Jeremy Stretch - Leveraging the ORM to enforce object level permissions

00:31

- Hi everyone. This is Jeremy Stretch presenting

00:32

for DjangoCon 2021.

00:35

Today I'll be talking about implementing object based

00:37

permissions in Django. So let's go ahead and jump in.

00:44

First off a little bit about myself.

00:45

I am a former network engineer turned software developer.

00:48

So I originally got my start in my career in traditional

00:52

network infrastructure and engineering.

00:54

And over the past few years I've transitioned

00:55

into full-time software development.

00:58

Currently at the NS1, have been working with Django,

01:01

however, since around early 2008, I think,

01:03

when I originally had for, you know, just a personal blog.

01:08

These days though, I am probably best known

01:10

as the founder and lead maintainer of NetBox.

01:18

So what is NetBox?

01:20

It's an application for basically

01:23

modeling network infrastructure.

01:24

So if you think about traditional data center

01:27

infrastructure and IP address management,

01:29

performs all of those tasks, as well as some other roles.

01:33

It was originally conceived at DigitalOcean,

01:35

back when I was a network engineer

01:36

on the infrastructure team there,

01:39

and we released it as an open source project

01:41

under the Apache 2 license back in 2016.

01:45

So it's completely built on Django.

01:47

We've got about 70 or so complex models,

01:50

lots of relationships among them.

01:53

It's a pretty advanced application and it's gotten

01:55

really popular, especially in recent years.

01:57

If it sounds like something you're interested by all means,

01:59

check us out on GitHub.

02:04

But in developing NetBox,

02:06

we've noticed a few things about our users.

02:09

We have a very, very wide diverse user base.

02:12

Many of them have very, very large networks

02:15

to the tunes of tens or even hundreds of thousands

02:17

of nodes on a network or addresses on the network.

02:20

They also have unpredictable use cases, meaning, you know,

02:24

a financial company might use something different

02:27

than a service provider,

02:28

which would be different than, like,

02:29

higher education and so on.

02:32

So, we see wildly different use cases

02:37

among industries and different organizational sizes,

02:39

and depending on even what they're using it for.

02:42

Different organizational structures as well,

02:44

some people, some organizations out there

02:46

are a one or two person shops.

02:48

Some are huge teams running their infrastructure,

02:50

and every step along the way between those.

02:54

And so we've seen plenty of unique approaches around working

02:57

or working around limitations. So for example,

02:59

if an organization wants to model something

03:01

that NetBox doesn't support natively,

03:04

they have some clever work around sometimes

03:06

to make it do what they want it to.

03:11

This leads to some interesting challenges,

03:13

specifically around permissions.

03:15

So a couple of years back,

03:17

we started looking at, uh,

03:20

doing, seeing what we could do to provide

03:23

more robust permissions

03:24

in NetBox, beyond what Django provides natively

03:27

as a framework.

03:28

And really what the question boiled down to is just this:

03:31

It's how do we grant permissions to users

03:33

and or groups for subsets of objects

03:36

within NetBox on a dynamic basis?

03:39

Meaning we want them to apply,

03:41

we want the permissions to apply even to objects that

03:43

haven't been created yet.

03:47

So that's what I'm gonna be talking about today.

03:49

First, we'll start with a quick dive

03:51

into de Django permissions as they

03:52

exist in the framework today.

03:55

To provide some scope and context of this conversation.

03:59

If you're familiar with the acronym, triple A,

04:02

that's authentication authorization and accounting,

04:04

pretty standard term in security,

04:06

basically, we're going to be looking

04:07

at that second point right there.

04:09

So authentication is who you are.

04:10

Authorization is what you can do.

04:12

And accounting is what you did.

04:13

Permissions is pertinent to the second point is

04:16

authorization.

04:17

So we're not going to be talking about authentication

04:19

at all. Just, just the permissions framework.

