From bf9c5436a7a0784ab97f9b98cd5d5084c8bd180c Mon Sep 17 00:00:00 2001
From: James Tanner
Date: Tue, 24 Sep 2024 21:34:26 -0400
Subject: [PATCH 1/7] Test this.
No-Issue
Signed-off-by: James Tanner
---
galaxy_ng/app/migrations/_dab_rbac.py | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/galaxy_ng/app/migrations/_dab_rbac.py b/galaxy_ng/app/migrations/_dab_rbac.py
index 0670a65523..12d9cfcb98 100644
--- a/galaxy_ng/app/migrations/_dab_rbac.py
+++ b/galaxy_ng/app/migrations/_dab_rbac.py
@@ -39,18 +39,28 @@ def split_pulp_roles(apps, schema_editor):
GroupRole = apps.get_model('core', 'GroupRole')
for corerole in Role.objects.all():
+ print(f'ROLE {corerole} {corerole.name}')
split_roles = {}
for assignment_cls in (UserRole, GroupRole):
+ print(f'\t{assignment_cls}')
for pulp_assignment in assignment_cls.objects.filter(role=corerole, content_type__isnull=False):
+ print(f'\t\t{assignment_cls} {pulp_assignment}')
if pulp_assignment.content_type_id not in split_roles:
+ print(f'\t\t\t{pulp_assignment.content_type_id}')
new_data = {
'description': corerole.description,
'name': f'{corerole.name}_{pulp_assignment.content_type.model}'
}
new_role = Role(**new_data)
new_role.save()
+
+ # add the permission back? ...
+ for perm in pulp_assignment.role.permissions.all():
+ new_role.permissions.add(perm)
+
split_roles[pulp_assignment.content_type_id] = new_role
+ print(f"\t\tchange .role from {pulp_assignment.role.name} to {split_roles[pulp_assignment.content_type_id].name}")
pulp_assignment.role = split_roles[pulp_assignment.content_type_id]
pulp_assignment.save(update_fields=['role'])
From 218cc244ff84a8f7d96cdb29815cb0f94817bf01 Mon Sep 17 00:00:00 2001
From: James Tanner
Date: Wed, 25 Sep 2024 10:13:13 -0400
Subject: [PATCH 2/7] Filter permissions to only those applicable to the model.
No-Issue
Signed-off-by: James Tanner
---
galaxy_ng/app/migrations/_dab_rbac.py | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
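Review bot: The split role is created unconditionally with `new_role = Role(**new_data)` / `new_role.save()`, keyed only on the derived `f'{corerole.name}_{pulp_assignment.content_type.model}'`, so a re-run of this step or a pre-existing role of that name either trips a uniqueness constraint (if `Role.name` is unique, which is not visible here) or silently produces a duplicate role that the assignment is then pointed at; `new_role, _ = Role.objects.get_or_create(name=new_data['name'], defaults={'description': corerole.description})` would make the step idempotent. The copy loop `new_role.permissions.add(perm)` also transfers every permission of the original role onto a role that is meant to be scoped to a single content type, so the per-type role carries permissions for unrelated models and should be narrowed to what that content type actually supports. The `print(...)` calls write role and assignment names to stdout in the middle of a migration; `logger.debug(...)` on the module's existing `logger` is the appropriate channel. `split_pulp_roles` begins before this hunk.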
diff --git a/galaxy_ng/app/migrations/_dab_rbac.py b/galaxy_ng/app/migrations/_dab_rbac.py
index 12d9cfcb98..866d2c410f 100644
--- a/galaxy_ng/app/migrations/_dab_rbac.py
+++ b/galaxy_ng/app/migrations/_dab_rbac.py
@@ -1,9 +1,12 @@
import logging
from django.apps import apps as global_apps
+from django.contrib.contenttypes.models import ContentType
from ansible_base.rbac.management import create_dab_permissions
from ansible_base.rbac.migrations._utils import give_permissions
+from ansible_base.rbac.validators import permissions_allowed_for_role, combine_values
+
logger = logging.getLogger(__name__)
@@ -54,8 +57,12 @@ def split_pulp_roles(apps, schema_editor):
new_role = Role(**new_data)
new_role.save()
- # add the permission back? ...
+ cls = apps.get_model(pulp_assignment.content_type.app_label, pulp_assignment.content_type.model)
+ ct_codenames = combine_values(permissions_allowed_for_role(cls))
+
for perm in pulp_assignment.role.permissions.all():
+ if ct_codenames and perm.codename not in ct_codenames:
+ continue
new_role.permissions.add(perm)
split_roles[pulp_assignment.content_type_id] = new_role
From 68557eff79c74b83dcf0b53683193b6363c8e445 Mon Sep 17 00:00:00 2001
From: James Tanner
Date: Wed, 25 Sep 2024 11:24:36 -0400
Subject: [PATCH 3/7] Find the team object a different way.
No-Issue
Signed-off-by: James Tanner
---
galaxy_ng/app/migrations/_dab_rbac.py | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/galaxy_ng/app/migrations/_dab_rbac.py b/galaxy_ng/app/migrations/_dab_rbac.py
index 866d2c410f..7ca93feb6d 100644
--- a/galaxy_ng/app/migrations/_dab_rbac.py
+++ b/galaxy_ng/app/migrations/_dab_rbac.py
@@ -104,6 +104,9 @@ def copy_roles_to_role_definitions(apps, schema_editor):
def migrate_role_assignments(apps, schema_editor):
+
+ print('MIGRATE ROLE ASSIGNMENTS ...')
+
UserRole = apps.get_model('core', 'UserRole')
GroupRole = apps.get_model('core', 'GroupRole')
Group = apps.get_model('auth', 'Group')
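Review bot: `from django.contrib.contenttypes.models import ContentType` is added but nothing in this patch references `ContentType` — the code works from `pulp_assignment.content_type`, which it already has — so the import is dead and should be dropped. Beyond being unused, pulling a live model class into a migration module is the pattern migrations are meant to avoid; model access here should stay on `apps.get_model(...)` so the historical state is what runs. If it is being kept for a later use, a one-line comment saying why would save the next reader the search.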
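Review bot: The filter `if ct_codenames and perm.codename not in ct_codenames: continue` is bypassed whenever `ct_codenames` is empty, so a content type for which `permissions_allowed_for_role` yields nothing ends up with a role carrying every permission of the original — the opposite of the narrowing this patch intends. Dropping the truthiness guard, `if perm.codename not in ct_codenames: continue`, makes an empty allow-list copy nothing, which is the safe default for an authorization migration; if an empty list is meant to mean "unknown, copy all", that should be explicit in the code and logged. The comparison is also on `perm.codename` alone, ignoring the permission's content type; whether that is tight enough depends on what `combine_values` returns and on codenames being unique across apps, neither of which is visible here — comparing `(perm.content_type.app_label, perm.codename)` would close that gap if it exists. Note too that `cls` is a historical model from `apps.get_model(...)`; whether `permissions_allowed_for_role` resolves such classes the same way as the live model is worth confirming, since a mismatch would surface as an exception at migration time.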
@@ -125,15 +128,15 @@ def migrate_role_assignments(apps, schema_editor):
# Migrate team/group role assignments
for group_role in GroupRole.objects.all():
+
rd = RoleDefinition.objects.filter(name=group_role.role.name).first()
if not rd:
continue
- # FIXME - why?
- if not hasattr(group_role.group, 'team'):
+ actor = Team.objects.filter(group=group_role.group).first()
+ if actor is None:
continue
- actor = group_role.group.team
if not group_role.object_id:
RoleTeamAssignment.objects.create(role_definition=rd, team=actor)
else:
From e6e7b6ccb56f64c0740e9211ccec4f3e867d6577 Mon Sep 17 00:00:00 2001
From: James Tanner
Date: Wed, 25 Sep 2024 15:08:20 -0400
Subject: [PATCH 4/7] Get rid of prints.
No-Issue
Signed-off-by: James Tanner
---
galaxy_ng/app/migrations/_dab_rbac.py | 7 -------
1 file changed, 7 deletions(-)
diff --git a/galaxy_ng/app/migrations/_dab_rbac.py b/galaxy_ng/app/migrations/_dab_rbac.py
index 7ca93feb6d..9d5aa78dd6 100644
--- a/galaxy_ng/app/migrations/_dab_rbac.py
+++ b/galaxy_ng/app/migrations/_dab_rbac.py
@@ -42,14 +42,10 @@ def split_pulp_roles(apps, schema_editor):
GroupRole = apps.get_model('core', 'GroupRole')
for corerole in Role.objects.all():
- print(f'ROLE {corerole} {corerole.name}')
split_roles = {}
for assignment_cls in (UserRole, GroupRole):
- print(f'\t{assignment_cls}')
for pulp_assignment in assignment_cls.objects.filter(role=corerole, content_type__isnull=False):
- print(f'\t\t{assignment_cls} {pulp_assignment}')
if pulp_assignment.content_type_id not in split_roles:
- print(f'\t\t\t{pulp_assignment.content_type_id}')
new_data = {
'description': corerole.description,
'name': f'{corerole.name}_{pulp_assignment.content_type.model}'
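Review bot: Both `if not rd: continue` and the new `if actor is None: continue` silently discard a group role assignment — the first when no `RoleDefinition` shares the role's name, the second when the group has no `Team` — so authorization grants disappear during the migration with nothing in the log to show which ones. Each skip should at least be recorded, e.g. `logger.warning("skipping GroupRole %s: no team for group %s", group_role.pk, group_role.group_id)` before the second `continue`, with the analogous message for the missing role definition. `Team.objects.filter(group=group_role.group).first()` has no ordering, so if more than one Team can reference a group (not visible here) the choice is nondeterministic; `.get()` or an explicit `order_by` would turn that into a hard error or a stable pick. `migrate_role_assignments` begins before this hunk and its `else:` branch continues after it.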
@@ -67,7 +63,6 @@ def split_pulp_roles(apps, schema_editor):
split_roles[pulp_assignment.content_type_id] = new_role
- print(f"\t\tchange .role from {pulp_assignment.role.name} to {split_roles[pulp_assignment.content_type_id].name}")
pulp_assignment.role = split_roles[pulp_assignment.content_type_id]
pulp_assignment.save(update_fields=['role'])
@@ -105,8 +100,6 @@ def copy_roles_to_role_definitions(apps, schema_editor):
def migrate_role_assignments(apps, schema_editor):
- print('MIGRATE ROLE ASSIGNMENTS ...')
-
UserRole = apps.get_model('core', 'UserRole')
GroupRole = apps.get_model('core', 'GroupRole')
Group = apps.get_model('auth', 'Group')
From 4eeedc2cbd6329668655609bccd7b6c723a44ccb Mon Sep 17 00:00:00 2001
From: James Tanner
Date: Wed, 25 Sep 2024 15:09:34 -0400
Subject: [PATCH 5/7] Extra newlines.
No-Issue
Signed-off-by: James Tanner
---
galaxy_ng/app/migrations/_dab_rbac.py | 2 --
1 file changed, 2 deletions(-)
diff --git a/galaxy_ng/app/migrations/_dab_rbac.py b/galaxy_ng/app/migrations/_dab_rbac.py
index 9d5aa78dd6..92e587679d 100644
--- a/galaxy_ng/app/migrations/_dab_rbac.py
+++ b/galaxy_ng/app/migrations/_dab_rbac.py
@@ -99,7 +99,6 @@ def copy_roles_to_role_definitions(apps, schema_editor):
def migrate_role_assignments(apps, schema_editor):
-
UserRole = apps.get_model('core', 'UserRole')
GroupRole = apps.get_model('core', 'GroupRole')
Group = apps.get_model('auth', 'Group')
@@ -121,7 +120,6 @@ def migrate_role_assignments(apps, schema_editor):
# Migrate team/group role assignments
for group_role in GroupRole.objects.all():
-
rd = RoleDefinition.objects.filter(name=group_role.role.name).first()
if not rd:
continue
From f0c3d553fd3980837e10bea0a0949ba1a3d025e8 Mon Sep 17 00:00:00 2001
From: James Tanner
Date: Wed, 25 Sep 2024 16:23:50 -0400
Subject: [PATCH 6/7] Try skipping.
No-Issue
Signed-off-by: James Tanner
---
galaxy_ng/app/migrations/_dab_rbac.py | 11 ++++++++---
1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/galaxy_ng/app/migrations/_dab_rbac.py b/galaxy_ng/app/migrations/_dab_rbac.py
index 92e587679d..30aa85d198 100644
--- a/galaxy_ng/app/migrations/_dab_rbac.py
+++ b/galaxy_ng/app/migrations/_dab_rbac.py
@@ -2,6 +2,7 @@
from django.apps import apps as global_apps
from django.contrib.contenttypes.models import ContentType
+from rest_framework.exceptions import ValidationError
from ansible_base.rbac.management import create_dab_permissions
from ansible_base.rbac.migrations._utils import give_permissions
@@ -46,6 +47,13 @@ def split_pulp_roles(apps, schema_editor):
for assignment_cls in (UserRole, GroupRole):
for pulp_assignment in assignment_cls.objects.filter(role=corerole, content_type__isnull=False):
if pulp_assignment.content_type_id not in split_roles:
+
+ cls = apps.get_model(pulp_assignment.content_type.app_label, pulp_assignment.content_type.model)
+ try:
+ ct_codenames = combine_values(permissions_allowed_for_role(cls))
+ except ValidationError:
+ continue
+
new_data = {
'description': corerole.description,
'name': f'{corerole.name}_{pulp_assignment.content_type.model}'
@@ -53,9 +61,6 @@ def split_pulp_roles(apps, schema_editor):
new_role = Role(**new_data)
new_role.save()
- cls = apps.get_model(pulp_assignment.content_type.app_label, pulp_assignment.content_type.model)
- ct_codenames = combine_values(permissions_allowed_for_role(cls))
-
for perm in pulp_assignment.role.permissions.all():
if ct_codenames and perm.codename not in ct_codenames:
continue
From 2a83b25aab386306f56ba2d5f488cdda484e336b Mon Sep 17 00:00:00 2001
From: James Tanner
Date: Wed, 25 Sep 2024 16:34:18 -0400
Subject: [PATCH 7/7] Add some code comments.
No-Issue
Signed-off-by: James Tanner
---
galaxy_ng/app/migrations/_dab_rbac.py | 13 +++++++++++++
1 file changed, 13 insertions(+)
diff --git a/galaxy_ng/app/migrations/_dab_rbac.py b/galaxy_ng/app/migrations/_dab_rbac.py
index 30aa85d198..cc95143c44 100644
--- a/galaxy_ng/app/migrations/_dab_rbac.py
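Review bot: `except ValidationError: continue` leaves the object-scoped assignment attached to the original, broader role without any record that the split was skipped, and because nothing is stored in `split_roles` for that content type the validator is called and fails again for every further assignment of the same type. Recording the decision once and logging it keeps the migration auditable and avoids the repeated failures; the sketch below assumes a `skipped_cts = set()` initialised next to `split_roles = {}`, which is outside this hunk. Which `ValidationError` `permissions_allowed_for_role` raises is not visible here; if it is Django's rather than DRF's, this `except` never matches and the migration aborts on the first unregistered model, so that is worth confirming against the helper. `split_pulp_roles` starts before this hunk.
```python
if pulp_assignment.content_type_id not in split_roles:
    if pulp_assignment.content_type_id in skipped_cts:
        continue
    cls = apps.get_model(pulp_assignment.content_type.app_label, pulp_assignment.content_type.model)
    try:
        ct_codenames = combine_values(permissions_allowed_for_role(cls))
    except ValidationError as exc:
        logger.warning(
            "not splitting role %s for content type %s: %s",
            corerole.name, pulp_assignment.content_type, exc,
        )
        skipped_cts.add(pulp_assignment.content_type_id)
        continue
    # … unchanged: new_data / Role creation …
```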
+++ b/galaxy_ng/app/migrations/_dab_rbac.py
@@ -38,6 +38,12 @@ def create_permissions_as_operation(apps, schema_editor):
def split_pulp_roles(apps, schema_editor):
+ '''
+ For every user&group role that is tied to a specific content object,
+ split the role out into a new single content type role with permissions
+ that are only relevant to that content object. Afterwards, swap the
+ [User|Group]Role's .role with the new role.
+ '''
Role = apps.get_model('core', 'Role')
UserRole = apps.get_model('core', 'UserRole')
GroupRole = apps.get_model('core', 'GroupRole')
@@ -48,12 +54,16 @@ def split_pulp_roles(apps, schema_editor):
for pulp_assignment in assignment_cls.objects.filter(role=corerole, content_type__isnull=False):
if pulp_assignment.content_type_id not in split_roles:
+ # Get all permissions relevant to this content model.
+ # If any model (like synclist) hasn't been registered in the permission
+ # system, it should not be split/recreated ...
cls = apps.get_model(pulp_assignment.content_type.app_label, pulp_assignment.content_type.model)
try:
ct_codenames = combine_values(permissions_allowed_for_role(cls))
except ValidationError:
continue
+ # Make a new role for this special content model
new_data = {
'description': corerole.description,
'name': f'{corerole.name}_{pulp_assignment.content_type.model}'
@@ -61,7 +71,10 @@ def split_pulp_roles(apps, schema_editor):
new_role = Role(**new_data)
new_role.save()
+ # Add the necesarry permissions to the new role ...
for perm in pulp_assignment.role.permissions.all():
+ # The pulp role may have had permissions related to some other
+ # content model we're not interested in, so we will skip adding those.
if ct_codenames and perm.codename not in ct_codenames:
continue
new_role.permissions.add(perm)
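Review bot: The new docstring says every object-scoped user/group role is split, but the body skips any content type whose model makes `permissions_allowed_for_role` raise (the `except ValidationError: continue` in the next hunk), and those assignments stay attached to the original role; the docstring should say so, because that residual state is exactly what someone later auditing permissions needs to know. A sentence such as `Content types not registered with the DAB permission system are left untouched; their assignments keep the original role.` would cover it. Minor wording: `user&group` reads better as `user and group`.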
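Review bot: The added comment `# ... so we will skip adding those.` overstates what the guarded line does: `if ct_codenames and perm.codename not in ct_codenames:` skips nothing when `ct_codenames` is empty, in which case every permission of the pulp role is copied onto the per-content-type role. Either the code should drop the truthiness guard so an empty allow-list copies nothing (`if perm.codename not in ct_codenames:`), or the comment should state the empty-list behaviour explicitly so that widening is a documented decision rather than a surprise. Minor: `necesarry` → `necessary` in the comment above the loop.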