How to use payload.username in webhook conditions ? #12923
-
|
I would like to add a webhook condition to NOT start a webhook when a certain user has triggered the webhook. My use case is that I have a device update webhook that triggers an awx job. The awx job changes the configuration of a network device and then (as an api user / token using netbox galaxy collection) adds a journal entry in netbox and sets the state of the device IN netbox. Setting the state of the device in netbox then triggers the update webhook which then triggers awx again etc. So I would like to NOT start the webhook trigger when the api user has initiated the webhook. It should be possible according to this post (#9779 (comment)). I verified in netbox/extras/webhooks_worker.py code that the username is added but how can I use it as a webhook condition ? I use the following webhook condition which does not work (webhook is still executed) :
|
Beta Was this translation helpful? Give feedback.
Replies: 4 comments 3 replies
-
|
Ok, I have found a work-around for my problem :
I only want the webhook to take effect when an USER changed something in netbox, not when an api (awx) is changing stuff in netbox. Now for the work-around : I created an api user / token that I use (awx) to call the netbox rest api. This "api" username is the keyword that we will use to drop the incoming webhook from netbox. Unfortunately I could not prevent the webhook from being triggered but because of the drop my awx doesn't receive the rest call. So the effect is the same : only user actions in netbox will trigger my awx and webhook caused by api actions are not received. In Netbox I add an extra webhook custom header option. Go to your webhook configuration and add additional header :
Now we use nginx as http proxy to drop the incoming webhooks from netbox which contain a custom http header with an username:api option. My nginx.conf (fill in the stuff between <> !!!) : ` server { } |
Beta Was this translation helpful? Give feedback.
-
|
https://demo.netbox.dev/static/docs/additional-features/webhooks/#conditional-webhooks
https://demo.netbox.dev/static/docs/reference/conditions/
You should be able to suppress the webhook based on conditional logic just for this kind of case.
—
Mark Tinberg ***@***.***>
Division of Information Technology-Network Services
University of Wisconsin-Madison
…________________________________
From: bkampsnl ***@***.***>
Sent: Sunday, June 18, 2023 3:58 PM
To: netbox-community/netbox ***@***.***>
Cc: Subscribed ***@***.***>
Subject: Re: [netbox-community/netbox] How to use payload.username in webhook conditions ? (Discussion #12923)
Ok, I have found a work-around for my problem :
1. Netbox calls a webhook when a device has changed.
2. The webhook calls the rest api of awx (in my case) to kick-off an ansible script.
3. The ansible script does its work, updates the network device.
4. The ansible script also changes the state / tags of the dcim device IN NETBOX (for example set the device state to fail or whatever).
5. Now the dcim device is updated in netbox which causes the device-update webhook to be triggered again which kicks awx again.
I only want the webhook to take effect when an USER changed something in netbox, not when an api (awx) is changing stuff in netbox.
Now for the work-around :
I created an api user / token that I use (awx) to call the netbox rest api. This "api" username is the keyword that we will use to drop the incoming webhook from netbox. Unfortunately I could not prevent the webhook from being triggered but because of the drop my awx doesn't receive the rest call. So the effect is the same : only user actions in netbox will trigger my awx and webhook caused by api actions are not received.
In Netbox I add an extra webhook custom header option. Go to your webhook configuration and add additional header :
username: {{username}}
Now we use nginx as http proxy to drop the incoming webhooks from netbox which contain a custom http header with an username:api option.
My nginx.conf (fill in the stuff between <> !!!) :
`
map $http_username $is_api_user {
default 0;
api 1;
}
server {
listen <my_nginx_listen_port>;
location / {
if ($is_api_user) {
return 200;
}
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $http_host;
proxy_pass https://<ip_address_of_my_awx>:<port_of_my_awx>/;
}
}
`
—
Reply to this email directly, view it on GitHub<#12923 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/AAS7UM6BNODKEZ3RZUENTBDXL5TX5ANCNFSM6AAAAAAZKMYUOE>.
You are receiving this because you are subscribed to this thread.Message ID: ***@***.***>
|
Beta Was this translation helpful? Give feedback.
-
|
You can only use conditions on data of a netbox entity. But it is not possible to apply a condition to the username that initiated the CRUD operation on a netbox entity. |
Beta Was this translation helpful? Give feedback.
