Posted to user@guacamole.apache.org by Lars Kellogg-Stedman <la...@redhat.com> on 2022/03/03 20:30:02 UTC
Mapping header-authenticated users to connection permissions?
I have guacamole set up behind an SSO proxy that provides the username in an HTTP header. This all works fine and I can access Guacamole and see that I'm logged in with the expected user id.
I'm having less success creating connections that are accessible to logged-in users. For example, I've created an ssh connection via the REST API; here it is in the database:
guacamole=# select connection_id, connection_name, protocol from guacamole_connection;
 connection_id | connection_name | protocol
---------------+-----------------+----------
             1 | larstest        | ssh
I've created a user in the database that matches my
header-authenticated username:
guacamole=# select entity_id, name, type, user_id from guacamole_entity join guacamole_user using (entity_id);
 entity_id |        name         | type | user_id
-----------+---------------------+------+---------
         1 | guacadmin           | USER |       1
         2 | lkellogg@redhat.com | USER |       2
And I've assigned permissions for this user on the connection, again
using the REST API, which results in:
guacamole=# select connection_id, connection_name, entity_id, name, permission from guacamole_connection join guacamole_connection_permission using (connection_id) join guacamole_entity using (entity_id);
 connection_id | connection_name | entity_id |        name         | permission
---------------+-----------------+-----------+---------------------+------------
             1 | larstest        |         1 | guacadmin           | READ
             1 | larstest        |         1 | guacadmin           | UPDATE
             1 | larstest        |         1 | guacadmin           | DELETE
             1 | larstest        |         1 | guacadmin           | ADMINISTER
             1 | larstest        |         2 | lkellogg@redhat.com | READ
But when I log in as `lkellogg@redhat.com`, I don't see this
connection. Am I missing a step, or is there another way of handling
this?
Thanks,
--
Lars Kellogg-Stedman <la...@redhat.com> | larsks @ {irc,twitter,github}
http://blog.oddbit.com/ | N1LKS
---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@guacamole.apache.org
For additional commands, e-mail: user-help@guacamole.apache.org
Re: Mapping header-authenticated users to connection permissions?
Posted by Lars Kellogg-Stedman <la...@redhat.com>.
On Thu, Mar 03, 2022 at 03:30:02PM -0500, Lars Kellogg-Stedman wrote:
> But when I log in as `lkellogg@redhat.com`, I don't see this
> connection. Am I missing a step, or is there another way of handling
> this?
Apparently the answer was "log out and log back in". Sorry for the
noise!
--
Lars Kellogg-Stedman <la...@redhat.com> | larsks @ {irc,twitter,github}
http://blog.oddbit.com/ | N1LKS