Hi everyone
We’re continuing our journey toward a pluggable, services-oriented architecture for AWX and want to make you aware of changes that Red Hat engineering teams plan to make with external authentication and Role-Based Access Control (RBAC).
As we mentioned previously, the new AWX architecture is designed to allow for code reuse across projects. The new pluggable architecture is also intended to minimize existing duplication of effort and decrease complexity for contributors. The changes we are sharing in this post build on work we previously shared and, hopefully, bring the vision for the new AWX architecture into better focus.
Upcoming changes
Now that the Ansible UI and inventory and credentials plugins have moved to the new architecture, Red Hat Engineering is working on the following components:
- External authentication: All external authentication methods are moving to the ansible/django-ansible-base repository. Legacy external authentication code will be removed from the AWX repository except for basic (username/password) authentication.
- RBAC: Legacy role system RBAC functionality has been replaced by permissions-based Django Ansible Base roles. The API endpoints for the legacy RBAC implementation will be removed from the AWX repository.
Impact to upstream users
It’s important to be clear about how these changes affect AWX. All code for authentication functionality and most code for authorization (RBAC) functionality is moving to a separate repository, ansible/django-ansible-base.
- The AWX repository will contain code for basic (username/password) authentication only.
- When the engineering work is complete, authentication functionality will no longer be integrated directly with AWX. Community projects built from AWX source will need to maintain their own integration if they require authentication functionality.
- Tooling or scripts that depend on these authentication methods will need to be updated to use basic authentication.
- Any custom scripts that use the deprecated RBAC endpoints will also need to be updated.
For the AWX operator, external authentication settings are now deprecated and will soon be removed from source.
Digging deeper on external authentication
Modern services-based architectures typically use a common authentication layer for multiple services, instead of separate authentication mechanisms per service. To achieve this with Ansible projects, Red Hat engineering teams have been working on authentication mechanisms in the ansible/django-ansible-base repository.
Now that the work in that ansible/django-ansible-base repository is ready, it is time to remove the duplicate code from the AWX repository. This means that the source code for most authentication methods will be removed from the ansible/awx repository, including:
- LDAP
- OAuth2
- RADIUS
- SSO (including Azure, GitHub, Google, OIDC, and SAML)
- TACACS+
We will also remove the AWX SSO app that is used for OAuth authentication and the legacy AWX OAuth provider.
Digging deeper on authorization (RBAC)
In the same way that having a set of shared authentication mechanisms for Ansible projects makes sense, so does creating a shared codebase for RBAC capabilities.
Consider Event-Driven Ansible (EDA), where roles with granular permissions are often needed to consume messages from message queues, respond to API calls, or process data from monitoring systems. If RBAC code exists only in the AWX repository, then it increases complexity for the EDA project team. At the same time, having RBAC code exist in both the EDA and AWX repositories creates duplication that increases maintenance overhead. As we’ve been saying all along in this series of posts, these are obstacles that we want to remove.
We have already moved a significant portion of RBAC code to ansible/django-ansible-base. The role system was replaced with permissions-based Django Ansible Base roles, which deprecated the legacy role system. Our next step is to remove the deprecated code and associated endpoints, leaving only the permissions-based RBAC functionality that was implemented alongside the legacy roles system. As noted in the Impact to upstream users section, you will need to update any custom scripts that depend on the deprecated endpoints.
Summary
We’re moving code for all external authentication integration (except for Basic Auth) and RBAC functionality to a new project. These changes will result in a dramatically slimmed down codebase in the AWX repository, which should make it much easier for contributors to navigate. These changes are also another big step towards a more modern, service-based architecture for AWX. However, these changes also mean functionality for authentication and legacy roles authorization will no longer be directly included with the AWX project.
Stay updated by joining the Ansible Forum, following the News & Announcements and awx-modernization tags.
Thank you for your continued support.
Links in this AWX update series
- Blog: Upcoming Changes to the AWX Project
- Streamlining AWX Releases
- Refactoring AWX into a Pluggable, Service-Oriented Architecture
- Upcoming changes to AWX Operator installation methods
- AWX UI and credential types transitioning to the new pluggable architecture
Useful links
- The Forum: AWX Topics
- The Forum: Newsletter Category