starred/netbox
1
0
Fork 0
mirror of https://github.com/netbox-community/netbox.git synced 2026-01-11 21:10:29 +01:00
Code Issues 273 Packages Projects Releases 10 Wiki Activity

Storing authentication metadata against services #1785

New Issue
Closed
opened 2025-12-29 17:19:04 +01:00 by adam · 3 comments
adam commented 2025-12-29 17:19:04 +01:00
Owner
Copy Link

Originally created by @wrouesnel on GitHub (Jun 14, 2018).

Issue type

[x] Feature request

Environment

  • Python version: 3.6
  • NetBox version: 2.3.3

Description

Netbox already implements the concept of tracking notable network connected services on a device, an idea which I built out (in a flat file format) for tracking applications in our local environment. It is however missing a related concept which is storing a record of "how to authenticate" to that application on that device, presuming the user is the current one.

Against each application on devices (internally) we store structured data which describes in a loose-fashion what type of authentication system is being used for that application, and how the details should be acquired by the user (these are generally termed as "lookups").

By way of example this is a sample application structure for a server:

      "application_services": [
        {
          "name": "sssd",
          "authentication": [
            {
              "type": "federated-password",
              "id": "ad-domain",
            },
            {
              "type": "local-password",
              "user_lookup": {
                "type": "literal",
                "value": "root"
              },
              "password_lookup": {
                "type": "vault",
                "uri": "https://vault.internal",
                "path": "/secret/apps/static/admins/production/root_cluster_password",
                "key": "value"
              }
            }
          ]
        },
        {
          "name": "sudo",
          "authentication": [
          {
              "type": "federated-password",
              "id": "ad-domain"
          },
          {
          "name": "ssh",
          "authentication": [
            {
              "type": "shared-authenticator",
              "authenticators": [
                "sssd"
              ]
            }
          ],
          "listens": [
            {
              "ip": "0.0.0.0",
              "port": 22,
              "protocol": "tcp"
            }
          ]
        }
      ]

Without being overly specific, this attaches some institutionally-specific authentication knowledge which can be stored in other systems - specifically the "type" of authentication implemented (local-password or federated-password are common for us, since simple systems like KVMs may not support or not be configured with LDAP/Kerberos auth) and an ID - again, institutionally specific - which allows client applications to pick a profile to use to authenticate - i.e. the federated-password is not specifically LDAP, it's just a coding that the password is not managed by the device itself.

Originally created by @wrouesnel on GitHub (Jun 14, 2018). <!-- Before opening a new issue, please search through the existing issues to see if your topic has already been addressed. Note that you may need to remove the "is:open" filter from the search bar to include closed issues. Check the appropriate type for your issue below by placing an x between the brackets. For assistance with installation issues, or for any other issues other than those listed below, please raise your topic for discussion on our mailing list: https://groups.google.com/forum/#!forum/netbox-discuss Please note that issues which do not fall under any of the below categories will be closed. Due to an excessive backlog of feature requests, we are not currently accepting any proposals which extend NetBox's feature scope. Do not prepend any sort of tag to your issue's title. An administrator will review your issue and assign labels as appropriate. ---> ### Issue type [x] Feature request <!-- An enhancement of existing functionality --> <!-- Please describe the environment in which you are running NetBox. (Be sure to verify that you are running the latest stable release of NetBox before submitting a bug report.) If you are submitting a bug report and have made any changes to the code base, please first validate that your bug can be recreated while running an official release. --> ### Environment * Python version: 3.6 * NetBox version: 2.3.3 <!-- BUG REPORTS must include: * A list of the steps needed for someone else to reproduce the bug * A description of the expected and observed behavior * Any relevant error messages (screenshots may also help) FEATURE REQUESTS must include: * A detailed description of the proposed functionality * A use case for the new feature * A rough description of any necessary changes to the database schema * Any relevant third-party libraries which would be needed --> ### Description Netbox already implements the concept of tracking notable network connected services on a device, an idea which I built out (in a flat file format) for tracking applications in our local environment. It is however missing a related concept which is storing a record of "how to authenticate" to that application on that device, presuming the user is the current one. Against each application on devices (internally) we store structured data which describes in a loose-fashion what type of authentication system is being used for that application, and how the details should be acquired by the user (these are generally termed as "lookups"). By way of example this is a sample application structure for a server: ```json "application_services": [ { "name": "sssd", "authentication": [ { "type": "federated-password", "id": "ad-domain", }, { "type": "local-password", "user_lookup": { "type": "literal", "value": "root" }, "password_lookup": { "type": "vault", "uri": "https://vault.internal", "path": "/secret/apps/static/admins/production/root_cluster_password", "key": "value" } } ] }, { "name": "sudo", "authentication": [ { "type": "federated-password", "id": "ad-domain" }, { "name": "ssh", "authentication": [ { "type": "shared-authenticator", "authenticators": [ "sssd" ] } ], "listens": [ { "ip": "0.0.0.0", "port": 22, "protocol": "tcp" } ] } ] ``` Without being overly specific, this attaches some institutionally-specific authentication knowledge which can be stored in other systems - specifically the "type" of authentication implemented (local-password or federated-password are common for us, since simple systems like KVMs may not support or not be configured with LDAP/Kerberos auth) and an ID - again, institutionally specific - which allows client applications to pick a profile to use to authenticate - i.e. the federated-password is not _specifically_ LDAP, it's just a coding that the password is not managed by the device itself.
adam closed this issue 2025-12-29 17:19:04 +01:00
adam commented 2025-12-29 17:19:04 +01:00
Author
Owner
Copy Link

@jeremystretch commented on GitHub (Jun 14, 2018):

IMO this is out of scope for NetBox but I'll leave this open for discussion.

@jeremystretch commented on GitHub (Jun 14, 2018): IMO this is out of scope for NetBox but I'll leave this open for discussion.
adam commented 2025-12-29 17:19:05 +01:00
Author
Owner
Copy Link

@candlerb commented on GitHub (Jun 15, 2018):

Custom Fields on Service?

@candlerb commented on GitHub (Jun 15, 2018): Custom Fields on Service?
adam commented 2025-12-29 17:19:05 +01:00
Author
Owner
Copy Link

@jeremystretch commented on GitHub (Jun 21, 2018):

Custom Fields on Service?

Sure. #1687

@jeremystretch commented on GitHub (Jun 21, 2018): > Custom Fields on Service? Sure. #1687
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
beta
breaking change
complexity: high
complexity: low
complexity: medium
needs milestone
netbox
pending closure
plugin candidate
pull-request
Mirrored from GitHub Pull Request
 severity: high
severity: low
severity: medium
status: accepted
status: backlog
status: blocked
status: duplicate
status: needs owner
status: needs triage
status: revisions needed
status: under review
topic: GraphQL
topic: Internationalization
topic: OpenAPI
topic: UI/UX
topic: cabling
topic: event rules
topic: htmx navigation
topic: industrialization
topic: migrations
topic: plugins
topic: scripts
topic: templating
topic: testing
type: bug
type: deprecation
type: documentation
type: feature
type: housekeeping
type: translation
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
adam
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: starred/netbox#1785
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?