8000 Deprecate legacy RBAC system by TheRealHaoLiu · Pull Request #16014 · ansible/awx · GitHub
[go: up one dir, main page]
More Web Proxy on the site http://driver.im/
Skip to content

Deprecate legacy RBAC system #16014

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 6 commits into
base: devel
Choose a base branch
from
Open

Deprecate legacy RBAC system #16014

wants to merge 6 commits into from
+178 −598

Conversation

TheRealHaoLiu
Copy link
Member

Summary

This PR removes the legacy RBAC system from AWX, completing the migration to the ansible-base RBAC system. The old RBAC system was conditionally activated via the ANSIBLE_BASE_ROLE_SYSTEM_ACTIVATED setting, but since the new system is now stable and fully functional, we can remove the old implementation entirely.

Changes

Core RBAC System Removal

  • Removed RoleAncestorEntry model and all related database relationships
  • Removed ancestors field from the Role model
  • Removed rebuild_role_ancestor_list() and batch_role_ancestor_rebuilding() functions
  • Removed is_ancestor_of() method and custom save() method from Role model
  • Cleaned up role synchronization signals and mixins

API Layer Simplification

  • Removed all ANSIBLE_BASE_ROLE_SYSTEM_ACTIVATED conditional checks from API serializers
  • Simplified ResourceAccessList to use only the new RBAC system
  • Removed conditional logic from access control classes in awx/main/access.py
  • Streamlined role permission handling in API generics

Configuration Cleanup

  • Removed ANSIBLE_BASE_ROLE_SYSTEM_ACTIVATED setting from defaults
  • Cleaned up related imports and configuration references

Utility and Migration Code

  • Removed batch_role_ancestor_rebuilding usage from inventory import commands
  • Commented out non-functional rebuild_role_ancestor_list calls in migration helpers
  • Cleaned up data generators and test utilities
  • Fixed indentation and removed unused imports

Impact

  • Net code reduction: 596 lines deleted vs 170 lines added (-426 lines total)
  • 12 files modified across models, API, settings, and utilities
  • No functional changes - the codebase now exclusively uses the ansible-base RBAC system
  • Improved maintainability - eliminates dual code paths and conditional complexity

Testing

The existing test suite should continue to pass as this change only removes the unused legacy code path. The ansible-base RBAC system has been the active system and is thoroughly tested.

Migration Notes

  • Migration files retain historical references but non-functional calls are commented out to prevent runtime errors
  • No database migrations are required as the new RBAC system is already in use
  • This change is backward compatible as it only removes unused code paths

Checklist

  • Removed all conditional RBAC system logic
  • Cleaned up imports and unused functions
  • Maintained migration file integrity
  • Verified no functional changes to active RBAC system
  • Code formatting and linting passes

@Copilot Copilot AI review requested due to automatic review settings June 5, 2025 18:32
Copilot
Copilot AI reviewed Jun 5, 2025
View reviewed changes
Copy link
@Copilot Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR fully deprecates and removes the legacy RBAC system in favor of the ansible‐base RBAC implementation. Key changes include the removal of the batch role ancestor rebuilding functionality, the deletion of legacy database relationships and methods (like rebuild_role_ancestor_list and is_ancestor_of), and the cleanup of configuration, API, and migration logic to eliminate unused code paths.

Reviewed Changes

Copilot reviewed 12 out of 12 changed files in this pull request and generated no comments.

Show a summary per file
File Description
tools/data_generators/rbac_dummy_data_generator.py Removed usage of the legacy batch_role_ancestor_rebuilding context manager.
awx/settings/defaults.py Deleted the ANSIBLE_BASE_ROLE_SYSTEM_ACTIVATED setting and comments.
awx/main/signals.py Removed signal handlers related to the legacy RBAC system.
awx/main/models/rbac.py Removed legacy ancestor tracking fields, methods, and context managers.
awx/main/models/mixins.py Updated imports to remove references to legacy RBAC fields.
awx/main/migrations/_rbac.py Commented out legacy rebuild calls in migration code.
awx/main/management/commands/inventory_import.py Eliminated legacy context manager usage from the inventory update flow.
awx/main/fields.py Removed calls to rebuild legacy role ancestor lists after save/delete.
awx/main/access.py, awx/api/serializers.py, awx/api/generics.py Updated permission and access queries to align with the new RBAC system.
Comments suppressed due to low confidence (2)

awx/main/migrations/_rbac.py:251

  • Since the legacy RBAC functionality is fully removed, consider removing the commented legacy code entirely to keep the migration file clean.
    # Role.rebuild_role_ancestor_list(roots, [])  # Removed - no longer needed with new RBAC system

awx/main/fields.py:355

  • Verify that the removal of the rebuild_role_ancestor_list call during the post-save hook maintains the intended role parentage updates under the new RBAC system.
                Role.rebuild_role_ancestor_list(role_ids, [])

@codecov Codecov
Copy link
codecov bot commented Jun 5, 2025
edited
8000 Loading

Codecov Report

Attention: Patch coverage is 87.61905% with 13 lines in your changes missing coverage. Please review.

Project coverage is 75.59%. Comparing base (3db2e04) to head (78fd3ff).

✅ All tests successful. No failed tests found.

