Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update ExecutionEnvironment model so object-level roles work with DAB RBAC system #15289

Merged
merged 5 commits into from
Jun 28, 2024

Conversation

AlanCoding
Copy link
Member

@AlanCoding AlanCoding commented Jun 20, 2024

SUMMARY

Depends on ansible/django-ansible-base#490

RECAP:

  • Created a draft PR initially to get intended migration failure
  • Confirmed new migration test is failing ✔️
  • Added a migration step to remove the old permission (view_executionenvironment), and checks confirmed this fixed the prior test ✔️
  • Continued with development of the object-role special cases ✔️
  • Hit a snag where I thought user_capabilities was giving the wrong answer... it wasn't. My fixture was wrong, and the API was right. ✔️

AAP-25268

ISSUE TYPE
  • Bug, Docs Fix or other nominal change
COMPONENT NAME
  • API

@AlanCoding
Copy link
Member Author

AlanCoding commented Jun 20, 2024

Shoot, I need ansible/django-ansible-base#475 first

@AlanCoding
Copy link
Member Author

Test got me the intended failure
=================================== FAILURES ===================================
___________________ TestMigrationSmoke.test_migrate_DAB_RBAC ___________________
[gw1] linux -- Python 3.11.9 /var/lib/awx/venv/awx/bin/python3.11
Traceback (most recent call last):
  File "/var/lib/awx/venv/awx/lib64/python3.11/site-packages/_pytest/runner.py", line 341, in from_call
    result: Optional[TResult] = func()
                                ^^^^^^
  File "/var/lib/awx/venv/awx/lib64/python3.11/site-packages/_pytest/runner.py", line 241, in <lambda>
    lambda: runtest_hook(item=item, **kwds), when=when, reraise=reraise
            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/var/lib/awx/venv/awx/lib64/python3.11/site-packages/pluggy/_hooks.py", line 513, in __call__
    return self._hookexec(self.name, self._hookimpls.copy(), kwargs, firstresult)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/var/lib/awx/venv/awx/lib64/python3.11/site-packages/pluggy/_manager.py", line 120, in _hookexec
    return self._inner_hookexec(hook_name, methods, kwargs, firstresult)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/var/lib/awx/venv/awx/lib64/python3.11/site-packages/pluggy/_callers.py", line 182, in _multicall
    return outcome.get_result()
           ^^^^^^^^^^^^^^^^^^^^
  File "/var/lib/awx/venv/awx/lib64/python3.11/site-packages/pluggy/_result.py", line 100, in get_result
    raise exc.with_traceback(exc.__traceback__)
  File "/var/lib/awx/venv/awx/lib64/python3.11/site-packages/pluggy/_callers.py", line 167, in _multicall
    teardown.throw(outcome._exception)
  File "/var/lib/awx/venv/awx/lib64/python3.11/site-packages/_pytest/threadexception.py", line 87, in pytest_runtest_call
    yield from thread_exception_runtest_hook()
  File "/var/lib/awx/venv/awx/lib64/python3.11/site-packages/_pytest/threadexception.py", line 63, in thread_exception_runtest_hook
    yield
  File "/var/lib/awx/venv/awx/lib64/python3.11/site-packages/pluggy/_callers.py", line 167, in _multicall
    teardown.throw(outcome._exception)
  File "/var/lib/awx/venv/awx/lib64/python3.11/site-packages/_pytest/unraisableexception.py", line 90, in pytest_runtest_call
    yield from unraisable_exception_runtest_hook()
  File "/var/lib/awx/venv/awx/lib64/python3.11/site-packages/_pytest/unraisableexception.py", line 65, in unraisable_exception_runtest_hook
    yield
  File "/var/lib/awx/venv/awx/lib64/python3.11/site-packages/pluggy/_callers.py", line 167, in _multicall
    teardown.throw(outcome._exception)
  File "/var/lib/awx/venv/awx/lib64/python3.11/site-packages/_pytest/logging.py", line 850, in pytest_runtest_call
    yield from self._runtest_for(item, "call")
  File "/var/lib/awx/venv/awx/lib64/python3.11/site-packages/_pytest/logging.py", line 833, in _runtest_for
    yield
