mirror of
https://github.com/ansible/awx.git
synced 2026-01-15 11:50:42 -03:30
Add the ability to disable local authentication

SUMMARY
When an external authentication system is enabled, users would like the ability to disable local authentication for enhanced security.

related #4553

TODO
- create a configure-Tower-in-Tower setting, DISABLE_LOCAL_AUTH
- expose the setting in the settings UI
- be able to query out all local-only users
  User.objects.filter(Q(profile__isnull=True) | Q(profile__ldap_dn=''), enterprise_auth__isnull=True, social_auth__isnull=True)
  see: awx/main/utils/common.py, get_external_account
- write a thin wrapper around the Django model-based auth backend
- update the UI tests to include the new setting
- be able to trigger a side-effect when this setting changes
  - revoke all OAuth2 tokens for users that do not have a remote auth backend associated with them
  - revoke sessions for local-only users
    ultimately I did this by adding a new middleware that checks the value of this new setting and force-logouts any local-only user making a request after it is enabled
- settings API endpoint raises a validation error if there are no external users or auth sources configured
  The remote user existence validation has been removed, since ultimately we can't know for sure if a sysadmin-level user will still have access to the UI. This is being dealt with by using a confirmation modal, see below.
- add a modal asking the user to confirm that they want to turn this setting on

ISSUE TYPE
- Feature Pull Request

COMPONENT NAME
- API
- UI

AWX VERSION

Reviewed-by: Jeff Bradberry <None>
Reviewed-by: Bianca Henderson <beeankha@gmail.com>
Reviewed-by: Mat Wilson <mawilson@redhat.com>
Reviewed-by: Michael Abashian <None>
Reviewed-by: Chris Meyers <None>
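
The session and token handling described in the commit message above, modelled in plain Python as an added example (not AWX's code). The `User` class, the in-memory `sessions`/`tokens` dicts, the middleware shape and the 401 return are constructed stand-ins; only the `DISABLE_LOCAL_AUTH` name and the local-only predicate come from the message.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class User:                          # constructed stand-in for a Django user row
    username: str
    ldap_dn: Optional[str] = None    # None models "no profile row"
    enterprise_auth: bool = False    # True models a related enterprise_auth row
    social_auth: bool = False        # True models a related social_auth row

def is_local_only(user: User) -> bool:
    # Same logic as the ORM filter in the commit message:
    # (no profile OR empty ldap_dn) AND no enterprise_auth AND no social_auth.
    no_ldap = user.ldap_dn is None or user.ldap_dn == ""
    return no_ldap and not user.enterprise_auth and not user.social_auth

def revoke_local_tokens(tokens: dict, users: dict) -> list:
    # Side effect for the moment the setting is switched on: drop every token
    # whose owner has no remote auth backend. Returns the revoked token ids.
    revoked = [t for t, owner in tokens.items() if is_local_only(users[owner])]
    for t in revoked:
        del tokens[t]
    return revoked

class DisableLocalAuthMiddleware:
    # Hypothetical middleware shape: the check runs on every request, so a
    # session created before the setting was enabled ends on its next use.
    def __init__(self, get_response, settings: dict, sessions: dict, users: dict):
        self.get_response = get_response
        self.settings, self.sessions, self.users = settings, sessions, users

    def __call__(self, session_id: str) -> int:
        username = self.sessions.get(session_id)
        if username is None:
            return 401                       # not logged in
        user = self.users[username]
        if self.settings.get("DISABLE_LOCAL_AUTH") and is_local_only(user):
            del self.sessions[session_id]    # force logout
            return 401
        return self.get_response(user)

# Constructed sample accounts: two local-only, one LDAP, one social.
USERS = {u.username: u for u in (
    User("admin"),
    User("alice", ldap_dn="uid=alice,dc=example,dc=org"),
    User("bob", ldap_dn="", social_auth=True),
    User("carol", ldap_dn=""))}
```

In this sample data `admin` is a local-only account, so enabling the setting ends its session too.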