Info on AWX RBAC changes pending release

AlanCoding · April 23, 2024, 6:40pm

A few heads-up related to backend changes to the Role-based access control system in AWX, this was merged in:

github.com/ansible/awx

Replace role system (RBAC) with permissions-based DB roles

ansible:devel ← ansible:feature_dab_rbac

opened 07:14PM - 20 Feb 24 UTC

AlanCoding

+2267 -625

##### SUMMARY This replaces https://github.com/ansible/awx/pull/14735 as we hav…e introduced a feature branch for this purpose. This makes use of https://github.com/ansible/django-ansible-base/pull/45 and the intent is to have that merged before this. New endpoints are exposed from DAB. These are - role definitions - role user assignments - role team assignments The routers/views/serializers for these new endpoints live in DAB, not in this patch. This is mostly concerned with the "translation" layer to make the new roles look kind of like the old roles. Generally this is intended to be a backward-compatible change. ##### ISSUE TYPE - New or Enhanced Feature ##### COMPONENT NAME - API ##### ADDITIONAL INFORMATION

This was mentioned in some community meetings lately, and I’m excited for it to go out in a release. Key points:

This changes the internals of the system in the backend, but adds a compatibility layer so the “old” roles API still exists temporarily
The updated UI to use the new system isn’t ready yet, so we are basically shipping the new backend system with the old UI, which will relay on the backwards API support
New functionality, specifically custom roles, are possible using direct API clients or the API browser. You can use this, but the presentation in the UI might not be complete.

The main new thing this enables is creating custom roles which can be done via the /api/v2/role_definitions/ endpoint. Then these can only be assigned using the new endpoints, /api/v2/role_user_assignments/ and /api/v2/role_team_assignments/.

If you absolutely don’t want to allow custom roles, you can change the setting ANSIBLE_BASE_ALLOW_CUSTOM_ROLES to False. This is still a file-based setting for now.

The feature I believe will be most useful going forward is the “add” permissions. You could create a custom organization role that allows users to create all (or some) types of resources, and give this for a particular organization. So instead of allowing a user to edit all projects, they can create a new project, and after creating it, they will automatically get admin role just for the objects they created.

