How to restrict a Foreman API user from logging in to the console

How do I restrict a Foreman API user so that the user can only access Foreman through the API and cannot log in to the console?

You mean to allow the user to access /api but not the WebUI at /? That’s currently not possible.

What is the scenario you want this in? Maybe we can help with other restrictions?


Hi,
Thank you for your reply. Alternatively, how can we protect the API user? We need to put the user and password into a client script and execute it on the client, but if others can see that, it is not secure.

Thanks again, best wishes
yanyan

What is the purpose of the client script?

Hi,

The user needs these permissions; what is the best way to do that?

[screenshot: the user's permission list (image not available)]

Thanks again, best wishes
yanyan

Seems the screenshot didn’t properly make it into your post?

But again, my question was what the purpose of the script is, not which permissions you’ve set.
E.g. if the script is used for registration, you could use tokens, which are only capable of registrations and nothing more.

Hi,
Thank you. How do I use the tokens? What documentation can I refer to?

Thanks again, best wishes
yanyan

If it’s for registration, have a look at Managing Hosts documentation, which walks you through the procedure.

If it’s for something else (you still didn’t say what you’re trying to achieve), I don’t know if tokens can be used for that, but we can ask @Marek_Hulan.


If I understand the question correctly and you want the user to only use the API (and not be allowed access to the Web UI), then Personal Access Tokens can somewhat help you. PATs can be used instead of a password and are only accepted for API requests. However, a user with a PAT can edit their password, which grants them access to the UI. We may want to limit that capability for PAT-authenticated requests, since every authenticated user can edit their profile, including their password. That may be a relatively easy fix.

With that implemented, one could create a user account with a password that’s impossible to guess. Then impersonate that user and go to their edit form. Under the tab Personal Access Tokens, add a new token and share that with the user as their password. Some additional info about the usage can be found here: API access via Personal Access Tokens

A better fit for this would be using JWTs, which are not complete yet, though. Since Foreman 2.4 it’s possible to generate a JWT scoped to specific controllers, but there’s no way for a user to create custom tokens like that. Not sure if @lstejska has progressed with that in any way.
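As an added example (not code from Foreman or from anyone in this thread), here is the shape a client script could take once the dedicated user has a Personal Access Token: the PAT goes in the password slot of HTTP basic auth on an `/api` request, as the thread describes, and the token is read from a file that only the script's user can read rather than being pasted into the script body. The host name `foreman.example.com` and the file locations are assumptions.

```python
"""Client-side use of a Foreman Personal Access Token (PAT).

Added example, not part of the original thread and not Foreman's own code.
Assumptions: the Foreman host name, and that the PAT is stored in a file
with mode 0600 next to the script instead of inside the script itself.
"""
import base64
import os
import stat
import tempfile
import urllib.request

FOREMAN_URL = "https://foreman.example.com"  # assumed host, not from the thread


def write_token_file(token, mode=0o600):
    """Create a token file with the given mode and return its path.

    Used here so the example runs stand-alone; in practice an admin writes the
    file once when provisioning the client.
    """
    fd, path = tempfile.mkstemp(prefix="foreman-pat-")
    with os.fdopen(fd, "w") as fh:
        fh.write(token + "\n")
    os.chmod(path, mode)
    return path


def load_token(path):
    """Read the PAT, refusing a file that group or other users can read.

    The concern raised in the thread is that anyone who can read the client
    script would see the credential; keeping the token in a 0600 file means
    reading the script alone does not reveal it.
    """
    mode = os.stat(path).st_mode
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path} must not be readable by group or others")
    with open(path) as fh:
        return fh.read().strip()


def build_api_request(base_url, user, token, path):
    """Build an /api request using HTTP basic auth with the PAT as the password.

    Foreman accepts a PAT only for /api requests, so this credential does not
    open a web UI session at / the way the account password would.
    """
    creds = base64.b64encode(f"{user}:{token}".encode()).decode()
    url = f"{base_url.rstrip('/')}/api/{path.lstrip('/')}"
    req = urllib.request.Request(url)
    req.add_header("Authorization", f"Basic {creds}")
    req.add_header("Accept", "application/json")
    return req


if __name__ == "__main__":
    # Constructed token value for the demo; a real PAT is generated in the
    # user's edit form under the Personal Access Tokens tab.
    token_path = write_token_file("constructed-demo-token")
    pat = load_token(token_path)
    req = build_api_request(FOREMAN_URL, "api-user", pat, "/hosts")
    print(req.full_url)
    # urllib.request.urlopen(req) would perform the call against a real server.
```

The user the PAT belongs to should carry only the permissions the script needs (the thread's point about registration-only tokens applies equally here), so that a leaked token limits what an attacker can do through the API.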