Closed ninsbl closed 7 years ago
I agree with the hybrid type. But we will see after tests without firewall security because I can't test this solution from my house until the server is hidden for me.
And I hope that after some studies of Apache, we will be able to configure other solutions for other services on the server, so there can be service NINA with this hybrid and NINAprivate with something more strict. But it's still just an idea, I'm not so proficient in Apache.
The firewall is not the main problem for testing security configuration (but a problem for real life application tests). We just have to be at the office or use VPN (preinstalled on NINA laptops). On the ninsrv16 server we have another istSOS installation running, where I could give you ssh access to the istSOS configuration files. There we could test Apache settings ++. However, main challenge will probably be user management. And this will be different from a production server, when experimenting on ninsrv16...
Thanks, the ssh could be useful.
The permissions should be done. Can you please look at it and if everything works, close this issue? Thanks.
I created one admin user and one visitor user, I will send you access rights separately.
If I understood correctly, data could be relatively easily moved across services with: https://github.com/istSOS/istsos2/blob/2689a2d00f31dc851745e02c590fa6b6e607661e/scripts/istsos2istsos.py That means we could have e.g. a service per project (with individually configured access rights) and then collect publicly available data in an institute service e.g. by device type as discussed / planned earlier....
Maybe we can close this issue, but we have to further discuss implementation of different data access models with public vs. internal vs. project data...
I didn't try istsos2istsos, but it seems so.
The strategy with institute service seems really good to me.
We applied relevant possible security features. Rest is documentation and istsos3 development.
istSOS allows for lots of different security concepts, which can be chosen per istSOS instance (if I understood correctly).
For most of the projects in NINA I would assume that the following solution is appropriate: http://istsos.org/en/latest/doc/security.html#hybrid-w-o-insertobservation-and-registersensor
However, ongoing projects may prefer a closed configuration, where not even all istSOS users have a viewer role.
Current (unconfigured) setup allows everything for unregistered users and is not suitable for production.
Implementing authentication and security configuration requires user management and is thus probably a task for Robert...?