Description
NetBox version
v3.5.3
Python version
3.10
Steps to Reproduce
Prerequisite
configuration.py contains:
```python
REMOTE_AUTH_ENABLED = True
REMOTE_AUTH_BACKEND = 'netbox.authentication.LDAPBackend'
REMOTE_AUTH_HEADER = 'HTTP_REMOTE_USER'
REMOTE_AUTH_AUTO_CREATE_USER = True
REMOTE_AUTH_DEFAULT_GROUPS = []
REMOTE_AUTH_DEFAULT_PERMISSIONS = {}
```
ldap_config.py contains:
```python
AUTH_LDAP_FIND_GROUP_PERMS = True
AUTH_LDAP_MIRROR_GROUPS = False
AUTH_LDAP_FIND_GROUP_PERMS = True
```
I can add the full files with masked data paths, if needed.
Our config allows us to have users with rights assigned by AD group membership. But when checking Django group membership, there is none (we are OK with it; we had no issues before):

If we turn on mirroring, a whole bunch of tens of thousands of groups from AD will be loaded into NetBox.
Issue steps
- Add one user (Bob) to the admin and staff groups, another (Alice) to the access group.
- Create permissions to view anything (or some limited list of objects; we have both scenarios) and assign them to Alice.
- Both Bob and Alice can login to UI and view any objects.
- Create 2 (read-only in our case) tokens, one for Alice, the other for Bob.
Expected Behavior
Tokens must work anywhere and return any data for both users.
Observed Behavior
Both users can use UI, /api/ and /api/schema/swagger-ui/ endpoints while logged in.
Both of them also receive the correct answer in Swagger with the token used (it's likely ignored, because it returns the correct answer with a wrong token too).
Outside of the NetBox app (from curl, PoSh, Grafana requests) it returns a "You do not have permission to perform this action." error.
The problem did not exist in 3.0 and 3.1. I used several accounts in Grafana tests before moving NetBox to production, and it worked.
Now I must explicitly define the user's group membership for the API only.

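A probe for the symptom above, added here as an example and not part of the issue report or of the NetBox project: it repeats the read the UI performs, but over token authentication only (no session cookie), which is the path curl and Grafana take. The point is to read the HTTP status, not just the message: in Django REST Framework a rejected or missing token yields 401, while "You do not have permission to perform this action." is the 403 raised after the token was accepted, i.e. the user authenticated but carries no object permission on that request path. The `NETBOX_URL` and `NETBOX_TOKEN` variables and the `/tmp` output file are assumptions of this script.

```shell
#!/usr/bin/env bash
# Added example (not from the NetBox issue or project): probe a NetBox REST
# endpoint with a token from outside the UI and tell "token rejected" apart
# from "token accepted but no permission" by the HTTP status code.
# Assumed environment: NETBOX_URL (e.g. https://netbox.example.com) and
# NETBOX_TOKEN (the read-only token of the user under test).
set -u

# Map a DRF status code to its meaning for token auth. Pure function, no network.
classify_status() {
  case "$1" in
    200) echo "ok: token authenticated and view permission granted" ;;
    401) echo "unauthenticated: token missing or invalid (check the Authorization header)" ;;
    403) echo "forbidden: token accepted, but the user has no permission for this object type" ;;
    *)   echo "unexpected HTTP $1" ;;
  esac
}

# Issue a token-only GET and report the classification; returns 0 only on 200.
probe() {
  local path="$1"
  local code
  code=$(curl -sS -o /tmp/netbox_probe.json -w '%{http_code}' \
    -H "Authorization: Token ${NETBOX_TOKEN}" \
    -H 'Accept: application/json' \
    "${NETBOX_URL%/}${path}")
  printf '%s -> HTTP %s (%s)\n' "$path" "$code" "$(classify_status "$code")"
  [ "$code" = "200" ]
}

# Run with "--run" to query a live instance; compare the result for Bob's
# token (explicit group membership) against Alice's (permissions only).
if [ "${1:-}" = "--run" ]; then
  probe /api/status/
  probe '/api/dcim/sites/?limit=1'
fi
```

Run it once with each user's token. A 403 on `/api/dcim/sites/` with a 200 on `/api/status/` confirms the token itself is valid and the failure is purely the permission lookup for that user.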