feat(nautobot): YAML-driven group-mapping RBAC for JWT-authenticated users#24
feat(nautobot): YAML-driven group-mapping RBAC for JWT-authenticated users#24dmathur0 wants to merge 3 commits into
Conversation
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: Path: .coderabbit.yaml Review profile: CHILL Plan: Enterprise Run ID: 📒 Files selected for processing (9)
💤 Files with no reviewable changes (9)
📝 WalkthroughWalkthroughThis PR adds YAML-driven JWT RBAC reconciliation for Nautobot, including mapping load/validation, login-time group and permission sync, superuser reconciliation changes, Helm wiring for config injection, and tests covering the new flows. ChangesJWT-driven Group Mapping RBAC
Estimated code review effort: 4 (Complex) | ~60 minutes 🚥 Pre-merge checks | ✅ 4 | ❌ 1❌ Failed checks (1 warning)
✅ Passed checks (4 passed)
✨ Finishing Touches📝 Generate docstrings
🧪 Generate unit tests (beta)
Comment |
91ca8ad to
3b934e2
Compare
There was a problem hiding this comment.
Actionable comments posted: 2
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@deploy/helm/templates/_nautobot-configmap-data.tpl`:
- Around line 79-90: The group-mapping ConfigMap and mounts are being rendered
unconditionally so nv_config_manager_auth.rbac (mapping_is_configured() /
DEFAULT_MAPPING_PATH) treats RBAC as configured even when
Values.nautobot.rbac.groupMapping is empty; update
deploy/helm/templates/nautobot.yaml to wrap the ConfigMap, volume, and
volumeMount blocks with a guard that checks for the presence of the key (e.g.,
{{ if hasKey .Values.nautobot.rbac "groupMapping" }} ) so an absent key means
“unconfigured”, and update deploy/helm/values.yaml to remove the default
groupMapping: [] (or set it to null) so the chart will not render the
ConfigMap/mount unless the operator explicitly provides groupMapping.
In `@deploy/helm/values.yaml`:
- Line 2454: The default empty array for groupMapping causes unintended
revoke-all behavior; change the default in values.yaml from "groupMapping: []"
to either remove the key or set "groupMapping: null" (or comment it out) and
update the Helm templates (the ConfigMap/volume creation in nautobot.yaml that
mounts the RBAC file) to be conditional on groupMapping being defined and
non-null so the ConfigMap is only created when the user explicitly configures
groupMapping (this preserves the documented semantics that null/omitted means
"do not touch", while an explicit [] still triggers the revoke-all behavior).
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Enterprise
Run ID: 7557663c-2858-4da0-8809-605501b8542b
📒 Files selected for processing (9)
components/nautobot/nv_config_manager_auth/jwt_authentication.pycomponents/nautobot/nv_config_manager_auth/rbac.pycomponents/nautobot/tests/conftest.pycomponents/nautobot/tests/test_jwt_authentication.pycomponents/nautobot/tests/test_rbac.pydeploy/helm/templates/_nautobot-configmap-data.tpldeploy/helm/templates/nautobot.yamldeploy/helm/values-local-azure-sso.yamldeploy/helm/values.yaml
There was a problem hiding this comment.
🧹 Nitpick comments (1)
docs/nautobot/nautobot-integration.mdx (1)
214-214: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low valueTerminology mismatch: "empty" vs. the chart's actual gating semantics.
