Remove oauth provider #15588

Closed

gravesm
Member

@gravesm gravesm commented Oct 17, 2024

SUMMARY

This removes the oauth provider functionality from awx. The oauth2_provider app and all references to it have been removed. Migrations to delete the two tables that locally overwrote oauth2_provider tables are included. This change does not include migrations to delete the tables provided by the oauth2_provider app.

ISSUE TYPE
  • Breaking Change
COMPONENT NAME
  • API
  • Docs
AWX VERSION

ADDITIONAL INFORMATION

@adrisala
Contributor

Shouldn't we also modify references of OAuth usage inside the awx_collection directory? The default login method for the collections right now seems to be OAuth.
cc @tvo318
https://github.com/ansible/awx/blob/devel/awx_collection/README.md#running
https://github.com/ansible/awx/blob/devel/awx_collection/TESTING.md

@gravesm
Member Author

gravesm commented Oct 21, 2024

Shouldn't we also modify references of OAuth usage inside the awx_collection directory? The default login method for the collections right now seems to be OAuth.

Docs will definitely need to be changed. #15554 should have fixed the collection to allow basic auth. I'm still working through test failures, though, so there may be further changes needed.

@tvo318
Member

tvo318 commented Oct 21, 2024

@adrisala @gravesm Yes I agree, the docs in the awx_collection need to be updated as well. Thanks for working on this!

@gravesm gravesm force-pushed the remove-oauth-provider branch from f847bdc to adcf3bd Compare October 24, 2024 13:57
@github-actions github-actions bot added component:awx_collection issues related to the collection for controlling AWX component:cli labels Oct 24, 2024
@adrisala adrisala force-pushed the remove-oauth-provider branch from 4bfc6a3 to 37ecb0a Compare November 8, 2024 10:34
@adrisala adrisala self-assigned this Nov 12, 2024
@adrisala adrisala force-pushed the remove-oauth-provider branch 4 times, most recently from b1f2579 to 8d91fe6 Compare November 18, 2024 08:11
@chrismeyersfsu
Member

I reviewed with an eye towards migrations. If we missed some code to delete or deleted too much we can fix that easily. An error in the data is harder to retroactively fix.

I found changes in the activity stream entries. I don't think I care.

Activity Stream

Steps to Recreate

  • docker volume rm tools_awx_db_15 <-- blow away your db and start the dev env from the devel branch
  • Make an application via the API
  • Make a token for the application ^^
  • Edit the token
  • Edit the application
  • now swap to this branch and start the dev env (this will run the migrations)
  • You now have some activity stream entries

I'll note how those activity stream entries change because of this PR.

App Creation - Before
{
    "id": 21,
    "type": "activity_stream",
    "url": "[/api/v2/activity_stream/21/](http://localhost:8013/api/v2/activity_stream/21/)",
    "related": {
        "actor": "[/api/v2/users/1/](http://localhost:8013/api/v2/users/1/)",
        "o_auth2_application": [
            "[/api/v2/applications/1/](http://localhost:8013/api/v2/applications/1/)"
        ]
    },
    "summary_fields": {
        "o_auth2_application": [
            {
                "id": 1,
                "name": "cmeyers app",
                "description": ""
            }
        ],
        "actor": {
            "id": 1,
            "username": "admin",
            "first_name": "",
            "last_name": ""
        }
    },
    "timestamp": "2024-11-18T13:17:56.321841Z",
    "operation": "create",
    "changes": {
        "name": "cmeyers app",
        "description": "",
        "client_type": "public",
        "redirect_uris": "",
        "authorization_grant_type": "password",
        "skip_authorization": false,
        "organization": "Default-1",
        "id": 1
    },
    "object1": "o_auth2_application",
    "object2": "",
    "object_association": "",
    "action_node": "awx-1",
    "object_type": ""
}
App Creation - After
{
    "id": 21,
    "type": "activity_stream",
    "url": "[/api/v2/activity_stream/21/](http://localhost:8013/api/v2/activity_stream/21/)",
    "related": {
        "actor": "[/api/v2/users/1/](http://localhost:8013/api/v2/users/1/)"
    },
    "summary_fields": {
        "actor": {
            "id": 1,
            "username": "admin",
            "first_name": "",
            "last_name": ""
        }
    },
    "timestamp": "2024-11-18T13:17:56.321841Z",
    "operation": "create",
    "changes": {
        "name": "cmeyers app",
        "description": "",
        "client_type": "public",
        "redirect_uris": "",
        "authorization_grant_type": "password",
        "skip_authorization": false,
        "organization": "Default-1",
        "id": 1
    },
    "object1": "o_auth2_application",
    "object2": "",
    "object_association": "",
    "action_node": "awx-1",
    "object_type": ""
}
Token Creation - Before
{
    "id": 22,
    "type": "activity_stream",
    "url": "[/api/v2/activity_stream/22/](http://localhost:8013/api/v2/activity_stream/22/)",
    "related": {
        "actor": "[/api/v2/users/1/](http://localhost:8013/api/v2/users/1/)",
        "o_auth2_access_token": [
            "[/api/v2/tokens/1/](http://localhost:8013/api/v2/tokens/1/)"
        ]
    },
    "summary_fields": {
        "o_auth2_access_token": [
            {
                "id": 1,
                "user_id": 1,
                "description": "hello world 2",
                "application_id": 1,
                "scope": "read"
            }
        ],
        "actor": {
            "id": 1,
            "username": "admin",
            "first_name": "",
            "last_name": ""
        }
    },
    "timestamp": "2024-11-18T13:18:22.438100Z",
    "operation": "create",
    "changes": {
        "description": "hello world",
        "application": "cmeyers app",
        "scope": "write",
        "id": 1,
        "token": "************"
    },
    "object1": "o_auth2_access_token",
    "object2": "",
    "object_association": "",
    "action_node": "awx-1",
    "object_type": ""
}
Token Creation - After
{
    "id": 22,
    "type": "activity_stream",
    "url": "[/api/v2/activity_stream/22/](http://localhost:8013/api/v2/activity_stream/22/)",
    "related": {
        "actor": "[/api/v2/users/1/](http://localhost:8013/api/v2/users/1/)"
    },
    "summary_fields": {
        "actor": {
            "id": 1,
            "username": "admin",
            "first_name": "",
            "last_name": ""
        }
    },
    "timestamp": "2024-11-18T13:18:22.438100Z",
    "operation": "create",
    "changes": {
        "description": "hello world",
        "application": "cmeyers app",
        "scope": "write",
        "id": 1,
        "token": "************"
    },
    "object1": "o_auth2_access_token",
    "object2": "",
    "object_association": "",
    "action_node": "awx-1",
    "object_type": ""
}
Application Edit - Before
{
    "id": 23,
    "type": "activity_stream",
    "url": "[/api/v2/activity_stream/23/](http://localhost:8013/api/v2/activity_stream/23/)",
    "related": {
        "actor": "[/api/v2/users/1/](http://localhost:8013/api/v2/users/1/)",
        "o_auth2_access_token": [
            "[/api/v2/tokens/1/](http://localhost:8013/api/v2/tokens/1/)"
        ]
    },
    "summary_fields": {
        "o_auth2_access_token": [
            {
                "id": 1,
                "user_id": 1,
                "description": "hello world 2",
                "application_id": 1,
                "scope": "read"
            }
        ],
        "actor": {
            "id": 1,
            "username": "admin",
            "first_name": "",
            "last_name": ""
        }
    },
    "timestamp": "2024-11-18T13:18:32.145751Z",
    "operation": "update",
    "changes": {
        "description": [
            "hello world",
            "hello world 2"
        ],
        "scope": [
            "write",
            "read"
        ]
    },
    "object1": "o_auth2_access_token",
    "object2": "",
    "object_association": "",
    "action_node": "awx-1",
    "object_type": ""
}
Application Edit - After
{
    "id": 23,
    "type": "activity_stream",
    "url": "[/api/v2/activity_stream/23/](http://localhost:8013/api/v2/activity_stream/23/)",
    "related": {
        "actor": "[/api/v2/users/1/](http://localhost:8013/api/v2/users/1/)"
    },
    "summary_fields": {
        "actor": {
            "id": 1,
            "username": "admin",
            "first_name": "",
            "last_name": ""
        }
    },
    "timestamp": "2024-11-18T13:18:32.145751Z",
    "operation": "update",
    "changes": {
        "description": [
            "hello world",
            "hello world 2"
        ],
        "scope": [
            "write",
            "read"
        ]
    },
    "object1": "o_auth2_access_token",
    "object2": "",
    "object_association": "",
    "action_node": "awx-1",
    "object_type": ""
}

Token edit before/after is also affected in the same way.

Thoughts

The migrations in this PR change the activity stream entries. Specifically, the deletion of the application and/or token can cause the summary_fields section to change.

We recommend that customers and users hook up external logging to their splunk/grafana-thing/elk to track these sorts of things long-term, so I guess it's OK that our activity stream entries change.
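A way to check an exported activity stream for the change described in the comment above, as an added example that is not part of the original thread or of AWX: it compares entries exported before and after the migration, reports which `related` and `summary_fields` keys disappeared, and confirms that no other audit field changed. The function names and the trimmed sample entry are constructed for illustration.

```python
import copy
import json

# Constructed sample: trimmed copy of activity stream entry 21 from the comment above.
BEFORE = json.loads("""{
  "id": 21, "operation": "create", "object1": "o_auth2_application",
  "timestamp": "2024-11-18T13:17:56.321841Z",
  "related": {"actor": "/api/v2/users/1/",
              "o_auth2_application": ["/api/v2/applications/1/"]},
  "summary_fields": {"actor": {"id": 1, "username": "admin"},
                     "o_auth2_application": [{"id": 1, "name": "cmeyers app"}]},
  "changes": {"name": "cmeyers app", "client_type": "public", "id": 1}
}""")
# The same entry after the migration: only the application links are gone.
AFTER = copy.deepcopy(BEFORE)
del AFTER["related"]["o_auth2_application"]
del AFTER["summary_fields"]["o_auth2_application"]
LINK_SECTIONS = ("related", "summary_fields")

def diff_entry(before, after):
    """Return (lost link keys per section, other top-level fields that changed)."""
    lost = {}
    for section in LINK_SECTIONS:
        gone = sorted(set(before.get(section, {})) - set(after.get(section, {})))
        if gone:
            lost[section] = gone
    altered = sorted(k for k in before.keys() | after.keys()
                     if k not in LINK_SECTIONS and before.get(k) != after.get(k))
    return lost, altered

def dangling(entry):
    """True when object1 names a type the entry no longer links to."""
    obj = entry.get("object1")
    return bool(obj) and obj not in entry.get("related", {})

def audit(before_entries, after_entries):
    """Compare two exports by id and report only the entries that differ."""
    after_by_id = {e["id"]: e for e in after_entries}
    report = {}
    for b in before_entries:
        a = after_by_id.get(b["id"])
        if a is None:  # an entry that vanished outright is the worst case
            report[b["id"]] = {"missing": True}
            continue
        lost, altered = diff_entry(b, a)
        if lost or altered:
            report[b["id"]] = {"missing": False, "lost_links": lost,
                               "altered": altered, "dangling": dangling(a)}
    return report
```

An empty `altered` list with non-empty `lost_links` matches what the comment reports: the recorded `changes`, `operation` and `timestamp` survive, while the links to the deleted objects do not.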

@AlanCoding
Member

Unblocked now, because #15647 is merged

This removes the oauth provider functionality from awx. The
oauth2_provider app and all references to it have been removed.
Migrations to delete the two tables that locally overwrote
oauth2_provider tables are included. This change does not include
migrations to delete the tables provided by the oauth2_provider app.

Also not included here are changes to awxkit, awx_collection or the ui.
The changes in ansible#15554 will cause a
few collection tests to fail, depending on what the test configuration
is. This changes the tests to look for a specific warning rather than
counting the number of warnings emitted.

@@ -0,0 +1,39 @@
# Generated by Django 4.2.10 on 2024-10-24 14:06
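Review bot: The only documentation visible in this new 39-line migration is the auto-generated header on its first line, which does not say what the migration drops. Since the PR summary says the migrations delete the two tables that locally overrode oauth2_provider tables, state that in a comment or docstring at the top of the file, and note whether the migration can be reversed, so an operator reading it knows what data is removed before applying it.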
Member

This migration file should be renamed to the obvious like "remove oauth2 models"

Member

@AlanCoding AlanCoding left a comment

The attribute oauth_scopes is applied to the user object. You removed the line where that setattr was done, but it appears that 2 cases where this is referenced are not yet removed, in awx/api/generics.py and awx/main/access.py. Without tokens, the requesting scope should no longer matter, and should be removed

@PabloHiro
Contributor

Closing this one as a duplicate with conflicts resolved + small patches has been merged already here:
#15666

@PabloHiro PabloHiro closed this Nov 28, 2024
Labels
component:api component:awx_collection issues related to the collection for controlling AWX component:docs