Dynamically pass credentials to the Napalm module

[Random6554]

Issue type

[x] Feature request
[ ] Bug report
[ ] Documentation

Environment

• Python version: 3.5.4
• NetBox version: 2.1.3

Description

Please implement a way to pass SSH credentials to the Napalm module via the web interface or login creds.

I require a dynamic way to pass the --user and --password Naplam values to the module. My goal is to hookup NetBox to LDAP therefore allowing users to auth with NetBox and query devices using Napalm with the same creds.

Thanks,

[jeremystretch]

I require a dynamic way to pass the --user and --password Naplam values to the module.

What is the modification being proposed?

[hdinthkld]

Could the device details be edited to provide an option to specify a "secret" that is defined in NetBox that can then be passed to NAPALM?

I don't believe applying such a setting anywhere other than per-device makes much other sense, unless a "Device Group" feature is implemented in the future.

This would be very scaleable as if the login is used across a range of devices (such as per-customer), editing it in one place (say when the RADIUS/TACACS password is updated) and then all devices that it applies to, NAPALM will use the correct details.

Thanks for putting together such a great tool...keep these improvements coming.

[jeremystretch]

Could the device details be edited to provide an option to specify a "secret" that is defined in NetBox that can then be passed to NAPALM?

You would still need to pass an active session key to NetBox to unlock the secret so that its plaintext value can be fed to NAPALM. I don't think that will work for a GET API request, since we need to keep any sensitive data out of the query string. So, we would need to extend the NAPALM API endpoint to accept POST requests as well.

This might be okay for the API request, but I'm not a fan of extending the device model to point to a secret to use for NAPALM. That feels very hacky, and would be difficult to manage at scale.

[jeremystretch]

An alternative to using POST requests would be to pass the username and password as HTTP headers. For example:

curl \
-H "Authorization: Token <TOKEN>" \
-H "NAPALM-Username: <USERNAME>" \
-H "NAPALM-Password: <PASSWORD>" \
-H "Content-Type: application/json" \
-H "Accept: application/json; indent=4" \
https://netbox/api/dcim/devices/<PK>/napalm/?method=get_facts

The provided parameters would override the statically configured credentials. This approach could be extended to support other arguments as well.

[tb-killa]

we are currently running into exactly the same problem described above and asking for a possible solution period or a way to "bypass" the issue at the moment ?

We use different static usernames and passwords for different devices.

How about getting the usernames and passwords from the "Contextual Configuration Data" ?