04:23

The Default Permissions Backend

04:26

in Django is the ModelBackend

04:27

that's provided under cotrib.auth.backends.

04:30

Permissions are created automatically.

04:31

Every time we create a model and we get

04:34

four default permissions out of the box for each model.

04:38

Those are the,

04:39

what we'll refer to sometimes as CRUD actions being,

04:42

create, read, update, delete.

04:43

In Django vernacular those are going to be

04:45

view, add, change, and delete.

04:46

So the four basic options or operations or others

04:49

that you can do with an instance.

04:52

Permission names or follow the structure below here.

04:54

This is app label, dot, action, underscore,

04:57

name of the model.

05:00

Here's an example. We have a model called Book.

05:03

It's an application called Library.

05:05

It's got some fields on there and under the meta class,

05:07

we have permissions defined. So here we're actually,

05:09

we are defining a custom permission as well.

05:12

So Django is very flexible in that,

05:14

it lets you do this as well, pretty easily.

05:17

And the permission here is publish underscore book.

05:21

So this model will result in five

05:23

ultimate permissions being created.

05:25

Whenever you run the migration to introduce the model

05:27

within the Django application.

05:29

So you've got view book, add book,

05:31

change, book, delete book, and our custom permission,

05:34

which is published book.

05:37

When we evaluate these permissions,

05:39

if we're doing it in the view,

05:40

we're typically going to call it user dot has perm

05:42

or has perms with an S on the end

05:44

for evaluating multiple permissions within a template.

05:48

And a couple of ways we can do that.

05:49

Typically we're going to do it, perms dot

05:50

and then the permission name,

05:51

or look for the permission name

05:53

as a string within the perms context variable.

05:58

So none of this should be new.

05:59

Hopefully this is a quick refresher for folks who may

06:02

not have much use to mess

06:04

with permissions on a regular basis.

06:06

This is really, the kind of the crux of the matter,

06:09

everything we just talked about is for evaluating

06:11

permissions on a model basis. So for example,

06:13

you saw the book model, right?

06:14

And this applies to all instances,

06:16

all books that we might create in our Django application.

06:19

What if we want to enforce permissions

06:20

for a specific object?

06:23

Well, let's take a look at the has perm method.

06:26

Remember we call it user dos has perm

06:27

to evaluate that.

06:29

Within the doc string of this,

06:31

we see a note at the end.

06:33

So first off it has perm is going to just return true

06:35

if the user has the specified permission.

06:37

So I call has perm,

06:39

you know, view, underscore

06:40

or, sorry,

06:41

library dot view underscore book,

06:43

if they have that permission, it's gonna return it.

06:45

You'll note though that

06:47

the method signature has the option to pass an object

06:50

as well, but default it's going to be none.

06:52

And this line at the end

06:54

of the dock string here is kinda interesting.

06:56

So if an object is provided check permissions

06:59

for that object.

07:00

Now the documentation actually doesn't make any

07:02

mention of this.

07:03

So this is pretty interesting and encouraging.

07:05

So maybe, maybe this is already kind of built in,

07:08

let's see what we can do.

07:10

So starting from the has per method here

07:12

on the user instance,

07:13

we did a little bit of digging and it turns out

07:15

the rabbit hole goes pretty far.

07:17

The has perm method actually calls a utility function,

07:21

which references a method on the ModelBackend,

07:24

which in turn references,

07:27

a parent class of base Backend,

07:29

and it goes down a few more levels.

07:31

But ultimately what you'll find is that

07:33

it will return false, has perm, the initial method,

07:36

will return false because a ModelBackend dot get permissions

07:41

is saying, if you pass any object,

07:43

regardless of what's past there, if it's not none,

07:45

it's going to return an empty set,

07:46

because I don't know how, me being a ModelBackend is saying,

07:51

Hey, I don't know how to evaluate permissions

07:53

for a specific object. So I'm just going to say,

07:55

no, you don't have any. Right?

