example_some_admin_actions.adoc 3.2 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596
  1. = Example: Some actions require admin
  2. A common use case for OliveTin with security is to expose some actions to guests, and have some actions that require login to be able to use. This page brings together the configuration options that are needed to achieve this.
  3. == How ACL permissions work
  4. OliveTin ACLs are *allow lists*, not deny lists. Each action starts with `defaultPermissions`, and then any ACLs listed on that action can *grant* access for matching users. An ACL with `view: false` does not deny access — it simply does not grant it. If no relevant ACL grants a permission, OliveTin falls back to `defaultPermissions`.
  5. The default `defaultPermissions` allow guests to view and execute every action. To restrict some actions to logged-in admins while leaving others open to guests, set `defaultPermissions` to deny access by default, then use ACLs to explicitly grant access on each action.
  6. See xref:security/acl.adoc[Access Control Lists] for the full ACL reference.
  7. == Full example configuration
  8. ```yaml
  9. logLevel: "INFO"
  10. defaultPermissions:
  11. view: false
  12. exec: false
  13. logs: false
  14. accessControlLists:
  15. - name: "guests"
  16. permissions:
  17. view: true
  18. exec: true
  19. logs: false
  20. matchUsernames: [ "guest" ]
  21. - name: "admins"
  22. permissions:
  23. view: true
  24. exec: true
  25. logs: true
  26. matchUsergroups: [ "admins" ]
  27. authLocalUsers:
  28. enabled: true
  29. users:
  30. - username: "admin"
  31. usergroup: admins
  32. password: -- your password hash here --
  33. actions:
  34. - title: "Date"
  35. shell: date
  36. acls:
  37. - "guests"
  38. - title: "Reboot"
  39. shell: reboot # Note that this won't work inside a container
  40. acls:
  41. - "admins"
  42. dashboards:
  43. - title: "Guest Dashboard"
  44. contents:
  45. - title: "Date"
  46. - title: "Admin Dashboard"
  47. contents:
  48. - title: "Reboot"
  49. ```
  50. Note, to use this configuration, you will need to replace `-- your password hash here --` with a password hash. You can generate a password hash by looking at the options in the xref:security/local.adoc[local-users] configuration section.
  51. With this configuration:
  52. * Guests (not logged in) can view and run the *Date* action only.
  53. * Logged-in users in the `admins` usergroup can view and run the *Reboot* action.
  54. * Guests are not forced to log in — they simply do not see or cannot run actions that only list the `admins` ACL.
  55. == Common mistake: using a deny ACL for guests
  56. A configuration like the one below does *not* work as a deny rule when guests are allowed to browse without logging in:
  57. [source,yaml]
  58. ----
  59. accessControlLists:
  60. - name: "noguests"
  61. permissions:
  62. view: false
  63. exec: false
  64. matchUsernames: [ "guest" ]
  65. actions:
  66. - title: "Reboot"
  67. acls:
  68. - "noguests"
  69. - "admins"
  70. ----
  71. Because `view: false` does not deny access, guests still fall back to `defaultPermissions` (which default to `true`) and can see the action. Setting `authRequireGuestsToLogin: true` makes that pattern appear to work, but only because it forces all guests to log in first and sets all `defaultPermissions` to `false`. If you need mixed guest and admin access without forcing login, use the allow-list pattern in the full example above instead.
  72. If you want *every* action to require login, see xref:security/example_login_required.adoc[Example: Force Login].