Disconnect logic to fill in role parents

awx/main/fields.py

@@ -14,21 +14,14 @@
 # Django
 from django.core import exceptions as django_exceptions
 from django.core.serializers.json import DjangoJSONEncoder
-from django.db.models.signals import (
- post_save,
- post_delete,
-)
-from django.db.models.signals import m2m_changed
+from django.db.models.signals import m2m_changed, post_save
 from django.db import models
-from django.db.models.fields.related import lazy_related_operation
 from django.db.models.fields.related_descriptors import (
  ReverseOneToOneDescriptor,
  ForwardManyToOneDescriptor,
  ManyToManyDescriptor,
- ReverseManyToOneDescriptor,
  create_forward_many_to_many_manager,
 )
-from django.utils.encoding import smart_str
 from django.db.models import JSONField
 from django.utils.functional import cached_property
 from django.utils.translation import gettext_lazy as _
@@ -54,7 +47,6 @@
  'ImplicitRoleField',
  'SmartFilterField',
  'OrderedManyToManyField',
- 'update_role_parentage_for_instance',
  'is_implicit_parent',
 ]
 
@@ -146,34 +138,6 @@ def contribute_to_related_class(self, cls, related):
  setattr(cls, related.get_accessor_name(), AutoSingleRelatedObjectDescriptor(related))
 
 
-def resolve_role_field(obj, field):
- ret = []
-
- field_components = field.split('.', 1)
- if hasattr(obj, field_components[0]):
- obj = getattr(obj, field_components[0])
- else:
- return []
-
- if obj is None:
- return []
-
- if len(field_components) == 1:
- # use extremely generous duck typing to accomidate all possible forms
- # of the model that may be used during various migrations
- if obj._meta.model_name != 'role' or obj._meta.app_label != 'main':
- raise Exception(smart_str('{} refers to a {}, not a Role'.format(field, type(obj))))
- ret.append(obj.id)
- else:
- if type(obj) is ManyToManyDescriptor:
- for o in obj.all():
- ret += resolve_role_field(o, field_components[1])
- else:
- ret += resolve_role_field(obj, field_components[1])
-
- return ret
-
-
 def is_implicit_parent(parent_role, child_role):
  """
  Determine if the parent_role is an implicit parent as defined by
@@ -210,34 +174,6 @@ def is_implicit_parent(parent_role, child_role):
  return False
 
 
-def update_role_parentage_for_instance(instance):
- """update_role_parentage_for_instance
- updates the parents listing for all the roles
- of a given instance if they have changed
- """
- parents_removed = set()
- parents_added = set()
- for implicit_role_field in getattr(instance.__class__, '__implicit_role_fields'):
- cur_role = getattr(instance, implicit_role_field.name)
- original_parents = set(json.loads(cur_role.implicit_parents))
- new_parents = implicit_role_field._resolve_parent_roles(instance)
- removals = original_parents - new_parents
- if removals:
- cur_role.parents.remove(*list(removals))
- parents_removed.add(cur_role.pk)
- additions = new_parents - original_parents
- if additions:
- cur_role.parents.add(*list(additions))
- parents_added.add(cur_role.pk)
- new_parents_list = list(new_parents)
- new_parents_list.sort()
- new_parents_json = json.dumps(new_parents_list)
- if cur_role.implicit_parents != new_parents_json:
- cur_role.implicit_parents = new_parents_json
- cur_role.save(update_fields=['implicit_parents'])
- return (parents_added, parents_removed)
-
-
 class ImplicitRoleDescriptor(ForwardManyToOneDescriptor):
  pass
 
@@ -269,65 +205,6 @@ def contribute_to_class(self, cls, name):
  getattr(cls, '__implicit_role_fields').append(self)
 