07:56

It's just feeling secure in that,

07:57

in that manner, which is great.

07:59

It's a good design choice. Unfortunately, it's,

08:01

not going to obviously give us anything to work with

08:04

out of the box.

08:08

All right. So what solutions are available if Django,

08:10

if it's not native in the framework?

08:13

The first package we looked at

08:15

you may be familiar with, is called django-guardian.

08:18

And it provides basically object-based permissions

08:21

through a direct assignment of objects

08:24

to specific users or groups.

08:27

So you can see from the code here,

08:28

what we're doing is basically

08:30

importing this user Object Permission.

08:32

And then we're going to assign this permission to a user

08:36

and a specific object.

08:38

And then we can evaluate that for a specific object.

08:40

And that's great. They've overridden that has perm method.

08:45

This is great if you have what I'll call

08:48

owner centric model.

08:50

So think about, like,

08:51

content management systems, blogs,

08:52

where the author of a piece of content should typically

08:55

be the owner. That's a great use case.

08:58

Unfortunately, it doesn't quite work for us

08:59

because we want to avoid those

09:00

explicit relationships just because of the scale and breadth

09:04

of which of resources that NetBox models.

09:08

It doesn't really scale for us.

09:11

Another package we looked at was django-rules.

09:14

So this is really cool in that it allows the developer

09:16

to define predicates and, and their terminology,

09:19

which can then be referenced to enforce permissions

09:23

or referenced by rules rather to enforce permissions.

09:25

So here's an example of a predicate being set,

09:28

is book author, which is basically some piece

09:31

of logic that will determine

09:33

whether or not a given user is an author of a book.

09:36

Now, obviously that's a very kind of trite example,

09:38

but you can imagine the flexibility as it forwards.

09:41

And then you have rules here that can be set and evaluated.

09:47

Tons of flexibility. Very cool.

09:49

Unfortunately it does rely on static

09:50

and predetermined rules, which weren't quite suitable

09:53

for our case, because as I alluded to earlier,

09:56

we don't really know how users

09:57

are going to use NetBox sometimes,

09:59

or how they're going to set up permissions

10:02

and what kind of assignments they're actually

10:04

going to be interested in evaluating.

10:07

So unfortunately that didn't quite work out for us either.

10:12

Can we build our own?

10:14

Nothing out there, at least I don't think

10:15

at the time suited to our needs.

10:17

So we set about trying to do it on our own.

10:20

Before we did that, we outlined some design goals.

10:23

So first off we wanted to make sure we retained

10:24

compatibility with a stock model-based permissions,

10:27

that you get out of Django and out of the box.

10:30

Second, we wanted to ensure that granting permissions

10:33

could be done based on arbitrary object attributes,

10:37

meaning we can say,

10:38

okay, you have, there's the concept of a site

10:41

in NetBox and say, you can assign users

10:44

to just have access to sites in the Europe region

10:46

or sites that have a status of active, for example.

10:50

We want to make it that

10:51

kind of to afford that degree of flexibility.

10:56

We also want to provide a user-friendly interface and an API

11:00

to make those assignments meaning that, you know,

11:02

we don't want users to have to go and edit code somewhere

11:05

to set up their rules for permission assignments.

11:07

We want that all to be done through the user interface so

11:09

that no one has to be a developer

11:11

just to assign permissions.

11:13

And finally, we want to make sure

11:14

permissions apply immediately upon changes.

11:17

And that's true in Django today.

11:21

Yeah, so we thought for some time about how best to do this.

11:26

And I think the aha moment really came about

11:28

when we realized this mechanism for filtering objects

11:31

by attributes, really already exists

11:34

in the form of the Django ORM.

11:36

That does exactly what we want.

11:37

Think about if we want to find,

11:39

if I want to find sites that are in Europe, I can do that.

11:41

I can filter by the region to which the site is assigned,

11:43

or I can filter by its status or,

11:45

or any number of other attributes.

