Info on AWX RBAC changes pending release

AlanCoding · April 23, 2024, 6:40pm

A few heads-up related to backend changes to the Role-based access control system in AWX, this was merged in:

github.com/ansible/awx

Replace role system (RBAC) with permissions-based DB roles

ansible:devel ← ansible:feature_dab_rbac

opened 07:14PM - 20 Feb 24 UTC

AlanCoding

+2267 -625

##### SUMMARY This replaces https://github.com/ansible/awx/pull/14735 as we hav…e introduced a feature branch for this purpose. This makes use of https://github.com/ansible/django-ansible-base/pull/45 and the intent is to have that merged before this. New endpoints are exposed from DAB. These are - role definitions - role user assignments - role team assignments The routers/views/serializers for these new endpoints live in DAB, not in this patch. This is mostly concerned with the "translation" layer to make the new roles look kind of like the old roles. Generally this is intended to be a backward-compatible change. ##### ISSUE TYPE - New or Enhanced Feature ##### COMPONENT NAME - API ##### ADDITIONAL INFORMATION

This was mentioned in some community meetings lately, and I’m excited for it to go out in a release. Key points:

This changes the internals of the system in the backend, but adds a compatibility layer so the “old” roles API still exists temporarily
The updated UI to use the new system isn’t ready yet, so we are basically shipping the new backend system with the old UI, which will relay on the backwards API support
New functionality, specifically custom roles, are possible using direct API clients or the API browser. You can use this, but the presentation in the UI might not be complete.

The main new thing this enables is creating custom roles which can be done via the /api/v2/role_definitions/ endpoint. Then these can only be assigned using the new endpoints, /api/v2/role_user_assignments/ and /api/v2/role_team_assignments/.

If you absolutely don’t want to allow custom roles, you can change the setting ANSIBLE_BASE_ALLOW_CUSTOM_ROLES to False. This is still a file-based setting for now.

The feature I believe will be most useful going forward is the “add” permissions. You could create a custom organization role that allows users to create all (or some) types of resources, and give this for a particular organization. So instead of allowing a user to edit all projects, they can create a new project, and after creating it, they will automatically get admin role just for the objects they created.

