cognifloyd
diff --git a/‎scripts/travis/install-requirements.sh
+1-1 b/‎scripts/travis/install-requirements.sh
+1-1
diff --git a/‎st2api/st2api/controllers/base.py
+2-1 b/‎st2api/st2api/controllers/base.py
+2-1
diff --git a/‎st2api/st2api/controllers/resource.py
+6-1 b/‎st2api/st2api/controllers/resource.py
+6-1
diff --git a/‎st2api/st2api/controllers/v1/action_views.py
+3-1 b/‎st2api/st2api/controllers/v1/action_views.py
+3-1
diff --git a/‎st2api/st2api/controllers/v1/actionalias.py
+4-2 b/‎st2api/st2api/controllers/v1/actionalias.py
+4-2
diff --git a/‎st2api/st2api/controllers/v1/actionexecutions.py
+10-8 b/‎st2api/st2api/controllers/v1/actionexecutions.py
+10-8
diff --git a/‎st2api/st2api/controllers/v1/actions.py
+4-1 b/‎st2api/st2api/controllers/v1/actions.py
+4-1
diff --git a/‎st2api/st2api/controllers/v1/aliasexecution.py
+7-5 b/‎st2api/st2api/controllers/v1/aliasexecution.py
+7-5
diff --git a/‎st2api/st2api/controllers/v1/auth.py
+5-1 b/‎st2api/st2api/controllers/v1/auth.py
+5-1
diff --git a/‎st2api/st2api/controllers/v1/inquiries.py
+2-1 b/‎st2api/st2api/controllers/v1/inquiries.py
+2-1
@@ -1,7 +1,7 @@
 #!/usr/bin/env bash
 
 if [ "${TASK}" = 'compilepy3 ci-py3-unit' ] || [ "${TASK}" = 'ci-py3-integration' ]; then
-    pip install "tox==3.5.2"
+    pip install "tox==3.7.0"
 
     # Install runners
     . virtualenv/bin/activate
 
@@ -18,7 +18,7 @@
 from six.moves.urllib import parse as urlparse  # pylint: disable=import-error
 
 from st2api.controllers.controller_transforms import transform_to_bool
-from st2common.rbac import utils as rbac_utils
+from st2common.rbac.backends import get_rbac_backend
 
 __all__ = [
     'BaseRestControllerMixin'
@@ -77,6 +77,7 @@ def _get_mask_secrets(self, requester_user, show_secrets=None):
         """
         mask_secrets = cfg.CONF.api.mask_secrets
 
+        rbac_utils = get_rbac_backend().get_utils_class()
         if show_secrets and rbac_utils.user_is_admin(user_db=requester_user):
             mask_secrets = False
 
 
@@ -27,7 +27,7 @@
 from st2common.models.system.common import ResourceReference
 from st2common.exceptions.db import StackStormDBObjectNotFoundError
 from st2common.exceptions.rbac import ResourceAccessDeniedPermissionIsolationError
-from st2common.rbac import utils as rbac_utils
+from st2common.rbac.backends import get_rbac_backend
 from st2common.exceptions.rbac import AccessDeniedError
 from st2common.util import schema as util_schema
 from st2common.router import abort
@@ -277,6 +277,7 @@ def _get_one_by_id(self, id, requester_user, permission_type, exclude_fields=Non
                                    include_fields=include_fields)
 
         if permission_type:
+            rbac_utils = get_rbac_backend().get_utils_class()
             rbac_utils.assert_user_has_resource_db_permission(user_db=requester_user,
                                                               resource_db=instance,
                                                               permission_type=permission_type)
@@ -314,6 +315,7 @@ def _get_one_by_name_or_id(self, name_or_id, requester_user, permission_type,
                                            include_fields=include_fields)
 
         if permission_type:
+            rbac_utils = get_rbac_backend().get_utils_class()
             rbac_utils.assert_user_has_resource_db_permission(user_db=requester_user,
                                                               resource_db=instance,
                                                               permission_type=permission_type)
@@ -485,6 +487,7 @@ def resource_model_filter(self, model, instance, requester_user=None, **from_mod
 
             return result
 
+        rbac_utils = get_rbac_backend().get_utils_class()
         user_is_admin = rbac_utils.user_is_admin(user_db=requester_user)
         user_is_system_user = (requester_user.name == cfg.CONF.system_user.user)
 
