Remove LDAP authentication (#15546)

Remove LDAP authentication from AWX
ansible · Oct 2, 2024 · 58e61c6 · 58e61c6
1 parent ece21b1
commit 58e61c6
Show file tree

Hide file tree

Showing 67 changed files with 172 additions and 2,813 deletions.
diff --git a/Makefile b/Makefile
@@ -33,8 +33,6 @@ MAIN_NODE_TYPE ?= hybrid
 PGBOUNCER ?= false
 # If set to true docker-compose will also start a keycloak instance
 KEYCLOAK ?= false
-# If set to true docker-compose will also start an ldap instance
-LDAP ?= false
 # If set to true docker-compose will also start a splunk instance
 SPLUNK ?= false
 # If set to true docker-compose will also start a prometheus instance
@@ -508,7 +506,6 @@ docker-compose-sources: .git/hooks/pre-commit
  -e minikube_container_group=$(MINIKUBE_CONTAINER_GROUP) \
  -e enable_pgbouncer=$(PGBOUNCER) \
  -e enable_keycloak=$(KEYCLOAK) \
- -e enable_ldap=$(LDAP) \
  -e enable_splunk=$(SPLUNK) \
  -e enable_prometheus=$(PROMETHEUS) \
  -e enable_grafana=$(GRAFANA) \
@@ -525,8 +522,7 @@ docker-compose: awx/projects docker-compose-sources
  ansible-galaxy install --ignore-certs -r tools/docker-compose/ansible/requirements.yml;
  $(ANSIBLE_PLAYBOOK) -i tools/docker-compose/inventory tools/docker-compose/ansible/initialize_containers.yml \
  -e enable_vault=$(VAULT) \
- -e vault_tls=$(VAULT_TLS) \
- -e enable_ldap=$(LDAP); \
+ -e vault_tls=$(VAULT_TLS); \
  $(MAKE) docker-compose-up
 
 docker-compose-up:
@@ -598,7 +594,7 @@ docker-clean:
  -$(foreach image_id,$(shell docker images --filter=reference='*/*/*awx_devel*' --filter=reference='*/*awx_devel*' --filter=reference='*awx_devel*' -aq),docker rmi --force $(image_id);)
 
 docker-clean-volumes: docker-compose-clean docker-compose-container-group-clean
- docker volume rm -f tools_var_lib_awx tools_awx_db tools_awx_db_15 tools_vault_1 tools_ldap_1 tools_grafana_storage tools_prometheus_storage $(shell docker volume ls --filter name=tools_redis_socket_ -q)
+ docker volume rm -f tools_var_lib_awx tools_awx_db tools_awx_db_15 tools_vault_1 tools_grafana_storage tools_prometheus_storage $(shell docker volume ls --filter name=tools_redis_socket_ -q)
 
 docker-refresh: docker-clean docker-compose
 

diff --git a/awx/api/serializers.py b/awx/api/serializers.py
@@ -961,7 +961,6 @@ def get_types(self):
 
 class UserSerializer(BaseSerializer):
  password = serializers.CharField(required=False, default='', help_text=_('Field used to change the password.'))
- ldap_dn = serializers.CharField(source='profile.ldap_dn', read_only=True)
  external_account = serializers.SerializerMethodField(help_text=_('Set if the account is managed by an external service'))
  is_system_auditor = serializers.BooleanField(default=False)
  show_capabilities = ['edit', 'delete']
@@ -979,7 +978,6 @@ class Meta:
  'is_superuser',
  'is_system_auditor',
  'password',
- 'ldap_dn',
  'last_login',
  'external_account',
  )
@@ -1028,8 +1026,10 @@ def validate_password(self, value):
 
  def _update_password(self, obj, new_password):
  # For now we're not raising an error, just not saving password for
- # users managed by LDAP who already have an unusable password set.
- # Get external password will return something like ldap or enterprise or None if the user isn't external. We only want to allow a password update for a None option
+ # users managed by external authentication services (who already have an unusable password set).
+ # get_external_account function will return something like social or enterprise when the user is external,
+ # and return None when the user isn't external.
+ # We want to allow a password update only for non-external accounts.
  if new_password and new_password != '$encrypted$' and not self.get_external_account(obj):
  obj.set_password(new_password)
  obj.save(update_fields=['password'])
@@ -1085,37 +1085,6 @@ def get_related(self, obj):
  )
  return res
 