  File "/var/lib/awx/venv/awx/lib64/python3.11/site-packages/pluggy/_callers.py", line 167, in _multicall
    teardown.throw(outcome._exception)
  File "/var/lib/awx/venv/awx/lib64/python3.11/site-packages/_pytest/capture.py", line 878, in pytest_runtest_call
    return (yield)
            ^^^^^
  File "/var/lib/awx/venv/awx/lib64/python3.11/site-packages/pluggy/_callers.py", line 167, in _multicall
    teardown.throw(outcome._exception)
  File "/var/lib/awx/venv/awx/lib64/python3.11/site-packages/_pytest/skipping.py", line 257, in pytest_runtest_call
    return (yield)
            ^^^^^
  File "/var/lib/awx/venv/awx/lib64/python3.11/site-packages/pluggy/_callers.py", line 103, in _multicall
    res = hook_impl.function(*args)
          ^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/var/lib/awx/venv/awx/lib64/python3.11/site-packages/_pytest/runner.py", line 183, in pytest_runtest_call
    raise e
  File "/var/lib/awx/venv/awx/lib64/python3.11/site-packages/_pytest/runner.py", line 173, in pytest_runtest_call
    item.runtest()
  File "/var/lib/awx/venv/awx/lib64/python3.11/site-packages/_pytest/python.py", line 1632, in runtest
    self.ihook.pytest_pyfunc_call(pyfuncitem=self)
  File "/var/lib/awx/venv/awx/lib64/python3.11/site-packages/pluggy/_hooks.py", line 513, in __call__
    return self._hookexec(self.name, self._hookimpls.copy(), kwargs, firstresult)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/var/lib/awx/venv/awx/lib64/python3.11/site-packages/pluggy/_manager.py", line 120, in _hookexec
    return self._inner_hookexec(hook_name, methods, kwargs, firstresult)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/var/lib/awx/venv/awx/lib64/python3.11/site-packages/pluggy/_callers.py", line 182, in _multicall
    return outcome.get_result()
           ^^^^^^^^^^^^^^^^^^^^
  File "/var/lib/awx/venv/awx/lib64/python3.11/site-packages/pluggy/_result.py", line 100, in get_result
    raise exc.with_traceback(exc.__traceback__)
  File "/var/lib/awx/venv/awx/lib64/python3.11/site-packages/pluggy/_callers.py", line 103, in _multicall
    res = hook_impl.function(*args)
          ^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/var/lib/awx/venv/awx/lib64/python3.11/site-packages/_pytest/python.py", line 162, in pytest_pyfunc_call
    result = testfunction(**testargs)
             ^^^^^^^^^^^^^^^^^^^^^^^^
  File "/awx_devel/awx/main/tests/functional/test_migrations.py", line 101, in test_migrate_DAB_RBAC
    assert not DABPermission.objects.filter(codename='view_executionenvironment').exists()
AssertionError: assert not True
 +  where True = <bound method QuerySet.exists of <QuerySet [<DABPermission: DABPermission object (50)>]>>()
 +    where <bound method QuerySet.exists of <QuerySet [<DABPermission: DABPermission object (50)>]>> = <QuerySet [<DABPermission: DABPermission object (50)>]>.exists
 +      where <QuerySet [<DABPermission: DABPermission object (50)>]> = <bound method QuerySet.filter of <django.db.models.manager.Manager object at 0x7f9474c78b10>>(codename='view_executionenvironment')
 +        where <bound method QuerySet.filter of <django.db.models.manager.Manager object at 0x7f9474c78b10>> = <django.db.models.manager.Manager object at 0x7f9474c78b10>.filter
 +          where <django.db.models.manager.Manager object at 0x7f9474c78b10> = <class '__fake__.DABPermission'>.objects

moving onto fixing it...

@AlanCoding
Copy link
Member Author

Migration tests are now giving:

=========================== short test summary info ============================
ERROR awx/main/tests/functional/test_licenses.py - pip._vendor.distlib.Distli...
ERROR awx/main/tests/functional/test_licenses.py - pip._vendor.distlib.Distli...
=========== 3 passed, 22065 warnings, 2 errors in 403.96s (0:06:43) ============

Which is what I wanted. So removing the view permission for the EE model is now done.

