JSON RPC limiting access

I'm trying to configure home-assistant to read presence from the router using: https://www.home-assistant.io/integrations/luci/. However, I don't feel comfortable hardcoding the root password into the home-assistant configuration in plain text. I found instructions on how to create a read-only user for home-assistant & luci: https://stackoverflow.com/a/70441922/1608594 - but I'm wondering how I can restrict its access further.
I believe I need to put some list of things I would like to read into list read:

config login                     
        option username 'readonlyuser'
        option password '$p$readonlyuser'
        list read '*'

What should I put there?

Welcome to the forum! Interesting first post!

There is some documentation on ACLs here: https://openwrt.org/docs/techref/ubus#acls. Using that as a guide, you can see how you can set specific read values rather than *, which means all. You can also look at the luci-base example:

There is also a luci-app-acl package to manage ACLs as well.

Hope that helps!

That's what I needed! I've ended up using one of the already existing ACLs you linked:

config login
	option username 'hass'
	option password '$p$hass'
	list read 'luci-base-network-status'

Thanks!
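As an added example (not part of the thread and not OpenWrt or Home Assistant code), the following script audits the `config login` sections of an rpcd configuration and reports non-admin accounts that still hold a wildcard read grant or any write grant. The sample text is constructed from the two login sections quoted above plus an assumed root entry; the names `parse_logins`, `audit` and `admin_users` are hypothetical.

```python
import shlex
# Constructed sample in /etc/config/rpcd syntax (login sections from this thread + assumed root entry).
SAMPLE_RPCD = """
config login
        option username 'root'
        option password '$p$root'
        list read '*'
        list write '*'

config login
        option username 'readonlyuser'
        option password '$p$readonlyuser'
        list read '*'

config login
        option username 'hass'
        option password '$p$hass'
        list read 'luci-base-network-status'
"""

def parse_logins(text):
    """Return one dict per 'config login' section: username, read list, write list."""
    logins, current = [], None
    for raw in text.splitlines():
        tokens = shlex.split(raw, comments=True)  # handles UCI quoting and '#' comments
        if tokens[:2] == ["config", "login"]:
            current = {"username": None, "read": [], "write": []}
            logins.append(current)
        elif tokens[:1] == ["config"]:
            current = None  # some other section type; ignore its options
        elif current is not None and len(tokens) >= 3:
            kind, key, value = tokens[0], tokens[1], tokens[2]
            if kind == "option" and key == "username":
                current["username"] = value
            elif kind == "list" and key in ("read", "write"):
                current[key].append(value)
    return logins

def audit(text, admin_users=("root",)):
    """Flag non-admin logins holding a wildcard read grant or any write grant."""
    findings = []
    for login in parse_logins(text):
        if login["username"] in admin_users:
            continue
        if any("*" in pattern for pattern in login["read"]):
            findings.append((login["username"], "wildcard read grant"))
        if login["write"]:
            findings.append((login["username"], "write grant"))
    return findings
```

On the sample, `audit(SAMPLE_RPCD)` reports only `readonlyuser`; the `hass` login, limited to the named `luci-base-network-status` ACL, produces no finding.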