- def _validate_ldap_managed_field(self, value, field_name):
- if not getattr(settings, 'AUTH_LDAP_SERVER_URI', None):
- return value
- try:
- is_ldap_user = bool(self.instance and self.instance.profile.ldap_dn)
- except AttributeError:
- is_ldap_user = False
- if is_ldap_user:
- ldap_managed_fields = ['username']
- ldap_managed_fields.extend(getattr(settings, 'AUTH_LDAP_USER_ATTR_MAP', {}).keys())
- ldap_managed_fields.extend(getattr(settings, 'AUTH_LDAP_USER_FLAGS_BY_GROUP', {}).keys())
- if field_name in ldap_managed_fields:
- if value != getattr(self.instance, field_name):
- raise serializers.ValidationError(_('Unable to change %s on user managed by LDAP.') % field_name)
- return value
-
- def validate_username(self, value):
- return self._validate_ldap_managed_field(value, 'username')
-
- def validate_first_name(self, value):
- return self._validate_ldap_managed_field(value, 'first_name')
-
- def validate_last_name(self, value):
- return self._validate_ldap_managed_field(value, 'last_name')
-
- def validate_email(self, value):
- return self._validate_ldap_managed_field(value, 'email')
-
- def validate_is_superuser(self, value):
- return self._validate_ldap_managed_field(value, 'is_superuser')
-
 
 class UserActivityStreamSerializer(UserSerializer):
  """Changes to system auditor status are shown as separate entries,

diff --git a/awx/api/views/root.py b/awx/api/views/root.py
@@ -295,15 +295,6 @@ def get(self, request, format=None):
  become_methods=PRIVILEGE_ESCALATION_METHODS,
  )
 
- # If LDAP is enabled, user_ldap_fields will return a list of field
- # names that are managed by LDAP and should be read-only for users with
- # a non-empty ldap_dn attribute.
- if getattr(settings, 'AUTH_LDAP_SERVER_URI', None):
- user_ldap_fields = ['username', 'password']
- user_ldap_fields.extend(getattr(settings, 'AUTH_LDAP_USER_ATTR_MAP', {}).keys())
- user_ldap_fields.extend(getattr(settings, 'AUTH_LDAP_USER_FLAGS_BY_GROUP', {}).keys())
- data['user_ldap_fields'] = user_ldap_fields
-
  if (
  request.user.is_superuser
  or request.user.is_system_auditor

diff --git a/awx/conf/migrations/0006_v331_ldap_group_type.py b/awx/conf/migrations/0006_v331_ldap_group_type.py
@@ -1,13 +1,11 @@
 # -*- coding: utf-8 -*-
 from __future__ import unicode_literals
 
-# AWX
-from awx.conf.migrations._ldap_group_type import fill_ldap_group_type_params
-
 from django.db import migrations
 
 
 class Migration(migrations.Migration):
  dependencies = [('conf', '0005_v330_rename_two_session_settings')]
 