11:47

I can traverse a related objects too.

11:50

So all that functionality is kind of there.

11:52

And we said, basically,

11:53

we just want a way to capture that flexibility of their ORM

11:57

during permissions enforcement.

12:00

So the idea was, let's declare QuerySet Filters in JSon,

12:05

and then just store them in the database.

12:06

So we're basically just storing QuerySet Filters.

12:10

Here's an example of that. So we've got JSon data there,

12:13

this is just a string at top,

12:16

we're filtering both region name, is Europe

12:19

and its status is active.

12:21

So this is a QuerySet Filter that applies the site model.

12:24

So what we're going to do is take that string,

12:26

which is just raw JSon,

12:28

load it using the loads string functionality

12:31

of the JSon library, into a dictionary called params.

12:34

This is now a Python dictionary.

12:37

Then we're going to pass that dictionary as a keyword

12:40

filters to the um, I'm sorry,

12:42

keyword arguments to the filter method

12:43

for the site objects QuerySet.

12:46

So pretty straightforward.

12:51

To do this though, we need a way to save

12:53

that JSon data in the database.

12:54

So the answer there of course, was to create a new model.

12:57

This is our ObjectPermission model,

12:59

or rather a very simplified version of it.

13:01

You can see some,

13:02

some fields that you probably would expect first off,

13:04

it has a name as a Boolean

13:06

to indicate whether or not it's enabled.

13:08

And then we have a bunch of many, too many fields.

13:10

So basically, we're mapping object types, groups

13:13

and users as many to many relationships.

13:16

And then we have an array field

13:17

on which we're

13:20

recording a set of actions that apply to this permission.

13:24

And we'll talk about that in a second.

13:25

And then finally at the bottom,

13:26

we see a JSon field called constraints.

13:28

And that is where we are in the previous example here

13:31

that the params, that's where we're saving

13:34

that in the database.

13:39

So basically this model is correlating content types

13:44

or models with users and or groups and actions.

13:49

So actions, again, going back to the view, add, change,

13:51

delete that are provided by default from Django,

13:54

and also, you can specify your custom actions if needed,

13:58

and they're stored as just an array of strings.

14:02

The constraints are optional.

14:04

If you don't provide constraints that essentially replicates

14:06

the built-in functionality of the Django permissions as they

14:08

exist today, just in a different manner.

14:11

But with constraints there,

14:12

basically we're doing a logical AND, when combining them

14:15

within an instance.

14:15

So for our previous example we had a region and status.

14:20

So it's going to be region is Europe AND status is active

14:23

because they're defined as one,

14:25

they're all defined as one set of constraints

14:27

in a specific Object Permission instance.

14:30

Whereas if we have multiple instances each

14:32

with their own constraints,

14:33

we're going to be doing a logical OR.

14:34

So if they were two different permissions,

14:36

we would say, you can, you know,

14:37

you have access to sites in Europe,

14:39

OR let's say any site that is active.

14:45

It's important to note that this model really supplants

14:47

Django's Stock Permission model.

14:49

So we're not, we're no longer using that.

14:53

And here they are side by side to give you a better idea

14:56

just of the differences.

14:57

So it's important to call out the Stock Permission model has

15:01

one instance per content type per action.

15:04

Whereas we kind of bundle all those up together

15:06

in ObjectPermission to make things

15:07

a little bit more streamlined.

15:09

Typically within NetBox, you know, we see most,

15:14

most of the right actions. So add change,

15:16

delete are all going to be bumbled together.

15:19

Not always the case, but where it is,

15:21

and that's going to be 90 plus percent of the time.

15:23

It's a little more efficient to do it in that manner.

15:25

It's also important to call out the, the groups and users,

15:28

many fields are actually on the Permission Object here,

15:31

whereas in a Stock model,

15:32

they're on the user and the group objects.

15:37

Okay. So we have our model here.

