Revoke Permissons for certain Users

  • Platform information:

    • OS: Windows Server 2016 on a VM
    • Java Runtime Environment: java 10
    • openHAB version: 3.0
  • Issue of the topic:

i want to implement openhab in my business. However i want to be the only who can change the majority of openhab itself.
regular colleagues shouldnt have the same amount of permissons as I and other Admins.

But i simply cant find an easy tutorial on how to implement those parameters.

Thanks in advance

There aren’t any user management features (yet)

Just to provide a little background on users in openHAB 3.

OH 3 does support creating users, but you have to use the Karaf Console to create them/change passwords.

                           _   _     _     ____  
   ___   ___   ___   ___  | | | |   / \   | __ ) 
  / _ \ / _ \ / _ \ / _ \ | |_| |  / _ \  |  _ \ 
 | (_) | (_) |  __/| | | ||  _  | / ___ \ | |_) )
  \___/|  __/ \___/|_| |_||_| |_|/_/   \_\|____/ 
       |_|       3.1.0-SNAPSHOT - Build #2431

Use '<tab>' for a list of available commands
and '[cmd] --help' for help on a specific command.
To exit, use '<ctrl-d>' or 'logout'.

openhab> openhab:users
Usage: openhab:users list - lists all users
Usage: openhab:users add <userId> <password> <role> - adds a new user with the specified role
Usage: openhab:users remove <userId> - removes the given user
Usage: openhab:users changePassword <userId> <newPassword> - changes the password of a user
Usage: openhab:users listApiTokens - lists the API tokens for all users
Usage: openhab:users addApiToken <userId> <tokenName> <scope> - adds a new API token on behalf of the specified user for the specified scope
Usage: openhab:users rmApiToken <userId> <tokenName> - removes (revokes) the specified API token
Usage: openhab:users clearSessions <userId> - clear the refresh tokens associated with the user (will sign the user out of all sessions)
openhab>                                                                                                                                                                                 

Users can have one of two roles:

  • admin: the Settings and Developer Tools entries in MainUI will appear and this user has full access to all of openHAB’s REST APIs (i.e. they can do anything).
  • user: these users will only have access to Pages in MainUI and will not have the ability to edit, their access to the REST API is usually limited to just Items.

By default, non-logged in users are treated as if they have the role of “user”. This behavior can be turned off in Settings > API Security.

When turned off, nothing can be accessed without logging on.

There is a feature of Pages where you can show or hide certain widgets or Items based on the user’s logged in role. However, this is not a security feature. A knowledgable user could still access and interact with these Items through the REST API and they will be able to discover that stuff is being hidden through the browser’s debug console and such. But this can be useful to hide information that regular users do not need.

There is no Item-by-Item authentication and authorization controls. It’s either all or nothing. For something like that you’ll need a combination of rossko57’s link and the above. But it’s going to be a whole lot of work.

1 Like