| Field | Value | Date |
|---|---|---|
| author | Djebran Lezzoum <ldjebran@gmail.com> | 2024-10-02 15:50:17 +0200 |
| committer | jessicamack <jmack@redhat.com> | 2024-10-15 23:43:32 +0200 |
| commit | e4c11561cc9b845974ba972aedc2825efc94e4ef (patch) | |
| tree | 09f57ecaf7838cac14cb2914abd38b6c2cc53dcd /docs | |
| parent | Remove LDAP authentication (#15546) (diff) | |
| download | awx-e4c11561cc9b845974ba972aedc2825efc94e4ef.tar.xz, awx-e4c11561cc9b845974ba972aedc2825efc94e4ef.zip | |
Remove TACACS+ authentication (#15547)
Remove TACACS+ authentication from AWX.
Co-authored-by: Hao Liu <44379968+TheRealHaoLiu@users.noreply.github.com>
Diffstat (limited to 'docs')

| Mode | File | Lines |
|---|---|---|
| -rw-r--r-- | docs/auth/README.md | 5 |
| -rw-r--r-- | docs/auth/tacacsplus.md | 51 |
| -rw-r--r-- | docs/docsite/rst/administration/configure_awx_authentication.rst | 2 |
| -rw-r--r-- | docs/docsite/rst/administration/ent_auth.rst | 36 |

4 files changed, 1 insertions, 93 deletions
diff --git a/docs/auth/README.md b/docs/auth/README.md index 62be30a693..92946746f0 100644 --- a/docs/auth/README.md +++ b/docs/auth/README.md @@ -12,13 +12,10 @@ When a user wants to log into AWX, she can explicitly choose some of the support On the other hand, the other authentication methods use the same types of login info (username and password), but authenticate using external auth systems rather than AWX's own database. If some of these methods are enabled, AWX will try authenticating using the enabled methods *before AWX's own authentication method*. The order of precedence is: * RADIUS -* TACACS+ * SAML -AWX will try authenticating against each enabled authentication method *in the specified order*, meaning if the same username and password is valid in multiple enabled auth methods (*e.g.*, both RADIUS and TACACS+), AWX will only use the first positive match (in the above example, log a user in via RADIUS and skip TACACS+). - ## Notes: -SAML users, RADIUS users and TACACS+ users are categorized as 'Enterprise' users. The following rules apply to Enterprise users: +SAML users and RADIUS users are categorized as 'Enterprise' users. The following rules apply to Enterprise users: * Enterprise users can only be created via the first successful login attempt from remote authentication backend. * Enterprise users cannot be created/authenticated if non-enterprise users with the same name has already been created in AWX. diff --git a/docs/auth/tacacsplus.md b/docs/auth/tacacsplus.md deleted file mode 100644 index f895ed4aeb..0000000000 --- a/docs/auth/tacacsplus.md +++ /dev/null 
@@ -1,51 +0,0 @@ -# TACACS+ -[Terminal Access Controller Access-Control System Plus (TACACS+)](https://en.wikipedia.org/wiki/TACACS) is a protocol developed by Cisco to handle remote authentication and related services for networked access control through a centralized server. In specific, TACACS+ provides authentication, authorization and accounting (AAA) services. AWX currently utilizes its authentication service. - -TACACS+ is configured by settings configuration and is available under `/api/v2/settings/tacacsplus/`. Here is a typical configuration with every configurable field included: -``` -{ - "TACACSPLUS_HOST": "127.0.0.1", - "TACACSPLUS_PORT": 49, - "TACACSPLUS_SECRET": "secret", - "TACACSPLUS_SESSION_TIMEOUT": 5, - "TACACSPLUS_AUTH_PROTOCOL": "ascii", - "TACACSPLUS_REM_ADDR": "false" -} -``` -Each field is explained below: - -| Field Name | Field Value Type | Field Value Default | Description | -|------------------------------|---------------------|---------------------|--------------------------------------------------------------------| -| `TACACSPLUS_HOST` | String | '' (empty string) | Hostname of TACACS+ server. Empty string disables TACACS+ service. | -| `TACACSPLUS_PORT` | Integer | 49 | Port number of TACACS+ server. | -| `TACACSPLUS_SECRET` | String | '' (empty string) | Shared secret for authenticating to TACACS+ server. | -| `TACACSPLUS_SESSION_TIMEOUT` | Integer | 5 | TACACS+ session timeout value in seconds. | -| `TACACSPLUS_AUTH_PROTOCOL` | String with choices | 'ascii' | The authentication protocol used by TACACS+ client (choices are `ascii` and `pap`). | -| `TACACSPLUS_REM_ADDR` | Boolean | false | Enable the client address sending by TACACS+ client. | - -Under the hood, AWX uses [open-source TACACS+ python client](https://github.com/ansible/tacacs_plus) to communicate with the remote TACACS+ server. 
During authentication, AWX passes username and password to TACACS+ client, which packs up auth information and sends it to the TACACS+ server. Based on what the server returns, AWX will invalidate login attempt if authentication fails. If authentication passes, AWX will create a user if she does not exist in database, and log the user in. - -## Test Environment Setup - -The suggested TACACS+ server for testing is [shrubbery TACACS+ daemon](http://www.shrubbery.net/tac_plus/). It is supposed to run on a CentOS machine. A verified candidate is CentOS 6.3 AMI in AWS EC2 Community AMIs (search for `CentOS 6.3 x86_64 HVM - Minimal with cloud-init aws-cfn-bootstrap and ec2-api-tools`). Note that it is required to keep TCP port 49 open, since it's the default port used by the TACACS+ daemon. - -We provide [a playbook](https://github.com/jangsutsr/ansible-role-tacacs) to install a working TACACS+ server. Here is a typical test setup using the provided playbook: - -1. In AWS EC2, spawn the CentOS 6 machine. -2. In Tower, create a test project using the stand-alone playbook inventory. -3. In Tower, create a test inventory with the only host to be the spawned CentOS machine. -4. In Tower, create and run a job template using the created project and inventory with parameters setup as below: - -![Example tacacs+ setup jt parameters](../img/auth_tacacsplus_1.png?raw=true) - -The playbook creates a user named 'tower' with ascii password default to 'login' and modifiable by `extra_var` `ascii_password` and pap password default to 'papme' and modifiable by `extra_var` `pap_password`. In order to configure TACACS+ server to meet custom test needs, we need to modify server-side file `/etc/tac_plus.conf` and `sudo service tac_plus restart` to restart the daemon. Details on how to modify config file can be found [here](http://manpages.ubuntu.com/manpages/xenial/man5/tac_plus.conf.5.html). 
- - -## Acceptance Criteria - -* All specified in configuration fields should be shown and configurable as documented. -* A user defined by the TACACS+ server should be able to log into AWX. -* User not defined by TACACS+ server should not be able to log into AWX via TACACS+. -* A user existing in TACACS+ server but not in AWX should be created after the first successful log in. -* TACACS+ backend should stop an authentication attempt after configured timeout and should not block the authentication pipeline in any case. -* If exceptions occur on TACACS+ server side, the exception details should be logged in AWX, and AWX should not authenticate that user via TACACS+. diff --git a/docs/docsite/rst/administration/configure_awx_authentication.rst b/docs/docsite/rst/administration/configure_awx_authentication.rst index c56dfc5937..01e610273f 100644 --- a/docs/docsite/rst/administration/configure_awx_authentication.rst +++ b/docs/docsite/rst/administration/configure_awx_authentication.rst @@ -7,8 +7,6 @@ Through the AWX user interface, you can set up a simplified login through variou - :ref:`ag_auth_azure` - :ref:`ag_auth_github` - :ref:`ag_auth_google_oauth2` -- :ref:`ag_auth_radius` -- :ref:`ag_auth_tacacs` Different authentication types require you to enter different information. Be sure to include all the information as required. diff --git a/docs/docsite/rst/administration/ent_auth.rst b/docs/docsite/rst/administration/ent_auth.rst index 238893ecee..a31f4d1cad 100644 --- a/docs/docsite/rst/administration/ent_auth.rst +++ b/docs/docsite/rst/administration/ent_auth.rst 
@@ -13,8 +13,6 @@ This section describes setting up authentication for the following enterprise sy .. contents:: :local: -Azure, RADIUS, and TACACS+ users are categorized as 'Enterprise' users. The following rules apply to Enterprise users: - - Enterprise users can only be created via the first successful login attempt from remote authentication backend. - Enterprise users cannot be created/authenticated if non-enterprise users with the same name has already been created in AWX. - AWX passwords of enterprise users should always be empty and cannot be set by any user if there are enterprise backend-enabled. 
@@ -78,37 +76,3 @@ AWX can be configured to centrally use RADIUS as a source for authentication inf 4. Enter the port and secret information in the next two fields. 5. Click **Save** when done. - - -.. _ag_auth_tacacs: - -TACACS+ settings ------------------ - -.. index:: - pair: authentication; TACACS+ Authentication Settings - - -Terminal Access Controller Access-Control System Plus (TACACS+) is a protocol that handles remote authentication and related services for networked access control through a centralized server. In particular, TACACS+ provides authentication, authorization and accounting (AAA) services, in which you can configure AWX to use as a source for authentication. - -.. note:: - - This feature is deprecated and will be removed in a future release. - -1. Click **Settings** from the left navigation bar. - -2. On the left side of the Settings window, click **TACACs+ settings** from the list of Authentication options. - -3. Click **Edit** and enter information in the following fields: - -- **TACACS+ Server**: Provide the hostname or IP address of the TACACS+ server with which to authenticate. If this field is left blank, TACACS+ authentication is disabled. -- **TACACS+ Port**: TACACS+ uses port 49 by default, which is already pre-populated. -- **TACACS+ Secret**: Secret key for TACACS+ authentication server. -- **TACACS+ Auth Session Timeout**: Session timeout value in seconds. The default is 5 seconds. -- **TACACS+ Authentication Protocol**: The protocol used by TACACS+ client. Options are **ascii** or **pap**. - -.. image:: ../common/images/configure-awx-auth-tacacs.png - :alt: TACACS+ configuration details in AWX settings. - -4. Click **Save** when done. - |
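Review bot: In the docs/auth/README.md hunk, deleting the whole sentence "AWX will try authenticating against each enabled authentication method *in the specified order* ..." leaves "The order of precedence is:" heading a two-item list with no statement of what that order means, although RADIUS and SAML can still both be enabled and the first-positive-match rule still applies. Suggest keeping the sentence and swapping the example to the remaining backends, e.g. "(*e.g.*, both RADIUS and SAML), AWX will only use the first positive match (in the above example, log a user in via RADIUS and skip SAML)".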
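Review bot: The deleted docs/auth/tacacsplus.md embedded `../img/auth_tacacsplus_1.png`, but no file under docs/img appears in the diffstat, so that screenshot is left orphaned in the tree; suggest removing it in the same change so the asset does not outlive the feature it documented.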
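Review bot: The configure_awx_authentication.rst hunk removes `- :ref:`ag_auth_radius`` together with `- :ref:`ag_auth_tacacs``, yet nothing in this patch removes the RADIUS section (the ent_auth.rst hunk below still carries the RADIUS steps "4. Enter the port and secret information ..." as unchanged context) and the README hunk keeps RADIUS as a supported method. Dropping the RADIUS link is unrelated to removing TACACS+ and leaves the RADIUS settings section unlisted on that page; suggest keeping the `ag_auth_radius` line and deleting only the TACACS+ one.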
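Review bot: In the first ent_auth.rst hunk (`@@ -13,8 +13,6 @@`), the "Enterprise" users paragraph and its three rules are deleted outright, although Azure and RADIUS users remain and the README.md hunk in this same patch keeps the equivalent rules for "SAML users and RADIUS users". Those rules (creation only on the first successful remote login, no creation when a local user of the same name already exists, empty local password while an enterprise backend is enabled) are the security-relevant part of this section and still hold for the remaining backends; suggest changing the lead sentence to "Azure and RADIUS users are categorized as 'Enterprise' users" and keeping the list, mirroring what the README hunk does.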
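Review bot: The removed TACACS+ section in the second ent_auth.rst hunk referenced `../common/images/configure-awx-auth-tacacs.png`, and no file under docs/docsite/rst/common/images is in the diffstat, so that image is left behind; suggest deleting it here. Removing the `.. _ag_auth_tacacs:` label is consistent with dropping the `:ref:` in configure_awx_authentication.rst, but any other remaining `:ref:`ag_auth_tacacs`` in the docsite would become a dangling reference that Sphinx warns about, so a quick search for that label before merge is worthwhile.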