Guards against writes to the main branch and enforces branch usage
Project description
Netbox-Branch-Guard
This Netbox middleware plugin can be used to guard against writes to the Main branch in Netbox. It can also be set up to enforce branch ownership checks and control which branches users are able to write into.
It is used in conjunction with the Netbox Branching plugin.
See the compatibility matrix for supported NetBox versions.
[!NOTE] This module has only been tested in conjunction with Netbox Community Edition. Please ensure that you fully test the behaviour of this module in a test environment before using it in production.
Requirements
- NetBox 4.x
- Netbox-Branching plugin for branch operations
- Python 3.10+
Installation
- Install the plugin:
pip install netbox-branch-guard
- Enable in NetBox configuration.py:
netbox-branching must come last
    PLUGINS = [
        "netbox_branch_guard",
        "netbox_branching",
    ]
    PLUGINS_CONFIG = {
        "netbox_branch_guard": {  # Default setting in (brackets)
            "enabled": True,  # (True) / False = plugin is enabled.
            "api_bypass": True,  # (True) / False = API can write to Main, else it's blocked.
            "superuser_bypass": True,  # (True) / False = Superuser can write to Main, else it's blocked.
            "enforce_ownership": False,  # (True) / False = Users can only write to branches they own.
            "logging": True,  # True / (False) = Output detailed logging to the netbox log.
            "group_branch_map": {  # Optional - Map user groups to their allowed branches. Wildcards are allowed.
                "Group 1": ["Branch 1", "Branch 2"],
                "Group 2": ["Branch 3"],
                "Group AB *": ["Branch AB *"],
            },
        },
    }
- Migrate:
python manage.py migrate
- Restart NetBox.
Using Netbox-Branch-Guard with NetBox Docker
- Configure the plugin: create plugins.py to store the plugin's configuration.
- Add netbox_branch_guard to PLUGINS and PLUGINS_CONFIG in plugins.py:
[!IMPORTANT] netbox-branching must come last
    PLUGINS = [
        "netbox_branch_guard",
        "netbox_branching",
    ]
    PLUGINS_CONFIG = {
        "netbox_branch_guard": {  # Default setting in (brackets)
            "enabled": True,  # (True) / False = plugin is enabled.
            "api_bypass": True,  # (True) / False = API can write to Main, else it's blocked.
            "superuser_bypass": True,  # (True) / False = Superuser can write to Main, else it's blocked.
            "enforce_ownership": False,  # (True) / False = Users can only write to branches they own.
            "logging": True,  # True / (False) = Output detailed logging to the netbox log.
            "log_level": "warning",  # Valid levels are ("debug"), "info", "success", "warning", "error"
            "group_branch_map": {  # Optional - Map user groups to their allowed branches. Wildcards are allowed.
                "Group 1": ["Branch 1", "Branch 2"],
                "Group 2": ["Branch 3"],
                "Group AB *": ["Branch AB *"],
            },
        },
    }
- Build the NetBox image: docker compose build --no-cache
- Start NetBox Docker: docker compose up -d
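A preflight check for the settings documented above, as an added example that is not part of the plugin. The names `audit_branch_guard`, `SAMPLE` and `STRICT` are hypothetical, and missing keys fall back to the defaults shown in (brackets) in the sample configuration.

```python
VALID_LOG_LEVELS = {"debug", "info", "success", "warning", "error"}

def audit_branch_guard(plugins, plugins_config):
    """Return findings for a PLUGINS / PLUGINS_CONFIG pair (empty list = clean)."""
    if "netbox_branch_guard" not in plugins:
        return ["netbox_branch_guard is not listed in PLUGINS"]
    findings = []
    if plugins[-1] != "netbox_branching":
        findings.append("netbox_branching must be the last entry in PLUGINS")
    cfg = plugins_config.get("netbox_branch_guard", {})
    # Fallbacks are the defaults shown in (brackets) in the sample configuration.
    if not cfg.get("enabled", True):
        findings.append("enabled=False: the guard is switched off")
    if cfg.get("api_bypass", True):
        findings.append("api_bypass=True: API requests can write to Main")
    if cfg.get("superuser_bypass", True):
        findings.append("superuser_bypass=True: superusers can write to Main")
    group_map = cfg.get("group_branch_map") or {}
    if not cfg.get("enforce_ownership", True) and not group_map:
        findings.append("no enforce_ownership and no group_branch_map: "
                        "no per-user branch restriction is configured")
    for group, branches in group_map.items():
        # A bare string instead of a list is an easy typo to make.
        if not isinstance(branches, (list, tuple)) or not branches:
            findings.append(f"group_branch_map[{group!r}] must be a non-empty list")
    level = cfg.get("log_level", "debug")
    if cfg.get("logging", False) and level not in VALID_LOG_LEVELS:
        findings.append(f"log_level={level!r} is not a documented level")
    return findings

# The sample configuration from this page, followed by a stricter variant.
PLUGINS = ["netbox_branch_guard", "netbox_branching"]
SAMPLE = {"netbox_branch_guard": {
    "enabled": True, "api_bypass": True, "superuser_bypass": True,
    "enforce_ownership": False, "logging": True, "log_level": "warning",
    "group_branch_map": {"Group 1": ["Branch 1", "Branch 2"],
                         "Group 2": ["Branch 3"],
                         "Group AB *": ["Branch AB *"]},
}}
STRICT = {"netbox_branch_guard": dict(SAMPLE["netbox_branch_guard"],
                                      api_bypass=False, superuser_bypass=False)}

if __name__ == "__main__":
    for name, cfg in (("sample", SAMPLE), ("strict", STRICT)):
        print(name, audit_branch_guard(PLUGINS, cfg))
```

The sample configuration yields two findings, one for each bypass that leaves Main writable; the stricter variant yields none.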
Usage
Permissions
- If you are giving users the ability to create their own branches, then it's suggested to set "enforce_ownership"
- The users will need to have the permissions set in Netbox to allow branch add, create, and optionally, delete, for the branch object type
Permissions required to allow users to create a branch
- If you are creating the branch beforehand and assigning the user to the appropriate group, then it's suggested to not set "enforce_ownership"
- In the example given, you would assign the user to either "Group 1" or "Group 2" and create the branches "Branch 1", "Branch 2" and "Branch 3"
Messages
Netbox UI Examples
Writes to the Main branch are restricted
You cannot use branch "..."
You can only modify a branch you own
Netbox Log Examples
The logging output will only appear in the Netbox log when logging is enabled and log_level is set higher than the current Netbox log_level.
The current BranchGuard settings are displayed when the plugin is initialized. Note that you may see multiple entries if there are multiple workers configured.
[BranchGuard SETTINGS] enabled: True, api_bypass: True, superuser_bypass: True, enforce_ownership: False, logging: True, group_branch_map: {'Group 1': ['Branch 1', 'Branch 2'], 'Group 2': ['Branch 3']}
Example output showing that an attempt to write to the Main branch was blocked.
[BranchGuard REQUEST] <WSGIRequest: POST '/dcim/sites/813/edit/'>
[BranchGuard USER] User: True, Groups: {'Group 1'}, requst.user.is_authenticated: True, requst.user.is_superuser: False, requst.path: /dcim/sites/813/edit/
[BranchGuard DEBUG] header=None, query=None, session=None, cookies=None, branch_id=None
[BranchGuard BLOCK] user=JohnDoe, POST /dcim/sites/813/edit/ -> No Branch (UI/API)
[BranchGuard BLOCK] Blocking writes to Main
Example output showing that an attempt to write to a branch that the user is not assigned to was blocked.
[BranchGuard REQUEST] <WSGIRequest: POST '/dcim/sites/813/edit/'>
[BranchGuard USER] User: True, Groups: {'Group 1'}, requst.user.is_authenticated: True, requst.user.is_superuser: False, requst.path: /dcim/sites/813/edit/
[BranchGuard DEBUG] header=None, query=None, session=None, cookies=sfaqlxj5, branch_id=sfaqlxj5
[BranchGuard BLOCK] You cannot use branch "Branch 3"
[BranchGuard BLOCK] Only: "Branch 1", "Branch 2"
Example output showing that an attempt to write to a branch was blocked because the user is not the owner of the branch and "enforce_ownership" is set.
[BranchGuard REQUEST] <WSGIRequest: POST '/dcim/sites/813/edit/'>
[BranchGuard USER] User: True, Groups: {'RIS-View', 'RIS-Modify'}, requst.user.is_authenticated: True, requst.user.is_superuser: False, requst.path: /dcim/sites/813/edit/
[BranchGuard DEBUG] header=None, query=None, session=None, cookies=5o9aq85u, branch_id=5o9aq85u
[BranchGuard BLOCK] user=JohnDoe, branch_owner=admin, branch=5o9aq85u -> Not Branch Owner
Example output showing that the user has write permissions and is trying to save a change in a branch, but is not a member of any of the groups in "group_branch_map".
[BranchGuard BLOCK] You are not assigned to a branch group"
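A triage script for the log output shown above, as an added example that is not part of the plugin. It groups BranchGuard lines per request and returns the blocked ones; the function names are hypothetical, and it assumes the lines of one request are logged contiguously, which may not hold when several workers write to the same log.

```python
import re

REQUEST = re.compile(r"\[BranchGuard REQUEST\] <WSGIRequest: (\w+) '([^']+)'>")
DEBUG = re.compile(r"\[BranchGuard DEBUG\].*\bbranch_id=(\w+)")
BLOCK = re.compile(r"\[BranchGuard BLOCK\] (.*)")
ATTRIBUTED = re.compile(r"user=(\w+),.*-> (.+)$")  # "user=..., ... -> reason"
UNATTRIBUTED = {"You cannot use branch": "Branch not allowed",
                "You are not assigned": "No branch group"}

def new_event(method=None, path=None):
    return dict(method=method, path=path, branch_id=None, user=None, reason=None)

def classify(msg):
    """Map a BLOCK message to (reason, user); detail lines give (None, None)."""
    if (m := ATTRIBUTED.search(msg)):
        return m[2].strip(), m[1]
    for prefix, reason in UNATTRIBUTED.items():
        if msg.startswith(prefix):
            return reason, None
    return None, None  # e.g. "Blocking writes to Main", "Only: ..."

def blocked_events(lines):
    """Group BranchGuard lines per request and return the blocked requests."""
    events, cur = [], None
    for line in lines:
        if (m := REQUEST.search(line)):
            cur = new_event(m[1], m[2])
            events.append(cur)
        elif (m := DEBUG.search(line)) and cur:
            cur["branch_id"] = None if m[1] == "None" else m[1]
        elif (m := BLOCK.search(line)) and (found := classify(m[1]))[0]:
            if cur is None or cur["reason"]:  # BLOCK line with no request context
                cur = new_event()
                events.append(cur)
            cur["reason"], cur["user"] = found
    return [e for e in events if e["reason"]]

# Lines copied from the examples on this page (USER lines left out).
SAMPLE_LOG = """\
[BranchGuard REQUEST] <WSGIRequest: POST '/dcim/sites/813/edit/'>
[BranchGuard DEBUG] header=None, query=None, session=None, cookies=None, branch_id=None
[BranchGuard BLOCK] user=JohnDoe, POST /dcim/sites/813/edit/ -> No Branch (UI/API)
[BranchGuard BLOCK] Blocking writes to Main
[BranchGuard REQUEST] <WSGIRequest: POST '/dcim/sites/813/edit/'>
[BranchGuard DEBUG] header=None, query=None, session=None, cookies=5o9aq85u, branch_id=5o9aq85u
[BranchGuard BLOCK] user=JohnDoe, branch_owner=admin, branch=5o9aq85u -> Not Branch Owner
[BranchGuard BLOCK] You are not assigned to a branch group"
""".splitlines()
```

Only the "No Branch" and "Not Branch Owner" lines carry a `user=` field, so the group-based blocks cannot be attributed to a username from the BLOCK line alone.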
File details
Details for the file netbox_branch_guard-1.0.8.tar.gz.
File metadata
- Download URL: netbox_branch_guard-1.0.8.tar.gz
- Upload date:
- Size: 85.7 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: uv/0.11.16 {"installer":{"name":"uv","version":"0.11.16","subcommand":["publish"]},"python":null,"implementation":{"name":null,"version":null},"distro":{"name":"Oracle Linux Server","version":"9.7","id":null,"libc":null},"system":{"name":null,"release":null},"cpu":null,"openssl_version":null,"setuptools_version":null,"rustc_version":null,"ci":null}
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | c023dac77addd7160850b29f49d1d6390184a14101e9f1484662225070c4cbb5 |
| MD5 | 0e22b16e24d00ba7be141178ad8fa9a7 |
| BLAKE2b-256 | 48381451a1d3f844f15ca69f8130c0bf79b587b3c30e9de4181199bf616635ad |
File details
Details for the file netbox_branch_guard-1.0.8-py3-none-any.whl.
File metadata
- Download URL: netbox_branch_guard-1.0.8-py3-none-any.whl
- Upload date:
- Size: 11.7 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: uv/0.11.16 {"installer":{"name":"uv","version":"0.11.16","subcommand":["publish"]},"python":null,"implementation":{"name":null,"version":null},"distro":{"name":"Oracle Linux Server","version":"9.7","id":null,"libc":null},"system":{"name":null,"release":null},"cpu":null,"openssl_version":null,"setuptools_version":null,"rustc_version":null,"ci":null}
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | a2d4dfc2e482278a41234666f8752344743f4eeaed73f846be61729e56158519 |
| MD5 | 182780f489aeb2b33039991f138e8477 |
| BLAKE2b-256 | 697f7eeb886602ba7edd53268d55240f28c92e96413db28f1379eebdbf0baa0a |