
Static user documentation outdated

Open easybe opened this issue 1 year ago • 4 comments

The static user creation as documented here does not seem to (just) work. Only the default admin user appears to have access.

By digging through the repository I noticed some rather recent refactorings (#1666) and was then able to create a second user (besides the default admin) in this manner:

"hawkbit.security.user.john.password": "{noop}password",
"hawkbit.security.user.john.tenant": "DEFAULT",

However, the user should only have the DOWNLOAD_REPOSITORY_ARTIFACT permission, for which there does not seem to be a corresponding role.

How can this currently be achieved? Some up-to-date documentation would of course be awesome...

easybe, Jun 27 '24 19:06

You can see the new current way to define static users here. In short, you can now use a map config where the username is the key:

hawkbit.security.user.admin.password={noop}admin
hawkbit.security.user.admin.roles=TENANT_ADMIN
hawkbit.security.user.admin.tenant=DEFAULT

hawkbit.security.user.anonymous.password={noop}admin
hawkbit.security.user.anonymous.roles=READ_REPOSITORY
hawkbit.security.user.anonymous.tenant=DEFAULT

hawkbit.security.user.operator.password={noop}admin
hawkbit.security.user.operator.roles=UPDATE_REPOSITORY
hawkbit.security.user.operator.tenant=DEFAULT

We should, sure, update the documentation. Thanks for pointing it out.

avgustinmm, Jun 28 '24 13:06

Hi, thanks for the quick reply.

Unfortunately, neither roles=READ_REPOSITORY nor roles=DOWNLOAD_REPOSITORY_ARTIFACT (as, according to the docs, READ_REPOSITORY is only for metadata) seems to allow the user to download artifacts through .../rest/v1/softwaremodules/42/artifacts/1/download. The request returns the following response:

{
  "exceptionClass": "org.eclipse.hawkbit.repository.exception.InsufficientPermissionException",
  "errorCode": "hawkbit.server.error.insufficientpermission",
  "message": "Insufficient Permission"
}

Setting role=REPOSITORY_ADMIN works; however, these permissions are too broad for my use case.

So, assigning the permissions defined in SpPermission.java to role should work? Or does one need to add read-only roles to SpRole.java?

easybe, Jun 28 '24 14:06

With roles you assign roles. To assign permissions you could use:

hawkbit.security.user.my_user.permissions=READ_REPOSITORY,READ_ROLLOUT

avgustinmm, Jun 28 '24 14:06

OK, hawkbit.security.user.john.permissions=READ_REPOSITORY,DOWNLOAD_REPOSITORY_ARTIFACT works. However, hawkbit.security.user.john.permissions=DOWNLOAD_REPOSITORY_ARTIFACT is unfortunately not enough for just downloading artifacts.

Anyway, that is good enough for me. Thanks for the support.

easybe, Jun 28 '24 14:06
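As an added example (not part of the thread and not hawkBit code), this Python check groups the `hawkbit.security.user.<name>.*` properties discussed above per user and flags `{noop}` plaintext passwords, the admin roles named in the thread, and users with no explicit grants. The sample file is constructed, and the `{bcrypt}` entry assumes the server accepts Spring Security's delegating-encoder prefixes.

```python
import re
from collections import defaultdict

# Constructed sample in the property format used in the thread.
# Assumption: a {bcrypt}-prefixed hash is accepted; the hash is a placeholder.
SAMPLE = """\
# static users
hawkbit.security.user.admin.password={noop}admin
hawkbit.security.user.admin.roles=TENANT_ADMIN
hawkbit.security.user.admin.tenant=DEFAULT
hawkbit.security.user.john.password={bcrypt}<hash-placeholder>
hawkbit.security.user.john.permissions=READ_REPOSITORY,DOWNLOAD_REPOSITORY_ARTIFACT
hawkbit.security.user.john.tenant=DEFAULT
"""

KEY = re.compile(r"^hawkbit\.security\.user\.([^.=\s]+)\."
                 r"(password|roles|permissions|tenant)\s*[=:]\s*(.*)$")
# Roles the thread names as admin-level; extend for your deployment.
BROAD_ROLES = {"TENANT_ADMIN", "REPOSITORY_ADMIN"}

def parse_users(text):
    """Group static-user properties by username."""
    users = defaultdict(dict)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):  # blank or comment
            continue
        m = KEY.match(line)
        if m:
            name, field, value = m.groups()
            users[name][field] = value.strip()
    return dict(users)

def _csv(value):
    return {v.strip() for v in value.split(",") if v.strip()}

def audit(text):
    """Return (user, finding) pairs for settings worth a review."""
    findings = []
    for name, cfg in sorted(parse_users(text).items()):
        if cfg.get("password", "").startswith("{noop}"):
            findings.append((name, "plaintext-password"))
        roles, perms = _csv(cfg.get("roles", "")), _csv(cfg.get("permissions", ""))
        broad = roles & BROAD_ROLES
        if broad:
            findings.append((name, "broad-role:" + ",".join(sorted(broad))))
        if not roles and not perms:
            findings.append((name, "no-explicit-grants"))
    return findings

if __name__ == "__main__":
    for user, finding in audit(SAMPLE):
        print(f"{user}: {finding}")
```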