The security system restricts access to certain resources for some users.

System: `security`. Introduced in v0.1.

The security system uses a simple RBAC model to define who can do what.

The first thing to do is to define a new role. By default the roles list is empty, meaning everything is restricted for everyone.
A role defines a set of rules and users. Be aware that go-home does not validate mutual exclusion and works by first match. This means that if you have two rules:

- the first grants access to resource A
- the second restricts access to resource A

the actual access is defined by the first rule, in the order the rules are unmarshaled from the config.
Roles are the authorization part. Authentication is handled by a users storage. By default the Basic Authentication storage is used.
Role fields:

| Field | Required | Type | Description |
|---|---|---|---|
| rules | yes | | List of rules for this role |
| users | yes | [string] | List of glob-based user names who have this role |

Rule fields:

| Field | Required | Type | Description |
|---|---|---|---|
| system | yes | string | System which is described by this rule |
| resources | yes | [string] | List of glob-based entities affected by this rule |
| verbs | yes | [string] | List of verbs (operations) affected by this rule |
Verbs:

- `*`: every possible operation
- `get`: read access to the entity
- `command`: the entity's command invocation
- `history`: status history read access

Systems:

- `device`: devices access
- `trigger`: triggers access. The `command` verb is obsolete for this system
- `core`: access to the helper systems. See below
This system is used to grant access to the helper APIs available in a
Those APIs are designed for system administrators and don't support
fine-grained rules.

The following verbs can be used:

- `*`: all APIs are available
- `worker`: the user will see all operating workers
- `status`: the user will see all loaded devices and their load status. Note that even if the user doesn't have access to some device, they will still see its status through this API
- `logs`: the user will see the system's logs, if the configured logger supports this
The following role defines root access to every device in the system. `user-2` will match this role:

```yaml
system: security
provider: role
name: root
rules:
  - system: device
    resources:
      - "*"
    verbs:
      - get
      - command
      - history
users:
  - user*
```
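The first-match behaviour described above is easy to get wrong when roles overlap, so here is an added example (not go-home's own code) of an evaluator that models the documented semantics: glob-based `users` and `resources`, the `*` verb, deny when no role or rule matches, and the first rule whose system and resource match deciding the outcome. The exact evaluation order in go-home is an assumption here; the `readers` role, the `user-2` principal and the device names are constructed for the example, while the `root` role is the one from the config above.

```go
package main

import (
	"fmt"
	"path"
)

// Rule mirrors the documented rule fields: a target system, glob patterns for
// the affected resources, and the verbs granted on them.
type Rule struct {
	System    string
	Resources []string
	Verbs     []string
}

// Role groups rules with the glob patterns of the users who hold it.
type Role struct {
	Name  string
	Rules []Rule
	Users []string
}

// globMatch reports whether any shell-style pattern matches name.
// An invalid pattern is treated as a non-match rather than an error.
func globMatch(patterns []string, name string) bool {
	for _, p := range patterns {
		if ok, err := path.Match(p, name); err == nil && ok {
			return true
		}
	}
	return false
}

// Allowed walks the roles in config order, skips roles the user does not hold,
// and lets the first rule whose system and resource match decide by its verb
// list (assumption: this is the "first match" the documentation refers to).
// No matching rule, or an empty roles list, means deny.
func Allowed(roles []Role, user, system, resource, verb string) bool {
	for _, role := range roles {
		if !globMatch(role.Users, user) {
			continue
		}
		for _, rule := range role.Rules {
			if rule.System != system || !globMatch(rule.Resources, resource) {
				continue
			}
			// First matching rule decides; later rules are never consulted,
			// so a broader grant further down cannot widen this result.
			for _, v := range rule.Verbs {
				if v == "*" || v == verb {
					return true
				}
			}
			return false
		}
	}
	return false
}

// SampleRoles is a constructed configuration: a hypothetical "readers" role
// listed before the documented "root" role, to show the first-match effect.
var SampleRoles = []Role{
	{
		Name:  "readers",
		Rules: []Rule{{System: "device", Resources: []string{"sensor*"}, Verbs: []string{"get"}}},
		Users: []string{"user-2"},
	},
	{
		Name:  "root",
		Rules: []Rule{{System: "device", Resources: []string{"*"}, Verbs: []string{"get", "command", "history"}}},
		Users: []string{"user*"},
	},
}

func main() {
	// user-2 holds both roles, but "readers" matches sensor-1 first and grants only get.
	fmt.Println(Allowed(SampleRoles, "user-2", "device", "sensor-1", "command"))
	// light-1 is not matched by "readers", so the root rule applies.
	fmt.Println(Allowed(SampleRoles, "user-2", "device", "light-1", "command"))
	// admin matches no user glob at all: denied by default.
	fmt.Println(Allowed(SampleRoles, "admin", "device", "light-1", "get"))
}
```

The ordering matters in both directions: move `readers` after `root` and `user-2` gains `command` on every sensor, because the root rule now matches first. This is exactly why the documentation warns that overlapping rules are not validated.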