❌ Your patch check has failed because the patch coverage (87.61%) is below the target coverage (100.00%). You can increase the patch coverage or adjust the target coverage.

🚀 New features to boost your workflow:
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

TheRealHaoLiu and others added 6 commits June 17, 2025 07:36
@TheRealHaoLiu @AlanCoding
Remove old RBAC system core components
cd69380 
- Remove RoleAncestorEntry model and ancestors field from Role model
- Remove rebuild_role_ancestor_list and batch_role_ancestor_rebuilding functions
- Remove is_ancestor_of method and save method from Role model
- Clean up role synchronization signals and mixins
- Simplify RBAC models to use only ansible-base RBAC system

This commit removes the core components of the legacy RBAC system that
was conditionally activated via ANSIBLE_BASE_ROLE_SYSTEM_ACTIVATED setting.
The codebase now exclusively uses the new ansible-base RBAC system.
@TheRealHaoLiu @AlanCoding
Remove RBAC system conditionals from API layer
326002c 
- Remove ANSIBLE_BASE_ROLE_SYSTEM_ACTIVATED checks from API serializers
- Simplify ResourceAccessList to use only new RBAC system
- Remove conditional logic from access control classes
- Clean up role permission handling in API generics
- Remove legacy role ancestor and member management code

This commit removes all conditional logic that would fall back to the
old RBAC system, ensuring the API layer exclusively uses the new
ansible-base RBAC system for all permission checks and role management.
@TheRealHaoLiu @AlanCoding
Remove ANSIBLE_BASE_ROLE_SYSTEM_ACTIVATED setting
8e177d2 
- Remove ANSIBLE_BASE_ROLE_SYSTEM_ACTIVATED setting from defaults
- Clean up batch_role_ancestor_rebuilding import from models
- Remove configuration that enabled conditional RBAC system usage

This setting was used to conditionally enable the new ansible-base RBAC
system while maintaining backward compatibility with the old system.
Since the old system has been removed, this setting is no longer needed.
@TheRealHaoLiu @AlanCoding
Clean up legacy RBAC utilities and migration helpers
eefd7ac 
- Remove batch_role_ancestor_rebuilding usage from inventory import
- Clean up ImplicitRoleField to remove ancestor rebuilding calls
- Comment out rebuild_role_ancestor_list calls in migration helpers
- Remove legacy RBAC context managers from data generators
- Fix indentation and remove unused imports

This commit cleans up utility functions, management commands, and
migration helpers that were using the old RBAC system components.
Migration files retain historical references but non-functional
calls are commented out to prevent runtime errors.
@TheRealHaoLiu @AlanCoding
Remove remaining commented references to old RBAC functions
92de481 
- Clean up commented-out rebuild_role_ancestor_list calls in migration helpers
- Replace with generic comments about legacy RBAC system removal
- Ensure no traces of old RBAC function names remain in codebase

This completes the cleanup of all references to the old RBAC system
functions, ensuring a clean codebase with no remnants of the legacy
implementation.
@AlanCoding
Update to schema changes
78fd3ff
@AlanCoding AlanCoding force-pushed the deprecate-legacy-rbac-system branch from 6ab697c to 78fd3ff Compare June 17, 2025 11:38
@sonarqubecloud SonarQubeCloud
Copy link

Quality Gate Failed Quality Gate failed

Failed conditions
D Maintainability Rating on New Code (required ≥ A)

See analysis details on SonarQube Cloud

Catch issues before they fail your Quality Gate with our IDE extension SonarQube for IDE

@AlanCoding
Copy link
Member

Checks actually look okay here.

Baby YOLO 199

@AlanCoding
Copy link
Member

Discovered 2 new failures

tests.api.rbac.test_job_templates_rbac.Test_Cross_Org_Job_Template_RBAC.test_users_of_project_org[admin]

awxkit.exceptions.BadRequest: Bad Request (400) received - {'detail': "Cannot resolve keyword 'descendents' into field. Choices are: activitystream, children, content_object, content_type, content_type_id, id, implicit_parents, members, object_id, parents, role_field, singleton_name"}

tests.api.rbac.test_job_templates_rbac.Test_Cross_Org_Job_Template_RBAC.test_auditor_of_project_org

awxkit.exceptions.BadRequest: Bad Request (400) received - {'detail': "Cannot resolve keyword 'descendents' into field. Choices are: activitystream, children, content_object, content_type, content_type_id, id, implicit_parents, members, object_id, parents, role_field, singleton_name"}

that was coming from a method

def check_read_access(tower_object, expected_forbidden=[], unprivileged=False):
    """Check GET against a Tower resource."""
    # for test scenarios involving unprivileged users
    if unprivileged:
        with pytest.raises(awxkit.exceptions.Forbidden):
            tower_object.get()
    # for test scenarios involving privileged users
    else:
        tower_object.get()
        for related in tower_object.related:
            if related in expected_forbidden:
                with pytest.raises(awxkit.exceptions.Forbidden):
                    tower_object.get_related(related)
            else:
                tower_object.get_related(related)

So I can't say what the related here is. It seems to have looped over all the related endpoints, and one of them presumably hit this bug. We need to find what the endpoint is and hopefully add test coverage here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

Copilot code review Copilot Copilot left review comments

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
component:api
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@TheRealHaoLiu @AlanCoding
0