RFE: Add toggle for "Disable Local User Log-in" setting #4553
Comments
This feature would alleviate security concerns in highly regulated environments.

The simplest way to do this is (right now, without code changes) to remove the local users.

@one-t hoping you can take the lead on testing this one.

Just a UI note, we can't take away the username and password entry with LDAP and RADIUS.
softwarefactory-project-zuul bot added a commit that referenced this issue on May 27, 2021:

Add the ability to disable local authentication

SUMMARY

When an external authentication system is enabled, users would like the ability to disable local authentication for enhanced security.

related #4553

TODO

- create a configure-Tower-in-Tower setting, DISABLE_LOCAL_AUTH
- expose the setting in the settings UI
- be able to query out all local-only users:
  `User.objects.filter(Q(profile__isnull=True) | Q(profile__ldap_dn=''), enterprise_auth__isnull=True, social_auth__isnull=True)`
  see: awx/main/utils/common.py, get_external_account
- write a thin wrapper around the Django model-based auth backend
- update the UI tests to include the new setting
- be able to trigger a side-effect when this setting changes
  - revoke all OAuth2 tokens for users that do not have a remote auth backend associated with them
  - revoke sessions for local-only users; ultimately I did this by adding a new middleware that checks the value of this new setting and force-logs out any local-only user making a request after it is enabled
- settings API endpoint raises a validation error if there are no external users or auth sources configured. The remote user existence validation has been removed, since ultimately we can't know for sure if a sysadmin-level user will still have access to the UI. This is being dealt with by using a confirmation modal, see below.
- add a modal asking the user to confirm that they want to turn this setting on

ISSUE TYPE

Feature Pull Request

COMPONENT NAME

API
UI

AWX VERSION

Reviewed-by: Jeff Bradberry <None>
Reviewed-by: Bianca Henderson <[email protected]>
Reviewed-by: Mat Wilson <[email protected]>
Reviewed-by: Michael Abashian <None>
Reviewed-by: Chris Meyers <None>
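The commit message above lists the moving parts of the feature without showing how they fit together. The block below is an added, framework-free Python model of those parts (the local-only predicate, the settings-endpoint validation, the thin password-backend wrapper, and the force-logout side effect); it is not AWX's code or the commit's, and the names `is_local_only`, `Session`, `local_password_backend`, `disable_local_auth_middleware` and the plain `settings` dict are assumptions standing in for the Django models, settings system and middleware. The sample accounts are constructed.

```python
"""Framework-free model of the DISABLE_LOCAL_AUTH behaviour described in the
commit message. Hypothetical example, not AWX's own code: the dataclasses stand
in for the Django models and the dict `settings` for the settings system."""
from dataclasses import dataclass, field
from typing import Iterable, List, Optional


@dataclass
class Profile:
    ldap_dn: str = ""  # '' means the account was never mapped from LDAP


@dataclass
class User:
    username: str
    password: str = ""  # plaintext only because this is a toy credential store
    profile: Optional[Profile] = None
    enterprise_auth: Optional[str] = None  # e.g. 'saml', 'radius'
    social_auth: Optional[str] = None  # e.g. 'github', 'google-oauth2'


def is_local_only(user: User) -> bool:
    """Same predicate as the ORM query quoted in the commit message:
    (profile IS NULL OR profile.ldap_dn = '') AND no enterprise_auth AND no social_auth."""
    no_ldap = user.profile is None or user.profile.ldap_dn == ""
    return no_ldap and user.enterprise_auth is None and user.social_auth is None


def local_only_users(users: Iterable[User]) -> List[User]:
    return [u for u in users if is_local_only(u)]


class SettingValidationError(ValueError):
    pass


def validate_disable_local_auth(enable: bool, users: Iterable[User],
                                external_sources: Iterable[str]) -> None:
    """Settings-endpoint check: refuse to turn the setting on when neither an
    external auth source nor an externally-authenticated user exists, because
    nobody could log in afterwards."""
    if not enable:
        return
    if not list(external_sources) and all(is_local_only(u) for u in users):
        raise SettingValidationError(
            "DISABLE_LOCAL_AUTH needs an external auth source or an external user")


def local_password_backend(settings: dict, users: Iterable[User],
                           username: str, password: str) -> Optional[User]:
    """Stand-in for the thin wrapper around the model-based (password) backend.
    Assumption: while the setting is on, password login is refused outright;
    LDAP/SAML/social backends are unaffected because they never reach here."""
    if settings.get("DISABLE_LOCAL_AUTH", False):
        return None
    for u in users:
        if u.username == username and u.password == password:
            return u
    return None


@dataclass
class Session:
    user: User
    oauth2_tokens: List[str] = field(default_factory=list)
    active: bool = True


def revoke_local_only(sessions: Iterable[Session]) -> int:
    """Side effect when the setting flips on: log out local-only users and
    revoke their OAuth2 tokens. Returns how many sessions were terminated."""
    revoked = 0
    for s in sessions:
        if s.active and is_local_only(s.user):
            s.active = False
            s.oauth2_tokens.clear()
            revoked += 1
    return revoked


def disable_local_auth_middleware(settings: dict, session: Session) -> bool:
    """Per-request check: a local-only session that survived the flip is
    force-logged-out on its next request. Returns True if it may proceed."""
    if settings.get("DISABLE_LOCAL_AUTH", False):
        revoke_local_only([session])
    return session.active


if __name__ == "__main__":
    # Constructed sample accounts: one local admin, one LDAP user, one SAML user.
    users = [User("admin", password="hunter2"),
             User("jdoe", profile=Profile("uid=jdoe,ou=people,dc=example,dc=com")),
             User("asmith", enterprise_auth="saml")]
    settings = {"DISABLE_LOCAL_AUTH": False}
    validate_disable_local_auth(True, users, [])  # passes: two external users exist
    settings["DISABLE_LOCAL_AUTH"] = True
    sessions = [Session(u, ["tok-" + u.username]) for u in users]
    print("local-only:", [u.username for u in local_only_users(users)])
    print("revoked:", revoke_local_only(sessions))
    print("admin password login:", local_password_backend(settings, users, "admin", "hunter2"))
```

The validation deliberately does not try to prove that a sysadmin-level external user exists, which matches the commit's decision to drop that check in favour of a confirmation modal; the middleware is what closes the window between the setting flipping and any local-only session that was not reached by the one-shot revocation.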
@one-t this issue can be closed?
ISSUE TYPE

SUMMARY

When external authentication (LDAP/SAML/OAuth, etc.) is enabled, there is a use case to turn off authentication for local users for security reasons.

It would be great if there were a toggle switch to turn authentication for local users on/off. When local auth is disabled, it is not possible to log in as a local user, but Tower can use the built-in admin user in the backup/restore process.