API: read-only ID/token not allowed to read virtual interfaces

[jogulin]

Environment

• Python version: 3.6.8
• NetBox version: 2.10.3

Steps to Reproduce

1. Create two users... one with read-write access, one with read-only access
2. Assign security tokens to these users
3. Generic command:

curl -v -k -X GET \
-H "Authorization: Token $token" \
-H "Content-Type: application/json" \
-H "Accept: application/json; indent=4" \
https://netbox.example.local/api/virtualization/interfaces/1/

Replace "$token" with the read-only and read-write tokens from steps 1 and 2, and use an ID for the interface you know exists.

Expected Behavior

Response for both:

{
    "id": 1,
    "url": "http://netbox.example.local/api/virtualization/interfaces/1/",
    "virtual_machine": {
        "id": 6,
        "url": "http://netbox.example.local/api/virtualization/virtual-machines/6/",
        "name": "My VM"
    },
    "name": "Ethernet Adapter 1",
    "enabled": true,
    "mtu": 1500,
    "mac_address": "00:00:00:00:00:00",
    "description": "",
    "mode": null,
    "untagged_vlan": null,
    "tagged_vlans": [],
    "tags": []
}
* Connection #0 to host netbox.example.local left intact

(ids and mac address results will vary based on your data)

Observed Behavior

The expected behavior occurred with the read-write id/token. The following occurred with the read-only token/id:

{
    "detail": "You do not have permission to perform this action."
}
* Connection #0 to host netbox.example.local left intact

[jogulin]

I have also tried to get a generic list by leaving off the ID of the specific interface with identical results.

[DanSheps]

I am unable to reproduce this on our master instance:

