Add Role Based Access Control [RBAC] #3305
Comments
|
@openhab/core-maintainers Would you please add this to the project list for openHAB 4.0. |
|
Could add it myself ;-) |
hmerk
changed the title
|
@hmerk while not being a core contributor I might be able to work on this in my spare time based on earlier work I did with Open Smart House. I outlined some of concepts in forums https://community.openhab.org/t/rbac-model-in-openhab-and-potential-security-vulnerability-found/136419/4. They are based on initial implementation of eclipse-archived/smarthome#6034 which covered first step of design made under eclipse-archived/smarthome#579. Long story short - we got authentication API which was adjusted/stripped for openHAB 3.0, we never reached step 2 which would involve wider support for user roles and permissions. |
|
@splatch |
|
@hmerk I could argue on some of statements made there, ie.:
;-) |
|
@splatch Sorry, i might have been a bit unclear. So under the bottom line, I only wanted to prevent anyone from double work... |
|
Going over code made by @gennartn I found several troubles. There are multiple commits, including merges, which make moving it into current code base troublesome as we would need to make a "back merge" changes which are started on 3.2.x state of auth packages and UI. Both core and ui moved forward since then. I attempted to rebase/squash commits but its not going straight as there are conflicting changes between commits. Aside of above there are some more troubles I see:
Given the community inquiries about support for external oauth authentication, support for LDAP going forward with proposed way will not solve any of troubles we ended with after Eclipse SmartHome migration and will add more places to work with with eventual introduction of external authentication support for openHAB. Even if we do not wish to follow the whishlist then there is an issue of stronger authentication which is based ie. on client certificate - this will not be possible as well, because whole code right now does rely on user/password auth and does not leave any space for extension. My proposal of workflow is following:
Above steps will permit to switch authentication mechanism based on installed features and runtime configuration (possible to control using service configuration in OH webui) and also introduce a authorization logic which could be unified independently of user authentication source. |
|
@splatch As you offered to help with this issue, did you make any progress ? |
|
I have not touched openHAB side due to awaiting of publication of trademark policies which happened just few days ago. |
|
Hey folks, I apologize in advance, I am long winded... I've been looking into this since about this time last year, gennartn did not complete the implementation and as @splatch noted there are challenges with bringing it up to date. I did most the work in my own fork (I accidentally PR'd to this repository this past week). I have the work in my 4.1.X-RBAC branch that I cherry picked their work in and resolved issues as I found them. However, the UI remains incomplete, leading me to consider whether this feature might be better suited as a plugin. Initially, I worked on this for a project with friends that has since fallen through. Still, I’d love to see OpenHAB support local businesses like bars and shops, which I think could benefit from enhanced authorization features. Would it be feasible to develop a plugin that extends and re-registers the service UserRegistryImpl to introduce roles and permissions? This way, home users can maintain simplicity while those needing advanced features can opt-in by installing the plugin. I believe gennartn's work/thesis provides a starting point. |
|
Thanks @straiforos to bringing this back to life. |
|
Will do! Wow 5 already! Time flies. |
The core RBAC functionality, i.e. the parts securing Item access etc., need to be core, as well as the UI for creating and managing users/roles needs to be part of Main UI. Once core APIs are in place, I can help with the Main UI part.
I would have this roles and permissions stuff part of core, but with a default config that matches the status quo. I don’t think it is reasonable to effectively override a core service. |
Thank you for the thoughtful and informative response, ruling out a plugin architecture. I am excited to begin prototyping RBAC, personally I've worked on systems that use roles but use them as a collection of privileges/permissions, giving flexibility to developers and implementations to add roles and privileges that are more flexible, capturing the status quo will be the fun part. Privilege collections IMO would allow plugins to add to known roles supporting the current functionality while baking in security checks as it becomes a fundamental to the core of the application. I would be curious your thoughts on that kind of approach. Right now we have a user and admin role if I am not mistaken. |
|
At the moment we only have the user and admin roles, correct.
With these changes alone, it would be possible to have one admin taking care of a openHAB installation for a building with multiple flats, and create UI pages for the individual users (already possible) and groups (not yet possible) and very importantly limit access to Items through the REST API (currently, permissions only apply to page visibility, but the REST API allows full access to all Items, so this is no security feature). The last step is what I have implemented with an external proxy and which has been picked up by others once I archived it, see https://community.openhab.org/t/detailed-access-control-and-user-management-by-reverse-proxy-it-works/66450/23?u=florian-h05. In a second step I could imagine having an additional role to allow non-admin users to design UI pages. Your proposal sounds interesting, but I currently cannot imagine the use case for it. Can you please elaborate a bit more? |
|
Thanks again for the response, User groups is something I should consider for sure, I was not considering that idea originally. My thoughts are aside from item access the functionality for adding, deleting, and editing items is something I would want. Maybe I want a user to be able to add items and not remove them or not be able to add them but edit them for configuration updates, say they are on a phone call with support for that flat/retail space. Granular permissions would allow for dynamic use cases and if you want the simpler out of the box change nothing but once you want to make more fine grained roles beyond admin and user you could change the default behavior in your instance to have IT admins with separate responsibilities like plugin installation but not item configuration. Allowing for more fine grain management and oversight of an instance in say a hotel. A managed software company could own the IT admin and allow plugins and managers/handymen can access item addition and removal. Thats kinda my thought process how used in practice would it be, I am not sure. My ambition is to essentially make a local business that sells managed IT deployment of OpenHAB to hotels, venues etc that would want a level of confidence in the fine grain controls and various implementations of it. I tried to GPT a small summary that's maybe easier to read since I tend to be long winded. Expanded Roles and Use Cases
|
|
I missed it in the original topic discussion from @splatch. The OpenSmartHouse Permission is exactly where my head was at. Combining that idea with the work Nicolas Gennart was working on for dynamic roles. I started down this path as a proof of concept myself and I opted to make roles into a registry with a permission registry as well. |
|
That is way more complex than what I thought about, but really versatile and sounds very powerful!