AlanCoding · April 24, 2024, 7:54pm

github.com/ansible/awx

awx-migration-24.3.0 failing

opened 12:06PM - 24 Apr 24 UTC

adpavlov

type:bug community

### Please confirm the following - [X] I agree to follow this project's [code o…f conduct](https://docs.ansible.com/ansible/latest/community/code_of_conduct.html). - [X] I have checked the [current issues](https://github.com/ansible/awx/issues) for duplicates. - [X] I understand that AWX is open source software provided for free and that I might not receive a timely response. - [X] I am **NOT** reporting a (potential) security vulnerability. (These should be emailed to `security@ansible.com` instead.) ### Bug Summary awx-migration-24.3.0 failing with following error: ``` Operations to perform: Apply all migrations: auth, conf, contenttypes, dab_rbac, dab_resource_registry, main, oauth2_provider, sessions, sites, social_django, sso Running migrations: 2024-04-24 11:57:29,309 INFO [-] awx.main.migrations._dab_rbac Created RoleDefinition Project Admin pk=RoleDefinition object (156) with 5 permissions 2024-04-24 11:57:29,313 INFO [-] awx.main.migrations._dab_rbac Created RoleDefinition Organization Project Admin pk=RoleDefinition object (157) with 7 permissions 2024-04-24 11:57:29,317 INFO [-] awx.main.migrations._dab_rbac Created RoleDefinition Project Use pk=RoleDefinition object (158) with 2 permissions 2024-04-24 11:57:29,321 INFO [-] awx.main.migrations._dab_rbac Created RoleDefinition WorkflowJobTemplate Admin pk=RoleDefinition object (159) with 5 permissions 2024-04-24 11:57:29,325 INFO [-] awx.main.migrations._dab_rbac Created RoleDefinition Organization WorkflowJobTemplate Admin pk=RoleDefinition object (160) with 7 permissions 2024-04-24 11:57:29,329 INFO [-] awx.main.migrations._dab_rbac Created RoleDefinition WorkflowJobTemplate Execute pk=RoleDefinition object (161) with 2 permissions 2024-04-24 11:57:29,333 INFO [-] awx.main.migrations._dab_rbac Created RoleDefinition WorkflowJobTemplate Approve pk=RoleDefinition object (162) with 2 permissions 2024-04-24 11:57:29,338 INFO [-] awx.main.migrations._dab_rbac Created RoleDefinition JobTemplate Admin pk=RoleDefinition object (163) with 4 permissions 2024-04-24 11:57:29,342 INFO [-] awx.main.migrations._dab_rbac Created RoleDefinition Organization JobTemplate Admin pk=RoleDefinition object (164) with 5 permissions 2024-04-24 11:57:29,346 INFO [-] awx.main.migrations._dab_rbac Created RoleDefinition JobTemplate Execute pk=RoleDefinition object (165) with 2 permissions 2024-04-24 11:57:29,350 INFO [-] awx.main.migrations._dab_rbac Created RoleDefinition NotificationTemplate Admin pk=RoleDefinition object (166) with 3 permissions 2024-04-24 11:57:29,354 INFO [-] awx.main.migrations._dab_rbac Created RoleDefinition Organization NotificationTemplate Admin pk=RoleDefinition object (167) with 5 permissions 2024-04-24 11:57:29,358 INFO [-] awx.main.migrations._dab_rbac Created RoleDefinition Team Admin pk=RoleDefinition object (168) with 4 permissions 2024-04-24 11:57:29,362 INFO [-] awx.main.migrations._dab_rbac Created RoleDefinition Organization Team Admin pk=RoleDefinition object (169) with 6 permissions 2024-04-24 11:57:29,366 INFO [-] awx.main.migrations._dab_rbac Created RoleDefinition Team Member pk=RoleDefinition object (170) with 2 permissions 2024-04-24 11:57:29,370 INFO [-] awx.main.migrations._dab_rbac Created RoleDefinition Organization Admin pk=RoleDefinition object (171) with 5 permissions 2024-04-24 11:57:29,374 INFO [-] awx.main.migrations._dab_rbac Created RoleDefinition Organization Organization Admin pk=RoleDefinition object (172) with 5 permissions 2024-04-24 11:57:29,378 INFO [-] awx.main.migrations._dab_rbac Created RoleDefinition Organization Member pk=RoleDefinition object (173) with 2 permissions 2024-04-24 11:57:29,382 INFO [-] awx.main.migrations._dab_rbac Created RoleDefinition Organization Audit pk=RoleDefinition object (174) with 2 permissions 2024-04-24 11:57:29,386 INFO [-] awx.main.migrations._dab_rbac Created RoleDefinition Inventory Admin pk=RoleDefinition object (175) with 6 permissions 2024-04-24 11:57:29,390 INFO [-] awx.main.migrations._dab_rbac Created RoleDefinition Organization Inventory Admin pk=RoleDefinition object (176) with 8 permissions 2024-04-24 11:57:29,394 INFO [-] awx.main.migrations._dab_rbac Created RoleDefinition Inventory Use pk=RoleDefinition object (177) with 2 permissions 2024-04-24 11:57:29,398 INFO [-] awx.main.migrations._dab_rbac Created RoleDefinition Inventory Adhoc pk=RoleDefinition object (178) with 2 permissions 2024-04-24 11:57:29,402 INFO [-] awx.main.migrations._dab_rbac Created RoleDefinition Credential Admin pk=RoleDefinition object (179) with 4 permissions 2024-04-24 11:57:29,406 INFO [-] awx.main.migrations._dab_rbac Created RoleDefinition Organization Credential Admin pk=RoleDefinition object (180) with 6 permissions 2024-04-24 11:57:29,410 INFO [-] awx.main.migrations._dab_rbac Created RoleDefinition Credential Use pk=RoleDefinition object (181) with 2 permissions 2024-04-24 11:57:29,414 INFO [-] awx.main.migrations._dab_rbac Created RoleDefinition InstanceGroup Admin pk=RoleDefinition object (182) with 4 permissions 2024-04-24 11:57:29,418 INFO [-] awx.main.migrations._dab_rbac Created RoleDefinition Organization InstanceGroup Admin pk=RoleDefinition object (183) with 5 permissions 2024-04-24 11:57:29,422 INFO [-] awx.main.migrations._dab_rbac Created RoleDefinition InstanceGroup Use pk=RoleDefinition object (184) with 2 permissions 2024-04-24 11:57:29,426 INFO [-] awx.main.migrations._dab_rbac Created RoleDefinition ExecutionEnvironment Admin pk=RoleDefinition object (185) with 3 permissions 2024-04-24 11:57:29,430 INFO [-] awx.main.migrations._dab_rbac Created RoleDefinition Organization ExecutionEnvironment Admin pk=RoleDefinition object (186) with 5 permissions Traceback (most recent call last): File "/usr/bin/awx-manage", line 8, in <module> sys.exit(manage()) ^^^^^^^^ File "/var/lib/awx/venv/awx/lib64/python3.11/site-packages/awx/__init__.py", line 177, in manage execute_from_command_line(sys.argv) File "/var/lib/awx/venv/awx/lib64/python3.11/site-packages/django/core/management/__init__.py", line 442, in execute_from_command_line utility.execute() File "/var/lib/awx/venv/awx/lib64/python3.11/site-packages/django/core/management/__init__.py", line 436, in execute self.fetch_command(subcommand).run_from_argv(self.argv) File "/var/lib/awx/venv/awx/lib64/python3.11/site-packages/django/core/management/base.py", line 412, in run_from_argv self.execute(*args, **cmd_options) File "/var/lib/awx/venv/awx/lib64/python3.11/site-packages/django/core/management/base.py", line 458, in execute output = self.handle(*args, **options) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/var/lib/awx/venv/awx/lib64/python3.11/site-packages/django/core/management/base.py", line 106, in wrapper res = handle_func(*args, **kwargs) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/var/lib/awx/venv/awx/lib64/python3.11/site-packages/django/core/management/commands/migrate.py", line 356, in handle post_migrate_state = executor.migrate( ^^^^^^^^^^^^^^^^^ File "/var/lib/awx/venv/awx/lib64/python3.11/site-packages/django/db/migrations/executor.py", line 135, in migrate state = self._migrate_all_forwards( ^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/var/lib/awx/venv/awx/lib64/python3.11/site-packages/django/db/migrations/executor.py", line 167, in _migrate_all_forwards state = self.apply_migration( ^^^^^^^^^^^^^^^^^^^^^ File "/var/lib/awx/venv/awx/lib64/python3.11/site-packages/django/db/migrations/executor.py", line 252, in apply_migration state = migration.apply(state, schema_editor) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/var/lib/awx/venv/awx/lib64/python3.11/site-packages/django/db/migrations/migration.py", line 132, in apply operation.database_forwards( File "/var/lib/awx/venv/awx/lib64/python3.11/site-packages/django/db/migrations/operations/special.py", line 193, in database_forwards self.code(from_state.apps, schema_editor) File "/var/lib/awx/venv/awx/lib64/python3.11/site-packages/awx/main/migrations/_dab_rbac.py", line 200, in migrate_to_new_rbac role_definition_name = f'{role.content_type.model_class().__name__} {action.title()}' ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ AttributeError: 'ContentType' object has no attribute 'model_class' Applying main.0192_custom_roles... ``` ### AWX version 24.3.0 ### Select the relevant components - [ ] UI - [ ] UI (tech preview) - [ ] API - [ ] Docs - [ ] Collection - [ ] CLI - [X] Other ### Installation method kubernetes ### Modifications no ### Ansible version _No response_ ### Operating system _No response_ ### Web browser _No response_ ### Steps to reproduce upgrade ax-operator ### Expected results all working ### Actual results migration failed ### Additional information _No response_

