AAP-72039 Introduce partial-recomputation of team permissions

[AlanCoding]

Description

This is created in response to a particularly server error observed from tests.

"14/Apr/2026:22:29:23 +0000" client=3.88.60.90 x_forwarded_for=3.88.60.90 realip=- method=DELETE request="DELETE /api/controller/v2/service-index/resources/0d2714bf-466b-4840-991d-576da783ec61/ HTTP/1.1" request_length=1986 status=204 bytes_sent=627 body_bytes_sent=0 referer=- user_agent="python-requests/2.32.3" upstream_addr=127.0.0.1:8050 upstream_status=204 request_time=0.174 upstream_response_time=0.174 upstream_connect_time=0.000 upstream_header_time=0.174 request_id="7372abe8-6950-4b7d-8966-b8a2428d8e24" trusted_proxy=trusted-proxy dab_jwt=dab-jwt
[pid: 265|app: -|req: -/-] 3.88.60.90 (-) {54 vars in 2393 bytes} [Tue Apr 14 22:29:22 2026] DELETE /api/controller/v2/service-index/resources/0d2714bf-466b-4840-991d-576da783ec61/ => generated 0 bytes in 174 msecs (HTTP/1.1 204) 11 headers in 413 bytes (1 switches on core 0) x-request-id: 7372abe8-6950-4b7d-8966-b8a2428d8e24
2026-04-14 22:29:23,107 ERROR    [cf3b32387b0d44fe9d183483accd5d53] django.request Internal Server Error: /api/controller/v2/teams/
Traceback (most recent call last):
  File "/var/lib/awx/venv/awx/lib64/python3.12/site-packages/django/db/backends/base/base.py", line 303, in _commit
    return self.connection.commit()
           ^^^^^^^^^^^^^^^^^^^^^^^^
  File "/var/lib/awx/venv/awx/lib64/python3.12/site-packages/psycopg/connection.py", line 274, in commit
    self.wait(self._commit_gen())
  File "/var/lib/awx/venv/awx/lib64/python3.12/site-packages/psycopg/connection.py", line 453, in wait
    return waiting.wait(gen, self.pgconn.socket, interval=interval)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/var/lib/awx/venv/awx/lib64/python3.12/site-packages/psycopg/waiting.py", line 354, in wait_poll
    s = gen.send(ready)
        ^^^^^^^^^^^^^^^
  File "/var/lib/awx/venv/awx/lib64/python3.12/site-packages/psycopg/_connection_base.py", line 581, in _commit_gen
    yield from self._exec_command(b"COMMIT")
  File "/var/lib/awx/venv/awx/lib64/python3.12/site-packages/psycopg/_connection_base.py", line 479, in _exec_command
    raise e.error_from_result(result, encoding=self.pgconn._encoding)
psycopg.errors.ForeignKeyViolation: insert or update on table "dab_rbac_objectrole_provides_teams" violates foreign key constraint "dab_rbac_objectrole__objectrole_id_406b577e_fk_dab_rbac_"
DETAIL:  Key (objectrole_id)=(1772) is not present in table "dab_rbac_objectrole".
The above exception was the direct cause of the following exception:
Traceback (most recent call last):
  File "/var/lib/awx/venv/awx/lib64/python3.12/site-packages/django/core/handlers/exception.py", line 55, in inner
    response = get_response(request)
               ^^^^^^^^^^^^^^^^^^^^^
  File "/var/lib/awx/venv/awx/lib64/python3.12/site-packages/django/core/handlers/base.py", line 197, in _get_response
    response = wrapped_callback(request, *callback_args, **callback_kwargs)
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib64/python3.12/contextlib.py", line 80, in inner
    with self._recreate_cm():
         ^^^^^^^^^^^^^^^^^^^
  File "/var/lib/awx/venv/awx/lib64/python3.12/site-packages/django/db/transaction.py", line 263, in __exit__
    connection.commit()
  File "/var/lib/awx/venv/awx/lib64/python3.12/site-packages/django/utils/asyncio.py", line 26, in inner
    return func(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^
  File "/var/lib/awx/venv/awx/lib64/python3.12/site-packages/django/db/backends/base/base.py", line 327, in commit
    self._commit()
  File "/var/lib/awx/venv/awx/lib64/python3.12/site-packages/django/db/backends/base/base.py", line 302, in _commit
    with debug_transaction(self, "COMMIT"), self.wrap_database_errors:
                                            ^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/var/lib/awx/venv/awx/lib64/python3.12/site-packages/django/db/utils.py", line 91, in __exit__
    raise dj_exc_value.with_traceback(traceback) from exc_value
  File "/var/lib/awx/venv/awx/lib64/python3.12/site-packages/django/db/backends/base/base.py", line 303, in _commit
    return self.connection.commit()
           ^^^^^^^^^^^^^^^^^^^^^^^^
  File "/var/lib/awx/venv/awx/lib64/python3.12/site-packages/psycopg/connection.py", line 274, in commit
    self.wait(self._commit_gen())
  File "/var/lib/awx/venv/awx/lib64/python3.12/site-packages/psycopg/connection.py", line 453, in wait
    return waiting.wait(gen, self.pgconn.socket, interval=interval)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/var/lib/awx/venv/awx/lib64/python3.12/site-packages/psycopg/waiting.py", line 354, in wait_poll
    s = gen.send(ready)
        ^^^^^^^^^^^^^^^
  File "/var/lib/awx/venv/awx/lib64/python3.12/site-packages/psycopg/_connection_base.py", line 581, in _commit_gen
