Merge pull request #497 from ryanmerolle/startup-scripts-2.10+
user, group, & permissions fix
This commit is contained in:
commit
fd55ec220c
@ -1,35 +1,9 @@
|
|||||||
## To list all permissions, run:
|
|
||||||
##
|
|
||||||
## docker-compose run --rm --entrypoint /bin/bash netbox
|
|
||||||
## $ ./manage.py migrate
|
|
||||||
## $ ./manage.py shell
|
|
||||||
## > from django.contrib.auth.models import Permission
|
|
||||||
## > print('\n'.join([p.codename for p in Permission.objects.all()]))
|
|
||||||
##
|
|
||||||
## Permission lists support wildcards. See the examples below.
|
|
||||||
##
|
|
||||||
## Examples:
|
|
||||||
|
|
||||||
# applications:
|
# applications:
|
||||||
# users:
|
# users:
|
||||||
# - technical_user
|
# - technical_user
|
||||||
# readers:
|
# readers:
|
||||||
# users:
|
# users:
|
||||||
# - reader
|
# - reader
|
||||||
# writers:
|
# writers:
|
||||||
# users:
|
# users:
|
||||||
# - writer
|
# - writer
|
||||||
# permissions:
|
|
||||||
# - delete_device
|
|
||||||
# - delete_virtualmachine
|
|
||||||
# - add_*
|
|
||||||
# - change_*
|
|
||||||
# vm_managers:
|
|
||||||
# permissions:
|
|
||||||
# - '*_virtualmachine'
|
|
||||||
# device_managers:
|
|
||||||
# permissions:
|
|
||||||
# - '*device*'
|
|
||||||
# creators:
|
|
||||||
# permissions:
|
|
||||||
# - add_*
|
|
||||||
|
48
initializers/object_permissions.yml
Normal file
48
initializers/object_permissions.yml
Normal file
@ -0,0 +1,48 @@
|
|||||||
|
# all.ro:
|
||||||
|
# actions:
|
||||||
|
# - view
|
||||||
|
# description: 'Read Only for All Objects'
|
||||||
|
# enabled: true
|
||||||
|
# groups:
|
||||||
|
# - applications
|
||||||
|
# - readers
|
||||||
|
# object_types: all
|
||||||
|
# users:
|
||||||
|
# - jdoe
|
||||||
|
# all.rw:
|
||||||
|
# actions:
|
||||||
|
# - add
|
||||||
|
# - change
|
||||||
|
# - delete
|
||||||
|
# - view
|
||||||
|
# description: 'Read/Write for All Objects'
|
||||||
|
# enabled: true
|
||||||
|
# groups:
|
||||||
|
# - writers
|
||||||
|
# object_types: all
|
||||||
|
# network_team.rw:
|
||||||
|
# actions:
|
||||||
|
# - add
|
||||||
|
# - change
|
||||||
|
# - delete
|
||||||
|
# - view
|
||||||
|
# description: "Network Team Permissions"
|
||||||
|
# enabled: true
|
||||||
|
# object_types:
|
||||||
|
# circuits:
|
||||||
|
# - circuit
|
||||||
|
# - circuittermination
|
||||||
|
# - circuittype
|
||||||
|
# - provider
|
||||||
|
# dcim: all
|
||||||
|
# ipam:
|
||||||
|
# - aggregate
|
||||||
|
# - ipaddress
|
||||||
|
# - prefix
|
||||||
|
# - rir
|
||||||
|
# - role
|
||||||
|
# - routetarget
|
||||||
|
# - service
|
||||||
|
# - vlan
|
||||||
|
# - vlangroup
|
||||||
|
# - vrf
|
@ -1,23 +1,14 @@
|
|||||||
## To list all permissions, run:
|
|
||||||
##
|
|
||||||
## docker-compose run --rm --entrypoint /bin/bash netbox
|
|
||||||
## $ ./manage.py migrate
|
|
||||||
## $ ./manage.py shell
|
|
||||||
## > from django.contrib.auth.models import Permission
|
|
||||||
## > print('\n'.join([p.codename for p in Permission.objects.all()]))
|
|
||||||
##
|
|
||||||
## Permission lists support wildcards. See the examples below.
|
|
||||||
##
|
|
||||||
## Examples:
|
|
||||||
|
|
||||||
# technical_user:
|
# technical_user:
|
||||||
# api_token: 0123456789technicaluser789abcdef01234567 # must be looooong!
|
# api_token: 0123456789technicaluser789abcdef01234567 # must be looooong!
|