@AlanCoding AlanCoding changed the title Add initial test for deletion of stale permission Update ExecutionEnvironment model so object-level roles work with DAB RBAC system Jun 26, 2024
@AlanCoding
Copy link
Member Author

Newer test failures such as this:

___________________ test_org_member_required_for_assignment ____________________
[gw0] linux -- Python 3.11.9 /var/lib/awx/venv/awx/bin/python3.11
Traceback (most recent call last):
  File "/var/lib/awx/venv/awx/lib64/python3.11/site-packages/_pytest/runner.py", line 341, in from_call
    result: Optional[TResult] = func()
                                ^^^^^^
  File "/var/lib/awx/venv/awx/lib64/python3.11/site-packages/_pytest/runner.py", line 241, in <lambda>
    lambda: runtest_hook(item=item, **kwds), when=when, reraise=reraise
            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/var/lib/awx/venv/awx/lib64/python3.11/site-packages/pluggy/_hooks.py", line 513, in __call__
    return self._hookexec(self.name, self._hookimpls.copy(), kwargs, firstresult)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/var/lib/awx/venv/awx/lib64/python3.11/site-packages/pluggy/_manager.py", line 120, in _hookexec
    return self._inner_hookexec(hook_name, methods, kwargs, firstresult)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/var/lib/awx/venv/awx/lib64/python3.11/site-packages/pluggy/_callers.py", line 182, in _multicall
    return outcome.get_result()
           ^^^^^^^^^^^^^^^^^^^^
  File "/var/lib/awx/venv/awx/lib64/python3.11/site-packages/pluggy/_result.py", line 100, in get_result
    raise exc.with_traceback(exc.__traceback__)
  File "/var/lib/awx/venv/awx/lib64/python3.11/site-packages/pluggy/_callers.py", line 167, in _multicall
    teardown.throw(outcome._exception)
  File "/var/lib/awx/venv/awx/lib64/python3.11/site-packages/_pytest/threadexception.py", line 87, in pytest_runtest_call
    yield from thread_exception_runtest_hook()
  File "/var/lib/awx/venv/awx/lib64/python3.11/site-packages/_pytest/threadexception.py", line 63, in thread_exception_runtest_hook
    yield
  File "/var/lib/awx/venv/awx/lib64/python3.11/site-packages/pluggy/_callers.py", line 167, in _multicall
    teardown.throw(outcome._exception)
  File "/var/lib/awx/venv/awx/lib64/python3.11/site-packages/_pytest/unraisableexception.py", line 90, in pytest_runtest_call
    yield from unraisable_exception_runtest_hook()
  File "/var/lib/awx/venv/awx/lib64/python3.11/site-packages/_pytest/unraisableexception.py", line 65, in unraisable_exception_runtest_hook
    yield
  File "/var/lib/awx/venv/awx/lib64/python3.11/site-packages/pluggy/_callers.py", line 167, in _multicall
    teardown.throw(outcome._exception)
  File "/var/lib/awx/venv/awx/lib64/python3.11/site-packages/_pytest/logging.py", line 850, in pytest_runtest_call
    yield from self._runtest_for(item, "call")
  File "/var/lib/awx/venv/awx/lib64/python3.11/site-packages/_pytest/logging.py", line 833, in _runtest_for
    yield
  File "/var/lib/awx/venv/awx/lib64/python3.11/site-packages/pluggy/_callers.py", line 167, in _multicall
    teardown.throw(outcome._exception)
  File "/var/lib/awx/venv/awx/lib64/python3.11/site-packages/_pytest/capture.py", line 878, in pytest_runtest_call
    return (yield)
            ^^^^^
  File "/var/lib/awx/venv/awx/lib64/python3.11/site-packages/pluggy/_callers.py", line 167, in _multicall
    teardown.throw(outcome._exception)
  File "/var/lib/awx/venv/awx/lib64/python3.11/site-packages/_pytest/skipping.py", line 257, in pytest_runtest_call
    return (yield)
            ^^^^^
  File "/var/lib/awx/venv/awx/lib64/python3.11/site-packages/pluggy/_callers.py", line 103, in _multicall
    res = hook_impl.function(*args)
          ^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/var/lib/awx/venv/awx/lib64/python3.11/site-packages/_pytest/runner.py", line 183, in pytest_runtest_call
    raise e
  File "/var/lib/awx/venv/awx/lib64/python3.11/site-packages/_pytest/runner.py", line 173, in pytest_runtest_call
    item.runtest()
  File "/var/lib/awx/venv/awx/lib64/python3.11/site-packages/_pytest/python.py", line 1632, in runtest
    self.ihook.pytest_pyfunc_call(pyfuncitem=self)
  File "/var/lib/awx/venv/awx/lib64/python3.11/site-packages/pluggy/_hooks.py", line 513, in __call__
    return self._hookexec(self.name, self._hookimpls.copy(), kwargs, firstresult)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/var/lib/awx/venv/awx/lib64/python3.11/site-packages/pluggy/_manager.py", line 120, in _hookexec
    return self._inner_hookexec(hook_name, methods, kwargs, firstresult)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/var/lib/awx/venv/awx/lib64/python3.11/site-packages/pluggy/_callers.py", line 182, in _multicall
    return outcome.get_result()
           ^^^^^^^^^^^^^^^^^^^^
  File "/var/lib/awx/venv/awx/lib64/python3.11/site-packages/pluggy/_result.py", line 100, in get_result
    raise exc.with_traceback(exc.__traceback__)
  File "/var/lib/awx/venv/awx/lib64/python3.11/site-packages/pluggy/_callers.py", line 103, in _multicall
    res = hook_impl.function(*args)
          ^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/var/lib/awx/venv/awx/lib64/python3.11/site-packages/_pytest/python.py", line 162, in pytest_pyfunc_call
    result = testfunction(**testargs)
             ^^^^^^^^^^^^^^^^^^^^^^^^
  File "/awx_devel/awx/main/tests/functional/test_rbac_execution_environment.py", line 76, in test_org_member_required_for_assignment
    r = post(url, {'role_definition': ee_rd.pk, 'user': rando.id, 'object_id': org_ee.pk}, user=admin_user, expect=400)
        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/awx_devel/awx/main/tests/functional/conftest.py", line 651, in rf
    assert response.status_code == expect, 'Response data: {}'.format(getattr(response, 'data', None))
AssertionError: Response data: {'id': '1', 'url': '/api/v2/role_user_assignments/1/', 'related': "{'role_definition': '/api/v2/role_definitions/1/', 'user': '/api/v2/users/1/', 'content_object': '/api/v2/execution_environments/1/'}", 'summary_fields': "{'role_definition': {'id': 1, 'name': 'EE object admin', 'description': '', 'managed': False}, 'user': {'id': 1, 'username': 'rando', 'first_name': '', 'last_name': ''}, 'content_object': {'id': 1, 'name': 'some user ee', 'description': '', 'image': ''}}", 'created': '2024-06-26T19:38:55.380286Z', 'created_by': 'None', 'content_type': 'awx.executionenvironment', 'object_id': '1', 'object_ansible_id': 'None', 'role_definition': '1', 'user': '1', 'user_ansible_id': 'None'}
assert [201](https://github.com/ansible/awx/actions/runs/9685620991/job/26726113551?pr=15289#step:4:202) == 400
 +  where 201 = <Response status_code=201, "text/html; charset=utf-8">.status_code

