Expose ANSIBLE_BASE_ALLOW_CUSTOM_TEAM_ROLES via the settings API#16449
Expose ANSIBLE_BASE_ALLOW_CUSTOM_TEAM_ROLES via the settings API#16449snecklifter wants to merge 2 commits into
Conversation
The setting was only defined as a Django default in awx/settings/defaults.py but never registered with the conf system, making it invisible to the /api/v2/settings/ endpoint. This caused a KeyError when attempting to configure it via the Ansible controller collection's settings module. Register the setting as a BooleanField under the system category so it can be read and updated through the API. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: Organization UI Review profile: CHILL Plan: Enterprise Run ID: 📒 Files selected for processing (1)
✅ Files skipped from review due to trivial changes (1)
📝 WalkthroughWalkthroughA comment block is added to ChangesRBAC Settings Configuration Documentation
Estimated code review effort🎯 1 (Trivial) | ⏱️ ~2 minutes 🚥 Pre-merge checks | ✅ 4 | ❌ 1❌ Failed checks (1 warning)
✅ Passed checks (4 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Tip 💬 Introducing Slack Agent: The best way for teams to turn conversations into code.Slack Agent is built on CodeRabbit's deep understanding of your code, so your team can collaborate across the entire SDLC without losing context.
Built for teams:
One agent for your entire SDLC. Right inside Slack. Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
🧹 Nitpick comments (1)
awx/main/conf.py (1)
55-62: ⚡ Quick winAdd an explicit
default=Falseparameter for self-documentation and maintainability.The setting already inherits its default from
awx/settings/defaults.py(where it's set toFalse), but adding it explicitly to the registration improves code clarity and reduces coupling to external configuration files.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@awx/main/conf.py` around lines 55 - 62, The register call for the setting 'ANSIBLE_BASE_ALLOW_CUSTOM_TEAM_ROLES' currently omits an explicit default; update the register(...) invocation (the call that registers 'ANSIBLE_BASE_ALLOW_CUSTOM_TEAM_ROLES') to include default=False so the setting documents its default value inline (keep all existing arguments: field_class=fields.BooleanField, label, help_text, category, category_slug and add default=False).
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Nitpick comments:
In `@awx/main/conf.py`:
- Around line 55-62: The register call for the setting
'ANSIBLE_BASE_ALLOW_CUSTOM_TEAM_ROLES' currently omits an explicit default;
update the register(...) invocation (the call that registers
'ANSIBLE_BASE_ALLOW_CUSTOM_TEAM_ROLES') to include default=False so the setting
documents its default value inline (keep all existing arguments:
field_class=fields.BooleanField, label, help_text, category, category_slug and
add default=False).
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Enterprise
Run ID: 2425e8d7-5086-4945-afff-4bc89c400921
📒 Files selected for processing (1)
awx/main/conf.py
|
|
In the first place, I would hesitate to say that changing the value of |
…ile-only Reverts the conf.py registration of ANSIBLE_BASE_ALLOW_CUSTOM_TEAM_ROLES and adds a comment block in defaults.py explaining why these settings must not be exposed via the API: runtime changes create RBAC data that django-ansible-base migrations may not account for, risking migration failures or cross-org permission spillage. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
|
Thanks for the feedback — that's a fair point and well taken. Exposing this via the API would make it too easy to create RBAC data that django-ansible-base data migrations may not be written to handle, and the cross-org permission spillage risks around team roles aren't fully hardened yet. I've updated the PR to revert the API registration and instead add a comment block in Happy to close this if the comment addition isn't useful either — just let me know. |
Summary
ANSIBLE_BASE_ALLOW_CUSTOM_TEAM_ROLESwith the AWX conf system so it is exposed at/api/v2/settings/system/awx/settings/defaults.pybut never registered, making it invisible to the APIKeyErrorwhen configuring it via theansible.controller.settingsAnsible moduleIssue Type
Component Name
Notes
defaultis needed in theregister()call. The conf system'sget_setting_fieldautomatically falls back to_get_default(), which reads the value from Django's settings module (awx/settings/defaults.pywhere it is set toFalse). This matches the pattern used by other registered settings likeACTIVITY_STREAM_ENABLEDandMANAGE_ORGANIZATION_AUTH.Test plan
ANSIBLE_BASE_ALLOW_CUSTOM_TEAM_ROLESappears inGET /api/v2/settings/system/PATCH /api/v2/settings/system/ansible.controller.settingsmodule can set this value withoutKeyError🤖 Generated with Claude Code
Summary by CodeRabbit