    yield from self._exec_command(b"COMMIT")
  File "/var/lib/awx/venv/awx/lib64/python3.12/site-packages/psycopg/_connection_base.py", line 479, in _exec_command
    raise e.error_from_result(result, encoding=self.pgconn._encoding)
django.db.utils.IntegrityError: insert or update on table "dab_rbac_objectrole_provides_teams" violates foreign key constraint "dab_rbac_objectrole__objectrole_id_406b577e_fk_dab_rbac_"
DETAIL:  Key (objectrole_id)=(1772) is not present in table "dab_rbac_objectrole".
2026-04-14 22:29:23,107 ERROR    [cf3b32387b0d44fe9d183483accd5d53] django.request Internal Server Error: /api/controller/v2/teams/
Traceback (most recent call last):
  File "/var/lib/awx/venv/awx/lib64/python3.12/site-packages/django/db/backends/base/base.py", line 303, in _commit
    return self.connection.commit()
           ^^^^^^^^^^^^^^^^^^^^^^^^
  File "/var/lib/awx/venv/awx/lib64/python3.12/site-packages/psycopg/connection.py", line 274, in commit
    self.wait(self._commit_gen())
  File "/var/lib/awx/venv/awx/lib64/python3.12/site-packages/psycopg/connection.py", line 453, in wait
    return waiting.wait(gen, self.pgconn.socket, interval=interval)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/var/lib/awx/venv/awx/lib64/python3.12/site-packages/psycopg/waiting.py", line 354, in wait_poll
    s = gen.send(ready)
        ^^^^^^^^^^^^^^^
  File "/var/lib/awx/venv/awx/lib64/python3.12/site-packages/psycopg/_connection_base.py", line 581, in _commit_gen
    yield from self._exec_command(b"COMMIT")
  File "/var/lib/awx/venv/awx/lib64/python3.12/site-packages/psycopg/_connection_base.py", line 479, in _exec_command
    raise e.error_from_result(result, encoding=self.pgconn._encoding)
psycopg.errors.ForeignKeyViolation: insert or update on table "dab_rbac_objectrole_provides_teams" violates foreign key constraint "dab_rbac_objectrole__objectrole_id_406b577e_fk_dab_rbac_"
DETAIL:  Key (objectrole_id)=(1772) is not present in table "dab_rbac_objectrole".
The above exception was the direct cause of the following exception:
Traceback (most recent call last):
  File "/var/lib/awx/venv/awx/lib64/python3.12/site-packages/django/core/handlers/exception.py", line 55, in inner
    response = get_response(request)
               ^^^^^^^^^^^^^^^^^^^^^
  File "/var/lib/awx/venv/awx/lib64/python3.12/site-packages/django/core/handlers/base.py", line 197, in _get_response
    response = wrapped_callback(request, *callback_args, **callback_kwargs)
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib64/python3.12/contextlib.py", line 80, in inner
    with self._recreate_cm():
         ^^^^^^^^^^^^^^^^^^^
  File "/var/lib/awx/venv/awx/lib64/python3.12/site-packages/django/db/transaction.py", line 263, in __exit__
    connection.commit()
  File "/var/lib/awx/venv/awx/lib64/python3.12/site-packages/django/utils/asyncio.py", line 26, in inner
    return func(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^
  File "/var/lib/awx/venv/awx/lib64/python3.12/site-packages/django/db/backends/base/base.py", line 327, in commit
    self._commit()
  File "/var/lib/awx/venv/awx/lib64/python3.12/site-packages/django/db/backends/base/base.py", line 302, in _commit
    with debug_transaction(self, "COMMIT"), self.wrap_database_errors:
                                            ^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/var/lib/awx/venv/awx/lib64/python3.12/site-packages/django/db/utils.py", line 91, in __exit__
    raise dj_exc_value.with_traceback(traceback) from exc_value
  File "/var/lib/awx/venv/awx/lib64/python3.12/site-packages/django/db/backends/base/base.py", line 303, in _commit
    return self.connection.commit()
           ^^^^^^^^^^^^^^^^^^^^^^^^
  File "/var/lib/awx/venv/awx/lib64/python3.12/site-packages/psycopg/connection.py", line 274, in commit
    self.wait(self._commit_gen())
  File "/var/lib/awx/venv/awx/lib64/python3.12/site-packages/psycopg/connection.py", line 453, in wait
    return waiting.wait(gen, self.pgconn.socket, interval=interval)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/var/lib/awx/venv/awx/lib64/python3.12/site-packages/psycopg/waiting.py", line 354, in wait_poll
    s = gen.send(ready)
        ^^^^^^^^^^^^^^^
  File "/var/lib/awx/venv/awx/lib64/python3.12/site-packages/psycopg/_connection_base.py", line 581, in _commit_gen
    yield from self._exec_command(b"COMMIT")
  File "/var/lib/awx/venv/awx/lib64/python3.12/site-packages/psycopg/_connection_base.py", line 479, in _exec_command
    raise e.error_from_result(result, encoding=self.pgconn._encoding)
django.db.utils.IntegrityError: insert or update on table "dab_rbac_objectrole_provides_teams" violates foreign key constraint "dab_rbac_objectrole__objectrole_id_406b577e_fk_dab_rbac_"
DETAIL:  Key (objectrole_id)=(1772) is not present in table "dab_rbac_objectrole".

