zero-ui
feat: LDAP for User Authentication and Roles
LDAP as an authentication backend / SAML would be great. Roles could be user (only view), admin (add or delete networks they create) and su-admin (manage any network on the controller). Such features would be great for people who have more than one user per controller.
OAuth is a better integration; however, implementing plain old LDAP is much easier than going the OAuth route (like what WordPress has: a separate simple LDAP plugin + a separate OAuth plugin).
LDAP works better in a totally self-hosted local environment.
Just piggybacking on this, is there now user management currently? I can't see anything outwardly.
It would be a little hack, but using #59, you could limit the /api depending on the role to request methods.
In detail, introduce multiple auth middlewares with different scopes for the API:
```
"traefik.http.routers.zt-noauth.rule=Host(`zt.example.com`) && PathPrefix(`/api/`)"
```
e.g.
- role: admin, http request methods: GET, POST
- role: moderator, http request methods: GET
For Traefik, perhaps: https://doc.traefik.io/traefik/middlewares/http/headers/#cors-headers
This could also be extended further to certain network IDs, e.g. api/network/CERTAIN_NETWORK_ID/member
Another idea would be to limit zero-ui to admins and just create a simple static website which queries the network information - or @dec0dOS introduces a /static read-only route for this use case :)
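The role-to-method scheme from the comment above, written as the decision function an auth service sitting behind the reverse proxy could call (an added example, not part of the thread or of zero-ui). The function name, the per-role network list and the sample network IDs are assumptions; only the admin/moderator method table and the `/api/network/<id>/member` path shape come from the comment.

```python
import posixpath
import re
from urllib.parse import unquote, urlsplit

# Role-to-method table taken from the comment above.
ROLE_METHODS = {"admin": {"GET", "POST"}, "moderator": {"GET"}}

# Assumption: network IDs are 16 hex digits, as in ZeroTier.
NETWORK_RE = re.compile(r"^/api/network/([0-9a-f]{16})(/.*)?$")


def is_allowed(role, method, uri, allowed_networks=None):
    """Decide whether a request may be forwarded to the /api/ backend.

    allowed_networks=None means the role is not restricted to specific
    networks; otherwise it is the set of network IDs the caller may touch.
    """
    methods = ROLE_METHODS.get(role)
    if methods is None or method.upper() not in methods:
        return False  # unknown role, or method outside the role's scope

    # Decode once, then refuse anything still carrying an escape, so a
    # double-encoded "%252e%252e" cannot be resolved later by the backend.
    raw_path = unquote(urlsplit(uri).path)
    if "%" in raw_path:
        return False

    # Collapse "." and ".." before matching, so the path that is checked
    # is the path that gets routed. Lower-case for ID comparison.
    path = posixpath.normpath(raw_path).lower()
    if path != "/api" and not path.startswith("/api/"):
        return False

    if allowed_networks is None:
        return True
    match = NETWORK_RE.match(path)
    # Scoped callers may only reach paths under a network they were granted.
    return bool(match) and match.group(1) in allowed_networks
```

The check fails closed: an unknown role, an unexpected method, or a path that does not normalise to something under `/api/` is denied rather than passed through.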
You can disable authentication and have zero-ui be protected by the reverse proxy which implements LDAP or OpenID or whatever.
Users are still required so that each can have their own set of networks, rules and capabilities.