• Recent
  • Unsolved
  • Tags
  • Popular
  • Users
  • Groups
  • Search
  • Register
  • Login
  • Recent
  • Unsolved
  • Tags
  • Popular
  • Users
  • Groups
  • Search
  • Register
  • Login

Is there a way to restrict FOG menu access to specific users?

Scheduled Pinned Locked Moved Solved
FOG Problems
2
4
232
Loading More Posts
  • Oldest to Newest
  • Newest to Oldest
  • Most Votes
Reply
  • Reply as topic
Log in to reply
This topic has been deleted. Only users with topic management privileges can see it.
  • J
    jblomquist
    last edited by Mar 27, 2023, 7:09 PM

    I’d like to allow a particular user to be able to deploy an image, but not quick delete a host through the PXE menu.
    I could hide all the main menu options behind the PXE advanced menu secured with login, leaving deploy tasks to be created without login, but I would rather not allow individuals to deploy without having to pass credentials. I have an example PXE Advanced Menu file here that I’m thinking of trying to use, I’m wondering if there is any way I can use this (or any other mechanism) to control PXE Menu access on a user-by-user basis. If anyone has an idea, please let me know!

    #!ipxe
set fog-ip 192.168.112.116
set fog-webroot fog
set boot-url http://${fog-ip}/${fog-webroot}
cpuid --ext 29 && set arch x86_64 || set arch i386
goto get_console
:console_set
colour --rgb 0x00567a 1 ||
colour --rgb 0x00567a 2 ||
colour --rgb 0x00567a 4 ||
cpair --foreground 7 --background 2 2 ||
goto MENU
:alt_console
cpair --background 0 1 ||
cpair --background 1 2 ||
goto MENU
:get_console
console --picture http://192.168.112.116/fog/service/ipxe/bg.png --left 100 --right 80 && goto console_set || goto alt_console
:MENU
menu
colour --rgb 0xff0000 0 ||
cpair --foreground 1 1 ||
cpair --foreground 0 3 ||
cpair --foreground 4 4 ||
item --gap Host is NOT registered!
item --gap -- -------------------------------------
item fog.local Boot from hard disk
item fog.memtest Run Memtest86+
item fog.reginput Perform Full Host Registration and Inventory
item fog.reg Quick Registration and Inventory
item fog.deployimage Deploy Image
item fog.multijoin Join Multicast Session
item fog.sysinfo Client System Information (Compatibility)
item fog.advanced Advanced Menu
item os.Debian.10.7L Debian 10.7 Live
item fog.keyenroll FOG Secure Boot Enrollment
choose --default fog.local --timeout 3000 target && goto ${target}
:fog.local
sanboot --no-describe --drive 0x80 || goto MENU
:fog.memtest
kernel memdisk initrd=memtest.bin iso raw
initrd memtest.bin
boot || goto MENU
:fog.reginput
kernel bzImage32 loglevel=4 initrd=init_32.xz root=/dev/ram0 rw ramdisk_size=275000 web=http://192.168.112.116/fog/ consoleblank=0 rootfstype=ext4 NFSv4=1 NFSTLS=1 storage=192.168.112.116:/images/ storageip=192.168.112.116 nvme_core.default_ps_max_latency_us=0 loglevel=4 mode=manreg
imgfetch init_32.xz
boot || goto MENU
:fog.reg
kernel bzImage32 loglevel=4 initrd=init_32.xz root=/dev/ram0 rw ramdisk_size=275000 web=http://192.168.112.116/fog/ consoleblank=0 rootfstype=ext4 NFSv4=1 NFSTLS=1 storage=192.168.112.116:/images/ storageip=192.168.112.116 nvme_core.default_ps_max_latency_us=0 loglevel=4 mode=autoreg
imgfetch init_32.xz
boot || goto MENU
:fog.deployimage
login
params
param mac0 ${net0/mac}
param arch ${arch}
param username ${username}
param password ${password}
param qihost 1
isset ${net1/mac} && param mac1 ${net1/mac} || goto bootme
isset ${net2/mac} && param mac2 ${net2/mac} || goto bootme
param sysuuid ${uuid}
:fog.multijoin
login
params
param mac0 ${net0/mac}
param arch ${arch}
param username ${username}
param password ${password}
param sessionJoin 1
isset ${net1/mac} && param mac1 ${net1/mac} || goto bootme
isset ${net2/mac} && param mac2 ${net2/mac} || goto bootme
param sysuuid ${uuid}
:fog.sysinfo
kernel bzImage32 loglevel=4 initrd=init_32.xz root=/dev/ram0 rw ramdisk_size=275000 web=http://192.168.112.116/fog/ consoleblank=0 rootfstype=ext4 NFSv4=1 NFSTLS=1 storage=192.168.112.116:/images/ storageip=192.168.112.116 nvme_core.default_ps_max_latency_us=0 loglevel=4 mode=sysinfo
imgfetch init_32.xz
boot || goto MENU
:fog.advanced
chain -ar http://192.168.112.116/fog/service/ipxe/advanced.php || goto MENU
:os.Debian.10.7L
kernel tftp://${fog-ip}/debian/10.7L/vmlinuz
initrd tftp://${fog-ip}/debian/10.7L/initrd
imgargs vmlinuz dhcp boot=live components fetch=http://${fog-ip}/os/debian/10.7L/filesystem.squashfs
boot || goto MENU
param sysuuid ${uuid}
:fog.keyenroll
chain tftp:/${fog-ip}/EnrollKeys.efi
echo Rebooting the system in 8 seconds
sleep 5
reboot
param sysuuid ${uuid}
:bootme
chain -ar http://192.168.112.116/fog/service/ipxe/boot.php##params ||
goto MENU
autoboot
    1 Reply Last reply Reply Quote 1
    • J
      jblomquist
      last edited by jblomquist Mar 28, 2023, 10:24 AM Mar 28, 2023, 4:19 PM