  post_save.connect(self._post_save, cls, True, dispatch_uid='implicit-role-post-save')
- post_delete.connect(self._post_delete, cls, True, dispatch_uid='implicit-role-post-delete')
-
- function = lambda local, related, field: self.bind_m2m_changed(field, related, local)
- lazy_related_operation(function, cls, "self", field=self)
-
- def bind_m2m_changed(self, _self, _role_class, cls):
- if not self.parent_role:
- return
-
- field_names = self.parent_role
- if type(field_names) is not list:
- field_names = [field_names]
-
- for field_name in field_names:
- if field_name.startswith('singleton:'):
- continue
-
- field_name, sep, field_attr = field_name.partition('.')
- # Non existent fields will occur if ever a parent model is
- # moved inside a migration, needed for job_template_organization_field
- # migration in particular
- # consistency is assured by unit test awx.main.tests.functional
- field = getattr(cls, field_name, None)
-
- if field and type(field) is ReverseManyToOneDescriptor or type(field) is ManyToManyDescriptor:
- if '.' in field_attr:
- raise Exception('Referencing deep roles through ManyToMany fields is unsupported.')
-
- if type(field) is ReverseManyToOneDescriptor:
- sender = field.through
- else:
- sender = field.related.through
-
- reverse = type(field) is ManyToManyDescriptor
- m2m_changed.connect(self.m2m_update(field_attr, reverse), sender, weak=False)
-
- def m2m_update(self, field_attr, _reverse):
- def _m2m_update(instance, action, model, pk_set, reverse, **kwargs):
- if action == 'post_add' or action == 'pre_remove':
- if _reverse:
- reverse = not reverse
-
- if reverse:
- for pk in pk_set:
- obj = model.objects.get(pk=pk)
- if action == 'post_add':
- getattr(instance, field_attr).children.add(getattr(obj, self.name))
- if action == 'pre_remove':
- getattr(instance, field_attr).children.remove(getattr(obj, self.name))
-
- else:
- for pk in pk_set:
- obj = model.objects.get(pk=pk)
- if action == 'post_add':
- getattr(instance, self.name).parents.add(getattr(obj, field_attr))
- if action == 'pre_remove':
- getattr(instance, self.name).parents.remove(getattr(obj, field_attr))
-
- return _m2m_update
 
  def _post_save(self, instance, created, *args, **kwargs):
  Role_ = utils.get_current_apps().get_model('main', 'Role')
@@ -337,68 +214,24 @@ def _post_save(self, instance, created, *args, **kwargs):
  Model = utils.get_current_apps().get_model('main', instance.__class__.__name__)
  latest_instance = Model.objects.get(pk=instance.pk)
 
- # Avoid circular import
- from awx.main.models.rbac import batch_role_ancestor_rebuilding, Role
-
- with batch_role_ancestor_rebuilding():
- # Create any missing role objects
- missing_roles = []
- for implicit_role_field in getattr(latest_instance.__class__, '__implicit_role_fields'):
- cur_role = getattr(latest_instance, implicit_role_field.name, None)
- if cur_role is None:
- missing_roles.append(Role_(role_field=implicit_role_field.name, content_type_id=ct_id, object_id=latest_instance.id))
-
- if len(missing_roles) > 0:
- Role_.objects.bulk_create(missing_roles)
- updates = {}
- role_ids = []
- for role in Role_.objects.filter(content_type_id=ct_id, object_id=latest_instance.id):
- setattr(latest_instance, role.role_field, role)
- updates[role.role_field] = role.id
- role_ids.append(role.id)
- type(latest_instance).objects.filter(pk=latest_instance.pk).update(**updates)
- Role.rebuild_role_ancestor_list(role_ids, [])
-
- update_role_parentage_for_instance(latest_instance)
- instance.refresh_from_db()
-
- def _resolve_parent_roles(self, instance):
- if not self.parent_role:
- return set()
-
- paths = self.parent_role if type(self.parent_role) is list else [self.parent_role]
- parent_roles = set()
-
- for path in paths:
- if path.startswith("singleton:"):
- singleton_name = path[10:]
- Role_ = utils.get_current_apps().get_model('main', 'Role')
- qs = Role_.objects.filter(singleton_name=singleton_name)
- if qs.count() >= 1:
- role = qs[0]
- else:
- role = Role_.objects.create(singleton_name=singleton_name, role_field=singleton_name)
- parents = [role.id]
- else:
- parents = resolve_role_field(instance, path)
-
- for parent in parents:
- parent_roles.add(parent)
- return parent_roles
-
- def _post_delete(self, instance, *args, **kwargs):
- role_ids = []
- for implicit_role_field in getattr(instance.__class__, '__implicit_role_fields'):
- role_ids.append(getattr(instance, implicit_role_field.name + '_id'))
-
- Role_ = utils.get_current_apps().get_model('main', 'Role')
- child_ids = [x for x in Role_.parents.through.objects.filter(to_role_id__in=role_ids).distinct().values_list('from_role_id', flat=True)]
- Role_.objects.filter(id__in=role_ids).delete()
-
- # Avoid circular import
- from awx.main.models.rbac import Role
-
- Role.rebuild_role_ancestor_list([], child_ids)
+ # Create any missing role objects
+ missing_roles = []
+ for implicit_role_field in getattr(latest_instance.__class__, '__implicit_role_fields'):
+ cur_role = getattr(latest_instance, implicit_role_field.name, None)
+ if cur_role is None:
+ missing_roles.append(Role_(role_field=implicit_role_field.name, content_type_id=ct_id, object_id=latest_instance.id))
+
+ if len(missing_roles) > 0:
+ Role_.objects.bulk_create(missing_roles)
+ updates = {}
+ role_ids = []
+ for role in Role_.objects.filter(content_type_id=ct_id, object_id=latest_instance.id):
+ setattr(latest_instance, role.role_field, role)
+ updates[role.role_field] = role.id
+ role_ids.append(role.id)
+ type(latest_instance).objects.filter(pk=latest_instance.pk).update(**updates)
+
+ instance.refresh_from_db()
 
