No permissions to new features on updated NetBox using all_permissions

[bluikko]

This is an old NetBox instance that has been updated from about 2.4.x. New features "Provider Networks", "Site Groups", "Route Targets" are greyed out in the top menu and clicking them gives "Access Denied" page.

The instance uses RemoteUserBackend and since there is no separate authentication and authorization the permissions are set simply as

REMOTE_AUTH_DEFAULT_GROUPS = ['all_permissions']

Apparently this does not work anymore for the new features, is that intentional and it needs to be migrated to the new permission model?

[candlerb]

I am presuming that you have created a group in Netbox called "all_permissions", and have added view/add/change/delete permissions to that group for each object type. If so, you'll need to go and add permissions for the new object types to that group. Look at Admin > Admin > Groups and Admin > Admin > Permissions.

If you want to make all models viewable, then another way is to set

EXEMPT_VIEW_PERMISSIONS = [
    '*',
]

But you'll still need to add permissions for add/change/delete, otherwise only superusers will be able to.

[bluikko]

It was created long time ago before the new permissions model.

I see now the group has a long, long list of objects, object types and actions. The "object" is a drop-down box where there's no "*.*" or similar "default"/wildcard permission that I believe existed before the new permissions model.
So there's no way to set permissions to everything including new features with this new model?

[candlerb]

Yes, you need to add explicit permissions for each model.

A fresh Netbox install has no groups, and there is no migration which creates a group called "all_permissions". So I believe that whoever installed Netbox created this group for you.

Explicit permissions for object create/add/delete have been around forever. Check out the first public commit 27b289e from 2016: the code is full of things like

    if request.user.has_perm('ipam.change_ipaddress') or request.user.has_perm('ipam.delete_ipaddress'):

"View" permissions were tightened up in v2.5/2.6 (before that, all logged in users could view everything); and constraints on permissions were introduced in v2.9 (#554). But that simply limits the scope of a permission.

[bluikko]

Yeah it seems the all_permissions is something created during installation. I am quite sure when using the old permissions there was support for *.* but I may be wrong. I didn't remember putting the group either, initially ;)

The reason for such long list (300+) entries in the permissions is that I think the original permissions were somehow migrated to the new system and each object/permission/... is a single entry. Just a guess though.

[candlerb]

BTW, having just updated another Netbox instance, I do agree that the permissions you get by default from an upgraded Netbox instance can be a complete mess.

I had just two groups - "View all" (read-only access to everything) and "Manage devices / IPs" (permissions to add/create/delete devices and VMs and related objects like interfaces, roles etc), plus some permissions assigned directly to a handful of users. This had resulted in nearly 300 permission objects!

I think at some previous point the permissions model changed, and the permissions that I had assigned to users and groups got exploded into a ton of shapnel: separate "permission" objects for view_xxx, create_xxx, change_xxx, delete_xxx, multiplied by a large number of models.

I took the opportunity to clean this up, and now I have the same two groups with just 4 permissions:

• Group "View all" has a single permission "view_all", which has "view" permissions on all models
• Group "Manage devices / IPs" has one permission "view/add/create/delete" on a number of models; another permission "view" for some other models; and permissions "napalm_read" on dcim-device.

[bluikko]

There were 3 entries at the end of the permissions with "----" as the name and nothing else - after adding a few entries, now it's all mangled up... To be clear I've not once touched the permission system since installation.

[candlerb]

I don't know what you mean by "mangled up". Which of those permissions were the ones that you newly added? What exactly did you click when doing this?

I suggest you show the output of select * from users_objectpermission;

Getting into Postgres SQL shell is sudo -u postgres psql netbox under Ubuntu, maybe different on your system.

[bluikko]

All columns after the first are three rows up from the expected row.

[bluikko]

I clicked "save" and then the query timed out (maybe because of the large number of entries?). After reload it showed up like that.

I just closed the tab and retried.