Permission inheritance from site to device related items

[Torstein-Eide]

Hi

I have problem understanding if there is inheritance for related items, and how to use it.

Topology

Site Groupe: A and B
├── Site: A
│   ├── Prefixs: 192.0.2.0/24
│   │   └── Child Prefixes: 
│   │       └── Prefixes:192.0.2.0/29
│   │           ├── Child Ranges: 192.0.2.2-3/29
│   │           └── IP Address:
│   └── Device: something a
│       ├── Interface: Ethernet1
│       │   ├── IP-address: 192.0.2.1/29
│       │   └── Connection: to 
│       └── Virtual Machine: foo
│           └── Interface: Ethernet1
│               └── IP-address: 192.0.2.0/29
├── Site: A+B
├── Site: A.sub
└── VLAN Groups:
    └── name: A+B

What we typing to archive

If give a group permission to view in Site: {"name__icontains":"A"} and Device, Location, Rack, Prefix, VLAN Group, VLAN {"site__name__icontains":"A"} , the group should be able to view related objects to the Site.

How are we able use inheritance in search?

To be able to show related items to:

• Device
  • Ip-addresse
  • Interface Connections
  • Cables
  • Console Connections
  • Modules
  • Virtual Machines
  • Virtual chassis
  • Device components
    • Inventory Items
    • Interface
    • Front ports
    • Rear ports
    • Console port
    • Console server port
    • Power ports
    • Power outlets
    • Module bays
    • Device bays
• Prefix
  • Child Prefixes
  • Child Ranges
  • IP addresses
• Site group (that the site A is part of)
  • VLAN group
    • VLAN

like for Interface

I the GUI I can search with filter:

{
    "site_id": [
        "1"
    ]
}

but with permissions is not a options:

Invalid filter for <class 'dcim.models.device_components.Interface'>: Cannot resolve keyword 'site' into field. Choices are: _name, _path, _path_id, bookmarks, bridge, bridge_id, bridge_interfaces, cable, cable_end, cable_id, cable_terminations, child_interfaces, created, custom_field_data, description, device, device_id, duplex, enabled, fhrp_group_assignments, id, inventory_items, ip_addresses, journal_entries, l2vpn_terminations, label, lag, lag_id, last_updated, mac_address, mark_connected, member_interfaces, mgmt_only, mode, module, module_id, mtu, name, parent, parent_id, poe_mode, poe_type, rf_channel, rf_channel_frequency, rf_channel_width, rf_role, speed, tagged_items, tagged_vlans, tags, tx_power, type, untagged_vlan, untagged_vlan_id, vdcs, vrf, vrf_id, wireless_lans, wireless_link, wireless_link_id, wwn

[candlerb]

Interface is not directly related to Site, but an Interface is always linked to a Device. Therefore for Interface, you should be able to constrain access by device__site__name rather than site__name.

Doing this for IP Address though is very difficult. A Prefix can be linked to a Site, and/or to a VLAN which may also be linked to a Site, and that's fine. However, an IP Address is not linked directly to a parent prefix in the ORM: it's implicit that it falls within the block of one or more ancestor prefixes, and AFAICS there is no ORM object accessor to locate an address' parent prefix. There is a parent filter, but I think this only works if you are starting with a list of IP Addresses, and want to filter it down to only those with a specific parent.

If the IP address has been assigned to an interface then you may be able to do assigned_object__device__site__name (certainly in nbshell, if i is an IPAddress then you can use i.assigned_object.device.site.name). But if it was assigned to a VM interface, instead it would have to be something like j.assigned_object.virtual_machine.cluster.site, and if it's assigned to an FHRP group, well, it gets a lot more difficult :-)

It might be possible use tags. If you explicitly tag every object with one or more tags, you can have user permissions that allow access to certain tags. But then, you have to worry about creating new objects with the right tags, and users not being able to modify these access control tags.

In the end, I think Netbox's access control mechanisms are not flexible enough to do what you require of them. If you need strong isolation between users, it may require setting up separate Netbox instances for them (in this case, a separate Netbox instance per site).

To be able to show related items to:

Device

You just open the device, and there are tabs for the related objects. E.g. the Interfaces tab shows interfaces, cables connected to those interfaces, and IP addresses assigned to those interfaces.

[Torstein-Eide]

Thank you @candlerb for talking the time to replay.

I was unaware of the reverse tree that can be use. I found I hard to find that reverse tree that can be used, and miss a overview, with all the options for 'interface__device__site__name__icontains': '${Site}'

• Is it possible to import permissions?
• Is it possible to use variables like ${Site}, to reuse the permissions-set?

As it will be fun to make 50*10-20 sets for different Sites and subsystems.

Our first roles set for permissions.

Global_view

Field	value
Enabled	True
Object Types	circuits.circuittype dcim.consoleporttemplate dcim.consoleserverporttemplate dcim.devicebaytemplate dcim.devicerole dcim.devicetype dcim.frontporttemplate dcim.interfacetemplate dcim.manufacturer dcim.platform dcim.poweroutlettemplate dcim.powerporttemplate dcim.rackrole dcim.rearporttemplate dcim.region dcim.site dcim.sitegroup dcim.moduletype dcim.modulebaytemplate dcim.inventoryitemrole dcim.inventoryitemtemplate ipam.role ipam.servicetemplate extras.tag extras.customfield extras.bookmark extras.customfieldchoiceset tenancy.contactrole tenancy.contactgroup virtualization.clustergroup virtualization.clustertype wireless.wirelesslangroup netbox_topology_views.individualoptions
Can View	True
Can Add	False
Can Change	False
Can Delete	False
Description	Need for view, add roles etc to devices.
Groups	All
Constraints	null
Custom Actions

