Skip to content

Commit

Permalink
[RBAC] failed grouprole permission migrations fix (ansible#2274)
Browse files Browse the repository at this point in the history
Newly created roles during migrations we not getting permissions assigned, and that made it appear
that no user owned any resources. This change re-adds the relevant model permissions to preserve
the "ownership" the API would evaluation and display.

No-Issue

Signed-off-by: James Tanner <[email protected]>
  • Loading branch information
jctanner authored Sep 26, 2024
1 parent 0a45a9d commit f2262c6
Showing 1 changed file with 32 additions and 3 deletions.
35 changes: 32 additions & 3 deletions galaxy_ng/app/migrations/_dab_rbac.py
Original file line number Diff line number Diff line change
@@ -1,9 +1,13 @@
import logging

from django.apps import apps as global_apps
from django.contrib.contenttypes.models import ContentType
from rest_framework.exceptions import ValidationError

from ansible_base.rbac.management import create_dab_permissions
from ansible_base.rbac.migrations._utils import give_permissions
from ansible_base.rbac.validators import permissions_allowed_for_role, combine_values


logger = logging.getLogger(__name__)

Expand Down Expand Up @@ -34,6 +38,12 @@ def create_permissions_as_operation(apps, schema_editor):


def split_pulp_roles(apps, schema_editor):
'''
For every user&group role that is tied to a specific content object,
split the role out into a new single content type role with permissions
that are only relevant to that content object. Afterwards, swap the
[User|Group]Role's .role with the new role.
'''
Role = apps.get_model('core', 'Role')
UserRole = apps.get_model('core', 'UserRole')
GroupRole = apps.get_model('core', 'GroupRole')
Expand All @@ -43,12 +53,32 @@ def split_pulp_roles(apps, schema_editor):
for assignment_cls in (UserRole, GroupRole):
for pulp_assignment in assignment_cls.objects.filter(role=corerole, content_type__isnull=False):
if pulp_assignment.content_type_id not in split_roles:

# Get all permissions relevant to this content model.
# If any model (like synclist) hasn't been registered in the permission
# system, it should not be split/recreated ...
cls = apps.get_model(pulp_assignment.content_type.app_label, pulp_assignment.content_type.model)
try:
ct_codenames = combine_values(permissions_allowed_for_role(cls))
except ValidationError:
continue

# Make a new role for this special content model
new_data = {
'description': corerole.description,
'name': f'{corerole.name}_{pulp_assignment.content_type.model}'
}
new_role = Role(**new_data)
new_role.save()

# Add the necesarry permissions to the new role ...
for perm in pulp_assignment.role.permissions.all():
# The pulp role may have had permissions related to some other
# content model we're not interested in, so we will skip adding those.
if ct_codenames and perm.codename not in ct_codenames:
continue
new_role.permissions.add(perm)

split_roles[pulp_assignment.content_type_id] = new_role

pulp_assignment.role = split_roles[pulp_assignment.content_type_id]
Expand Down Expand Up @@ -112,11 +142,10 @@ def migrate_role_assignments(apps, schema_editor):
if not rd:
continue

# FIXME - why?
if not hasattr(group_role.group, 'team'):
actor = Team.objects.filter(group=group_role.group).first()
if actor is None:
continue

actor = group_role.group.team
if not group_role.object_id:
RoleTeamAssignment.objects.create(role_definition=rd, team=actor)
else:
Expand Down

0 comments on commit f2262c6

Please sign in to comment.