@@ -524,6 +527,7 @@ def _get_one(self, ref_or_id, requester_user, permission_type, exclude_fields=No
             return
 
         if permission_type:
+            rbac_utils = get_rbac_backend().get_utils_class()
             rbac_utils.assert_user_has_resource_db_permission(user_db=requester_user,
                                                               resource_db=instance,
                                                               permission_type=permission_type)
@@ -617,6 +621,7 @@ def validate_limit_query_param(limit, requester_user=None):
     Note: We only perform max_page_size check for non-admin users. Admin users
     can provide arbitrary limit value.
     """
+    rbac_utils = get_rbac_backend().get_utils_class()
     user_is_admin = rbac_utils.user_is_admin(user_db=requester_user)
 
     if limit:
 
@@ -29,7 +29,7 @@
 from st2common.persistence.action import Action
 from st2common.persistence.runner import RunnerType
 from st2common.rbac.types import PermissionType
-from st2common.rbac import utils as rbac_utils
+from st2common.rbac.backends import get_rbac_backend
 from st2common.router import abort
 from st2common.router import Response
 
@@ -90,6 +90,7 @@ def _get_one(action_id, requester_user):
         action_db = LookupUtils._get_action_by_id(action_id)
 
         permission_type = PermissionType.ACTION_VIEW
+        rbac_utils = get_rbac_backend().get_utils_class()
         rbac_utils.assert_user_has_resource_db_permission(user_db=requester_user,
                                                           resource_db=action_db,
                                                           permission_type=permission_type)
@@ -210,6 +211,7 @@ def get_one(self, ref_or_id, requester_user):
         action_db = self._get_by_ref_or_id(ref_or_id=ref_or_id)
 
         permission_type = PermissionType.ACTION_VIEW
+        rbac_utils = get_rbac_backend().get_utils_class()
         rbac_utils.assert_user_has_resource_db_permission(user_db=requester_user,
                                                           resource_db=action_db,
                                                           permission_type=permission_type)
 
@@ -23,8 +23,7 @@
 from st2common.models.api.action import ActionAliasAPI
 from st2common.persistence.actionalias import ActionAlias
 from st2common.rbac.types import PermissionType
-from st2common.rbac import utils as rbac_utils
-
+from st2common.rbac.backends import get_rbac_backend
 from st2common.router import abort
 from st2common.router import Response
 from st2common.util.actionalias_matching import get_matching_alias
@@ -119,6 +118,7 @@ def post(self, action_alias, requester_user):
         """
 
         permission_type = PermissionType.ACTION_ALIAS_CREATE
+        rbac_utils = get_rbac_backend().get_utils_class()
         rbac_utils.assert_user_has_resource_api_permission(user_db=requester_user,
                                                            resource_api=action_alias,
                                                            permission_type=permission_type)
@@ -151,6 +151,7 @@ def put(self, action_alias, ref_or_id, requester_user):
                   action_alias_db)
 
         permission_type = PermissionType.ACTION_ALIAS_MODIFY
+        rbac_utils = get_rbac_backend().get_utils_class()
         rbac_utils.assert_user_has_resource_db_permission(user_db=requester_user,
                                                           resource_db=action_alias_db,
                                                           permission_type=permission_type)
@@ -190,6 +191,7 @@ def delete(self, ref_or_id, requester_user):
                   action_alias_db)
 
         permission_type = PermissionType.ACTION_ALIAS_DELETE
+        rbac_utils = get_rbac_backend().get_utils_class()
         rbac_utils.assert_user_has_resource_db_permission(user_db=requester_user,
                                                           resource_db=action_alias_db,
                                                           permission_type=permission_type)
 
@@ -47,15 +47,12 @@
 from st2common.services import action as action_service
 from st2common.services import executions as execution_service
 from st2common.services import trace as trace_service
-from st2common.services import rbac as rbac_service
 from st2common.util import isotime
 from st2common.util import action_db as action_utils
 from st2common.util import param as param_utils
 from st2common.util.jsonify import try_loads
 from st2common.rbac.types import PermissionType
-from st2common.rbac import utils as rbac_utils
-from st2common.rbac.utils import assert_user_has_resource_db_permission
-from st2common.rbac.utils import assert_user_is_admin_if_user_query_param_is_provided
+from st2common.rbac.backends import get_rbac_backend
 
