External-Mirrors/awx
2
0
Fork 0
mirror of https://github.com/ansible/awx.git synced 2026-05-07 01:17:37 -02:30
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #6224 from jangsutsr/6169_create_tacacs_n_radius_users_with_password_disabled

Browse Source 
Create tacacs and radius users with password disabled
This commit is contained in:
Aaron Tan
2017-05-10 15:26:36 -04:00
committed by GitHub
parent 3065d0a935 f5e58922ab
commit ecd87e07c6
2 changed files with 4 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
awx/sso/backends.py
View File

@@ -146,9 +146,8 @@ class RADIUSBackend(BaseRADIUSBackend):
try: try:
user = User.objects.get(username=username) user = User.objects.get(username=username)
except User.DoesNotExist: except User.DoesNotExist:
logger.debug("Created RADIUS user %s" % (username,))
user = User(username=username) user = User(username=username)
if password is not None:
user.set_unusable_password() user.set_unusable_password()
user.save() user.save()
@@ -166,7 +165,6 @@ class TACACSPlusBackend(object):
) )
if created: if created:
logger.debug("Created TACACS+ user %s" % (username,)) logger.debug("Created TACACS+ user %s" % (username,))
if password is not None:
user.set_unusable_password() user.set_unusable_password()
user.save() user.save()
return user return user
@@ -195,8 +193,6 @@ class TACACSPlusBackend(object):
user = self._get_or_set_user(username, password) user = self._get_or_set_user(username, password)
if not user.has_usable_password(): if not user.has_usable_password():
return user return user
else:
return None
return None return None
def get_user(self, user_id): def get_user(self, user_id):

3
docs/auth/README.md
View File

@@ -14,3 +14,6 @@ On the other hand, the rest of authentication methods use the same types of logi
* SAML * SAML
Tower will try authenticating against each enabled authentication method *in the specified order*, meaning if the same username and password is valid in multiple enabled auth methods (For example, both LDAP and TACACS+), Tower will only use the first positive match (In the above example, log a user in via LDAP and skip TACACS+). Tower will try authenticating against each enabled authentication method *in the specified order*, meaning if the same username and password is valid in multiple enabled auth methods (For example, both LDAP and TACACS+), Tower will only use the first positive match (In the above example, log a user in via LDAP and skip TACACS+).
## Notes:
* TACACS+/RADIUS users and normal Tower users are strictly separated. For example, suppose there is a TACACS+ user with username 'Alice' which is known to TACACS+ backend but not Tower. If a user record with the same username 'Alice' is created in Tower before any log in attempt, Tower will always use its own authentication backend to authenticate Alice, even if TACACS+ backend is also available. On the other hand, if a successful log in attempt is conducted before any explicit user creation in Tower, a TACACS+ user 'Alice' is automatically created and Tower will always use TACACS+ backend for authenticating 'Alice'.