Add a new setting, DISABLE_LOCAL_AUTH

and expose it in the settings UI.

awx/api/conf.py

@@ -27,6 +27,17 @@ register(
     category=_('Authentication'),
     category_slug='authentication',
 )
+register(
+    'DISABLE_LOCAL_AUTH',
+    field_class=fields.BooleanField,
+    label=_('Disable the built-in authentication system'),
+    help_text=_(
+        "Controls whether users are prevented from using the built-in authentication system. "
+        "You probably want to do this if you are using an LDAP or SAML integration."
+    ),
+    category=_('Authentication'),
+    category_slug='authentication',
+)
 register(
     'AUTH_BASIC_ENABLED',
     field_class=fields.BooleanField,

awx/main/conf.py

@@ -36,7 +36,7 @@ register(
     'ORG_ADMINS_CAN_SEE_ALL_USERS',
     field_class=fields.BooleanField,
     label=_('All Users Visible to Organization Admins'),
-    help_text=_('Controls whether any Organization Admin can view all users and teams, ' 'even those not associated with their Organization.'),
+    help_text=_('Controls whether any Organization Admin can view all users and teams, even those not associated with their Organization.'),
     category=_('System'),
     category_slug='system',
 )
@@ -59,7 +59,7 @@ register(
     schemes=('http', 'https'),
     allow_plain_hostname=True,  # Allow hostname only without TLD.
     label=_('Base URL of the service'),
-    help_text=_('This setting is used by services like notifications to render ' 'a valid url to the service.'),
+    help_text=_('This setting is used by services like notifications to render a valid url to the service.'),
     category=_('System'),
     category_slug='system',
 )
@@ -94,13 +94,12 @@ register(
     category_slug='system',
 )
 
-
 register(
     'LICENSE',
     field_class=fields.DictField,
     default=lambda: {},
     label=_('License'),
-    help_text=_('The license controls which features and functionality are ' 'enabled. Use /api/v2/config/ to update or change ' 'the license.'),
+    help_text=_('The license controls which features and functionality are enabled. Use /api/v2/config/ to update or change the license.'),
     category=_('System'),
     category_slug='system',
 )
@@ -194,7 +193,7 @@ register(
     'CUSTOM_VENV_PATHS',
     field_class=fields.StringListPathField,
     label=_('Custom virtual environment paths'),
-    help_text=_('Paths where Tower will look for custom virtual environments ' '(in addition to /var/lib/awx/venv/). Enter one path per line.'),
+    help_text=_('Paths where Tower will look for custom virtual environments (in addition to /var/lib/awx/venv/). Enter one path per line.'),
     category=_('System'),
     category_slug='system',
     default=[],
@@ -318,7 +317,7 @@ register(
     field_class=fields.BooleanField,
     default=False,
     label=_('Ignore Ansible Galaxy SSL Certificate Verification'),
-    help_text=_('If set to true, certificate validation will not be done when ' 'installing content from any Galaxy server.'),
+    help_text=_('If set to true, certificate validation will not be done when installing content from any Galaxy server.'),
     category=_('Jobs'),
     category_slug='jobs',
 )
@@ -433,7 +432,7 @@ register(
     allow_null=False,
     default=200,
     label=_('Maximum number of forks per job'),
-    help_text=_('Saving a Job Template with more than this number of forks will result in an error. ' 'When set to 0, no limit is applied.'),
+    help_text=_('Saving a Job Template with more than this number of forks will result in an error. When set to 0, no limit is applied.'),
     category=_('Jobs'),
     category_slug='jobs',
 )
@@ -454,7 +453,7 @@ register(
     allow_null=True,
     default=None,
     label=_('Logging Aggregator Port'),
-    help_text=_('Port on Logging Aggregator to send logs to (if required and not' ' provided in Logging Aggregator).'),
+    help_text=_('Port on Logging Aggregator to send logs to (if required and not provided in Logging Aggregator).'),
     category=_('Logging'),
     category_slug='logging',
     required=False,
@@ -561,7 +560,7 @@ register(
     field_class=fields.IntegerField,
     default=5,
     label=_('TCP Connection Timeout'),
-    help_text=_('Number of seconds for a TCP connection to external log ' 'aggregator to timeout. Applies to HTTPS and TCP log ' 'aggregator protocols.'),
+    help_text=_('Number of seconds for a TCP connection to external log aggregator to timeout. Applies to HTTPS and TCP log aggregator protocols.'),
     category=_('Logging'),
     category_slug='logging',
     unit=_('seconds'),
@@ -627,7 +626,7 @@ register(
     field_class=fields.BooleanField,
     default=False,
     label=_('Enable rsyslogd debugging'),
-    help_text=_('Enabled high verbosity debugging for rsyslogd.  ' 'Useful for debugging connection issues for external log aggregation.'),
+    help_text=_('Enabled high verbosity debugging for rsyslogd.  Useful for debugging connection issues for external log aggregation.'),
     category=_('Logging'),
     category_slug='logging',
 )

awx/settings/defaults.py

@@ -716,6 +716,7 @@ CALLBACK_QUEUE = "callback_tasks"
 # Note: This setting may be overridden by database settings.
 ORG_ADMINS_CAN_SEE_ALL_USERS = True
 MANAGE_ORGANIZATION_AUTH = True
+DISABLE_LOCAL_AUTH = False
 
 # Note: This setting may be overridden by database settings.
 TOWER_URL_BASE = "https://towerhost"

awx/ui_next/src/screens/Setting/MiscSystem/MiscSystemDetail/MiscSystemDetail.jsx

@@ -48,6 +48,7 @@ function MiscSystemDetail() {
         'INSIGHTS_TRACKING_STATE',
         'LOGIN_REDIRECT_OVERRIDE',
         'MANAGE_ORGANIZATION_AUTH',
+        'DISABLE_LOCAL_AUTH',
         'OAUTH2_PROVIDER',
         'ORG_ADMINS_CAN_SEE_ALL_USERS',
         'REDHAT_PASSWORD',

awx/ui_next/src/screens/Setting/MiscSystem/MiscSystemDetail/MiscSystemDetail.test.jsx

@@ -30,6 +30,7 @@ describe('<MiscSystemDetail />', () => {
         INSIGHTS_TRACKING_STATE: false,
         LOGIN_REDIRECT_OVERRIDE: 'https://redirect.com',
         MANAGE_ORGANIZATION_AUTH: true,
+        DISABLE_LOCAL_AUTH: false,
         OAUTH2_PROVIDER: {
           ACCESS_TOKEN_EXPIRE_SECONDS: 1,
           AUTHORIZATION_CODE_EXPIRE_SECONDS: 2,

awx/ui_next/src/screens/Setting/MiscSystem/MiscSystemEdit/MiscSystemEdit.jsx

@@ -48,6 +48,7 @@ function MiscSystemEdit() {
         'INSIGHTS_TRACKING_STATE',
         'LOGIN_REDIRECT_OVERRIDE',
         'MANAGE_ORGANIZATION_AUTH',
+        'DISABLE_LOCAL_AUTH',
         'OAUTH2_PROVIDER',
         'ORG_ADMINS_CAN_SEE_ALL_USERS',
         'REDHAT_PASSWORD',
@@ -261,6 +262,10 @@ function MiscSystemEdit() {
                     name="MANAGE_ORGANIZATION_AUTH"
                     config={system.MANAGE_ORGANIZATION_AUTH}
                   />
+                  <BooleanField
+                    name="DISABLE_LOCAL_AUTH"
+                    config={system.DISABLE_LOCAL_AUTH}
+                  />
                   <InputField
                     name="SESSION_COOKIE_AGE"
                     config={system.SESSION_COOKIE_AGE}

awx/ui_next/src/screens/Setting/MiscSystem/MiscSystemEdit/MiscSystemEdit.test.jsx

@@ -31,6 +31,7 @@ const systemData = {
   INSIGHTS_TRACKING_STATE: false,
   LOGIN_REDIRECT_OVERRIDE: '',
   MANAGE_ORGANIZATION_AUTH: true,
+  DISABLE_LOCAL_AUTH: false,
   OAUTH2_PROVIDER: {
     ACCESS_TOKEN_EXPIRE_SECONDS: 31536000000,
     AUTHORIZATION_CODE_EXPIRE_SECONDS: 600,

awx/ui_next/src/screens/Setting/shared/data.allSettingOptions.json

@@ -34,6 +34,14 @@
               "category_slug": "system",
               "defined_in_file": false
           },
+          "DISABLE_LOCAL_AUTH": {
+              "type": "boolean",
+              "label": "Disable the built-in authentication system",
+              "help_text": "Controls whether users are prevented from using the built-in authentication system. You probably want to do this if you are using an LDAP or SAML integration.",
+              "category": "Authentication",
+              "category_slug": "authentication",
+              "defined_in_file": false
+          },
           "TOWER_URL_BASE": {
               "type": "string",
               "label": "Base URL of the service",
@@ -2959,6 +2967,15 @@
               "category_slug": "system",
               "default": true
           },
+          "DISABLE_LOCAL_AUTH": {
+              "type": "boolean",
+              "required": true,
+              "label": "Disable the built-in authentication system",
+              "help_text": "Controls whether users are prevented from using the built-in authentication system. You probably want to do this if you are using an LDAP or SAML integration.",
+              "category": "Authentication",
+              "category_slug": "authentication",
+              "default": false
+          },
           "TOWER_URL_BASE": {
               "type": "string",
               "required": true,

awx/ui_next/src/screens/Setting/shared/data.allSettings.json

@@ -3,6 +3,7 @@
   "ACTIVITY_STREAM_ENABLED_FOR_INVENTORY_SYNC":false,
   "ORG_ADMINS_CAN_SEE_ALL_USERS":true,
   "MANAGE_ORGANIZATION_AUTH":true,
+  "DISABLE_LOCAL_AUTH":false,
   "TOWER_URL_BASE":"https://localhost:3000",
   "REMOTE_HOST_HEADERS":["REMOTE_ADDR","REMOTE_HOST"],
   "PROXY_IP_ALLOWED_LIST":[],