* About to connect() to master.netbox.dev port 443 (#0)
*   Trying 144.217.88.130...
* Connected to master.netbox.dev (144.217.88.130) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* skipping SSL peer certificate verification
* SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
* Server certificate:
*       subject: CN=master.netbox.dev
*       start date: Dec 09 16:09:42 2020 GMT
*       expire date: Mar 09 16:09:42 2021 GMT
*       common name: master.netbox.dev
*       issuer: CN=R3,O=Let's Encrypt,C=US
> GET /api/virtualization/interfaces/ HTTP/1.1
> User-Agent: curl/7.29.0
> Host: master.netbox.dev
> Authorization: Token 3a1a2280b1c606b8e5e5386e38dcaba522573a66
> Content-Type: application/json
> Accept: application/json; indent=4
>
< HTTP/1.1 200 OK
< Server: nginx/1.16.1
< Date: Mon, 25 Jan 2021 15:27:59 GMT
< Content-Type: application/json
< Content-Length: 4200
< Connection: keep-alive
< Vary: Accept, Cookie, Origin
< Allow: GET, POST, PUT, PATCH, DELETE, HEAD, OPTIONS
< API-Version: 2.10
< X-Content-Type-Options: nosniff
< Referrer-Policy: same-origin
< X-Frame-Options: SAMEORIGIN
<
{
    "count": 6,
    "next": null,
    "previous": null,
    "results": [
        {
            "id": 4,
            "url": "https://master.netbox.dev/api/virtualization/interfaces/4/",
            "virtual_machine": {
                "id": 7,
                "url": "https://master.netbox.dev/api/virtualization/virtual-machines/7/",
                "name": "2r443f"
            },
            "name": "Test1",
            "enabled": true,
            "mtu": null,
            "mac_address": null,
            "description": "",
            "mode": null,
            "untagged_vlan": null,
            "tagged_vlans": [],
            "tags": []
        },
        {
            "id": 5,
            "url": "https://master.netbox.dev/api/virtualization/interfaces/5/",
            "virtual_machine": {
                "id": 7,
                "url": "https://master.netbox.dev/api/virtualization/virtual-machines/7/",
                "name": "2r443f"
            },
            "name": "Test2",
            "enabled": true,
            "mtu": null,
            "mac_address": null,
            "description": "",
            "mode": null,
            "untagged_vlan": null,
            "tagged_vlans": [],
            "tags": []
        },
        {
            "id": 2,
            "url": "https://master.netbox.dev/api/virtualization/interfaces/2/",
            "virtual_machine": {
                "id": 7,
                "url": "https://master.netbox.dev/api/virtualization/virtual-machines/7/",
                "name": "2r443f"
            },
            "name": "eth0",
            "enabled": true,
            "mtu": null,
            "mac_address": null,
            "description": "",
            "mode": null,
            "untagged_vlan": null,
            "tagged_vlans": [],
            "tags": []
        },
        {
            "id": 3,
            "url": "https://master.netbox.dev/api/virtualization/interfaces/3/",
            "virtual_machine": {
                "id": 3,
                "url": "https://master.netbox.dev/api/virtualization/virtual-machines/3/",
                "name": "afdsf"
            },
            "name": "eth0",
            "enabled": true,
            "mtu": null,
            "mac_address": "00:11:22:33:44:55",
            "description": "",
            "mode": null,
            "untagged_vlan": null,
            "tagged_vlans": [],
            "tags": []
        },
        {
            "id": 6,
            "url": "https://master.netbox.dev/api/virtualization/interfaces/6/",
            "virtual_machine": {
                "id": 9,
                "url": "https://master.netbox.dev/api/virtualization/virtual-machines/9/",
                "name": "test"
            },
            "name": "ghjgjhghjgh",
            "enabled": true,
            "mtu": null,
            "mac_address": null,
            "description": "",
            "mode": {
                "value": "tagged",
                "label": "Tagged"
            },
            "untagged_vlan": null,
            "tagged_vlans": [
                {
                    "id": 128,
                    "url": "https://master.netbox.dev/api/ipam/vlans/128/",
                    "vid": 2,
                    "name": "2",
                    "display_name": "2 (2)"
                }
            ],
            "tags": [
                {
                    "id": 3,
                    "url": "https://master.netbox.dev/api/extras/tags/3/",
                    "name": "pdu",
                    "slug": "pdu",
                    "color": "9e9e9e"
                }
            ]
        },
        {
            "id": 1,
            "url": "https://master.netbox.dev/api/virtualization/interfaces/1/",
            "virtual_machine": {
                "id": 1,
                "url": "https://master.netbox.dev/api/virtualization/virtual-machines/1/",
                "name": "testvm"
            },
            "name": "ens192",
            "enabled": true,
            "mtu": null,
            "mac_address": null,
            "description": "",
            "mode": null,
            "untagged_vlan": null,
            "tagged_vlans": [],
            "tags": []
        }
]

I suspect you have given the users different permissions

[DanSheps]

Testing with a user that only has "can view" permissions results in the same:

