Is openhab 3 multiuser?

I tried:

  1. /openhab/bin/client
  2. ssh connection to localhost:8101

Where is openhab-cli located? I cannot find it in the docker container.

In my package install, openhab-cli is located under /usr/bin

If you have a docker container named openhab and default passwords, please run:

docker exec -it openhab /openhab/runtime/bin/client -p habopen

and then command users

It is not there in the docker image. What would be the difference to the other options I tried? The ssh is the one that is officially documented here: The Console | openHAB

Thank you smarthomepch but I tried that before:

It is not there :face_with_monocle:

Ooooooh I seeeeee… I accidentally connected to my old 2.5 instance :rofl:

Sorry guys, my bad! And thank you for your help!

But here you have OH2.5.11
You have to run it on OH3

Yes I still have my old instance running while I migrate to 3.0.0. Sorry I should have noticed that before…

:+1:
Good that we’ve found what the reason was :slight_smile:

I did not realize that “client” simply opens a ssh connection. So even though I started it in the OH3 container it connected to my OH2.5 container…

Is it possible to restrict users (e.g. my children) to access only certain pages or sitemaps? If so, how do I do this? And if not, it would be great if this could be implemented. Thanks

5 Likes

I have the same need. After a bit of code reading and experimentation it turns out that even if the user management UI is not fully implemented, the function is operational.

First you need to create all the authorised users in the karaf console, and specify a role, for example, “user”, which is the default role and for which the UI allows selection of visibility (as of OH 3.0.1), or your specific roles such as “children” or “housekeeping” for example:

openhab> openhab:users add
Usage: openhab:users add <userId> <password> <role> - adds a new user with the specified role
openhab> openhab:users add gautier myNotSoStrongPassword user
gautier (user)
User created.
openhab> openhab:users add John myNotSoStrongPassword housekeeping
John (housekeeping)
User created.

Then, in the web UI, when you switch to code view for the pages that you want access-restricted, you can add which roles have access to it:
config:
  visibleTo:
    - role:administrator
    - role:housekeeping

Of course the users will now have to log in to confirm that they are in the ‘user’ role. Otherwise they will only see pages where no visibleTo setting was made. But since the token is saved, you only need to do it the first time.

It turns out that it is documented: https://www.openhab.org/docs/ui/building-pages.html#widgets-definition-usage

You can also restrict pages per user (not role).

2 Likes

Hi friend,

I have created some roles and I have added them so that they can see some specific layouts. This works for me, however, these layouts show data like temperatures and more and I can’t see those values. On the other hand, a user with the user role can see them. I have added the visibleTo setting for the desired role to the code.

Looking at the console it is returning:

{
  "error": {
    "message": "Access denied",
    "http-code": 403
  }
}
I don’t know if this has to do with what you said in the last paragraph about a token. I am new and I am not very clear about this.

Thanks in advance.

It turns out that an openhab user needs to belong at least to either the administrator or the user role. Otherwise, the user will not be able to access any page contents, as the REST API will return this kind of unauthorised errors.

Then, you can add additional roles to a given user to manage access to the various pages depending on your needs at a role level, because one user can belong to several roles. Unfortunately, it seems there is no UI to perform this task as of version 3.1, neither through the web ui nor through the openhab karaf console.

The only way I found to add a user to several roles is manually editing the userdata/jsondb/users.json file. Look at this example where user hpi belongs to 2 roles: user and atelier:

{
  "hpi": {
    "class": "org.openhab.core.auth.ManagedUser",
    "value": {
      "name": "hpi",
      "passwordHash": ....
      "roles": [
        "user",
        "atelier"
      ],
      "sessions": [
      ...
      ]
    }
  },
  "jennifer": {
    "class": "org.openhab.core.auth.ManagedUser",
    "value": {
      "name": "jennifer",
      "passwordHash": ...
      "roles": [
        "user",
        "maison"
      ],

As with all modifications to JSON DB, I guess you need to do this modification while openhab is not running.

I found it quite convenient to manage access to various items depending on roles and not on the user id itself. That way, definition of the layouts is faster and more flexible. You reduce the risk of forgetting to add a user to access a specific UI part.

1 Like
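A small script for that users.json edit, as an added example that is not from this thread or from openHAB itself: it loads the JSON DB, appends a role to a user, refuses to leave a user without the user or administrator base role (the lockout the thread describes), and writes through a temporary file plus rename. The sample users.json content and the hash value are constructed placeholders.

```python
import json
from pathlib import Path

# Constructed sample of userdata/jsondb/users.json; the hash is a placeholder.
SAMPLE_USERS_JSON = """{
  "hpi": {
    "class": "org.openhab.core.auth.ManagedUser",
    "value": {
      "name": "hpi",
      "passwordHash": "PLACEHOLDER_HASH",
      "roles": ["user"], "sessions": []
    }
  }
}"""

# The thread notes a user needs 'user' or 'administrator' to get any page data.
BASE_ROLES = {"user", "administrator"}


def load_users(text: str) -> dict:
    """Parse the users.json content into a dict keyed by user id."""
    return json.loads(text)


def add_role(db: dict, user_id: str, role: str) -> list:
    """Append role to user_id (idempotent) and return the resulting role list.
    Raises KeyError for an unknown user and ValueError if the user would end
    up without a base role, i.e. locked out of all item data."""
    roles = db[user_id]["value"].setdefault("roles", [])
    if role not in roles:
        roles.append(role)
    if not BASE_ROLES & set(roles):
        raise ValueError(f"{user_id} would have no user/administrator role")
    return roles


def add_role_to_file(path: Path, user_id: str, role: str) -> list:
    """Edit users.json in place while openHAB is stopped. Writing to a temp
    file and renaming it means a crash cannot leave a truncated JSON DB."""
    db = load_users(path.read_text(encoding="utf-8"))
    roles = add_role(db, user_id, role)
    tmp = path.with_name(path.name + ".tmp")
    tmp.write_text(json.dumps(db, indent=2), encoding="utf-8")
    tmp.replace(path)
    return roles
```

Call add_role_to_file(Path("userdata/jsondb/users.json"), "hpi", "atelier") with openHAB stopped, as the post above advises, and keep a backup of the file first.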

Hello again,

You were right. Thank you very much for the perfect explanation and example. It has solved the problem for me and I think this example may help other people.

Greetings and thanks again.

Raise a request via github to e.g. create an addgroup command to karaf console.
Most probably then also requires deletegroup.

1 Like

You are right.

Here it is: https://github.com/openhab/openhab-core/issues/2453

1 Like

Hello,

I wonder if it is necessary that the “implicit user role” option must be enabled to be able to see the screens.

Since disabling it, it has stopped working even for the administrator role, and I get a 401 message as before. I do not understand anything.

On the other hand, I’m concerned that if I don’t disable this option, anyone can make GET / PUT … requests via API and get results.

I would like API requests to be impossible without credentials, but I also need to be able to see the data.

Any ideas?

The “implicit user” function, as described, is needed for “clients” that are not able to do “authentication”… Which mainly means when something uses the REST API to access data from openHAB… If you do something like that you are for sure aware of what it means…

But there is a second thing it is needed for. If you e.g. access openHAB via your web browser without providing user credentials (namely logging in), you will see the fields that are not restricted to special users or administrators by the visibleTo flag, but you will not see the data that should be displayed in the widgets, as the “anonymous user” without implicit user role is not considered a user and will not get data…
Now you have two choices to fix that:
Turn on implicit user role, but this will allow anybody from anywhere to see the data or, in case of a switch, even turn it on, if your firewall doesn’t restrict access or someone did break through your router into your network.
Or you define exceptions for IP address ranges that get the implicit user role even when implicit user role is turned off, in the trusted networks section, which is what I suggest if you have, need or want to access openHAB without providing credentials.

Basically, on security there are always two approaches…
The brave approach: allow everything that you do not necessarily need to prohibit and then start prohibiting, and see if things still work as you want (the approach I suggest, as long as your firewall is safe and you neither port-forward your OH to the internet nor use the cloud access system)… Means turn on implicit user role and ignore trusted networks, till the very day you need to close things, then turn off implicit user and set your complete local network to trusted [comma-separated CIDR notation].

The fearful approach: turn off implicit user and do not set trusted networks, then unauthorized access will never work… And then only if unauthorized access is needed, enter the exact IP address of the device from which unauthorized access with implicit user role is needed in the trusted networks section…
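To make the interplay of login, roles, visibleTo, the implicit user role and trusted networks concrete, here is an added example that is not openHAB’s code but a simplified model of the rules exactly as this thread describes them; it decides, for one request, whether a page is visible and whether its item data will be returned.

```python
import ipaddress

# Simplified model of the access rules as described in this thread; it is not
# openHAB's own code and the real implementation may differ in details.
BASE_ROLES = {"user", "administrator"}


def effective_roles(user, client_ip, implicit_user_role, trusted_networks):
    """Roles a request acts with. user is {'name': ..., 'roles': [...]} for a
    logged-in user or None for an anonymous request; anonymous requests get
    the 'user' role only when the implicit user role setting is on or the
    client IP lies in one of the trusted networks (CIDR strings)."""
    if user is not None:
        return set(user["roles"])
    ip = ipaddress.ip_address(client_ip)
    if implicit_user_role or any(
        ip in ipaddress.ip_network(net, strict=False) for net in trusted_networks
    ):
        return {"user"}
    return set()


def can_see_page(page_config, user, roles):
    """visibleTo entries are 'role:<name>' or 'user:<name>'; a page without
    visibleTo is shown to everyone, logged in or not."""
    visible_to = page_config.get("visibleTo")
    if not visible_to:
        return True
    name = user["name"] if user else None
    for entry in visible_to:
        kind, _, value = entry.partition(":")
        if (kind == "role" and value in roles) or (kind == "user" and value == name):
            return True
    return False


def can_read_item_data(roles):
    """The REST API refuses item data (403/401) unless the caller holds the
    user or administrator role, so a visible page can still stay empty."""
    return bool(roles & BASE_ROLES)


def evaluate(page_config, user, client_ip, implicit_user_role=False,
             trusted_networks=()):
    """Return (page_visible, data_visible) for a single request."""
    roles = effective_roles(user, client_ip, implicit_user_role, trusted_networks)
    return can_see_page(page_config, user, roles), can_read_item_data(roles)
```

The "page visible but 403 on data" case from earlier in the thread is a user whose only role is a custom one such as housekeeping; adding user to that account fixes it, while enabling the implicit user role would instead open the data to every unauthenticated client.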