REMOTE_AUTH_DEFAULT_GROUPS possibly not working

[Bo Riis]

Hi

I have enabled REMOTE_AUTH successfully but I'm struggeling with REMOTE_AUTH_DEFAULT_GROUPS and REMOTE_AUTH_DEFAULT_PERMISSIONS
I have REMOTE_AUTH_DEFAULT_GROUPS=['SSO_USERS'] and i create the group with the initializers for groups but my users don't get put in the group. 

REMOTE_AUTH_DEFAULT_PERMISSIONS I just cant find a guide to possible valid values for.

 

Interestingly there is no initializer for permissions or the possibility of assigning a user to staff or superuser.

Regards

[Brian Candler]

> I have REMOTE_AUTH_DEFAULT_GROUPS=['SSO_USERS'] and i create the group with the initializers for groups but my users don't get put in the group. 

As far as I understand, it just means that when a user is seen *for the first time*, and their user entry is created in the Netbox users table, then they will be added into group SSO_USERS (if a Netbox group called "SSO_USERS" exists)

To test this, you can delete an existing user from the users table, and then when they next login and their account is recreated, they should be added to that group.

> REMOTE_AUTH_DEFAULT_PERMISSIONS I just cant find a guide to possible valid values for.

Example:

REMOTE_AUTH_DEFAULT_PERMISSIONS={'dcim.add_site': None, 'dcim.change_site': None}

This gives access to add_site and change_site.  If you want to add further constraints, change None to a constraint, as documented here:

https://netbox.readthedocs.io/en/stable/administration/permissions/

> Interestingly there is no initializer for permissions or the possibility of assigning a user to staff or superuser.

If that was a default, then all new SSO users would become superusers.  That rather defeats the point of authentication.

[Brian Candler]

I've confirmed this.

The code which creates the groups when a user is seen for the first time is here:

https://github.com/netbox-community/netbox/blob/develop/netbox/netbox/authentication.py#L101-L106

In your case, if you haven't created a group called "SSO_USERS" in the Netbox database, then it will log a message but otherwise skip as if the group doesn't exist.

And the test code is here:

https://github.com/netbox-community/netbox/blob/develop/netbox/netbox/tests/test_authentication.py#L113-L142

With REMOTE_AUTH_DEFAULT_GROUPS = ['Group 1', 'Group 2'], then when the user is created, it confirms they get added to Group 1 and Group 2.  (But note that this only happens when they are first created; otherwise it would not be possible to change the group memberships for a user)