I'm running uibuilder on ubuntu installed on a user account $home/.node-red/uibuilder
When I tried to access uibindex via Show Detailed Information icon, I got this error msg
Unauthorized
May I know how do I troubleshoot this issue ?
Thanks
I'm running uibuilder on ubuntu installed on a user account $home/.node-red/uibuilder
When I tried to access uibindex via Show Detailed Information icon, I got this error msg
Unauthorized
May I know how do I troubleshoot this issue ?
Thanks
I’d like to add here that there’s a lot of debugging information posted to Slack, in the #uibuilder channel.
Thanks Lena, I'll take a look.
So for anyone following along, I believe that this is going to be related to having installed uibuilder with npm install node-red-contrib-uibuilder -g
. This is an untested configuration and not recommended.
I think what is happening is that the user running Node-RED doesn't have the right permissions to all the files it needs. However, I may be wrong. The easiest way to check would be to:
sudo chown root:users /usr/lib/node_modules/node-red-contrib-uibuilder
Actually you can use pi:pi
if running on a Pi, as long as either the user or group relates to the user running Node-RED, it should let us understand whether this is actually the issue.
Another thing to try would be to manually call the index URL with the parameter ?type=json
on the end. This uses different code which I think should work since it doesn't touch the filing system.
One other thought is whether you have specified fine-grained permissions for Editor users? If you have, then you would need to add uibuilder.read
to the list of permissions.
Oh yes, I install most uibuilder module with npm -g , I will try to install a local module and see if this issue still persist ..
Does installing a local module over-ride the global module ???
Thanks
I've completely removed the global version at /usr/lib/node_modules and install a local version at .node-red
Now all the node_modules are located at .node-red/node_modules
uibindex is still giving same error messages, I also cannot do ?type=json
I m running Node-red version 1.0.2
One other thought is whether you have specified fine-grained permissions for Editor users? If you have, then you would need to add
uibuilder.read
to the list of permissions.
Where do I change this settings for uibuilder.read ??
Try adding the defualt permissions to settings.js:
adminAuth: {
type: "credentials",
users: [ /* list of users */ ],
default: {
permissions: "read"
}
}
Or indeed, removing them temporarily to see if that fixes the issue
// Securing Node-RED
// -----------------
// To password protect the Node-RED editor and admin API, the following
// property can be used. See http://nodered.org/docs/security.html for details.
adminAuth: {
type: 'credentials',
//sessionExpiryTime: 86400, // in seconds
default: {
permissions: ['*'],
},
users: [
{
username: 'admin',
password: 'dummy', //dummy
permissions: ['*'],
},
{
username: 'random',
password: 'dummy', //dummy
permissions: ['uibuilder.read'],
},
],
},
The above gives all permissions by default to all users.
Right, you could restrict it to uibuilder:
default: {
permissions: "uibuilder.read"
}
Tried both methods, still not working ...
Some more Infos would be helpful:
OS version
Node-red version
uibuilder version
settings.js
Ubuntu 16.04
NR 1.0.2
node-red-contrib-uibuilder@2.0.7
settings.js everything default :
adminAuth: {
type: "credentials",
users: [{
username: "admin",
password: "#######",
permissions: "*"
}]
},
What happens if you comment out the adminAuth
in settings.js?
The issue here is that it is Node-RED itself that is applying the security and not uibuilder. All I do is specify an option as documented in the Node-RED docs.
On line 1238 (in the security branch, may be a different line number in the master branch):
RED.httpAdmin.get('/uibindex', RED.auth.needsPermission('uibuilder.read'), function(req,res) {
So if Node-RED security is working as expected, I would think this would as well.
Are you logged in to the Editor with the admin user when trying to access the uibindex page? Otherwise, Node-RED is not going to apply those permissions. Remember that the uibindex page uses the Editor's permissions.
Are you using https?
Do you have the CORS settings set?
Are you able to request the page from the command line on the same device as Node-RED using curl/wget? What errors are you getting?
If you turn the Node-RED logging up to trace
you will see a lot of output from uibuilder (and sadly from everything else as well!) which may present other clues.
Yep that works...
I have the same problem as described here by stanleyseow and without adminAuth I can now see the iubindex page.
I'm quite sure that this also works:
default: {
permissions: "uibuilder.read"
}
Yes it does indeed. Thanks!
So if you use the other example:
adminAuth: {
type: "credentials",
users: [{
username: "admin",
password: "#######",
permissions: "*"
}]
},
Can you confirm that you are able to use it if you are logged in to the Editor as user admin
? Because you should be able to.
If you can't then I need to raise it with Nick/Dave.
Found a bit of time to do some testing of my own.
I have to say that I don't think the admin API security works as I expected it to.
Take the following settings:
adminAuth: {
type: "credentials",
users: [
{
username: "admin",
// `reader`
password: "$2a$08$wmsrXbrhacO5v15.vr/jWOk54pRcbqWdOljStdMycrnFbYF.kTctu",
permissions: "*"
},{
username: "reader",
password: "$2a$08$wmsrXbrhacO5v15.vr/jWOk54pRcbqWdOljStdMycrnFbYF.kTctu",
permissions: "read"
},{
username: "uibreader",
password: "$2a$08$wmsrXbrhacO5v15.vr/jWOk54pRcbqWdOljStdMycrnFbYF.kTctu",
permissions: "uibuilder.read"
},
],
},
Log in to the Editor using the admin
user id and password reader
. Open the uibuindex page - everything works as expected. Now log out and log in with the uibreader
account, same password. It looks like the login fails (with no error msg), don't worry about that, reload the uibindex page and you will find that it works.
Now login with the reader
id (same password again). Try reloading the uibindex page and you will find that it fails.
This is NOT what I expect to happen. I expected that the read
permission would take preference over the uibuilder.read
- in other words that read
would encompass all read permissions.
Even less sense. If you change your settings to the following and restart Node-RED:
adminAuth: {
type: "credentials",
default: {
permissions: "read"
},
users: [
{
username: "admin",
// `reader`
password: "$2a$08$wmsrXbrhacO5v15.vr/jWOk54pRcbqWdOljStdMycrnFbYF.kTctu",
permissions: "*"
},{
username: "reader",
password: "$2a$08$wmsrXbrhacO5v15.vr/jWOk54pRcbqWdOljStdMycrnFbYF.kTctu",
permissions: "read"
},{
username: "uibreader",
password: "$2a$08$wmsrXbrhacO5v15.vr/jWOk54pRcbqWdOljStdMycrnFbYF.kTctu",
permissions: "uibuilder.read"
},
],
},
Now log in again using the reader
id. Now the uibindex page DOES load. That appears to be inconsistent to me - perhaps I'm missing something?