow manually specifying item type.
Signed-off-by: Seth Foster <[email protected]>

Tweaks to reflect what endpoints are deprecated

…15067)
* Fix bug where team could not be given read_role to other team
* Avoid unwanted triggers of parentage granting
* Restructure signal structure
* Fix another bug unmasked by team member permission fix
* Changes to live with test writing
* Use equality as opposed to string "in" from Seth in review comment
Co-authored-by: Seth Foster <[email protected]>
---------
Co-authored-by: Seth Foster <[email protected]>

…#15087)
* Rename managed role definitions, and move migration logic here
* Fix naming capitalization

Update related name to reflect upstream DAB change
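
The migration steps listed in the commit messages above, sketched as an added example (not code from this PR, AWX or django-ansible-base): it walks the old roles, reuses one role definition per permission set, assigns users then teams, and flattens grants so the result can be compared before and after. `ROLE_FIELD_PERMS`, `OldRole`, the function names and the sample rows are assumptions made for illustration.

```python
from collections import namedtuple
# Added illustration, not AWX or DAB code. The role_field -> permissions map is hypothetical.
ROLE_FIELD_PERMS = {
    "admin_role": frozenset({"view", "change", "delete"}),
    "use_role": frozenset({"view", "use"}),
    "read_role": frozenset({"view"}),
}
OldRole = namedtuple("OldRole", "model object_id role_field users teams")

def migrate(old_roles):
    definitions = {}   # (model, permission set) -> role definition name
    object_roles = {}  # (definition name, object_id) -> {"users": set, "teams": set}
    skipped, seen = [], set()
    for role in old_roles:
        key = (role.model, role.object_id, role.role_field)
        if key in seen:  # old roles are unique on object and role_field
            raise ValueError(f"duplicate old role {key}")
        seen.add(key)
        perms = ROLE_FIELD_PERMS.get(role.role_field)
        if perms is None:  # fail closed: never guess permissions for an unknown role
            skipped.append(key)
            continue
        if not (role.users or role.teams):
            continue  # object roles are created only as needed
        name = definitions.setdefault((role.model, perms), f"{role.model}:{role.role_field}")
        members = object_roles.setdefault((name, role.object_id), {"users": set(), "teams": set()})
        members["users"].update(role.users)  # users first, then teams
        members["teams"].update(role.teams)
    return definitions, object_roles, skipped

# Both helpers flatten to (principal, model, object_id, permission) for a before/after diff.
def old_grants(old_roles):
    return {(who, r.model, r.object_id, p) for r in old_roles
            for p in ROLE_FIELD_PERMS.get(r.role_field, ())
            for who in [f"user:{u}" for u in r.users] + [f"team:{t}" for t in r.teams]}

def new_grants(definitions, object_roles):
    perms_of = {name: key for key, name in definitions.items()}  # name -> (model, perms)
    return {(who, perms_of[name][0], oid, p)
            for (name, oid), m in object_roles.items() for p in perms_of[name][1]
            for who in [f"user:{u}" for u in m["users"]] + [f"team:{t}" for t in m["teams"]]}

SAMPLE = [  # constructed sample rows, not data from the PR
    OldRole("inventory", 1, "admin_role", ("alice",), ()),
    OldRole("inventory", 1, "read_role", ("bob",), ("ops",)),
    OldRole("inventory", 2, "read_role", (), ("ops",)),
    OldRole("inventory", 2, "use_role", (), ()),        # no members: nothing created
    OldRole("inventory", 3, "legacy_role", ("carol",), ()),  # unknown role_field: skipped
]
```

Comparing `old_grants(SAMPLE)` with `new_grants(...)` after a run shows any grant the migration widened or dropped, and the skipped list names the rows that need manual review.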
SUMMARY
This replaces #14735 as we have introduced a feature branch for this purpose.
This makes use of ansible/django-ansible-base#45 and the intent is to have that merged before this.
New endpoints are exposed from DAB. These are
The routers/views/serializers for these new endpoints live in DAB, not in this patch. This is mostly concerned with the "translation" layer to make the new roles look kind of like the old roles. Generally this is intended to be a backward-compatible change.
ISSUE TYPE
COMPONENT NAME
ADDITIONAL INFORMATION