API User impersonation #6207

New Issue

Closed

opened 2025-12-29 19:38:01 +01:00 by adam · 4 comments

adam commented 2025-12-29 19:38:01 +01:00

Owner

Copy Link

Originally created by @steffenschumacher on GitHub (Mar 14, 2022).

NetBox version

v3.1.9

Feature type

New functionality

Proposed functionality

(This is a second attempt at arguing for this feature - can't help thinking of a particular Einstein quote, but here goes 😏..)
Allow user impersonation for api requests with authorisation override.
Using an http header attribute, eg. “impersonate”=“some-user" and api token, then if the user of the api token is authorised to impersonate users, then the request is authenticated as “some-user”, if this user exists.
Furthermore, if this request has http attribute “impersonate_authorisation”=“false”, then the authorisation privileges of this request will be those of the api token owner instead of the impersonated user - otherwise it will be of the impersonated user.

Use case

We have a homegrown middleware on top of netbox, which enable users to modify assets in netbox in an assisted fashion, and we would prefer if write operations in netbox were done on behalf of users, whom we don’t want to grant direct write access to netbox. Users are sync'ed into netbox via LDAP
While it is possible fetch automatically provisioned tokens from preexisting users and use those, then this option would require netbox write privileges for the users. Privileges we prefer to be read only, so we ensure that only valid modifications are done in netbox (via the assisting middleware and directly by a few netbox admins).
To achieve this, I believe it is required to both be able to impersonate some specific user, and then also to indicate whether authorisation should be done using the impersonated user, or the actual 'system' user who is doing the impersonation.

We could merely use the system user, but then we loose out on most of the brilliant change log functionality in netbox, since all changes will be done by the system user.

Database changes

None

External dependencies

None

Originally created by @steffenschumacher on GitHub (Mar 14, 2022). ### NetBox version v3.1.9 ### Feature type New functionality ### Proposed functionality _(This is a second attempt at arguing for this feature - can't help thinking of a particular Einstein quote, but here goes 😏..)_ **Allow user impersonation for api requests with authorisation override.** Using an http header attribute, eg. `“impersonate”=“some-user"` and api token, then if the user of the api token is authorised to impersonate users, then the request is authenticated as “some-user”, if this user exists. Furthermore, if this request has http attribute `“impersonate_authorisation”=“false”`, then the authorisation privileges of this request will be those of the api token owner instead of the impersonated user - otherwise it will be of the impersonated user. ### Use case We have a homegrown middleware on top of netbox, which enable users to modify assets in netbox in an assisted fashion, and we would prefer if write operations in netbox were done on behalf of users, whom we **don’t want to grant direct write access to netbox**. Users are sync'ed into netbox via LDAP While it is possible fetch automatically provisioned tokens from preexisting users and use those, then this option would require netbox write privileges for the users. Privileges we prefer to be read only, so we ensure that only valid modifications are done in netbox (via the assisting middleware and directly by a few netbox admins). To achieve this, I believe it is required to both be able to impersonate some specific user, and then also to indicate whether authorisation should be done using the impersonated user, or the actual 'system' user who is doing the impersonation. We could merely use the system user, but then we loose out on most of the brilliant change log functionality in netbox, since all changes will be done by the system user. ### Database changes None ### External dependencies None

adam added the type: featurepending closure labels 2025-12-29 19:38:01 +01:00

adam closed this issue 2025-12-29 19:38:01 +01:00

adam commented 2025-12-29 19:38:01 +01:00

Author

Owner

Copy Link

@PieterL75 commented on GitHub (Mar 14, 2022):

An idea is to add a 'user group' of users that that token is allowed to impersonate ?
That group can be ldap synced, so no extra maintenance there.
Also if no 'impersonate' user is provided, then the token will use the regular assigned user.
The only caveat I see, is that this one token will get a lot of rights to a lot if users. and that might not be something we want..
The FR #8233 might help securing that token, so that it can only be used from specific source ips

@PieterL75 commented on GitHub (Mar 14, 2022): An idea is to add a 'user group' of users that that token is allowed to impersonate ? That group can be ldap synced, so no extra maintenance there. Also if no 'impersonate' user is provided, then the token will use the regular assigned user. The only caveat I see, is that this one token will get a lot of rights to a lot if users. and that might not be something we want.. The FR #8233 might help securing that token, so that it can only be used from specific source ips

adam commented 2025-12-29 19:38:02 +01:00

Author

Owner

Copy Link

@steffenschumacher commented on GitHub (Mar 14, 2022):

Sure - I think fencing in which users that are allowed to be impersonated is a good thing.
The token allowed to impersonate would have privileges to do pretty much anything even without this feature, so that caveat is not specific to this FR..

