Replace role system (RBAC) with permissions-based DB roles #14905
Commits on Apr 11, 2024
-
Replace role system with permissions-based DB roles
Develop ability to list permissions for existing roles Create a model registry for RBAC-tracked models Write the data migration logic for creating the preloaded role definitions Write migration to migrate old Role into ObjectRole model This loops over the old Role model, knowing it is unique on object and role_field Most of the logic is concerned with identifying the needed permissions, and then corresponding role definition As needed, object roles are created and users then teams are assigned Write re-computation of cache logic for teams and then for object role permissions Migrate new RBAC internals to ansible_base Migrate tests to ansible_base Implement solution for visible_roles Expose URLs for DAB RBAC
-
-
-
-
[DAB RBAC] Re-implement system auditor as a singleton role in new sys…
…tem (#14963) * Add new enablement settings from DAB RBAC * Initial implementation of system auditor as role without testing * Fix system auditor role, remove duplicate assignments * Make the system auditor role managed * Flake8 fix * Remove another thing from old solution * Fix a few test failures * Add extra setting to disable custom system roles via API * Add test for custom role prohibition
-
-
-
-
-
[RBAC] Fix migration for created and modified field changes (#14999)
Fix migration for created and modified field changes
-
[RBAC] Fix server error from delete capability of approvals (#15002)
Fix server error from delete capability of approvals
-
Generalize can_delete solution, use devel DAB (#15009)
* Generalize can_delete solution, use devel DAB * Fix bug where model was used instead of model_name * Linter fixes
-
[RBAC] Fix known issues with backward compatible access_list (#15052)
* Remove duplicate access_list entries for direct team access * Revert test changes for superuser in access_list
-
Adds new modules for CRUD operations on the following endpoints: - api/v2/role_definitions - api/v2/role_user_assignments - api/v2/role_team_assignments Note: assignment is Create or Delete only Additional changes: - Currently DAB endpoints do not have "type" field on the resource list items. So this modifies the create_or_update_if_needed to allow manually specifying item type. Signed-off-by: Seth Foster <[email protected]>
-
[RBAC] Tweaks to reflect what endpoints are deprecated (#15068)
Tweaks to reflect what endpoints are deprecated
-
[RBAC] Fix bug where team could not be given read_role to other team (#…
…15067) * Fix bug where team could not be given read_role to other team * Avoid unwanted triggers of parentage granting * Restructure signal structure * Fix another bug unmasked by team member permission fix * Changes to live with test writing * Use equality as opposed to string "in" from Seth in review comment Co-authored-by: Seth Foster <[email protected]> --------- Co-authored-by: Seth Foster <[email protected]>
-
[RBAC] Rename managed role definitions, and move migration logic here (…
…#15087) * Rename managed role definitions, and move migration logic here * Fix naming capitalization
-
-
[RBAC] Update related name to reflect upstream DAB change (#15093)
Update related name to reflect upstream DAB change
