From 92a1d596066bbb9543079738b148580326bac0fb Mon Sep 17 00:00:00 2001
From: Arthur
Date: Fri, 4 Aug 2023 14:03:50 +0700
Subject: [PATCH] 11508 remove is_active, add documentation use azuread

---
 .../authentication/microsoft-azure-ad.md | 37 +++++++++++++++++++
 netbox/netbox/authentication.py | 9 +----
 2 files changed, 38 insertions(+), 8 deletions(-)

diff --git a/docs/administration/authentication/microsoft-azure-ad.md b/docs/administration/authentication/microsoft-azure-ad.md
index ee24e8232..a97c22b2d 100644
--- a/docs/administration/authentication/microsoft-azure-ad.md
+++ b/docs/administration/authentication/microsoft-azure-ad.md
@@ -61,6 +61,43 @@ Restart the NetBox services so that the new configuration takes effect. This is
 sudo systemctl restart netbox
 ```
 
+## Group Assignment
+
+If you want NetBox to assign groups based on Azure AD groups, then some additonal configuration is needed. Enter the following configuration parameters in `configuration.py`, substituting your own values:
+
+```python
+SOCIAL_AUTH_AZUREAD_OAUTH2_RESOURCE = 'https://graph.microsoft.com/'
+SOCIAL_AUTH_PIPELINE = (
+ 'social_core.pipeline.social_auth.social_details',
+ 'social_core.pipeline.social_auth.social_uid',
+ 'social_core.pipeline.social_auth.social_user',
+ 'social_core.pipeline.user.get_username',
+ 'social_core.pipeline.social_auth.associate_by_email',
+ 'social_core.pipeline.user.create_user',
+ 'social_core.pipeline.social_auth.associate_user',
+ 'netbox.authentication.user_default_groups_handler',
+ 'social_core.pipeline.social_auth.load_extra_data',
+ 'social_core.pipeline.user.user_details',
+ 'netbox.authentication.azuread_map_groups',
+)
+SOCIAL_AUTH_AZUREAD_MAP_GROUP_PERMS = True
+
+# Define special user types using groups. Exercise great caution when assigning superuser status.
+SOCIAL_AUTH_AZUREAD_USER_FLAGS_BY_GROUP = {
+ "is_staff": ['{AZURE_GROUP_ID}',],
+ "is_superuser": ['{AZURE_GROUP_ID}',]
+}
+
+SOCIAL_AUTH_AZUREAD_GROUP_MAP = {
+ '{AZURE_GROUP_ID}': '{NETBOX_GROUP}',
+}
+```
+**SOCIAL_AUTH_AZUREAD_USER_FLAGS_BY_GROUP.is_staff**: users who are in any of the Azure AD group-ids in the array will have staff permission assigned to them.
+
+**SOCIAL_AUTH_AZUREAD_USER_FLAGS_BY_GROUP.is_superuser**: users who are in any of the Azure AD group-ids in the array will have superuser permission assigned to them.
+
+**SOCIAL_AUTH_AZUREAD_GROUP_MAP**: Any user with the given Azure AD group-id is included in the given NetBox group name.
+
 ## Testing
 Log out of NetBox if already authenticated, and click the "Log In" button at top right. 
You should see the normal login form as well as an option to authenticate using Azure AD. Click that link.
diff --git a/netbox/netbox/authentication.py b/netbox/netbox/authentication.py
index 82ae86d45..acc3a1783 100644
--- a/netbox/netbox/authentication.py
+++ b/netbox/netbox/authentication.py
@@ -393,7 +393,7 @@ class AuthFailed(Exception):
 pass
 
 
-def azure_map_groups(response, user, backend, *args, **kwargs):
+def azuread_map_groups(response, user, backend, *args, **kwargs):
 '''
 Map Azure AD group ID to Netbox group
 Also set is_superuser or is_staff based on config map
@@ -413,8 +413,6 @@ def azure_map_groups(response, user, backend, *args, **kwargs):
 "Azure group mapping has been configured, but SOCIAL_AUTH_AZUREAD_GROUP_MAP is not defined."
 )
 
- all_users_active = getattr(settings, "SOCIAL_AUTH_AZUREAD_USER_DEFAULT_ACTIVE", False)
-
 url = 'https://graph.microsoft.com/v1.0/me'
 access_token = response.get('access_token')
@@ -443,10 +441,6 @@ def azure_map_groups(response, user, backend, *args, **kwargs):
 # AD response contains both directories and groups - we only want groups
 if value.get('@odata.type') == '#microsoft.graph.group':
 group_id = value.get('id', None)
- if all_users_active:
- is_active = True
- else:
- is_active = group_id in flags_by_group['is_active']
 if group_id in flags_by_group['is_superuser']:
 is_superuser = True
@@ -463,5 +457,4 @@ def azure_map_groups(response, user, backend, *args, **kwargs):
 user.is_superuser = is_superuser
 user.is_staff = is_staff
- user.is_active = is_active
 user.save()
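Review bot: Dropping the `SOCIAL_AUTH_AZUREAD_USER_DEFAULT_ACTIVE` read here (together with the `is_active` flag handling further down the function) leaves both settings silently ignored when an upgraded deployment still carries them in `configuration.py`, so the NetBox-side gate on who may sign in disappears without any signal to the operator. Since the only gate left is Azure AD app assignment, that deserves a hard failure: after `flags_by_group` is populated (outside this hunk), add `if 'is_active' in flags_by_group or hasattr(settings, 'SOCIAL_AUTH_AZUREAD_USER_DEFAULT_ACTIVE'):` and raise the same configuration exception the `SOCIAL_AUTH_AZUREAD_GROUP_MAP` check above raises, with a message pointing the operator to "User assignment required" on the Azure AD enterprise application. The documentation added in this commit should say the same thing, as it lists only `is_staff` and `is_superuser` and never mentions that `is_active` is no longer managed. `azuread_map_groups` begins and ends outside this hunk.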
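Review bot: `flags_by_group['is_superuser']` on the new side still indexes the flag map directly, so a `SOCIAL_AUTH_AZUREAD_USER_FLAGS_BY_GROUP` that omits that key turns every SSO login into a KeyError — the same failure the removed `flags_by_group['is_active']` lookup produced, only for a key that is still live. An operator who wants staff mapping alone will reasonably drop the key, so `if group_id in flags_by_group.get('is_superuser', ()):` is the safer form, and presumably the `is_staff` lookup below the hunk wants the same treatment. The enclosing loop and function extend beyond the hunk.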
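Review bot: With `user.is_active = is_active` removed, nothing in this function writes `is_active` any more, so accounts the pre-upgrade code had set inactive stay locked out after the upgrade until an administrator re-enables them, while new SSO users presumably arrive active through the `create_user` pipeline step. That is a defensible outcome — in particular an account an admin deactivated in NetBox is no longer flipped back to active on the next login, which the removed line could do — but it needs to be written down; extend the docstring with `is_active is deliberately not touched here; control sign-in with Azure AD app assignment.` and mirror that sentence in the new docs section. Note that `is_superuser` and `is_staff` are still assigned unconditionally from the values computed in the loop above and saved on every login, so (assuming they start out False) removing a user from the mapped Azure AD group still revokes those flags, which is also worth a line in the docs. The function starts outside the hunk.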