@pheus pheus commented Aug 30, 2025

Pull Request

Related Issue

Fixes #72 - [Feature]: Assign a ACL to multiple devices
Fixes #41 - [Feature]: Add assigned_object models in GraphQL API similar to the REST API
Fixes #156 - [Housekeeping]: Move forms to use selector in place of various params

New Behavior

This PR introduces a unified assignment model, ACLAssignment, that supports applying a single AccessList to:

  • Hosts: Device, VirtualChassis, VirtualMachine
  • Interfaces: Interface, VMInterface

Key behavior:

  • A single ACL can now be assigned to multiple hosts and/or interfaces (across multiple devices).
  • Direction tri‑state: ingress | egress | none
    • For host assignments, direction is set to "none" and disabled in forms.
    • For interface assignments, ingress or egress is required.
  • Validation prevents duplicate assignments for the same object/direction.
  • Creating an ACL no longer forces an immediate assignment; assignments can be added later.

Contrast to Current Behavior

  • Previously, each ACL could be attached only to a single Device or VirtualMachine, and interface assignments were managed via ACLInterfaceAssignment.
  • The new approach consolidates all assignments into one model (ACLAssignment) and allows reusing the same ACL across many targets.
  • The UI presents a single Assignments concept (with children views on devices, virtual chassis, VMs, and interfaces), replacing the prior “Interface Assignments” only flow.

Discussion: Benefits and Drawbacks

Benefits

  • Reduces ACL duplication when the same policy applies to many devices/interfaces.
  • One assignment model simplifies code paths (forms, serializers, filtersets, tables, views).
  • Consistent UX and API across devices, virtual chassis, VMs, and interfaces.
  • Clear direction semantics (ingress | egress | none) across all assignment types.

Drawbacks / Notes

  • BREAKING CHANGE: ACLInterfaceAssignment is replaced by ACLAssignment.
    • API route renamed from interface-assignments → assignments.
    • GraphQL types/filters renamed accordingly.
    • Templates, forms, filtersets, and tables updated to the unified model.
  • Name conflict checks are handled in application validation (no denormalized cached field), to avoid complexity during ACL renames.

Backwards compatibility

  • A data migration copies existing assignments to the new model.
  • API/GraphQL clients using the old “interface-assignments” routes/types will need to switch to the new “assignments” endpoints/types.

Changes to the Documentation

  • Update Assignments documentation to describe the unified ACLAssignment model, supported object types, and direction tri‑state.
  • Replace references to ACLInterfaceAssignment with ACLAssignment in README/Wiki/API/GraphQL sections.
  • Add Upgrade Notes covering:
    • Route/type renames
    • Direction semantics ("none" for host assignments)

Proposed Release Note Entry

  • Feature: Assign a single ACL to multiple devices and interfaces across devices via a new unified ACLAssignment model ([Feature]: Assign a ACL to multiple devices #72).
  • Breaking: ACLInterfaceAssignment replaced by ACLAssignment; API route renamed interface-assignments → assignments; GraphQL types/filters renamed. Includes data migration for existing assignments.

Double Check

  • I have explained my PR according to the information in the comments or in a linked issue.
  • My PR targets the dev branch.

Thanks for reviewing!
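
The direction and duplicate rules listed under "Key behavior" above, as a stand-alone sketch added here for illustration; it is not code from this PR or the plugin. The `Assignment` class, the lowercase type names, the choice to reject (rather than coerce) a host assignment that carries a direction, and the duplicate key of ACL, object and direction are all assumptions.

```python
from dataclasses import dataclass

HOST_TYPES = {"device", "virtualchassis", "virtualmachine"}
INTERFACE_TYPES = {"interface", "vminterface"}
DIRECTIONS = {"ingress", "egress", "none"}

@dataclass(frozen=True)
class Assignment:  # hypothetical stand-in, not the plugin's ACLAssignment model
    acl: str
    object_type: str
    object_id: int
    direction: str

def check(new, existing):
    """Return None if `new` is acceptable, else the reason it is rejected."""
    if new.direction not in DIRECTIONS:
        return "unknown direction"
    if new.object_type in HOST_TYPES:
        if new.direction != "none":
            return "host assignments take direction 'none'"
    elif new.object_type in INTERFACE_TYPES:
        if new.direction == "none":
            return "interface assignments need ingress or egress"
    else:
        return "unsupported object type"
    if new in existing:  # assumed key: same ACL, same object, same direction
        return "duplicate assignment"
    return None

def apply_all(requests):
    """Validate requests in order; return (accepted set, rejected with reasons)."""
    accepted, rejected = set(), []
    for req in requests:
        reason = check(req, accepted)
        if reason is None:
            accepted.add(req)
        else:
            rejected.append((req, reason))
    return accepted, rejected

SAMPLE = [  # constructed input: one ACL reused across hosts and interfaces
    Assignment("EDGE-IN", "device", 1, "none"),
    Assignment("EDGE-IN", "virtualchassis", 2, "none"),
    Assignment("EDGE-IN", "interface", 10, "ingress"),
    Assignment("EDGE-IN", "interface", 10, "egress"),   # same port, other direction
    Assignment("EDGE-IN", "interface", 10, "ingress"),  # duplicate
    Assignment("EDGE-IN", "vminterface", 5, "none"),    # interface without direction
    Assignment("EDGE-IN", "device", 3, "egress"),       # host with a direction
]
```

`apply_all(SAMPLE)` accepts the first four requests and rejects the last three, each with the rule it violated.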

pheus added 18 commits August 7, 2025 19:28

  • Refactors ACLStandardRule and ACLExtendedRule to support generic source
    and destination fields. Introduces GenericForeignKey and related caching
    for improved flexibility and performance.

    BREAKING CHANGE: Updates source/destination field structures; existing
    ACL data require migration.

  • Renames and updates fields in ACLStandardRule and ACLExtendedRule to
    support generic source and destination objects. Introduces new fields,
    indices, and foreign key relationships for improved flexibility and
    query performance.

    BREAKING CHANGE: Requires migration of existing ACL data to the new
    field structure.

  • Introduces a data migration to copy source and destination prefix IDs
    to the newly added GenericForeignKey fields in ACLStandardRule and
    ACLExtendedRule. Ensures existing prefix assignments are preserved
    during schema updates.

  • Extend test coverage for ACLStandardRule and ACLExtendedRule to include
    validation of generic source and destination objects. Add scenarios for
    aggregates, IP addresses, IP ranges, and validation of invalid objects.
    Test updates ensure the robustness and accuracy of the new field
    structure.

  • Introduces new columns for source and destination with support for
    generic objects in ACLStandardRule and ACLExtendedRule tables. Updates
    field and default column configurations for improved flexibility
    and alignment with the new data model.

  • Adds support for filtering by aggregates, IP addresses, and IP ranges in
    both source and destination fields. Updates filter fields for better
    alignment with the extended ACL rules model.

  • Integrates generic object handling for source and destination fields in
    ACLStandardRuleForm and ACLExtendedRuleForm. Introduces support for
    content types, dynamic queries, and enhanced validation. Improves
    alignment with the generic source/destination model update.

  • Rename labels for source and destination fields in ACL templates to
    reflect the updated generic model structure. Improves clarity and
    consistency with recent data model changes.

  • Replaces source_prefix and destination_prefix with generic source and
    destination prefetches in views for ACLStandardRule and ACLExtendedRule.
    Aligns view logic with the updated generic source/destination model for
    better flexibility and consistency.

  • Replaces source_prefix and destination_prefix with generic source and
    destination fields in ACL serializers. Introduces support for content
    types, dynamic querying, and enhanced validation in ACLStandardRule and
    ACLExtendedRule. Aligns serializers with the generic source/destination
    model for improved flexibility and consistency.

  • Updated docstrings for clarity by replacing "&" with "and" in multiple
    view classes. Revised prefetch fields in ACLStandardRule and
    ACLExtendedRule to align with the new generic source/destination model
    changes for better consistency.

  • Introduces generic source and destination fields in GraphQL types for
    ACLStandardRule and ACLExtendedRule. Adds support for ContentType
    relationships, caching related objects, and enhanced flexibility in
    object handling. Aligns GraphQL implementation with the updated generic
    model structure for consistency.

  • Introduces ContentType filtering for generic source and destination
    fields in ACLStandardRule and ACLExtendedRule GraphQL filters. Adds
    source_type, source_id, destination_type, and destination_id fields
    to enhance filtering flexibility and alignment with generic models.

  • Replaces `source_prefix` and `destination_prefix` with generic `source`
    and `destination` fields in ACL rule tests. Updates test cases to
    include `source_type`, `source_id`, `destination_type`, and
    `destination_id` for better alignment with the updated generic model.

  • Fixes multiple instances of "availble" to "available" in docstrings for
    ACL action, rule action, type, and protocol choices. Ensures
    documentation accuracy and readability.

  • Refines field names and query attributes for source and destination
    filters. Ensures consistency with related models and improves filtering
    accuracy for aggregates, IP ranges, and IP addresses.

  • Introduces `remark`, `source_port`, and `destination_port` fields to ACL
    filtersets for enhanced filtering capabilities. Aligns with the generic
    source/destination model updates and improves flexibility in rule
    definition.

  • Adds `using(db_alias)` to queries for ACLStandardRule and
    ACLExtendedRule to ensure the correct database alias is used during
    migration. Also adjusts formatting for dependency tuples to enhance
    consistency.

pheus commented Aug 30, 2025

Status: Draft

This PR is marked as a draft because it would currently conflict with the open PR #275. Once #275 is merged into dev, I’ll rebase this branch on top of it, resolve any conflicts, and switch this PR to Ready for review.
Early feedback is still very welcome! Thank you!

  • Consolidates ACLInterfaceAssignment into a single ACLAssignment model,
    ensuring support for devices, virtual chassis, VMs, and interfaces.
    Improves validation logic by enforcing unique constraints per object
    type and direction. Also enhances maintainability by centralizing
    assignment-related logic.

    BREAKING CHANGE: Legacy ACLInterfaceAssignment is replaced with
    ACLAssignment.

  • Renames `ACLInterfaceAssignment` to `ACLAssignment` and adjusts related
    model fields and constraints. Removes legacy `assigned_object_id` and
    `assigned_object_type` fields from `AccessList`. Adds data migration for
    copying over existing host assignments to the updated model.

  • Removes tests for `assigned_object` in AccessList, aligning with the
    migration to centralized ACLAssignment. Updates tests to focus on
    ACLAssignment validation scenarios across different object types.

  • Replaces `ACLInterfaceAssignment` with `ACLAssignment` across table
    definitions. Updates associated columns to use the centralized model
    fields and modern column types from `netbox.tables`.

  • Replaces `ACLInterfaceAssignmentFilterSet` with `ACLAssignmentFilterSet`
    to align with the consolidated ACLAssignment model. Updates filtersets
    to support devices, virtual chassis, VMs, and interfaces using new
    fields. Enhances query and filter logic for improved maintainability
    and functionality.

  • Replaces `ACLInterfaceAssignmentForm` with `ACLAssignmentForm` across
    forms to align with the unified ACLAssignment model. Removes legacy
    fields and validation logic, introducing centralized validation for
    assigned objects and directions. Simplifies fieldsets and enhances
    maintainability by leveraging the consolidated model structure.

  • Replaces references to `ACLInterfaceAssignment` with `ACLAssignment` in
    templates, aligning with the unified model. Updates template structure
    to streamline assigned object display and improve maintainability.
    Removes legacy elements no longer applicable after the migration.

  • Replaces `ACLInterfaceAssignment` views with updated `ACLAssignment`
    views. Introduces unified children views for devices, interfaces, VMs,
    and virtual chassis, improving maintainability and consistency. Enhances
    tab logic and table configurations to reflect the consolidated model
    structure.

  • Replaces `ACLInterfaceAssignment` routes with `ACLAssignment` routes in
    URLs. Shortens path names for clarity and consistency with the unified
    model.

  • Replaces `ACLInterfaceAssignmentSerializer` with
    `ACLAssignmentSerializer` to align with the unified ACLAssignment model.
    Removes legacy fields and validation logic that depended on outdated
    models. Enhances maintainability by consolidating serializers under the
    updated model structure.

    BREAKING CHANGE: Legacy ACLInterfaceAssignmentSerializer is replaced
    with ACLAssignmentSerializer.

  • Renames `ACLInterfaceAssignmentViewSet` to `ACLAssignmentViewSet` and
    updates associated classes, serializers, and queryset references. Aligns
    with the unified `ACLAssignment` model for improved consistency and
    maintainability.

  • Replaces `interface-assignments` route with `assignments` to align with
    the unified `ACLAssignment` model. Enhances consistency and
    maintainability across the API by simplifying route names.

  • Renames `ACLInterfaceAssignmentFilter` to `ACLAssignmentFilter` and
    updates related imports and fields. Removes legacy fields from the
    filter and adjusts field placement for consistency with the unified
    model structure.

  • Updates GraphQL types to use the unified `ACLAssignment` model, removing
    legacy fields and adding support for additional object types like
    virtual chassis. Enhances alignment with the consolidated model
    structure for improved maintainability and consistency.

  • Updates GraphQL schema to rename `ACLInterfaceAssignmentType` to
    `ACLAssignmentType`. Adjusts related fields and lists to align with the
    unified `ACLAssignment` model. Enhances consistency and maintainability
    within the GraphQL layer.

  • Replaces `ACLInterfaceAssignment` with `ACLAssignment` in test cases for
    access lists. Removes legacy object creation for sites, devices, and
    VMs, simplifying test data setup. Enhances test maintainability by
    aligning with the unified model structure.

  • Updates navigation to use the unified `ACLAssignment` model. Replaces
    `Interface Assignments` menu items with `Assignments`, aligning with the
    consolidated model structure. Enhances consistency and maintainability
    across the plugin interface.

pheus force-pushed the 72-allow-acl-assignment-to-multiple-devices branch from b5b3d66 to 186093d on September 26, 2025 20:34