Role Based Access Control
by Read Write Tools
Websites often need to restrict access to portions of the public document area based on a user's assigned privileges. The RWSERVE Role Based Access Control (RBAC) module provides a way to do that.
The software can be invoked via a Bash shell. Here is an example demonstrating how to create a new user account for "webmaster" having the roles "editor" and "devops":
[user@host]# sudo rwserve-roles webmaster:secret:editor,devops >> /etc/rwserve/roles
- Be sure to use sudo because the program accesses the restricted file
- The input is three values, separated by colons (:):
  - First is the user name for the account, e.g. "webmaster"
  - Next is the user's password, e.g. "secret"
  - Last are the roles the account will have; these should be separated by commas, e.g. "editor,devops"
The rwserve-roles CLI utility hashes the clear-text password into a 32-byte SHA256 value. The clear-text password is never saved, and there is no retrieval or recovery method that can recover it from the hash. The hashing algorithm uses a separate 16-byte nonce to ensure that no two users have the same hash value, even if they coincidentally have the same password.
The combination of hash and nonce is stored in the roles file as a shaDigest.
The rwserve-roles CLI utility also generates a UUID, which can be used by the webmaster as a unique key to other user data (such as name, contact information, preferences, etc.) stored in a separate file or database.
Here is what the roles file might look like after creating the webmaster account:
webmaster ee13abc8-1b37-46d0-bfc2-425169411f6a 9ea896dc91018a6a9bc03e48e1c2b3dd:2ce0b565b347b454fbeb0636c0780c99e0542aaa145f8b02cae93b1115df4e47 editor,devops,anonymous
It is a plain text file with one account on each line, consisting of four tab-separated fields: 1) user, 2) UUID, 3) base64-encoded nonce:shaDigest, and 4) a comma-separated list of roles.
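A structural audit of the roles file format described above, as an added example that is not part of RWSERVE or its documentation. The names `decode` and `audit` are hypothetical. The text calls the third field base64-encoded while the sample line is 32 and 64 hexadecimal characters, so as an assumption the decoder accepts either encoding and checks only the 16-byte and 32-byte lengths.

```python
import base64
import uuid

NONCE = "9ea896dc91018a6a9bc03e48e1c2b3dd"
SHA = "2ce0b565b347b454fbeb0636c0780c99e0542aaa145f8b02cae93b1115df4e47"
SAMPLE = "\n".join([  # line 1: the page's sample, tabs restored; 2-4: constructed
    f"webmaster\tee13abc8-1b37-46d0-bfc2-425169411f6a\t{NONCE}:{SHA}\teditor,devops,anonymous",
    f"alice\t00000000-0000-4000-8000-000000000001\t{NONCE}:{'ab' * 32}\teditor",
    "bob\tnot-a-uuid\tabcd:1234\t",
    f"carol 00000000-0000-4000-8000-000000000002 {NONCE}:{SHA} editor",
])

def decode(text, size):
    """Return `size` raw bytes from hex or base64 text; falls through to None."""
    for decoder in (bytes.fromhex, lambda t: base64.b64decode(t, validate=True)):
        try:
            if len(raw := decoder(text)) == size:
                return raw
        except ValueError:  # binascii.Error is a ValueError subclass
            pass

def audit(text):
    """Return (accounts, problems) for the contents of a roles file."""
    accounts, problems, users, nonces = {}, [], set(), set()
    for num, line in enumerate(text.splitlines(), 1):
        if len(fields := line.split("\t")) != 4:
            problems.append((num, "expected 4 tab-separated fields"))
            continue
        user, ident, digest, roles = fields
        found = len(problems)
        try:
            uuid.UUID(ident)
        except ValueError:
            problems.append((num, "malformed UUID"))
        nonce_text, _, sha_text = digest.partition(":")
        nonce = decode(nonce_text, 16)  # 16-byte nonce
        if nonce is None or decode(sha_text, 32) is None:  # 32-byte SHA256
            problems.append((num, "nonce:shaDigest is not 16 + 32 bytes"))
        elif nonce in nonces:
            problems.append((num, "nonce reused by another account"))
        if user in users:
            problems.append((num, "duplicate user name"))
        if "" in roles.split(","):
            problems.append((num, "empty role name"))
        users.add(user)
        nonces.add(nonce)
        if len(problems) == found:  # keep only accounts with no findings
            accounts[user] = roles.split(",")
    return accounts, problems
```

Calling `audit(SAMPLE)` returns the clean accounts and a list of `(line number, message)` findings; a reused nonce is flagged because it would let two accounts with the same password share a hash value.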
License and availability
This tool is distributed with the RWSERVE HTTP/2 Web Server. It is not available separately.
RWSERVE RBAC Roles Software License Agreement
Copyright © 2020 Read Write Tools.
- This Software License Agreement ("Agreement") is a legal contract between you and Read Write Tools ("RWT"). The "Materials" subject to this Agreement include the software app "RWSERVE RBAC Roles" and its associated documentation.
- By installing, copying or otherwise using the Materials, you agree to abide by the terms of this Agreement. If you choose not to agree with these provisions, you must uninstall and delete all copies of the Materials.
- The Materials are protected by United States copyright law, patent law, and trade secret law, as well as international treaties on intellectual property rights. The Materials are licensed, not sold to you, and can only be used in accordance with the terms of this Agreement. RWT is and remains the owner of all titles, rights and interests in the Materials, and RWT reserves all rights not specifically granted under this Agreement.
- Subject to the terms of this Agreement, RWT hereby grants to you a limited, non-exclusive license to use the Materials subject to the following conditions:
- You are allowed to install the Materials on more than one computer or device, as long as the Materials will not be used on more than one computer or device simultaneously. You may make additional copies of the Materials for backup purposes only.
- You may not distribute, publish, make publicly available, sub-license, sell, rent, or lease the Materials.
- You may not extract, decompile, or reverse engineer any binary or source code included in the Materials. Your license to use the Materials is limited to its use in its original packaged format, and does not include permission to extract or use parts on a separate basis.
- Node.js License
- V8 License
- nghttp2 License
- Joezone License
- Blue Phrase Processor Software License Agreement
The terms and conditions of those third-party agreements apply to the respective intellectual property covered by those software license agreements, and do not extend to any Material owned by Read Write Tools.