feat(authorization): release RBAC tables from dojo state to managed=False shells

Migration 0268_release_rbac_state.py flips the seven RBAC models in dojo's
app state to ``managed=False`` via AlterModelOptions. Pairs with
``pro.0049_adopt_rbac_tables`` (Pro creates the same models in its state
via SeparateDatabaseAndState with state_operations only). Together the two
migrations transfer schema ownership from dojo to pro without running any
DDL — the underlying tables are bit-for-bit unchanged, every existing row
stays in place, and constraints / indexes are not touched.

The model class definitions remain in dojo/authorization/models.py as
managed=False shells with related_name="+" on every FK to a dojo-owned
model (suppresses reverse-accessor name clashes against Pro's now-managed
copies). Track B step DefectDojo#13 simplifies the OS callers that still
isinstance-check or import these classes; at that point the shells are
deleted entirely and OS-only deployments stop carrying their dead weight.

Verified end-to-end:
  - ``migrate`` applies pro.0049 → dojo.0268 in correct cross-app order
    (run_before on the pro migration enforces it).
  - ``select count(*) from dojo_role/dojo_global_role/dojo_product_member``
    unchanged after migration; no rows moved or rebuilt.
  - Pro queries ``Role.objects.count()`` returns the same row counts via
    the new pro app state.
  - Reverse accessor ``product.product_member_set.all()`` resolves to
    Pro's Product_Member instances (the canonical owner now).
  - 442 tests across pro/authorization, pro/api/authorization, api_helpers,
    and dashboard/test_views_extended remain green.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: devGregA

dojo/authorization/models.py

@@ -1,3 +1,18 @@
+"""
+Legacy backward-compat shells for the seven RBAC model classes.
+
+The canonical owner of these tables is now ``pro.authorization.models``.
+After the paired ``SeparateDatabaseAndState`` migrations land
+(``dojo.0268_release_rbac_state`` + ``pro.000X_adopt_rbac_tables``),
+Pro's state owns the seven RBAC tables and OS's app state no longer
+references them.
+
+The class definitions remain here as ``managed=False`` shells purely so
+the existing OS code that imports / isinstance-checks ``dojo.authorization
+.models.X`` keeps compiling. Track B step #13 simplifies the callers and
+deletes these shells entirely; until that lands, the shells let OS-only
+deployments stay functional with the legacy authorization model.
+"""
 from django.db import models
 from django.utils.translation import gettext_lazy as _
 
@@ -8,61 +23,89 @@ class Role(models.Model):
 
     class Meta:
         app_label = "dojo"
+        db_table = "dojo_role"
+        managed = False
         ordering = ("name",)
 
     def __str__(self):
         return self.name
 
 
 class Dojo_Group_Member(models.Model):
-    group = models.ForeignKey("dojo.Dojo_Group", on_delete=models.CASCADE)
-    user = models.ForeignKey("dojo.Dojo_User", on_delete=models.CASCADE)
-    role = models.ForeignKey(Role, on_delete=models.CASCADE, help_text=_("This role determines the permissions of the user to manage the group."), verbose_name=_("Group role"))
+    group = models.ForeignKey("dojo.Dojo_Group", on_delete=models.CASCADE, related_name="+")
+    user = models.ForeignKey("dojo.Dojo_User", on_delete=models.CASCADE, related_name="+")
+    role = models.ForeignKey(
+        Role,
+        on_delete=models.CASCADE,
+        related_name="+",
+        help_text=_("This role determines the permissions of the user to manage the group."),
+        verbose_name=_("Group role"),
+    )
 
     class Meta:
         app_label = "dojo"
+        db_table = "dojo_dojo_group_member"
+        managed = False
 
 
 class Global_Role(models.Model):
-    user = models.OneToOneField("dojo.Dojo_User", null=True, blank=True, on_delete=models.CASCADE)
-    group = models.OneToOneField("dojo.Dojo_Group", null=True, blank=True, on_delete=models.CASCADE)
-    role = models.ForeignKey(Role, on_delete=models.CASCADE, null=True, blank=True, help_text=_("The global role will be applied to all product types and products."), verbose_name=_("Global role"))
+    user = models.OneToOneField("dojo.Dojo_User", null=True, blank=True, on_delete=models.CASCADE, related_name="+")
+    group = models.OneToOneField("dojo.Dojo_Group", null=True, blank=True, on_delete=models.CASCADE, related_name="+")
+    role = models.ForeignKey(
+        Role,
+        on_delete=models.CASCADE,
+        null=True,
+        blank=True,
+        related_name="+",
+        help_text=_("The global role will be applied to all product types and products."),
+        verbose_name=_("Global role"),
+    )
 
     class Meta:
         app_label = "dojo"
+        db_table = "dojo_global_role"
+        managed = False
 
