local.adoc 3.8 KB

[#local-users]
= Local Users Login

OliveTin supports basic local users, defined with a username and password in the config.yaml file. This can be used when you do not want to use a full authentication system like LDAP, OAuth2 or a Reverse Proxy.

== Define a user

include::partial$config-start.adoc[]
----
authLocalUsers:
  enabled: true
  users:
    - username: james
      password: $argon2id$v=19$m=65536,t=4,p=6$LnNW4sw+jZfa5Ex3YjfuHQ$vl8pjUJhxNmBxScV4lI3cgAZPkNB1rSrnX6ibgoAP8k
----

== Define users with a user group

OliveTin local users do not need to be part of a user group; unless a `usergroup` is set, a user is not in any group. If you want to add a user to a user group, you can do so like this:

include::partial$config-start.adoc[]
----
authLocalUsers:
  enabled: true
  users:
    - username: alice
      usergroup: admins
      password: $argon2id$v=19$m=65536,t=4,p=6$LnNW4sw+jZfa5Ex3YjfuHQ$vl8pjUJhxNmBxScV4lI3cgAZPkNB1rSrnX6ibgoAP8k
    - username: bob
      password: ...
      usergroup: admins
    - username: charlie
      password: ...
      usergroup: webmasters
----
== Get an Argon2id hashed password

You will notice from the configuration examples above that the password is hashed using Argon2id. You can use any of the following methods to generate an Argon2id hashed password:

=== Option A - Using OliveTin API

You can see from the example above that the config contains a single user called *james*, and the password is hashed using Argon2id. OliveTin provides a utility API to hash passwords using Argon2id, which is useful when you want to create new users. Simply run the following curl command to hash a password:

```bash
curl -sS --json '{"password": "myPassword"}' http://olivetin.example.com:1337/api/PasswordHash
```

NOTE: Curl 7.82 added support for the `--json` option. If you are using an older version of curl, see link:https://github.com/OliveTin/OliveTin/issues/462[this issue].

This will return an output like the following; you can then copy and paste this hash into your config.yaml file:

```
Your password hash is: $argon2id$v=19$m=65536,t=4,p=6$dlWTV1RL04/Nuvxzl94NAg$KsYXvCFE2Eu/jkXi/dbbZM3I/2b2VByTAwRIenUwdJk
```

=== Option B - Using the `argon2` command line tool

You can also easily hash the password using the `argon2` package:

```bash
echo -n "myPassword" | argon2 "$(openssl rand -base64 16)" -id -t 4 -m 16 -p 6 -l 32 -e
```

=== Option C - Using the `hash` docker image

Or using the link:https://hub.docker.com/r/leplusorg/hash[hash] docker image:

```bash
docker run --rm -i --net=none leplusorg/hash sh -c 'echo -n "myPassword" | argon2 "$(openssl rand -base64 16)" -id -t 4 -m 16 -p 6 -l 32 -e'
```

Then simply visit the OliveTin web interface and browse to the login page, e.g. http://olivetin.example.com:1337/login

=== Why does OliveTin use Argon2id?

Argon2id is the password hashing algorithm that is link:https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html[recommended by OWASP] as of October 2024. There doesn't seem to be a good reason yet to provide configuration options for changing the password hashing algorithm, but if you have a good reason, please open an issue on the GitHub repository.
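As an added example (not part of the OliveTin docs or code base), this Python script parses the PHC-encoded Argon2id string that either method above produces and checks, before you paste it into config.yaml, that it is complete (a common copy-and-paste error is a truncated tag) and that its parameters are not below OWASP's published floor. The floor values (m=19456 KiB, t=2) are taken from the OWASP cheat sheet linked above, and stripping the `Your password hash is:` prefix is based on the API output shown above; both are assumptions of this example.

```python
import base64
import re

# PHC-style string emitted by `argon2 ... -e` and by /api/PasswordHash:
#   $argon2id$v=19$m=<KiB>,t=<passes>,p=<lanes>$<salt b64>$<tag b64>
PHC_RE = re.compile(
    r"\$(?P<variant>argon2(?:id|i|d))\$v=(?P<version>\d+)\$m=(?P<m>\d+),t=(?P<t>\d+),p=(?P<p>\d+)"
    r"\$(?P<salt>[A-Za-z0-9+/]+)\$(?P<tag>[A-Za-z0-9+/]+)"
)
# Floors taken (assumption) from OWASP's first recommended Argon2id setting, m=19456 KiB, t=2, p=1;
# the page's own examples use the stronger m=65536, t=4, p=6.
MIN_MEMORY_KIB, MIN_PASSES, MIN_SALT_BYTES, TAG_BYTES = 19456, 2, 16, 32

def _b64decode_nopad(s: str) -> bytes:
    # Argon2 encodes salt and tag as standard base64 with the padding stripped.
    return base64.b64decode(s + "=" * (-len(s) % 4))

def parse_hash(encoded: str) -> dict:
    """Parse a PHC Argon2 string; the API's 'Your password hash is:' prefix is tolerated."""
    encoded = encoded.strip().removeprefix("Your password hash is:").strip()
    m = PHC_RE.fullmatch(encoded)
    if not m:
        raise ValueError("not a PHC-formatted Argon2 hash")
    return {"variant": m["variant"], "version": int(m["version"]), "m": int(m["m"]),
            "t": int(m["t"]), "p": int(m["p"]),
            "salt": _b64decode_nopad(m["salt"]), "tag": _b64decode_nopad(m["tag"])}

def check_hash(encoded: str) -> list[str]:
    """Return the problems found with a config.yaml password hash; [] means it is acceptable."""
    try:
        p = parse_hash(encoded)
    except ValueError as exc:
        return [str(exc)]
    rules = [
        (p["variant"] == "argon2id", f"variant is {p['variant']}, expected argon2id"),
        (p["version"] == 19, f"unexpected Argon2 version {p['version']}"),
        (p["m"] >= MIN_MEMORY_KIB, f"m={p['m']} KiB is below {MIN_MEMORY_KIB}"),
        (p["t"] >= MIN_PASSES, f"t={p['t']} is below {MIN_PASSES}"),
        (p["p"] >= 1, "p must be at least 1"),
        (len(p["salt"]) >= MIN_SALT_BYTES, f"salt is {len(p['salt'])} bytes, want at least {MIN_SALT_BYTES}"),
        (len(p["tag"]) == TAG_BYTES, f"tag is {len(p['tag'])} bytes, expected {TAG_BYTES} (truncated paste?)"),
    ]
    return [msg for ok, msg in rules if not ok]

if __name__ == "__main__":
    # Constructed input: the hash from the config example above, as pasted from the API output.
    print(check_hash("Your password hash is: $argon2id$v=19$m=65536,t=4,p=6$"
                     "LnNW4sw+jZfa5Ex3YjfuHQ$vl8pjUJhxNmBxScV4lI3cgAZPkNB1rSrnX6ibgoAP8k"))
```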
== Force login page

If you don't want to allow guests to do anything in OliveTin, you can use the `authRequireGuestsToLogin` option to force all users to log in before they do anything. This will redirect all users to the login page if they are not logged in, and it will also set `defaultPermissions` to `false`, meaning that permissions must be explicitly set for each user or user group.

include::partial$config-start.adoc[]
----
authRequireGuestsToLogin: true
authLocalUsers:
  enabled: true
  users:
    - username: james
      password: $argon2id$v=19$m=65536,t=4,p=6$LnNW4sw+jZfa5Ex3YjfuHQ$vl8pjUJhxNmBxScV4lI3cgAZPkNB1rSrnX6ibgoAP8k
----