for cisagov#496, getting permissions working in v4.1.6
mmguero committed Nov 20, 2024
1 parent ee5b3bb commit 9bc75ea
Showing 3 changed files with 2 additions and 119 deletions.
13 changes: 1 addition & 12 deletions config/netbox.env.example
Expand Up @@ -12,19 +12,8 @@ CSRF_TRUSTED_ORIGINS=http://* https://*
REMOTE_AUTH_ENABLED=True
REMOTE_AUTH_BACKEND=netbox.authentication.RemoteUserBackend
REMOTE_AUTH_AUTO_CREATE_USER=True
REMOTE_AUTH_AUTO_CREATE_GROUPS=True
REMOTE_AUTH_GROUP_SYNC_ENABLED=True
REMOTE_AUTH_HEADER=HTTP_X_REMOTE_AUTH
REMOTE_AUTH_GROUP_HEADER=HTTP_X_REMOTE_AUTH_GROUP
REMOTE_AUTH_USER_EMAIL=HTTP_X_REMOTE_AUTH_EMAIL
REMOTE_AUTH_USER_FIRST_NAME=HTTP_X_REMOTE_AUTH_FIRST_NAME
REMOTE_AUTH_USER_LAST_NAME=HTTP_X_REMOTE_AUTH_LAST_NAME
REMOTE_AUTH_DEFAULT_GROUPS=standard
REMOTE_AUTH_STAFF_GROUPS=administrator
REMOTE_AUTH_STAFF_USERS=
REMOTE_AUTH_SUPERUSER_GROUPS=administrator
REMOTE_AUTH_SUPERUSERS=
# REMOTE_AUTH_DEFAULT_PERMISSIONS = {} # dicts can't be configured via environment variables, use extra.py instead
# REMOTE_AUTH_DEFAULT_PERMISSIONS is handled in extra.py

DB_HOST=netbox-postgres
DB_NAME=netbox
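Review bot: The replacement comment on REMOTE_AUTH_DEFAULT_PERMISSIONS says only where the setting lives, while REMOTE_AUTH_AUTO_CREATE_USER=True earlier in this hunk means every identity the proxy forwards becomes a NetBox account — so an operator reading this example can no longer tell from this file what access such an account receives, or why the value is not set here. I'd write it as `# REMOTE_AUTH_DEFAULT_PERMISSIONS is a dict and cannot be set via environment variables; it is set in netbox/config/extra.py and decides what auto-created remote-auth users may access`. The hunk also appears to drop the REMOTE_AUTH_*GROUPS/STAFF/SUPERUSER mappings from the example; if they are no longer consumed anywhere, a one-line note that NetBox's built-in defaults now apply for those settings would save the next reader a search.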
2 changes: 1 addition & 1 deletion netbox/config/extra.py
Expand Up @@ -29,7 +29,7 @@


## Remote authentication support
# REMOTE_AUTH_DEFAULT_PERMISSIONS = {}
REMOTE_AUTH_DEFAULT_PERMISSIONS = {'*': None}


## By default uploaded media is stored on the local filesystem. Using Django-storages is also supported. Provide the
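Review bot: `REMOTE_AUTH_DEFAULT_PERMISSIONS = {'*': None}` goes live with no comment on what it grants: a `None` constraint is an unconstrained permission, so if `'*'` is honored as a wildcard, every account auto-created through REMOTE_AUTH gets unrestricted access to every object type — including users, groups, tokens and object permissions, which the netbox_init.py code removed in this same commit deliberately excluded for the standard group. If that is the intent (authorization delegated wholly to the reverse proxy that sets the remote-auth header), the file should say so, e.g. `# Every auto-created remote-auth user gets unconstrained access to all objects; authorization is enforced upstream by the reverse proxy, which must be the only path to NetBox.` As far as I recall NetBox documents these keys in `app_label.action_model` form, so a second comment line noting that `'*'` depends on the NetBox version this commit targets (4.1.6) would explain why the earlier commented-out form was replaced and flag it for the next NetBox upgrade.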
106 changes: 0 additions & 106 deletions netbox/scripts/netbox_init.py
Expand Up @@ -164,22 +164,6 @@ def main():
required=False,
help="Site(s) to create",
)
parser.add_argument(
'--default-group',
dest='defaultGroupName',
type=str,
default=os.getenv('REMOTE_AUTH_DEFAULT_GROUPS', 'standard'),
required=False,
help="Name of default group for automatic NetBox user creation",
)
parser.add_argument(
'--staff-group',
dest='staffGroupName',
type=str,
default=os.getenv('REMOTE_AUTH_STAFF_GROUPS', 'administrator'),
required=False,
help="Name of staff group for automatic NetBox user creation",
)
parser.add_argument(
'-m',
'--manufacturer',
Expand Down Expand Up @@ -501,8 +485,6 @@ def main():
threading=True,
)
sites = {}
groups = {}
permissions = {}
prefixes = {}
devices = {}
interfaces = {}
Expand All @@ -522,94 +504,6 @@ def main():
logging.debug("retrying in a few seconds...")
time.sleep(5)

# GROUPS #####################################################################################################
DEFAULT_GROUP_NAMES = (
args.staffGroupName,
args.defaultGroupName,
)

try:
groupsPreExisting = {x.name: x for x in nb.users.groups.all()}
logging.debug(f"groups (before): { {k:v.id for k, v in groupsPreExisting.items()} }")

# create groups that don't already exist
for groupName in [x for x in DEFAULT_GROUP_NAMES if x not in groupsPreExisting]:
try:
nb.users.groups.create({'name': groupName})
except pynetbox.RequestError as nbe:
logging.warning(f"{type(nbe).__name__} processing group \"{groupName}\": {nbe}")

groups = {x.name: x for x in nb.users.groups.all()}
logging.debug(f"groups (after): { {k:v.id for k, v in groups.items()} }")
except Exception as e:
logging.error(f"{type(e).__name__} processing groups: {e}")

# PERMISSIONS ##################################################################################################
DEFAULT_PERMISSIONS = {
f'{args.staffGroupName}_permission': {
'name': f'{args.staffGroupName}_permission',
'enabled': True,
'groups': [args.staffGroupName],
'actions': [
'view',
'add',
'change',
'delete',
],
'exclude_objects': [],
},
f'{args.defaultGroupName}_permission': {
'name': f'{args.defaultGroupName}_permission',
'enabled': True,
'groups': [args.defaultGroupName],
'actions': [
'view',
'add',
'change',
'delete',
],
'exclude_objects': [
'admin.logentry',
'auth.group',
'auth.permission',
'auth.user',
'users.admingroup',
'users.adminuser',
'users.objectpermission',
'users.token',
'users.userconfig',
],
},
}

try:
# get all content types (for creating new permissions)
allObjectTypeNames = [f'{x.app_label}.{x.model}' for x in nb.extras.object_types.all()]

permsPreExisting = {x.name: x for x in nb.users.permissions.all()}
logging.debug(f"permissions (before): { {k:v.id for k, v in permsPreExisting.items()} }")

# create permissions that don't already exist
for permName, permConfig in {
k: v
for (k, v) in DEFAULT_PERMISSIONS.items()
if v.get('name', None) and v['name'] not in permsPreExisting
}.items():
permConfig['groups'] = [groups[x].id for x in permConfig['groups']]
permConfig['object_types'] = [
ct for ct in allObjectTypeNames if ct not in permConfig['exclude_objects']
]
permConfig.pop('exclude_objects', None)
try:
nb.users.permissions.create(permConfig)
except pynetbox.RequestError as nbe:
logging.warning(f"{type(nbe).__name__} processing permission \"{permConfig['name']}\": {nbe}")

permissions = {x.name: x for x in nb.users.permissions.all()}
logging.debug(f"permissions (after): { {k:v.id for k, v in permissions.items()} }")
except Exception as e:
logging.error(f"{type(e).__name__} processing permissions: {e}")

# ###### MANUFACTURERS #########################################################################################
try:
manufacturersPreExisting = {x.name: x for x in nb.dcim.manufacturers.all()}
