Posted to user@guacamole.apache.org by Lars Kellogg-Stedman <la...@redhat.com> on 2022/03/03 20:30:02 UTC

Mapping header-authenticated users to connection permissions?

I have Guacamole set up behind an SSO proxy that provides the username in an HTTP header. This all works fine and I can access Guacamole and see that I'm logged in with the expected user id.

I'm having less success creating connections that are accessible to logged-in users. For example, I've created an ssh connection via the REST API; here it is in the database:

    guacamole=# select connection_id, connection_name, protocol from guacamole_connection;
     connection_id | connection_name | protocol
    ---------------+-----------------+----------
                 1 | larstest        | ssh

I've created a user in the database that matches my
header-authenticated username:

    guacamole=# select entity_id, name, type, user_id from guacamole_entity join guacamole_user using (entity_id);
     entity_id |        name         | type | user_id
    -----------+---------------------+------+---------
             1 | guacadmin           | USER |       1
             2 | lkellogg@redhat.com | USER |       2

And I've assigned permissions for this user on the connection, again
using the REST API, which results in:

    guacamole=# select connection_id, connection_name, entity_id, name, permission  from guacamole_connection join guacamole_connection_permission using (connection_id) join guacamole_entity using (entity_id);
     connection_id | connection_name | entity_id |        name         | permission
    ---------------+-----------------+-----------+---------------------+------------
                 1 | larstest        |         1 | guacadmin           | READ
                 1 | larstest        |         1 | guacadmin           | UPDATE
                 1 | larstest        |         1 | guacadmin           | DELETE
                 1 | larstest        |         1 | guacadmin           | ADMINISTER
                 1 | larstest        |         2 | lkellogg@redhat.com | READ

But when I log in as `lkellogg@redhat.com`, I don't see this
connection. Am I missing a step, or is there another way of handling
this?

Thanks,

-- 
Lars Kellogg-Stedman <la...@redhat.com> | larsks @ {irc,twitter,github}
http://blog.oddbit.com/                | N1LKS


---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@guacamole.apache.org
For additional commands, e-mail: user-help@guacamole.apache.org


Re: Mapping header-authenticated users to connection permissions?

Posted by Lars Kellogg-Stedman <la...@redhat.com>.
On Thu, Mar 03, 2022 at 03:30:02PM -0500, Lars Kellogg-Stedman wrote:
> But when I log in as `lkellogg@redhat.com`, I don't see this
> connection. Am I missing a step, or is there another way of handling
> this?

Apparently the answer was "log out and log back in". Sorry for the
noise!

-- 
Lars Kellogg-Stedman <la...@redhat.com> | larsks @ {irc,twitter,github}
http://blog.oddbit.com/                | N1LKS

