-
Hello guys, could you please advise if it is possible to map different Azure users/groups to different privileges?
-
I assume the feature isn't possible?
-
So this is actually possible with a custom pipeline; it requires netbox >= v3.2.7 (due to #9715).

Once you have assigned roles to your Azure netbox app, you can do the following in netbox (alternatively, instead of roles, other attributes included in the JWT can be used, like groups).

You update the pipeline like this:

```yaml
SOCIAL_AUTH_PIPELINE:
  - 'social_core.pipeline.social_auth.social_details'
  - 'social_core.pipeline.social_auth.social_uid'
  - 'social_core.pipeline.social_auth.social_user'
  - 'social_core.pipeline.user.get_username'
  - 'social_core.pipeline.social_auth.associate_by_email'
  - 'social_core.pipeline.user.create_user'
  - 'social_core.pipeline.social_auth.associate_user'
  - 'netbox.authentication.user_default_groups_handler'
  - 'social_core.pipeline.social_auth.load_extra_data'
  - 'social_core.pipeline.user.user_details'
  - 'netbox.custom-pipeline.set_role'
```

(only

```python
from django.contrib.auth.models import Group


class AuthFailed(Exception):
    pass


def set_role(response, user, backend, *args, **kwargs):
    '''
    Get roles from JWT
    Assign user to netbox group matching role
    Also set is_superuser or is_staff for special roles 'superusers' and 'staff'
    '''
    try:
        roles = response['roles']
    except KeyError:
        # No roles claim in the token: drop all groups and refuse the login
        user.groups.clear()
        raise AuthFailed("No role assigned")

    try:
        # Reset both flags on every login so a role removed in Azure is revoked
        user.is_superuser = False
        user.is_staff = False

        for role in roles:
            if role == 'superusers':
                user.is_superuser = True
                continue
            if role == "staff":
                user.is_staff = True
                continue

            # Any other role becomes a NetBox group of the same name
            group, created = Group.objects.get_or_create(name=role)
            group.user_set.add(user)

        # Save once after the loop so the flag reset is persisted even when
        # neither special role is present
        user.save()
    except Group.DoesNotExist:
        pass
```
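As an added example (not code from the reply above or from the NetBox project), the sketch below goes one step beyond the posted pipeline step: it reconciles group membership on every login, so a role removed in Azure is also removed in NetBox, and it ignores role names outside a fixed set instead of creating groups from token contents. The group names in `MANAGED_GROUPS`, the `SyncPlan` type and both function names are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Assumption: only these pre-created NetBox groups are driven by the token.
MANAGED_GROUPS = frozenset({"network-admins", "readonly"})
# Special roles named in the reply above; they set user flags, not groups.
FLAG_ROLES = frozenset({"superusers", "staff"})
# Constructed sample of the decoded token fields passed to a pipeline step.
SAMPLE_RESPONSE = {"roles": ["staff", "network-admins", "unknown-role"]}


@dataclass
class SyncPlan:
    is_superuser: bool = False
    is_staff: bool = False
    add: set = field(default_factory=set)      # managed groups to join
    remove: set = field(default_factory=set)   # managed groups to leave
    ignored: set = field(default_factory=set)  # claim values mapped to nothing


def plan_role_sync(response, current_groups, managed=MANAGED_GROUPS):
    """Compute the target state from the 'roles' claim without touching the DB."""
    roles = response.get("roles")
    if isinstance(roles, str):            # tolerate a single role sent as a string
        roles = [roles]
    if not isinstance(roles, (list, tuple)):
        roles = []                        # missing or malformed claim: no privileges
    roles = {r for r in roles if isinstance(r, str)}
    current = set(current_groups)
    wanted = roles & managed
    return SyncPlan(
        is_superuser="superusers" in roles,
        is_staff="staff" in roles,
        add=wanted - current,
        remove=(current & managed) - wanted,  # locally assigned groups are untouched
        ignored=roles - managed - FLAG_ROLES,
    )


def apply_plan(user, plan):
    """Persist a plan through Django's ORM; call this from the pipeline step."""
    from django.contrib.auth.models import Group  # lazy: needs configured Django
    user.is_superuser, user.is_staff = plan.is_superuser, plan.is_staff
    user.save()
    user.groups.remove(*Group.objects.filter(name__in=plan.remove))
    user.groups.add(*Group.objects.filter(name__in=plan.add))
```

Logging `plan.ignored` at login makes unexpected role names in tokens visible without granting anything for them.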