Authentication
There is a user_list.yml mechanism to authenticate web mode access users.
This section describes how to use user_list.yml.
Configuration items in user_list.yml
users: # A list of users, each of which is a map that contains the following fields.
- uid: 1 # An ID that identifies a user. No two users can have the same ID.
name: admin # A name that identifies the user. No two users can have the same name.
password: XXXXX # The user's password. The value is hashed with the hash function specified in the next hash field.
hash: plain # The hash function used to hash the password, which can be plain, md5, sha1, or sha256, or oauth2, or saml.
groups: [admin] # A list of groups to which the user belongs, as specified in the groups field.
email: admin@aaa.bbb.jp # The email address of the user, used when authenticating using the provider specified in the oauth2 or saml field.
- uid: 101
name: user01
password: XXXXX
hash: md5
groups: [user]
email: user01@aaa.bbb.jp
- uid: 102
name: user02
password: XXXXX
hash: sha1
groups: [readonly]
email: user02@aaa.bbb.jp
- uid: 103
name: user03
password: XXXXX
hash: sha256
groups: [editor]
email: user03@aaa.bbb.jp
groups: # A list of groups, each of which is a map that contains the following fields.
- gid: 1 # An ID that identifies a group. No two groups can have the same ID.
name: admin # A name that identifies the group. No two groups can have the same name.
- gid: 2
name: guest
- gid: 101
name: user
- gid: 102
name: readonly
parent: user # The parent group of the group. If the parent group is not specified, the group is a top-level group.
- gid: 103
name: editor
parent: user
cmdrule: # A list of command rules, Specify a rule that determines whether or not a command is executable when executed by a user in web mode.
policy: deny # Specify the default policy for the rule. The value can be allow or deny.
rules: # Specify rules to allow or deny execution of the command, depending on the group the user belongs to.
- groups: [admin]
rule: allow
- groups: [user] # Specify the groups to which the rule applies.
mode: client # Specify the "mode" as the condition for applying the rule.
cmds: [file_download, file_list, server_info] # Specify the "cmd" to which the rule applies. Multiple items can be specified in a list.
rule: allow # Specifies whether or not the specified command is allowed for the specified group. The value can be allow or deny.
- groups: [user]
mode: server
cmds: [list]
rule: allow
- groups: [user]
mode: cmd
cmds: [list, load]
rule: allow
- groups: [user, guest]
mode: audit
cmds: [write]
rule: allow
- groups: [user, guest]
mode: web
cmds: [genpass]
rule: allow
- groups: [editor]
mode: client
cmds: [file_copy, file_mkdir, file_move, file_remove, file_rmdir, file_upload]
rule: allow
pathrule: # List of RESTAPI rules, rules that determine whether or not a RESTAPI can be executed when a user in web mode accesses it.
policy: deny # Specify the default policy for the rule. The value can be allow or deny.
rules: # Specify rules to allow or deny execution of the RESTAPI, depending on the group the user belongs to.
- groups: [admin] # Specify the groups to which the rule applies.
paths: [/] # Specify the "path" to which the rule applies. Multiple items can be specified in a list.
rule: allow # Specifies whether or not the specified RESTAPI is allowed for the specified group. The value can be allow or deny.
- groups: [guest]
paths: [/signin, /assets, /copyright, /dosignin, /dosignout, /password/change,
/gui, /get_server_opt, /usesignout, /versions_cmdbox, /versions_used]
rule: allow
- groups: [user]
paths: [/signin, /assets, /bbforce_cmd, /copyright, /dosignin, /dosignout, /password/change,
/gui/user_data/load, /gui/user_data/save, /gui/user_data/delete,
/agent, /mcpsv,
/exec_cmd, /exec_pipe, /filer, /result, /gui, /get_server_opt, /usesignout, /versions_cmdbox, /versions_used]
rule: allow
- groups: [readonly]
paths: [/gui/del_cmd, /gui/del_pipe, /gui/save_cmd, /gui/save_pipe]
rule: deny
- groups: [editor]
paths: [/gui/del_cmd, /gui/del_pipe, /gui/save_cmd, /gui/save_pipe]
rule: allow
password: # Password settings.
policy: # Password policy settings.
enabled: true # Specify whether or not to enable password policy.
not_same_before: true # Specify whether or not to allow the same password as the previous one.
min_length: 16 # Specify the minimum length of the password.
max_length: 64 # Specify the maximum length of the password.
min_lowercase: 1 # Specify the minimum number of lowercase letters in the password.
min_uppercase: 1 # Specify the minimum number of uppercase letters in the password.
min_digit: 1 # Specify the minimum number of digits in the password.
min_symbol: 1 # Specify the minimum number of symbol characters in the password.
not_contain_username: true # Specify whether or not to include the username in the password.
expiration: # Password expiration settings.
enabled: true # Specify whether or not to enable password expiration.
period: 90 # Specify the number of days after which the password will expire.
notify: 7 # Specify the number of days before the password expires that a notification will be sent.
lockout: # Account lockout settings.
enabled: true # Specify whether or not to enable account lockout.
threshold: 5 # Specify the number of failed login attempts before the account is locked.
reset: 30 # Specify the number of minutes after which the failed login count will be reset.
apikey:
gen_cert: # Specify whether to generate a certificate for API key.
enabled: true # Specify whether to enable certificate generation for API key.
privatekey: idp_private.pem # Specify the destination file for the generated private key.
certificate: idp_cert.pem # Specify the destination file for the generated certificate.
publickey: idp_public.pem # Specify the destination file for the generated public key.
gen_jwt: # Specify whether to generate JWT for API key.
enabled: true # Specify whether to enable JWT generation for API key.
privatekey: idp_private.pem # Specify the private key file for JWT generation.
privatekey_passphrase: # Specify the passphrase for the private key file.
