How to login as admin when REMOTE_AUTH is enabled

[Bo Riis]

Hi all,

I have succeded in enabling Remote Auth in Netbox, but now I can't login as my local admin user on https://netbox/admin/ . 

Is there a way to map remote auth users to be admins?

Conf:

# User Authentication and Authorization

LOGIN_REQUIRED=True

# Disable below to use local user database

REMOTE_AUTH_ENABLED=true

REMOTE_AUTH_BACKEND=netbox.authentication.RemoteUserBackend

REMOTE_AUTH_HEADER=HTTP_REMOTE_USER

REMOTE_AUTH_AUTO_CREATE_USER=True

REMOTE_AUTH_DEFAULT_GROUPS=['SSO_USERS']

[Brian Candler]

> Is there a way to map remote auth users to be admins?

Yes, it's done via the regular users table.  For example, if the Remote-User header gives "f...@example.com", then you'll need an entry with username "f...@example.com" and with "Superuser Status" set to True.

You can either do a manual database update via SQL, or you can switch back to local auth temporarily so you can login as "admin".  You should find that user "f...@example.com" was created automatically when you logged in via SSO.

[Bo Riis]

Thank you

A bit cumbersome that one have to redeploy the stack in order to change user permissions, but it works.

[Brian Candler]

On Monday, 1 February 2021 at 11:26:23 UTC bor...@gmail.com wrote:

A bit cumbersome that one have to redeploy the stack in order to change user permissions, but it works.

I don't know what you mean by that. To change permissions, you just go to the Netbox's Admin > Admin link, and then edit Users or Groups as appropriate. There's no need to redeploy anything.

The only thing you'd need to redeploy for is changing the settings in configuration.py, but there's nothing that you'd change there except REMOTE_AUTH_DEFAULT_GROUPS, and that one only affects new users who connect for the first time.  Typically you'd have a group called "default" or "read_only" or something like that, which all the lowest-level users get, and you'd stick with this choice forever.  You can of course change the permissions assigned to this group without redeploying.

[Bo Riis]

I have created a default group as you suggest, and an editor group I can assign to people needing those permissions.

But somehow the  REMOTE_AUTH_DEFAULT_GROUPS don't work. I can see the environment variable in the netbox container but users are not assigned to the group.

Is my syntax wrong?

REMOTE_AUTH_DEFAULT_GROUPS=['SSO_USERS']

REMOTE_AUTH_HEADER=HTTP_REMOTE_USER

REMOTE_AUTH_AUTO_CREATE_USER=True

REMOTE_AUTH_DEFAULT_PERMISSIONS={}

REMOTE_AUTH_ENABLED=true

REMOTE_AUTH_BACKEND=netbox.authentication.RemoteUserBackend

The documentation says that it should be a list item: https://netbox.readthedocs.io/en/stable/configuration/optional-settings/#remote_auth_default_groups

Thank you for taking the time to help.  

[Brian Candler]

You should be aware that running Netbox in a docker container is not a supported configuration.  Those REMOTE_AUTH settings are configuration.py settings, not environment variables.

However, I did have a poke around for you.  The relevant line of code is here:

https://github.com/netbox-community/netbox-docker/blob/release/configuration/configuration.py#L212

and it shows that you need to set the environment variable to a space-separated list of group names, not a JSON or Python list.

So this should work:

REMOTE_AUTH_DEFAULT_GROUPS=SSO_USERS

[Bo Riis]

It works now, thank you.

I found the same line as you mention but could not figure out the format, as I'm not much into Python.

I know that It's not recommended to run netbox in docker, but the company policy is to run everything in containers if possible.

Thank you for your help.