Page MenuHomePhabricator
Create Task
Maniphest T308002

Move Netbox authentication to python-social-auth
Open, In Progress, MediumPublic
Actions

Description

Currently netbox uses django-ca-ng to preform cas authentications. this is added via a cherry-pick we apply to every upgrade· however since we implemented this netbox has added support for djangi-social-auth. As such it makes senses for use to try and migrate to that. Currently the plug-in does not support the CAS protocol but dose support OAuth, OpenID and a bunch of providers. I suggest that we either work on adding cas support to python-social-app or migrate netbox to use OpenID connect or OAuth2

Some history on netbox sso and cas T244849

Details

SubjectRepoBranchLines +/-
P:netbox Move to OIDC for authenticationoperations/puppetproduction+4 -0
Add python-joseoperations/software/netbox-deploywmf-next+6 -0
Add ApereoSocialPipelineoperations/software/netbox-deploywmf-next+1 -0
Add ApereoSocialPipeline for now CAS authoperations/software/netbox-deploymaster+1 -1
idp: use groups for the groups attribute when doing OIDCoperations/puppetproduction+5 -3
P:netbox reconfigure to used OIDCoperations/puppetproduction+50 -24
R:idp_test Add Netbox next as OIDC consumer.operations/puppetproduction+4 -0
Customize query in gerrit

Related Objects
Search...

Event Timeline

jbond created this task.May 10 2022, 11:11 AM
Restricted Application added a project: Infrastructure-Foundations. · View Herald TranscriptMay 10 2022, 11:11 AM
MoritzMuehlenhoff subscribed.May 10 2022, 11:26 AM
jbond added a parent task: T310717: Netbox: get rid of WMF Production Patches.Sep 7 2022, 8:32 AM
jbond updated the task description. (Show Details)
jbond triaged this task as Medium priority.Sep 7 2022, 8:39 AM
SLyngshede-WMF updated the task description. (Show Details)Mar 29 2023, 11:15 AM
SLyngshede-WMF subscribed.EditedMar 29 2023, 11:18 AM

I currently have a patch with the python-social-auth project to enable OIDC via CAS in the django-social-auth plugin. It still needs documentation and tests to be accepted, but can be used for Netbox as well. https://github.com/python-social-auth/social-core/pull/743

We may need to add a pipeline, if we wish to use groups, but that work is already done in the IDM and can simply be lifted from there.

SLyngshede-WMF changed the task status from Open to In Progress.EditedMay 31 2023, 8:36 AM

Installed the now release social-core on netbox-dev2002

$ source /srv/deployment/netbox/venv/bin/activate
$ pip install --proxy  http://webproxy.eqiad.wmnet:8080 social-auth-core==4.4.2 python-jose>=3.0.0
SLyngshede-WMF added a comment.May 31 2023, 8:49 AM

CAS is presented correctly, but needs correct credentials:

Skærmbillede 2023-05-31 kl. 10.48.24.png (918×796 px, 58 KB)

REMOTE_AUTH_BACKEND = 'social_core.backends.cas.CASOpenIdConnectAuth'
SOCIAL_AUTH_CAS_OIDC_ENDPOINT = 'https://idp-test.wikimedia.org/oidc'
SOCIAL_AUTH_CAS_KEY = 'netbox-next'
SOCIAL_AUTH_CAS_SECRET = 'BORKED'
SOCIAL_AUTH_CAS_USERINFO_URL = 'https://idp-test.wikimedia.org/oidc/profile'
SOCIAL_AUTH_CAS_SCOPE = ['openid', 'profile', 'email', 'groups']
SOCIAL_AUTH_CAS_ID_KEY = 'username'
gerritbot added a comment.May 31 2023, 9:19 AM

Change 924895 had a related patch set uploaded (by Slyngshede; author: Slyngshede):

[operations/puppet@production] R:idp_test Add Netbox next as OIDC consumer.

https://gerrit.wikimedia.org/r/924895

gerritbot added a project: Patch-For-Review.May 31 2023, 9:19 AM
gerritbot added a comment.May 31 2023, 11:00 AM

Change 924895 merged by Slyngshede:

[operations/puppet@production] R:idp_test Add Netbox next as OIDC consumer.

