From: "Toke Høiland-Jørgensen" <toke@toke.dk>
To: Juliusz Chroboczek <jch@irif.fr>
Cc: "Michael Ströder" <michael@stroeder.com>, galene@lists.galene.org
Subject: [Galene] Re: Is the passwd file still needed?
Date: Fri, 19 Feb 2021 14:01:36 +0100
Message-ID: <87zh00jjnz.fsf@toke.dk>
In-Reply-To: <87lfbk6x6w.wl-jch@irif.fr>

Juliusz Chroboczek <jch@irif.fr> writes:

>>>> With the new hashed-password syntax in group files, user credentials are
>>>> stored in the JSON for each group. But there's still a mention of a
>>>> passwd file in the README, but marked as 'optional' - is this still
>>>> needed?
>
>>> AFAICS it's simply used to protect the /stats page (with HTTP basic authc).
>
> Right.
>
>>>> And is there a way to specify hashed passwords in that file?
>
> This file's syntax is going to change, but I'm not quite sure how. Right
> now, we're duplicating the same entry for a given user in all groups where
> they have a username; it would be good to be able to say
>
> 1. user "toke", has default password "foo";
> 2. user "toke" is Op in group A with his default password;
> 3. user "toke" is Presenter in group B with his default password;
> 4. user "toke" is Op in this whole set of groups with his default password.
>
> One possible solution would be to store default passwords in the "passwd"
> file, and use the default password in "password" is not present (as
> opposed to being the empty string, which will have the same meaning as
> actually). This doesn't solve point (4) above.

Well personally I can live without (4). The obvious answer that comes to
mind to implement it is user groups, though. So (video) groups could
delegate the op priv to a (user) group (of admins, say), and you'd only
need to add a user to that group.

Alternatively, make it up to any third-party administration interface to
provide the group abstraction and just keep the "list of users per
(video) group" that exists now, but move the passwords to a central file.

> Ideas welcome, even if they're not accompanied with patches. Please
> recall that Galène is meant to be easy to install and have minimal
> dependencies, so anything that relies on an external daemon (SQL) is
> out of the question; on the other hand, I'm open to solutions that are
> extensible to third-party authentication or delegation ("login with
> github") as long as they remain optional.

Well if you abstract out the password checking to a passwd file, it
would be fairly straightforward to add additional callbacks there, no?
I.e., Galene can ask third-party services to authenticate a user ID,
with the passwd file being the default?

This would likely also need a decoupling of user identifiers and display
names, as external services can use arbitrary IDs (but commonly, that's
just emails) that are not necessarily what users want to show up in the
user list...

-Toke
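
The fallback discussed in this message, as an added Python sketch that is not part of the original e-mail and not Galène's code: a group entry without a "password" key is delegated to a list of checkers whose default is the central passwd data, and the user ID is kept separate from the display name. The record layout, the field names (`id`, `name`, `role`), the addresses and the passwords are constructed for illustration; the empty-string case from the quoted text is not modelled.

```python
import hashlib
import hmac


def make_hash(password, salt, iterations=4096):
    """Salted PBKDF2-HMAC-SHA256 record (layout assumed, not Galene's)."""
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt.hex(), "key": key.hex(), "iterations": iterations}


def check_hash(record, password):
    """Re-derive the key and compare it in constant time."""
    salt = bytes.fromhex(record["salt"])
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, record["iterations"])
    return hmac.compare_digest(key, bytes.fromhex(record["key"]))


def passwd_checker(passwd):
    """Default checker: the central passwd data, user ID -> hash record."""
    def check(user_id, password):
        record = passwd.get(user_id)
        return record is not None and check_hash(record, password)
    return check


def login(group, user_id, password, checkers):
    """Return the member entry on success, None on failure."""
    for member in group["users"]:
        if member["id"] != user_id:
            continue
        if "password" in member:   # per-group hash present: use only that
            ok = check_hash(member["password"], password)
        else:                      # key absent: ask the checkers in order
            ok = any(check(user_id, password) for check in checkers)
        return member if ok else None
    return None  # not listed in this group, whatever a checker would say


# Constructed sample data, shaped like parsed group JSON (not from the thread).
PASSWD = {"toke@example.org": make_hash("foo", b"constructed-salt-1")}
GROUP_A = {"users": [{"id": "toke@example.org", "name": "toke", "role": "op"}]}
GROUP_B = {"users": [{"id": "toke@example.org", "name": "toke", "role": "presenter",
                      "password": make_hash("bar", b"constructed-salt-2")}]}
CHECKERS = [passwd_checker(PASSWD)]  # a third-party callback would be appended here

if __name__ == "__main__":
    print(login(GROUP_A, "toke@example.org", "foo", CHECKERS))  # central default
    print(login(GROUP_B, "toke@example.org", "foo", CHECKERS))  # overridden in B
```

Because `login` only consults the checkers for IDs that the group file lists, an external service that accepts a credential cannot by itself grant membership of a group.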