External-Mirrors/awx
2
0
Fork 0
mirror of https://github.com/ansible/awx.git synced 2026-03-24 04:15:02 -02:30
Code Issues Packages Projects Releases Wiki Activity

[AAP-64062] Enforce JWT-only authentication for Controller when deployed as part of AAP (#16283)

Browse Source 
After all settings are loaded, override DEFAULT_AUTHENTICATION_CLASSES
to only allow Gateway JWT authentication when RESOURCE_SERVER__URL is
set. This makes the lockdown immutable — no configuration file or
environment variable can re-enable legacy auth methods (Basic, Session,
OAuth2, Token).

This is the same pattern used by Hub (galaxy_ng) and EDA (eda-server)
for ANSTRAT-1840.

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
Hao Liu
2026-02-17 14:10:47 -05:00
committed by Adrià Sala
parent 36a1121cd8
commit 0d08a4da60
1 changed files with 9 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
awx/settings/__init__.py
View File

@@ -63,6 +63,15 @@ assert_production_settings(DYNACONF, settings_dir, settings_file_path)
# Load envvars at the end to allow them to override everything loaded so far # Load envvars at the end to allow them to override everything loaded so far
load_envvars(DYNACONF) load_envvars(DYNACONF)
# When deployed as part of AAP (RESOURCE_SERVER__URL is set), enforce JWT-only
# authentication. This ensures all requests go through the gateway and prevents
# direct API access to Controller bypassing the platform's authentication.
if DYNACONF.get('RESOURCE_SERVER__URL', None):
DYNACONF.set(
"REST_FRAMEWORK__DEFAULT_AUTHENTICATION_CLASSES",
['ansible_base.jwt_consumer.awx.auth.AwxJWTAuthentication'],
)
# This must run after all custom settings are loaded # This must run after all custom settings are loaded
DYNACONF.update( DYNACONF.update(
merge_application_name(DYNACONF), merge_application_name(DYNACONF),