Add a new setting, DISABLE_LOCAL_AUTH

and expose it in the settings UI.
2026-01-13 02:50:02 -03:30 · 2021-05-04 11:07:48 -04:00 · 2021-05-04 11:07:48 -04:00 · 26b7e9de40
commit 26b7e9de40
parent f2b2e64426
9 changed files with 47 additions and 10 deletions
--- a/awx/api/conf.py
+++ b/awx/api/conf.py
@ -27,6 +27,17 @@ register(
    category=_('Authentication'),
    category_slug='authentication',
 )
+register(
+    'DISABLE_LOCAL_AUTH',
+    field_class=fields.BooleanField,
+    label=_('Disable the built-in authentication system'),
+    help_text=_(
+        "Controls whether users are prevented from using the built-in authentication system. "
+        "You probably want to do this if you are using an LDAP or SAML integration."
+    ),
+    category=_('Authentication'),
+    category_slug='authentication',
+)
 register(
    'AUTH_BASIC_ENABLED',
    field_class=fields.BooleanField,
--- a/awx/main/conf.py
+++ b/awx/main/conf.py
@ -36,7 +36,7 @@ register(
    'ORG_ADMINS_CAN_SEE_ALL_USERS',
    field_class=fields.BooleanField,
    label=_('All Users Visible to Organization Admins'),
-    help_text=_('Controls whether any Organization Admin can view all users and teams, ' 'even those not associated with their Organization.'),
+    help_text=_('Controls whether any Organization Admin can view all users and teams, even those not associated with their Organization.'),
    category=_('System'),
    category_slug='system',
 )
@ -59,7 +59,7 @@ register(
    schemes=('http', 'https'),
    allow_plain_hostname=True,  # Allow hostname only without TLD.
    label=_('Base URL of the service'),
-    help_text=_('This setting is used by services like notifications to render ' 'a valid url to the service.'),
+    help_text=_('This setting is used by services like notifications to render a valid url to the service.'),
    category=_('System'),
    category_slug='system',
 )
@ -94,13 +94,12 @@ register(
    category_slug='system',
 )

-
 register(
    'LICENSE',
    field_class=fields.DictField,
    default=lambda: {},
    label=_('License'),
-    help_text=_('The license controls which features and functionality are ' 'enabled. Use /api/v2/config/ to update or change ' 'the license.'),
+    help_text=_('The license controls which features and functionality are enabled. Use /api/v2/config/ to update or change the license.'),
    category=_('System'),
    category_slug='system',
 )
@ -194,7 +193,7 @@ register(
    'CUSTOM_VENV_PATHS',
    field_class=fields.StringListPathField,
    label=_('Custom virtual environment paths'),
-    help_text=_('Paths where Tower will look for custom virtual environments ' '(in addition to /var/lib/awx/venv/). Enter one path per line.'),
+    help_text=_('Paths where Tower will look for custom virtual environments (in addition to /var/lib/awx/venv/). Enter one path per line.'),
    category=_('System'),
    category_slug='system',
    default=[],
@ -318,7 +317,7 @@ register(
    field_class=fields.BooleanField,
    default=False,
    label=_('Ignore Ansible Galaxy SSL Certificate Verification'),
-    help_text=_('If set to true, certificate validation will not be done when ' 'installing content from any Galaxy server.'),
+    help_text=_('If set to true, certificate validation will not be done when installing content from any Galaxy server.'),
    category=_('Jobs'),
    category_slug='jobs',
 )
@ -433,7 +432,7 @@ register(
    allow_null=False,
    default=200,
    label=_('Maximum number of forks per job'),
-    help_text=_('Saving a Job Template with more than this number of forks will result in an error. ' 'When set to 0, no limit is applied.'),
+    help_text=_('Saving a Job Template with more than this number of forks will result in an error. When set to 0, no limit is applied.'),
    category=_('Jobs'),
    category_slug='jobs',
 )
@ -454,7 +453,7 @@ register(
    allow_null=True,
    default=None,
    label=_('Logging Aggregator Port'),
-    help_text=_('Port on Logging Aggregator to send logs to (if required and not' ' provided in Logging Aggregator).'),
+    help_text=_('Port on Logging Aggregator to send logs to (if required and not provided in Logging Aggregator).'),
    category=_('Logging'),
    category_slug='logging',
    required=False,
@ -561,7 +560,7 @@ register(
    field_class=fields.IntegerField,
    default=5,
    label=_('TCP Connection Timeout'),
-    help_text=_('Number of seconds for a TCP connection to external log ' 'aggregator to timeout. Applies to HTTPS and TCP log ' 'aggregator protocols.'),
+    help_text=_('Number of seconds for a TCP connection to external log aggregator to timeout. Applies to HTTPS and TCP log aggregator protocols.'),
    category=_('Logging'),
    category_slug='logging',
    unit=_('seconds'),
@ -627,7 +626,7 @@ register(
    field_class=fields.BooleanField,
    default=False,
    label=_('Enable rsyslogd debugging'),
-    help_text=_('Enabled high verbosity debugging for rsyslogd.  ' 'Useful for debugging connection issues for external log aggregation.'),
+    help_text=_('Enabled high verbosity debugging for rsyslogd.  Useful for debugging connection issues for external log aggregation.'),
    category=_('Logging'),
    category_slug='logging',
 )
--- a/awx/settings/defaults.py
+++ b/awx/settings/defaults.py
@ -716,6 +716,7 @@ CALLBACK_QUEUE = "callback_tasks"
 # Note: This setting may be overridden by database settings.
 ORG_ADMINS_CAN_SEE_ALL_USERS = True
 MANAGE_ORGANIZATION_AUTH = True
+DISABLE_LOCAL_AUTH = False

