Closed thibauld closed 9 years ago
@thibauld I activated the admin user. To add more users, there are two options:
I suggest that I do a very simple registration form to enable users to register and save the credentials to a SQLite database. Then each user can log in with a different username and password (instead of the hard-coded one). Also, will we give public users write access? That privilege will enable them to deploy workflows to the server (from the existing nodes).
There is no registration mechanism with the default node red implementation? If not, I would rather start with the straightforward hardcoded option for now, as I am afraid any other solution will have to be recoded at some point (on the website most probably). What about creating only a demo user for now? We should also check the security of the function node in node red: can a user with write access access the /etc/passwords file, for example, or execute a command on the host system? That would be a serious security issue...
Node Red provides an authentication mechanism, not registration. That means I can plug in whatever authentication code I want to let a user in. So, I would start with the hard-coded option now.
Regarding the security, the user has full access over everything when it comes to writing a function. Actually, there is a core node called "exec" (find it in the advanced section) that allows the user to execute whatever commands he wants and get back the stdout, stderr, and the return code. The ultimate solution is to remove those nodes altogether from the palette and provide the users with nodes that have specific jobs only.
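One way to back up the "specific jobs only" idea with a deploy-time check, as an added example that is not part of this thread or the project's code: reject any Node-RED flow export that contains a node type outside an allowlist. The allowlist, the function name `auditFlow` and the sample flow are assumptions constructed for illustration.

```javascript
// Node types public users may deploy (constructed allowlist, adjust per deployment).
const ALLOWED_TYPES = new Set(["tab", "inject", "debug", "change", "http in", "http response"]);
// Node types the comment above identifies as giving access to the host.
const HOST_ACCESS_TYPES = new Set(["exec", "function"]);

// Parse a flow export (a JSON array of node objects) and list every node
// that is not explicitly allowed. Anything unparseable is rejected (fail closed).
function auditFlow(flowJson) {
  let nodes;
  try {
    nodes = JSON.parse(flowJson);
  } catch (err) {
    return { ok: false, findings: [{ id: null, type: null, reason: "invalid JSON" }] };
  }
  if (!Array.isArray(nodes)) {
    return { ok: false, findings: [{ id: null, type: null, reason: "export is not an array" }] };
  }
  const findings = [];
  for (const node of nodes) {
    const id = node && typeof node.id === "string" ? node.id : null;
    const type = node && typeof node.type === "string" ? node.type : null;
    if (type === null) {
      findings.push({ id, type, reason: "missing type" });
    } else if (HOST_ACCESS_TYPES.has(type)) {
      findings.push({ id, type, reason: "host access" });
    } else if (!ALLOWED_TYPES.has(type)) {
      findings.push({ id, type, reason: "not on allowlist" });
    }
  }
  return { ok: findings.length === 0, findings };
}

// Constructed sample export: three of the six nodes must be flagged.
const SAMPLE_FLOW = JSON.stringify([
  { id: "t1", type: "tab", label: "demo" },
  { id: "n1", type: "inject", z: "t1", wires: [["n2"]] },
  { id: "n2", type: "exec", z: "t1", command: "uptime", wires: [[], [], []] },
  { id: "n3", type: "function", z: "t1", func: "return msg;", wires: [["n4"]] },
  { id: "n4", type: "debug", z: "t1" },
  { id: "n5", type: "file in", z: "t1" }
]);

const report = auditFlow(SAMPLE_FLOW);
for (const f of report.findings) {
  console.log(`${f.id}: ${f.type} (${f.reason})`);
}
```

A check like this complements removing the nodes from the palette: it also catches flows that are imported as JSON rather than built from the palette.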
Node Red has user management, which should be activated for algopiper. It also means that the containers that are spawned should be tied to a specific user.