15:39

We have a way of conveying a QuerySet parameters,

15:42

or filters rather.

15:43

How do we actually apply them to a QuerySet?

15:47

So there's a few steps.

15:48

First, once we have these defined,

15:49

we're going to retrieve all of the Object Permissions

15:51

for a given user.

15:53

And we do that by filtering on both the user

15:55

or a group of which the user is a member

15:58

for the specific action that we care about.

16:00

And that double underscore contains,

16:03

is referencing the view action.

16:05

So here we care about view and of course we need

16:07

to make sure they are enabled.

16:09

That'll give us all instances of Object Permissions that

16:11

apply for this user ,

16:14

for the action that we care about.

16:18

Second, we're going to build a QuerySet,

16:20

that's filtered by all these constraints

16:21

using again, that OR logic.

16:23

So we start with a queue object and that allows us to do

16:25

complex filtering on the OR,

16:27

and basically iterate through these permissions

16:29

that we retrieved from the database

16:31

and build this constraints dictionary.

16:32

So for every constraint that we find,

16:35

every Object Permission instance, rather,

16:37

we are OR-ing its constraints.

16:39

So that all becomes this one big queue object

16:41

that we can then apply directly

16:43

to the filter method on a QuerySet.

16:45

So model the objects that filter,

16:46

and then just passing into strengths,

16:48

which again is a queue object. It's not a dictionary.

16:50

So we are just passing it directly.

16:54

Once we have that, if we need to check

16:56

for a specific object,

16:57

so that's going to give us all objects.

16:59

If we wanted to check for a specific object,

17:00

we just filter by the primary key.

17:02

So we're filtering by both primary key

17:04

and the assigned permissions.

17:05

So whether or not that primary key exists,

17:07

it's only going to return,

17:10

if the permissions actually apply to it.

17:13

So basically we can check,

17:14

we can call it dot first or dot exists to check

17:16

whether those permissions are in fact valid.

17:23

Obviously that's all a little bit unwieldy.

17:25

So we created a QuerySet manager called

17:28

RestrictedQuerySet. All this is doing is,

17:31

is providing a dot restrict method to just allow passing

17:34

the user and this desired action in when doing a query,

17:38

obviously simplifies that quite a bit.

17:41

And the permissions retrieval is actually being done

17:44

behind the scenes or it's being cashed.

17:48

Okay, so that kinda makes sense,

17:51

or hopefully it's starting to make sense.

17:53

What about user dot has perm? Right?

17:54

That's kind of where we started with all this.

17:56

What does that look like, with this implementation?

18:01

So it became apparent pretty quickly that we would need

18:03

a Custom Authentication Backend to support

18:05

the built-in permissions evaluation logic.

18:08

So what we did was extend Django's ModelBackend

18:11

meaning the name of the class and then override.

18:14

So we did two things.

18:15

First, we overrode the has perm method and we overrid

18:21

get all permissions.

18:22

And this was the one, if you remember from earlier,

18:24

this is the one that was actually responsible for returning

18:28

an empty set, whenever an object was passed.

18:30

So obviously we needed to remove, remove that check,

18:34

but yeah, the meat of it is under the has perm method.

18:39

So this method is really going to check a few things.

18:41

First off it the user's inactive,

18:43

we're going to return false.

18:45

If it's a super user we're going to return true,

18:48

then we're going to look for any model level permission

18:50

assigned to the user.

18:52

Because if you don't have a model of a level of permission,

18:54

we don't need the next step,

18:56

which is to check for the assignment

19:00

of specific constraints within those permissions.

19:04

So basically we're checking model level first,

19:06

if you don't have, for example,

19:07

if there are no permissions that will allow a user to mod-

19:11

to modify any site,

19:13

then we can go ahead and return false.

19:14

We don't have to check for the constraints.

19:16

But if we do find one or more,

19:18

then we'll go ahead and check those constraints.

19:20

It's also important to call out that

19:22

the query is being done to object state in the database.

19:25

Not in the instance.

19:30

That's the, sorry, that's the attributes

19:33

of the object being evaluated.

19:35

So if I'm looking at a site, for example, and applying this,

19:39

using this Backend for Object Permissions,

19:41

it's going to be looking at the database representation

19:43

of the site, not whatever might be instantiated

19:47

in memory at the moment.

19:51

Cool. So what about, so that's querying objects.

19:54

What about modifying them?

19:57

Queuering is fine if you just need to view obviously

19:59

or delete, because we know what deleting

20:02

will do to an object.

20:04

However, it doesn't address modifying objects.

20:06

So when we go to modify an object,

20:08

we need to look at both the pre modification,

20:10

so the initial state,

20:13

what it looks like before we'd done anything

20:15

and then we need to look at the post modification state.

20:17

So after we've made our changes check that it's still

20:20

in a permitted state.

20:23

So for example, if let's say I have access to,

20:26

I can change any active site,

20:28

but then I go to an active site and I change it to be

20:31

inactive or reserved, or, you know,

20:32

some other status,

20:34

the end condition then no longer is permitted.

20:38

So the, the stance that we've taken is basically

20:41

you can't modify an object

20:43

into a non-permitted state because obviously

20:46

then you would no longer be able to modify the object.

20:48

And that probably disagrees with the reason why you weren't

20:51

allowed to do that in the first place.

20:54

So how do we, how do we do that?

20:56

Right? Once our users change something,

20:57

how do we go and figure out whether the modified version

21:02

of that object agrees with the permissions?

21:10

The answer we came up with was to use Atomic Transactions.

21:13

So if you're not familiar just a real quick primer

21:15

on Atomic Transactions.

21:16

Basically we are going to wrap

21:18

an underlying database transaction into an atomic action.

21:22

So here we've invoked the context manager

21:25

with transaction dot atomic.

21:27

Then we're gonna obviously do some modify object in some way

21:30

and then call save on it.

21:32

And then we're looking for a specific exception

21:34

if something bad happens.

21:35

Then we can,

21:37

that transaction gets aborted.

21:40

So no change is being written to the database permanently.

21:42

And then we can handle whatever exception we need to.

21:46

This hasn't anything to do with permission specifically,

21:48

this is again, just a general primer on atomic transactions.

21:52

So the idea is you can make a,

21:53

you can make a temporary modification to the database,

21:56

run some other logic, and then if something went wrong,

21:59

go ahead and report that.

22:01

So here's how we're using Atomic Transactions

22:03

for permissions enforcement.

22:05

First, we're going to check the pre modified object state,

22:08

Right? So this is us using that restrict method

22:10

on the QuerySet.

22:11

So first we're going to find

22:14

the object.

22:15

So we're going to filter the QuerySet,

22:17

but using restrict by user and the desired action

22:21

and by primary key, and to get that object.

22:24

So if it doesn't exist, we're done.

22:25

There's no more going off from here.

22:27

But assuming we do find that valid object,

22:29

we move on to the second step.

22:31

So then we're going to modify it.

22:32

So let's say I changed the object status to something bad,

22:34

something I'm not allowed to do.

22:37

And then I try to save it within an Atomic Transaction.

22:43

After we call save, we then try that query again.

22:45

So we're making another database query to retrieve

22:48

the now modified state of that object.

22:51

So we're running the same query again and just checking

22:53

whether or not it exists. So it's a very lightweight query,

22:55

but basically we're saying if it no longer exists,

22:57

we know that whatever happened to that object during this,

23:00

during the previous step, altered some attributes to a state

23:04

that is not permitted by the assigned permissions.

23:07

So now I can just say, raise PermissionsViolation

23:10

and then in doing so undo the transaction.

23:17

This ensures that the object is no longer model,

23:19

it remains unmodified in the database.

