Improve API Access Control in AWX #15656

Open
5 of 9 tasks
krivenkoa opened this issue Nov 22, 2024 · 0 comments

Please confirm the following

  • I agree to follow this project's code of conduct.
  • I have checked the current issues for duplicates.
  • I understand that AWX is open source software provided for free and that I might not receive a timely response.

Feature type

Enhancement to Existing Feature

Feature Summary

To meet security requirements, there is sometimes a need to restrict unauthorized access to the AWX API, including the root endpoint and documentation. By default, some endpoints are accessible without authentication, which may pose a risk of information leakage.

Proposal:
Introduce a new configuration parameter (API_RESTRICT_ANONYMOUS_ACCESS) that allows administrators to control unauthorized access to the API.

Select the relevant components

  • UI
  • API
  • Docs
  • Collection
  • CLI
  • Other

Steps to reproduce

  1. Deploy AWX with default settings.
  2. Navigate to the root API endpoint (/api/) or documentation endpoint (/api/doc/) without authentication.
  3. Observe that certain information is accessible without requiring authentication.

Current results

Some API endpoints, including the root and documentation endpoints, are accessible to unauthenticated users by default. This may lead to potential information exposure in environments with heightened security requirements.

Suggested feature result

  • Introduce a configuration parameter: API_RESTRICT_ANONYMOUS_ACCESS.
  • When enabled:
    • Require authentication for all API endpoints except those essential for login.
    • Restrict access to /api/ and /api/doc/ for unauthorized users.
  • By default, this parameter should be disabled to maintain the current behavior and ensure compatibility with existing installations.

Additional information

  • This feature would allow organizations with strict security policies to use AWX without the need for custom modifications.
  • Administrators can enable or disable the feature based on their specific security needs.
  • The default settings ensure seamless upgrades for current installations.
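Worked example of the policy the issue proposes, added here as an illustration and not code from AWX or from the issue author. AWX is a Django/DRF application, so a real change would land as a Django middleware or DRF permission class; this stand-alone WSGI middleware keeps the same decision logic so it runs without Django. The setting name `API_RESTRICT_ANONYMOUS_ACCESS` is taken from the issue; the login-exempt prefixes, the `REMOTE_USER` convention for "already authenticated", and the sample responses served for `/api/` and `/api/doc/` are assumptions made for this example.

```python
"""Illustrative enforcement of an API_RESTRICT_ANONYMOUS_ACCESS switch.

Constructed example, not AWX code. The setting is off by default so that
existing deployments keep today's behaviour (anonymous access to /api/ and
/api/doc/); when it is on, every path except those needed to log in returns
401 to unauthenticated callers.
"""
from wsgiref.util import setup_testing_defaults

# Setting name from the issue; default off preserves current behaviour.
API_RESTRICT_ANONYMOUS_ACCESS = False

# Paths that must remain reachable anonymously so a user can still log in.
# Assumed prefixes for this example, not AWX's real allow-list.
LOGIN_EXEMPT_PREFIXES = ("/api/login/",)


def is_authenticated(environ):
    """Assumption: an upstream session/token layer sets REMOTE_USER on success."""
    return bool(environ.get("REMOTE_USER"))


def anonymous_access_allowed(path, authenticated, restrict):
    """Pure policy decision, kept separate from WSGI plumbing so it is testable."""
    if authenticated:
        return True
    if not restrict:
        return True  # current behaviour: anonymous callers may reach any endpoint
    return any(path.startswith(prefix) for prefix in LOGIN_EXEMPT_PREFIXES)


class RestrictAnonymousMiddleware:
    """Wraps an API app and rejects anonymous requests when the switch is on."""

    def __init__(self, app, restrict=None):
        self.app = app
        self.restrict = API_RESTRICT_ANONYMOUS_ACCESS if restrict is None else restrict

    def __call__(self, environ, start_response):
        path = environ.get("PATH_INFO", "")
        if anonymous_access_allowed(path, is_authenticated(environ), self.restrict):
            return self.app(environ, start_response)
        start_response(
            "401 Unauthorized",
            [("Content-Type", "application/json"),
             ("WWW-Authenticate", 'Basic realm="api"')],
        )
        return [b'{"detail":"Authentication credentials were not provided."}']


def api_app(environ, start_response):
    """Stand-in for the API: constructed responses for the endpoints the issue names."""
    routes = {
        "/api/": b'{"description":"REST API root","current_version":"/api/v2/"}',
        "/api/doc/": b"<html>API documentation</html>",
        "/api/login/": b"<html>login form</html>",
    }
    body = routes.get(environ.get("PATH_INFO", ""))
    if body is None:
        start_response("404 Not Found", [("Content-Type", "text/plain")])
        return [b"not found"]
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [body]


def probe(app, path, user=None):
    """Issue one in-process request and return (status line, body).

    Doubles as the check an administrator would run after flipping the setting.
    """
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path}
    if user:
        environ["REMOTE_USER"] = user
    setup_testing_defaults(environ)
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = headers

    body = b"".join(app(environ, start_response))
    return captured["status"], body


if __name__ == "__main__":
    for restrict in (False, True):
        app = RestrictAnonymousMiddleware(api_app, restrict=restrict)
        for path in ("/api/", "/api/doc/", "/api/login/"):
            print(f"restrict={restrict} anon GET {path} -> {probe(app, path)[0]}")
```

Running the block prints the status each endpoint returns to an anonymous caller with the switch off (all 200) and on (401 for `/api/` and `/api/doc/`, 200 for the login path); the `probe` helper is the same request shape an administrator would replay against a live deployment to confirm the setting took effect.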