||||||
# reader:
|
# reader:
|
||||||
# password: reader
|
# password: reader
|
||||||
# writer:
|
# writer:
|
||||||
# password: writer
|
# password: writer
|
||||||
# permissions:
|
# jdoe:
|
||||||
# - delete_device
|
# first_name: John
|
||||||
# - delete_virtualmachine
|
# last_name: Doe
|
||||||
# - add_*
|
# api_token: 0123456789jdoe789abcdef01234567jdoe
|
||||||
# - change_*
|
# is_active: True
|
||||||
|
# is_superuser: False
|
||||||
|
# is_staff: False
|
||||||
|
# email: john.doe@example.com
|
||||||
|
@ -1,7 +1,7 @@
|
|||||||
import sys
|
import sys
|
||||||
|
|
||||||
from django.contrib.auth.models import User
|
from django.contrib.auth.models import User
|
||||||
from startup_script_utils import load_yaml, set_permissions
|
from startup_script_utils import load_yaml
|
||||||
from users.models import Token
|
from users.models import Token
|
||||||
|
|
||||||
users = load_yaml("/opt/netbox/initializers/users.yml")
|
users = load_yaml("/opt/netbox/initializers/users.yml")
|
||||||
@ -19,6 +19,3 @@ for username, user_details in users.items():
|
|||||||
|
|
||||||
if user_details.get("api_token", 0):
|
if user_details.get("api_token", 0):
|
||||||
Token.objects.create(user=user, key=user_details["api_token"])
|
Token.objects.create(user=user, key=user_details["api_token"])
|
||||||
|
|
||||||
yaml_permissions = user_details.get("permissions", [])
|
|
||||||
set_permissions(user.user_permissions, yaml_permissions)
|
|
||||||
|
@ -1,23 +1,23 @@
|
|||||||
import sys
|
import sys
|
||||||
|
|
||||||
from django.contrib.auth.models import Group, User
|
from startup_script_utils import load_yaml
|
||||||
from startup_script_utils import load_yaml, set_permissions
|
from users.models import AdminGroup, AdminUser
|
||||||
|
|
||||||
groups = load_yaml("/opt/netbox/initializers/groups.yml")
|
groups = load_yaml("/opt/netbox/initializers/groups.yml")
|
||||||
if groups is None:
|
if groups is None:
|
||||||
sys.exit()
|
sys.exit()
|
||||||
|
|
||||||
for groupname, group_details in groups.items():
|
for groupname, group_details in groups.items():
|
||||||
group, created = Group.objects.get_or_create(name=groupname)
|
group, created = AdminGroup.objects.get_or_create(name=groupname)
|
||||||
|
|
||||||
if created:
|
if created:
|
||||||
print("👥 Created group", groupname)
|
print("👥 Created group", groupname)
|
||||||
|
|
||||||
for username in group_details.get("users", []):
|
for username in group_details.get("users", []):
|
||||||
user = User.objects.get(username=username)
|
user = AdminUser.objects.get(username=username)
|
||||||
|
|
||||||
if user:
|
if user:
|
||||||
user.groups.add(group)
|
group.user_set.add(user)
|
||||||
|
print(" 👤 Assigned user %s to group %s" % (username, AdminGroup.name))
|
||||||
|
|
||||||
yaml_permissions = group_details.get("permissions", [])
|
group.save()
|
||||||
set_permissions(group.permissions, yaml_permissions)
|
|
||||||
|
60
startup_scripts/015_object_permissions.py
Normal file
60
startup_scripts/015_object_permissions.py
Normal file
@ -0,0 +1,60 @@
|
|||||||
|
import sys
|
||||||
|
|
||||||
|
from django.contrib.contenttypes.models import ContentType
|
||||||
|
from startup_script_utils import load_yaml
|
||||||
|
from users.models import AdminGroup, AdminUser, ObjectPermission
|
||||||
|
|
||||||
|
object_permissions = load_yaml("/opt/netbox/initializers/object_permissions.yml")
