Hello Nick,
yes, it works as you said. If a user has the CREATE_USER and CREATE_CONNECTION
system permission privilege (table guacamole_system_permission), he/she can
create user and connection resources with access (ADMINISTER privilege
subsuming READ, UPDATE and DELETE). My use case, however, is that I have two
department admins who both need full resource access, no matter which one of them
created the resource. If admin A creates a user or connection resource, A has
full access (ADMINISTER) while admin B has not, and vice versa. Creating a dept
admin group with CREATE_USER and CREATE_CONNECTION privilege and putting both A
and B into it doesn't cover my use case. If I look into the database schema, it
doesn't seem to me as if this use case is applicable. I can add admin B to a user
resource owned by A in table guacamole_user_permission by some extra INSERT
statements with cumulative entity_id - affected_user_id - permission records,
and I have what I want. It will not work, however, as expected at first glance
with the guacamole_user_group_permission table:
desc guacamole_user_group_permission;
+------------------------+---------------------------------------------+------+-----+---------+-------+
| Field                  | Type                                        | Null | Key | Default | Extra |
+------------------------+---------------------------------------------+------+-----+---------+-------+
| entity_id              | int(11)                                     | NO   | PRI | NULL    |       |
| affected_user_group_id | int(11)                                     | NO   | PRI | NULL    |       |
| permission             | enum('READ','UPDATE','DELETE','ADMINISTER') | NO   | PRI | NULL    |       |
+------------------------+---------------------------------------------+------+-----+---------+-------+
"entity_id" seems to be seen here just in the USER_GROUP entity context. A record
added here by an extra INSERT statement with the entity_id of a USER entity (in my
case admin A and B) will not work.
The same goes for connection resources: I can cumulate them in the same way in table
guacamole_connection_permission by associating entity_ids from different USER
entities, but, again, it will not work for GROUP entities. The table
guacamole_connection_group seems to be something completely different; I cannot
associate user or user group entities with connection entities there.
Doing some extra INSERT DMLs whenever admin A or B has created a new user or
connection resource via the web frontend is not what I want.
The only solution, as far as I understand, is to give admin A and B the system
permission privilege ADMINISTER (guacamole_system_permission), but this implies
at the same time full Guacamole instance access, which I do not want for my use
case.
Do I see it right that my use case is not applicable, or is there still a little
hope because I overlooked or misunderstood something?
Thank you
Jürgen
On 26.10.21 at 20:03, Nick Couchman wrote:
> (Adding back the mailing list)
>
>
> On Tue, Oct 26, 2021 at 12:53 PM Jürgen Kuri <[email protected]> wrote:
>
> My Guacamole instance is running for more than a year or so. Initially, I
> filled the database with users, user groups and connections "manually"
> according to the instructions in
>
> http://guacamole.apache.org/doc/gug/jdbc-auth.html:
>
> -- Generate salt
> SET @salt = UNHEX(SHA2(UUID(), 256));
>
> -- Create base entity entry for user
> INSERT INTO guacamole_entity (name, type)
> VALUES ('myuser', 'USER');
>
> -- Create user and hash password with salt
> INSERT INTO guacamole_user (
> entity_id,
> password_salt,
> password_hash,
> password_date
> )
> SELECT
> entity_id,
> @salt,
> UNHEX(SHA2(CONCAT('mypassword', HEX(@salt)), 256)),
> CURRENT_TIMESTAMP
> FROM guacamole_entity
> WHERE
> name = 'myuser'
> AND type = 'USER';
>
>
> I did the same for the creation of connections and user mappings by
> INSERTs into guacamole_connection, guacamole_connection_permission and
> guacamole_connection_parameter.
>
>
> Because I don't fully understand, especially how connections are mapped in
> a way like "entity_id" ->
> "affected_connection_id/affected_connection_group_id", I just created:
>
> 1) a user "blah-blah-user"
>
> 2) a connection "blah-blah-host"
>
> 3) associated "blah-blah-user" with "blah-blah-host"
>
> via the web frontend. Now, to my surprise, I cannot find the user
> "blah-blah-user" either in table guacamole_entity or in guacamole_user.
> The same with connection "blah-blah-host" in table guacamole_connection and,
> needless to say, not in guacamole_connection_permission and
> guacamole_connection_parameter.
>
>
> If you create this in the web frontend and don't see the corresponding
> database entries, then you're either looking at the wrong database or schema,
> or you're looking at a replica of some sort that isn't consistent, yet. Make
> sure you're connecting to the same database that your web front-end is using,
> as configured in guacamole.properties.
>
> -Nick
--
Jürgen Kuri
Product Owner Enhanced Backup
TechOps IT Engineering
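The manual workaround described in the message above (extra rows in guacamole_user_permission and guacamole_connection_permission so that admin B holds the same resource permissions as admin A), written out as an added example that is not from the thread or the Guacamole project. It assumes the 1.x MySQL schema, in which guacamole_connection_permission has the columns (entity_id, connection_id, permission) and guacamole_user_permission has (entity_id, affected_user_id, permission); 'adminA' and 'adminB' are placeholder entity names.

```sql
-- Added example, not from the thread. Placeholder names 'adminA' / 'adminB'.
-- Resolve both USER entities once; user_group entities would need type = 'USER_GROUP'.
SET @a = (SELECT entity_id FROM guacamole_entity WHERE name = 'adminA' AND type = 'USER');
SET @b = (SELECT entity_id FROM guacamole_entity WHERE name = 'adminB' AND type = 'USER');

-- 1. Connections: grant B every (connection, permission) pair that A holds and B lacks.
--    Assumed column name: connection_id (1.x schema).
INSERT INTO guacamole_connection_permission (entity_id, connection_id, permission)
SELECT @b, p.connection_id, p.permission
FROM guacamole_connection_permission p
WHERE p.entity_id = @a
  AND NOT EXISTS (
        SELECT 1 FROM guacamole_connection_permission q
        WHERE q.entity_id = @b
          AND q.connection_id = p.connection_id
          AND q.permission = p.permission);

-- 2. User resources: same pattern on guacamole_user_permission (affected_user_id).
INSERT INTO guacamole_user_permission (entity_id, affected_user_id, permission)
SELECT @b, p.affected_user_id, p.permission
FROM guacamole_user_permission p
WHERE p.entity_id = @a
  AND NOT EXISTS (
        SELECT 1 FROM guacamole_user_permission q
        WHERE q.entity_id = @b
          AND q.affected_user_id = p.affected_user_id
          AND q.permission = p.permission);

-- 3. Verification: connections on which A still holds something B does not.
--    Expect an empty result after step 1.
SELECT c.connection_name, p.permission
FROM guacamole_connection_permission p
JOIN guacamole_connection c ON c.connection_id = p.connection_id
LEFT JOIN guacamole_connection_permission q
       ON q.connection_id = p.connection_id
      AND q.permission    = p.permission
      AND q.entity_id     = @b
WHERE p.entity_id = @a
  AND q.entity_id IS NULL;
```

Run it a second time with @a and @b swapped to mirror B's permissions onto A; because the grants are keyed on the permission tables' primary key, re-running it is harmless. Note that it does not touch guacamole_user_group_permission, where, as the message observes, entity_id refers to the granting entity and the affected side is a user group.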