Are reflecting that the dependent DAB change needs to be merged first.

@AlanCoding
Copy link
Member Author

Schema change is intended. That's the entire point.

--- reference-schema.json	2024-06-28 15:18:21.308231051 +0000
+++ schema.json	2024-06-28 15:18:20.228232017 +0000
@@ -7833,7 +7833,6 @@
               "awx.use_inventory",
               "awx.use_project",
               "awx.view_credential",
-              "awx.view_executionenvironment",
               "awx.view_instancegroup",
               "awx.view_inventory",
               "awx.view_jobtemplate",
@@ -7980,7 +7979,6 @@
               "awx.use_inventory",
               "awx.use_project",
               "awx.view_credential",
-              "awx.view_executionenvironment",
               "awx.view_instancegroup",
               "awx.view_inventory",
               "awx.view_jobtemplate",
make: *** [Makefile:598: detect-schema-change] Error 1

@AlanCoding AlanCoding merged commit b59aff5 into ansible:devel Jun 28, 2024
20 of 21 checks passed
djyasin pushed a commit to djyasin/awx that referenced this pull request Sep 16, 2024
… RBAC system (ansible#15289)

* Add initial test for deletion of stale permission

* Delete existing EE view permission

* Hypothetically complete update of EE model permissions setup

* Tests passing locally

* Issue with user_capabilities was a test bug, fixed
djyasin pushed a commit to djyasin/awx that referenced this pull request Nov 11, 2024
… RBAC system (ansible#15289)

* Add initial test for deletion of stale permission

* Delete existing EE view permission

* Hypothetically complete update of EE model permissions setup

* Tests passing locally

* Issue with user_capabilities was a test bug, fixed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants