Java Runtime Environment: 11.0.15 (Temurin-11.0.15+10) (running in Docker)
openHAB version: 3.3.0 (running in Docker)
ConBee 2 USB stick
In my smart home system, I have two types of ZigBee devices:
switchable sockets (Philips Hue Smart Plug) and
temperature sensors (Aqara Temperature & Humidity Sensor).
Because I do not want everyone to be able to switch the sockets without logging in to openHAB, I disabled the implicit user role.
However, I want everybody to be able to see the current temperatures, displayed on an openHAB sitemap. At the moment, the sitemap is shown without authentication but contains the error "SSE subscription failed (401 Unauthorized): running in fallback mode".
So my question is: what is the recommended openHAB way for this?
1. Should I enable the implicit user role again and delete openHAB's Overview page so that nobody can switch the sockets without authentication?
2. Should I create a dedicated user to display the temperature sensors? If yes, do I have to create a dedicated role for this user to avoid that it can switch the sockets as well?
It depends on how thoroughly you want to prevent this.
In MainUI you can set the visibility on a per Item basis and per widget basis depending on the type of user logged in. So with the implicit user turned off and visibility set to just the admin role but the temperature sensors left unchanged, only those logged in as an admin user will see the switches.
However, visibility is not a security control. It only hides the widgets. It doesn’t prevent access to the Items so a clever, determined, or knowledgeable user on your LAN could flip the switches.
None of your approaches will work in OH as it currently exists. All of the UIs get their updates through the REST API and the authentication controls access to that API. That’s why you see the error in BasicUI when you disable the implicit role. BasicUI doesn’t really have a way to provide that authentication on its own. Note that the error is really a warning.
Option 1 won't work because you cannot delete the Overview page. You could remove everything from the semantic model, set the visibility of the Locations, Equipment, and Properties tabs to off, or set the visibility to only the admin role, but you can't delete the Overview page, only set it to blank.
Option 2 won't work because visibility is by user role, not by individual user.
As of 3.4, widgets do have access to a user object which includes the name of the logged in user. So while the visibleTo property still only supports broad user roles, you can craft a general visible property for a widget that works on a per user basis.
As with what Rich said, this is not a full security measure, but does result in widgets that only particular users can see and interact with.
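To make the two mechanisms from the replies above concrete (role-based `visibleTo` from Rich's reply, and the per-user `visible` expression built on the 3.4 `user` object), here is a MainUI widget in the YAML form Main UI uses. This is an added example, not code from this thread or from the openHAB project. The item names `Hue_Plug_Living` and `Aqara_Temp_Living`, the username `bob`, and the exact shape of the `visible` expression are assumptions; the `user.name` property is the one the reply above describes.

```yaml
# Added example, not from the original thread or from openHAB itself.
# Assumed item names: Hue_Plug_Living (Switch), Aqara_Temp_Living (Number:Temperature).
# Assumed username: bob. `user.name` is the 3.4 widget-expression user object
# described above; the rest of the expression syntax is illustrative.
uid: demo_home_card
props:
  parameters: []
tags: []
component: f7-card
config:
  title: Living room
slots:
  default:
    # Temperature: no visibility restriction, anyone who can load the page sees it.
    - component: oh-label-item
      config:
        item: Aqara_Temp_Living
        title: Temperature
    # Switch, coarse gate: visibleTo accepts roles only (administrator / user).
    - component: oh-toggle-item
      config:
        item: Hue_Plug_Living
        title: Smart plug (admins)
        visibleTo:
          - role:administrator
    # Switch, per-user gate: the visible expression can test the logged-in name.
    # Assumption: expressions start with "=" and the user object may be unset when
    # nobody is logged in, hence the guard.
    - component: oh-toggle-item
      config:
        item: Hue_Plug_Living
        title: Smart plug (bob only)
        visible: =(user && user.name === "bob")
```

Both switches only disappear from the rendered page. As Rich's reply says, the `Hue_Plug_Living` item itself is not protected by this: anyone who can authenticate to the REST API with the `user` role can still send it a command, so this decides what each user sees, not what they are allowed to do.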
There’s no fine-grained authorization concept in openHAB yet to securely restrict access to certain resources. There are admins and users.
For my purposes, I could create a dedicated account within the user role and use the sitemap’s visibleTo property to restrict access only to this user. However, this only applies to the UI - one could still access the data via REST API.