https://gerrit.wikimedia.org/r/924895

SLyngshede-WMF added a comment.May 31 2023, 12:00 PM

Configuration is going to become something like:

REMOTE_AUTH_BACKEND = 'social_core.backends.cas.CASOpenIdConnectAuth'
REMOTE_AUTH_GROUP_SYNC_ENABLED = True
REMOTE_AUTH_SUPERUSER_GROUPS = 'cn=ops,ou=groups,dc=wikimedia,dc=org'
REMOTE_AUTH_STAFF_GROUPS = 'cn=ops,ou=groups,dc=wikimedia,dc=org'
SOCIAL_AUTH_ALLOW_GROUPS = ('cn=ops,ou=groups,dc=wikimedia,dc=org', 'cn=wmf,ou=groups,dc=wikimedia,dc=org', 'cn=nda,ou=groups,dc=wikimedia,dc=org')
SOCIAL_AUTH_CAS_OIDC_ENDPOINT = 'https://idp-test.wikimedia.org/oidc'
SOCIAL_AUTH_CAS_KEY = 'netbox_next'
SOCIAL_AUTH_CAS_SECRET = 'BORKED'
SOCIAL_AUTH_CAS_USERINFO_URL = 'https://idp-test.wikimedia.org/oidc/profile'
SOCIAL_AUTH_CAS_SCOPE = ['openid', 'profile', 'email', 'groups']
SOCIAL_AUTH_CAS_ID_KEY = 'username'

SOCIAL_AUTH_PIPELINE = (
    'social_core.pipeline.social_auth.social_details',
    'social_core.pipeline.social_auth.social_uid',
    'social_core.pipeline.social_auth.social_user',
    'social_core.pipeline.user.get_username',
    'social_core.pipeline.social_auth.associate_by_email',
    'social_core.pipeline.user.create_user',
    'social_core.pipeline.social_auth.associate_user',
    'netbox.authentication.user_default_groups_handler',
    'social_core.pipeline.social_auth.load_extra_data',
    'social_core.pipeline.user.user_details',
    'extras.social_pipeline.add_user_to_groups',
)
SLyngshede-WMF claimed this task.Jun 1 2023, 11:28 AM
gerritbot added a comment.Jun 1 2023, 11:32 AM

Change 922506 had a related patch set uploaded (by Slyngshede; author: Slyngshede):

[operations/puppet@production] WIP P:netbox reconfigure to used OIDC

https://gerrit.wikimedia.org/r/922506

gerritbot added a comment.Jun 22 2023, 11:46 AM

Change 922506 merged by Slyngshede:

[operations/puppet@production] P:netbox reconfigure to used OIDC

https://gerrit.wikimedia.org/r/922506

gerritbot added a comment.Jun 22 2023, 1:53 PM

Change 932247 had a related patch set uploaded (by Jbond; author: jbond):

[operations/puppet@production] idp: use groups for the groups attribute when doing OIDC

https://gerrit.wikimedia.org/r/932247

gerritbot added a comment.Jun 22 2023, 2:02 PM

Change 932247 merged by Jbond:

[operations/puppet@production] idp: use groups for the groups attribute when doing OIDC

https://gerrit.wikimedia.org/r/932247

BTullis mentioned this in T305874: Switch DataHub authentication to OIDC.Jul 19 2023, 9:31 AM
jbond mentioned this in T351950: taavi's netbox-next account is stuck.Nov 27 2023, 12:34 PM
gerritbot added a comment.Dec 6 2023, 10:04 AM

Change 980824 had a related patch set uploaded (by Ayounsi; author: Ayounsi):

[operations/software/netbox-deploy@master] Add ApereoSocialPipeline for now CAS auth

https://gerrit.wikimedia.org/r/980824

gerritbot added a comment.Feb 23 2024, 10:29 AM

Change 980824 merged by Ayounsi:

[operations/software/netbox-deploy@master] Add ApereoSocialPipeline for now CAS auth

https://gerrit.wikimedia.org/r/980824

Pppery removed a project: Patch-For-Review.May 21 2024, 6:05 PM
gerritbot added a comment.May 22 2024, 3:15 PM

Change #1034962 had a related patch set uploaded (by Ayounsi; author: Ayounsi):

