diff --git a/initializers/groups.yml b/initializers/groups.yml
index b91ef39..15213a6 100644
--- a/initializers/groups.yml
+++ b/initializers/groups.yml
@@ -1,35 +1,9 @@
-## To list all permissions, run:
-##
-## docker-compose run --rm --entrypoint /bin/bash netbox
-## $ ./manage.py migrate
-## $ ./manage.py shell
-## > from django.contrib.auth.models import Permission
-## > print('\n'.join([p.codename for p in Permission.objects.all()]))
-##
-## Permission lists support wildcards. See the examples below.
-##
-## Examples:
-
 # applications:
 # users:
-# - technical_user
+# - technical_user
 # readers:
 # users:
-# - reader
+# - reader
 # writers:
 # users:
-# - writer
-# permissions:
-# - delete_device
-# - delete_virtualmachine
-# - add_*
-# - change_*
-# vm_managers:
-# permissions:
-# - '*_virtualmachine'
-# device_managers:
-# permissions:
-# - '*device*'
-# creators:
-# permissions:
-# - add_*
+# - writer
diff --git a/initializers/object_permissions.yml b/initializers/object_permissions.yml
new file mode 100644
index 0000000..332011f
--- /dev/null
+++ b/initializers/object_permissions.yml
@@ -0,0 +1,48 @@
+# all.ro:
+# actions:
+# - view
+# description: 'Read Only for All Objects'
+# enabled: true
+# groups:
+# - applications
+# - readers
+# object_types: all
+# users:
+# - jdoe
+# all.rw:
+# actions:
+# - add
+# - change
+# - delete
+# - view
+# description: 'Read/Write for All Objects'
+# enabled: true
+# groups:
+# - writers
+# object_types: all
+# network_team.rw:
+# actions:
+# - add
+# - change
+# - delete
+# - view
+# description: "Network Team Permissions"
+# enabled: true
+# object_types:
+# circuits:
+# - circuit
+# - circuittermination
+# - circuittype
+# - provider
+# dcim: all
+# ipam:
+# - aggregate
+# - ipaddress
+# - prefix
+# - rir
+# - role
+# - routetarget
+# - service
+# - vlan
+# - vlangroup
+# - vrf
diff --git a/initializers/users.yml b/initializers/users.yml
index 2aea62e..c163d50 100644
--- a/initializers/users.yml
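Review bot: The `all.rw` example grants `add`/`change`/`delete`/`view` with `object_types: all`, which the new startup script (015_object_permissions.py, outside this hunk) maps to `ContentType.objects.all()`, i.e. every registered model — presumably including the user, token and object-permission models themselves — so any member of `writers` could mint tokens and widen permissions; that is superuser-equivalent and the example should say so rather than present it as a routine "read/write" role. I would add a comment above it such as `# NOTE: object_types: all (and dcim: all) expands to every model in scope, users/tokens/permissions included — scope to the apps and models you actually need`. The `all.ro` example, which also assigns `jdoe` directly, is fine as a read-only role but inherits the same "all models" breadth for `view`.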
+++ b/initializers/users.yml
@@ -1,23 +1,14 @@
-## To list all permissions, run:
-##
-## docker-compose run --rm --entrypoint /bin/bash netbox
-## $ ./manage.py migrate
-## $ ./manage.py shell
-## > from django.contrib.auth.models import Permission
-## > print('\n'.join([p.codename for p in Permission.objects.all()]))
-##
-## Permission lists support wildcards. See the examples below.
-##
-## Examples:
-
 # technical_user:
 # api_token: 0123456789technicaluser789abcdef01234567 # must be looooong!
 # reader:
 # password: reader
 # writer:
 # password: writer
-# permissions:
-# - delete_device
-# - delete_virtualmachine
-# - add_*
-# - change_*
+# jdoe:
+# first_name: John
+# last_name: Doe
+# api_token: 0123456789jdoe789abcdef01234567jdoe
+# is_active: True
+# is_superuser: False
+# is_staff: False
+# email: john.doe@example.com
diff --git a/startup_scripts/000_users.py b/startup_scripts/000_users.py
index 66b8519..1435d81 100644
--- a/startup_scripts/000_users.py
+++ b/startup_scripts/000_users.py
@@ -1,7 +1,7 @@
 import sys
 from django.contrib.auth.models import User
-from startup_script_utils import load_yaml, set_permissions
+from startup_script_utils import load_yaml
 from users.models import Token
 users = load_yaml("/opt/netbox/initializers/users.yml")
@@ -19,6 +19,3 @@ for username, user_details in users.items():
 if user_details.get("api_token", 0):
 Token.objects.create(user=user, key=user_details["api_token"])
-
- yaml_permissions = user_details.get("permissions", [])
- set_permissions(user.user_permissions, yaml_permissions)
diff --git a/startup_scripts/010_groups.py b/startup_scripts/010_groups.py
index 6726868..39aca53 100644
--- a/startup_scripts/010_groups.py
+++ b/startup_scripts/010_groups.py
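Review bot: The new `jdoe` example token `0123456789jdoe789abcdef01234567jdoe` is 35 characters, whereas the existing `technical_user` example is 40 and carries the `# must be looooong!` reminder; 000_users.py writes the key straight through `Token.objects.create(...)`, which as far as I can tell runs no field validators, so a short or copied key from this example is accepted silently. I would bring the example to 40 characters and repeat the reminder, e.g. `#   api_token: 0123456789jdoe0123456789abcdef0123456789  # must be looooong! generate with secrets.token_hex(20), never reuse an example`. A one-line comment that these initializer files are baked into the image/repo, so real passwords and tokens must not live here, would also be worth adding at the top.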
@@ -1,23 +1,23 @@
 import sys
-from django.contrib.auth.models import Group, User
-from startup_script_utils import load_yaml, set_permissions
+from startup_script_utils import load_yaml
+from users.models import AdminGroup, AdminUser
 groups = load_yaml("/opt/netbox/initializers/groups.yml")
 if groups is None:
 sys.exit()
 for groupname, group_details in groups.items():
- group, created = Group.objects.get_or_create(name=groupname)
+ group, created = AdminGroup.objects.get_or_create(name=groupname)
 if created:
 print("👥 Created group", groupname)
 for username in group_details.get("users", []):
- user = User.objects.get(username=username)
+ user = AdminUser.objects.get(username=username)
 if user:
- user.groups.add(group)
+ group.user_set.add(user)
+ print(" 👤 Assigned user %s to group %s" % (username, AdminGroup.name))
- yaml_permissions = group_details.get("permissions", [])
- set_permissions(group.permissions, yaml_permissions)
+ group.save()
diff --git a/startup_scripts/015_object_permissions.py b/startup_scripts/015_object_permissions.py
new file mode 100644
index 0000000..f19b6ae
--- /dev/null
+++ b/startup_scripts/015_object_permissions.py
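Review bot: The new print after `group.user_set.add(user)` formats `AdminGroup.name`, which on a Django model class is the field descriptor rather than this group's name, so the log line never shows the group; it should be `print(" 👤 Assigned user %s to group %s" % (username, groupname))`. Separately, `AdminUser.objects.get(username=username)` raises `DoesNotExist` for an unknown user instead of returning a falsy value, so the `if user:` guard can never fire — the sibling 015_object_permissions.py uses `AdminUser.objects.filter(username=username).first()`, which is the lookup this guard expects, and a typo in groups.yml currently aborts the whole startup script. The trailing `group.save()` after the M2M add is redundant but harmless.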
@@ -0,0 +1,60 @@
+import sys
+
+from django.contrib.contenttypes.models import ContentType
+from startup_script_utils import load_yaml
+from users.models import AdminGroup, AdminUser, ObjectPermission
+
+object_permissions = load_yaml("/opt/netbox/initializers/object_permissions.yml")
+
+if object_permissions is None:
+ sys.exit()
+
+
+for permission_name, permission_details in object_permissions.items():
+
+ object_permission, created = ObjectPermission.objects.get_or_create(
+ name=permission_name,
+ description=permission_details["description"],
+ enabled=permission_details["enabled"],
+ actions=permission_details["actions"],
+ )
+
+ if permission_details.get("object_types", 0):
+ object_types = permission_details["object_types"]
+
+ if object_types == "all":
+ object_permission.object_types.set(ContentType.objects.all())
+
+ else:
+ for app_label, models in object_types.items():
+ if models == "all":
+ app_models = ContentType.objects.filter(app_label=app_label)
+
+ for app_model in app_models:
+ object_permission.object_types.add(app_model.id)
+ else:
+ # There is
+ for model in models:
+ object_permission.object_types.add(
+ ContentType.objects.get(app_label=app_label, model=model)
+ )
+
+ print("🔓 Created object permission", object_permission.name)
+
+ if permission_details.get("groups", 0):
+ for groupname in permission_details["groups"]:
+ group = AdminGroup.objects.filter(name=groupname).first()
+
+ if group:
+ object_permission.groups.add(group)
+ print(" 👥 Assigned group %s object permission of %s" % (groupname, groupname))
+
+ if permission_details.get("users", 0):
+ for username in permission_details["users"]:
+ user = AdminUser.objects.filter(username=username).first()
+
+ if user:
+ object_permission.users.add(user)
+ print(" 👤 Assigned user %s object permission of %s" % (username, groupname))
+
+ object_permission.save()
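Review bot: `ObjectPermission.objects.get_or_create` is called with `description`, `enabled` and `actions` as lookup fields, so editing any of them in the YAML (for instance dropping `delete` from `all.rw`) creates a second permission with the same name and leaves the old, broader one enabled instead of narrowing it; look up by `name` only and pass the rest as `defaults` (or use `update_or_create`). The explicit `object_types` branch uses `.add()` while the `all` branch uses `.set()`, so a model removed from the YAML is never revoked on re-run — collecting the content types and calling `.set()` once makes both paths idempotent, and `ContentType.objects.all()` deserves a comment that it covers every registered model, users/tokens/permissions included. The two assignment prints are also wrong: the group one formats `(groupname, groupname)` and the user one references `groupname`, which is unbound (NameError) when the first permission has `users` but no `groups`; both should use `permission_name`. The dangling `# There is` comment should be finished or dropped, and `🔓 Created` is printed for existing permissions too.
```python
for permission_name, permission_details in object_permissions.items():

    # Look up by name only; the remaining fields are values to (re)apply, so
    # editing the YAML updates the existing permission instead of creating a second one.
    object_permission, created = ObjectPermission.objects.update_or_create(
        name=permission_name,
        defaults={
            "description": permission_details["description"],
            "enabled": permission_details["enabled"],
            "actions": permission_details["actions"],
        },
    )

    object_types = permission_details.get("object_types")
    if object_types:
        if object_types == "all":
            # Every registered model, including the user/token/permission models themselves.
            content_types = list(ContentType.objects.all())
        else:
            content_types = []
            for app_label, models in object_types.items():
                if models == "all":
                    content_types.extend(ContentType.objects.filter(app_label=app_label))
                else:
                    # A misspelled model name raises DoesNotExist on purpose: fail loudly.
                    content_types.extend(
                        ContentType.objects.get(app_label=app_label, model=model) for model in models
                    )
        # set() replaces the previous assignment, so models removed from the YAML are revoked.
        object_permission.object_types.set(content_types)

    print("🔓 %s object permission %s" % ("Created" if created else "Updated", object_permission.name))

    # … unchanged: group lookup via AdminGroup.objects.filter(name=groupname).first() …
            print(" 👥 Assigned group %s object permission of %s" % (groupname, permission_name))
    # … unchanged: user lookup via AdminUser.objects.filter(username=username).first() …
            print(" 👤 Assigned user %s object permission of %s" % (username, permission_name))
```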
diff --git a/startup_scripts/startup_script_utils/__init__.py b/startup_scripts/startup_script_utils/__init__.py
index 2f92370..290b87b 100644
--- a/startup_scripts/startup_script_utils/__init__.py
+++ b/startup_scripts/startup_script_utils/__init__.py
@@ -1,3 +1,2 @@
 from .custom_fields import pop_custom_fields, set_custom_fields_values
 from .load_yaml import load_yaml
-from .permissions import set_permissions
diff --git a/startup_scripts/startup_script_utils/permissions.py b/startup_scripts/startup_script_utils/permissions.py
deleted file mode 100644
index 021b0b5..0000000
--- a/startup_scripts/startup_script_utils/permissions.py
+++ /dev/null
@@ -1,22 +0,0 @@
-from django.contrib.auth.models import Permission
-
-
-def set_permissions(subject, permission_filters):
- if subject is None or permission_filters is None:
- return
- subject.clear()
- for permission_filter in permission_filters:
- if "*" in permission_filter:
- permission_filter_regex = "^" + permission_filter.replace("*", ".*") + "$"
- permissions = Permission.objects.filter(codename__iregex=permission_filter_regex)
- print(
- " ⚿ Granting",
- permissions.count(),
- "permissions matching '" + permission_filter + "'",
- )
- else:
- permissions = Permission.objects.filter(codename=permission_filter)
- print(" ⚿ Granting permission", permission_filter)
-
- for permission in permissions:
- subject.add(permission)