RFE: NOTIFICATIONS through HTTP/HTTPS proxy

ansible / awx

AWX provides a web-based user interface, REST API, and task engine built on top of Ansible. It is one of the upstream projects for Red Hat Ansible Automation Platform.

Other

14k stars 3.42k forks source link

RFE: NOTIFICATIONS through HTTP/HTTPS proxy #3072

Open sugitk opened 5 years ago

sugitk commented 5 years ago

ISSUE TYPE

Feature Idea

COMPONENT NAME

SUMMARY

NOTIFICATIONS needs HTTP/HTTPS proxy settings for each notification type

ADDITIONAL INFORMATION

From support team. Customer wants to specify http_proxy, https_proxy and no_proxy settings from NOTIFICATIONS > CREATE NOTIFICATION TEMPLATE UI. They use the proxy settings only for notification.

wenottingham commented 5 years ago

This is unlikely to happen in the near future. Global proxy settings are done via AWX_TASK_ENV.

Why would you need separate settings only for notifications?

sugitk commented 5 years ago

The customer said;

I would like to submit a feature request/suggestion to Redhat, for adding an option for specifying proxy
details under Tower notification tab. We cannot set proxy environment variables globally just for
notification purpose and it's not practical to add all the network information under no_proxy variable to 
bypass the proxy.

I agree with Bill, but AWX_TASK_ENV is for jobs. I think this setting should be separated from JOBS screen to SYSTEM. The proxy settings may be used not only jobs but also notifications and external logging.

otdouglasm commented 5 years ago

(I'm a colleague of the customer requesting this RFE via Support.) The problem with setting a proxy globally is that it can change the behavior of modules or Python packages that honor proxy-related environment variables.

For example, WinRM. If a proxy is set, we can't connect to any Windows hosts. WinRM fails since it attempts to go through the proxy, which refuses the connection. Even if the proxy accepted WinRM traffic, it would put unnecessary load on the proxy.

JRitterFB commented 5 years ago

Hello,

Our team also has a use case for this feature, as we're experiencing some issues with hitting Slacks webhooks URL from behind a firewall as part of the Slack notification feature within Tower. At a high level, Slack does a fair bit of load balancing and their IP range is non-static, making it difficult to configure firewall rules to allow for outside communication to their hooks URL. Setting a proxy for notifications would solve this in our case, but we don't currently have that ability within the UI.

Thanks

sugitk commented 4 years ago

The another customer desired this feature. Their network is very huge and the no_proxy cannot accept subnet notation, hence they need to specify all of their internal nodes into no_proxy individually however it is not realistic solution.

If AWX/Tower can specify a proxy setting for notifications, it may be easier to solve this situation. And the customer kindly investigated the source codes, they are planning to modify these codes.

https://github.com/ansible/awx/blob/13.0.0/awx/main/notifications/slack_backend.py https://github.com/slackapi/python-slackclient/blob/v1.1.1/slackclient/client.py

yasny commented 4 years ago

I'm working with @sugitk to solve this problem for our environment. As he mentioned, I'm planning on modifying the slack_backend.py to pass our proxy server to the SlackClient in the proxies option. I know it's not a very good solution, but until there is a separate method to define proxy servers for the notification backends, it seems like the only option...

rmauc commented 3 years ago

+1 for this feature. We have experienced similar WINRM problems to above. This has been open for 2 years, is this still unlikely to happen?

yasny commented 3 years ago

@rmauc We're stil on Ansible Tower 3.6 so I can't speak for the later versions, but I "solved" the issue by creating my own proxy server in Node.js, using pac-resolver, to load a PAC file that allows me to control what to proxy. All of Tower's http/https traffic goes through the simple proxy server which runs on the same node as Tower itself. In the PAC file, I have simple rules that allow traffic to Google and Slack to go out via our corporate proxy, while all other requests are handled directly. This allows Google OAuth and Slack notifications to work as well as WinRM connections to internal servers.

It's not ideal, but since editing slack_backend.py could cause us to lose support for Ansible Tower, I decided to go with the external proxy.

sugitk commented 2 years ago

We have received another support case regarding the configuration of proxy settings for notifications.

Sometimes we ask customers to modify the /etc/supervisord.conf as per this KCS article though, I believe more easier way should be provided.

https://access.redhat.com/solutions/3023641

And also, I guess that the implementation of the notifications (awx/main/notifications/*.py) refers to the environment settings for connecting to a proxy. It is hard for us to diagnose the issue. So I will request again:

We can set proxy settings in the Web UI for notifications rather than editing /etc/supervisord.conf. The AWX_TASK_ENV is not effective.
Backends (awx/main/notifications/*.py) can handle proxy settings explicitly. Almost of them transfer using the native libraries for each notification type, so the backend should call them with the proxy settings if the protocol is HTTPS (or HTTP). For example, twilio client (twilio.rest) can be called with proxy parameter.