[operations/software/netbox-deploy@wmf-next] Replace django-auth-ldap with ApereoSocialPipeline

https://gerrit.wikimedia.org/r/1034962

gerritbot added a project: Patch-For-Review.May 22 2024, 3:15 PM
gerritbot added a comment.May 27 2024, 9:38 AM

Change #1034962 merged by Ayounsi:

[operations/software/netbox-deploy@wmf-next] Add ApereoSocialPipeline

https://gerrit.wikimedia.org/r/1034962

Stashbot added a comment.May 27 2024, 9:41 AM

Mentioned in SAL (#wikimedia-operations) [2024-05-27T09:41:43Z] <ayounsi@cumin1002> START - Cookbook sre.deploy.python-code netbox to netbox-dev2002.codfw.wmnet with reason: add python-social-auth and update wheels - ayounsi@cumin1002 - T308002

ops-monitoring-bot added a comment.May 27 2024, 9:45 AM

Deployed netbox to netbox-dev2002.codfw.wmnet with reason: add python-social-auth and update wheels - ayounsi@cumin1002 - T308002

Stashbot added a comment.May 27 2024, 9:45 AM

Mentioned in SAL (#wikimedia-operations) [2024-05-27T09:45:33Z] <ayounsi@cumin1002> END (PASS) - Cookbook sre.deploy.python-code (exit_code=0) netbox to netbox-dev2002.codfw.wmnet with reason: add python-social-auth and update wheels - ayounsi@cumin1002 - T308002

gerritbot added a comment.May 27 2024, 11:10 AM

Change #1036238 had a related patch set uploaded (by Ayounsi; author: Ayounsi):

[operations/software/netbox-deploy@wmf-next] Add python-jose

https://gerrit.wikimedia.org/r/1036238

gerritbot added a comment.May 27 2024, 11:43 AM

Change #1036238 merged by Ayounsi:

[operations/software/netbox-deploy@wmf-next] Add python-jose

https://gerrit.wikimedia.org/r/1036238

Stashbot added a comment.May 27 2024, 11:44 AM

Mentioned in SAL (#wikimedia-operations) [2024-05-27T11:44:24Z] <ayounsi@cumin1002> START - Cookbook sre.deploy.python-code netbox to netbox-dev2002.codfw.wmnet with reason: add python-jose and update wheels - ayounsi@cumin1002 - T308002

ops-monitoring-bot added a comment.May 27 2024, 11:45 AM

Deployed netbox to netbox-dev2002.codfw.wmnet with reason: add python-jose and update wheels - ayounsi@cumin1002 - T308002

Stashbot added a comment.May 27 2024, 11:45 AM

Mentioned in SAL (#wikimedia-operations) [2024-05-27T11:45:18Z] <ayounsi@cumin1002> END (PASS) - Cookbook sre.deploy.python-code (exit_code=0) netbox to netbox-dev2002.codfw.wmnet with reason: add python-jose and update wheels - ayounsi@cumin1002 - T308002

Stashbot added a comment.May 27 2024, 11:49 AM

Mentioned in SAL (#wikimedia-operations) [2024-05-27T11:49:12Z] <ayounsi@cumin1002> START - Cookbook sre.deploy.python-code netbox to netbox2002.codfw.wmnet,netbox1002.eqiad.wmnet with reason: add CasApereo auth and update wheels - ayounsi@cumin1002 - T308002

ops-monitoring-bot added a comment.May 27 2024, 11:51 AM

Deployed netbox to netbox2002.codfw.wmnet,netbox1002.eqiad.wmnet with reason: add CasApereo auth and update wheels - ayounsi@cumin1002 - T308002

Stashbot added a comment.May 27 2024, 11:51 AM

Mentioned in SAL (#wikimedia-operations) [2024-05-27T11:51:13Z] <ayounsi@cumin1002> END (PASS) - Cookbook sre.deploy.python-code (exit_code=0) netbox to netbox2002.codfw.wmnet,netbox1002.eqiad.wmnet with reason: add CasApereo auth and update wheels - ayounsi@cumin1002 - T308002

gerritbot added a comment.May 30 2024, 11:53 AM

Change #1037506 had a related patch set uploaded (by Slyngshede; author: Slyngshede):

[operations/puppet@production] P:netbox Move to OIDC for authentication

https://gerrit.wikimedia.org/r/1037506

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits