mirror of
https://github.com/ansible/awx.git
synced 2026-06-21 06:37:45 -02:30
c8981e321e
The aap_token parameter was added to the collection argspec and docs in #16025, but nothing consumed it after token auth was removed in #15623: modules silently ignored the token and fell back to basic auth, breaking token authentication through the AAP gateway. Wire it up so requests authenticate with the provided token (e.g. one issued by the AAP gateway, which validates it and proxies to the controller): - Send "Authorization: Bearer <token>" in make_request when aap_token is set, skipping the basic-auth login probe; basic auth is unchanged when no token is given - Accept the token as a string or as the dict set as a fact by the ansible.platform.token module ({token: ..., id: ...}), which is the documented cross-collection mint/use/delete workflow - Restore controller_oauthtoken and tower_oauthtoken as aliases for back-compat with pre-#15623 playbooks, matching downstream - Forward aap_token through the controller_api lookup and controller inventory plugins via short_params, and add the missing CONTROLLER_OAUTH_TOKEN/TOWER_OAUTH_TOKEN env sources to the plugin doc fragment (plugins resolve env vars from doc fragments, not env_fallback); AAP_TOKEN is no longer marked deprecated there - Support tokens in the awxkit-based export/import modules - Add unit tests covering the Bearer header for both token forms, the aliases, the bad-dict failure, and the basic-auth fallback Verified end-to-end against a live gateway-fronted AAP 2.7 deployment: modules, the lookup plugin, both aliases, all env sources, dict-form tokens, job launch/wait, and a clean HTTP 401 on an invalid token. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
115 lines
3.5 KiB
Python
115 lines
3.5 KiB
Python
# -*- coding: utf-8 -*-
|
|
|
|
# Copyright: (c) 2020, Ansible by Red Hat, Inc
|
|
# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
|
|
|
|
from __future__ import absolute_import, division, print_function
|
|
|
|
__metaclass__ = type
|
|
|
|
|
|
class ModuleDocFragment(object):
|
|
|
|
# Automation Platform Controller documentation fragment
|
|
DOCUMENTATION = r'''
|
|
options:
|
|
host:
|
|
description: The network address of your Automation Platform Controller host.
|
|
env:
|
|
- name: CONTROLLER_HOST
|
|
deprecated:
|
|
collection_name: 'awx.awx'
|
|
version: '4.0.0'
|
|
why: Collection name change
|
|
alternatives: 'TOWER_HOST, AAP_HOSTNAME'
|
|
username:
|
|
description: The user that you plan to use to access inventories on the controller.
|
|
env:
|
|
- name: CONTROLLER_USERNAME
|
|
deprecated:
|
|
collection_name: 'awx.awx'
|
|
version: '4.0.0'
|
|
why: Collection name change
|
|
alternatives: 'TOWER_USERNAME, AAP_USERNAME'
|
|
password:
|
|
description: The password for your controller user.
|
|
env:
|
|
- name: CONTROLLER_PASSWORD
|
|
deprecated:
|
|
collection_name: 'awx.awx'
|
|
version: '4.0.0'
|
|
why: Collection name change
|
|
alternatives: 'TOWER_PASSWORD, AAP_PASSWORD'
|
|
aap_token:
|
|
description:
|
|
- The OAuth token to use, sent as a Bearer token in the Authorization header.
|
|
- When connecting through the AAP gateway, use a token issued by the gateway.
|
|
env:
|
|
- name: CONTROLLER_OAUTH_TOKEN
|
|
deprecated:
|
|
collection_name: 'awx.awx'
|
|
version: '4.0.0'
|
|
why: Collection name change
|
|
alternatives: 'AAP_TOKEN'
|
|
- name: TOWER_OAUTH_TOKEN
|
|
deprecated:
|
|
collection_name: 'awx.awx'
|
|
version: '4.0.0'
|
|
why: Collection name change
|
|
alternatives: 'AAP_TOKEN'
|
|
- name: AAP_TOKEN
|
|
aliases: [ controller_oauthtoken, tower_oauthtoken ]
|
|
verify_ssl:
|
|
description:
|
|
- Specify whether Ansible should verify the SSL certificate of the controller host.
|
|
- Defaults to True, but this is handled by the shared module_utils code
|
|
type: bool
|
|
env:
|
|
- name: CONTROLLER_VERIFY_SSL
|
|
deprecated:
|
|
collection_name: 'awx.awx'
|
|
version: '4.0.0'
|
|
why: Collection name change
|
|
alternatives: 'TOWER_VERIFY_SSL, AAP_VALIDATE_CERTS'
|
|
aliases: [ validate_certs ]
|
|
request_timeout:
|
|
description:
|
|
- Specify the timeout Ansible should use in requests to the controller host.
|
|
- Defaults to 10 seconds
|
|
- This will not work with the export or import modules.
|
|
type: float
|
|
env:
|
|
- name: CONTROLLER_REQUEST_TIMEOUT
|
|
deprecated:
|
|
collection_name: 'awx.awx'
|
|
version: '4.0.0'
|
|
why: Support for AAP variables
|
|
alternatives: 'AAP_REQUEST_TIMEOUT'
|
|
aliases: [ aap_request_timeout ]
|
|
max_retries:
|
|
description:
|
|
- Specify the max retries to be used with some connection issues.
|
|
- Defaults to 5.
|
|
- This will not work with the export or import modules.
|
|
type: int
|
|
env:
|
|
- name: AAP_MAX_RETRIES
|
|
aliases: [ aap_max_retries ]
|
|
retry_backoff_factor:
|
|
description:
|
|
- Backoff factor used when retrying connections.
|
|
- Defaults to 2.
|
|
- This will not work with the export or import modules.
|
|
type: int
|
|
env:
|
|
- name: AAP_RETRY_BACKOFF_FACTOR
|
|
aliases: [ aap_retry_backoff_factor ]
|
|
notes:
|
|
- If no I(config_file) is provided we will attempt to use the tower-cli library
|
|
defaults to find your host information.
|
|
- I(config_file) should be in the following format
|
|
host=hostname
|
|
username=username
|
|
password=password
|
|
'''
|