Tags in constraints for permissions

[Brad Bendy]

H,

Looked around and not seen any on this. We are trying to restrict access to certain devices in Netbox based on tags.

I have the tag created already, then I add to the constraint section for permissions I get:

<class 'TypeError'>
Field 'id' expected a number but got ['testtag']. Python version: 3.8.5 NetBox version: 2.10.6

I also tried 7 (the ID of the tag) in double quotes and no quotes, the actualk JSON I am trying is: {"tags":[7]} or {"tags":["testtag"]}

What am I missing exactly?

Any help would be great, thanks!

[Brian Candler]

https://netbox.readthedocs.io/en/stable/administration/permissions/#constraints

"Constraints are expressed as a JSON object or list representing a Django query filter. This is the same syntax that you would pass to the QuerySet filter() method when performing a query using the Django ORM."

This means you can test it using nbshell.

cd /opt/netbox

. venv/bin/activate

python3 netbox/manage.py nbshell

This gives you either the following way using the tag id:

>>> Tag.objects.get(name="prom_node").id

7

>>> Device.objects.filter(tags=7).count()

3

or using the tag name directly:

>>> Device.objects.filter(tags__name="prom_node").count()

3

Hence the constraint you want is:  {"tags__name":"testtag"}.  Note that even though tags has a many-to-one relationship with device, you're just looking for one tag, not a list.

If you want to check whether the device has tag A *or* tag B that's straightforward:

>>> Device.objects.filter(tags__name__in=["prom_node","prom_snmp"]).count()

6

If you want to check whether the device has tag A *and* tag B, the obvious way would require two filter() calls, and I can't think of a way to do it with a single constraint.

[Brad Bendy]

That makes way more sense now, thanks.

For a test I did all objects (except the ----) in the left hand side and added that constraint. I get this error now:

Invalid filter for <class 'circuits.models.CircuitTermination'>: Cannot resolve keyword 'tags' into field. Choices are: _cable_peer, _cable_peer_id, _cable_peer_type, _cable_peer_type_id, _cabled_as_a, _cabled_as_b, _path, _path_id, cable, cable_id, circuit, circuit_id, description, id, port_speed, pp_info, site, site_id, term_side, upstream_speed, xconnect_id

If I move those objects to the left, then it throws another set of errors, looks like basically every object it complains about.

Or I just totally lost on how to do this?

Thanks

[Brian Candler]

What it's saying is you can only enable that constraint on an object type which has a "tags" field.  That particular error says that circuit terminations don't have tags, so simply don't enable that constraint for circuit terminations.

When you removed that, you got some other error message - but since you didn't show it, I can't say specifically what it's telling you.

[Brad Bendy]

That makes sense, I got that to work now.

But I am seeing some errors like this: Invalid filter for <class 'ipam.models.RIR'>: Cannot resolve keyword 'tags' into field. Choices are: aggregates, created, description, id, is_private, last_updated, name, slug

But the RIR objects has tag support, I don't have any tags assigned at the moment, is that the reason?

[Brian Candler]

What do you see that makes you think RIRs support tags?  If I go to /ipam/rirs/1/ or /ipam/rirs/1/edit/, there is no field to show or set tags (I am looking at Netbox 3.0.8)

[Alex Shishko]

Hello. Here some information about your question. https://youtu.be/FFv23j4i_qg

--
You received this message because you are subscribed to the Google Groups "NetBox" group.
To unsubscribe from this group and stop receiving emails from it, send an email to netbox-discus...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/netbox-discuss/4851a2e2-31db-44e1-b9df-f09ca713e95cn%40googlegroups.com.

[Brad Bendy]

Thanks for the help, I had clicked on a aggregate after the RIR and wasn't aware of it, whoops. That video is great as well!