API / UI permissions
- [X] I have read the contributing guidelines at https://github.com/opnsense/core/blob/master/CONTRIBUTING.md
- [X] I am convinced that my issue is new after having checked both open and closed issues at
Is your feature request related to a problem? Please describe.
Access to user interface pages and API endpoints can be configured by user / group in a "True / False" manner as of today. While it is nice, it isn't fine grained at all. Example:
- Create an OpenVPN server
- Prepare the client export page
- Make the vpn status and the client export page accessible to users / groups
Users can disconnect any VPN connected client if they are allowed to see the vpn status page. Users can modify the client export page, which stores last set settings, so next user will see last user's settings.
That's just an example of why the "True / False" permission schema could be improved.
Describe the solution you like
It would be very useful to have Read/Write style permissions, so users can see VPN statuses or export their VPN config, without being able to modify settings. Of course this applies everywhere in the UI ;)
Describe alternatives you considered
^^
Additional context
Not sure if so, but since the GUI is being rewritten into MVCr, perhaps it's the right moment to add permissions.
Highly unlikely to mature as this is quite application specific. In some cases it is practical to offer additional fine grained control (like we do for OPNcentral for example), for example to offer user exportable tokens, but is not a pattern you can store in any of the (existing) ACL patterns. Constraining on endpoints is usually enough, but currently there is no pluggable way to generate these dynamically (which also has disadvantages, we used this in earlier projects, and would still be very application specific).
If you're looking for the possibilities of the MVC framework (in which components are being rewritten), best check our documentation https://docs.opnsense.org/develop.html
Sorry, not a PHP developer, so I cannot give any framework specific input here.
I initially thought of a very simple permission system, e.g. Read = GET, Write = POST / PUT / PATCH / DELETE, which could be enforced somewhere centrally like at the router level (as in http router of course) without modifying too much code.
But it probably isn't that simple. Perhaps POST verbs are also used for getting info? Sorry if I make any bold and false assumptions.
The current method is way more fine grained than offering access on the http method type, in practice all information requests use "get" and updates use "set". Offering access to part of the data is the only thing that you just can't generalize as it depends on component scope.
When looking for information about our ACL system, best read https://docs.opnsense.org/development/components/acl.html first. I don't think we need anything else here as in most cases the endpoints themselves are pretty descriptive.
For example, the crud matrix for openvpn:
https://github.com/opnsense/core/blob/54d98085c2a5bda8fb773374a75897de88fe9d44/src/opnsense/mvc/app/views/OPNsense/OpenVPN/instances.volt#L30-L37
Additionally storing that /api/openvpn/instances/del should only allow DELETE would be kind of duplicate... (which is also the reason why we didn't implement other methods than GET/POST on our end even though it might optically look slightly better)
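The idea discussed above, that a read-only role can be expressed by which endpoint patterns a privilege lists rather than by HTTP method, as an added sketch (not OPNsense code and not from the thread). The privilege names, the `search` action, the `ui/` pattern and the shell-style wildcard matching are assumptions; only `/api/openvpn/instances/del` and the get/set naming come from the discussion.

```python
from fnmatch import fnmatchcase

# Constructed privileges for illustration; names and pattern lists are assumptions.
PRIVILEGES = {
    "openvpn-instances-read": [
        "ui/openvpn/instances",
        "api/openvpn/instances/search*",
        "api/openvpn/instances/get*",
    ],
    "openvpn-instances-full": [
        "ui/openvpn/instances",
        "api/openvpn/instances/*",
    ],
}

def normalize(path):
    """Return the path without query string or outer slashes, or None if it
    contains empty, dot or percent-encoded segments that could sidestep a pattern."""
    path = path.split("?", 1)[0].strip("/")
    if "%" in path or any(s in ("", ".", "..") for s in path.split("/")):
        return None
    return path

def is_allowed(granted, path):
    """Default deny: allow only if a pattern of a granted privilege matches."""
    target = normalize(path)
    if target is None:
        return False
    return any(
        fnmatchcase(target, pattern)
        for privilege in granted
        for pattern in PRIVILEGES.get(privilege, ())
    )

def crud_matrix(granted, base="/api/openvpn/instances"):
    """Show which actions of one controller a set of privileges can reach."""
    actions = ("search", "get", "set", "add", "del")
    return {a: is_allowed(granted, f"{base}/{a}/example-uuid") for a in actions}

if __name__ == "__main__":
    for role in PRIVILEGES:
        print(role, crud_matrix([role]))
```

The read privilege reaches only the actions it names, so a request to the `del` endpoint is refused whatever HTTP method carries it.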
This issue has been automatically timed-out (after 180 days of inactivity).
For more information about the policies for this repository, please read https://github.com/opnsense/core/blob/master/CONTRIBUTING.md for further details.
If someone wants to step up and work on this issue, just let us know, so we can reopen the issue and assign an owner to it.