AlanCoding · April 24, 2024, 7:54pm

github.com/ansible/awx

awx-migration-24.3.0 failing

opened 12:06PM - 24 Apr 24 UTC

adpavlov

type:bug community

### Please confirm the following - [X] I agree to follow this project's [code o…f conduct](https://docs.ansible.com/ansible/latest/community/code_of_conduct.html). - [X] I have checked the [current issues](https://github.com/ansible/awx/issues) for duplicates. - [X] I understand that AWX is open source software provided for free and that I might not receive a timely response. - [X] I am **NOT** reporting a (potential) security vulnerability. (These should be emailed to `security@ansible.com` instead.) ### Bug Summary awx-migration-24.3.0 failing with following error: ``` Operations to perform: Apply all migrations: auth, conf, contenttypes, dab_rbac, dab_resource_registry, main, oauth2_provider, sessions, sites, social_django, sso Running migrations: 2024-04-24 11:57:29,309 INFO [-] awx.main.migrations._dab_rbac Created RoleDefinition Project Admin pk=RoleDefinition object (156) with 5 permissions 2024-04-24 11:57:29,313 INFO [-] awx.main.migrations._dab_rbac Created RoleDefinition Organization Project Admin pk=RoleDefinition object (157) with 7 permissions 2024-04-24 11:57:29,317 INFO [-] awx.main.migrations._dab_rbac Created RoleDefinition Project Use pk=RoleDefinition object (158) with 2 permissions 2024-04-24 11:57:29,321 INFO [-] awx.main.migrations._dab_rbac Created RoleDefinition WorkflowJobTemplate Admin pk=RoleDefinition object (159) with 5 permissions 2024-04-24 11:57:29,325 INFO [-] awx.main.migrations._dab_rbac Created RoleDefinition Organization WorkflowJobTemplate Admin pk=RoleDefinition object (160) with 7 permissions 2024-04-24 11:57:29,329 INFO [-] awx.main.migrations._dab_rbac Created RoleDefinition WorkflowJobTemplate Execute pk=RoleDefinition object (161) with 2 permissions 2024-04-24 11:57:29,333 INFO [-] awx.main.migrations._dab_rbac Created RoleDefinition WorkflowJobTemplate Approve pk=RoleDefinition object (162) with 2 permissions 2024-04-24 11:57:29,338 INFO [-] awx.main.migrations._dab_rbac Created RoleDefinition JobTemplate Admin pk=RoleDefinition object (163) with 4 permissions 2024-04-24 11:57:29,342 INFO [-] awx.main.migrations._dab_rbac Created RoleDefinition Organization JobTemplate Admin pk=RoleDefinition object (164) with 5 permissions 2024-04-24 11:57:29,346 INFO [-] awx.main.migrations._dab_rbac Created RoleDefinition JobTemplate Execute pk=RoleDefinition object (165) with 2 permissions 2024-04-24 11:57:29,350 INFO [-] awx.main.migrations._dab_rbac Created RoleDefinition NotificationTemplate Admin pk=RoleDefinition object (166) with 3 permissions 2024-04-24 11:57:29,354 INFO [-] awx.main.migrations._dab_rbac Created RoleDefinition Organization NotificationTemplate Admin pk=RoleDefinition object (167) with 5 permissions 2024-04-24 11:57:29,358 INFO [-] awx.main.migrations._dab_rbac Created RoleDefinition Team Admin pk=RoleDefinition object (168) with 4 permissions 2024-04-24 11:57:29,362 INFO [-] awx.main.migrations._dab_rbac Created RoleDefinition Organization Team Admin pk=RoleDefinition object (169) with 6 permissions 2024-04-24 11:57:29,366 INFO [-] awx.main.migrations._dab_rbac Created RoleDefinition Team Member pk=RoleDefinition object (170) with 2 permissions 2024-04-24 11:57:29,370 INFO [-] awx.main.migrations._dab_rbac Created RoleDefinition Organization Admin pk=RoleDefinition object (171) with 5 permissions 2024-04-24 11:57:29,374 INFO [-] awx.main.migrations._dab_rbac Created RoleDefinition Organization Organization Admin pk=RoleDefinition object (172) with 5 permissions 2024-04-24 11:57:29,378 INFO [-] awx.main.migrations._dab_rbac Created RoleDefinition Organization Member pk=RoleDefinition object (173) with 2 permissions 2024-04-24 11:57:29,382 INFO [-] awx.main.migrations._dab_rbac Created RoleDefinition Organization Audit pk=RoleDefinition object (174) with 2 permissions 2024-04-24 11:57:29,386 INFO [-] awx.main.migrations._dab_rbac Created RoleDefinition Inventory Admin pk=RoleDefinition object (175) with 6 permissions 2024-04-24 11:57:29,390 INFO [-] awx.main.migrations._dab_rbac Created RoleDefinition Organization Inventory Admin pk=RoleDefinition object (176) with 8 permissions 2024-04-24 11:57:29,394 INFO [-] awx.main.migrations._dab_rbac Created RoleDefinition Inventory Use pk=RoleDefinition object (177) with 2 permissions 2024-04-24 11:57:29,398 INFO [-] awx.main.migrations._dab_rbac Created RoleDefinition Inventory Adhoc