jwt_hmac.adoc 2.6 KB

[#jwt-hmac]
= JWT with HMAC
You need to know your JWT **Cookie Name** and **Hash Secret**. Whatever tool you are using to authenticate users will probably have instructions on how to find this.
* link:https://docs.organizr.app/features/server-authentication#validating-the-token[Organizr - Under "Validating the token"]
== Adding JWT details to OliveTin config.yaml
Set up your config file so that it contains something like this:
[source,yaml]
.`config.yaml`
----
# It's often useful to turn logging to DEBUG when trying to work out authentication problems
logLevel: "INFO"
authJwtCookieName: "Organizr_token_1234..."
authJwtHmacSecret: "3l4jh23v_123!"
authJwtClaimUsername: "username"
authJwtClaimUsergroup: "usergroup"
----
Note that `authJwtCookieName` and `authJwtHmacSecret` must be set exactly as they appear in your authentication software; a secret that differs by even one character means every token fails signature validation.
== Usable claims
OliveTin currently can match Access Control Lists based on a **username** or **user group(s)**. You can check that these claims are being read correctly by turning on `DEBUG` logging and looking at the JWT claims in the log output.
If the claim named by `authJwtClaimUsergroup` is an array, ACL groups will match any of the user groups in the array.
== Setup default permissions
OliveTin assumes that guests are able to View and Execute every action by default. When you are setting up authorization you probably want to limit this. You can do that by setting `defaultPermissions` like this:
[source,yaml]
.`config.yaml`
----
logLevel: "INFO"
defaultPermissions:
  view: false
  exec: false
----
== Setup OliveTin Access Control Lists
Access Control Lists are a way to override the default permissions.
[source,yaml]
.`config.yaml`
----
logLevel: "INFO"
defaultPermissions:
  view: false
  exec: false
  logs: true
accessControlLists:
  - name: Admins
    addToEveryAction: true
    matchUsergroups:
      - Admins
    permissions:
      view: true
      exec: true
      logs: true
  - name: "Developers"
    matchUsergroups:
      - "developer"
    permissions:
      view: true
      exec: false
      logs: false
actions:
  - name: Only visible to admins
    shell: echo "I am a secret command only visible to admins"
  - name: Restart database
    shell: systemctl restart mariadb
    acls:
      - "developer"
----
In the example above, the `Admins` ACL is automatically added to every action, because `addToEveryAction` is true.
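As an added example (not OliveTin's own code), here is the check described in the JWT section and in the ACL section above, in Python: verify the HS256 signature of a cookie token against the configured secret, read the usergroup claim whether it is a string or an array, and compute the permissions the two example ACLs would give that user. The ACL merge order (later matching ACLs override earlier ones) and the `make_token` helper, which stands in for the authentication software, are assumptions.

```python
import base64, hashlib, hmac, json
# Values taken from the page's config.yaml; the secret must equal authJwtHmacSecret exactly.
HMAC_SECRET = "3l4jh23v_123!"
CLAIM_USERGROUP = "usergroup"  # authJwtClaimUsergroup
DEFAULT_PERMISSIONS = {"view": False, "exec": False, "logs": True}
ACLS = [  # the two ACLs from the example config
    {"name": "Admins", "matchUsergroups": ["Admins"], "permissions": {"view": True, "exec": True, "logs": True}},
    {"name": "Developers", "matchUsergroups": ["developer"], "permissions": {"view": True, "exec": False, "logs": False}},
]

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()
def _hs256(signing_input: str, secret: str) -> bytes:
    return hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()

def verify_hs256(token: str, secret: str):
    """Return the claims dict if the token's HS256 signature is valid, else None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        if header.get("alg") != "HS256":  # only the configured HMAC algorithm is acceptable
            return None
        expected = _hs256(f"{header_b64}.{payload_b64}", secret)
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):  # constant-time compare
            return None
        return json.loads(_b64url_decode(payload_b64))
    except ValueError:  # malformed base64 or JSON
        return None
def usergroups(claims: dict) -> list:
    """The usergroup claim may be a string or an array; normalise it to a list."""
    value = claims.get(CLAIM_USERGROUP, [])
    return [value] if isinstance(value, str) else list(value)
def effective_permissions(claims: dict) -> dict:
    """Start from defaultPermissions, then apply every ACL matching one of the user's groups."""
    perms = dict(DEFAULT_PERMISSIONS)
    for acl in ACLS:  # assumption: later matching ACLs override earlier ones
        if any(g in acl["matchUsergroups"] for g in usergroups(claims)):
            perms.update(acl["permissions"])
    return perms
def make_token(claims: dict, secret: str) -> str:
    """Constructed test token, standing in for one issued by the authentication software."""
    header_b64 = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload_b64 = _b64url_encode(json.dumps(claims).encode())
    return f"{header_b64}.{payload_b64}.{_b64url_encode(_hs256(f'{header_b64}.{payload_b64}', secret))}"
```

With `logLevel: "DEBUG"` OliveTin logs the decoded claims, so compare what `usergroups()` returns here against the log line to confirm the claim names in your config are right.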
== Customizing field names
You may need to customize the field names for your JWT authentication.
[source,yaml]
.`config.yaml`
----
authJwtClaimUsername: "username"
authJwtClaimUsergroup: "usergroup"
----