Found a bit of time to do some testing of my own.
I have to say that I don't think the admin API security works as I expected it to.
Take the following settings:
```javascript
adminAuth: {
    type: "credentials",
    users: [
        {
            username: "admin",
            // `reader`
            password: "$2a$08$wmsrXbrhacO5v15.vr/jWOk54pRcbqWdOljStdMycrnFbYF.kTctu",
            permissions: "*"
        },{
            username: "reader",
            password: "$2a$08$wmsrXbrhacO5v15.vr/jWOk54pRcbqWdOljStdMycrnFbYF.kTctu",
            permissions: "read"
        },{
            username: "uibreader",
            password: "$2a$08$wmsrXbrhacO5v15.vr/jWOk54pRcbqWdOljStdMycrnFbYF.kTctu",
            permissions: "uibuilder.read"
        },
    ],
},
```
Log in to the Editor using the `admin` user id and password `reader`. Open the uibindex page - everything works as expected. Now log out and log in with the `uibreader` account, same password. It looks like the login fails (with no error msg), don't worry about that, reload the uibindex page and you will find that it works.
Now log in with the `reader` id (same password again). Try reloading the uibindex page and you will find that it fails.
This is NOT what I expect to happen. I expected that the `read` permission would take preference over the `uibuilder.read` - in other words that `read` would encompass all read permissions.
Even less sense. If you change your settings to the following and restart Node-RED:
```javascript
adminAuth: {
    type: "credentials",
    default: {
        permissions: "read"
    },
    users: [
        {
            username: "admin",
            // `reader`
            password: "$2a$08$wmsrXbrhacO5v15.vr/jWOk54pRcbqWdOljStdMycrnFbYF.kTctu",
            permissions: "*"
        },{
            username: "reader",
            password: "$2a$08$wmsrXbrhacO5v15.vr/jWOk54pRcbqWdOljStdMycrnFbYF.kTctu",
            permissions: "read"
        },{
            username: "uibreader",
            password: "$2a$08$wmsrXbrhacO5v15.vr/jWOk54pRcbqWdOljStdMycrnFbYF.kTctu",
            permissions: "uibuilder.read"
        },
    ],
},
```
Now log in again using the `reader` id. Now the uibindex page DOES load. That appears to be inconsistent to me - perhaps I'm missing something?