 # Note: This setting may be overridden by database settings.
 TOWER_URL_BASE = "https://towerhost"
--- a/awx/ui_next/src/screens/Setting/MiscSystem/MiscSystemDetail/MiscSystemDetail.jsx
+++ b/awx/ui_next/src/screens/Setting/MiscSystem/MiscSystemDetail/MiscSystemDetail.jsx
@ -48,6 +48,7 @@ function MiscSystemDetail() {
        'INSIGHTS_TRACKING_STATE',
        'LOGIN_REDIRECT_OVERRIDE',
        'MANAGE_ORGANIZATION_AUTH',
+        'DISABLE_LOCAL_AUTH',
        'OAUTH2_PROVIDER',
        'ORG_ADMINS_CAN_SEE_ALL_USERS',
        'REDHAT_PASSWORD',
--- a/awx/ui_next/src/screens/Setting/MiscSystem/MiscSystemDetail/MiscSystemDetail.test.jsx
+++ b/awx/ui_next/src/screens/Setting/MiscSystem/MiscSystemDetail/MiscSystemDetail.test.jsx
@ -30,6 +30,7 @@ describe('<MiscSystemDetail />', () => {
        INSIGHTS_TRACKING_STATE: false,
        LOGIN_REDIRECT_OVERRIDE: 'https://redirect.com',
        MANAGE_ORGANIZATION_AUTH: true,
+        DISABLE_LOCAL_AUTH: false,
        OAUTH2_PROVIDER: {
          ACCESS_TOKEN_EXPIRE_SECONDS: 1,
          AUTHORIZATION_CODE_EXPIRE_SECONDS: 2,
--- a/awx/ui_next/src/screens/Setting/MiscSystem/MiscSystemEdit/MiscSystemEdit.jsx
+++ b/awx/ui_next/src/screens/Setting/MiscSystem/MiscSystemEdit/MiscSystemEdit.jsx
@ -48,6 +48,7 @@ function MiscSystemEdit() {
        'INSIGHTS_TRACKING_STATE',
        'LOGIN_REDIRECT_OVERRIDE',
        'MANAGE_ORGANIZATION_AUTH',
+        'DISABLE_LOCAL_AUTH',
        'OAUTH2_PROVIDER',
        'ORG_ADMINS_CAN_SEE_ALL_USERS',
        'REDHAT_PASSWORD',
@ -261,6 +262,10 @@ function MiscSystemEdit() {
                    name="MANAGE_ORGANIZATION_AUTH"
                    config={system.MANAGE_ORGANIZATION_AUTH}
                  />
+                  <BooleanField
+                    name="DISABLE_LOCAL_AUTH"
+                    config={system.DISABLE_LOCAL_AUTH}
+                  />
                  <InputField
                    name="SESSION_COOKIE_AGE"
                    config={system.SESSION_COOKIE_AGE}
--- a/awx/ui_next/src/screens/Setting/MiscSystem/MiscSystemEdit/MiscSystemEdit.test.jsx
+++ b/awx/ui_next/src/screens/Setting/MiscSystem/MiscSystemEdit/MiscSystemEdit.test.jsx
@ -31,6 +31,7 @@ const systemData = {
  INSIGHTS_TRACKING_STATE: false,
  LOGIN_REDIRECT_OVERRIDE: '',
  MANAGE_ORGANIZATION_AUTH: true,
+  DISABLE_LOCAL_AUTH: false,
  OAUTH2_PROVIDER: {
    ACCESS_TOKEN_EXPIRE_SECONDS: 31536000000,
    AUTHORIZATION_CODE_EXPIRE_SECONDS: 600,
--- a/awx/ui_next/src/screens/Setting/shared/data.allSettingOptions.json
+++ b/awx/ui_next/src/screens/Setting/shared/data.allSettingOptions.json
@ -34,6 +34,14 @@
              "category_slug": "system",
              "defined_in_file": false
          },
+          "DISABLE_LOCAL_AUTH": {
+              "type": "boolean",
+              "label": "Disable the built-in authentication system",
+              "help_text": "Controls whether users are prevented from using the built-in authentication system. You probably want to do this if you are using an LDAP or SAML integration.",
+              "category": "Authentication",
+              "category_slug": "authentication",
+              "defined_in_file": false
+          },
          "TOWER_URL_BASE": {
              "type": "string",
              "label": "Base URL of the service",
@ -2959,6 +2967,15 @@
              "category_slug": "system",
              "default": true
          },
+          "DISABLE_LOCAL_AUTH": {
+              "type": "boolean",
+              "required": true,
+              "label": "Disable the built-in authentication system",
+              "help_text": "Controls whether users are prevented from using the built-in authentication system. You probably want to do this if you are using an LDAP or SAML integration.",
+              "category": "Authentication",
+              "category_slug": "authentication",
+              "default": false
+          },
          "TOWER_URL_BASE": {
              "type": "string",
              "required": true,
--- a/awx/ui_next/src/screens/Setting/shared/data.allSettings.json
+++ b/awx/ui_next/src/screens/Setting/shared/data.allSettings.json
@ -3,6 +3,7 @@
  "ACTIVITY_STREAM_ENABLED_FOR_INVENTORY_SYNC":false,
  "ORG_ADMINS_CAN_SEE_ALL_USERS":true,
  "MANAGE_ORGANIZATION_AUTH":true,
+  "DISABLE_LOCAL_AUTH":false,
  "TOWER_URL_BASE":"https://localhost:3000",
  "REMOTE_HOST_HEADERS":["REMOTE_ADDR","REMOTE_HOST"],
  "PROXY_IP_ALLOWED_LIST":[],