 
 class Product_Member(models.Model):
-    product = models.ForeignKey("dojo.Product", on_delete=models.CASCADE)
-    user = models.ForeignKey("dojo.Dojo_User", on_delete=models.CASCADE)
-    role = models.ForeignKey(Role, on_delete=models.CASCADE)
+    product = models.ForeignKey("dojo.Product", on_delete=models.CASCADE, related_name="+")
+    user = models.ForeignKey("dojo.Dojo_User", on_delete=models.CASCADE, related_name="+")
+    role = models.ForeignKey(Role, on_delete=models.CASCADE, related_name="+")
 
     class Meta:
         app_label = "dojo"
+        db_table = "dojo_product_member"
+        managed = False
 
 
 class Product_Group(models.Model):
-    product = models.ForeignKey("dojo.Product", on_delete=models.CASCADE)
-    group = models.ForeignKey("dojo.Dojo_Group", on_delete=models.CASCADE)
-    role = models.ForeignKey(Role, on_delete=models.CASCADE)
+    product = models.ForeignKey("dojo.Product", on_delete=models.CASCADE, related_name="+")
+    group = models.ForeignKey("dojo.Dojo_Group", on_delete=models.CASCADE, related_name="+")
+    role = models.ForeignKey(Role, on_delete=models.CASCADE, related_name="+")
 
     class Meta:
         app_label = "dojo"
+        db_table = "dojo_product_group"
+        managed = False
 
 
 class Product_Type_Member(models.Model):
-    product_type = models.ForeignKey("dojo.Product_Type", on_delete=models.CASCADE)
-    user = models.ForeignKey("dojo.Dojo_User", on_delete=models.CASCADE)
-    role = models.ForeignKey(Role, on_delete=models.CASCADE)
+    product_type = models.ForeignKey("dojo.Product_Type", on_delete=models.CASCADE, related_name="+")
+    user = models.ForeignKey("dojo.Dojo_User", on_delete=models.CASCADE, related_name="+")
+    role = models.ForeignKey(Role, on_delete=models.CASCADE, related_name="+")
 
     class Meta:
         app_label = "dojo"
+        db_table = "dojo_product_type_member"
+        managed = False
 
 
 class Product_Type_Group(models.Model):
-    product_type = models.ForeignKey("dojo.Product_Type", on_delete=models.CASCADE)
-    group = models.ForeignKey("dojo.Dojo_Group", on_delete=models.CASCADE)
-    role = models.ForeignKey(Role, on_delete=models.CASCADE)
+    product_type = models.ForeignKey("dojo.Product_Type", on_delete=models.CASCADE, related_name="+")
+    group = models.ForeignKey("dojo.Dojo_Group", on_delete=models.CASCADE, related_name="+")
+    role = models.ForeignKey(Role, on_delete=models.CASCADE, related_name="+")
 
     class Meta:
         app_label = "dojo"
+        db_table = "dojo_product_type_group"
+        managed = False

dojo/db_migrations/0268_release_rbac_state.py

@@ -0,0 +1,60 @@
+"""
+Release the RBAC tables from dojo's app state.
+
+Pairs with ``pro.0049_adopt_rbac_tables``: Pro adopts the seven RBAC
+tables (``dojo_role``, ``dojo_global_role``, ``dojo_dojo_group_member``,
+``dojo_product_member``, ``dojo_product_group``, ``dojo_product_type_member``,
+``dojo_product_type_group``) into Pro's app state via a state-only
+``CreateModel`` for each. This migration flips the same seven models in
+dojo's state to ``managed=False`` so dojo never issues DDL for them again.
+
+Together this ownership transfer is bit-for-bit non-destructive: no DDL
+runs, no rows move, no constraints are dropped or rebuilt. The tables
+sit dormant in OS-only deployments (used only by Pro) and continue to
+hold whatever data the customer's deployment had.
+
+The model class definitions in ``dojo/authorization/models.py`` remain as
+``managed=False`` shells until Track B step #13 simplifies the OS callers
+that still ``isinstance``-check / import them; at that point the shells
+go away entirely. Pro's ``apps.ready()`` symbol shadowing keeps the
+RBAC code paths active under Pro deployments regardless.
+"""
+from django.db import migrations
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("dojo", "0267_backfill_authorized_users"),
+    ]
+
+    operations = [
+        migrations.AlterModelOptions(
+            name="dojo_group_member",
+            options={"managed": False},
+        ),
+        migrations.AlterModelOptions(
+            name="global_role",
+            options={"managed": False},
+        ),
+        migrations.AlterModelOptions(
+            name="product_group",
+            options={"managed": False},
+        ),
+        migrations.AlterModelOptions(
+            name="product_member",
+            options={"managed": False},
+        ),
+        migrations.AlterModelOptions(
+            name="product_type_group",
+            options={"managed": False},
+        ),
+        migrations.AlterModelOptions(
+            name="product_type_member",
+            options={"managed": False},
+        ),
+        migrations.AlterModelOptions(
+            name="role",
+            options={"managed": False, "ordering": ("name",)},
+        ),
+    ]