We had a major error in the data migration for this. A fix for the issue was merged, and we’ll see about a new release before long.

cnfrancis · July 8, 2024, 11:48pm

hello, where can we get the full list of permissions? or the logic to follow?
is it something like

awx.<action>.<resource>

where:
<action>: [execute, view, write, delete]
<resource>: [jt, wt, project, organization, inventory, credential] ?

also why using view instead of read?

EXAMPLES = '''
- name: Create Role Definition
  role_definition:
    name: test_view_jt
    permissions:
      - awx.view_jobtemplate
      - awx.execute_jobtemplate
    content_type: awx.jobtemplate
    description: role definition to view and execute jt
    state: present
'''```

bottkars · August 8, 2024, 11:08am

@AlanCoding , banging my head against the wall ATM. I try to either use AWX CLI ( 24.6.1 ), api endpoints from ui , or awx.awx modules to assign role_team_assignments rbac to teams. However i do not get it to work. am i missing a dependency?

I always receive Invalid PK

Error from CLI:

what i can see from when creating an assignment from the UI, the deprecated
/api/v2/roles is used to create a new role, that is visible from cli via deprecated awx roles list
However, i cannot create that from CLI.
I assume this is a bug in api/v2/role_team_assignments ?
or am i missing something ?

yoonmin1030 · October 8, 2024, 3:44am

here is a quick question about the NEW RBAC.
when I looked up “/api/v2/role_definitions/”, there are two permissions for adhoc_inventory.
they seems to have a bit different permissions.
when I add permission for inventory adhoc on awx web UI, the “Inventory Adhoc Compat” is added, not “Inventory Adhoc”.
When I want to give a user to have “Adhoc” for a single inventory, I should give the user “Adhoc” or “Adhoc Compat” ?
if i give “Adhoc”, then the user can run only “Adhoc”, not “View the inventory”?? it does not make sense, thou. please let me clear the new concept.
thank you in advance.

           ...

        { ..
            "permissions": [
                "awx.adhoc_inventory",
                "awx.view_inventory"
            ],
            "content_type": "awx.inventory",
            ...
            "name": "Inventory Adhoc",
            "description": "Has adhoc permissions to a single inventory",
           ...
        }
           ...
        {...
            "permissions": [
                "awx.adhoc_inventory",
                "awx.use_inventory",
                "awx.view_inventory"
            ],
            "content_type": "awx.inventory",
           ...
            "name": "Inventory Adhoc Compat",
            "description": "Has Adhoc permission to Inventory for backwards API compatibility",
           ...
        }

Topic		Replies	Views
Transitioning authentication and authorization (RBAC) to the new AWX architecture Project Discussions awx , mindshare , release , awx-modernization	4	1346	September 20, 2024
Announcing AWX 24.3.0 and AWX-Operator 2.16.0 Ecosystem Releases awx , awx-operator	2	334	April 24, 2024
AWX UI and credential types transitioning to the new pluggable architecture Project Discussions awx , mindshare , community , awx-operator , vmware , aws , release , awx-modernization	7	1629	September 18, 2024
Announcing AWX 24.4.0 and AWX-Operator 2.17.0 Ecosystem Releases awx , awx-operator	0	242	May 29, 2024
Announcing AWX 23.8.0 and AWX-Operator 2.12.0 Ecosystem Releases awx	2	429	February 15, 2024

Info on AWX RBAC changes pending release

Related topics