      Alright so I made some progress. I dont know PHP or C, and I’m just learning how iPXE is working.

      I was using the template above, which I retrieved from https://forums.fogproject.org/topic/15969/securing-fog-boot-options/17?sort=oldest_to_newest

      But, I don’t really know where that is from, so I wanted to find my own menu template. I was able to find that by putting http://<My FOG IP address>/fog/service/ipxe/boot.php? into my web browser.

      #!ipxe
set fog-ip <my fog ip>
set fog-webroot fog
set boot-url http://${fog-ip}/${fog-webroot}
cpuid --ext 29 && set arch x86_64 || set arch i386
goto get_console
:console_set
colour --rgb 0x00567a 1 ||
colour --rgb 0x00567a 2 ||
colour --rgb 0x00567a 4 ||
cpair --foreground 7 --background 2 2 ||
goto MENU
:alt_console
cpair --background 0 1 ||
cpair --background 1 2 ||
goto MENU
:get_console
console --picture http://<my fog ip>/fog/service/ipxe/bg.png --left 100 --right 80 && goto console_set || goto alt_console
:MENU
menu
colour --rgb 0xff0000 0 ||
cpair --foreground 1 1 ||
cpair --foreground 0 3 ||
cpair --foreground 4 4 ||
item --gap Host is NOT registered!
item --gap -- -------------------------------------
item fog.local Boot from hard disk
item fog.memtest Run Memtest86+
item fog.reginput Perform Full Host Registration and Inventory
item fog.reg Quick Registration and Inventory
item fog.deployimage Deploy Image
item fog.multijoin Join Multicast Session
item fog.sysinfo Client System Information (Compatibility)
item fog.advancedlogin Advanced Menu
choose --default fog.local --timeout 3000 target && goto ${target}
:fog.local
sanboot --no-describe --drive 0x80 || goto MENU
:fog.memtest
kernel memdisk initrd=memtest.bin iso raw
initrd memtest.bin
boot || goto MENU
:fog.reginput
kernel bzImage32 loglevel=4 initrd=init_32.xz root=/dev/ram0 rw ramdisk_size=275000 web=http://<my fog ip>/fog/ consoleblank=0 rootfstype=ext4 storage=<my fog ip>:/images/ storageip=<my fog ip> nvme_core.default_ps_max_latency_us=0 loglevel=4 mode=manreg
imgfetch init_32.xz
boot || goto MENU
:fog.reg
kernel bzImage32 loglevel=4 initrd=init_32.xz root=/dev/ram0 rw ramdisk_size=275000 web=http://<my fog ip>/fog/ consoleblank=0 rootfstype=ext4 storage=<my fog ip>:/images/ storageip=<my fog ip> nvme_core.default_ps_max_latency_us=0 loglevel=4 mode=autoreg
imgfetch init_32.xz
boot || goto MENU
:fog.deployimage
login
params
param mac0 ${net0/mac}
param arch ${arch}
param username ${username}
param password ${password}
param qihost 1
isset ${net1/mac} && param mac1 ${net1/mac} || goto bootme
isset ${net2/mac} && param mac2 ${net2/mac} || goto bootme
param sysuuid ${uuid}
:fog.multijoin
login
params
param mac0 ${net0/mac}
param arch ${arch}
param username ${username}
param password ${password}
param sessionJoin 1
isset ${net1/mac} && param mac1 ${net1/mac} || goto bootme
isset ${net2/mac} && param mac2 ${net2/mac} || goto bootme
param sysuuid ${uuid}
:fog.sysinfo
kernel bzImage32 loglevel=4 initrd=init_32.xz root=/dev/ram0 rw ramdisk_size=275000 web=http://<my fog ip>/fog/ consoleblank=0 rootfstype=ext4 storage=<my fog ip>:/images/ storageip=<my fog ip> nvme_core.default_ps_max_latency_us=0 loglevel=4 mode=sysinfo
imgfetch init_32.xz
boot || goto MENU
:fog.advancedlogin
login
params
param mac0 ${net0/mac}
param arch ${arch}
param username ${username}
param password ${password}
param advLog 1
isset ${net1/mac} && param mac1 ${net1/mac} || goto bootme
isset ${net2/mac} && param mac2 ${net2/mac} || goto bootme
param sysuuid ${uuid}
:bootme
chain -ar http://<my fog ip>/fog/service/ipxe/boot.php##params ||
goto MENU
autoboot

