Improves RBAC role naming conventions and increasing consistency.

[AlexSCorey]

This addresses https://redhat.atlassian.net/browse/AAP-59318 partially. There are some reamining bits regarding rbac roles within awx, and possibly within DAB that would need to be addressed. For this PR the work was to improve the consistency of the RBAC role names.

Tests were also updated/added.

Summary by CodeRabbit

• Bug Fixes

  • Standardized EDA Credential role names from "Eda" to "EDA" for consistent display and access.
  • Added an automated rename to update existing role entries safely, avoiding duplicate conflicts.

• Tests

  • Updated integration tests to assert the new "EDA Credential" role name casing.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: f0b4e76d-60b8-4a02-9083-ff726387eaad

📥 Commits

Reviewing files that changed from the base of the PR and between f9e928a and ee9f7a1.

📒 Files selected for processing (3)

• src/aap_eda/core/management/commands/create_initial_data.py
• src/aap_eda/core/migrations/0071_rename_eda_credential_roles.py
• tests/integration/core/test_create_initial_data.py

✅ Files skipped from review due to trivial changes (1)

• src/aap_eda/core/management/commands/create_initial_data.py

🚧 Files skipped from review as they are similar to previous changes (1)

• tests/integration/core/test_create_initial_data.py

---

📝 Walkthrough

Walkthrough

Role-name generation for EDA credentials now normalizes "Eda " to "EDA " when creating roles; a migration was added to rename existing role records to the new casing; tests were updated to assert the "EDA" casing for credential roles.

Changes

Cohort / File(s)	Summary
Role Naming Logic Update src/aap_eda/core/management/commands/create_initial_data.py	Adjusted Command._create_obj_roles() to replace "Eda " with "EDA " when constructing role names for the edacredential model (affects Admin, Use, and Organization … Admin names).
Data Migration src/aap_eda/core/migrations/0071_rename_eda_credential_roles.py	Added a migration with forward/reverse RunPython callables that rename specific dab_rbac.RoleDefinition records from "Eda" → "EDA" (and reverse), with existence checks and logging.
Test Update tests/integration/core/test_create_initial_data.py	Updated test_create_all_roles to preserve role-name casing and assert EDA Credential Admin and EDA Credential Use exist (in addition to existing lowercase membership checks).

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 50.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly summarizes the main change: improving RBAC role naming consistency, which aligns with the primary objective of the pull request.
Description check	✅ Passed	The description includes the issue link, explains what is being changed (RBAC role naming consistency), and notes tests were updated, but lacks detail on how the change works and testing instructions.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch 59318-PermissionNamingConvention

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@src/aap_eda/core/migrations/0071_rename_eda_credential_roles.py`:
- Around line 55-62: The reverse migration loop over role_mappings
unconditionally renames RoleDefinition entries and can conflict if a role with
the target name already exists; update the loop in the migration that iterates
role_mappings to first check
RoleDefinition.objects.filter(name=new_name).exists() (or try to get new_name
and handle DoesNotExist) and if a target role exists, log a skipping message via
logger and do not perform the rename, otherwise perform the rename and save;
reference the role_mappings dict, the RoleDefinition model, and the existing
logger calls to mirror the forward migration's conflict guard.

In `@tests/integration/core/test_create_initial_data.py`:
- Around line 65-68: The assertions under the obj_name == "eda credential"
branch currently check lowercased names (role_names) so they don't verify the
intended EDA casing; change the test to assert against the original,
case-preserved role names (or stop lowercasing for this branch) and assert the
exact expected strings "EDA Credential Admin" and "EDA Credential Use" instead
of "eda credential admin"/"eda credential use" so the test actually validates
the EDA casing change.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 302cc36f-e6b1-4f1e-85b8-b6ec0a29b1bc

📥 Commits

Reviewing files that changed from the base of the PR and between 51a73bf and 63ffb68.

📒 Files selected for processing (3)

• src/aap_eda/core/management/commands/create_initial_data.py
• src/aap_eda/core/migrations/0071_rename_eda_credential_roles.py
• tests/integration/core/test_create_initial_data.py

[codecov-commenter]

Codecov Report

❌ Patch coverage is 70.00000% with 12 lines in your changes missing coverage. Please review.
✅ Project coverage is 91.85%. Comparing base (344ba2b) to head (ee9f7a1).