This happened due to requests dealing with 2 unrelated objects, which becomes a problem because of the global nature of the method here, compute_team_member_roles

This tries to introduce a reduced form of that method so that it can better isolate things and go faster.

This is heavily overlapping with

• AAP-70751 Optimize RBAC evaluation rebuilding by passing obj details for look-ahead #970
• [AAP-70854] Optimize JWT claims reconciliation performance #979

Because I think that 970 isn't hitting the worst inefficiency of the system. This should probably be a higher priority item. And I think 979 doesn't really approach this with clarity of mind. I think this will probably solve the issues that one is wanting to solve.

Type of Change

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to not work as expected)
• Documentation update
• Test update
• Refactoring (no functional changes)
• Development environment change
• Configuration change

Self-Review Checklist

• I have performed a self-review of my code
• I have added relevant comments to complex code sections
• I have updated documentation where needed
• I have considered the security impact of these changes
• I have considered performance implications
• I have thought about error handling and edge cases
• I have tested the changes in my local environment

Testing Instructions

Prerequisites

Steps to Test

Expected Results

Additional Context

Required Actions

• Requires documentation updates
• Requires downstream repository changes
• Requires infrastructure/deployment changes
• Requires coordination with other teams
• Blocked by PR/MR: #XXX

Screenshots/Logs

[coderabbitai]

Important

Review skipped

Draft detected.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Enterprise

Run ID: 00a609bf-c538-47bb-98b8-3ec670fa2538

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[AlanCoding]

Baby Yolo Results for Build 156 (containerized)

Ran a Baby Yolo with DAB_BRANCH=team_optimization / CONTROLLER_BRANCH=devel (AAP 2.8 / Devel). Result: UNSTABLE, 26 failures.

RBAC Assessment

Excluding known/unrelated failures (AzureAD infra, credential cross-org tests, EDA event streams, hub E2E, notification unicode, host metrics, license config), there are zero RBAC failures in this build.

Candidate Flaky 403 Tests This May Fix

Across 12 recent ansible/devel reference builds, the following RBAC tests each appeared as transient failures — getting an unexpected 403 Forbidden when the test expected a successful status code. All 4 passed in build #156 with this branch:

1. tests.rbac.test_projects.TestControllerProjectsRBAC.test_team_can_view_projects_with_role[Project Use-200-Controller]

   • Error: assert 403 == 200 — {"detail":"You do not have permission to perform this action."}
   • Seen in devel build Use more specific app name for resource registry #126 (1/12 builds)

2. tests.rbac.test_projects.TestControllerProjectsRBAC.test_user_can_delete_projects_with_role[Project Admin-204-Controller]

   • Error: assert 403 == 204 — {"detail":"Related job project_update ... is still processing"}
   • Seen in devel build Fix resource registry migrations #119 (1/12 builds)

3. tests.rbac.test_rbac_notification_templates.TestControllerRBACNotificationTemplates.test_team_can_test_notification_templates_with_role[Organization NotificationTemplate Admin-202-Gateway]

   • Error: assert 403 == 202 — {"detail":"You do not have permission to perform this action."}
   • Seen in devel build Move the local service name into settings #127 (1/12 builds)

4. tests.rbac.test_workflow_job_template_rbac.TestControllerRBACWorkflowJobTemplate.test_team_can_view_workflow_job_templates_with_role[WorkflowJobTemplate Execute-GLOBAL-200-Controller]

   • Error: assert 403 == 200 — {"detail":"You do not have permission to perform this action."}
   • Seen in devel build Allow system user in attribution fields #98 (1/12 builds)

Caveat

Each of these tests only failed in 1 out of 12 reference builds (~8% flake rate), so one passing run doesn't conclusively prove they're fixed. The failure pattern — role-based permission checks returning 403 when they shouldn't — is consistent with the race condition in compute_team_member_roles that this PR addresses (parallel requests interfering with each other's role computations). More runs would be needed to confirm the flake rate has dropped to zero.

[github-actions]

DVCS PR Check Results:

PR appears valid (JIRA key(s) found)

[sonarqubecloud]

Quality Gate failed

Failed conditions
1 New issue

See analysis details on SonarQube Cloud

Catch issues before they fail your Quality Gate with our IDE extension SonarQube for IDE