API Auth

PetrZ

Dabbler
Joined
Feb 23, 2018
Messages
20
Hi.
There is "Currently only the user of ID 0 (root) is allowed to access the API." in the API documentation.
Is there any chance it will be changed (implemented) in future releases? That really limits some serious usage.
E.g. you want to permit some script / person to add users or certificates, and you have to tell them the root passphrase?

I didn't check how it's currently implemented, but I could imagine e.g. a way of specifying an API URL RegExp list allowed for a user.
So there would be e.g. for user jail_admin:
Code:
\/api\/v1\.0\/jails\/jails\/[^\/]+\/(stop|start)\/

At least at the beginning there is no need to implement it in the GUI; I would be happy even with adding a table to the DB to allow adding / modifying rules using SQL queries.
 

kdragon75

Wizard
Joined
Aug 7, 2016
Messages
2,457
I have yet to see any hint of administrative user delegation. Every time it's brought up, it's considered unneeded nonsense. This is one of the many reasons I cannot recommend FreeNAS or TrueNAS in any environment with more than one admin. It's kind of a joke that they call any of it enterprise ready. Even things like defaulting to HTTP show a lack of care for any type of security, let alone permissions management for API access...
 

PetrZ

Dabbler
Joined
Feb 23, 2018
Messages
20
As a workaround, some self-coded wrapper with its own auth DB could (maybe) be used. But...

I put quite a lot of "own" stuff into my FreeNAS systems (last time it was zfs-auto-snapshot with Ruby, as I want the same "snapshot policy" as I have in my Debian systems running OpenNebula on ZFS). Now I am playing with smbcacls, as there is no other way (or at least I don't know of any) to set access rights for more groups. E.g. you want to have a share where one group has RW, two other groups R only, and the rest of the users no access. In the GUI you can use just one group and set permissions for that one group (+owner +others). There is also no "normal" way to modify sudoers. I have to use a lot of post-init scripts, as configs are regenerated on every reboot. Enough for a home Plex server, etc., but as you wrote, quite far from enterprise when you try to use it without "customization". Maybe pure FreeBSD would be a better choice, I am still not sure.
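The per-user URL RegExp list proposed in the first post, and the self-coded wrapper with its own auth DB mentioned above, come down to the same authorization check. The following is an added example (not code from the thread or from FreeNAS) of that check in Python: the jail_admin pattern is the one from the first post, "cert_bot" is a hypothetical second user, and the rule table is an in-memory dict standing in for the wrapper's DB table. It matches the whole normalized path rather than searching the raw URL, which is the difference between a rule that restricts a user to start/stop and one that does not.

```python
import posixpath
import re
from typing import Dict, List, Pattern, Tuple
from urllib.parse import urlsplit

# Constructed per-user allowlist of (HTTP method, path regexp). The
# jail_admin pattern is the one from the first post; "cert_bot" is a
# hypothetical second user added here to show the shape of the table.
ALLOWLIST: Dict[str, List[Tuple[str, str]]] = {
    "jail_admin": [
        ("POST", r"\/api\/v1\.0\/jails\/jails\/[^\/]+\/(stop|start)\/"),
    ],
    "cert_bot": [
        ("GET", r"/api/v1\.0/system/certificate/"),
        ("POST", r"/api/v1\.0/system/certificate/"),
    ],
}

# Compile once; a real wrapper would load this from its own DB table.
RULES: Dict[str, List[Tuple[str, Pattern[str]]]] = {
    user: [(m, re.compile(p)) for m, p in entries]
    for user, entries in ALLOWLIST.items()
}


def normalize_path(url_path: str) -> str:
    """Drop query/fragment and resolve '.' / '..' before matching, so the
    rule is evaluated on the path the API will actually see."""
    path = urlsplit(url_path).path
    normalized = posixpath.normpath(path)
    if path.endswith("/") and not normalized.endswith("/"):
        normalized += "/"  # normpath strips the trailing slash the rules expect
    return normalized


def is_allowed(user: str, method: str, url_path: str) -> bool:
    """Allow only if a rule for this user matches the WHOLE normalized path;
    an unknown user, method or path is denied by default."""
    path = normalize_path(url_path)
    return any(
        rule_method == method.upper() and pattern.fullmatch(path) is not None
        for rule_method, pattern in RULES.get(user, [])
    )


def is_allowed_unanchored(user: str, method: str, url_path: str) -> bool:
    """The same check done the naive way (search on the raw path), kept only
    to show why anchoring and normalization matter."""
    return any(
        rule_method == method.upper() and pattern.search(url_path) is not None
        for rule_method, pattern in RULES.get(user, [])
    )
```

With the rules above, a start/stop request for any single jail passes, while deleting the jail, a DELETE method, an unknown user, or a path that only contains the allowed string as a substring is refused.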
 