
AlertR User Management Update in Version 0.503-5

AlertR User Management Update

In version 0.503-5 of the AlertR server I updated the user management. The previous user management was always a thorn in my side. Every user had to be added manually to the users.csv file and the server had to be restarted. Additionally, the users' passwords were stored in cleartext in the file (since I work in security, this was always nagging at me). Hence, updating the user management was definitely necessary.


User Management Script

So what is actually new? First of all, users are no longer added by manually editing the users.csv file. The server now has a new script called manageUsers.py which handles all the user management. It can add, delete and modify any user and list all existing ones. To make this simpler, it prompts for the data it needs and downloads information from the central repository. For example, when adding a new user it asks for the username and password, downloads the list of existing clients from the central repository and asks you what kind of client you want to add. Adding a user then looks like the following:


alertr@towel:/home/alertr/server# python manageUsers.py -a

Please make sure that the AlertR Server is not running while adding a user.
Otherwise it can lead to an inconsistent state and a corrupted database.
Are you sure to continue?
(y/n): y

Please enter username:
client_raspi_kitchen

Please enter password:

Please verify password:

####################################################################################################
No.  | Option
####################################################################################################
---------------------------------------- Type: alert -----------------------------------------------
1.   | Use instance 'alertClientDbus'.
2.   | Use instance 'alertClientExecuter'.
3.   | Use instance 'alertClientMail'.
4.   | Use instance 'alertClientPushNotification'.
5.   | Use instance 'alertClientRaspberryPi'.
6.   | Use instance 'alertClientTemplate'.
7.   | Use instance 'alertClientXBMC'.
---------------------------------------- Type: manager ---------------------------------------------
8.   | Use instance 'managerClientConsole'.
9.   | Use instance 'managerClientDatabase'.
10.  | Use instance 'managerClientKeypad'.
---------------------------------------- Type: sensor ----------------------------------------------
11.  | Use instance 'sensorClientDevelopment'.
12.  | Use instance 'sensorClientExecuter'.
13.  | Use instance 'sensorClientFIFO'.
14.  | Use instance 'sensorClientICalendar'.
15.  | Use instance 'sensorClientLightning'.
16.  | Use instance 'sensorClientPing'.
17.  | Use instance 'sensorClientRaspberryPi'.
18.  | Use instance 'sensorClientWeatherService'.
---------------------------------------- Type: other -----------------------------------------------
19. Enter instance and node type manually.

Please choose an option: 17
 


However, it also allows you to add the same user just with a single command execution:


alertr@towel:/home/alertr/server# python manageUsers.py -a -u client_raspi_kitchen -p totally_secret_pw -t sensor -i sensorClientRaspberryPi

Please make sure that the AlertR Server is not running while adding a user.
Otherwise it can lead to an inconsistent state and a corrupted database.
Are you sure to continue?
(y/n): y
 


If the final prompt asking whether the AlertR server is currently stopped is also annoying, it can be suppressed as well:


alertr@towel:/home/alertr/server# python manageUsers.py -a -u client_raspi_kitchen -p totally_secret_pw -t sensor -i sensorClientRaspberryPi -y
 


If you do not have an Internet connection or do not want to connect to the central repository, you can use the -o argument to disable the repository lookup.


Password Storage

The password is no longer stored in cleartext but hashed using bcrypt. This ensures that an adversary who is able to get the users.csv file cannot read the passwords. When updating the AlertR server from a previous version, the old users.csv file will automatically be converted into the new version, so there is nothing to change here. However, the AlertR server needs a new pip package called bcrypt to work correctly.


Adding and Deleting Users

Another new thing is that the AlertR server does not have to be restarted when adding or deleting a user. The server checks every 60 seconds whether the users.csv file has changed and reloads it if it has. However, this does not work correctly when modifying a user. Modifying a user without stopping the server will definitely corrupt your database. This happens because of the way the users are managed internally. And since this small edge case is just too much effort to fix (regarding cost-benefit assessment), I added the warning prompt when using manageUsers.py.

A thoughtful reader might now ask: but you also show the warning prompt when adding or deleting a user. This is correct. Since deleting a user and instantly adding the same user with other features is the same as modifying it (because the AlertR server needs around 60 seconds before reloading the users.csv file), I also added the warning prompt to the adding and deleting options.
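The reload window described above can be modelled in a few lines. This is an added example, not code from AlertR: the users.csv row layout, the sample rows, and the function names `parse_users`, `diff_users` and `simulate` are assumptions made for illustration. It shows that a delete followed by a re-add inside one 60-second window reaches the poller as a single modification.

```python
import csv
import io

# Assumed row layout, constructed for this example (not AlertR's real
# users.csv format): username, bcrypt hash, node type, instance.
BASE = "kitchen,$2b$12$constructedhashA,sensor,sensorClientRaspberryPi\n"
READD = "kitchen,$2b$12$constructedhashB,alert,alertClientRaspberryPi\n"


def parse_users(text):
    """Map username -> (hash, node type, instance)."""
    users = {}
    for row in csv.reader(io.StringIO(text)):
        if row:
            users[row[0].strip()] = tuple(col.strip() for col in row[1:])
    return users


def diff_users(old, new):
    """Classify the difference between two snapshots of the user file."""
    both = set(old) & set(new)
    return {
        "added": sorted(set(new) - set(old)),
        "deleted": sorted(set(old) - set(new)),
        "modified": sorted(n for n in both if old[n] != new[n]),
    }


def simulate(writes, interval=60, until=240):
    """Replay (second, file_text) writes, sorted by time, against a poller
    that reloads the file every `interval` seconds; return [(tick, diff)]
    for every tick at which the poller noticed a change."""
    loaded = parse_users(writes[0][1])  # state read at server start
    seen = []
    for tick in range(interval, until + 1, interval):
        # The poller only ever sees the newest write at or before the tick.
        current = [text for second, text in writes if second <= tick][-1]
        snapshot = parse_users(current)
        change = diff_users(loaded, snapshot)
        if any(change.values()):
            seen.append((tick, change))
        loaded = snapshot
    return seen


# Delete at 70 s and re-add at 90 s: both land inside one reload window.
fast = simulate([(0, BASE), (70, ""), (90, READD)])
# Same edits, but the re-add waits until a reload has happened in between.
slow = simulate([(0, BASE), (70, ""), (130, READD)])
```

In the `fast` run the poller never observes the deletion, only a changed row for an existing username, which is the modification case the prompt guards against.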