- operations = [migrations.RunPython(fill_ldap_group_type_params)]
+ # this migration is doing nothing, and is here to preserve migrations files integrity
+ operations = []
diff --git a/awx/conf/migrations/0011_remove_ldap_auth_conf.py b/awx/conf/migrations/0011_remove_ldap_auth_conf.py
@@ -0,0 +1,115 @@
+from django.db import migrations
+
+LDAP_AUTH_CONF_KEYS = [
+ 'AUTH_LDAP_SERVER_URI',
+ 'AUTH_LDAP_BIND_DN',
+ 'AUTH_LDAP_BIND_PASSWORD',
+ 'AUTH_LDAP_START_TLS',
+ 'AUTH_LDAP_CONNECTION_OPTIONS',
+ 'AUTH_LDAP_USER_SEARCH',
+ 'AUTH_LDAP_USER_DN_TEMPLATE',
+ 'AUTH_LDAP_USER_ATTR_MAP',
+ 'AUTH_LDAP_GROUP_SEARCH',
+ 'AUTH_LDAP_GROUP_TYPE',
+ 'AUTH_LDAP_GROUP_TYPE_PARAMS',
+ 'AUTH_LDAP_REQUIRE_GROUP',
+ 'AUTH_LDAP_DENY_GROUP',
+ 'AUTH_LDAP_USER_FLAGS_BY_GROUP',
+ 'AUTH_LDAP_ORGANIZATION_MAP',
+ 'AUTH_LDAP_TEAM_MAP',
+ 'AUTH_LDAP_1_SERVER_URI',
+ 'AUTH_LDAP_1_BIND_DN',
+ 'AUTH_LDAP_1_BIND_PASSWORD',
+ 'AUTH_LDAP_1_START_TLS',
+ 'AUTH_LDAP_1_CONNECTION_OPTIONS',
+ 'AUTH_LDAP_1_USER_SEARCH',
+ 'AUTH_LDAP_1_USER_DN_TEMPLATE',
+ 'AUTH_LDAP_1_USER_ATTR_MAP',
+ 'AUTH_LDAP_1_GROUP_SEARCH',
+ 'AUTH_LDAP_1_GROUP_TYPE',
+ 'AUTH_LDAP_1_GROUP_TYPE_PARAMS',
+ 'AUTH_LDAP_1_REQUIRE_GROUP',
+ 'AUTH_LDAP_1_DENY_GROUP',
+ 'AUTH_LDAP_1_USER_FLAGS_BY_GROUP',
+ 'AUTH_LDAP_1_ORGANIZATION_MAP',
+ 'AUTH_LDAP_1_TEAM_MAP',
+ 'AUTH_LDAP_2_SERVER_URI',
+ 'AUTH_LDAP_2_BIND_DN',
+ 'AUTH_LDAP_2_BIND_PASSWORD',
+ 'AUTH_LDAP_2_START_TLS',
+ 'AUTH_LDAP_2_CONNECTION_OPTIONS',
+ 'AUTH_LDAP_2_USER_SEARCH',
+ 'AUTH_LDAP_2_USER_DN_TEMPLATE',
+ 'AUTH_LDAP_2_USER_ATTR_MAP',
+ 'AUTH_LDAP_2_GROUP_SEARCH',
+ 'AUTH_LDAP_2_GROUP_TYPE',
+ 'AUTH_LDAP_2_GROUP_TYPE_PARAMS',
+ 'AUTH_LDAP_2_REQUIRE_GROUP',
+ 'AUTH_LDAP_2_DENY_GROUP',
+ 'AUTH_LDAP_2_USER_FLAGS_BY_GROUP',
+ 'AUTH_LDAP_2_ORGANIZATION_MAP',
+ 'AUTH_LDAP_2_TEAM_MAP',
+ 'AUTH_LDAP_3_SERVER_URI',
+ 'AUTH_LDAP_3_BIND_DN',
+ 'AUTH_LDAP_3_BIND_PASSWORD',
+ 'AUTH_LDAP_3_START_TLS',
+ 'AUTH_LDAP_3_CONNECTION_OPTIONS',
+ 'AUTH_LDAP_3_USER_SEARCH',
+ 'AUTH_LDAP_3_USER_DN_TEMPLATE',
+ 'AUTH_LDAP_3_USER_ATTR_MAP',
+ 'AUTH_LDAP_3_GROUP_SEARCH',
+ 'AUTH_LDAP_3_GROUP_TYPE',
+ 'AUTH_LDAP_3_GROUP_TYPE_PARAMS',
+ 'AUTH_LDAP_3_REQUIRE_GROUP',
+ 'AUTH_LDAP_3_DENY_GROUP',
+ 'AUTH_LDAP_3_USER_FLAGS_BY_GROUP',
+ 'AUTH_LDAP_3_ORGANIZATION_MAP',
+ 'AUTH_LDAP_3_TEAM_MAP',
+ 'AUTH_LDAP_4_SERVER_URI',
+ 'AUTH_LDAP_4_BIND_DN',