${Site}-001_Site_Gobal

Field	value
Enabled	True
Object Types	dcim.site tenancy.tenantgroup
Can View	True
Can Add	True
Can Change	True
Can Delete	True
Description
Groups	${Site}-Gobal-admin
Constraints	{'name__icontains': '${Site}'}
Custom Actions

${Site}_002_tenant

Field	value
Enabled	True
Object Types	tenancy.tenant
Can View	True
Can Add	True
Can Change	True
Can Delete	True
Description
Groups	${Site}-Gobal-admin
Constraints	[ { 'name__icontains': '${Site}' }, {'group__name__icontains': '${Site}' } ]
Custom Actions

${Site}_003_device__site

Field	value
Enabled	True
Object Types	dcim.consoleport, dcim.consoleserverport, dcim.devicebay, dcim.frontport, dcim.interface, dcim.inventoryitem, dcim.poweroutlet, dcim.powerport, dcim.rearport, dcim.modulebay, dcim.module
Can View	True
Can Add	True
Can Change	True
Can Delete	True
Description
Groups	${Site}-Gobal-admin
Constraints	{'device__site__name__icontains': '${Site}'}
Custom Actions

${Site}-004_DCIM-device

Field	value
Enabled	True
Object Types	dcim.device, dcim.location, dcim.rack, ipam.prefix, ipam.vlangroup, ipam.vlan, virtualization.cluster, virtualization.virtualmachine
Can View	True
Can Add	True
Can Change	True
Can Delete	True
Description
Groups	${Site}-Gobal-admin
Constraints	[ { "site__name__icontains": "sleipner" }, { "site__group__name__icontains": "Sleipner" } ]
Custom Actions

${Site}-005_device-interface

Field	value
Enabled	True
Object Types	ipam.ipaddress
Can View	True
Can Add	True
Can Change	True
Can Delete	True
Description	All IP address
Groups	${Site}-Gobal-admin
Constraints	[ { 'interface__device__site__name__icontains': '${Site}' }, { 'vminterface__virtual_machine__site__name__icontains': '${Site}' } ]
Custom Actions

${Site}-006-Tenants-admin

Field	value
Enabled	True
Object Types	dcim.cable, dcim.device, dcim.location, dcim.rack, dcim.rackreservation, dcim.site, dcim.virtualdevicecontext, ipam.ipaddress, ipam.prefix, ipam.vrf, ipam.vlan, ipam.iprange, virtualization.virtualmachine
Can View	True
Can Add	True
Can Change	True
Can Delete	True
Description
Groups	${Site}-Gobal-admin
Constraints	[ { 'tenant__name__icontains': '${Site}' }, { 'tenant__group__name__icontains': '${Site}' } ]
Custom Actions

${Site}-006-Tenants-admin

Field	value
Enabled	True
Object Types	dcim.cable, dcim.device, dcim.location, dcim.rack, dcim.rackreservation, dcim.site, dcim.virtualdevicecontext, ipam.ipaddress, ipam.prefix, ipam.vrf, ipam.vlan, ipam.iprange, virtualization.virtualmachine
Can View	True
Can Add	True
Can Change	True
Can Delete	True
Description
Groups	${Site}-Gobal-admin
Constraints	[ { 'tenant__name__icontains': '${Site}' }, { 'tenant__group__name__icontains': '${Site}' } ]
Custom Actions

${Site}-007-Vlan-group

Field	value
Enabled	True
Object Types	ipam.vlangroup
Can View	True
Can Add	True
Can Change	True
Can Delete	True
Description
Groups	${Site}-Gobal-admin
Constraints	[ { "site_group__name__icontains": "Sleipner" }]
Custom Actions

[candlerb]

I was unaware of the reverse tree that can be use. I found I hard to find that reverse tree that can be used, and miss a overview, with all the options for 'interface__device__site__name__icontains': '${Site}'

Most of these are accessors on model objects in the Django ORM. You can explore the Django data model interactively with nbshell.

(I think you should be wary of using icontains so much, otherwise you risk matching multiple things which just happen to share the same substring. Simple equality may be better.)

• Is it possible to import permissions?

Doesn't look like it (Netbox 3.6.4)

It might be possible via REST API, and/or via the Django ORM (e.g. custom script)

• Is it possible to use variables like ${Site}, to reuse the permissions-set?

No, and it's unclear what ${Site} would expand to for any given request.

In the documentation you'll see that only $user is supported, and that's unambiguously the user making the request.

As it will be fun to make 50*10-20 sets for different Sites and subsystems.

It will indeed.

[Torstein-Eide]

Most of these are accessors on model objects in the Django ORM. You can explore the Django data model interactively with nbshell.

Do you have example of how I can show the full list of filters for example, IPAddress.objects.filter()?
As I was only able to find information about QuerySet. not how to find for example IPAddress.objects.filter(interface__device__site__region__slug="north-america")

(I think you should be wary of using icontains so much, otherwise you risk matching multiple things which just happen to share the same substring. Simple equality may be better.)

All site like Ringhorne are all unique, and we need to use ${Site} - ${Tenant} for tenants/system within a site. We also have some objects that are shared between sites, so need to use ${SiteA} and ${SiteB} for some objects.

• Is it possible to use variables like ${Site}, to reuse the permissions-set?

No, and it's unclear what ${Site} would expand to for any given request.

I would use it is part of group "SiteA Global", and group "SiteA Global" has a variable named site=SiteA, when it would it loop over all groups.