bitbake: hashserv: Add user permissions

Adds support for the hashserver to have per-user permissions. User management is done via a new "auth" RPC API where a client can authenticate itself with the server using a randomly generated token. The user can then be given permissions to read, report, manage the database, or manage other users. In addition to explicit user logins, the server supports anonymous users which is what all users start as before they make the "auth" RPC call. Anonymous users can be assigned a set of permissions by the server, making it unnecessary for users to authenticate to use the server. The set of Anonymous permissions defines the default behavior of the server, for example if set to "@read", Anonymous users are unable to report equivalent hashes with authenticating. Similarly, setting the Anonymous permissions to "@none" would require authentication for users to perform any action. User creation and management is entirely manual (although bitbake-hashclient is very useful as a front end). There are many different mechanisms that could be implemented to allow user self-registration (e.g. OAuth, LDAP, etc.), and implementing these is outside the scope of the server. Instead, it is recommended to implement a registration service that validates users against the necessary service, then adds them as a user in the hash equivalence server. (Bitbake rev: 69e5417413ee2414fffaa7dd38057573bac56e35) Signed-off-by: Joshua Watt <JPEWhacker@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Joshua Watt <JPEWhacker@gmail.com> 2023-11-03 08:26:31 -0600
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2023-11-09 17:33:03 +0000
commit: 1af725b2eca63fa113cedb6d77eb5c5f1de6e2f0 (patch)
tree: adf200a0b03b8ee1f1a56c55e2ec657dcc7ed04a /bitbake/bin/bitbake-hashserv
parent: 6e67b000efb89c4e3121fd907a47dc7042c07bed (diff)
download: poky-1af725b2eca63fa113cedb6d77eb5c5f1de6e2f0.tar.gz
1 files changed, 37 insertions, 0 deletions
diff --git a/bitbake/bin/bitbake-hashserv b/bitbake/bin/bitbake-hashserv
index 59b8b07f59..1085d0584e 100755
--- a/bitbake/bin/bitbake-hashserv
+++ b/bitbake/bin/bitbake-hashserv
@@ -17,6 +17,7 @@ warnings.simplefilter("default")
 sys.path.insert(0, os.path.join(os.path.dirname(os.path.dirname(__file__)), "lib"))
 import hashserv
+from hashserv.server import DEFAULT_ANON_PERMS
 VERSION = "1.0.0"
@@ -36,6 +37,22 @@ The bind address may take one of the following formats:
 To bind to all addresses, leave the ADDRESS empty, e.g. "--bind :8686" or
 "--bind ws://:8686". To bind to a specific IPv6 address, enclose the address in
 "[]", e.g. "--bind [::1]:8686" or "--bind ws://[::1]:8686"
+Note that the default Anonymous permissions are designed to not break existing
+server instances when upgrading, but are not particularly secure defaults. If
+you want to use authentication, it is recommended that you use "--anon-perms
+@read" to only give anonymous users read access, or "--anon-perms @none" to
+give un-authenticated users no access at all.
+Setting "--anon-perms @all" or "--anon-perms @user-admin" is not allowed, since
+this would allow anonymous users to manage all users accounts, which is a bad
+idea.
+If you are using user authentication, you should run your server in websockets
+mode with an SSL terminating load balancer in front of it (as this server does
+not implement SSL). Otherwise all usernames and passwords will be transmitted
+in the clear. When configured this way, clients can connect using a secure
+websocket, as in "wss://SERVER:PORT"
        """,
    )
@@ -79,6 +96,22 @@ To bind to all addresses, leave the ADDRESS empty, e.g. "--bind :8686" or
        default=os.environ.get("HASHSERVER_DB_PASSWORD", None),
        help="Database password ($HASHSERVER_DB_PASSWORD)",
    )
+    parser.add_argument(
+        "--anon-perms",
+        metavar="PERM[,PERM[,...]]",
+        default=os.environ.get("HASHSERVER_ANON_PERMS", ",".join(DEFAULT_ANON_PERMS)),
+        help='Permissions to give anonymous users (default $HASHSERVER_ANON_PERMS, "%(default)s")',
+    )
+    parser.add_argument(
+        "--admin-user",
+        default=os.environ.get("HASHSERVER_ADMIN_USER", None),
+        help="Create default admin user with name ADMIN_USER ($HASHSERVER_ADMIN_USER)",
+    )
+    parser.add_argument(
+        "--admin-password",
+        default=os.environ.get("HASHSERVER_ADMIN_PASSWORD", None),
+        help="Create default admin user with password ADMIN_PASSWORD ($HASHSERVER_ADMIN_PASSWORD)",
+    )
    args = parser.parse_args()
@@ -94,6 +127,7 @@ To bind to all addresses, leave the ADDRESS empty, e.g. "--bind :8686" or
    logger.addHandler(console)
    read_only = (os.environ.get("HASHSERVER_READ_ONLY", "0") == "1") or args.read_only
+    anon_perms = args.anon_perms.split(",")
    server = hashserv.create_server(
        args.bind,