@steffenschumacher commented on GitHub (Mar 14, 2022): Sure - I think fencing in which users that are allowed to be impersonated is a good thing. The token allowed to impersonate would have privileges to do pretty much anything even without this feature, so that caveat is not specific to this FR..

adam commented 2025-12-29 19:38:02 +01:00

Author

Owner

Copy Link

@github-actions[bot] commented on GitHub (May 14, 2022):

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. NetBox is governed by a small group of core maintainers which means not all opened issues may receive direct feedback. Please see our contributing guide.

@github-actions[bot] commented on GitHub (May 14, 2022): This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. NetBox is governed by a small group of core maintainers which means not all opened issues may receive direct feedback. Please see our [contributing guide](https://github.com/netbox-community/netbox/blob/develop/CONTRIBUTING.md).

adam commented 2025-12-29 19:38:02 +01:00

Author

Owner

Copy Link

@steffenschumacher commented on GitHub (May 14, 2022):

Closing as this proved too complex and niche..

@steffenschumacher commented on GitHub (May 14, 2022): Closing as this proved too complex and niche..

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

update-changelog-comments-docs

feature-removal-issue-type

20911-dropdown

20239-plugin-menu-classes-mutable-state

21097-graphql-id-lookups

feature

fix_module_substitution

20923-dcim-templates

20044-elevation-stuck-lightmode

feature-ip-prefix-link

v4.5-beta1-release

20068-import-moduletype-attrs

20766-fix-german-translation-code-literals

20378-del-script

7604-filter-modifiers-v3

circuit-swap

12318-case-insensitive-uniqueness

20637-improve-device-q-filter

20660-script-load

19724-graphql

20614-update-ruff

14884-script

02496-max-page

19720-macaddress-interface-generic-relation

19408-circuit-terminations-export-templates

20203-openapi-check

fix-19669-api-image-download

7604-filter-modifiers

19275-fixes-interface-bulk-edit

fix-17794-get_field_value_return_list

11507-show-aggregate-and-rir-on-api

9583-add_column_specific_search_field_to_tables

v4.5.0

v4.4.10

v4.4.9

v4.5.0-beta1

v4.4.8

v4.4.7

v4.4.6

v4.4.5

v4.4.4

v4.4.3

v4.4.2

v4.4.1

v4.4.0

v4.3.7

v4.4.0-beta1

v4.3.6

v4.3.5

v4.3.4

v4.3.3

v4.3.2

v4.3.1

v4.3.0

v4.2.9

v4.3.0-beta2

v4.2.8

v4.3.0-beta1

v4.2.7

v4.2.6

v4.2.5

v4.2.4

v4.2.3

v4.2.2

v4.2.1

v4.2.0

v4.1.11

v4.1.10

v4.1.9

v4.1.8

v4.2-beta1

v4.1.7

v4.1.6

v4.1.5

v4.1.4

v4.1.3

v4.1.2

v4.1.1

v4.1.0

v4.0.11

v4.0.10

v4.0.9

v4.1-beta1

v4.0.8

v4.0.7

v4.0.6

v4.0.5

v4.0.3

v4.0.2

v4.0.1

v4.0.0

v3.7.8

v3.7.7

v4.0-beta2

v3.7.6

v3.7.5

v4.0-beta1

v3.7.4

v3.7.3

v3.7.2

v3.7.1

v3.7.0

v3.6.9

v3.6.8

v3.6.7

v3.7-beta1

v3.6.6

v3.6.5

v3.6.4

v3.6.3

v3.6.2

v3.6.1

v3.6.0

v3.5.9

v3.6-beta2

v3.5.8

v3.6-beta1

v3.5.7

v3.5.6

v3.5.5

v3.5.4

v3.5.3

v3.5.2

v3.5.1

v3.5.0

v3.4.10

v3.4.9

v3.5-beta2

v3.4.8

v3.5-beta1

v3.4.7

v3.4.6

v3.4.5

v3.4.4

v3.4.3

v3.4.2

v3.4.1

v3.4.0