pk=RoleDefinition object (178) with 2 permissions 2024-04-24 11:57:29,402 INFO [-] awx.main.migrations._dab_rbac Created RoleDefinition Credential Admin pk=RoleDefinition object (179) with 4 permissions 2024-04-24 11:57:29,406 INFO [-] awx.main.migrations._dab_rbac Created RoleDefinition Organization Credential Admin pk=RoleDefinition object (180) with 6 permissions 2024-04-24 11:57:29,410 INFO [-] awx.main.migrations._dab_rbac Created RoleDefinition Credential Use pk=RoleDefinition object (181) with 2 permissions 2024-04-24 11:57:29,414 INFO [-] awx.main.migrations._dab_rbac Created RoleDefinition InstanceGroup Admin pk=RoleDefinition object (182) with 4 permissions 2024-04-24 11:57:29,418 INFO [-] awx.main.migrations._dab_rbac Created RoleDefinition Organization InstanceGroup Admin pk=RoleDefinition object (183) with 5 permissions 2024-04-24 11:57:29,422 INFO [-] awx.main.migrations._dab_rbac Created RoleDefinition InstanceGroup Use pk=RoleDefinition object (184) with 2 permissions 2024-04-24 11:57:29,426 INFO [-] awx.main.migrations._dab_rbac Created RoleDefinition ExecutionEnvironment Admin pk=RoleDefinition object (185) with 3 permissions 2024-04-24 11:57:29,430 INFO [-] awx.main.migrations._dab_rbac Created RoleDefinition Organization ExecutionEnvironment Admin pk=RoleDefinition object (186) with 5 permissions Traceback (most recent call last): File "/usr/bin/awx-manage", line 8, in <module> sys.exit(manage()) ^^^^^^^^ File "/var/lib/awx/venv/awx/lib64/python3.11/site-packages/awx/__init__.py", line 177, in manage execute_from_command_line(sys.argv) File "/var/lib/awx/venv/awx/lib64/python3.11/site-packages/django/core/management/__init__.py", line 442, in execute_from_command_line utility.execute() File "/var/lib/awx/venv/awx/lib64/python3.11/site-packages/django/core/management/__init__.py", line 436, in execute self.fetch_command(subcommand).run_from_argv(self.argv) File "/var/lib/awx/venv/awx/lib64/python3.11/site-packages/django/core/management/base.py", line 412, in run_from_argv self.execute(*args, **cmd_options) File "/var/lib/awx/venv/awx/lib64/python3.11/site-packages/django/core/management/base.py", line 458, in execute output = self.handle(*args, **options) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/var/lib/awx/venv/awx/lib64/python3.11/site-packages/django/core/management/base.py", line 106, in wrapper res = handle_func(*args, **kwargs) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/var/lib/awx/venv/awx/lib64/python3.11/site-packages/django/core/management/commands/migrate.py", line 356, in handle post_migrate_state = executor.migrate( ^^^^^^^^^^^^^^^^^ File "/var/lib/awx/venv/awx/lib64/python3.11/site-packages/django/db/migrations/executor.py", line 135, in migrate state = self._migrate_all_forwards( ^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/var/lib/awx/venv/awx/lib64/python3.11/site-packages/django/db/migrations/executor.py", line 167, in _migrate_all_forwards state = self.apply_migration( ^^^^^^^^^^^^^^^^^^^^^ File "/var/lib/awx/venv/awx/lib64/python3.11/site-packages/django/db/migrations/executor.py", line 252, in apply_migration state = migration.apply(state, schema_editor) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/var/lib/awx/venv/awx/lib64/python3.11/site-packages/django/db/migrations/migration.py", line 132, in apply operation.database_forwards( File "/var/lib/awx/venv/awx/lib64/python3.11/site-packages/django/db/migrations/operations/special.py", line 193, in database_forwards self.code(from_state.apps, schema_editor) File "/var/lib/awx/venv/awx/lib64/python3.11/site-packages/awx/main/migrations/_dab_rbac.py", line 200, in migrate_to_new_rbac role_definition_name = f'{role.content_type.model_class().__name__} {action.title()}' ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ AttributeError: 'ContentType' object has no attribute 'model_class' Applying main.0192_custom_roles... ``` ### AWX version 24.3.0 ### Select the relevant components - [ ] UI - [ ] UI (tech preview) - [ ] API - [ ] Docs - [ ] Collection - [ ] CLI - [X] Other ### Installation method kubernetes ### Modifications no ### Ansible version _No response_ ### Operating system _No response_ ### Web browser _No response_ ### Steps to reproduce upgrade ax-operator ### Expected results all working ### Actual results migration failed ### Additional information _No response_

We had a major error in the data migration for this. A fix for the issue was merged, and we’ll see about a new release before long.