NAPALM Login credentials static?

Simon Lindermann

Feb 6, 2018, 9:45:40 AM
to NetBox

I've successfully connected to Juniper switches using NAPALM with NetBox. However, it only seems to work when I store a static user and password in the configuration.py NAPALM_USER and NAPALM_PASSWORD variables. Since NetBox allows storing login credentials per device, I was under the impression that I could use these for logging into devices, as I won't be able to use a single user/passwd combination for all of them.


Am I wrong with this?

Can I make use of the stored credentials somehow?

Jeremy Stretch

Feb 6, 2018, 9:56:32 AM
to Simon Lindermann, NetBox
Currently NetBox can only use the statically defined NAPALM_USERNAME and NAPALM_PASSWORD configuration parameters when connecting to devices using NAPALM.


> Since NetBox allows storing login credentials per device, I was under the impression that I could use these for logging into devices

This is harder than it sounds. Secrets are stored encrypted in the database; recovering one requires the user to provide a valid secret key in the API request. This means that any system which needs to leverage NetBox's NAPALM API must store that secret key locally and transmit it with each request.

Further, there's no concise way to implicitly identify which secret credentials to use, since secret roles are entirely arbitrary. It's also likely that users will generally prefer to define authentication credentials per site or device role rather than for each device independently, as most will use some form of centralized authentication.

I'm open to suggestions.

Jeremy


--
You received this message because you are subscribed to the Google Groups "NetBox" group.
To unsubscribe from this group and stop receiving emails from it, send an email to netbox-discuss+unsubscribe@googlegroups.com.
To post to this group, send email to netbox-discuss@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/netbox-discuss/3f591821-6231-4626-80fe-a0c1fc407484%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

bellwood

Feb 6, 2018, 10:02:58 AM
to NetBox
Perhaps have an option when storing a secret to use a reversible hash vs one-way encryption, that way that specific credential could still be stored "safely" (versus plain text in the config) and be used for NAPALM or other device interactions.

You'd obviously want these credentials to have as limited access as possible (on the user).

Jeremy Stretch

Feb 6, 2018, 11:12:55 AM
to bellwood, NetBox
I'm not sure I follow. The credentials need to be readable by NetBox; a hash would not suffice. A key is needed to implement any form of encryption, and if you store the key on the same system you might as well forgo encryption anyway.

I'd like to abstract the matter of authentication from the user entirely with regard to the NAPALM API. Ideally, so long as the user has properly authenticated to NetBox itself, they shouldn't have to worry about passing device credentials as well.
