- Updated pe group management command

- Added galaxy.content_admin locked role - Updated integration test Issue: AAH-1093
ansible · Mar 30, 2022 · f853794 · f853794
1 parent d123723
commit f853794
Show file tree

Hide file tree

Showing 3 changed files with 16 additions and 41 deletions.
diff --git a/galaxy_ng/app/access_control/statements/roles.py b/galaxy_ng/app/access_control/statements/roles.py
@@ -24,6 +24,9 @@
     },
     "NamespaceViewSet": {
         "LOCKED_ROLES": {
+            "galaxy.content_admin": [
+                "ansible.modify_ansible_repo_content",
+            ],
             "galaxy.namespace_owner": [
                 "galaxy.add_namespace",
                 "galaxy.change_namespace",

diff --git a/galaxy_ng/app/management/commands/maintain-pe-group.py b/galaxy_ng/app/management/commands/maintain-pe-group.py
@@ -1,19 +1,17 @@
-from django.contrib.auth.models import Permission
 from django.core.management import BaseCommand
-from pulpcore.plugin.models.role import Role
+
 from pulpcore.plugin.util import assign_role
 
 from galaxy_ng.app.models.auth import Group
 
 PE_GROUP_NAME = "system:partner-engineers"
-PE_ROLE_NAME = "system:partner-engineers"
 
 
 class Command(BaseCommand):
     """
     This command creates or updates a partner engineering group
-    with a standard set of permissions. Intended to be used for
-    settings.GALAXY_DEPLOYMENT_MODE==insights.
+    with a standard set of permissions via Galaxy locked roles. 
+    Intended to be used for settings.GALAXY_DEPLOYMENT_MODE==insights.
 
     $ django-admin maintain-pe-group
     """
@@ -27,44 +25,17 @@ def handle(self, *args, **options):
         else:
             self.stdout.write(f"Group '{PE_GROUP_NAME}' already exists")
 
-        pe_role, role_created = Role.objects.get_or_create(name=PE_ROLE_NAME)
-        if role_created:
-            self.stdout.write(f"Created role '{PE_ROLE_NAME}'")
-        else:
-            self.stdout.write(f"Role '{PE_ROLE_NAME}' already exists")
-
-        pe_perms = [
-            # groups
-            ("galaxy", "view_group"),
-            ("galaxy", "delete_group"),
-            ("galaxy", "add_group"),
-            ("galaxy", "change_group"),
-            # users
-            ("galaxy", "view_user"),
-            ("galaxy", "delete_user"),
-            ("galaxy", "add_user"),
-            ("galaxy", "change_user"),
-            # collections
-            ("ansible", "modify_ansible_repo_content"),
-            ("ansible", "delete_collection"),
-            # namespaces
-            ("galaxy", "add_namespace"),
-            ("galaxy", "change_namespace"),
-            ("galaxy", "upload_to_namespace"),
-            ("galaxy", "delete_namespace"),
+        pe_roles = [
+            'galaxy.group_admin',
+            'galaxy.user_admin',
+            'galaxy.collection_admin',
+            'galaxy.namespace_owner',
+            'galaxy.content_admin',
         ]
-        for app_label, codename in pe_perms:
-            perm = Permission.objects.filter(
-                content_type__app_label=app_label,
-                codename=codename,
-            ).first()
-            if perm:
-                pe_role.permissions.add(perm)
-            else:
-                self.stdout.write(f"Permission {app_label}.{codename} not found.")
 
-        assign_role(pe_role, pe_group, self)
+        for role in pe_roles:
+            assign_role(rolename=role, entity=pe_group)
 
         self.stdout.write(
-            f"Permissions assigned to '{PE_ROLE_NAME}', Role assigned to '{PE_GROUP_NAME}'"
+            f"Roles assigned to '{PE_GROUP_NAME}'"
         )
diff --git a/galaxy_ng/tests/integration/api/test_locked_roles.py b/galaxy_ng/tests/integration/api/test_locked_roles.py
@@ -18,6 +18,7 @@ def test_locked_roles_exist(ansible_config):
         "galaxy.user_admin",
         "galaxy.namespace_owner",
         "galaxy.synclist_owner",
+        "galaxy.content_admin"
     ]
 
     config = ansible_config("ansible_partner")