Skip to content

Remote groups via HTTP Headers #6730

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Sep 16, 2021
Merged

Remote groups via HTTP Headers #6730

merged 1 commit into from
Sep 16, 2021

Conversation

@MaxRink
Copy link
Contributor

@MaxRink MaxRink commented Jul 8, 2021
edited by jeremystretch
Loading

Fixes: #5775

Unlike the LDAP Backend, the RemoteUserBackend wasnt able to Sync Group memberships form the auth Provider.
This brings it up to parity, as the new Settings give you the Option to setup an automatic Group Sync (and revocation) on each User login.
This has been tested with oauth2-proxy
The old behaviopur of just Syncing Users and then manually managing Groups should be unaffected.
ToDo:

  • Tests for new Settings

@jeremystretch
Copy link
Member

jeremystretch commented Jul 8, 2021

Thank you for your interest in contributing to NetBox, however it appears there is no accepted issue that correlates to this pull request. Before pull requests are opened, we require an accepted issue as per our contributing guide. Please first open an issue and wait for it to be accepted before further work is done on this pull request.

@MaxRink
Copy link
Contributor Author

MaxRink commented Jul 8, 2021

@jeremystretch there is :D
#5775 (comment)

@jeremystretch
Copy link
Member

jeremystretch commented Jul 8, 2021

Ok, I see that. For future, please be sure to retain the ### Fixes: #ISSUENUMBER header from the PR template. This ensures that issues are correctly correlated with PRs and automatically closed when a PR is merged. It makes my job a lot easier. 🙂

nolta
nolta reviewed Jul 16, 2021
View reviewed changes
@jeremystretch
Copy link
Member

jeremystretch commented Aug 23, 2021

Can we get some remote authentication users to test this and weigh in here?

@jeremystretch jeremystretch added the status: under review Further discussion is needed to determine this issue's scope and/or implementation label Aug 23, 2021
@jeremystretch jeremystretch mentioned this pull request Aug 30, 2021
Closed
@mackaybe
Copy link

mackaybe commented Aug 31, 2021

Successfully tested with oauth2-proxy and keycloak

@MaxRink
Add Remote Group Support to the RemoteUserAuth Backend and Middleware
d5e5cdd 
fix incorrect assumption about when to run the group sync

Add documentation for new Settings

format to autopep8 compliance

add first set of basic testcases

format test to comply with pep8

rename SEPERATOR to SEPARATOR

remove accidentally carried over parameter
@davama
Copy link
Contributor

davama commented Sep 9, 2021

Just noticed this

will test with http header auth
Will update tomorrow 👍👍
Thank you!

@sol1-matt
Copy link

sol1-matt commented Sep 16, 2021
edited
Loading

I've patched the 3.0.2 release tag with this diff on our dev box and SSO login continues to work.
No problems found in the upgrade.

I say continues as we patched the previous version (2.11) as well, not sure if that previous patch was the same as this one or different as the person who did it said it was 'based on it'.

upstream auth is Okta

@jeremystretch
Copy link
Member

jeremystretch commented Sep 16, 2021

@davama were you able to test this? Can you share your findings?

@davama
Copy link
Contributor

davama commented Sep 16, 2021
edited
Loading

@jeremystretch @mackaybe
applied this patch to my v3.0.0 instance ... i would assume it would also work on v3.0.2 as @sol1-matt mentioned

works good 👍
using these settings.
HTTP_REMOTE_GROUPS syncs with netbox.

REMOTE_AUTH_ENABLED = True
REMOTE_AUTH_BACKEND = 'netbox.authentication.RemoteUserBackend'
REMOTE_AUTH_HEADER = 'HTTP_REMOTE_USER'
REMOTE_AUTH_AUTO_CREATE_USER = True
REMOTE_AUTH_DEFAULT_GROUPS = ['netbox']
REMOTE_AUTH_DEFAULT_PERMISSIONS =  { "is_superuser" }
REMOTE_AUTH_GROUP_SYNC_ENABLED = True
REMOTE_AUTH_GROUP_HEADER = 'HTTP_REMOTE_GROUPS'
REMOTE_AUTH_SUPERUSER_GROUPS = ['netbox'] 
REMOTE_AUTH_STAFF_GROUPS = ['netbox']
REMOTE_AUTH_GROUP_SEPARATOR = ','

Would be awesome if email , first_name , last_name would sync too... but outside this PR

@jeremystretch jeremystretch removed the status: under review Further discussion is needed to determine this issue's scope and/or implementation label Sep 16, 2021
@jeremystretch jeremystretch merged commit 8d703ff into netbox-community:develop Sep 16, 2021
@erjac77 erjac77 mentioned this pull request Dec 14, 2021
Open
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 22, 2022
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

1 more reviewer

@nolta nolta nolta left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Add the ability to Sync netbox user Groups and special Privileges with an Remote (HTTP) Auth Backend

6 participants

@MaxRink @jeremystretch @mackaybe @davama @sol1-matt @nolta