Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Static user documentation outdated #1757

Open
easybe opened this issue Jun 27, 2024 · 4 comments
Open

Static user documentation outdated #1757

easybe opened this issue Jun 27, 2024 · 4 comments
Milestone

Comments

@easybe
Copy link

easybe commented Jun 27, 2024

The static user creation as documented here does not seem to (just) work. Only the default admin user appears to have access.

By digging through the repository I noticed some rather recent refactorings (#1666) and was then able to create a second user (besides the default admin) in this manner:

"hawkbit.security.user.john.password": "{noop}password",
"hawkbit.security.user.john.tenant": "DEFAULT",

However, the user should only have the DOWNLOAD_REPOSITORY_ARTIFACT permission, for which there does not seem to be a corresponding role.

How can this currently be achieved? Some up-to-date documentation would of course be awesome...

@easybe easybe changed the title Static user creation documentation outdated Static user documentation outdated Jun 27, 2024
@avgustinmm
Copy link
Contributor

You could see the new current way to define static users at here
In short now you could use a map config where the username is the key:

hawkbit.security.user.admin.password={noop}admin
hawkbit.security.user.admin.roles=TENANT_ADMIN
hawkbit.security.user.admin.tenant=DEFAULT

hawkbit.security.user.anonymous.password={noop}admin
hawkbit.security.user.anonymous.roles=READ_REPOSITORY
hawkbit.security.user.anonymous.tenant=DEFAULT

hawkbit.security.user.operator.password={noop}admin
hawkbit.security.user.operator.roles=UPDATE_REPOSITORY
hawkbit.security.user.operator.tenant=DEFAULT

we should, sure, update the documentation. Thanks for pointing out

@avgustinmm avgustinmm added this to the 0.6.0 milestone Jun 28, 2024
@easybe
Copy link
Author

easybe commented Jun 28, 2024

Hi, thanks for the quick reply.

Unfortunately, roles=READ_REPOSITORY nor roles=DOWNLOAD_REPOSITORY_ARTIFACT (as according to the docs READ_REPOSITORY is only for metadata) does not seem to allow the user to download artifacts through .../rest/v1/softwaremodules/42/artifacts/1/download. The request will return the following response:

{
  "exceptionClass": "org.eclipse.hawkbit.repository.exception.InsufficientPermissionException",
  "errorCode": "hawkbit.server.error.insufficientpermission",
  "message": "Insufficient Permission"
}

Setting role=REPOSITORY_ADMIN works, however, these permissions are too broad for my use case.

So, assigning the permissions defined in SpPermission.java to role should work? Or does one need to add read-only roles to SpRole.java?

@avgustinmm
Copy link
Contributor

With roles you assign roles. To assign permissions you could use:

hawkbit.security.user.my_user.permissions=READ_REPOSITORY,READ_ROLLOUT

@easybe
Copy link
Author

easybe commented Jun 28, 2024

OK, hawkbit.security.user.john.permissions=READ_REPOSITORY,DOWNLOAD_REPOSITORY_ARTIFACT works. However, hawkbit.security.user.john.permissions=DOWNLOAD_REPOSITORY_ARTIFACT is unfortunately not enough for just downloading artifacts.

Anyway, that is good enough for me. Thanks for the support.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants