I’d like to share my open-source solution to authorization per sitemap for multiple users in openHAB2.
My concept was developed with the sidecar pattern in mind and assumes that all traffic towards openHAB2 passes through an HTTP-aware (layer 7) reverse proxy, e.g. nginx or Envoy. The openhab-auth-router inspects a header, set by the proxy in front of openHAB, that carries the authenticated user name, and applies its configured rules to the traffic. The router itself does not do authentication, only authorization. That means it trusts the user header completely: the proxy must overwrite any value a client supplies for that header, and neither the router nor openHAB should be reachable except through the proxy.
Typical use case description:
You run openHAB2 behind nginx with HTTP basic authentication enabled. Now you want to decide which of the configured users may access which sitemaps in openHAB. So you have nginx covering authentication and can use openhab-auth-router as an authorization sidecar to your openHAB2 instance. It intercepts the traffic and applies a given set of rules.
This is achieved simply by telling nginx to route all requests to the auth-router instead of directly to openHAB.
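To make the authenticate-then-authorize split concrete, here is a minimal sidecar in Go written as an added example for this post; it is not code from openhab-auth-router. The header name `X-Forwarded-Username`, the per-user rule fields `Default` and `Allowed`, and the sample users are assumptions for the example, not the router's real configuration schema. It reads the user the proxy put in the header, decides whether the requested Basic UI sitemap is permitted, and only then reverse-proxies to openHAB.

```go
package main

import (
	"fmt"
	"log"
	"net/http"
	"net/http/httputil"
	"net/url"
)

// userHeader is the header the authenticating proxy (nginx) sets after
// basic auth succeeds. The name is an assumption for this example.
const userHeader = "X-Forwarded-Username"

// Rule is one user's authorization: the sitemap they land on when none is
// requested, and the sitemaps they may open. Illustrative schema only.
type Rule struct {
	Default string
	Allowed []string
}

// Decision is the outcome of authorizing one request.
type Decision struct {
	Status   int    // 200 pass through, 302 redirect, 403 deny
	Location string // redirect target when Status == 302
}

// Authorize applies the rules to one request. A missing or unknown user is
// always denied; paths other than the Basic UI entry point pass through.
func Authorize(rules map[string]Rule, user, path, sitemap string) Decision {
	rule, ok := rules[user]
	if user == "" || !ok {
		return Decision{Status: http.StatusForbidden}
	}
	if path != "/basicui/app" {
		return Decision{Status: http.StatusOK}
	}
	if sitemap == "" {
		// No sitemap requested: send the user to their own default one.
		return Decision{
			Status:   http.StatusFound,
			Location: "/basicui/app?sitemap=" + url.QueryEscape(rule.Default),
		}
	}
	for _, s := range rule.Allowed {
		if s == sitemap {
			return Decision{Status: http.StatusOK}
		}
	}
	return Decision{Status: http.StatusForbidden}
}

// Sidecar authorizes each request and then forwards it to openHAB.
type Sidecar struct {
	Rules map[string]Rule
	Proxy *httputil.ReverseProxy
}

func (s *Sidecar) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	d := Authorize(s.Rules, r.Header.Get(userHeader), r.URL.Path, r.URL.Query().Get("sitemap"))
	switch d.Status {
	case http.StatusForbidden:
		http.Error(w, "sitemap not permitted for this user", http.StatusForbidden)
	case http.StatusFound:
		http.Redirect(w, r, d.Location, http.StatusFound)
	default:
		s.Proxy.ServeHTTP(w, r)
	}
}

func main() {
	// openHAB must listen only where the sidecar can reach it (loopback here),
	// otherwise clients could bypass the authorization step entirely.
	openhab, err := url.Parse("http://127.0.0.1:8080")
	if err != nil {
		log.Fatal(err)
	}
	s := &Sidecar{
		Rules: map[string]Rule{ // constructed sample users
			"alice": {Default: "house", Allowed: []string{"house", "garden"}},
			"guest": {Default: "guest", Allowed: []string{"guest"}},
		},
		Proxy: httputil.NewSingleHostReverseProxy(openhab),
	}
	fmt.Println("sidecar listening on 127.0.0.1:9090")
	log.Fatal(http.ListenAndServe("127.0.0.1:9090", s))
}
```

In this layout nginx does basic auth, sets the user header (overwriting anything the client sent) and proxies to 127.0.0.1:9090; the sidecar only ever sees already-authenticated requests. Note that the example filters only the Basic UI entry point: Basic UI also loads sitemap contents through the REST API (`/rest/sitemaps/<name>/...`), so a real deployment needs rules for those paths too, or a user could still fetch a sitemap they are not allowed to open.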
The router comes as a pre-compiled binary for multiple architectures and as a docker image.
I created guides on how to deploy it as a vanilla binary, as a vanilla binary managed by systemd, with docker, with docker managed by systemd, and on Kubernetes. All of these can be found in the project README.md.
The README also includes a guide on how to integrate the router into a running setup: first as a pure passthrough, then with an applied ruleset.
Furthermore, you can try the router outside of a running setup entirely by using the docker-based examples, which are also handy if you'd like to contribute to the Go source.
I have been running the v0.0.1-alpha in production for a couple of weeks now and haven’t had any incidents yet. My setup runs on Kubernetes.