1 files changed, 37 insertions, 0 deletions
diff --git a/bitbake/bin/bitbake-hashserv b/bitbake/bin/bitbake-hashserv
index 59b8b07f59..1085d0584e 100755
--- a/bitbake/bin/bitbake-hashserv
+++ b/bitbake/bin/bitbake-hashserv
@@ -17,6 +17,7 @@ warnings.simplefilter("default")
 sys.path.insert(0, os.path.join(os.path.dirname(os.path.dirname(__file__)), "lib"))
 import hashserv
+from hashserv.server import DEFAULT_ANON_PERMS
 VERSION = "1.0.0"
@@ -36,6 +37,22 @@ The bind address may take one of the following formats:
 To bind to all addresses, leave the ADDRESS empty, e.g. "--bind :8686" or
 "--bind ws://:8686". To bind to a specific IPv6 address, enclose the address in
 "[]", e.g. "--bind [::1]:8686" or "--bind ws://[::1]:8686"
+Note that the default Anonymous permissions are designed to not break existing
+server instances when upgrading, but are not particularly secure defaults. If
+you want to use authentication, it is recommended that you use "--anon-perms
+@read" to only give anonymous users read access, or "--anon-perms @none" to
+give un-authenticated users no access at all.
+Setting "--anon-perms @all" or "--anon-perms @user-admin" is not allowed, since
+this would allow anonymous users to manage all users accounts, which is a bad
+idea.
+If you are using user authentication, you should run your server in websockets
+mode with an SSL terminating load balancer in front of it (as this server does
+not implement SSL). Otherwise all usernames and passwords will be transmitted
+in the clear. When configured this way, clients can connect using a secure
+websocket, as in "wss://SERVER:PORT"
        """,
    )
@@ -79,6 +96,22 @@ To bind to all addresses, leave the ADDRESS empty, e.g. "--bind :8686" or
        default=os.environ.get("HASHSERVER_DB_PASSWORD", None),
        help="Database password ($HASHSERVER_DB_PASSWORD)",
    )
+    parser.add_argument(
+        "--anon-perms",
+        metavar="PERM[,PERM[,...]]",
+        default=os.environ.get("HASHSERVER_ANON_PERMS", ",".join(DEFAULT_ANON_PERMS)),
+        help='Permissions to give anonymous users (default $HASHSERVER_ANON_PERMS, "%(default)s")',
+    )
+    parser.add_argument(
+        "--admin-user",
+        default=os.environ.get("HASHSERVER_ADMIN_USER", None),
+        help="Create default admin user with name ADMIN_USER ($HASHSERVER_ADMIN_USER)",
+    )
+    parser.add_argument(
+        "--admin-password",
+        default=os.environ.get("HASHSERVER_ADMIN_PASSWORD", None),
+        help="Create default admin user with password ADMIN_PASSWORD ($HASHSERVER_ADMIN_PASSWORD)",
+    )
    args = parser.parse_args()
@@ -94,6 +127,7 @@ To bind to all addresses, leave the ADDRESS empty, e.g. "--bind :8686" or
    logger.addHandler(console)
    read_only = (os.environ.get("HASHSERVER_READ_ONLY", "0") == "1") or args.read_only
+    anon_perms = args.anon_perms.split(",")
    server = hashserv.create_server(
        args.bind,
@@ -102,6 +136,9 @@ To bind to all addresses, leave the ADDRESS empty, e.g. "--bind :8686" or
        read_only=read_only,
        db_username=args.db_username,
        db_password=args.db_password,
+        anon_perms=anon_perms,
+        admin_username=args.admin_user,
+        admin_password=args.admin_password,
    )
    server.serve_forever()
    return 0

diff --git a/bitbake/bin/bitbake-hashserv b/bitbake/bin/bitbake-hashserv index 59b8b07f59..1085d0584e 100755 --- a/bitbake/bin/bitbake-hashserv +++ b/bitbake/bin/bitbake-hashserv
@@ -17,6 +17,7 @@ warnings.simplefilter("default")
17	sys.path.insert(0, os.path.join(os.path.dirname(os.path.dirname(__file__)), "lib"))	17	sys.path.insert(0, os.path.join(os.path.dirname(os.path.dirname(__file__)), "lib"))
18		18
19	import hashserv	19	import hashserv
		20	from hashserv.server import DEFAULT_ANON_PERMS
20		21
21	VERSION = "1.0.0"	22	VERSION = "1.0.0"
22		23
@@ -36,6 +37,22 @@ The bind address may take one of the following formats:
36	To bind to all addresses, leave the ADDRESS empty, e.g. "--bind :8686" or	37	To bind to all addresses, leave the ADDRESS empty, e.g. "--bind :8686" or
37	"--bind ws://:8686". To bind to a specific IPv6 address, enclose the address in	38	"--bind ws://:8686". To bind to a specific IPv6 address, enclose the address in
38	"[]", e.g. "--bind [::1]:8686" or "--bind ws://[::1]:8686"	39	"[]", e.g. "--bind [::1]:8686" or "--bind ws://[::1]:8686"
		40
		41	Note that the default Anonymous permissions are designed to not break existing
		42	server instances when upgrading, but are not particularly secure defaults. If
		43	you want to use authentication, it is recommended that you use "--anon-perms
		44	@read" to only give anonymous users read access, or "--anon-perms @none" to
		45	give un-authenticated users no access at all.