-
|
Ah so. I'm just catching up with the thread context. Another way this could be suppressed at the source is if you could enumerate all the data changes made by API if they don't overlap with changes made by humans, eg if status or tags are only updated by AWX/Ansible then suppress outgoing webhooks that change those fields, but this seems like a brittle and fiddly rule to maintain.
Filtering on the username field at the webhook receiver as you have figured out is probably the right way to handle this, so AWX can ignore changes made by itself. Adding as a header and filtering at the webserver level is a valid mechanism for this, does AWX not have a way to provide conditional logic based on the webhook contents, as username is included in the payload?
—
Mark Tinberg ***@***.***>
Division of Information Technology-Network Services
University of Wisconsin-Madison
…________________________________
From: bkampsnl ***@***.***>
Sent: Tuesday, June 20, 2023 4:47 AM
To: netbox-community/netbox ***@***.***>
Cc: Mark Tinberg ***@***.***>; Comment ***@***.***>
Subject: Re: [netbox-community/netbox] How to use payload.username in webhook conditions ? (Discussion #12923)
You can only use conditions on data of a netbox entity.
But it is not possible to apply a condition to the username that initiated the CRUD operation on a netbox entity.
—
Reply to this email directly, view it on GitHub<#12923 (reply in thread)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/AAS7UM4LLLLROUKALINR6Z3XMFWSPANCNFSM6AAAAAAZKMYUOE>.
You are receiving this because you commented.Message ID: ***@***.***>
|
Beta Was this translation helpful? Give feedback.
-
|
Yes I think the most simple way is to filter out the outgoing webhook by nginx. AWX does not receive the webhook call at all.
I cannot filter at AWX side that's why I use nginx (http proxy) to drop the webhook.
Do you know if it is possible to compare the prechange and postchange data in a webhook condition in netbox ? I thought that you only can use the data of the entity itself you selected for the webhook. Not the pre/postchange stuff that is being sent with the webhook call to outside. |
Beta Was this translation helpful? Give feedback.
-
|
I've written my own webhook listener, and that filters out operations that I don't need (based on configurable usernames or whatever I want), and enriches the calls that it makes forward. This is one example: https://majornetwork.net/2020/10/webhook-listener-with-fastapi/ |
Beta Was this translation helpful? Give feedback.
-
|
* if you could enumerate all the data changes made by API
Do you know if it is possible to compare the prechange and postchange data in a webhook condition in netbox ? I thought that you only can use the data of the entity itself you selected for the webhook. Not the pre/postchange stuff that is being sent with the webhook call to outside.
I think you are right, that wouldn't work either unless you were just ignoring specific status or tag values as being ineligible for AWX config changes (ie skip anything with non-Active status if AWX isn't being used for de-provisioning) but I imagine that's not very useful for your case. Apparently, I'm full is half-baked ideas that don't quite pan out today, maybe I need some stronger coffee 😉.
—
Mark Tinberg ***@***.***>
Division of Information Technology-Network Services
University of Wisconsin-Madison
…________________________________
From: bkampsnl ***@***.***>
Sent: Thursday, June 22, 2023 6:32 AM
To: netbox-community/netbox ***@***.***>
Cc: Mark Tinberg ***@***.***>; Comment ***@***.***>
Subject: Re: [netbox-community/netbox] How to use payload.username in webhook conditions ? (Discussion #12923)
Yes I think the most simple way is to filter out the outgoing webhook by nginx. AWX does not receive the webhook call at all.
AWX not have a way to provide conditional logic based on the webhook contents, as username is included in the payload?
I cannot filter at AWX side that's why I use nginx (http proxy) to drop the webhook.
if you could enumerate all the data changes made by API
Do you know if it is possible to compare the prechange and postchange data in a webhook condition in netbox ? I thought that you only can use the data of the entity itself you selected for the webhook. Not the pre/postchange stuff that is being sent with the webhook call to outside.
—
Reply to this email directly, view it on GitHub<#12923 (reply in thread)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/AAS7UM3NWSEH4LTUMTRHXYDXMQUL5ANCNFSM6AAAAAAZKMYUOE>.
You are receiving this because you commented.Message ID: ***@***.***>
|
Beta Was this translation helpful? Give feedback.
Ok, I have found a work-around for my problem :
I only want the webhook to take effect when an USER changed something in netbox, not when an api (awx) is changing stuff in netbox.
Now for the work-around :
I created an api user / token that I…