New Internal Auth

[zsfscode]

Question

Maybe, I am in wrong way. I tried the 1.7.0 with new authentication system.
I expected that from the following settings will deny any users from any action, except myuser with read.
But I can open via RTSP streams with any users or without users, like: rtsp://fake:[email protected]/my_stream
The former rtsp parameters readUser, readPass also ignored.
Where my mistaque?

authMethod: internal

- user: any
  pass:
  ips: ['127.0.0.1', '::1']
  permissions:
  - action: api
  - action: metrics
  - action: pprof

- user: myuser
  pass: mypass
  ips: []
  permissions:
  - action: read
    path:

....

  my_stream:
    source: "rtsp://user:pass@ipcam:554/main"
    rtspTransport: tcp

[zsfscode]

I tried again and again, but all case I can auth with any fake user.
Somebody can share with me a working internal authentication settings? Without "anonymous" user.

[zsfscode]

with 1.8.1, with the following authentication settings, I can connect with any user and any password or without users! Also with rtsp, hls, webrtc.

why?

The auth section:

authMethod: internal

authInternalUsers:
- user: myuser
  pass: mypass
  ips: []
  permissions:
  - action: read
    path:
  - action: playback
    path:

- user: any
  pass:
  ips: ['127.0.0.1', '::1']
  permissions:
  - action: api
  - action: metrics
  - action: pprof

[zsfscode]

Yeeeh, from one side is was my configuration mistaque, the other side is a unhandled/unlogged configuration mistaqe.

If you "forgot" remove some line in the configuration, from pre 1.6 (old auth system), will be ignored the all Internal authentication settings and paths can be get without any auth method.

The infected:

...
authMethod: internal

authInternalUsers:
- user: myuser
  pass: mypass
  ips: []
  permissions:
  - action: read
    path:

- user: any
  pass:
  ips: ['127.0.0.1', '::1']
  permissions:
  - action: api
  - action: metrics
  - action: pprof
  - action: publish

...
paths:
  test:
    runOnInit: /usr/local/bin/transcode.py ident_test
           'videotestsrc pattern=zone-plate kx2=20 ky2=20 kt=1 horizontal-speed=2 !
           video/x-raw, framerate=30/1, format=(string)I420, width=128, height=72 !
           nvvidconv !
           nvv4l2h264enc bitrate=80000 control-rate=1 !
           video/x-h264 ,level=(string)4 !
           identity name="ident_test" !
           queue ! rtspclientsink location=rtsp://127.0.0.1:8554/test latency=0'

    runOnInitRestart: yes
    publishIPs: [127.0.0.1]

  all_others:

If you commented out the " publishIPs", will be work the auth system:

#    publishIPs: [127.0.0.1]

[aler9]

If you "forgot" remove some line in the configuration, from pre 1.6 (old auth system), will be ignored the all Internal authentication settings and paths can be get without any auth method.

exactly, we are trying to improve support for these kind of intermediate scenarios but there are still some issues.

[zsfscode]

The time will be solve all migration problem :)
One log line, like 'Something is wrong... auth system ignored.", will be great.

Thx

[aler9]

@zsfscode after some investigation it turned out that the situation you mentioned (paths can be get without any auth method) happens when the legacy authentication mechanism is mixed with the new one, for instance when you set a read permission inside authInternalUsers and a publish IP inside publishIPs. This is now prevented by #3460

[gj357d]

How i do multiple users like #490 with new internal auth for individual paths?