		46
		47	Setting "--anon-perms @all" or "--anon-perms @user-admin" is not allowed, since
		48	this would allow anonymous users to manage all users accounts, which is a bad
		49	idea.
		50
		51	If you are using user authentication, you should run your server in websockets
		52	mode with an SSL terminating load balancer in front of it (as this server does
		53	not implement SSL). Otherwise all usernames and passwords will be transmitted
		54	in the clear. When configured this way, clients can connect using a secure
		55	websocket, as in "wss://SERVER:PORT"
39	""",	56	""",
40	)	57	)
41		58
@@ -79,6 +96,22 @@ To bind to all addresses, leave the ADDRESS empty, e.g. "--bind :8686" or
79	default=os.environ.get("HASHSERVER_DB_PASSWORD", None),	96	default=os.environ.get("HASHSERVER_DB_PASSWORD", None),
80	help="Database password ($HASHSERVER_DB_PASSWORD)",	97	help="Database password ($HASHSERVER_DB_PASSWORD)",
81	)	98	)
		99	parser.add_argument(
		100	"--anon-perms",
		101	metavar="PERM[,PERM[,...]]",
		102	default=os.environ.get("HASHSERVER_ANON_PERMS", ",".join(DEFAULT_ANON_PERMS)),
		103	help='Permissions to give anonymous users (default $HASHSERVER_ANON_PERMS, "%(default)s")',
		104	)
		105	parser.add_argument(
		106	"--admin-user",
		107	default=os.environ.get("HASHSERVER_ADMIN_USER", None),
		108	help="Create default admin user with name ADMIN_USER ($HASHSERVER_ADMIN_USER)",
		109	)
		110	parser.add_argument(
		111	"--admin-password",
		112	default=os.environ.get("HASHSERVER_ADMIN_PASSWORD", None),
		113	help="Create default admin user with password ADMIN_PASSWORD ($HASHSERVER_ADMIN_PASSWORD)",
		114	)
82		115
83	args = parser.parse_args()	116	args = parser.parse_args()
84		117
@@ -94,6 +127,7 @@ To bind to all addresses, leave the ADDRESS empty, e.g. "--bind :8686" or
94	logger.addHandler(console)	127	logger.addHandler(console)
95		128
96	read_only = (os.environ.get("HASHSERVER_READ_ONLY", "0") == "1") or args.read_only	129	read_only = (os.environ.get("HASHSERVER_READ_ONLY", "0") == "1") or args.read_only
		130	anon_perms = args.anon_perms.split(",")
97		131
98	server = hashserv.create_server(	132	server = hashserv.create_server(
99	args.bind,	133	args.bind,
@@ -102,6 +136,9 @@ To bind to all addresses, leave the ADDRESS empty, e.g. "--bind :8686" or
102	read_only=read_only,	136	read_only=read_only,
103	db_username=args.db_username,	137	db_username=args.db_username,
104	db_password=args.db_password,	138	db_password=args.db_password,
		139	anon_perms=anon_perms,
		140	admin_username=args.admin_user,
		141	admin_password=args.admin_password,
105	)	142	)
106	server.serve_forever()	143	server.serve_forever()
107	return 0	144	return 0