processone / ejabberd

Robust, Ubiquitous and Massively Scalable Messaging Platform (XMPP, MQTT, SIP Server)
https://www.process-one.net/en/ejabberd/

Ejabberd Access to WebAdmin page vhosts/ for account #4247

Closed cherimo closed 1 week ago

cherimo commented 1 week ago

On my Ubuntu version 22 I have installed Ejabberd according to docs.ejabberd.im. Everything worked fine; I made the minimum changes successfully, registered a member, and made the member admin in the conf ejabberd.yml file.

But when I log in to the admin panel: https://exdomain.com:5443 I get the login popup/dialog and can successfully log in as an admin. But when I visit the pages like vhosts, nodes, multichat etc., the page gets loaded but no data is visible. When I view my logs I see the following error:

@ejabberd_web_admin:process_admin/3:524 Access to WebAdmin page vhosts/ for account admin@exdomain.com was denied

I made the following changes: /opt/ejabberd/conf/ejabberd.yml

hosts:
  - exdomain.com

...

acl:
  admin:
    user: admin@exdomain.com
  local:
    user_regexp: ""
  loopback:
    ip:
      - 127.0.0.0/8
      - ::1/128

I have got the SSL fixed and put the ports open.

But somehow I can't get the problem fixed.

Am I missing something?

badlop commented 1 week ago

In the 'api_permissions' option, you granted access to execute commands only to admin accounts from localhost, right? Well, at least the default configuration is defined that way.

And you are accessing the webadmin from another machine, outside localhost?

licaon-kter commented 1 week ago

Isn't this fixed in HEAD and ready for 24.07?

cherimo commented 1 week ago

> In the 'api_permissions' option, you granted access to execute commands only to admin accounts from localhost, right? Well, at least the default configuration is defined that way.
>
> And you are accessing the webadmin from another machine, outside localhost?

Thank you for your replies.

@badlop This is my "api_permissions" block:

api_permissions:
  "console commands":
    from:
      - ejabberd_ctl
    who: all
    what: "*"
  "admin access":
    who:
      access:
        allow:
          - acl: loopback
          - acl: admin
      oauth:
        scope: "ejabberd:admin"
        access:
          allow:
            - acl: loopback
            - acl: admin
    what:
      - "*"
      - "!stop"
      - "!start"
  "public commands":
    who:
      ip: 127.0.0.1
    what:
      - status
      - connected_users_number

I changed 127.0.0.1 to 0.0.0.0 but no luck. What is the best option to make sure that the API is reachable for the public domain "exdomain.com"?

licaon-kter commented 1 week ago

Ref: https://github.com/processone/ejabberd/issues/4243

cherimo commented 1 week ago

> Ref: #4243

Thx added this block to my conf in "api_permissions":

  "webadmin commands":
    from:
      - ejabberd_web_admin
    who:
      access:
        allow:
          - acl: admin
    what:
      - "*"

Now everything works fine!
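
Added example, not part of the thread and not ejabberd's own code: a simplified model of how the `api_permissions` rules posted above decide a WebAdmin request, showing why a remote admin was denied and which rule permits it after the change. It assumes that every entry under `allow` must match (as described in the reply above), ignores the `oauth` part and the "public commands" rule, and uses a constructed client address and a sample command name.

```python
import ipaddress

# Constructed from the configuration posted in this thread, written as the
# structure a YAML parser would produce.
ACLS = {
    "admin": {"user": "admin@exdomain.com"},
    "loopback": {"ip": ["127.0.0.0/8", "::1/128"]},
}
DEFAULT_RULES = {
    "console commands": {"from": ["ejabberd_ctl"], "who": "all", "what": ["*"]},
    "admin access": {
        "who": {"access": {"allow": [{"acl": "loopback"}, {"acl": "admin"}]}},
        "what": ["*", "!stop", "!start"],
    },
}
WEBADMIN_RULE = {
    "webadmin commands": {
        "from": ["ejabberd_web_admin"],
        "who": {"access": {"allow": [{"acl": "admin"}]}},
        "what": ["*"],
    },
}

def acl_matches(name, jid, ip):
    acl = ACLS[name]
    if "user" in acl and acl["user"] != jid:
        return False
    if "ip" in acl:
        addr = ipaddress.ip_address(ip)
        # Only compare against networks of the same IP family.
        return any(addr.version == net.version and addr in net
                   for net in map(ipaddress.ip_network, acl["ip"]))
    return True

def who_matches(who, jid, ip):
    if who == "all":
        return True
    # Assumption taken from the thread: every entry under "allow" must match.
    return all(acl_matches(c["acl"], jid, ip) for c in who["access"]["allow"])

def what_matches(what, command):
    if "!" + command in what:          # "!stop" style exclusions win
        return False
    return "*" in what or command in what

def permitting_rules(rules, frontend, jid, ip, command):
    """Names of the rules that would let this request run the command."""
    return [name for name, r in rules.items()
            if frontend in r.get("from", [frontend])  # no "from" = any frontend
            and who_matches(r["who"], jid, ip)
            and what_matches(r["what"], command)]
```

In this model the added "webadmin commands" rule also permits `stop` and `start` and has no address restriction, unlike "admin access"; adding `"!stop"` / `"!start"` or an address ACL to that rule keeps the remote WebAdmin grant narrower.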