Enterprise RWSERVE CLI Tool

RBAC Roles

Role Based Access Control

by Read Write Tools

Abstract

The rwserve-roles command line utility for creating user accounts for use with the RWSERVE Role Based Access Control mechanism is described.

Motivation

Websites often need to restrict access to portions of the public document area based on a user's assigned privileges. The RWSERVE Role Based Access Control (RBAC) module provides a way to do that.

Usage

The software can be invoked via a Bash shell. Here is an example demonstrating how to create a new user account for "webmaster" having the roles "editor" and "devops":

[user@host]# sudo rwserve-roles webmaster:secret:editor,devops >> /etc/rwserve/roles

Notes:

  1. Be sure to use sudo, because the program accesses the restricted file /etc/rwserve/roles.
  2. The input is three values, separated by colons (:):
    • First is the user name for the account, e.g. "webmaster"
    • Next is the user's password, e.g. "secret"
    • Last are the roles the account will have; these should be separated by commas, e.g. "editor,devops"
  3. The output from the utility is a single line of text. Use the Bash redirection append operator >> to add the output to the target file.

The rwserve-roles CLI utility hashes the clear-text password into a 32-byte SHA-256 digest. The clear-text password is never saved, and there is no retrieval or recovery method that can reverse the hash. The hashing algorithm uses a separate 16-byte nonce for each account to ensure that no two users have the same hash value, even if they coincidentally have the same password.

The combination of nonce and hash is stored in the roles file as a shaDigest.

Finally, the rwserve-roles CLI utility generates a UUID, which can be used by the webmaster as a unique key to other user data — such as name, contact information, preferences, etc. — stored in a separate file or database.

Here is what the roles file might look like after creating the webmaster account:

webmaster    ee13abc8-1b37-46d0-bfc2-425169411f6a    9ea896dc91018a6a9bc03e48e1c2b3dd:2ce0b565b347b454fbeb0636c0780c99e0542aaa145f8b02cae93b1115df4e47    editor,devops,anonymous

It is a plain text file with one account on each line, consisting of four tab-separated fields: 1) user, 2) UUID, 3) base64-encoded nonce:shaDigest, and 4) a comma separated list of roles.

License and availability

This tool is distributed with the RWSERVE HTTP/2 Web Server. It is not available separately.

RWSERVE RBAC Roles Software License Agreement

Copyright © 2023 Read Write Tools.

  1. This Software License Agreement ("Agreement") is a legal contract between you and Read Write Tools ("RWT"). The "Materials" subject to this Agreement include the software app "RWSERVE RBAC Roles" and its associated documentation.
  2. By installing, copying or otherwise using the Materials, you agree to abide by the terms of this Agreement. If you choose not to agree with these provisions, you must uninstall and delete all copies of the Materials.
  3. The Materials are protected by United States copyright law, patent law, and trade secret law, as well as international treaties on intellectual property rights. The Materials are licensed, not sold to you, and can only be used in accordance with the terms of this Agreement. RWT is and remains the owner of all titles, rights and interests in the Materials, and RWT reserves all rights not specifically granted under this Agreement.
  4. Subject to the terms of this Agreement, RWT hereby grants to you a limited, non-exclusive license to use the Materials subject to the following conditions:
    • You are allowed to install the Materials on more than one computer or device, as long as the Materials will not be used on more than one computer or device simultaneously. You may make additional copies of the Materials for backup purposes only.
    • You may not distribute, publish, make publicly available, sub-license, sell, rent, or lease the Materials.
    • You may not extract, decompile, or reverse engineer any binary or source code included in the Materials. Your license to use the Materials is limited to its use in its original packaged format, and does not include permission to extract or use parts on a separate basis.
  5. THE MATERIALS ARE PROVIDED BY READ WRITE TOOLS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL READ WRITE TOOLS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  6. Portions of the Material are covered by third-party software license agreements. Those agreements have their own terms and conditions, which may include restrictions and limitations on intellectual property use, distribution, publication, and modification that differ from this Agreement. Those agreements are:
    1. Node.js License
    2. V8 License
    3. nghttp2 License
    4. Joezone License
    5. Blue Phrase Processor Software License Agreement

    The terms and conditions of those third-party agreements apply to the respective intellectual property covered by those software license agreements, and do not extend to any Material owned by Read Write Tools.

  7. This license is effective until terminated. Without prejudice to any other rights, RWT may terminate your right to use the Materials if you fail to comply with the terms of this Agreement. In such event, you shall uninstall and delete all copies of the Materials.
  8. This Agreement is governed by and interpreted in accordance with the laws of the State of California. If for any reason a court of competent jurisdiction finds any provision of the Agreement to be unenforceable, that provision will be enforced to the maximum extent possible to effectuate the intent of the parties and the remainder of the Agreement shall continue in full force and effect.

Related reading

RBAC Roles — Role Based Access Control
