Add the ability to Sync netbox user Groups and special Privileges with a Remote (HTTP) Auth Backend #4546

Closed
opened 2025-12-29 18:37:20 +01:00 by adam · 13 comments
Owner

Originally created by @MaxRink on GitHub (Feb 9, 2021).

Originally assigned to: @MaxRink on GitHub.

Environment

  • Python version: 3.8.x
  • NetBox version: 2.10.4
    although both n/a

Proposed Functionality

Adding Group sync functionality to the Remote (HTTP) Auth Backend
I have a working implementation under https://github.com/MaxRink/netbox/tree/remote_groups

Use Case

Unlike the LDAP backend, the RemoteUserBackend wasn't able to sync group memberships from the auth provider.
This brings it up to parity, as the new settings give you the option to set up an automatic group sync (and revocation) on each user login.
This has been tested with oauth2-proxy.
The old behaviour of just syncing users and then manually managing groups should be unaffected.

Database Changes

No

External Dependencies

No, all Django-internal

adam added the status: accepted, type: feature labels 2025-12-29 18:37:20 +01:00
adam closed this issue 2025-12-29 18:37:20 +01:00

@DanSheps commented on GitHub (Feb 11, 2021):

@MaxRink Are you willing to take ownership of this code (including future bug fixes)?


@MaxRink commented on GitHub (Feb 11, 2021):

Yes, as we are already relying on it for our internal Instance.
@Cellebyte (one of my team colleagues) would also be willing to take ownership, so that it's not just one person.


@Cellebyte commented on GitHub (Feb 11, 2021):

@MaxRink should we also add an example oauth2-proxy configuration?

Here is the example configuration for a Kubernetes installation of oauth2-proxy.

```yaml
# The ingress configuration for the netbox
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    meta.helm.sh/release-name: netbox
    meta.helm.sh/release-namespace: netbox
    nginx.ingress.kubernetes.io/auth-response-headers: Authorization,x-auth-request-user,x-auth-request-email,x-auth-request-groups
    nginx.ingress.kubernetes.io/auth-signin: https://$host/oauth2/start?rd=$escaped_request_uri
    nginx.ingress.kubernetes.io/auth-url: https://$host/oauth2/auth
    nginx.ingress.kubernetes.io/configuration-snippet: |
      auth_request_set $name_upstream_1 $upstream_cookie__oauth2_proxy_1;
      access_by_lua_block {
        if ngx.var.name_upstream_1 ~= "" then
          ngx.header["Set-Cookie"] = "_oauth2_proxy_1=" .. ngx.var.name_upstream_1 .. ngx.var.auth_cookie:match("(; .*)")
        end
      }
  labels:
    app.kubernetes.io/instance: netbox
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: netbox
    app.kubernetes.io/version: v2.9.3
    helm.sh/chart: netbox-2.3.0
  name: netbox
  namespace: netbox
spec:
  rules:
  - host: netbox.local
    http:
      paths:
      - backend:
          serviceName: netbox
          servicePort: http
        path: /
        pathType: ImplementationSpecific
  tls:
  - hosts:
    - netbox.local
    secretName: netbox-tls
```
```yaml
## cat oauth2-proxy-netbox.yaml
## Full deployment of the oauth2-proxy
---
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app.kubernetes.io/component: oauth2-proxy
    app.kubernetes.io/instance: oauth2-proxy
    app.kubernetes.io/name: oauth2-proxy
  name: oauth2-proxy
  namespace: netbox
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/component: oauth2-proxy
      app.kubernetes.io/instance: oauth2-proxy
      app.kubernetes.io/name: oauth2-proxy
  template:
    metadata:
      labels:
        app.kubernetes.io/component: oauth2-proxy
        app.kubernetes.io/instance: oauth2-proxy
        app.kubernetes.io/name: oauth2-proxy
    spec:
      containers:
      - args:
        - --provider=oidc
        - --client-id=netbox
        - --email-domain=example.com
        - --oidc-issuer-url=https://keycloak.example.com/auth/realms/master
        - --http-address=0.0.0.0:4180
        - --keycloak-group=netbox-admin
        - --keycloak-group=netbox-user
        - --keycloak-group=netbox-editor
        - --prefer-email-to-user   # optional
        - --set-xauthrequest=true
        - --skip-provider-button  # optional
        # Register a new application
        # https://github.com/settings/applications/new
        image: quay.io/oauth2-proxy/oauth2-proxy:v7.0.0
        imagePullPolicy: Always
        name: oauth2-proxy
        ports:
        - containerPort: 4180
          protocol: TCP
        env:
        - name: OAUTH2_PROXY_CLIENT_SECRET
          valueFrom:
            secretKeyRef:
              name: oauth2-secret
              key: client-secret
        - name: OAUTH2_PROXY_COOKIE_SECRET
          valueFrom:
            secretKeyRef:
              name: oauth2-secret
              key: cookie-secret
---
apiVersion: v1
kind: Service
metadata:
  labels:
    app.kubernetes.io/component: oauth2-proxy
    app.kubernetes.io/instance: oauth2-proxy
    app.kubernetes.io/name: oauth2-proxy
  name: oauth2-proxy
  namespace: netbox
spec:
  ports:
  - name: http
    port: 4180
    protocol: TCP
    targetPort: 4180
  selector:
    app.kubernetes.io/component: oauth2-proxy
    app.kubernetes.io/instance: oauth2-proxy
    app.kubernetes.io/name: oauth2-proxy
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: oauth2-proxy
  namespace: netbox
  annotations:
    nginx.ingress.kubernetes.io/proxy-buffer-size: 256k
    nginx.ingress.kubernetes.io/proxy-buffers-number: "8"
spec:
  rules:
  - host: netbox.local
    http:
      paths:
      - path: /oauth2
        pathType: ImplementationSpecific
        backend:
          service:
            name: oauth2-proxy
            port:
              number: 4180
      - path: /admin
        pathType: ImplementationSpecific
        backend:
          service:
            name: netbox
            port:
              number: 80
      - path: /api
        pathType: ImplementationSpecific
        backend:
          service:
            name: netbox
            port:
              number: 80
  tls:
  - hosts:
    - netbox.local
    secretName: netbox-tls
```
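As an added example (not code from the issue, the linked branch or NetBox itself), this models the login-time group sync and revocation the proposal describes, fed by the `x-auth-request-groups` header that the ingress above forwards from oauth2-proxy; it also shows the point raised later in the thread that groups have to exist before they can be assigned, behind an opt-in flag. The setting names, the WSGI header key and the plain `User` class are assumptions made for this illustration, not NetBox's real settings or models.

```python
# Added example: header-driven group sync, modelled without Django.
# GROUP_HEADER is the WSGI form of the x-auth-request-groups header forwarded
# by the ingress; all names below are assumed for this illustration.
from dataclasses import dataclass, field

GROUP_HEADER = "HTTP_X_AUTH_REQUEST_GROUPS"
GROUP_SEPARATOR = ","
SUPERUSER_GROUPS = {"netbox-admin"}               # assumed mapping
STAFF_GROUPS = {"netbox-admin", "netbox-editor"}  # assumed mapping
AUTO_CREATE_GROUPS = False  # off: unknown group names are silently dropped


@dataclass
class User:
    username: str
    groups: set = field(default_factory=set)
    is_staff: bool = False
    is_superuser: bool = False


def parse_groups(request_meta):
    """Return the set of group names sent by the proxy, or None if the header is absent."""
    raw = request_meta.get(GROUP_HEADER)
    if raw is None:
        return None
    return {g.strip() for g in raw.split(GROUP_SEPARATOR) if g.strip()}


def sync_groups(user, request_meta, existing_groups):
    """Make the user's memberships match the header on every login.

    Anything the proxy no longer sends is revoked, including the superuser and
    staff flags derived from the mapped groups. The header is only trustworthy
    because the proxy sets it after authentication and the ingress does not
    pass client-supplied copies through; keep that property when deploying.
    """
    wanted = parse_groups(request_meta)
    if wanted is None:
        # No header at all: keep the old behaviour of syncing users only.
        return user
    if AUTO_CREATE_GROUPS:
        existing_groups.update(wanted)
    granted = wanted & existing_groups  # only groups that exist can be assigned
    user.groups = granted
    user.is_superuser = bool(granted & SUPERUSER_GROUPS)
    user.is_staff = bool(granted & STAFF_GROUPS)
    return user
```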

@devon-mar commented on GitHub (Feb 23, 2021):

@Cellebyte
How are you handling API access with oauth2-proxy?
Are you bypassing auth_request for /api?


@Cellebyte commented on GitHub (Feb 23, 2021):

@devon-mar yep


@MaxRink commented on GitHub (Mar 29, 2021):

Just to reiterate, we are still willing to maintain this code :D


@github-actions[bot] commented on GitHub (May 29, 2021):

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. NetBox is governed by a small group of core maintainers which means not all opened issues may receive direct feedback. Please see our contributing guide (https://github.com/netbox-community/netbox/blob/develop/CONTRIBUTING.md).


@davama commented on GitHub (Jun 19, 2021):

Is there a PR for this?


@MaxRink commented on GitHub (Jun 19, 2021):

There was, and I can reopen it:
https://github.com/netbox-community/netbox/pull/5771


@jeremystretch commented on GitHub (Jul 6, 2021):

@MaxRink looks like this fell through the cracks. Sorry about that. I've marked it as accepted and assigned you if you'd like to re-open the pull request.


@mackaybe commented on GitHub (Jul 20, 2021):

It would be nice if this auto-created groups (specified as super-user or staff groups). Is there any reason not to? In my testing at least the groups must exist before permissions are assigned.


@davama commented on GitHub (Aug 30, 2021):

Would also be nice if `REMOTE-EMAIL` and `REMOTE-NAME` were included.
Basically expanding proxy auth.


@jeremystretch commented on GitHub (Aug 30, 2021):

@MaxRink's PR #6730 for this is still waiting for reviews and feedback. Given the degree of interest in this issue I'd expect to see at least a few people trying it and providing feedback.

Reference: starred/netbox#4546