Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

RFE: Allow assigning an organization IG to a job template without requiring org admin #4292

Closed
Ompragash opened this issue Jul 9, 2019 · 8 comments
Closed

RFE: Allow assigning an organization IG to a job template without requiring org admin #4292

Ompragash opened this issue Jul 9, 2019 · 8 comments
Assignees
@gamuniz
Labels
component:api component:ui type:enhancement

Comments

@Ompragash
Copy link

ISSUE TYPE
  • Feature Idea
COMPONENT NAME
  • API
  • UI
SUMMARY

Currently in AWX only System Admin/Org Admin can assign Instance Group but needs new role i.e. "Instance Group Admin" role and this role will help a user to assign existing instance group in a Job Template.
@wenottingham
Copy link
Contributor

This seems the wrong way to do this, since the roles would likely be on the IGs, and you're not administrating them.

@ulysses-31
Copy link

It would be great if users could select instance groups assigned to their organization to their job templates (without granting them Org Admin). Perhaps via a new Org/Role or enhancement of Org/Job Template Admins?

@wenottingham
Copy link
Contributor

see also #2785

@wenottingham wenottingham changed the title RFE: Need "Instance Group Admin" Role RFE: Allow assigning an organization IG to a job template without requiring org admin Jul 12, 2019
@wenottingham
Copy link
Contributor

retitled to reflect the problem that needs solved

@mikeycmccarthy
Copy link

Also interested in this one! It seems a funny one in terms of what the permission is on. A job template admin can't assign the instance group, but is that because they can't 'use' the instance group effectively?

@wenottingham wenottingham mentioned this issue Mar 6, 2020
Closed
ryanpetrello pushed a commit to ryanpetrello/awx that referenced this issue May 6, 2020
@shanemcd
Merge pull request ansible#4292 from shanemcd/fix-inventory-plugin-pe…
e9cda0c 
…rmissions

Fix permissions for vendored collections in dev env
@schmandforke
Copy link

+1

1 similar comment
@williamhanseneric
Copy link

+1

This was referenced Jan 21, 2022
Open
Open
@tanganellilore tanganellilore mentioned this issue Dec 21, 2022
Closed
9 tasks
@AlanCoding AlanCoding mentioned this issue Jan 27, 2023
Closed
6 tasks
@AlanCoding
Copy link
Member

The challenge I see here is that the InstanceGroup model is not directly scoped to a single organization. When a resource has admin_role, the standard pattern is that organization.admin_role becomes a parent role for it, assuming it has an organization ForeignKey. Instance groups do not.

Giving permissions via a many-to-many to organizations while also using that for fallback rules introduced some debt that we're going to have to resolve here. Depending on the big-picture direction from @ffirg and others, we may introduce a new ForeignKey organization field. I don't like that idea, because it's an addition to the data model which isn't 100% necessary. The alternative is that we have InstanceGroup.admin_role just have the system admin role as the parent role. This seems expedient to me.

In any case, we will require additional special data migration steps

  1. Any organization admin who used to get permission to an instance group via the many-to-many relationship will probably need to be added to the instance group admin_role explicitly (then the hierarchy rebuilt, standard stuff)
  2. We will need to create roles for the instance groups from before the migration. There are pretty standard patterns for this as well.

@gamuniz gamuniz mentioned this issue Feb 16, 2023
Merged
@youtous youtous mentioned this issue Oct 10, 2023
Closed
11 tasks
@AlanCoding AlanCoding mentioned this issue Oct 11, 2023
Open
9 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@gamuniz gamuniz

Labels
component:api component:ui type:enhancement
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests