Multiuser OH Setup

If you want to use openHAB in an environment with lots of apartments and one network, i.e. a house for students, then it’ll be appropriate to exclude some people from some information. How can we configure openHAB to master these challenges?

First thoughts:

  • we use different sitemaps and some kind of login and forward to the specific sitemap.

Thanks in advance for your input.

Best regards,
Jochen

UPDATE: Found the following thread addressing a similar discussion

This is done using a reverse proxy configuration like NGINX.

However, realize that access to the REST API is all or nothing. While you can grant access to only certain sitemap URLs to given users, you also have to grant access to the REST API endpoints and an inquisitive student will be able to sniff the network and discover the endpoints.

There is work ongoing to allow authentication and authorization but I don’t know how far they have gotten. It is not easy to implement.

Now another approach which might work for you is to set up a separate OH server for each sitemap. Then use MQTT to proxy/mirror the items that users on that one OH Server are allowed to interact with. Then use the reverse proxy to control access to each separate OH server. The users will still be able to access the full REST API for that OH, but everything on that OH instance is a proxy for the “real” ones so the amount of damage they can do will be limited.

It’s not a fully secure configuration but it does let you limit the damage that can be done by someone rooting around in the REST API.

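A sketch of the per-instance layout described in the reply above, added here as an example and not taken from the thread or from the openHAB project. It assumes one mirror openHAB instance per apartment on loopback ports 8081 and 8082; the hostnames, ports, certificate paths and htpasswd paths are all assumptions.

```nginx
# Added example. Each apartment gets its own virtual host, its own credential
# file and its own mirror openHAB instance. Names, ports and paths are assumed.

# Apartment A: mirror instance that holds only the Items mirrored for A via MQTT.
server {
    listen 443 ssl;
    server_name apt-a.oh.example.lan;                # assumed hostname

    ssl_certificate     /etc/nginx/tls/apt-a.crt;    # placeholder path
    ssl_certificate_key /etc/nginx/tls/apt-a.key;    # placeholder path

    # Accounts in this file reach everything on this instance: the sitemaps
    # and the full REST API. The limit comes from what the instance contains.
    auth_basic           "openHAB apartment A";
    auth_basic_user_file /etc/nginx/htpasswd/apt-a;  # placeholder path

    location / {
        proxy_pass http://127.0.0.1:8081;            # assumed port of mirror A
        proxy_set_header Host              $http_host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

# Apartment B: same pattern, separate credentials, separate backend.
server {
    listen 443 ssl;
    server_name apt-b.oh.example.lan;                # assumed hostname

    ssl_certificate     /etc/nginx/tls/apt-b.crt;    # placeholder path
    ssl_certificate_key /etc/nginx/tls/apt-b.key;    # placeholder path

    auth_basic           "openHAB apartment B";
    auth_basic_user_file /etc/nginx/htpasswd/apt-b;  # placeholder path

    location / {
        proxy_pass http://127.0.0.1:8082;            # assumed port of mirror B
        proxy_set_header Host              $http_host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

The separation only holds if the mirror instances and the main openHAB instance are unreachable except through the proxy, for example by binding them to loopback or firewalling their ports.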