Galène videoconferencing server discussion list archives
* [Galene] Is the passwd file still needed?
@ 2021-02-19  9:52 Toke Høiland-Jørgensen
  2021-02-19 10:44 ` [Galene] " Michael Ströder
  0 siblings, 1 reply; 15+ messages in thread
From: Toke Høiland-Jørgensen @ 2021-02-19  9:52 UTC (permalink / raw)
  To: galene

With the new hashed-password syntax in group files, user credentials are
stored in the JSON for each group. But there's still a mention of a
passwd file in the README, but marked as 'optional' - is this still
needed? What's the consequence of not having it? And is there a way to
specify hashed passwords in that file?

-Toke


* [Galene] Re: Is the passwd file still needed?
  2021-02-19  9:52 [Galene] Is the passwd file still needed? Toke Høiland-Jørgensen
@ 2021-02-19 10:44 ` Michael Ströder
  2021-02-19 11:48   ` Toke Høiland-Jørgensen
  0 siblings, 1 reply; 15+ messages in thread
From: Michael Ströder @ 2021-02-19 10:44 UTC (permalink / raw)
  To: galene

On 2/19/21 10:52 AM, Toke Høiland-Jørgensen wrote:
> With the new hashed-password syntax in group files, user credentials are
> stored in the JSON for each group. But there's still a mention of a
> passwd file in the README, but marked as 'optional' - is this still
> needed? What's the consequence of not having it? And is there a way to
> specify hashed passwords in that file?

AFAICS it's simply used to protect the /stats page (with HTTP basic authc).

Ciao, Michael.



* [Galene] Re: Is the passwd file still needed?
  2021-02-19 10:44 ` [Galene] " Michael Ströder
@ 2021-02-19 11:48   ` Toke Høiland-Jørgensen
  2021-02-19 12:47     ` Juliusz Chroboczek
  0 siblings, 1 reply; 15+ messages in thread
From: Toke Høiland-Jørgensen @ 2021-02-19 11:48 UTC (permalink / raw)
  To: Michael Ströder, galene

Michael Ströder <michael@stroeder.com> writes:

> On 2/19/21 10:52 AM, Toke Høiland-Jørgensen wrote:
>> With the new hashed-password syntax in group files, user credentials are
>> stored in the JSON for each group. But there's still a mention of a
>> passwd file in the README, but marked as 'optional' - is this still
>> needed? What's the consequence of not having it? And is there a way to
>> specify hashed passwords in that file?
>
> AFAICS it's simply used to protect the /stats page (with HTTP basic authc).

Ah, right, gotcha. I thought that just required any user with ops privs,
but I guess I got that behaviour by reusing the same user/password
combination in passwd and the groups config.

OK, so my question about using the hashed syntax remains; but maybe this
is deferred until a more complete system for user management shows up? :)

-Toke


* [Galene] Re: Is the passwd file still needed?
  2021-02-19 11:48   ` Toke Høiland-Jørgensen
@ 2021-02-19 12:47     ` Juliusz Chroboczek
  2021-02-19 13:01       ` Toke Høiland-Jørgensen
  0 siblings, 1 reply; 15+ messages in thread
From: Juliusz Chroboczek @ 2021-02-19 12:47 UTC (permalink / raw)
  To: Toke Høiland-Jørgensen; +Cc: Michael Ströder, galene

>>> With the new hashed-password syntax in group files, user credentials are
>>> stored in the JSON for each group. But there's still a mention of a
>>> passwd file in the README, but marked as 'optional' - is this still
>>> needed?

>> AFAICS it's simply used to protect the /stats page (with HTTP basic authc).

Right.

>>> And is there a way to specify hashed passwords in that file?

This file's syntax is going to change, but I'm not quite sure how.  Right
now, we're duplicating the same entry for a given user in all groups where
they have a username; it would be good to be able to say

  1. user "toke", has default password "foo";
  2. user "toke" is Op in group A with his default password;
  3. user "toke" is Presenter in group B with his default password;
  4. user "toke" is Op in this whole set of groups with his default password.

One possible solution would be to store default passwords in the "passwd"
file, and use the default password if "password" is not present (as
opposed to being the empty string, which will have the same meaning as
actually).  This doesn't solve point (4) above.

Ideas welcome, even if they're not accompanied with patches.  Please
recall that Galène is meant to be easy to install and have minimal
dependencies, so anything that relies on an external daemon (SQL) is out
of the question; on the other hand, I'm open to solutions that are
extensible to third-party authentication or delegation ("login with github")
as long as they remain optional.

-- Juliusz
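
The fallback rule sketched in this message, as an added example (not Galène's code and not part of the original post): a missing "password" key falls back to the user's default from the passwd file, while an explicit value does not. The `userEntry` and `groupFile` types, the `defaults` map, and treating an explicit empty string as a literal value are assumptions made for illustration.

```go
package main

import (
	"crypto/subtle"
	"encoding/json"
	"fmt"
)

// userEntry is a hypothetical per-group record. Password is a pointer so a
// missing "password" key (nil) is distinguishable from "password": "".
type userEntry struct {
	Username string  `json:"username"`
	Password *string `json:"password"`
}

type groupFile struct { // hypothetical, simplified group description
	Op        []userEntry `json:"op"`
	Presenter []userEntry `json:"presenter"`
}

// effectivePassword: an explicit value (even "") is used as written; only an
// absent key falls back to the default. ok is false when neither exists.
func effectivePassword(e userEntry, defaults map[string]string) (pw string, ok bool) {
	if e.Password != nil {
		return *e.Password, true
	}
	pw, ok = defaults[e.Username]
	return pw, ok
}

// roleFor returns "op", "presenter", or "" when the login matches no entry.
func roleFor(raw []byte, defaults map[string]string, user, password string) (string, error) {
	var g groupFile
	if err := json.Unmarshal(raw, &g); err != nil {
		return "", err
	}
	roles := []struct {
		name  string
		users []userEntry
	}{{"op", g.Op}, {"presenter", g.Presenter}}
	for _, r := range roles {
		for _, e := range r.users {
			want, ok := effectivePassword(e, defaults)
			if ok && e.Username == user && // no password and no default: fail closed
				subtle.ConstantTimeCompare([]byte(want), []byte(password)) == 1 {
				return r.name, nil
			}
		}
	}
	return "", nil
}

func main() {
	// Constructed sample data; plaintext only to mirror the message's "foo".
	defaults := map[string]string{"toke": "foo"}
	role, err := roleFor([]byte(`{"op": [{"username": "toke"}]}`), defaults, "toke", "foo")
	fmt.Println(role, err)
}
```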


* [Galene] Re: Is the passwd file still needed?
  2021-02-19 12:47     ` Juliusz Chroboczek
@ 2021-02-19 13:01       ` Toke Høiland-Jørgensen
  2021-02-19 13:13         ` Juliusz Chroboczek
       [not found]         ` <YDAEso0xTvoIg+hJ@local>
  0 siblings, 2 replies; 15+ messages in thread
From: Toke Høiland-Jørgensen @ 2021-02-19 13:01 UTC (permalink / raw)
  To: Juliusz Chroboczek; +Cc: Michael Ströder, galene

Juliusz Chroboczek <jch@irif.fr> writes:

>>>> With the new hashed-password syntax in group files, user credentials are
>>>> stored in the JSON for each group. But there's still a mention of a
>>>> passwd file in the README, but marked as 'optional' - is this still
>>>> needed?
>
>>> AFAICS it's simply used to protect the /stats page (with HTTP basic authc).
>
> Right.
>
>>>> And is there a way to specify hashed passwords in that file?
>
> This file's syntax is going to change, but I'm not quite sure how.  Right
> now, we're duplicating the same entry for a given user in all groups where
> they have a username; it would be good to be able to say
>
>   1. user "toke", has default password "foo";
>   2. user "toke" is Op in group A with his default password;
>   3. user "toke" is Presenter in group B with his default password;
>   4. user "toke" is Op in this whole set of groups with his default password.
>
> One possible solution would be to store default passwords in the "passwd"
> file, and use the default password if "password" is not present (as
> opposed to being the empty string, which will have the same meaning as
> actually).  This doesn't solve point (4) above.

Well personally I can live without (4). The obvious answer that comes to
mind to implement it is user groups, though. So (video) groups could
delegate the op priv to a (user) group (of admins, say), and you'd only
need to add a user to that group.

Alternatively, make it up to any third-party administration interface to
provide the group abstraction and just keep the "list of users per
(video) group" that exists now, but move the passwords to a central file.

> Ideas welcome, even if they're not accompanied with patches. Please
> recall that Galène is meant to be easy to install and have minimal
> dependencies, so anything that relies on an external daemon (SQL) is
> out of the question; on the other hand, I'm open to solutions that are
> extensible to third-party authentication or delegation ("login with
> github") as long as they remain optional.

Well if you abstract out the password checking to a passwd file, it
would be fairly straightforward to add additional callbacks there, no?
I.e., Galene can ask third-party services to authenticate a user ID,
with the passwd file being the default?

This would likely also need a decoupling of user identifiers and display
names, as external services can use arbitrary IDs (but commonly, that's
just emails) that are not necessarily what users want to show up in the
user list...

-Toke


* [Galene] Re: Is the passwd file still needed?
  2021-02-19 13:01       ` Toke Høiland-Jørgensen
@ 2021-02-19 13:13         ` Juliusz Chroboczek
  2021-02-19 13:19           ` Gabriel Kerneis
  2021-02-23 15:11           ` Dave Taht
       [not found]         ` <YDAEso0xTvoIg+hJ@local>
  1 sibling, 2 replies; 15+ messages in thread
From: Juliusz Chroboczek @ 2021-02-19 13:13 UTC (permalink / raw)
  To: Toke Høiland-Jørgensen; +Cc: Michael Ströder, galene

> Well personally I can live without (4). The obvious answer that comes to
> mind to implement it is user groups, though.

I like the idea.  But the term "group" is already taken.  "Team"?
"Clique"?  "Cabal"?  "Club"?


* [Galene] Re: Is the passwd file still needed?
  2021-02-19 13:13         ` Juliusz Chroboczek
@ 2021-02-19 13:19           ` Gabriel Kerneis
  2021-02-19 13:36             ` Toke Høiland-Jørgensen
  2021-02-20  0:52             ` Juliusz Chroboczek
  2021-02-23 15:11           ` Dave Taht
  1 sibling, 2 replies; 15+ messages in thread
From: Gabriel Kerneis @ 2021-02-19 13:19 UTC (permalink / raw)
  To: galene

On Fri, 19 Feb 2021, at 14:13, Juliusz Chroboczek wrote:
> > Well personally I can live without (4). The obvious answer that comes to
> > mind to implement it is user groups, though.
> 
> I like the idea.  But the term "group" is already taken.  "Team"?
> "Clique"?  "Cabal"?  "Club"?

If breaking changes are still possible, I'd go with "group" for this concept, and "room" for the current groups.

Otherwise, be explicit and go with "user_group".

-- 
Gabriel


* [Galene] Re: Is the passwd file still needed?
  2021-02-19 13:19           ` Gabriel Kerneis
@ 2021-02-19 13:36             ` Toke Høiland-Jørgensen
  2021-02-20  0:52             ` Juliusz Chroboczek
  1 sibling, 0 replies; 15+ messages in thread
From: Toke Høiland-Jørgensen @ 2021-02-19 13:36 UTC (permalink / raw)
  To: Gabriel Kerneis, galene

"Gabriel Kerneis" <gabriel@kerneis.info> writes:

> On Fri, 19 Feb 2021, at 14:13, Juliusz Chroboczek wrote:
>> > Well personally I can live without (4). The obvious answer that comes to
>> > mind to implement it is user groups, though.
>> 
>> I like the idea.  But the term "group" is already taken.  "Team"?
>> "Clique"?  "Cabal"?  "Club"?
>
> If breaking changes are still possible, I'd go with "group" for this
> concept, and "room" for the current groups.
>
> Otherwise, be explicit and go with "user_group".

+1 (on both points)

-Toke


* [Galene] Re: Is the passwd file still needed?
  2021-02-19 13:19           ` Gabriel Kerneis
  2021-02-19 13:36             ` Toke Høiland-Jørgensen
@ 2021-02-20  0:52             ` Juliusz Chroboczek
  2021-02-20 10:06               ` Rémi Nollet
  2021-02-20 11:49               ` Toke Høiland-Jørgensen
  1 sibling, 2 replies; 15+ messages in thread
From: Juliusz Chroboczek @ 2021-02-20  0:52 UTC (permalink / raw)
  To: Gabriel Kerneis; +Cc: galene

> If breaking changes are still possible, I'd go with "group" for this
> concept, and "room" for the current groups.

I tend to dislike real-world metaphors.

> Otherwise, be explicit and go with "user_group".

Only as a last resort.  Let's please try some more.

-- Juliusz


* [Galene] Re: Is the passwd file still needed?
  2021-02-20  0:52             ` Juliusz Chroboczek
@ 2021-02-20 10:06               ` Rémi Nollet
  2021-02-20 11:49               ` Toke Høiland-Jørgensen
  1 sibling, 0 replies; 15+ messages in thread
From: Rémi Nollet @ 2021-02-20 10:06 UTC (permalink / raw)
  To: galene

I feel permitted to a bit of bike-shedding.

If the user groups you want to create have the same semantics as Unix 
groups, and if this is the right semantics to use, I would also go for 
naming them “groups” and finding something else for current “groups”. I 
feel like it would help the administrators to make correct quick guesses 
so as to how those user groups work.

If you then need a replacement name for current “groups”, I also happen 
to like “room”. For the end-user, they are nothing but a rendezvous 
point, a location in which we can meet and talk to and see each other. 
But if rooms are not the usual places where we meet people we want to 
talk with, maybe we can try something like “bar”, “pub”, “table”? Not 
sure what impression it will give to the user though. :-)

Also, I for one like real-life metaphors. They make it easier to remember
names and to build a mental model. At least for me.

-- Rémi


* [Galene] Re: Is the passwd file still needed?
  2021-02-20  0:52             ` Juliusz Chroboczek
  2021-02-20 10:06               ` Rémi Nollet
@ 2021-02-20 11:49               ` Toke Høiland-Jørgensen
  2021-02-20 12:09                 ` Michael Ströder
  1 sibling, 1 reply; 15+ messages in thread
From: Toke Høiland-Jørgensen @ 2021-02-20 11:49 UTC (permalink / raw)
  To: Juliusz Chroboczek, Gabriel Kerneis; +Cc: galene

Juliusz Chroboczek <jch@irif.fr> writes:

>> If breaking changes are still possible, I'd go with "group" for this
>> concept, and "room" for the current groups.
>
> I tend to dislike real-world metaphors.

"Room" does seem to be popular in other services (e.g., matrix.org).
Otherwise there's "channel" (like in IRC) or "conference"?

Or, getting into sillier territory, "convent", "circle", "seance",
"gang", "society"? :P

-Toke


* [Galene] Re: Is the passwd file still needed?
  2021-02-20 11:49               ` Toke Høiland-Jørgensen
@ 2021-02-20 12:09                 ` Michael Ströder
  2021-02-20 12:22                   ` Toke Høiland-Jørgensen
  0 siblings, 1 reply; 15+ messages in thread
From: Michael Ströder @ 2021-02-20 12:09 UTC (permalink / raw)
  To: galene

On 2/20/21 12:49 PM, Toke Høiland-Jørgensen wrote:
> Juliusz Chroboczek <jch@irif.fr> writes:
> 
>>> If breaking changes are still possible, I'd go with "group" for this
>>> concept, and "room" for the current groups.
>>
>> I tend to dislike real-world metaphors.
> 
> "Room" does seem to be popular in other services (e.g., matrix.org).

Yes, "room" is pretty widely used and it looks familiar for users.

I hope this is not registered as trademark or in a patent. But such an
issue can arise with any term you choose.

> Otherwise there's "channel" (like in IRC) or "conference"?

Also good ones. My similar idea would be simply "meeting".

> Or, getting into sillier territory, "convent", "circle", "seance",
> "gang", "society"? :P

Or "dungeon" for role players...

Or an even more stupid suggestion Juliusz will surely not like: Add a
config parameter for choosing an arbitrary term for what's currently
called "group". Yes, let's discuss the default value now... ;-]

Ciao, Michael.


* [Galene] Re: Is the passwd file still needed?
  2021-02-20 12:09                 ` Michael Ströder
@ 2021-02-20 12:22                   ` Toke Høiland-Jørgensen
  0 siblings, 0 replies; 15+ messages in thread
From: Toke Høiland-Jørgensen @ 2021-02-20 12:22 UTC (permalink / raw)
  To: Michael Ströder, galene

Michael Ströder <michael@stroeder.com> writes:

> On 2/20/21 12:49 PM, Toke Høiland-Jørgensen wrote:
>> Juliusz Chroboczek <jch@irif.fr> writes:
>> 
>>>> If breaking changes are still possible, I'd go with "group" for this
>>>> concept, and "room" for the current groups.
>>>
>>> I tend to dislike real-world metaphors.
>> 
>> "Room" does seem to be popular in other services (e.g., matrix.org).
>
> Yes, "room" is pretty widely used and it looks familiar for users.
>
> I hope this is not registered as trademark or in a patent. But such an
> issue can arise with any term you choose.
>
>> Otherwise there's "channel" (like in IRC) or "conference"?
>
> Also good ones. My similar idea would be simply "meeting".
>
>> Or, getting into sillier territory, "convent", "circle", "seance",
>> "gang", "society"? :P
>
> Or "dungeon" for role players...

"Tower"? "Cave"? "Igloo"? "Attic"? "Cubicle"? "Dwelling"? "Hobbit hole"?

-Toke


* [Galene] Re: Is the passwd file still needed?
       [not found]         ` <YDAEso0xTvoIg+hJ@local>
@ 2021-02-20 12:23           ` Toke Høiland-Jørgensen
  0 siblings, 0 replies; 15+ messages in thread
From: Toke Høiland-Jørgensen @ 2021-02-20 12:23 UTC (permalink / raw)
  To: HWJ; +Cc: galene

(Adding back the list)

HWJ <hwj+galene@secure.mailbox.org> writes:
>>I.e., Galene can ask third-party services to authenticate a user ID,
>>with the passwd file being the default?
>
> I really like this idea.
>
> Maybe the "third-party service" could just be a shell script, that gets
> the group, username, and password as $1, $2, and $3 respectively.
> Then everybody could implement his own authentication system, e.g. using
> LDAP/AD (which is common in educational institutions).

Yeah, just calling an external program would be one obvious API. Another
(and maybe Galene should do both natively?) would be to call an external
web service.

-Toke
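
A sketch of the external-program hook discussed in this message, as an added example that is not Galène code and not part of the original post. The helper interface, the exit-status convention and the 5-second timeout are assumptions; so is sending the password on standard input instead of as `$3`, chosen because command-line arguments are readable by other local users through the process list.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"os/exec"
	"strings"
	"time"
)

// checkExternal asks a site-provided helper (hypothetical interface) whether a
// login is valid. Group and username are passed as $1 and $2; the password is
// written to the helper's standard input. Assumed convention: exit status 0
// accepts, any other status rejects.
func checkExternal(helper []string, group, user, password string) (bool, error) {
	if len(helper) == 0 {
		return false, errors.New("no helper configured")
	}
	if strings.ContainsAny(password, "\r\n\x00") {
		return false, errors.New("password contains a line break or NUL")
	}
	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
	defer cancel()

	// Values travel as separate argv entries, never spliced into a command string.
	args := append(append([]string{}, helper[1:]...), group, user)
	cmd := exec.CommandContext(ctx, helper[0], args...)
	cmd.Stdin = strings.NewReader(password + "\n")
	cmd.Env = []string{"PATH=/usr/bin:/bin"} // do not pass on the server's environment

	err := cmd.Run()
	var exitErr *exec.ExitError
	switch {
	case err == nil:
		return true, nil
	case ctx.Err() != nil:
		return false, fmt.Errorf("helper timed out: %w", ctx.Err())
	case errors.As(err, &exitErr):
		return false, nil // helper ran and rejected the login
	default:
		return false, err // helper could not be started: fail closed
	}
}

// demoHelper is a constructed stand-in for a site's script (which would
// normally query LDAP/AD); $0 is "demo-helper", $1 the group, $2 the username.
var demoHelper = []string{"/bin/sh", "-c",
	`IFS= read -r pw; [ "$1" = demo ] && [ "$2" = toke ] && [ "$pw" = "correct horse" ]`,
	"demo-helper"}

func main() {
	ok, err := checkExternal(demoHelper, "demo", "toke", "correct horse")
	fmt.Println(ok, err)
}
```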


* [Galene] Re: Is the passwd file still needed?
  2021-02-19 13:13         ` Juliusz Chroboczek
  2021-02-19 13:19           ` Gabriel Kerneis
@ 2021-02-23 15:11           ` Dave Taht
  1 sibling, 0 replies; 15+ messages in thread
From: Dave Taht @ 2021-02-23 15:11 UTC (permalink / raw)
  To: Juliusz Chroboczek; +Cc: Michael Ströder, galene

gang? Mafia? mutants?

On Fri, Feb 19, 2021 at 5:13 AM Juliusz Chroboczek <jch@irif.fr> wrote:
>
> > Well personally I can live without (4). The obvious answer that comes to
> > mind to implement it is user groups, though.
>
> I like the idea.  But the term "group" is already taken.  "Team"?
> "Clique"?  "Cabal"?  "Club"?



-- 
"For a successful technology, reality must take precedence over public
relations, for Mother Nature cannot be fooled" - Richard Feynman

dave@taht.net <Dave Täht> CTO, TekLibre, LLC Tel: 1-831-435-0729