      The idea here is I want to have two users: one user that can do full registration, quick reg, deploy, quick delete, etc.
      The other user can only deploy.

      How I’m thinking of doing this is limiting the main menu options to Deploy and Advanced menu, only. Deploy (in the main menu) will be locked behind the user2 credentials, while advanced menu will be locked behind the user1 credentials. The advanced menu will contain all of tasks that user1 should have access to: full reg, quick reg, deploy, quick del, etc.

      I have implemented the advanced menu by, essentially, copying and pasting my Main menu template in FOG Configuration>iPXE General Configuration>Advanced Menu settings>Advanced menu command

      Which seems to work, however when I PXE boot and select Full Host Registration and Inventory, it boots me back to the menu because boot fails.

      Now, I’m trying to figure out why boot is failing, to not much avail.

      Edit: the error I’m getting on boot is

      Could not boot: Error 0x7f048283 (http://ipxe.org/7f048283)
Could not boot: Error 0x7f048283 (http://ipxe.org/7f048283)
Could not boot: Error 0x7f048283 (http://ipxe.org/7f048283)
Chainloading failed, hit 's' for the iPXE shell; reboot in 10 seconds
      1 Reply Last reply Reply Quote 0
      • J
        jblomquist
        last edited by jblomquist Mar 29, 2023, 8:31 AM Mar 29, 2023, 2:00 PM

        So, I was making it so much more complicated than I needed!
        I don’t need an advanced menu to hide options behind – I can just secure all the menu options with the one user and then create another deploy option that is secured with the other, unprivileged user.

        For example, here are the parameters for my default deploy delete task:

        login
params
param mac0 ${net0/mac}
param arch ${arch}
param username ${username}
param password ${password}
param delhost 1
isset ${net1/mac} && param mac1 ${net1/mac} || goto bootme
isset ${net2/mac} && param mac2 ${net2/mac} || goto bootme

        So instead of using ${username}, I just replace that with the actual username that I want to be able to be used, like this:

        login
params
param mac0 ${net0/mac}
param arch ${arch}
param username myadminuser
param password ${password}
param delhost 1
isset ${net1/mac} && param mac1 ${net1/mac} || goto bootme
isset ${net2/mac} && param mac2 ${net2/mac} || goto bootme

        Then, I go to FOG Configuration>iPXE New Menu Entry and name the menu item, enter the description, copy the parameters from whatever other menu item I want to mimic, and then change the ${username} to the username I want to restrict that menu option to.

        1 Reply Last reply Reply Quote 0
        • S
          Sebastian Roth Moderator
          last edited by Mar 30, 2023, 9:31 PM

          @jblomquist said in Is there a way to restrict FOG menu access to specific users?:

          I’d like to allow a particular user to be able to deploy an image, but not quick delete a host through the PXE menu.

          Which version of FOG do you use?

          The quick delete option is secured in the iPXE menu in FOG 1.5.10 (github commit).

          Web GUI issue? Please check apache error (debian/ubuntu: /var/log/apache2/error.log, centos/fedora/rhel: /var/log/httpd/error_log) and php-fpm log (/var/log/php*-fpm.log)

          Please support FOG if you like it: https://wiki.fogproject.org/wiki/index.php/Support_FOG

          1 Reply Last reply Reply Quote 1
          • [[undefined-on, S Sebastian Roth, Mar 30, 2023, 9:32 PM]]
          • 1 / 1
          1 / 1
          • First post
            2/4
            Last post

          203

          Online

          12.0k

          Users

          17.3k

          Topics

          155.2k

          Posts
          Copyright © 2012-2024 FOG Project