Integration with AUTH_LDAP_FIND_GROUP_PERMS does not work
See original GitHub issueEnvironment
- Python version:
- NetBox version: 2.9.10
Steps to Reproduce
- Configure LDAP authentication
- Enable
AUTH_LDAP_FIND_GROUP_PERMS
- Create in the admin panel group that would be returned by LDAP and grant it some permissions (e.g. users.add_token)
- DO NOT add user into the group, this should be done explicitly by the
django-auth-ldap
module
Expected Behavior
User is able to use those permissions.
Observed Behavior
User is getting permission denied on creating api token.
Analyze
I’ve spent many hours trying to find out why users can’t have permissions in our netbox installation but it does seem to me like a bug in Netbox.
What django-auth-ldap is doing:
def _load_group_permissions(self):
"""
Populates self._group_permissions based on LDAP group membership and
Django group permissions.
"""
group_names = self._get_groups().get_group_names()
perms = Permission.objects.filter(group__name__in=group_names)
...
Here it gets empty QuerySet
.
Enabling DEBUG
and inspecting SQL:
SELECT "auth_permission"."id",
"auth_permission"."name",
"auth_permission"."content_type_id",
"auth_permission"."codename"
FROM "auth_permission"
INNER JOIN "auth_group_permissions"
ON ("auth_permission"."id" = "auth_group_permissions"."permission_id")
INNER JOIN "auth_group"
ON ("auth_group_permissions"."group_id" = "auth_group"."id")
INNER JOIN "django_content_type"
ON ("auth_permission"."content_type_id" = "django_content_type"."id")
WHERE "auth_group"."name" IN ('github-private-cloud-elders', 'gapps', 'team-privatecloud', 'github-na-elders', 'mgmt-prod', 'confluence-users', 'github-keyring-elders', 'pagerduty-users', 'ipausers', 'github-tools-s3provision-hackers', 'github-gooddata-hackers', 'jira-gooddata-users', 'role-swdeveloper')
ORDER BY "django_content_type"."app_label" ASC, "django_content_type"."model" ASC, "auth_permission"."codename" ASC
LIMIT 21
It is trying to get info from the auth_group_permissions
, but inspecting the database it shows completely empty table. Even there is some permissions assigned to the group.
netbox=# select * from auth_group;
id | name
----+----------------------------------
3 | ipausers
16 | github-gooddata-hackers
17 | github-keyring-elders
18 | pagerduty-users
19 | gapps
20 | role-swdeveloper
21 | jira-gooddata-users
22 | github-tools-s3provision-hackers
23 | github-na-elders
24 | mgmt-prod
25 | github-private-cloud-elders
26 | team-privatecloud
27 | confluence-users
(13 rows)
netbox=# select * from auth_group_permissions;
id | group_id | permission_id
----+----------+---------------
(0 rows)
netbox=#
Dumping the DB, removing group permission, dumping DB again and comparing shows something interesting:
@@ -5522,6 +5522,7 @@
37 2020-12-11 13:35:00.497982+01 10 lubomir.tomecek 2 [{"changed": {"fields": ["Groups"]}}] 80 3
38 2020-12-11 13:37:53.0537+01 10 lubomir.tomecek 2 [{"changed": {"fields": ["Groups"]}}] 80 3
39 2020-12-11 13:42:45.743739+01 3 Allow managing API tokens 2 [{"changed": {"fields": ["Users"]}}] 81 3
+40 2020-12-11 13:43:36.651894+01 3 Allow managing API tokens 2 [{"changed": {"fields": ["Groups"]}}] 81 3
\.
@@ -6273,7 +6274,6 @@
--
COPY public.users_objectpermission_groups (id, objectpermission_id, group_id) FROM stdin;
-3 3 3
\.
@@ -6667,7 +6667,7 @@
-- Name: django_admin_log_id_seq; Type: SEQUENCE SET; Schema: public; Owner: netbox
--
-SELECT pg_catalog.setval('public.django_admin_log_id_seq', 39, true);
+SELECT pg_catalog.setval('public.django_admin_log_id_seq', 40, true);
So it does change users_objectpermission_groups
and not the auth_permission_groups
. And that’s why django-auth-ldap can’t find any permissions (without explicitly creating group).
Seems that ObjectPermissionBackend
written in netbox is behaving differently than the standard django one.
Issue Analytics
- State:
- Created 3 years ago
- Comments:19 (12 by maintainers)
Top GitHub Comments
If you can wait a couple days I’d be happy to test out the change.
Mirror groups does seem to workaround this issue (and other LDAP issues I’ve had) - however I’d recommend also setting
AUTH_LDAP_MIRROR_GROUPS
(docs) to a list of the groups you want NetBox to mirror, otherwise you’ll get unrelated LDAP groups being created in NetBox. That setting should probably be added to the NetBox docs as well.I’d initially not used the group mirroring since the
django-auth-ldap
docs had described it as less ideal. In the past I’d solely relied onAUTH_LDAP_FIND_GROUP_PERMS
since I was manually creating the NetBox-specific groups in NetBox to line up with the LDAP groups.However - in NetBox’s case ~it~ mirroring does have advantages; API tokens will work for LDAP authenticated users, and as established in this thread, it works with the new permissions model without having to create a custom LDAP handler (though I imagine there will be some users that really don’t want to mirror groups for good reasons and then will need a custom handler).