Simple Password Protection

[criticalfungus]

Hi there,

This is an excellent tool, I'm really impressed with it. Running in docker, on a TrueNAS Scale box with a redirected data folder. Its great for me and my team to make maps of our racks in, it was Visio before. Obviously its early days for the tool but we were wondering, we work in schools and rather than having to lock down the ports and IP of the web page of this app using firewall and access control rules. What are the chances of even simple user management. We wouldn't be web publishing it, just internal to the LAN.

For example, just a simple optional password for locking down the interface would stop students (well the majority) who stumble on the site from changing anything. Username and Password support would be great, 365 SSO integration even better, but honestly as simple enter a password would make this secure enough for us to use properly.

Thanks for putting this together.

Dale

[ggfevans]

Hey @criticalfungus thanks for dropping in. I agree, auth is probably overdue. Initially this project was entirely client side and session-based, so even if there were sensitive data it was only in one browser session.

now that we have persistent data, and potentially orgs putting detail about server architecture that may have sensitive/risk to it, auth is necessary.

While you could technically put whatever auth you wnat infront of the application, that is a bit like locking the front door while your garage door is wide open: the application would still be accessible unless you explicitly deny it through nginx config.

It is also interesting to me that you also mention being a school. This is the 2nd user that has mentioned this, I am beginning to see a trend.

Can you clarify, what auth methods does your org use right now? You mention 365 SSO so I am inferring you are a Microsoft shop though using TrueNAS makes me think you are probably open to just about any technical solution.

[criticalfungus]

Wow thats fast work, thanks for looking in to this.

We are ok with just a simple lock on the door currently, but Id imagine many of our IT Colleagues would love to be able to track cabinet changes. We would keep sensitive information out of the rack map's intially, then as security improves, it would be useful to be able to click on links straight to the management interfaces of switches etc. I'd say keeping device username and passwords out of the software (although really helpful) would mean the application can worry less about becoming Fort Knox while it develops.

If SSO is possible, most schools I've ever come across (UK based) tend to have On Prem Active Directory, often with Hybrid Office 365 tenancies. They often also have Google Workspaces, again often synced from Active Directory using either Google Cloud Directory Sync or we are using the new Cloud Sync BETA. Essentially this means that we are often looking for applications with either "Login with Microsoft" (Microsoft Entra single sign-on) or "Login with Google" (Google Workspace SSO) functionality, That way we can grant access to the app by granting permissions to groups within the respective tenancies. I'm sure theres far better ways but for education, it tends to be a good mix between cost and functionality. Hope that makes sense.

Rackula is the perfect tool for school engineers really. I work with several schools as part of a Trust, but even back when I was a single school network manager, I'd need something like Visio to produce cabinet diagrams properly (otherwise it was excel spreadsheets). As schools are almost constantly scrabbling around for money, IT Support and documentation doesn't get given much thought by Senior Leadership Teams when it comes to budgets, yet schools are under exactly the same scrutiny as companies when it comes to ensuring they have Disaster Recovery plans etc. So no, money, under appriciated skills, lone engineers who are expected to already have these bits of documentation, nothing to produce that documentation with, a tool like this is like striking a gold mine.

But yes, we should be able to work with most solutions, honestly at the minute, even something as simple as a password set using an Environment variable would keep at bay the kind of low level access attempts that we would get from most students. Obviously not secure enough for most places. As an example, we use Dashy (https://dashy.to/) internally in a similar way. A public facing Dashboard for students, and there is essentially an admin button with a password that lets us make changes.

Hope that helps

Dale

[ggfevans]

Hey @criticalfungus thanks for all that detail!

I have put a bunch of thought into this, see #1095 for the full scope. Authentication will be my next focus leading up to v0.9

I also have added some improved documentation in the Selfhosting guide. Can you have a look at that and let me know if that meets your needs and makes sense to you?

Cheers
Gareth

[mondychan]

@ggfevans yo mate,are you sure you were referencing the right person?

[ggfevans]

lol Whoops @mondychan - shows me for trusting GitHub's weird @ autocomplete. thanks for the heads up

[mondychan]

@ggfevans sure thing,been there,done that 👍