+ 'AUTH_LDAP_4_BIND_PASSWORD',
+ 'AUTH_LDAP_4_START_TLS',
+ 'AUTH_LDAP_4_CONNECTION_OPTIONS',
+ 'AUTH_LDAP_4_USER_SEARCH',
+ 'AUTH_LDAP_4_USER_DN_TEMPLATE',
+ 'AUTH_LDAP_4_USER_ATTR_MAP',
+ 'AUTH_LDAP_4_GROUP_SEARCH',
+ 'AUTH_LDAP_4_GROUP_TYPE',
+ 'AUTH_LDAP_4_GROUP_TYPE_PARAMS',
+ 'AUTH_LDAP_4_REQUIRE_GROUP',
+ 'AUTH_LDAP_4_DENY_GROUP',
+ 'AUTH_LDAP_4_USER_FLAGS_BY_GROUP',
+ 'AUTH_LDAP_4_ORGANIZATION_MAP',
+ 'AUTH_LDAP_4_TEAM_MAP',
+ 'AUTH_LDAP_5_SERVER_URI',
+ 'AUTH_LDAP_5_BIND_DN',
+ 'AUTH_LDAP_5_BIND_PASSWORD',
+ 'AUTH_LDAP_5_START_TLS',
+ 'AUTH_LDAP_5_CONNECTION_OPTIONS',
+ 'AUTH_LDAP_5_USER_SEARCH',
+ 'AUTH_LDAP_5_USER_DN_TEMPLATE',
+ 'AUTH_LDAP_5_USER_ATTR_MAP',
+ 'AUTH_LDAP_5_GROUP_SEARCH',
+ 'AUTH_LDAP_5_GROUP_TYPE',
+ 'AUTH_LDAP_5_GROUP_TYPE_PARAMS',
+ 'AUTH_LDAP_5_REQUIRE_GROUP',
+ 'AUTH_LDAP_5_DENY_GROUP',
+ 'AUTH_LDAP_5_USER_FLAGS_BY_GROUP',
+ 'AUTH_LDAP_5_ORGANIZATION_MAP',
+ 'AUTH_LDAP_5_TEAM_MAP',
+]
+
+
+def remove_ldap_auth_conf(apps, scheme_editor):
+ setting = apps.get_model('conf', 'Setting')
+ setting.objects.filter(key__in=LDAP_AUTH_CONF_KEYS).delete()
+
+
+class Migration(migrations.Migration):
+ dependencies = [
+ ('conf', '0010_change_to_JSONField'),
+ ]
+
+ operations = [
+ migrations.RunPython(remove_ldap_auth_conf),
+ ]
diff --git a/awx/conf/migrations/_ldap_group_type.py b/awx/conf/migrations/_ldap_group_type.py
diff --git a/awx/conf/signals.py b/awx/conf/signals.py
@@ -73,6 +73,6 @@ def disable_local_auth(**kwargs):
 
  logger.warning("Triggering token invalidation for local users.")
 
- qs = User.objects.filter(profile__ldap_dn='', enterprise_auth__isnull=True, social_auth__isnull=True)
+ qs = User.objects.filter(enterprise_auth__isnull=True, social_auth__isnull=True)
  revoke_tokens(RefreshToken.objects.filter(revoked=None, user__in=qs))
  revoke_tokens(OAuth2AccessToken.objects.filter(user__in=qs))
diff --git a/awx/conf/tests/functional/test_migrations.py b/awx/conf/tests/functional/test_migrations.py
diff --git a/awx/main/access.py b/awx/main/access.py
@@ -642,10 +642,7 @@ class UserAccess(BaseAccess):
  """
 
  model = User
- prefetch_related = (
- 'profile',
- 'resource',
- )
+ prefetch_related = ('resource',)
 
  def filtered_queryset(self):
  if settings.ORG_ADMINS_CAN_SEE_ALL_USERS and (self.user.admin_of_organizations.exists() or self.user.auditor_of_organizations.exists()):