23:21

We do use a custom exception here to avoid accidentally

23:24

catching it or catching

23:27

unrelated exceptions from, you know,

23:30

for other reasons.

23:32

We do have to wrap

23:34

and, you know, handle that exception.

23:36

So we have to do something with that exception once it's

23:38

been raised, ideally,

23:40

or depending on what you're doing specifically,

23:42

you might just raise and catch that. And then in turn,

23:45

raise PermissionDenied now for API views and so forth.

23:51

So other considerations to be, to be aware of,

23:55

we have to predict all avenues for object modification,

23:58

right? So this is pretty straightforward

23:59

when you're just looking at, like, the user interface

24:01

and traditional views that are serving a human.

24:05

But when you bring in something like

24:06

Django Rest Framework or graphing for Graph QL,

24:10

all those API views potentially provide an avenue for users

24:14

to modify objects. So all of those have to be,

24:18

diligently protected in the same manner.

24:21

As well, anywhere that, basically anywhere

24:23

you're calling safe, bulk update, etcetera,

24:25

any method that can modify the database has to be,

24:29

has to be controlled and secured in some way.

24:33

This approach does also work for bulk creating and editing,

24:36

by the way, we just, you know,

24:38

our examples have dealt with a single object,

24:40

but you can do it in bulk, just as well.

24:41

The only catches that reporting errors can be a little bit

24:45

tricky if you're trying to update ten things at once,

24:47

and then only like maybe two of the ten have,

24:51

are no longer valid for the, you know,

24:53

per the permissions policy.

24:54

It can be kind of tricky to figure out, okay, well,

24:57

how do I do it? Do I call out those specific two,

24:59

for example, or do I just say,

25:00

Hey, something you did went wrong.

25:02

Unfortunately right now we're doing the latter,

25:04

basically saying, Hey, you know,

25:05

one of those thousand objects that you,

25:08

that you just modified doesn't really doesn't really agree

25:10

with the policy. So try that again.

25:13

And the way in doing that is just using filter

25:15

and then passing any list of primary keys versus

25:17

a single primary key.

25:20

There is plenty of room for improvement, of course,

25:24

in the current implementation.

25:25

And that's something we're, we're working on today.

25:31

So as I mentioned,

25:32

we're working on basically taking our implementation

25:35

inside NetBox.

25:36

It's been, it was introduced back in NetBox two dot 10,

25:39

I believe. So about a year or so ago,

25:43

and it's been, it's been working pretty well.

25:46

Now we're actually starting to work

25:48

on extracting the implementation, kind of prettying it up

25:52

a bit and making it available as a standalone package.

25:56

So, you know, decoupling it from the NetBox

25:58

implementation into something that can stand on its own.

26:04

We're, it's still a work in progress.

26:07

We're shooting for end of 2021, early 2022.

26:11

And this is going to be available as a repo,

26:14

there you see the URL, Django object permissions

26:16

under NS1 Labs.

26:18

Any, you know, community help

26:20

with development and testing would be greatly appreciated.

26:23

We're pretty excited to have this split out from NetBox

26:26

and to be able to make it accessible for the, you know,

26:28

the greater Django community.

26:32

So if you're interested in doing that by all means,

26:34

you know, check it out and stop by, help us test it,

26:37

document it.

26:38

Anything else you think should be addressed or however

26:41

we can extend it to make it more usable,

26:43

more durable is obviously

26:45

of great interest to us.

26:49

So if you're interested, please check us out.

26:52

All right. With that said,

26:53

that should be wrapping up the talk.

26:55

Again my name is Jeremy Stretch.

26:57

Thank you everyone so much for attending

26:59

my virtual presentation.

27:01

I really appreciate it. I'll be available in chat

27:03

and I think a few other avenues here to answer questions,

27:07

any follow up questions, or again,

27:09

you can always just catch me on Twitter or Slack

27:12

and I'll see you around. Thanks again.