External-Mirrors/awx
2
0
Fork 0
mirror of https://github.com/ansible/awx.git synced 2026-06-21 22:57:48 -02:30
Code Issues Packages Projects Releases Wiki Activity
Files
c8981e321efc73b0c5329022d091cd3dab72429e
awx/awx_collection/plugins/doc_fragments/auth.py
Hao Liu c8981e321e Make aap_token functional for collection token auth (#16498) 
The aap_token parameter was added to the collection argspec and docs
in #16025, but nothing consumed it after token auth was removed in
#15623: modules silently ignored the token and fell back to basic
auth, breaking token authentication through the AAP gateway.

Wire it up so requests authenticate with the provided token (e.g. one
issued by the AAP gateway, which validates it and proxies to the
controller):

- Send "Authorization: Bearer <token>" in make_request when aap_token
  is set, skipping the basic-auth login probe; basic auth is unchanged
  when no token is given
- Accept the token as a string or as the dict set as a fact by the
  ansible.platform.token module ({token: ..., id: ...}), which is the
  documented cross-collection mint/use/delete workflow
- Restore controller_oauthtoken and tower_oauthtoken as aliases for
  back-compat with pre-#15623 playbooks, matching downstream
- Forward aap_token through the controller_api lookup and controller
  inventory plugins via short_params, and add the missing
  CONTROLLER_OAUTH_TOKEN/TOWER_OAUTH_TOKEN env sources to the plugin
  doc fragment (plugins resolve env vars from doc fragments, not
  env_fallback); AAP_TOKEN is no longer marked deprecated there
- Support tokens in the awxkit-based export/import modules
- Add unit tests covering the Bearer header for both token forms, the
  aliases, the bad-dict failure, and the basic-auth fallback

Verified end-to-end against a live gateway-fronted AAP 2.7 deployment:
modules, the lookup plugin, both aliases, all env sources, dict-form
tokens, job launch/wait, and a clean HTTP 401 on an invalid token.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-06-10 18:18:25 -04:00

89 lines
3.4 KiB
Python
Raw Blame History

# -*- coding: utf-8 -*-
# Copyright: (c) 2017, Wayne Witzel III <wayne@riotousliving.com>
# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
from __future__ import absolute_import, division, print_function
__metaclass__ = type
class ModuleDocFragment(object):
# Automation Platform Controller documentation fragment
DOCUMENTATION = r'''
options:
controller_host:
description:
- URL to your Automation Platform Controller instance.
- If value not set, will try environment variable C(CONTROLLER_HOST) and then config files
- If value not specified by any means, the value of C(127.0.0.1) will be used
type: str
aliases: [ tower_host, aap_hostname ]
controller_username:
description:
- Username for your controller instance.
- If value not set, will try environment variable C(CONTROLLER_USERNAME) and then config files
type: str
aliases: [ tower_username, aap_username ]
controller_password:
description:
- Password for your controller instance.
- If value not set, will try environment variable C(CONTROLLER_PASSWORD) and then config files
type: str
aliases: [ tower_password , aap_password ]
aap_token:
description:
- The OAuth token to use, sent as a Bearer token in the Authorization header.
- When connecting through the AAP gateway, use a token issued by the gateway.
- This value can be in one of two formats.
- A string which is the token itself. (i.e. bqV5txm97wqJqtkxlMkhQz0pKhRMMX)
- A dictionary structure as set as a fact by the M(ansible.platform.token) module.
- If value not set, will try environment variable C(CONTROLLER_OAUTH_TOKEN) and then config files
type: raw
version_added: "3.7.0"
aliases: [ controller_oauthtoken, tower_oauthtoken ]
validate_certs:
description:
- Whether to allow insecure connections to AWX.
- If C(no), SSL certificates will not be validated.
- This should only be used on personally controlled sites using self-signed certificates.
- If value not set, will try environment variable C(CONTROLLER_VERIFY_SSL) and then config files
type: bool
aliases: [ tower_verify_ssl, aap_validate_certs ]
request_timeout:
description:
- Specify the timeout Ansible should use in requests to the controller host.
- Defaults to 10s, but this is handled by the shared module_utils code
type: float
aliases: [ aap_request_timeout ]
max_retries:
description:
- Specify the max retries to be used with some connection issues.
- Defaults to 5.
- If value not set, will try environment variable C(AAP_MAX_RETRIES) and then config files.
type: int
aliases: [ aap_max_retries ]
retry_backoff_factor:
description:
- Backoff factor used when retrying connections.
- Defaults to 2.
- If value not set, will try environment variable C(AAP_RETRY_BACKOFF_FACTOR) and then config files.
type: int
aliases: [ aap_retry_backoff_factor ]
controller_config_file:
description:
- Path to the controller config file.
- If provided, the other locations for config files will not be considered.
type: path
aliases: [ tower_config_file ]
notes:
- If no I(config_file) is provided we will attempt to use the tower-cli library
defaults to find your host information.
- I(config_file) should be in the following format
host=hostname
username=username
password=password
'''
Reference in New Issue View Git Blame Copy Permalink