v3.3.10

v3.3.9

v3.4-beta1

v3.3.8

v3.3.7

v3.3.6

v3.3.5

v3.3.4

v3.3.3

v3.3.2

v3.3.1

v3.3.0

v3.2.9

v3.2.8

v3.3-beta2

v3.2.7

v3.3-beta1

v3.2.6

v3.2.5

v3.2.4

v3.2.3

v3.2.2

v3.2.1

v3.2.0

v3.1.11

v3.1.10

v3.2-beta2

v3.1.9

v3.2-beta1

v3.1.8

v3.1.7

v3.1.6

v3.1.5

v3.1.4

v3.1.3

v3.1.2

v3.1.1

v3.1.0

v3.0.12

v3.0.11

v3.0.10

v3.1-beta1

v3.0.9

v3.0.8

v3.0.7

v3.0.6

v3.0.5

v3.0.4

v3.0.3

v3.0.2

v3.0.1

v3.0.0

v2.11.12

v3.0-beta2

v2.11.11

v2.11.10

v3.0-beta1

v2.11.9

v2.11.8

v2.11.7

v2.11.6

v2.11.5

v2.11.4

v2.11.3

v2.11.2

v2.11.1

v2.11.0

v2.10.10

v2.10.9

v2.11-beta1

v2.10.8

v2.10.7

v2.10.6

v2.10.5

v2.10.4

v2.10.3

v2.10.2

v2.10.1

v2.10.0

v2.9.11

v2.10-beta2

v2.9.10

v2.10-beta1

v2.9.9

v2.9.8

v2.9.7

v2.9.6

v2.9.5

v2.9.4

v2.9.3

v2.9.2

v2.9.1

v2.9.0

v2.9-beta2

v2.8.9

v2.9-beta1

v2.8.8

v2.8.7

v2.8.6

v2.8.5

v2.8.4

v2.8.3

v2.8.2

v2.8.1

v2.8.0

v2.7.12

v2.7.11

v2.7.10

v2.7.9

v2.7.8

v2.7.7

v2.7.6

v2.7.5

v2.7.4

v2.7.3

v2.7.2

v2.7.1

v2.7.0

v2.6.12

v2.6.11

v2.6.10

v2.6.9

v2.7-beta1

Solcon-2020-01-06

v2.6.8

v2.6.7

v2.6.6

v2.6.5

v2.6.4

v2.6.3

v2.6.2

v2.6.1

v2.6.0

v2.5.13

v2.5.12

v2.6-beta1

v2.5.11

v2.5.10

v2.5.9

v2.5.8

v2.5.7

v2.5.6

v2.5.5

v2.5.4

v2.5.3

v2.5.2

v2.5.1

v2.5.0

v2.4.9

v2.5-beta2

v2.4.8

v2.5-beta1

v2.4.7

v2.4.6

v2.4.5

v2.4.4

v2.4.3

v2.4.2

v2.4.1

v2.4.0

v2.3.7

v2.4-beta1

v2.3.6

v2.3.5

v2.3.4

v2.3.3

v2.3.2

v2.3.1

v2.3.0

v2.2.10

v2.3-beta2

v2.2.9

v2.3-beta1

v2.2.8

v2.2.7

v2.2.6

v2.2.5

v2.2.4

v2.2.3

v2.2.2

v2.2.1

v2.2.0

v2.1.6

v2.2-beta2

v2.1.5

v2.2-beta1

v2.1.4

v2.1.3

v2.1.2

v2.1.1

v2.1.0

v2.0.10

v2.1-beta1

v2.0.9

v2.0.8

v2.0.7

v2.0.6

v2.0.5

v2.0.4

v2.0.3

v2.0.2

v2.0.1

v2.0.0

v2.0-beta3

v1.9.6

v1.9.5

v2.0-beta2

v1.9.4-r1

v1.9.3

v2.0-beta1

v1.9.2

v1.9.1

v1.9.0-r1

v1.8.4

v1.8.3

v1.8.2

v1.8.1

v1.8.0

v1.7.3

v1.7.2-r1

v1.7.1

v1.7.0

v1.6.3

v1.6.2-r1

v1.6.1-r1

1.6.1

v1.6.0

v1.5.2

v1.5.1

v1.5.0

v1.4.2

v1.4.1

v1.4.0

v1.3.2

v1.3.1

v1.3.0

v1.2.2

v1.2.1

v1.2.0

v1.1.0

v1.0.7-r1

v1.0.7

v1.0.6

v1.0.5

v1.0.4

v1.0.3-r1

v1.0.3

1.0.0

Labels

Clear labels

beta

breaking change

complexity: high

complexity: low

complexity: medium

needs milestone

netbox

pending closure

plugin candidate

pull-request

Mirrored from GitHub Pull Request

severity: high

severity: low

severity: medium

status: accepted

status: backlog

status: blocked

status: duplicate

status: needs owner

status: needs triage

status: revisions needed

status: under review

topic: GraphQL

topic: Internationalization

topic: OpenAPI

topic: UI/UX

topic: cabling

topic: event rules

topic: htmx navigation

topic: industrialization

topic: migrations

topic: plugins

topic: scripts

topic: templating

topic: testing

type: bug

type: deprecation

type: documentation

type: feature

type: housekeeping

type: translation

No Label pending closure type: feature

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

adam

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: starred/netbox#6207