Files with missing lines	Patch %	Lines
...ore/migrations/0071_rename_eda_credential_roles.py	64.70%	12 Missing ⚠️

@@            Coverage Diff             @@
##             main    #1528      +/-   ##
==========================================
- Coverage   91.93%   91.85%   -0.09%     
==========================================
  Files         239      240       +1     
  Lines       10810    10850      +40     
==========================================
+ Hits         9938     9966      +28     
- Misses        872      884      +12     

Flag	Coverage Δ
unit-int-tests-3.11	91.85% <70.00%> (-0.09%)	⬇️
unit-int-tests-3.12	91.85% <70.00%> (-0.09%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

Files with missing lines	Coverage Δ
...da/core/management/commands/create_initial_data.py	98.36% <100.00%> (+0.04%)	⬆️
...ore/migrations/0071_rename_eda_credential_roles.py	64.70% <64.70%> (ø)

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[coderabbitai]

🧹 Nitpick comments (1)

src/aap_eda/core/migrations/0071_rename_eda_credential_roles.py (1)

82-85: Add coverage for migration skip branches (forward + reverse).

This migration’s safety depends on the already exists and not found branches, and coverage indicates those paths are still partially untested. Please add migration tests for both branches in apply and rollback to reduce regression risk. As per coding guidelines, "Focus on major issues impacting performance, readability, maintainability and security. Avoid nitpicks and avoid verbosity."

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/aap_eda/core/migrations/0071_rename_eda_credential_roles.py` around lines
82 - 85, Add tests for
src/aap_eda/core/migrations/0071_rename_eda_credential_roles.py that exercise
both conditional branches in rename_eda_credential_roles_forward and
rename_eda_credential_roles_reverse: create one test that sets up the DB state
so the target role already exists before applying the migration to hit the
"already exists" branch on forward and ensure rollback handles it, and a second
test that ensures the source role is missing before apply to hit the "not found"
branch on forward and likewise verify the reverse handles the missing item; use
Django's MigrationTestCase or the migration executor to run apply/rollback and
set up/tear down role rows (or mock query results) to trigger each branch and
assert expected SQL/ORM changes and no exceptions.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@src/aap_eda/core/migrations/0071_rename_eda_credential_roles.py`:
- Around line 82-85: Add tests for
src/aap_eda/core/migrations/0071_rename_eda_credential_roles.py that exercise
both conditional branches in rename_eda_credential_roles_forward and
rename_eda_credential_roles_reverse: create one test that sets up the DB state
so the target role already exists before applying the migration to hit the
"already exists" branch on forward and ensure rollback handles it, and a second
test that ensures the source role is missing before apply to hit the "not found"
branch on forward and likewise verify the reverse handles the missing item; use
Django's MigrationTestCase or the migration executor to run apply/rollback and
set up/tear down role rows (or mock query results) to trigger each branch and
assert expected SQL/ORM changes and no exceptions.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: f089fb3c-7efb-41e8-909e-bb7738f4c15f

📥 Commits

Reviewing files that changed from the base of the PR and between 63ffb68 and f9e928a.

📒 Files selected for processing (3)

• src/aap_eda/core/management/commands/create_initial_data.py
• src/aap_eda/core/migrations/0071_rename_eda_credential_roles.py
• tests/integration/core/test_create_initial_data.py

🚧 Files skipped from review as they are similar to previous changes (2)

• tests/integration/core/test_create_initial_data.py
• src/aap_eda/core/management/commands/create_initial_data.py

[AlanCoding]

Just to link this:

https://github.com/ansible-automation-platform/aap-gateway/blob/devel/aap_gateway_api/management/commands/migrate_service_data.py#L158-L164

The concern is that RoleDefinition is a synchronized model. On first-install, entries are created by the data loading script here, and then after that aap-gateway-manage migrate_service_data runs and puts a copy of the entries into Gateway.

Customers will upgrade from prior 2.6.z versions to this. It's unclear if that will result in the desired behavior or not. It depends on the behavior of the sync from migrate_service_data, and I do not know this right now.

[AlexSCorey]

Following advice from @AlanCoding I spun up a devel based aap-dev instance and found role names like Organization Eda Credential Admin which is consistent with what's reported in the bug. Then, I spun up aap-dev against this branch. It built just fine, with no problem and saw that Organization EDA Credential Admin was there. Notice that in the original role Eda vs. in the role created by this branch where we have EDA all caps in the name. It seems that this might be safe to merge, and we do get some consistency, where EDA is all caps'd in stead of Eda.

[AlexSCorey]

Linking my conversation with @AlanCoding where he offers suggestions about how to test this pr. https://redhat-internal.slack.com/archives/C06CM09FQSV/p1776094482726909

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
100.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud