Just to provide a little background on users in openHAB 3.
OH 3 does support creating users, but you have to use the Karaf Console to create them/change passwords.
```
                           _   _     _     ____
   ___   ___   ___   ___  | | | |   / \   | __ )
  / _ \ / _ \ / _ \ / _ \ | |_| |  / _ \  |  _ \
 | (_) | (_) |  __/| | | ||  _  | / ___ \ | |_) )
  \___/|  __/ \___/|_| |_||_| |_|/_/   \_\|____/
       |_|       3.1.0-SNAPSHOT - Build #2431

Use '<tab>' for a list of available commands
and '[cmd] --help' for help on a specific command.
To exit, use '<ctrl-d>' or 'logout'.

Usage: openhab:users list - lists all users
Usage: openhab:users add <userId> <password> <role> - adds a new user with the specified role
Usage: openhab:users remove <userId> - removes the given user
Usage: openhab:users changePassword <userId> <newPassword> - changes the password of a user
Usage: openhab:users listApiTokens - lists the API tokens for all users
Usage: openhab:users addApiToken <userId> <tokenName> <scope> - adds a new API token on behalf of the specified user for the specified scope
Usage: openhab:users rmApiToken <userId> <tokenName> - removes (revokes) the specified API token
Usage: openhab:users clearSessions <userId> - clear the refresh tokens associated with the user (will sign the user out of all sessions)
```
Users can have one of two roles:
- admin: the Settings and Developer Tools entries in MainUI will appear and this user has full access to all of openHAB’s REST APIs (i.e. they can do anything).
- user: these users will only have access to Pages in MainUI and will not have the ability to edit; their access to the REST API is usually limited to just Items.
By default, non-logged in users are treated as if they have the role of “user”. This behavior can be turned off in Settings > API Security.
When turned off, nothing can be accessed without logging on.
There is a feature of Pages where you can show or hide certain widgets or Items based on the user’s logged in role. However, this is not a security feature. A knowledgeable user could still access and interact with these Items through the REST API and they will be able to discover that stuff is being hidden through the browser’s debug console and such. But this can be useful to hide information that regular users do not need.
There are no Item-by-Item authentication and authorization controls. It’s either all or nothing. For something like that you’ll need a combination of rossko57’s link and the above. But it’s going to be a whole lot of work.
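To check which of the two API Security states described above an instance is in, the following added example (not part of the original post, and not openHAB code) sends unauthenticated requests and classifies the answers. It assumes `/rest/things` is an admin-only endpoint and that rejected requests return 401 or 403; `mock_openhab` is a constructed stand-in so the script runs offline.

```python
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Direct connections only, so a proxy set in the environment is not used.
_opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))

def probe(base_url, path, timeout=5):
    """HTTP status of a GET sent with no credentials or API token."""
    try:
        with _opener.open(base_url + path, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code

def audit_anonymous_access(base_url):
    """Classify what a non-logged-in client can reach on the REST API."""
    items = probe(base_url, "/rest/items")    # page: "user" role can reach Items
    things = probe(base_url, "/rest/things")  # assumption: admin-only endpoint
    if things == 200:
        return "FAIL: admin-level endpoint answers without login"
    if items == 200:
        return "WARN: implicit user role is on, Items are readable without login"
    if items in (401, 403):
        return "OK: anonymous requests are rejected"
    return f"UNKNOWN: /rest/items returned HTTP {items}"

def mock_openhab(implicit_user_role):
    """Constructed stand-in for an openHAB instance, for offline runs only."""
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            allowed = implicit_user_role and self.path == "/rest/items"
            self.send_response(200 if allowed else 401)
            self.end_headers()
            if allowed:
                self.wfile.write(b"[]")
        def log_message(self, *args):  # keep the demo output quiet
            pass
    server = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_port}"

if __name__ == "__main__":
    for setting in (True, False):
        server, url = mock_openhab(setting)
        print(f"implicit user role={setting}:", audit_anonymous_access(url))
        server.shutdown()
```

Against a real instance, call `audit_anonymous_access` with the base URL of your own openHAB server instead of the mock.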