|
||||||
|
|
||||||
|
if object_permissions is None:
|
||||||
|
sys.exit()
|
||||||
|
|
||||||
|
|
||||||
|
for permission_name, permission_details in object_permissions.items():
|
||||||
|
|
||||||
|
object_permission, created = ObjectPermission.objects.get_or_create(
|
||||||
|
name=permission_name,
|
||||||
|
description=permission_details["description"],
|
||||||
|
enabled=permission_details["enabled"],
|
||||||
|
actions=permission_details["actions"],
|
||||||
|
)
|
||||||
|
|
||||||
|
if permission_details.get("object_types", 0):
|
||||||
|
object_types = permission_details["object_types"]
|
||||||
|
|
||||||
|
if object_types == "all":
|
||||||
|
object_permission.object_types.set(ContentType.objects.all())
|
||||||
|
|
||||||
|
else:
|
||||||
|
for app_label, models in object_types.items():
|
||||||
|
if models == "all":
|
||||||
|
app_models = ContentType.objects.filter(app_label=app_label)
|
||||||
|
|
||||||
|
for app_model in app_models:
|
||||||
|
object_permission.object_types.add(app_model.id)
|
||||||
|
else:
|
||||||
|
# There is
|
||||||
|
for model in models:
|
||||||
|
object_permission.object_types.add(
|
||||||
|
ContentType.objects.get(app_label=app_label, model=model)
|
||||||
|
)
|
||||||
|
|
||||||
|
print("🔓 Created object permission", object_permission.name)
|
||||||
|
|
||||||
|
if permission_details.get("groups", 0):
|
||||||
|
for groupname in permission_details["groups"]:
|
||||||
|
group = AdminGroup.objects.filter(name=groupname).first()
|
||||||
|
|
||||||
|
if group:
|
||||||
|
object_permission.groups.add(group)
|
||||||
|
print(" 👥 Assigned group %s object permission of %s" % (groupname, groupname))
|
||||||
|
|
||||||
|
if permission_details.get("users", 0):
|
||||||
|
for username in permission_details["users"]:
|
||||||
|
user = AdminUser.objects.filter(username=username).first()
|
||||||
|
|
||||||
|
if user:
|
||||||
|
object_permission.users.add(user)
|
||||||
|
print(" 👤 Assigned user %s object permission of %s" % (username, groupname))
|
||||||
|
|
||||||
|
object_permission.save()
|
@ -1,3 +1,2 @@
|
|||||||
from .custom_fields import pop_custom_fields, set_custom_fields_values
|
from .custom_fields import pop_custom_fields, set_custom_fields_values
|
||||||
from .load_yaml import load_yaml
|
from .load_yaml import load_yaml
|
||||||
from .permissions import set_permissions
|
|
||||||
|
@ -1,22 +0,0 @@
|
|||||||
from django.contrib.auth.models import Permission
|
|
||||||
|
|
||||||
|
|
||||||
def set_permissions(subject, permission_filters):
|
|
||||||
if subject is None or permission_filters is None:
|
|
||||||
return
|
|
||||||
subject.clear()
|
|
||||||
for permission_filter in permission_filters:
|
|
||||||
if "*" in permission_filter:
|
|
||||||
permission_filter_regex = "^" + permission_filter.replace("*", ".*") + "$"
|
|
||||||
permissions = Permission.objects.filter(codename__iregex=permission_filter_regex)
|
|
||||||
print(
|
|
||||||
" ⚿ Granting",
|
|
||||||
permissions.count(),
|
|
||||||
"permissions matching '" + permission_filter + "'",
|
|
||||||
)
|
|
||||||
else:
|
|
||||||
permissions = Permission.objects.filter(codename=permission_filter)
|
|
||||||
print(" ⚿ Granting permission", permission_filter)
|
|
||||||
|
|
||||||
for permission in permissions:
|
|
||||||
subject.add(permission)
|
|
Loading…
Reference in New Issue
Block a user