RedHatInsights · EvanCasey13 · Jan 21, 2025 · Jan 22, 2025 · Jan 30, 2025 · Jan 30, 2025
diff --git a/rbac/api/cross_access/serializer.py b/rbac/api/cross_access/serializer.py
@@ -111,9 +111,8 @@ def get_roles(self, obj):
     def validate_roles(self, roles):
         """Format role list as expected for cross-account-request."""
         public_tenant = Tenant.objects.get(tenant_name="public")
-
         role_display_names = [role["display_name"] for role in roles]
-        roles_queryset = Role.objects.filter(tenant=public_tenant, display_name__in=role_display_names)
+        roles_queryset = Role.objects.filter(display_name__in=role_display_names, tenant=public_tenant)
         role_dict = {role.display_name: role for role in roles_queryset}
 
         system_role_uuids = []

diff --git a/rbac/management/group/definer.py b/rbac/management/group/definer.py
@@ -104,7 +104,6 @@ def clone_default_group_in_public_schema(group, tenant) -> Optional[Group]:
     else:
         group_uuid = uuid4()
 
-    public_tenant = Tenant.objects.get(tenant_name="public")
     tenant_default_policy = group.policies.get(system=True)
     group.name = "Custom default access"
     group.system = False
@@ -118,7 +117,7 @@ def clone_default_group_in_public_schema(group, tenant) -> Optional[Group]:
     if Group.objects.filter(name=group.name, platform_default=group.platform_default, tenant=tenant):
         # TODO: returning none can break other code
         return None
-    public_default_roles = Role.objects.filter(platform_default=True, tenant=public_tenant)
+    public_default_roles = Role.objects.filter(platform_default=True).public_tenant_only()
 
     group.save()
     tenant_default_policy.group = group
@@ -148,8 +147,7 @@ def add_roles(group, roles_or_role_ids, tenant, user=None):
     if system_policy_created:
         logger.info(f"Created new system policy for tenant {tenant.org_id}.")
 
-    system_roles = roles.filter(tenant=Tenant.objects.get(tenant_name="public"))
-
+    system_roles = roles.public_tenant_only()
     # Custom roles are locked to prevent resources from being added/removed concurrently,
     # in the case that the Roles had _no_ resources specified to begin with.
     # This should not be necessary for system roles.

diff --git a/rbac/management/role/serializer.py b/rbac/management/role/serializer.py
@@ -22,7 +22,6 @@
 from management.utils import filter_queryset_by_tenant, get_principal, validate_and_get_key
 from rest_framework import serializers
 
-from api.models import Tenant
 from .model import Access, BindingMapping, Permission, ResourceDefinition, Role
 from ..querysets import ORG_ID_SCOPE, PRINCIPAL_SCOPE, SCOPE_KEY, VALID_SCOPES
 
@@ -359,11 +358,9 @@ def obtain_groups_in(obj, request):
     else:
         assigned_groups = filter_queryset_by_tenant(Group.objects.filter(policies__in=policy_ids), request.tenant)
 
-    public_tenant = Tenant.objects.get(tenant_name="public")
-
     platform_default_groups = Group.platform_default_set().filter(tenant=request.tenant).filter(
         policies__in=policy_ids
-    ) or Group.platform_default_set().filter(tenant=public_tenant).filter(policies__in=policy_ids)
+    ) or Group.platform_default_set().public_tenant_only().filter(policies__in=policy_ids)
 
     if username_param and scope_param != PRINCIPAL_SCOPE:
         is_org_admin = request.user_from_query.admin
@@ -375,7 +372,7 @@ def obtain_groups_in(obj, request):
     if is_org_admin:
         admin_default_groups = Group.admin_default_set().filter(tenant=request.tenant).filter(
             policies__in=policy_ids
-        ) or Group.admin_default_set().filter(tenant=public_tenant).filter(policies__in=policy_ids)
+        ) or Group.admin_default_set().public_tenant_only().filter(policies__in=policy_ids)
 
         qs = qs | admin_default_groups