 
 class SmartFilterField(models.TextField):

awx/main/migrations/_rbac.py

@@ -3,7 +3,6 @@
 
 from django.db.models import Subquery, OuterRef, F
 
-from awx.main.fields import update_role_parentage_for_instance
 from awx.main.models.rbac import Role, batch_role_ancestor_rebuilding
 
 logger = logging.getLogger('rbac_migrations')
@@ -238,85 +237,10 @@ def restore_inventory_admins_backward(apps, schema_editor):
 
 
 def rebuild_role_hierarchy(apps, schema_editor):
- """
- This should be called in any migration when ownerships are changed.
- Ex. I remove a user from the admin_role of a credential.
- Ancestors are cached from parents for performance, this re-computes ancestors.
- """
- logger.info('Computing role roots..')
- start = time()
- roots = Role.objects.all().values_list('id', flat=True)
- stop = time()
- logger.info('Found %d roots in %f seconds, rebuilding ancestry map' % (len(roots), stop - start))
- start = time()
- Role.rebuild_role_ancestor_list(roots, [])
- stop = time()
- logger.info('Rebuild ancestors completed in %f seconds' % (stop - start))
- logger.info('Done.')
+ """Not used after DAB RBAC migration"""
+ pass
 
 
 def rebuild_role_parentage(apps, schema_editor, models=None):
- """
- This should be called in any migration when any parent_role entry
- is modified so that the cached parent fields will be updated. Ex:
- foo_role = ImplicitRoleField(
- parent_role=['bar_role'] # change to parent_role=['admin_role']
- )
-
- This is like rebuild_role_hierarchy, but that method updates ancestors,
- whereas this method updates parents.
- """
- start = time()
- seen_models = set()
- model_ct = 0
- noop_ct = 0
- ContentType = apps.get_model('contenttypes', "ContentType")
- additions = set()
- removals = set()
-
- role_qs = Role.objects
- if models:
- # update_role_parentage_for_instance is expensive
- # if the models have been downselected, ignore those which are not in the list
- ct_ids = list(ContentType.objects.filter(model__in=[name.lower() for name in models]).values_list('id', flat=True))
- role_qs = role_qs.filter(content_type__in=ct_ids)
-
- for role in role_qs.iterator():
- if not role.object_id:
- continue
- model_tuple = (role.content_type_id, role.object_id)
- if model_tuple in seen_models:
- continue
- seen_models.add(model_tuple)
-
- # The GenericForeignKey does not work right in migrations
- # with the usage as role.content_object
- # so we do the lookup ourselves with current migration models
- ct = role.content_type
- app = ct.app_label
- ct_model = apps.get_model(app, ct.model)
- content_object = ct_model.objects.get(pk=role.object_id)
-
- parents_added, parents_removed = update_role_parentage_for_instance(content_object)
- additions.update(parents_added)
- removals.update(parents_removed)
- if parents_added:
- model_ct += 1
- logger.debug('Added to parents of roles {} of {}'.format(parents_added, content_object))
- if parents_removed:
- model_ct += 1
- logger.debug('Removed from parents of roles {} of {}'.format(parents_removed, content_object))
- else:
- noop_ct += 1
-
- logger.debug('No changes to role parents for {} resources'.format(noop_ct))
- logger.debug('Added parents to {} roles'.format(len(additions)))
- logger.debug('Removed parents from {} roles'.format(len(removals)))
- if model_ct:
- logger.info('Updated implicit parents of {} resources'.format(model_ct))
-
- logger.info('Rebuild parentage completed in %f seconds' % (time() - start))
-
- # this is ran because the ordinary signals for
- # Role.parents.add and Role.parents.remove not called in migration
- Role.rebuild_role_ancestor_list(list(additions), list(removals))
+ """Not used after DAB RBAC migration"""
+ pass