7.2. Setting up JWT Authorization

You need to know your JWT Cookie Name and Hash Secret. Whatever tool you are using to authenticate users will probably have instructions on how to find this.

7.2.1. Adding JWT details to OliveTin config.yaml

Setup your config file so it has something like this;

# It's often useful to turn logging to DEBUG when trying to work out authentication problems
logLevel: "INFO"

authJwtCookieName: "Organizr_token_1234..."
authJwtSecret: "3l4jh23v_123!"

Note that your authJwtCookieName and authJwtSecret will need to be set exactly as they appear in your Authentication software.

7.2.2. Usable claims

OliveTin currently can match Access Control Lists based on a username or primary user group. These must be called name and group respectively. You can see if these are being used properly turning on DEBUG logging and looking at the jwt claims.

7.2.3. Setup default permissions

OliveTin will assume that guests are able to View and Execute every action by default. When you are setting up authorization you probably want to limit this. You can do that by setting defaultPermissions like this;

logLevel: "INFO"

defaultPermissions:
    view: false
    exec: false

7.2.4. Setup OliveTin Access Control Lists

Access Control Lists are a way to override the default permissions.

logLevel: "INFO"

defaultPermissions:
    view: false
    exec: false

accessControlLists:
    - name: Admins
      addToEveryAction: true
      matchUsergroups:
      - Admins
      permissions:
        view: true
        exec: true

    - name: "Web Admins"
      matchUsergroups:
      - "webadmin"
      permissions:
        view: true
        exec: false

actions:
    - name: Only visible to admins
      shell: echo "I am a secret command only visible to admins"

    - name: Restart database
      shell: reboot
      acls:
        - "webadmin"

In the example above, the admins ACL is automatically added to every action, because addToEveryAction is true.