I would love to see openHAB used in such a context, this also explains why you want such powerful RBAC. As long as the average openHAB user does not have to care about it, I fully support your proposal. |
I appreciate the support, I will continue down that path. The idea is no breaking changes, this needs to be transparent. Thank you. |
|
This issue has been mentioned on openHAB Community. There might be relevant details there: |
|
Yes! Using registry will allow us to extend it using add-ons to link this system using LDAP or whatever rbac back end you wish e.g.sql database. So it sounds great. |
|
Hey y'all, I am making good progress scaffolding out the solution. @splatch your proof of concept work has been invaluable. I had a couple questions for the community and @splatch. @splatch mind if I put you as the author for initial contribution for NamedPermission and a few others where I feel I am copy pasta'ing your work? For the community, I plan to implement RBAC as far as our users are concerned yet for us devs I am actually implementing a form of ABAC. Its a flavor as I described that gives the flexibility of granular access control, while also preserving what most are used too, Roles. Roles become a container/logical grouping of permissions which are the "Attributes" in Attribute Based Access Control. This allows for dynamic user defined roles. Additional functionality has been requested like User Groups, and Item assignment so users can have essentially multi-tenancy support. I would like to ask to split that out as additional initiatives? Keeping focus on RBAC without breaking changes giving me time to prove that out and stew on the larger implementation of groups and item assignment/tenancy. |
|
Hello @straiforos, There are several places where implementation I did got a little bit tricky. Main trouble maker for me was SSE. The item resource (as well as other places) is not ready to host more complex security concepts. Be aware that amount of calls to registries is huge, and REST layer itself is just top of iceberg. As of copyrights, code I did was contributed to OpenSmartHouse project for a reason. (IANAL) If you wish to copy it, you should be fine even copying whole files, as long as you retain original copyright statement from OSH (
WRT ABAC, I always thought that it is more about object attributes which can be used to evaluate access. Like for items it would be category or tag, for things its type or so. However, given that all terminology in IT is rather fluid and subject of evolution permissions might actually be also considered a sort of ABAC. :-) |
Wonderful, I plan to do something very similar in OpenHAB, I have a preference in aspect oriented programing so I plan to avoid some extra boiler plate that the OpenSmartHouse implementation required like manager patterns etc. Time will tell if thats my hubris or not LOL.
I appreciate the heads up here with SSE, I will have to keep and eye out for performance concerns.
Ah I will definitely need others feedback on copying it verbatim like NamedPermission, and bringing in the OpenSmartHouse copyright since this is not just my call even if I need to rename it enough to be my own. I do feel weird taking such inspiration from your work without attributing yourself to it. I am manually writing the files for my own sake let alone legal concerns. I will leave your initial contribution there and update the copyright to match. I will ask for others input as I am new to the community and as well am not a lawyer :)
Good point, I have not implemented these patterns enough to be able to state one way or another but certainly felt like an evolution of RBAC into something a little more dynamic like ABAC. @splatch, thank you for all your insight for my own implementation as well as others like Nicholas we could not do it without ya! |
|
Wrt file headers: For simplicity reasons, we typically have a standard license header on all files in It is therefore not really easy to "merge" files from two different projects into a single file for us for practicality reasons. |
Wicked cool, good to know.
Gotcha, that would be the simplest for sure. I'm still working out the kinks and approaching it using an annotation versus a helper method in each area so I can hopefully make it as reusable as possible. |
|
@kaikreuzer @straiforos I don't want to stop you from improving openHAB. At the same time, my position as inventor of code in question, on copyright hasn't changed. |
@splatch totally understandable, frankly I am writing this by hand and wanted to use your work as inspiration. I will make sure it's unique, and has openHAB only copyrights to comply with @kaikreuzer point about 3rd party code additions. I appreciate the guidance. |
|
@straiforos, let me know if I can anyhow contribute to your effort. I have taken over the archived OH Multi-user proxy created by @florian-h05 and adapted it for current OH versions (https://github.com/Davek145/openhab-multiuser-proxy). It does not have so big ambitions you have, but solves at least the basic issues I see in OH = no ability to differentiate between individual users of OH instance. |
|
This issue has been mentioned on openHAB Community. There might be relevant details there: |
See community discussion and proposal
https://community.openhab.org/t/rbac-model-in-openhab-and-potential-security-vulnerability-found/136419
The text was updated successfully, but these errors were encountered: