From 9bc75eac51c551d79fe6bc275af38e9d375db287 Mon Sep 17 00:00:00 2001
From: Seth Grover
Date: Wed, 20 Nov 2024 16:27:24 -0700
Subject: [PATCH] for cisagov/Malcolm#496, getting permissions working in v4.1.6

---
 config/netbox.env.example | 13 +----
 netbox/config/extra.py | 2 +-
 netbox/scripts/netbox_init.py | 106 ----------------------------------
 3 files changed, 2 insertions(+), 119 deletions(-)

diff --git a/config/netbox.env.example b/config/netbox.env.example
index 1c55b5f1e..18763383c 100644
--- a/config/netbox.env.example
+++ b/config/netbox.env.example
@@ -12,19 +12,8 @@ CSRF_TRUSTED_ORIGINS=http://* https://*
 REMOTE_AUTH_ENABLED=True
 REMOTE_AUTH_BACKEND=netbox.authentication.RemoteUserBackend
 REMOTE_AUTH_AUTO_CREATE_USER=True
-REMOTE_AUTH_AUTO_CREATE_GROUPS=True
-REMOTE_AUTH_GROUP_SYNC_ENABLED=True
 REMOTE_AUTH_HEADER=HTTP_X_REMOTE_AUTH
-REMOTE_AUTH_GROUP_HEADER=HTTP_X_REMOTE_AUTH_GROUP
-REMOTE_AUTH_USER_EMAIL=HTTP_X_REMOTE_AUTH_EMAIL
-REMOTE_AUTH_USER_FIRST_NAME=HTTP_X_REMOTE_AUTH_FIRST_NAME
-REMOTE_AUTH_USER_LAST_NAME=HTTP_X_REMOTE_AUTH_LAST_NAME
-REMOTE_AUTH_DEFAULT_GROUPS=standard
-REMOTE_AUTH_STAFF_GROUPS=administrator
-REMOTE_AUTH_STAFF_USERS=
-REMOTE_AUTH_SUPERUSER_GROUPS=administrator
-REMOTE_AUTH_SUPERUSERS=
-# REMOTE_AUTH_DEFAULT_PERMISSIONS = {} # dicts can't be configured via environment variables, use extra.py instead
+# REMOTE_AUTH_DEFAULT_PERMISSIONS is handled in extra.py
 
 DB_HOST=netbox-postgres
 DB_NAME=netbox
diff --git a/netbox/config/extra.py b/netbox/config/extra.py
index 8bd133716..421e3dbf0 100644
--- a/netbox/config/extra.py
+++ b/netbox/config/extra.py
@@ -29,7 +29,7 @@
 
 
 ## Remote authentication support
-# REMOTE_AUTH_DEFAULT_PERMISSIONS = {}
+REMOTE_AUTH_DEFAULT_PERMISSIONS = {'*': None}
 
 
 ## By default uploaded media is stored on the local filesystem. Using Django-storages is also supported. Provide the
diff --git a/netbox/scripts/netbox_init.py b/netbox/scripts/netbox_init.py
index c9b64af17..8bc3b7576 100755
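Review bot: The replacement comment `# REMOTE_AUTH_DEFAULT_PERMISSIONS is handled in extra.py` does not tell the operator what the surrounding deletions change: REMOTE_AUTH_AUTO_CREATE_USER=True is kept while REMOTE_AUTH_GROUP_SYNC_ENABLED, REMOTE_AUTH_DEFAULT_GROUPS and the STAFF/SUPERUSER group mappings are removed, so every identity asserted in HTTP_X_REMOTE_AUTH is auto-created and, presumably, receives only the extra.py default permissions, with no header-driven group, staff or superuser path any more. I would make that explicit next to the kept REMOTE_AUTH_HEADER line, e.g. `# Every user asserted via HTTP_X_REMOTE_AUTH is auto-created and gets REMOTE_AUTH_DEFAULT_PERMISSIONS from extra.py; group/staff/superuser sync is not used` so that nobody re-adds REMOTE_AUTH_GROUP_HEADER expecting it to still be honoured. As with any header-based remote auth, the value of this file depends on the front-end proxy being the only thing that can set X-Remote-Auth; that is outside this hunk, but worth a one-line pointer here.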
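Review bot: `REMOTE_AUTH_DEFAULT_PERMISSIONS = {'*': None}` is an unexplained blanket grant in the only line this hunk adds: in NetBox's documented format the value is the constraint list, so `None` means no constraints, and `'*'` reads as "everything" if NetBox expands the wildcard. The permissions this commit deletes from netbox_init.py were narrower for the default group (they excluded `auth.*`, `users.*` and `admin.logentry`), while this setting has no carve-out and, with REMOTE_AUTH_AUTO_CREATE_USER still True in netbox.env.example, applies to every auto-created remote user. Please document the intent and scope on the line, e.g. `# Unconstrained access to every object type for each auto-created remote-auth user; Malcolm's own auth in front of NetBox is the access-control boundary`, and if the wildcard really does cover users/tokens/object permissions, consider listing explicit `<app>.<action>_<model>` keys instead so that a header-authenticated user cannot mint tokens or edit permissions inside NetBox.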
--- a/netbox/scripts/netbox_init.py
+++ b/netbox/scripts/netbox_init.py
@@ -164,22 +164,6 @@ def main():
         required=False,
         help="Site(s) to create",
     )
-    parser.add_argument(
-        '--default-group',
-        dest='defaultGroupName',
-        type=str,
-        default=os.getenv('REMOTE_AUTH_DEFAULT_GROUPS', 'standard'),
-        required=False,
-        help="Name of default group for automatic NetBox user creation",
-    )
-    parser.add_argument(
-        '--staff-group',
-        dest='staffGroupName',
-        type=str,
-        default=os.getenv('REMOTE_AUTH_STAFF_GROUPS', 'administrator'),
-        required=False,
-        help="Name of staff group for automatic NetBox user creation",
-    )
     parser.add_argument(
         '-m',
         '--manufacturer',
@@ -501,8 +485,6 @@ def main():
         threading=True,
     )
     sites = {}
-    groups = {}
-    permissions = {}
     prefixes = {}
     devices = {}
     interfaces = {}
@@ -522,94 +504,6 @@ def main():
                 logging.debug("retrying in a few seconds...")
                 time.sleep(5)
 
-    # GROUPS #####################################################################################################
-    DEFAULT_GROUP_NAMES = (
-        args.staffGroupName,
-        args.defaultGroupName,
-    )
-
-    try:
-        groupsPreExisting = {x.name: x for x in nb.users.groups.all()}
-        logging.debug(f"groups (before): { {k:v.id for k, v in groupsPreExisting.items()} }")
-
-        # create groups that don't already exist
-        for groupName in [x for x in DEFAULT_GROUP_NAMES if x not in groupsPreExisting]:
-            try:
-                nb.users.groups.create({'name': groupName})
-            except pynetbox.RequestError as nbe:
-                logging.warning(f"{type(nbe).__name__} processing group \"{groupName}\": {nbe}")
-
-        groups = {x.name: x for x in nb.users.groups.all()}
-        logging.debug(f"groups (after): { {k:v.id for k, v in groups.items()} }")
-    except Exception as e:
-        logging.error(f"{type(e).__name__} processing groups: {e}")
-
-    # PERMISSIONS ##################################################################################################
-    DEFAULT_PERMISSIONS = {
-        f'{args.staffGroupName}_permission': {
-            'name': f'{args.staffGroupName}_permission',
-            'enabled': True,
-            'groups': [args.staffGroupName],
-            'actions': [
-                'view',
-                'add',
-                'change',
-                'delete',
-            ],
-            'exclude_objects': [],
-        },
-        f'{args.defaultGroupName}_permission': {
-            'name': f'{args.defaultGroupName}_permission',
-            'enabled': True,
-            'groups': [args.defaultGroupName],
-            'actions': [
-                'view',
-                'add',
-                'change',
-                'delete',
-            ],
-            'exclude_objects': [
-                'admin.logentry',
-                'auth.group',
-                'auth.permission',
-                'auth.user',
-                'users.admingroup',
-                'users.adminuser',
-                'users.objectpermission',
-                'users.token',
-                'users.userconfig',
-            ],
-        },
-    }
-
-    try:
-        # get all content types (for creating new permissions)
-        allObjectTypeNames = [f'{x.app_label}.{x.model}' for x in nb.extras.object_types.all()]
-
-        permsPreExisting = {x.name: x for x in nb.users.permissions.all()}
-        logging.debug(f"permissions (before): { {k:v.id for k, v in permsPreExisting.items()} }")
-
-        # create permissions that don't already exist
-        for permName, permConfig in {
-            k: v
-            for (k, v) in DEFAULT_PERMISSIONS.items()
-            if v.get('name', None) and v['name'] not in permsPreExisting
-        }.items():
-            permConfig['groups'] = [groups[x].id for x in permConfig['groups']]
-            permConfig['object_types'] = [
-                ct for ct in allObjectTypeNames if ct not in permConfig['exclude_objects']
-            ]
-            permConfig.pop('exclude_objects', None)
-            try:
-                nb.users.permissions.create(permConfig)
-            except pynetbox.RequestError as nbe:
-                logging.warning(f"{type(nbe).__name__} processing permission \"{permConfig['name']}\": {nbe}")
-
-        permissions = {x.name: x for x in nb.users.permissions.all()}
-        logging.debug(f"permissions (after): { {k:v.id for k, v in permissions.items()} }")
-    except Exception as e:
-        logging.error(f"{type(e).__name__} processing permissions: {e}")
-
     # ###### MANUFACTURERS #########################################################################################
     try:
         manufacturersPreExisting = {x.name: x for x in nb.dcim.manufacturers.all()}