system: security introduced in v0.1

Security system leverages simple RBAC model to defines who can do what.

First thing to do is to define a new Role. By default roles list is empty, meaning everything is restricted for everyone.

Roles

Roles are defining set of rules and users. Be aware, go-home is not validating mutual exclusion and works by first match. Meaning, if you have two rules:

• First – grants access to resource A
• Second – restricts access to resource A

Actual access will be defined by first rule, un-marshaled from config.

Role is authorization part. Authentication is a users storage.

By default Basic Authentication storage is used.

Configuration options

Rules configuration

Rule verbs

• * – defines every possible operation
• get – defines read access to the entity
• command – defines entity’s command invocation
• history – defines status history read access

Rule systems

• device – defines devices access
• trigger – defines triggers access. command verb is obsolete for this system
• core – defines access to a helper systems. See below

Core system

This system is used to grant access to the helper APIs available in a go-home. Those APIs are designed for a system administrators and don’t support fine grained rules.

The following verbs could be used:

• * – all APIs are available
• worker – user will see all operating workers
• status – user will see all loaded devices and their load status. Please note, even if user doesn’t have access to some device, he still will see its status through this API
• logs – user will see system’s logs, if a configured logger supports this

Example

The following role defines root access to every device in the system. Any of user-1 and user-2 will match this role:

system: security
provider: role
name: root
rules:
  - system: device
    resources:
      - "*"
    verbs:
      - get
      - command
      - history
users:
  - user*