processone / ejabberd

Robust, Ubiquitous and Massively Scalable Messaging Platform (XMPP, MQTT, SIP Server)
https://www.process-one.net/en/ejabberd/

Webadmin console empty for vhost #4243

Closed mremond closed 3 months ago

mremond commented 3 months ago

It seems that for some users, the webadmin can be empty. It may be related to the way vhosts are accessed (URL?), as the log shows the following message:

Access to WebAdmin page vhosts/ for account admin@example.com was denied

badlop commented 3 months ago

Until ejabberd 24.02, to use the WebAdmin it was enough that the account had configure access to log in:

acl:
  admin: [user: username]

access_rules:
  configure:
    allow: admin

Since ejabberd 24.06, WebAdmin uses commands to get information to build the pages. If an account does not have permission to execute a command, that command does not appear in the WebAdmin.

In practice: the account must have configure access in order to log in... and must have permission to execute the commands to view the page contents. At least it should have permission to execute the registered_vhosts command.

The default ejabberd configuration is something like this. In this example, it allows "username" to log in to the WebAdmin, and allows it to execute all the commands as long as it connects from localhost; if it connects from outside, then it can log in to WebAdmin, but cannot access the content:

acl:
  admin: [user: username]
  loopback:
    ip:
      - 127.0.0.0/8
      - ::1/128

access_rules:
  configure:
    allow: admin
  trusted_network:
    allow: loopback

api_permissions:
  "admin access":
    who:
      access:
        allow:
          - acl: loopback
          - acl: admin
    what:
      - "*"

Can you access all WebAdmin content when you log in from localhost, but WebAdmin is empty when you log in from outside? In that case, add the configuration that was mentioned in ejabberd 24.06 release notes: WebAdmin commands permissions configuration, or this one that allows webadmin to access all commands for admin:

api_permissions:
  "webadmin commands":
    from:
      - ejabberd_web_admin
    who:
      access:
        allow:
          - acl: admin
    what:
      - "*"

licaon-kter commented 3 months ago

I tried @badlop's setup, still not able to access stuff, same log message

prefiks commented 3 months ago

@licaon-kter Would you be able to bump log level to debug for a second and do that again? I think this should log information about ejabberd command authentication tags, that may help here.

badlop commented 3 months ago

The other possible reason for WebAdmin to show only an empty webadmin (navigation links, but no actual administrative content):

  1. configure in ejabberd.yml only the host example.com, and grant account user admin rights as explained previously
  2. open in browser http://localhost:5280/admin/
  3. login with account user@example.com

Due to a bug, webadmin uses user@example.com when checking access to webadmin, but it uses user@localhost when checking access to commands!

That bug is solved right now thanks to commit https://github.com/processone/ejabberd/commit/54f5db851defb5f69e75830081c6aad4a991a20e
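
The two causes discussed in this thread (missing `api_permissions` for WebAdmin commands, and the login JID differing from the JID used for command checks) can be reproduced with a simplified model. This is an added example, not part of any comment above and not ejabberd's code. The matching rules, the `HOSTS` set, the function names and the address 203.0.113.7 are assumptions made for illustration.

```python
import ipaddress

HOSTS = {"example.com"}  # vhosts configured in ejabberd.yml (constructed sample)

def acl_match(name, jid, ip):
    """Assumed ACL semantics: 'admin' is user 'username' on a configured vhost."""
    user, _, host = jid.partition("@")
    if name == "admin":
        return user == "username" and host in HOSTS
    if name == "loopback":
        addr = ipaddress.ip_address(ip)
        return any(addr in ipaddress.ip_network(n) for n in ("127.0.0.0/8", "::1/128"))
    return False

# api_permissions from the thread, reduced to from/who/what lists.
# All ACLs listed under "who" must match (loopback AND admin in the default rule).
DEFAULT = {"admin access": {"who": ["loopback", "admin"], "what": ["*"]}}
WEBADMIN = {"webadmin commands": {"from": ["ejabberd_web_admin"],
                                  "who": ["admin"], "what": ["*"]}}
FIXED = {**DEFAULT, **WEBADMIN}

def can_execute(perms, command, jid, ip, frontend="ejabberd_web_admin"):
    """True if any rule grants `command` to `jid` calling from `frontend`."""
    for rule in perms.values():
        if "from" in rule and frontend not in rule["from"]:
            continue
        if not all(acl_match(a, jid, ip) for a in rule["who"]):
            continue
        if "*" in rule["what"] or command in rule["what"]:
            return True
    return False

def webadmin_view(perms, login_jid, ip, command_jid=None):
    """Return 'denied', 'empty' or 'content' for one WebAdmin session."""
    command_jid = command_jid or login_jid
    if not acl_match("admin", login_jid, ip):  # access_rules: configure allows admin
        return "denied"
    ok = can_execute(perms, "registered_vhosts", command_jid, ip)
    return "content" if ok else "empty"

if __name__ == "__main__":
    me = "username@example.com"
    print("default, localhost:", webadmin_view(DEFAULT, me, "127.0.0.1"))
    print("default, remote:   ", webadmin_view(DEFAULT, me, "203.0.113.7"))
    print("fixed, remote:     ", webadmin_view(FIXED, me, "203.0.113.7"))
    # Host mismatch: login checked as @example.com, commands as @localhost
    print("host mismatch:     ",
          webadmin_view(FIXED, me, "127.0.0.1", command_jid="username@localhost"))
```
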