Remove ANSIBLE_BASE_ROLE_PRECREATE only used by AWX

ansible_base/lib/dynamic_config/dynamic_settings.py

@@ -145,14 +145,6 @@
 
 
 if 'ansible_base.rbac' in INSTALLED_APPS:
-    # Settings for the RBAC system, override as necessary in app
-    ANSIBLE_BASE_ROLE_PRECREATE = {
-        'object_admin': '{cls._meta.model_name}-admin',
-        'org_admin': 'organization-admin',
-        'org_children': 'organization-{cls._meta.model_name}-admin',
-        'special': '{cls._meta.model_name}-{action}',
-    }
-
     # Permissions a user will get when creating a new item
     ANSIBLE_BASE_CREATOR_DEFAULTS = ['add', 'change', 'delete', 'view']
     # Permissions API will check for related items, think PATCH/PUT

ansible_base/rbac/triggers.py

@@ -2,14 +2,11 @@
 from contextlib import contextmanager
 from typing import Optional
 
-from django.apps import apps
-from django.conf import settings
 from django.db.models import Model, Q
 from django.db.models.signals import m2m_changed, post_delete, post_init, post_save, pre_delete, pre_save
 from django.db.utils import ProgrammingError
 
 from ansible_base.rbac.caching import compute_object_role_permissions, compute_team_member_roles
-from ansible_base.rbac.migrations._managed_definitions import setup_managed_role_definitions
 from ansible_base.rbac.models import ObjectRole, RoleDefinition, RoleEvaluation, get_evaluation_model
 from ansible_base.rbac.permission_registry import permission_registry
 from ansible_base.rbac.validators import validate_team_assignment_enabled
@@ -278,9 +275,6 @@ def post_migration_rbac_setup(*args, **kwargs):
     except ProgrammingError:
         return  # this happens when migrating backwards, tables do not exist at prior states
 
-    if settings.ANSIBLE_BASE_ROLE_PRECREATE:
-        setup_managed_role_definitions(apps, None)
-
     compute_team_member_roles()
     compute_object_role_permissions()
 

docs/apps/rbac.md

@@ -317,23 +317,6 @@ ANSIBLE_BASE_ORGANIZATION_MODEL = 'main.Organization'
 
 The organization model is only used for pre-created role definitions.
 
-### Managed Pre-Created Role Definitions
-
-In a post_migrate signal, certain RoleDefinitions are pre-created.
-You can customize that with the following setting.
-
-```
-ANSIBLE_BASE_ROLE_PRECREATE = {
-    'object_admin': '{cls._meta.model_name}-admin',
-    'org_admin': 'organization-admin',
-    'org_children': 'organization-{cls._meta.model_name}-admin',
-    'special': '{cls._meta.model_name}-{action}',
-}
-```
-
-Set this to `{}` if you will create role definitions in your own data migration,
-or if you want all roles to be user-defined.
-
 ### RBAC vs User Flag Responsibilities
 
 With some user flags, like the standard `is_superuser` flag, the RBAC system does not

test_app/settings.py

@@ -154,7 +154,6 @@
 
 SYSTEM_USERNAME = '_system'
 
-ANSIBLE_BASE_ROLE_PRECREATE = {}  # tested in individual tests
 ANSIBLE_BASE_ALLOW_SINGLETON_USER_ROLES = True
 ANSIBLE_BASE_ALLOW_SINGLETON_TEAM_ROLES = True
 

test_app/tests/rbac/test_migrations.py

@@ -1,52 +1,12 @@
 import pytest
 from django.apps import apps
 from django.contrib.contenttypes.models import ContentType
-from django.test.utils import override_settings
 
-from ansible_base.rbac.migrations._managed_definitions import setup_managed_role_definitions
 from ansible_base.rbac.migrations._utils import give_permissions
-from ansible_base.rbac.models import DABPermission, RoleDefinition, RoleTeamAssignment, RoleUserAssignment
+from ansible_base.rbac.models import DABPermission, RoleTeamAssignment, RoleUserAssignment
 from ansible_base.rbac.permission_registry import permission_registry
 from test_app.models import Team, User
 
-INVENTORY_OBJ_PERMISSIONS = ['view_inventory', 'change_inventory', 'delete_inventory', 'update_inventory']
-
-
-@pytest.mark.django_db
-def test_managed_definitions_precreate():
-    with override_settings(
-        ANSIBLE_BASE_ROLE_PRECREATE={
-            'object_admin': '{cls._meta.model_name}-admin',
-            'org_admin': 'organization-admin',
-            'org_children': 'organization-{cls._meta.model_name}-admin',
-            'special': '{cls._meta.model_name}-{action}',
-        }
-    ):
-        setup_managed_role_definitions(apps, None)
-    rd = RoleDefinition.objects.get(name='inventory-admin')
-    assert rd.managed is True
-    # add permissions do not go in the object-level admin
-    assert set(rd.permissions.values_list('codename', flat=True)) == set(INVENTORY_OBJ_PERMISSIONS)
-
-    # test org-level object admin permissions
-    rd = RoleDefinition.objects.get(name='organization-inventory-admin')
-    assert rd.managed is True
-    assert set(rd.permissions.values_list('codename', flat=True)) == set(['add_inventory', 'view_organization'] + INVENTORY_OBJ_PERMISSIONS)
-
-
-@pytest.mark.django_db
-def test_managed_definitions_custom_obj_admin_name():
-    with override_settings(
-        ANSIBLE_BASE_ROLE_PRECREATE={
-            'object_admin': 'foo-{cls._meta.model_name}-foo',
-        }
-    ):
-        setup_managed_role_definitions(apps, None)
-    rd = RoleDefinition.objects.get(name='foo-inventory-foo')
-    assert rd.managed is True
-    # add permissions do not go in the object-level admin
-    assert set(rd.permissions.values_list('codename', flat=True)) == set(INVENTORY_OBJ_PERMISSIONS)
-
 
 @pytest.mark.django_db
 def test_give_permissions(organization, inventory, inv_rd):