Is openhab 3 multiuser?

Did you try on the normal console, or did you try the following:

openhab-cli console
openhab:users [add|list|remove]

I tried:

  1. /openhab/bin/client
  2. ssh connection to localhost:8101

Where is openhab-cli located? I cannot find it in the docker container.

In my package install, openhab-cli is located under /usr/bin

If you have docker container named openhab and default passwords please run:

docker exec -it openhab /openhab/runtime/bin/client -p habopen

and then command users

It is not there in the docker image. What would be the difference to the other options I tried? The ssh is the one that is officially documented here: The Console | openHAB

Thank you smarthomepch but I tried that before:

It is not there :face_with_monocle:

Ooooooh I seeeeee… I accidentally connected to my old 2.5 instance :rofl:

Sorry guys, my bad! And thank you for your help!

But here you have OH2.5.11
You have to run it on OH3

Yes I still have my old instance running while I migrate to 3.0.0. Sorry I should have noticed that before…

:+1:
good that we’ve found what was the reason :slight_smile:

I did not realize that “client” simply opens a ssh connection. So even though I started it in the OH3 container it connected to my OH2.5 container…

Is it possible to restrict users (e.g. my children) to access only certain pages or sitemaps? If so, how do I do this. And if not, it would be great if this could be implemented. Thanks

4 Likes

I have the same need. After a bit of code reading and experimentation it turns out that even if the user management UI is not fully implemented, the function is operational.

First you need to create all the authorised users in the karaf console, and specify a role, for example, “user”, which is the default role and for which the UI allows selection of visibility (as of OH 3.0.1), or your specific roles such as “children” or “housekeeping” for example:

openhab> openhab:users add
Usage: openhab:users add <userId> <password> <role> - adds a new user with the specified role
openhab> openhab:users add gautier myNotSoStrongPassword user
gautier (user)
User created.
openhab> openhab:users add John myNotSoStrongPassword housekeeping
John (housekeeping)
User created.

Then, in the web UI, when you switch to code view for the pages that you want access-restricted, you can add which roles have access to it:
config:
  visibleTo:
    - role:administrator
    - role:housekeeping

Of course the users will now have to log in to confirm that they are in the ‘user’ role. Otherwise they will only see pages where no visibleTo setting was made. But since the token is saved, you only need to do it the first time.

It turns out that it is documented: https://www.openhab.org/docs/ui/building-pages.html#widgets-definition-usage

You can also restrict pages per user (not role).

1 Like

Hi friend,

I have created some roles and I have added them so that they can see some specific layouts. This works for me, however, these layouts show data like temperatures and more and I can’t see those values. On the other hand, a user role user can see them. I have added to the code the visible one for the desired role.

Looking at the console it is returning me:
{
  "error": {
    "message": "Access denied",
    "http-code": 403
  }
}
I don’t know if this has to do with what you said in the last paragraph about a token. I am new and I am not very clear about this.

Thanks in advance.

It turns out that an openhab user needs to belong at least to either the administrator or the user role. Otherwise, the user will not be able to access any page contents, as the REST API will return this kind of unauthorised errors.

Then, you can add additional roles to a given user to manage access to the various pages depending on your needs at a role level, because one user can belong to several roles. Unfortunately, it seems there is no UI to perform this task as of version 3.1, neither through the web ui nor through the openhab karaf console.

The only way I found to add a user to several roles is manually editing the userdata/jsondb/users.json file. Look at this example where user hpi belongs to 2 roles: user and atelier:

{
  "hpi": {
    "class": "org.openhab.core.auth.ManagedUser",
    "value": {
      "name": "hpi",
      "passwordHash": ....
      "roles": [
        "user",
        "atelier"
      ],
      "sessions": [
      ...
      ]
    }
  },
  "jennifer": {
    "class": "org.openhab.core.auth.ManagedUser",
    "value": {
      "name": "jennifer",
      "passwordHash": ...
      "roles": [
        "user",
        "maison"
      ],
      ...
    }
  }
}

As with all modifications to JSON DB, I guess you need to do this modification while openhab is not running.

I found it quite convenient to manage access to various items depending on roles and not on the user id itself. That way, definition of the layouts is faster and more flexible. You reduce the risk of forgetting to add a user to access a specific UI part.

1 Like
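
The manual edit described in the post above, as an added example that is not part of the original posts and is not openHAB project code: a Python script that finds users holding neither the administrator nor the user role, adds a role, and writes the file back with a backup. The function names are hypothetical, the sample data and placeholder hashes are constructed, and the script assumes the users.json layout shown in the post and that openHAB is stopped while it runs.

```python
import json, os, shutil, tempfile

BASE_ROLES = {"administrator", "user"}  # one of these is required, per the post above

def users_without_base_role(db):
    """User ids holding neither base role; per the thread the REST API denies them."""
    return sorted(uid for uid, rec in db.items()
                  if not BASE_ROLES & set(rec["value"].get("roles", [])))

def add_role(db, user_id, role):
    """Append role to an existing user; return True if the record changed."""
    roles = db[user_id]["value"].setdefault("roles", [])
    if role in roles:
        return False
    roles.append(role)
    return True

def save(db, path):
    """Keep a .bak copy, then atomically replace the file with the edited data."""
    shutil.copy2(path, path + ".bak")
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
    with os.fdopen(fd, "w") as fh:
        json.dump(db, fh, indent=2)
    shutil.copymode(path, tmp)  # mkstemp creates the file 0600; keep the original mode
    os.replace(tmp, path)

def demo():
    # Constructed sample in the layout shown in the post; hashes are placeholders.
    sample = {
        "hpi": {"class": "org.openhab.core.auth.ManagedUser",
                "value": {"name": "hpi", "passwordHash": "PLACEHOLDER",
                          "roles": ["user", "atelier"], "sessions": []}},
        "john": {"class": "org.openhab.core.auth.ManagedUser",
                 "value": {"name": "john", "passwordHash": "PLACEHOLDER",
                           "roles": ["housekeeping"], "sessions": []}},
    }
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "users.json")
        with open(path, "w") as fh:
            json.dump(sample, fh)
        with open(path) as fh:
            db = json.load(fh)
        before = users_without_base_role(db)  # john has only "housekeeping"
        for uid in before:
            add_role(db, uid, "user")
        save(db, path)
        with open(path) as fh:
            reloaded = json.load(fh)
        return before, users_without_base_role(reloaded), reloaded["john"]["value"]["roles"]

if __name__ == "__main__":
    print(demo())
```
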

Hello again,

You were right. Thank you very much for the perfect explanation and example. It has solved the problem for me and I think this example may help other people.

Greetings and thanks again.

Raise a request via github to e.g. create an addgroup command to karaf console.
Most probably then also requires deletegroup.

1 Like

You are right.

Here it is: https://github.com/openhab/openhab-core/issues/2453

1 Like

Hello,

I wonder if it is necessary that the “implicit user role” option must be enabled to be able to see the screens.

Since disabling it has stopped working even for the administrator role and I get a 401 message as before. I do not understand anything.

On the other hand, I’m concerned that if I don’t disable this option, anyone can make GET / PUT … requests via API and get results.

I would like that API requests could not be made if credentials are not used but I also need to be able to see the data.

Any ideas?