 __all__ = [
     'ActionExecutionsController'
@@ -118,13 +115,16 @@ def _handle_schedule_execution(self, liveaction_api, requester_user, context_str
             abort(http_client.BAD_REQUEST, message)
 
         # Assert the permissions
-        assert_user_has_resource_db_permission(user_db=requester_user, resource_db=action_db,
-                                               permission_type=PermissionType.ACTION_EXECUTE)
+        permission_type = PermissionType.ACTION_EXECUTE
+        rbac_utils = get_rbac_backend().get_utils_class()
+        rbac_utils.assert_user_has_resource_db_permission(user_db=requester_user,
+                                                          resource_db=action_db,
+                                                          permission_type=permission_type)
 
         # Validate that the authenticated user is admin if user query param is provided
         user = liveaction_api.user or requester_user.name
-        assert_user_is_admin_if_user_query_param_is_provided(user_db=requester_user,
-                                                             user=user)
+        rbac_utils.assert_user_is_admin_if_user_query_param_is_provided(user_db=requester_user,
+                                                                        user=user)
 
         try:
             return self._schedule_execution(liveaction=liveaction_api,
@@ -169,6 +169,7 @@ def _schedule_execution(self, liveaction, requester_user, action_db, user=None,
         # Include RBAC context (if RBAC is available and enabled)
         if cfg.CONF.rbac.enable:
             user_db = UserDB(name=user)
+            rbac_service = get_rbac_backend().get_service_class()
             role_dbs = rbac_service.get_roles_for_user(user_db=user_db, include_remote=True)
             roles = [role_db.name for role_db in role_dbs]
             liveaction.context['rbac'] = {
@@ -299,6 +300,7 @@ def get(self, id, attribute, requester_user):
         action_exec_db = self.access.impl.model.objects.filter(id=id).only(*fields).get()
 
         permission_type = PermissionType.EXECUTION_VIEW
+        rbac_utils = get_rbac_backend().get_utils_class()
         rbac_utils.assert_user_has_resource_db_permission(user_db=requester_user,
                                                           resource_db=action_exec_db,
                                                           permission_type=permission_type)
 
@@ -33,7 +33,7 @@
 from st2common.models.api.action import ActionAPI
 from st2common.persistence.pack import Pack
 from st2common.rbac.types import PermissionType
-from st2common.rbac import utils as rbac_utils
+from st2common.rbac.backends import get_rbac_backend
 from st2common.router import abort
 from st2common.router import Response
 from st2common.validators.api.misc import validate_not_part_of_system_pack
@@ -100,6 +100,7 @@ def post(self, action, requester_user):
         """
 
         permission_type = PermissionType.ACTION_CREATE
+        rbac_utils = get_rbac_backend().get_utils_class()
         rbac_utils.assert_user_has_resource_api_permission(user_db=requester_user,
                                                            resource_api=action,
                                                            permission_type=permission_type)
@@ -144,6 +145,7 @@ def put(self, action, ref_or_id, requester_user):
 
         # Assert permissions
         permission_type = PermissionType.ACTION_MODIFY
+        rbac_utils = get_rbac_backend().get_utils_class()
         rbac_utils.assert_user_has_resource_db_permission(user_db=requester_user,
                                                           resource_db=action_db,
                                                           permission_type=permission_type)
@@ -199,6 +201,7 @@ def delete(self, ref_or_id, requester_user):
         action_id = action_db.id
 
         permission_type = PermissionType.ACTION_DELETE
+        rbac_utils = get_rbac_backend().get_utils_class()
         rbac_utils.assert_user_has_resource_db_permission(user_db=requester_user,
                                                           resource_db=action_db,
                                                           permission_type=permission_type)
 
@@ -13,12 +13,11 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
+import six
 import jsonschema
 from jinja2.exceptions import UndefinedError
 from oslo_config import cfg
 