This doc describes
superuserGroupsas disabled "when empty," which is consistent with the Helm template's{{- with .Values.nautobot.rbac.superuserGroups }}(falsy/empty skips rendering). No issue here, but worth double-checking phrasing consistency againstgroupMapping's very different "presence, not truthiness" semantics described a few lines below (Line 238) — a reader could conflate the two gating models since they're documented back-to-back with different rules.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@docs/nautobot/nautobot-integration.mdx` at line 214, Clarify the documentation wording around `superuserGroups` versus `groupMapping` so readers do not conflate their gating behavior. Keep the `superuserGroups` description aligned with the `with .Values.nautobot.rbac.superuserGroups` truthiness-based behavior, and explicitly distinguish it from `groupMapping`, which is enabled by key presence rather than value truthiness. Use the existing `superuserGroups` and `groupMapping` sections in the Nautobot integration docs to make the contrast obvious and consistent.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Nitpick comments:
In `@docs/nautobot/nautobot-integration.mdx`:
- Line 214: Clarify the documentation wording around `superuserGroups` versus
`groupMapping` so readers do not conflate their gating behavior. Keep the
`superuserGroups` description aligned with the `with
.Values.nautobot.rbac.superuserGroups` truthiness-based behavior, and explicitly
distinguish it from `groupMapping`, which is enabled by key presence rather than
value truthiness. Use the existing `superuserGroups` and `groupMapping` sections
in the Nautobot integration docs to make the contrast obvious and consistent.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Enterprise
Run ID: 31e4bdaa-361a-406c-aa93-ae8705b77448
📒 Files selected for processing (6)
components/nautobot/nv_config_manager_auth/jwt_authentication.pycomponents/nautobot/nv_config_manager_auth/rbac.pydeploy/helm/templates/_nautobot-configmap-data.tpldeploy/helm/templates/nautobot.yamldeploy/helm/values.yamldocs/nautobot/nautobot-integration.mdx
🚧 Files skipped from review as they are similar to previous changes (5)
- deploy/helm/values.yaml
- deploy/helm/templates/nautobot.yaml
- deploy/helm/templates/_nautobot-configmap-data.tpl
- components/nautobot/nv_config_manager_auth/rbac.py
- components/nautobot/nv_config_manager_auth/jwt_authentication.py
Adds nv_config_manager_auth.rbac, which reads a YAML group-mapping file on every JWT login to reconcile Django Group membership and per-action ObjectPermissions (with optional constraints and is_superuser shortcut) against the JWT roles claim. Group lifecycle is operator-managed by default; NV_CONFIG_MANAGER_AUTO_CREATE_GROUPS opts into auto-creation. _sync_superuser_status now decouples mapping-enabled from per-user-match so revocation/demotion runs even with an empty or failed-to-parse mapping (fail-closed). Helm renders the mapping into a directory-mounted ConfigMap with a pod-template checksum. Signed-off-by: Davesh Mathur <daveshm@nvidia.com>
Adds values-local-azure-sso.yaml as a generic, scrubbed example: all tenant/client IDs, secrets, internal hostnames, and cluster contexts are replaced with <placeholder>s. Shows how to exercise the nautobot.rbac.groupMapping path against a real Entra ID OIDC provider on a local kind cluster. Signed-off-by: Davesh Mathur <daveshm@nvidia.com>
…fault revoke-all The group-mapping ConfigMap, volume, volumeMount, and env var rendered unconditionally, so /app/config/group-mapping.yaml always existed and rbac.mapping_is_configured() treated the feature as configured-but-empty by default (groupMapping: []). That ran the revoke-everyone / demotion path on every JWT login even when operators never opted in. Guard the ConfigMap, checksum annotation, volume, volumeMount, and the GROUP_MAPPING_PATH env var on `hasKey nautobot.rbac "groupMapping"`, and default the key to omitted (commented out) in values.yaml. The three states are now: omitted = unconfigured (privileges untouched), [] = configured-empty (deliberate revoke-all), [...] = configured. Document the semantics in values.yaml, the templates, the mapping_is_configured docstring, and a new Authentication and RBAC section in the Nautobot integration docs. Also add docstrings to the previously-undocumented JWT auth helpers to satisfy docstring coverage. Signed-off-by: Davesh Mathur <daveshm@nvidia.com>
e39912a to
9ba851e
Compare
Description
Validation
The kind integration test is manual due to taking ~30 min to complete. When the PR is ready for review,
run Actions -> Kind Integration -> Run workflow against the copy-pr-bot generated
pull-request/<PR_NUMBER>branch. Use the defaulttest_pathfor the full suite,or narrow it only while debugging.
Passing Kind Integration run:
Checklist
CONTRIBUTING.md.docs screenshots, or Helm/rendered outputs.
Summary by CodeRabbit