[AAP-64062] Enforce JWT-only authentication for Controller when deployed as part of AAP #16283
…yed as part of AAP

After all settings are loaded, override DEFAULT_AUTHENTICATION_CLASSES to only allow Gateway JWT authentication when RESOURCE_SERVER__URL is set. This makes the lockdown immutable — no configuration file or environment variable can re-enable legacy auth methods (Basic, Session, OAuth2, Token). This is the same pattern used by Hub (galaxy_ng) and EDA (eda-server) for ANSTRAT-1840.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
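An added example, not AWX's code and not part of this PR, modelling the post-load override the commit message above describes: settings layers are merged in their load order, then the lockdown runs last, so a settings file or environment value that re-adds Basic/Session/OAuth2/Token is overridden. It also shows the audit check a deployer can run, and the case where the URL key is present but empty. The class names and the layer dicts are constructed stand-ins for the real dotted import paths and for dynaconf's defaults/files/env loading.

```python
# Constructed stand-ins for the real authentication class paths.
JWT_ONLY = ['AwxJWTAuthentication']
LEGACY_AUTH = ['BasicAuthentication', 'SessionAuthentication',
               'OAuth2Authentication', 'TokenAuthentication']
# Stand-in for the shipped defaults: every authenticator enabled.
DEFAULTS = {'DEFAULT_AUTHENTICATION_CLASSES': JWT_ONLY + LEGACY_AUTH}


def merge_layers(*layers):
    """Simulate ordinary settings loading: each later layer (a settings
    file, then environment variables) overrides keys set by earlier ones."""
    merged = {}
    for layer in layers:
        merged.update(layer)
    return merged


def enforce_gateway_auth(settings):
    """The lockdown step, applied once after every layer has been merged.

    A non-empty RESOURCE_SERVER__URL means the Controller sits behind the
    Gateway, so only the Gateway-issued JWT is accepted. Because this runs
    last, no earlier layer can add the legacy classes back. Note the
    truthiness test: a key that is present but empty leaves the classes
    untouched, exactly as if it were unset.
    """
    if settings.get('RESOURCE_SERVER__URL'):
        settings['DEFAULT_AUTHENTICATION_CLASSES'] = list(JWT_ONLY)
    return settings


def effective_auth_classes(*layers):
    """Return the authenticators a request would actually be checked against."""
    merged = merge_layers(DEFAULTS, *layers)
    return enforce_gateway_auth(merged)['DEFAULT_AUTHENTICATION_CLASSES']


def legacy_auth_still_enabled(*layers):
    """Audit helper: list any non-JWT authenticator that survived loading.
    In AAP mode this should be empty; anything else is a misconfiguration."""
    return [c for c in effective_auth_classes(*layers) if c in LEGACY_AUTH]


if __name__ == '__main__':
    # Constructed layers: a settings file that tries to re-enable legacy
    # auth, followed by an environment that marks the AAP deployment.
    settings_file = {'DEFAULT_AUTHENTICATION_CLASSES': JWT_ONLY + LEGACY_AUTH}
    env = {'RESOURCE_SERVER__URL': 'https://gateway.example.invalid'}
    print(effective_auth_classes(settings_file, env))     # ['AwxJWTAuthentication']
    print(legacy_auth_still_enabled(settings_file, env))  # []
    print(legacy_auth_still_enabled(settings_file))       # standalone: all four legacy classes
```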
```python
# When deployed as part of AAP (RESOURCE_SERVER__URL is set), enforce JWT-only
# authentication. This ensures all requests go through the gateway and prevents
# direct API access to Controller bypassing the platform's authentication.
if DYNACONF.get('RESOURCE_SERVER__URL', None):
```
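Review bot: `if DYNACONF.get('RESOURCE_SERVER__URL', None):` is a truthiness test, so a value that is present but empty silently skips the lockdown and leaves the legacy authentication classes in place, while the comment above says the override applies when the URL "is set". Either state in the comment that an empty value counts as unset, or log the resulting DEFAULT_AUTHENTICATION_CLASSES after the override so an operator can confirm JWT-only mode from the startup log rather than by probing the API.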
I really don't like switches (if) for settings. It creates entanglements around load order.
Lines 365 to 369 in 7ccc14d
I would prefer that the defaults don't contain the 2nd two (what you're doing right here), and then those are only added back for development, tests, and perhaps add a standalone module or something?



Summary

- When `RESOURCE_SERVER__URL` is set (i.e., deployed as part of AAP with Gateway), override `DEFAULT_AUTHENTICATION_CLASSES` to only allow `AwxJWTAuthentication`
- Jira: AAP-64062

Test plan

- (… `RESOURCE_SERVER__URL`) retains all auth methods

🤖 Generated with Claude Code
Note
High Risk
Changes authentication behavior for all API requests in AAP deployments; misconfiguration or unexpected dependencies on other auth mechanisms could block access or integrations.
Overview
When `RESOURCE_SERVER__URL` is present (AAP/Gateway deployments), AWX now forces DRF `DEFAULT_AUTHENTICATION_CLASSES` to only `AwxJWTAuthentication`, preventing direct non-gateway access methods (e.g., basic/session/token) from being accepted. This override is applied after settings files and environment variables are loaded, making the JWT-only behavior effectively mandatory in that deployment mode.

Written by Cursor Bugbot for commit ab6fd45.