# If the private key is encrypted, specify the passphrase here.
algorithm: RS256 # Specify the algorithm used to generate the JWT. The value can be RS256, PS256, or ES256.
claims: # Specify the claims to be included in the JWT.
iss: identity_provider # Specify the issuer of the JWT. This is usually the name of the identity provider.
sub: app_user # Specify the subject of the JWT. This is usually the name of the application.
aud: app_organization # Specify the audience of the JWT. This is usually the name of the organization that will use the application.
exp: 31536000 # Specify the expiration time of the JWT in seconds. The default is 31536000 seconds (1 year).
verify_jwt: # Specify whether to verify JWT for API key.
enabled: true # Specify whether to enable JWT verification for API key.
certificate: idp_cert.pem # Specify the certificate file for JWT verification.
publickey: idp_public.pem # Specify the public key file for JWT verification. Not required if certificate exists.
issuer: identity_provider # Specify the issuer of the JWT. This is usually the name of the identity provider. (If not specified, no verification)
audience: app_organization # Specify the audience of the JWT. This is usually the name of the organization that will use the application. (If not specified, no verification)
algorithm: RS256 # Specify the algorithm used to verify the JWT. The value can be RS256, PS256, or ES256.
oauth2: # OAuth2 settings.
providers: # This is a per-provider setting for OAuth2.
google: # Google's OAuth2 configuration.
enabled: false # Specify whether to enable Google's OAuth2.
client_id: XXXXXXXXXXX # Specify Google's OAuth2 client ID.
client_secret: XXXXXXXXXXX # Specify Google's OAuth2 client secret.
redirect_uri: https://localhost:8443/oauth2/google/callback # Specify Google's OAuth2 redirect URI.
scope: ['email'] # Specify the scope you want to retrieve with Google's OAuth2. Usually, just reading the email is sufficient.
signin_module: # Specify the module name that implements the sign-in.
cmdbox.app.auth.google_signin
note: # Specify a description such as Google's OAuth2 reference site.
- https://developers.google.com/identity/protocols/oauth2/web-server?hl=ja#httprest
github: # OAuth2 settings for GitHub.
enabled: false # Specify whether to enable OAuth2 for GitHub.
client_id: XXXXXXXXXXX # Specify the OAuth2 client ID for GitHub.
client_secret: XXXXXXXXXXX # Specify the GitHub OAuth2 client secret.
redirect_uri: https://localhost:8443/oauth2/github/callback # Specify the OAuth2 redirect URI for GitHub.
scope: ['user:email'] # Specify the scope you want to get from GitHub's OAuth2. Usually, just reading the email is sufficient.
signin_module: # Specify the module name that implements the sign-in.
cmdbox.app.auth.github_signin
note: # Specify a description, such as a reference site for OAuth2 on GitHub.
- https://docs.github.com/ja/apps/oauth-apps/building-oauth-apps/authorizing-oauth-apps#scopes
azure: # OAuth2 settings for Azure AD.
enabled: false # Specify whether to enable OAuth2 for Azure AD.
tenant_id: XXXXXXXXXXX # Specify the tenant ID for Azure AD.
client_id: XXXXXXXXXXX # Specify the OAuth2 client ID for Azure AD.
client_secret: XXXXXXXXXXX # Specify the Azure AD OAuth2 client secret.
redirect_uri: https://localhost:8443/oauth2/azure/callback # Specify the OAuth2 redirect URI for Azure AD.
scope: ['openid', 'profile', 'email', 'https://graph.microsoft.com/mail.read']
signin_module: # Specify the module name that implements the sign-in.
cmdbox.app.auth.azure_signin
note: # Specify a description, such as a reference site for Azure AD's OAuth2.
- https://learn.microsoft.com/ja-jp/entra/identity-platform/v2-oauth2-auth-code-flow
saml: # SAML settings.
providers: # This is a per-provider setting for OAuth2.
azure: # SAML settings for Azure AD.
enabled: false # Specify whether to enable SAML authentication for Azure AD.
signin_module: # Specify the module name that implements the sign-in.
cmdbox.app.auth.azure_signin_saml # Specify the python3-saml configuration.
# see) https://github.com/SAML-Toolkits/python3-saml
sp:
entityId: https://localhost:8443/
assertionConsumerService:
url: https://localhost:8443/saml/azure/callback
binding: urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
attributeConsumingService: {}
singleLogoutService:
binding: urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
NameIDFormat: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
x509cert: ''
privateKey: ''
idp:
entityId: https://sts.windows.net/{tenant-id}/
singleSignOnService:
url: https://login.microsoftonline.com/{tenant-id}/saml2
binding: urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
x509cert: XXXXXXXXXXX
singleLogoutService: {}
certFingerprint: ''
certFingerprintAlgorithm: sha1
See also the contents of .sample/sample_project/sample/extensions/user_list.yml.