-import six
-
 from st2api.controllers.base import BaseRestControllerMixin
 from st2common import log as logging
 from st2common.exceptions.actionalias import ActionAliasAmbiguityException
@@ -39,7 +38,7 @@
 from st2common.util.actionalias_matching import get_matching_alias
 from st2common.util.jinja import render_values as render
 from st2common.rbac.types import PermissionType
-from st2common.rbac.utils import assert_user_has_resource_db_permission
+from st2common.rbac.backends import get_rbac_backend
 from st2common.router import abort
 from st2common.router import Response
 
@@ -220,8 +219,11 @@ def _schedule_execution(self, action_alias_db, params, notify, context, requeste
         if not action_db:
             raise StackStormDBObjectNotFoundError('Action with ref "%s" not found ' % (action_ref))
 
-        assert_user_has_resource_db_permission(user_db=requester_user, resource_db=action_db,
-                                               permission_type=PermissionType.ACTION_EXECUTE)
+        rbac_utils = get_rbac_backend().get_utils_class()
+        permission_type = PermissionType.ACTION_EXECUTE
+        rbac_utils.assert_user_has_resource_db_permission(user_db=requester_user,
+                                                          resource_db=action_db,
+                                                          permission_type=permission_type)
 
         try:
             # prior to shipping off the params cast them to the right type.
 
@@ -28,7 +28,7 @@
 from st2common.exceptions.db import StackStormDBObjectNotFoundError
 from st2common.persistence.auth import ApiKey, User
 from st2common.rbac.types import PermissionType
-from st2common.rbac import utils as rbac_utils
+from st2common.rbac.backends import get_rbac_backend
 from st2common.router import abort
 from st2common.router import Response
 from st2common.util import auth as auth_util
@@ -77,6 +77,7 @@ def get_one(self, api_key_id_or_key, requester_user, show_secrets=None):
             abort(http_client.NOT_FOUND, msg)
 
         permission_type = PermissionType.API_KEY_VIEW
+        rbac_utils = get_rbac_backend().get_utils_class()
         rbac_utils.assert_user_has_resource_db_permission(user_db=requester_user,
                                                           resource_db=api_key_db,
                                                           permission_type=permission_type)
@@ -127,6 +128,7 @@ def post(self, api_key_api, requester_user):
         """
 
         permission_type = PermissionType.API_KEY_CREATE
+        rbac_utils = get_rbac_backend().get_utils_class()
         rbac_utils.assert_user_has_resource_api_permission(user_db=requester_user,
                                                            resource_api=api_key_api,
                                                            permission_type=permission_type)
@@ -175,6 +177,7 @@ def put(self, api_key_api, api_key_id_or_key, requester_user):
         api_key_db = ApiKey.get_by_key_or_id(api_key_id_or_key)
 
         permission_type = PermissionType.API_KEY_MODIFY
+        rbac_utils = get_rbac_backend().get_utils_class()
         rbac_utils.assert_user_has_resource_db_permission(user_db=requester_user,
                                                           resource_db=api_key_db,
                                                           permission_type=permission_type)
@@ -221,6 +224,7 @@ def delete(self, api_key_id_or_key, requester_user):
         api_key_db = ApiKey.get_by_key_or_id(api_key_id_or_key)
 
         permission_type = PermissionType.API_KEY_DELETE
+        rbac_utils = get_rbac_backend().get_utils_class()
         rbac_utils.assert_user_has_resource_db_permission(user_db=requester_user,
                                                           resource_db=api_key_db,
                                                           permission_type=permission_type)
 
@@ -29,7 +29,7 @@
 from st2common.models.api import inquiry as inqy_api_models
 from st2common.persistence import execution as ex_db_access
 from st2common.rbac import types as rbac_types
-from st2common.rbac import utils as rbac_utils
+from st2common.rbac.backends import get_rbac_backend
 from st2common import router as api_router
 from st2common.services import inquiry as inquiry_service
 
@@ -222,6 +222,7 @@ def _get_one_by_id(self, id, requester_user, permission_type,
         LOG.debug('Checking permission on inquiry "%s".' % id)
 
         if permission_type:
+            rbac_utils = get_rbac_backend().get_utils_class()
             rbac_utils.assert_user_has_resource_db_permission(
                 user_db=requester_user,
                 resource_db=execution_db,