@@ -102,6 +136,9 @@ To bind to all addresses, leave the ADDRESS empty, e.g. "--bind :8686" or
        read_only=read_only,
        db_username=args.db_username,
        db_password=args.db_password,
+        anon_perms=anon_perms,
+        admin_username=args.admin_user,
+        admin_password=args.admin_password,
    )
    server.serve_forever()
    return 0
author	Joshua Watt <JPEWhacker@gmail.com>	2023-11-03 08:26:31 -0600
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2023-11-09 17:33:03 +0000
commit	1af725b2eca63fa113cedb6d77eb5c5f1de6e2f0 (patch)
tree	adf200a0b03b8ee1f1a56c55e2ec657dcc7ed04a /bitbake/bin/bitbake-hashserv
parent	6e67b000efb89c4e3121fd907a47dc7042c07bed (diff)
download	poky-1af725b2eca63fa113cedb6d77eb5c5f1de6e2f0.tar.gz

diff --git a/bitbake/bin/bitbake-hashserv b/bitbake/bin/bitbake-hashserv index 59b8b07f59..1085d0584e 100755 --- a/bitbake/bin/bitbake-hashserv +++ b/bitbake/bin/bitbake-hashserv
@@ -17,6 +17,7 @@ warnings.simplefilter("default")
17	sys.path.insert(0, os.path.join(os.path.dirname(os.path.dirname(__file__)), "lib"))	17	sys.path.insert(0, os.path.join(os.path.dirname(os.path.dirname(__file__)), "lib"))
18		18
19	import hashserv	19	import hashserv
		20	from hashserv.server import DEFAULT_ANON_PERMS
20		21
21	VERSION = "1.0.0"	22	VERSION = "1.0.0"
22		23
@@ -36,6 +37,22 @@ The bind address may take one of the following formats:
36	To bind to all addresses, leave the ADDRESS empty, e.g. "--bind :8686" or	37	To bind to all addresses, leave the ADDRESS empty, e.g. "--bind :8686" or
37	"--bind ws://:8686". To bind to a specific IPv6 address, enclose the address in	38	"--bind ws://:8686". To bind to a specific IPv6 address, enclose the address in
38	"[]", e.g. "--bind [::1]:8686" or "--bind ws://[::1]:8686"	39	"[]", e.g. "--bind [::1]:8686" or "--bind ws://[::1]:8686"
		40
		41	Note that the default Anonymous permissions are designed to not break existing
		42	server instances when upgrading, but are not particularly secure defaults. If
		43	you want to use authentication, it is recommended that you use "--anon-perms
		44	@read" to only give anonymous users read access, or "--anon-perms @none" to
		45	give un-authenticated users no access at all.
		46
		47	Setting "--anon-perms @all" or "--anon-perms @user-admin" is not allowed, since
		48	this would allow anonymous users to manage all users accounts, which is a bad
		49	idea.
		50
		51	If you are using user authentication, you should run your server in websockets
		52	mode with an SSL terminating load balancer in front of it (as this server does
		53	not implement SSL). Otherwise all usernames and passwords will be transmitted
		54	in the clear. When configured this way, clients can connect using a secure
		55	websocket, as in "wss://SERVER:PORT"
39	""",	56	""",
40	)	57	)
41		58
@@ -79,6 +96,22 @@ To bind to all addresses, leave the ADDRESS empty, e.g. "--bind :8686" or
79	default=os.environ.get("HASHSERVER_DB_PASSWORD", None),	96	default=os.environ.get("HASHSERVER_DB_PASSWORD", None),
80	help="Database password ($HASHSERVER_DB_PASSWORD)",	97	help="Database password ($HASHSERVER_DB_PASSWORD)",
81	)	98	)
		99	parser.add_argument(
		100	"--anon-perms",
		101	metavar="PERM[,PERM[,...]]",
		102	default=os.environ.get("HASHSERVER_ANON_PERMS", ",".join(DEFAULT_ANON_PERMS)),
		103	help='Permissions to give anonymous users (default $HASHSERVER_ANON_PERMS, "%(default)s")',
		104	)
		105	parser.add_argument(
		106	"--admin-user",
		107	default=os.environ.get("HASHSERVER_ADMIN_USER", None),
		108	help="Create default admin user with name ADMIN_USER ($HASHSERVER_ADMIN_USER)",
		109	)
		110	parser.add_argument(
		111	"--admin-password",
		112	default=os.environ.get("HASHSERVER_ADMIN_PASSWORD", None),
		113	help="Create default admin user with password ADMIN_PASSWORD ($HASHSERVER_ADMIN_PASSWORD)",
		114	)
82		115
83	args = parser.parse_args()	116	args = parser.parse_args()
84		117
@@ -94,6 +127,7 @@ To bind to all addresses, leave the ADDRESS empty, e.g. "--bind :8686" or
94	logger.addHandler(console)	127	logger.addHandler(console)
95		128
96	read_only = (os.environ.get("HASHSERVER_READ_ONLY", "0") == "1") or args.read_only	129	read_only = (os.environ.get("HASHSERVER_READ_ONLY", "0") == "1") or args.read_only
		130	anon_perms = args.anon_perms.split(",")
97		131
98	server = hashserv.create_server(	132	server = hashserv.create_server(
99	args.bind,	133	args.bind,
@@ -102,6 +136,9 @@ To bind to all addresses, leave the ADDRESS empty, e.g. "--bind :8686" or
102	read_only=read_only,	136	read_only=read_only,
103	db_username=args.db_username,	137	db_username=args.db_username,
104	db_password=args.db_password,	138	db_password=args.db_password,
		139	anon_perms=anon_perms,
		140	admin_username=args.admin_user,
		141	admin_password=args.admin_password,
105	)	142	)
106	server.serve_forever()	143	server.serve_forever()
107	return 0	144	return 0