From a17c34f041c0990d999358779f7cabb179e5aa78 Mon Sep 17 00:00:00 2001
From: Jeff Bradberry
Date: Wed, 21 Apr 2021 11:42:35 -0400
Subject: [PATCH] Remove the isolation-specific settings
- AWX_ISOLATED_PUBLIC_KEY
- AWX_ISOLATED_PRIVATE_KEY
- AWX_ISOLATED_KEY_GENERATION
- AWX_ISOLATED_HOST_KEY_CHECKING
- AWX_ISOLATED_USERNAME
- AWX_ISOLATED_CONNECTION_TIMEOUT
- AWX_ISOLATED_LAUNCH_TIMEOUT
- AWX_ISOLATED_PERIODIC_CHECK
- AWX_ISOLATED_CHECK_INTERVAL
---
 awx/conf/registry.py | 6 +-
 awx/conf/serializers.py | 6 +-
 awx/conf/settings.py | 9 +-
 awx/main/conf.py | 89 -------------------
 .../tests/functional/api/test_settings.py | 56 ------------
 awx/settings/defaults.py | 17 ----
 awx/settings/development.py | 4 -
 awx/settings/production.py | 2 -
 8 files changed, 5 insertions(+), 184 deletions(-)
diff --git a/awx/conf/registry.py b/awx/conf/registry.py
index 627099a57a..36f6eba6d2 100644
--- a/awx/conf/registry.py
+++ b/awx/conf/registry.py
@@ -92,11 +92,7 @@ class SettingsRegistry(object):
 continue
 if kwargs.get('category_slug', None) in slugs_to_ignore:
 continue
- if (
- read_only in {True, False}
- and kwargs.get('read_only', False) != read_only
- and setting not in ('INSTALL_UUID', 'AWX_ISOLATED_PRIVATE_KEY', 'AWX_ISOLATED_PUBLIC_KEY')
- ):
+ if read_only in {True, False} and kwargs.get('read_only', False) != read_only and setting != 'INSTALL_UUID':
 # Note: Doesn't catch fields that set read_only via __init__;
 # read-only field kwargs should always include read_only=True.
 continue
diff --git a/awx/conf/serializers.py b/awx/conf/serializers.py
index 838a636aaa..03e0f7e714 100644
--- a/awx/conf/serializers.py
+++ b/awx/conf/serializers.py
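Review bot: The rewritten condition in the awx/conf/registry.py hunk still exempts `'INSTALL_UUID'` from the `read_only` filter, but nothing there says why, and the same literal is special-cased a second time in the awx/conf/settings.py hunk of this patch. A one-line comment above the `if`, such as `# INSTALL_UUID is read-only but is never skipped by the read_only filter`, would document the exception. Now that only one name is left, a module-level constant shared by both checks (for example `setting not in DB_BACKED_READ_ONLY_SETTINGS`, where the constant name is only a suggestion) would keep the two places from drifting apart. The enclosing method of `SettingsRegistry` starts and ends outside the hunk.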
@@ -81,10 +81,8 @@ class SettingSingletonSerializer(serializers.Serializer):
 if self.instance and not hasattr(self.instance, key):
 continue
 extra_kwargs = {}
- # Make LICENSE and AWX_ISOLATED_KEY_GENERATION read-only here;
- # LICENSE is only updated via /api/v2/config/
- # AWX_ISOLATED_KEY_GENERATION is only set/unset via the setup playbook
- if key in ('LICENSE', 'AWX_ISOLATED_KEY_GENERATION'):
+ # Make LICENSE read-only here; LICENSE is only updated via /api/v2/config/
+ if key == 'LICENSE':
 extra_kwargs['read_only'] = True
 field = settings_registry.get_setting_field(key, mixin_class=SettingFieldMixin, for_user=bool(category_slug == 'user'), **extra_kwargs)
 fields[key] = field
diff --git a/awx/conf/settings.py b/awx/conf/settings.py
index 57d3265d72..cd8b2efe16 100644
--- a/awx/conf/settings.py
+++ b/awx/conf/settings.py
@@ -350,13 +350,8 @@ class SettingsWrapper(UserSettingsHolder):
 if value is empty:
 setting = None
 setting_id = None
- if not field.read_only or name in (
- # these values are read-only - however - we *do* want
- # to fetch their value from the database
- 'INSTALL_UUID',
- 'AWX_ISOLATED_PRIVATE_KEY',
- 'AWX_ISOLATED_PUBLIC_KEY',
- ):
+ # this value is read-only, however we *do* want to fetch its value from the database
+ if not field.read_only or name == 'INSTALL_UUID':
 setting = Setting.objects.filter(key=name, user__isnull=True).order_by('pk').first()
 if setting:
 if getattr(field, 'encrypted', False):
diff --git a/awx/main/conf.py b/awx/main/conf.py
index f50f813533..2644e2cdd7 100644
--- a/awx/main/conf.py
+++ b/awx/main/conf.py
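Review bot: Nothing in this patch cleans up `Setting` rows already stored under the removed keys. Once the lookup in the awx/conf/settings.py hunk is narrowed to `if not field.read_only or name == 'INSTALL_UUID':`, an existing `AWX_ISOLATED_PRIVATE_KEY` row (registered with `encrypted=True` in the block deleted from awx/main/conf.py) would presumably stay in the database with no registered setting referring to it. The diffstat lists no migration; unless that is handled in another commit, a data migration along the lines of `Setting.objects.filter(key__startswith='AWX_ISOLATED_').delete()` would remove the leftover key material on upgrade. The enclosing method of `SettingsWrapper` starts and ends outside the hunk.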
@@ -250,95 +250,6 @@ register(
 category_slug='jobs',
 )
-register(
- 'AWX_ISOLATED_CHECK_INTERVAL',
- field_class=fields.IntegerField,
- min_value=0,
- label=_('Isolated status check interval'),
- help_text=_('The number of seconds to sleep between status checks for jobs running on isolated instances.'),
- category=_('Jobs'),
- category_slug='jobs',
- unit=_('seconds'),
-)
-
-register(
- 'AWX_ISOLATED_LAUNCH_TIMEOUT',
- field_class=fields.IntegerField,
- min_value=0,
- label=_('Isolated launch timeout'),
- help_text=_(
- 'The timeout (in seconds) for launching jobs on isolated instances. '
- 'This includes the time needed to copy source control files (playbooks) to the isolated instance.'
- ),
- category=_('Jobs'),
- category_slug='jobs',
- unit=_('seconds'),
-)
-
-register(
- 'AWX_ISOLATED_CONNECTION_TIMEOUT',
- field_class=fields.IntegerField,
- min_value=0,
- default=10,
- label=_('Isolated connection timeout'),
- help_text=_(
- 'Ansible SSH connection timeout (in seconds) to use when communicating with isolated instances. '
- 'Value should be substantially greater than expected network latency.'
- ),
- category=_('Jobs'),
- category_slug='jobs',
- unit=_('seconds'),
-)
-
-register(
- 'AWX_ISOLATED_HOST_KEY_CHECKING',
- field_class=fields.BooleanField,
- label=_('Isolated host key checking'),
- help_text=_('When set to True, AWX will enforce strict host key checking for communication with isolated nodes.'),
- category=_('Jobs'),
- category_slug='jobs',
- default=False,
-)
-
-register(
- 'AWX_ISOLATED_KEY_GENERATION',
- field_class=fields.BooleanField,
- default=True,
- label=_('Generate RSA keys for isolated instances'),
- help_text=_(
- 'If set, a random RSA key will be generated and distributed to '
- 'isolated instances. To disable this behavior and manage authentication '
- 'for isolated instances outside of Tower, disable this setting.'
- ), # noqa
- category=_('Jobs'),
- category_slug='jobs',
-)
-
-register(
- 'AWX_ISOLATED_PRIVATE_KEY',
- field_class=fields.CharField,
- default='',
- allow_blank=True,
- encrypted=True,
- read_only=True,
- label=_('The RSA private key for SSH traffic to isolated instances'),
- help_text=_('The RSA private key for SSH traffic to isolated instances'), # noqa
- category=_('Jobs'),
- category_slug='jobs',
-)
-
-register(
- 'AWX_ISOLATED_PUBLIC_KEY',
- field_class=fields.CharField,
- default='',
- allow_blank=True,
- read_only=True,
- label=_('The RSA public key for SSH traffic to isolated instances'),
- help_text=_('The RSA public key for SSH traffic to isolated instances'), # noqa
- category=_('Jobs'),
- category_slug='jobs',
-)
-
 register(
 'AWX_TASK_ENV',
 field_class=fields.KeyValueField,
diff --git a/awx/main/tests/functional/api/test_settings.py b/awx/main/tests/functional/api/test_settings.py
index 84bfff2d18..a1ae7398a5 100644
--- a/awx/main/tests/functional/api/test_settings.py
+++ b/awx/main/tests/functional/api/test_settings.py
@@ -5,8 +5,6 @@
 # Python
 import pytest
-from django.conf import settings
-
 # AWX
 from awx.api.versioning import reverse
 from awx.conf.models import Setting
@@ -322,60 +320,6 @@ def test_logging_aggregator_connection_test_valid(put, post, admin):
 post(url, {}, user=admin, expect=202)
-@pytest.mark.django_db
-@pytest.mark.parametrize(
- 'setting_name',
- [
- 'AWX_ISOLATED_CHECK_INTERVAL',
- 'AWX_ISOLATED_LAUNCH_TIMEOUT',
- 'AWX_ISOLATED_CONNECTION_TIMEOUT',
- ],
-)
-def test_isolated_job_setting_validation(get, patch, admin, setting_name):
- url = reverse('api:setting_singleton_detail', kwargs={'category_slug': 'jobs'})
- patch(url, user=admin, data={setting_name: -1}, expect=400)
-
- data = get(url, user=admin).data
- assert data[setting_name] != -1
-
-
-@pytest.mark.django_db
-@pytest.mark.parametrize(
- 'key, expected',
- [
- ['AWX_ISOLATED_PRIVATE_KEY', '$encrypted$'],
- ['AWX_ISOLATED_PUBLIC_KEY', 'secret'],
- ],
-)
-def test_isolated_keys_readonly(get, patch, delete, admin, key, expected):
- Setting.objects.create(key=key, value='secret').save()
- assert getattr(settings, key) == 'secret'
-
- url = reverse('api:setting_singleton_detail', kwargs={'category_slug': 'jobs'})
- resp = get(url, user=admin)
- assert resp.data[key] == expected
-
- patch(url, user=admin, data={key: 'new-secret'})
- assert getattr(settings, key) == 'secret'
-
- delete(url, user=admin)
- assert getattr(settings, key) == 'secret'
-
-
-@pytest.mark.django_db
-def test_isolated_key_flag_readonly(get, patch, delete, admin):
- settings.AWX_ISOLATED_KEY_GENERATION = True
- url = reverse('api:setting_singleton_detail', kwargs={'category_slug': 'jobs'})
- resp = get(url, user=admin)
- assert resp.data['AWX_ISOLATED_KEY_GENERATION'] is True
-
- patch(url, user=admin, data={'AWX_ISOLATED_KEY_GENERATION': False})
- assert settings.AWX_ISOLATED_KEY_GENERATION is True
-
- delete(url, user=admin)
- assert settings.AWX_ISOLATED_KEY_GENERATION is True
-
-
 @pytest.mark.django_db
 @pytest.mark.parametrize('headers', [True, False])
 def test_saml_x509cert_validation(patch, get, admin, headers):
diff --git a/awx/settings/defaults.py b/awx/settings/defaults.py
index 4c758b5ca1..01d572cbe0 100644
--- a/awx/settings/defaults.py
+++ b/awx/settings/defaults.py
@@ -408,23 +408,6 @@ AUTH_BASIC_ENABLED = True
 # when trying to access a UI page that requries authentication.
 LOGIN_REDIRECT_OVERRIDE = ''
-# Default to skipping isolated host key checking (the initial connection will
-# hang on an interactive "The authenticity of host example.org can't be
-# established" message)
-AWX_ISOLATED_HOST_KEY_CHECKING = False
-
-# The number of seconds to sleep between status checks for jobs running on isolated nodes
-AWX_ISOLATED_CHECK_INTERVAL = 30
-
-# The timeout (in seconds) for launching jobs on isolated nodes
-AWX_ISOLATED_LAUNCH_TIMEOUT = 600
-
-# Ansible connection timeout (in seconds) for communicating with isolated instances
-AWX_ISOLATED_CONNECTION_TIMEOUT = 10
-
-# The time (in seconds) between the periodic isolated heartbeat status check
-AWX_ISOLATED_PERIODIC_CHECK = 600
-
 DEVSERVER_DEFAULT_ADDR = '0.0.0.0'
 DEVSERVER_DEFAULT_PORT = '8013'
diff --git a/awx/settings/development.py b/awx/settings/development.py
index e836a723f6..12658ed602 100644
--- a/awx/settings/development.py
+++ b/awx/settings/development.py
@@ -64,10 +64,6 @@ CALLBACK_QUEUE = "callback_tasks"
 # Note: This setting may be overridden by database settings.
 AWX_ROLES_ENABLED = True
-AWX_ISOLATED_USERNAME = 'root'
-AWX_ISOLATED_CHECK_INTERVAL = 1
-AWX_ISOLATED_PERIODIC_CHECK = 30
-
 # Disable Pendo on the UI for development/test.
 # Note: This setting may be overridden by database settings.
 PENDO_TRACKING_STATE = "off"
diff --git a/awx/settings/production.py b/awx/settings/production.py
index c6511cb5b1..d74f1a4a85 100644
--- a/awx/settings/production.py
+++ b/awx/settings/production.py
@@ -40,8 +40,6 @@ ANSIBLE_VENV_PATH = os.path.join(BASE_VENV_PATH, "ansible")
 # Tower base virtualenv paths and enablement
 AWX_VENV_PATH = os.path.join(BASE_VENV_PATH, "awx")
-AWX_ISOLATED_USERNAME = 'awx'
-
 # Store a snapshot of default settings at this point before loading any
 # customizable config files.
 DEFAULTS_SNAPSHOT = {}