Problems getting REMOTE_AUTH to work for groups

[larsks]

I'm trying to set up an oauth2 proxy in front of Netbox (to authenticate against a local Keycloak instance). I have the following configuration in the /etc/netbox/config/extra.py:

REMOTE_AUTH_ENABLED=True
REMOTE_AUTH_AUTO_CREATE_USER=True
REMOTE_AUTH_HEADER='HTTP_X_FORWARDED_PREFERRED_USERNAME'
REMOTE_AUTH_GROUP_HEADER='HTTP_X_FORWARDED_GROUPS'
REMOTE_AUTH_GROUP_SYNC_ENABLED=True
REMOTE_AUTH_SUPERUSER_GROUPS=['netbox-admin']
REMOTE_AUTH_GROUP_SEPARATOR=','

Authentication works just fine; I can enter my credentials and Netbox shows my email address in the account menu.

Requests have an X-Forwarded-Groups header that looks like:

X-Forwarded-Preferred-Username: me@example.com
X-Forwarded-Groups: default-roles-moc-testing,offline_access,netbox-admin,uma_authorization,role:default-roles-moc-testing,role:offline_access,role:netbox-admin,role:uma_authorization,role:account:manage-account,role:account:manage-account-links,role:account:view-profile

I have verified that these headers are present in requests to Netbox.

I've tried setting REMOTE_AUTH_GROUP_HEADER and REMOTE_AUTH_GROUP_SEPARATOR appropriately, but viewing the account profile (https://netbox.../user/profile/) always shows "Groups: None", and I'm not able to get superuser privileges.

Is there something obvious missing from my configuration?

With debug logging enabled, I see the following trace for netbox.authentication.RemoteUserBackend when logging in as user alice@example.com who is a member of the netbox-admin group:

User alice@example.com has logged out
Trying to sync Groups
Groups are ['default-roles-moc-testing', 'offline_access', 'netbox-admin', 'uma_authorization', 'role:default-roles-moc-testing', 'role:offline_access', 'role:netbox-admin', 'role:uma_authorization', 'role:account:manage-account', 'role:account:manage-account-links', 'role:account:view-profile']
trying to authenticate alice@example.com with groups ['default-roles-moc-testing', 'offline_access', 'netbox-admin', 'uma_authorization', 'role:default-roles-moc-testing', 'role:offline_access', 'role:netbox-admin', 'role:uma_authorization', 'role:account:manage-account', 'role:account:manage-account-links', 'role:account:view-profile']
Could not assign group default-roles-moc-testing to remotely-authenticated user alice@example.com: Group not found
Could not assign group offline_access to remotely-authenticated user alice@example.com: Group not found
Could not assign group netbox-admin to remotely-authenticated user alice@example.com: Group not found
Could not assign group uma_authorization to remotely-authenticated user alice@example.com: Group not found
Could not assign group role:default-roles-moc-testing to remotely-authenticated user alice@example.com: Group not found
Could not assign group role:offline_access to remotely-authenticated user alice@example.com: Group not found
Could not assign group role:netbox-admin to remotely-authenticated user alice@example.com: Group not found
Could not assign group role:uma_authorization to remotely-authenticated user alice@example.com: Group not found
Could not assign group role:account:manage-account to remotely-authenticated user alice@example.com: Group not found
Could not assign group role:account:manage-account-links to remotely-authenticated user alice@example.com: Group not found
Could not assign group role:account:view-profile to remotely-authenticated user alice@example.com: Group not found
Stripping user alice@example.com from Groups
Superuser Groups: ['netbox-admin']
Superuser Users: []
User alice@example.com is in Groups:set()
User alice@example.com in Superuser Users :set()
User alice@example.com is Superuser: False
Superuser Groups: ['netbox-admin']
Superuser Users: []
User alice@example.com is in Groups:set()
User alice@example.com in Superuser Users :set()
User alice@example.com should be Superuser: False
Superuser Groups: []
Staff Users :[]
User alice@example.com is in Groups:set()
User alice@example.com in Staff Users :set()
User alice@example.com is Staff: False
Superuser Groups: []
Staff Users :[]
User alice@example.com is in Groups:set()
User alice@example.com in Staff Users :set()
User alice@example.com should be Staff: False

It looks like the problem is that the netbox-admin group has to exist in netbox before this will work. How are netbox groups supposed to be created? I haven't found any documentation on that topic, and I don't see anything in the UI either. Running psql and insert into auth_group (name) values ('netbox-admin'); seems to get things working, but I'm hoping there's a better way.

[candlerb]

Groups are administered in the django admin section of the web UI: from the 'admin' menu at top right, select 'Admin'

[candlerb]

# grep -1R "Admin Access" netbox/
netbox/templates/users/profile.html-
netbox/templates/users/profile.html:      <span class="text-muted">Admin Access</span>
netbox/templates/users/profile.html-      <h5 class="mb-3">{{ request.user.is_staff|yesno|capfirst }}</h5>

So "Admin Access" in this page is actually reflecting the "Staff" flag. Maybe it would be clearer to show separate "Staff" and "Superuser" flags here. However the "Staff" flag really means "Permit access to the Django admin area", so "Admin Access" does make sense.

EDIT: I believe that a superuser has admin access too. So maybe this field should say "Yes" when request.user.is_staff or request.user.is_superuser

EDIT2: I was wrong. You can create a superuser without staff, and they can't access the Django admin section.

[larsks]

Thanks, using REMOTE_AUTH_STAFF_GROUPS instead of REMOTE_AUTH_SUPERUSER_GROUPS has things working. In my head, "superuser" is synonymous with e.g. "root", so superuser > staff > regular user, hence the confusion.

[larsks]

Huh. While I can see the "admin" menu now, accessing the admin interface shows "You don’t have permission to view or edit anything.", so I'm not all the way there yet. Maybe I need both privileges?

[larsks]

Looks like that was the answer (both "superuser" and "staff" are required).

[jeremystretch]

Correct: is_superuser is analogous to root privilege on Linux (implying that the user has all possible permissions), but is_staff separately controls access to the Django admin UI.

[FOTempel]

Glad I wasn't the only one struggling with this ;) I feel slightly less stupid now. Also, beware, anything you configure regarding groups and users is case sensitive for some reason. So make sure you configure your groups an/or users and Netbox with the exact strings as they come from your IDP else it doesn't work either.