From 9986c29df9a73b08a8467d65aa194109ec9bc10c Mon Sep 17 00:00:00 2001 From: Nikos Date: Thu, 12 Dec 2024 14:01:26 +0100 Subject: [PATCH 1/3] docs: add device ownership configuration docs --- docs/howto/configure-authd.md | 59 +++++++++++++++++++++++++++++++++++ 1 file changed, 59 insertions(+) diff --git a/docs/howto/configure-authd.md b/docs/howto/configure-authd.md index adee70ca3..b8a5e0175 100644 --- a/docs/howto/configure-authd.md +++ b/docs/howto/configure-authd.md 
@@ -89,6 +89,65 @@ client_id = client_secret = ``` +## Configure allowed users + +The users who are allowed to log in (after successfully authenticating via the +identity provider) are configured in the `users` section of the +`/var/snap/authd-/current/broker.conf` file: + +```ini +[users] +## 'allowed_users' specifies the users who are permitted to log in after +## successfully authenticating with the Identity Provider. +## Values are separated by commas. Supported values: +## - 'OWNER': Grants access to the user specified in the 'owner' option +## (see below). This is the default. +## - 'ALL': Grants access to all users who successfully authenticate +## with the Identity Provider. +## - : Grants access to specific additional users +## (e.g. user1@example.com). +## Example: allowed_users = OWNER,user1@example.com,admin@example.com +#allowed_users = OWNER + +## 'owner' specifies the user assigned the owner role. This user is +## permitted to log in if 'OWNER' is included in the 'allowed_users' +## option. +## +## If this option is left unset, the first user to successfully log in +## via this broker will automatically be assigned the owner role. A +## drop-in configuration file will be created in broker.conf.d/ to set +## the 'owner' option. +## +## To disable automatic assignment, you can either: +## 1. Explicitly set this option to an empty value (e.g. owner = "") +## 2. Remove 'OWNER' from the 'allowed_users' option +## +## Example: owner = user2@example.com +#owner = +``` + +By default, the first person to log in to the machine is automatically registered +as the owner. 
If you wish to override this behavior then specify a list of allowed +users with the `allowed_users` keyword, while omitting the `OWNER` keyword: + +```text +allowed_users = person1@email.com,person2@email.com +``` + +Alternatively, you can directly register someone as the owner by using the `owner` +keyword: + +```text +owner = your@email.com +``` + +Explicitly setting an empty owner, has the same effect as omitting the `OWNER` keyword +in `allowed_users`: + +```text +owner = +``` + ## Restart the broker When a configuration file is added you have to restart authd: From 92a6eae3c6d3ac28f4cf0ce326d495276b602969 Mon Sep 17 00:00:00 2001 From: Adrian Dombeck Date: Wed, 29 Jan 2025 21:15:19 +0100 Subject: [PATCH 2/3] docs: Fix usage of the term "keyword" for an option --- docs/howto/configure-authd.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/howto/configure-authd.md b/docs/howto/configure-authd.md index b8a5e0175..e55d326da 100644 --- a/docs/howto/configure-authd.md +++ b/docs/howto/configure-authd.md @@ -128,14 +128,14 @@ identity provider) are configured in the `users` section of the By default, the first person to log in to the machine is automatically registered as the owner. If you wish to override this behavior then specify a list of allowed -users with the `allowed_users` keyword, while omitting the `OWNER` keyword: +users with the `allowed_users` option, while omitting the `OWNER` keyword: ```text allowed_users = person1@email.com,person2@email.com ``` Alternatively, you can directly register someone as the owner by using the `owner` -keyword: +option: ```text owner = your@email.com From 304e661adb97e49f789208d9834e68983c980643 Mon Sep 17 00:00:00 2001 From: Adrian Dombeck Date: Wed, 29 Jan 2025 21:15:39 +0100 Subject: [PATCH 3/3] docs: Use empty string for explicitly setting empty value A bit easier to understand IMO. --- docs/howto/configure-authd.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
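Review bot: the added section documents a trust-on-first-use default without naming its consequence: with `allowed_users = OWNER` (the default) and `owner` unset, whoever authenticates first through the identity provider becomes the owner, and the drop-in written to `broker.conf.d/` makes that permanent. The sentence "By default, the first person to log in to the machine is automatically registered as the owner" should be followed by a short warning that on a machine reachable by more than one IdP account the administrator should set `owner` (or an explicit `allowed_users` list) before the first login, and should inspect `broker.conf.d/` afterwards to confirm which account was recorded. Two smaller points in the same hunk: the path `/var/snap/authd-/current/broker.conf` and the list item `## - : Grants access to specific additional users` both read as if a placeholder was dropped after `authd-` and after `- `, so please check that the intended placeholders survive rendering; and the three prose examples use ```text fences while the main block uses ```ini, so ```ini throughout would be consistent (the sentence "Explicitly setting an empty owner, has the same effect" also has a stray comma).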
diff --git a/docs/howto/configure-authd.md b/docs/howto/configure-authd.md index e55d326da..3426e92a2 100644 --- a/docs/howto/configure-authd.md +++ b/docs/howto/configure-authd.md @@ -145,7 +145,7 @@ Explicitly setting an empty owner, has the same effect as omitting the `OWNER` k in `allowed_users`: ```text -owner = +owner = "" ``` ## Restart the broker
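Review bot: changing the prose example to `owner = ""` leaves the page showing two different spellings of "empty" for the same option, since the commented default in the config block above it is still `#owner =` with nothing after the equals sign. The text should state whether the broker's parser treats bare `owner =` and `owner = ""` identically, and in particular that `""` is read as an empty string rather than as the literal two-character value `""`; an administrator who uses this line to disable automatic owner assignment needs a form that is guaranteed to parse as empty, and a value that silently fails to parse as empty would leave the first-login-becomes-owner behaviour in place. Suggest saying in the "Explicitly setting an empty owner" sentence which of the two forms is authoritative, and using that form in both places.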