Red Hat SummitMandatory platform gateway authentication in Ansible Automation Platform 2.7
In Red Hat Ansible Automation Platform 2.7, platform gateway is the only supported method for external authentication to platform components. Direct API access to automation controller, automation hub, and Event-Driven Ansible has been removed.
Platform components enforce gateway-only authentication through an immutable configuration. This enforcement activates automatically when components are deployed and cannot be bypassed or disabled.
Attempts to authenticate directly to a platform component using legacy methods result in an HTTP 401 Unauthorized error. Legacy methods include:
- Basic authentication
- Session authentication
- Component-level tokens
Authentication changes in platform gateway
In Ansible Automation Platform 2.7, all user authentication and API access is centralized through platform gateway. Third-party provider configuration must also be performed in platform gateway.
- Centralized flow: All user authentication flows through platform gateway.
- API requests: All API requests must use platform gateway URLs and gateway-issued tokens.
- Third-party providers: Configuration for LDAP, SAML, and OAuth, must be performed in platform gateway.
- Disabled methods: Basic and session authentication are no longer available at the component level.
Unaffected internal operations
Internal platform operations continue to function normally using internal JWT-based authentication. The following communications do not go through platform gateway.
- Service-to-service communication: Interactions between components, such as automation controller retrieving images from automation hub.
- Rulebook workers: Event-Driven Ansible worker processes communicating with automation controller through WebSockets.
- Container registry: The automation hub container registry supports authentication using gateway tokens by using
podman loginordocker login. To authenticate, use your platform gateway credentials:$ podman login <platform-host> --username <gateway-username> --passwordFor large container image uploads, you might need to adjust platform gateway route timeout settings.
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}