Fixed permission matrix (#1076)
Signed-off-by: Dominic Schabel <dominic.schabel@bosch.io>
This commit is contained in:
@@ -12,7 +12,9 @@ However, keep in mind that hawkBit does not offer an off the shelf authenticatio
|
|||||||
The default implementation is single user/tenant with basic auth and the logged in user is provided with all permissions. Additionally, the application properties may be configured for multiple static users; see [Multiple Users](#multiple-users) for details.
|
The default implementation is single user/tenant with basic auth and the logged in user is provided with all permissions. Additionally, the application properties may be configured for multiple static users; see [Multiple Users](#multiple-users) for details.
|
||||||
|
|
||||||
## DDI API
|
## DDI API
|
||||||
|
|
||||||
An authenticated target is permitted to:
|
An authenticated target is permitted to:
|
||||||
|
|
||||||
- retrieve commands from the server
|
- retrieve commands from the server
|
||||||
- provide feedback to the the server
|
- provide feedback to the the server
|
||||||
- download artifacts that are assigned to it
|
- download artifacts that are assigned to it
|
||||||
@@ -22,6 +24,7 @@ A target might be permitted to download artifacts without authentication (if ena
|
|||||||
## Management API and UI
|
## Management API and UI
|
||||||
|
|
||||||
### Multiple Users
|
### Multiple Users
|
||||||
|
|
||||||
hawkBit optionally supports configuring multiple static users through the application properties. In this case, the user and password Spring security properties are ignored.
|
hawkBit optionally supports configuring multiple static users through the application properties. In this case, the user and password Spring security properties are ignored.
|
||||||
An example configuration is given below.
|
An example configuration is given below.
|
||||||
|
|
||||||
@@ -42,6 +45,7 @@ An example configuration is given below.
|
|||||||
A permissions value of `ALL` will provide that user with all possible permissions. Passwords need to be specified with the used password encoder in brackets. In this example, `noop` is used as the plaintext encoder. For production use, it is recommended to use a hash function designed for passwords such as *bcrypt*. See this [blog post](https://spring.io/blog/2017/11/01/spring-security-5-0-0-rc1-released#password-storage-format) for more information on password encoders in Spring Security.
|
A permissions value of `ALL` will provide that user with all possible permissions. Passwords need to be specified with the used password encoder in brackets. In this example, `noop` is used as the plaintext encoder. For production use, it is recommended to use a hash function designed for passwords such as *bcrypt*. See this [blog post](https://spring.io/blog/2017/11/01/spring-security-5-0-0-rc1-released#password-storage-format) for more information on password encoders in Spring Security.
|
||||||
|
|
||||||
### OpenID Connect
|
### OpenID Connect
|
||||||
|
|
||||||
hawkbit supports authentication providers which use the OpenID Connect standard, an authentication layer built on top of the OAuth 2.0 protocol.
|
hawkbit supports authentication providers which use the OpenID Connect standard, an authentication layer built on top of the OAuth 2.0 protocol.
|
||||||
An example configuration is given below.
|
An example configuration is given below.
|
||||||
|
|
||||||
@@ -54,6 +58,7 @@ An example configuration is given below.
|
|||||||
spring.security.oauth2.client.provider.oidc.jwk-set-uri=https://oidc-provider/jwk-set-uri
|
spring.security.oauth2.client.provider.oidc.jwk-set-uri=https://oidc-provider/jwk-set-uri
|
||||||
|
|
||||||
### Delivered Permissions
|
### Delivered Permissions
|
||||||
|
|
||||||
- READ_/UPDATE_/CREATE_/DELETE_TARGETS for:
|
- READ_/UPDATE_/CREATE_/DELETE_TARGETS for:
|
||||||
- Target entities including metadata (that includes also the installed and assigned distribution sets)
|
- Target entities including metadata (that includes also the installed and assigned distribution sets)
|
||||||
- Target tags
|
- Target tags
|
||||||
@@ -77,18 +82,19 @@ An example configuration is given below.
|
|||||||
- TENANT_CONFIGURATION
|
- TENANT_CONFIGURATION
|
||||||
- Permission to administrate the tenant settings.
|
- Permission to administrate the tenant settings.
|
||||||
|
|
||||||
- ROLLOUT_MANAGEMENT
|
- READ_/UPDATE_/CREATE_/DELETE_/HANDLE_/APPROVE_ROLLOUT for:
|
||||||
- Permission to provision targets through rollouts.
|
- Managing rollouts and provision targets through a rollout.
|
||||||
|
|
||||||
### Permission Matrix for example uses cases that need more than one permission
|
### Permission Matrix for example uses cases that need more than one permission
|
||||||
|
|
||||||
Use Case | Needed permissions
|
Use Case | Needed permissions
|
||||||
-------------------------------------------------------------------------- | --------------------------------------------------
|
-------------------------------------------------------------------------- | ---------------------------------------------------------------------------
|
||||||
Search _targets_ by installed or assigned _distribution set_ | READ_TARGET, READ_REPOSITORY
|
Search _targets_ by installed or assigned _distribution set_ | READ_REPOSITORY, READ_TARGET
|
||||||
Assign _DS_ to a _target_ | READ_REPOSITORY, UPDATE_TARGET
|
Assign _DS_ to a _target_ | READ_REPOSITORY, UPDATE_TARGET
|
||||||
Assign DS to target through a _Rollout_, i.e. _Rollout_ creation and start | READ_REPOSITORY, UPDATE_TARGET, ROLLOUT_MANAGEMENT
|
Assign DS to target through a _Rollout_, i.e. _Rollout_ creation and start | READ_REPOSITORY, READ_TARGET, READ_ROLLOUT, CREATE_ROLLOUT, HANDLE_ROLLOUT
|
||||||
Read _Rollout_ status including its _deployment groups_ | ROLLOUT_MANAGEMENT
|
Read _Rollout_ status including its _deployment groups_ | READ_REPOSITORY, READ_ROLLOUT
|
||||||
Checks _targets_ inside _Rollout deployment group_ | READ_TARGET, ROLLOUT_MANAGEMENT
|
Checks _targets_ inside _Rollout deployment group_ | READ_REPOSITORY, READ_TARGET, READ_ROLLOUT
|
||||||
|
|
||||||
## Device Management Federation API
|
## Device Management Federation API
|
||||||
|
|
||||||
The provided _RabbitMQ_ [vhost and user](https://www.rabbitmq.com/access-control.html) should be provided with the necessary permissions to send messages to hawkBit through the exchange and receive messages from it through the specified queue.
|
The provided _RabbitMQ_ [vhost and user](https://www.rabbitmq.com/access-control.html) should be provided with the necessary permissions to send messages to hawkBit through the exchange and receive messages from it through the specified queue.
|
||||||
|
|||||||
Reference in New Issue
Block a user