* About to connect() to master.netbox.dev port 443 (#0)
*   Trying 144.217.88.130...
* Connected to master.netbox.dev (144.217.88.130) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* skipping SSL peer certificate verification
* SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
* Server certificate:
*       subject: CN=master.netbox.dev
*       start date: Dec 09 16:09:42 2020 GMT
*       expire date: Mar 09 16:09:42 2021 GMT
*       common name: master.netbox.dev
*       issuer: CN=R3,O=Let's Encrypt,C=US
> GET /api/virtualization/interfaces/ HTTP/1.1
> User-Agent: curl/7.29.0
> Host: master.netbox.dev
> Authorization: Token cebeca168bf5483333655dba8b4a6d16c07186e7
> Content-Type: application/json
> Accept: application/json; indent=4
>
< HTTP/1.1 200 OK
< Server: nginx/1.16.1
< Date: Mon, 25 Jan 2021 15:33:21 GMT
< Content-Type: application/json
< Content-Length: 4200
< Connection: keep-alive
< Vary: Accept, Cookie, Origin
< Allow: GET, POST, PUT, PATCH, DELETE, HEAD, OPTIONS
< API-Version: 2.10
< X-Content-Type-Options: nosniff
< Referrer-Policy: same-origin
< X-Frame-Options: SAMEORIGIN
<
{
    "count": 6,
    "next": null,
    "previous": null,
    "results": [
        {
            "id": 4,
            "url": "https://master.netbox.dev/api/virtualization/interfaces/4/",
            "virtual_machine": {
                "id": 7,
                "url": "https://master.netbox.dev/api/virtualization/virtual-machines/7/",
                "name": "2r443f"
            },
            "name": "Test1",
            "enabled": true,
            "mtu": null,
            "mac_address": null,
            "description": "",
            "mode": null,
            "untagged_vlan": null,
            "tagged_vlans": [],
            "tags": []
        },
        {
            "id": 5,
            "url": "https://master.netbox.dev/api/virtualization/interfaces/5/",
            "virtual_machine": {
                "id": 7,
                "url": "https://master.netbox.dev/api/virtualization/virtual-machines/7/",
                "name": "2r443f"
            },
            "name": "Test2",
            "enabled": true,
            "mtu": null,
            "mac_address": null,
            "description": "",
            "mode": null,
            "untagged_vlan": null,
            "tagged_vlans": [],
            "tags": []
        },
        {
            "id": 2,
            "url": "https://master.netbox.dev/api/virtualization/interfaces/2/",
            "virtual_machine": {
                "id": 7,
                "url": "https://master.netbox.dev/api/virtualization/virtual-machines/7/",
                "name": "2r443f"
            },
            "name": "eth0",
            "enabled": true,
            "mtu": null,
            "mac_address": null,
            "description": "",
            "mode": null,
            "untagged_vlan": null,
            "tagged_vlans": [],
            "tags": []
        },
        {
            "id": 3,
            "url": "https://master.netbox.dev/api/virtualization/interfaces/3/",
            "virtual_machine": {
                "id": 3,
                "url": "https://master.netbox.dev/api/virtualization/virtual-machines/3/",
                "name": "afdsf"
            },
            "name": "eth0",
            "enabled": true,
            "mtu": null,
            "mac_address": "00:11:22:33:44:55",
            "description": "",
            "mode": null,
            "untagged_vlan": null,
            "tagged_vlans": [],
            "tags": []
        },
        {
            "id": 6,
            "url": "https://master.netbox.dev/api/virtualization/interfaces/6/",
            "virtual_machine": {
                "id": 9,
                "url": "https://master.netbox.dev/api/virtualization/virtual-machines/9/",
                "name": "test"
            },
            "name": "ghjgjhghjgh",
            "enabled": true,
            "mtu": null,
            "mac_address": null,
            "description": "",
            "mode": {
                "value": "tagged",
                "label": "Tagged"
            },
            "untagged_vlan": null,
            "tagged_vlans": [
                {
                    "id": 128,
                    "url": "https://master.netbox.dev/api/ipam/vlans/128/",
                    "vid": 2,
                    "name": "2",
                    "display_name": "2 (2)"
                }
            ],
            "tags": [
                {
                    "id": 3,
                    "url": "https://master.netbox.dev/api/extras/tags/3/",
                    "name": "pdu",
                    "slug": "pdu",
                    "color": "9e9e9e"
                }
            ]
        },
        {
            "id": 1,
            "url": "https://master.netbox.dev/api/virtualization/interfaces/1/",
            "virtual_machine": {
                "id": 1,
                "url": "https://master.netbox.dev/api/virtualization/virtual-machines/1/",
                "name": "testvm"
            },
            "name": "ens192",
            "enabled": true,
            "mtu": null,
            "mac_address": null,
            "description": "",
            "mode": null,
            "untagged_vlan": null,
            "tagged_vlans": [],
            "tags": []
        }
    ]

[jogulin]

Is there a permission set on a database table that may need adjusting, possibly? Is there a debug setting that I can turn on to help provide some guidance?

As for users, we use LDAP authentication. Both users are in the group that grants access. One user has a green check under "Write enabled" while the other has a red X. The idea is that we want to have a "read-only service account" that can read information but not alter it for some of our automation scripts.

[jogulin]

So for gits and shiggles I tried turning on "write enabled" and it did not resolve the issue. This would indicate some authentication level issue or a permission issue somewhere inside.

[DanSheps]

How are your permissions structured? Does the read only account have access in the web interface to those interfaces?

[jogulin]

OK, so it looks like I had to go into the admin page and add in the permissions and it works now.