
Is there a way to restrict FOG menu access to specific users?

jblomquist (Mar 27, 2023, 7:09 PM)

    I’d like to allow a particular user to be able to deploy an image, but not quick delete a host through the PXE menu.
    I could hide all the main menu options behind the PXE advanced menu secured with login, leaving deploy tasks to be created without login, but I would rather not allow individuals to deploy without having to pass credentials. I have an example PXE Advanced Menu file here that I’m thinking of trying to use; I’m wondering if there is any way I can use this (or any other mechanism) to control PXE Menu access on a user-by-user basis. If anyone has an idea, please let me know!

    #!ipxe
    set fog-ip 192.168.112.116
    set fog-webroot fog
    set boot-url http://${fog-ip}/${fog-webroot}
    cpuid --ext 29 && set arch x86_64 || set arch i386
    goto get_console
    :console_set
    colour --rgb 0x00567a 1 ||
    colour --rgb 0x00567a 2 ||
    colour --rgb 0x00567a 4 ||
    cpair --foreground 7 --background 2 2 ||
    goto MENU
    :alt_console
    cpair --background 0 1 ||
    cpair --background 1 2 ||
    goto MENU
    :get_console
    console --picture http://192.168.112.116/fog/service/ipxe/bg.png --left 100 --right 80 && goto console_set || goto alt_console
    :MENU
    menu
    colour --rgb 0xff0000 0 ||
    cpair --foreground 1 1 ||
    cpair --foreground 0 3 ||
    cpair --foreground 4 4 ||
    item --gap Host is NOT registered!
    item --gap -- -------------------------------------
    item fog.local Boot from hard disk
    item fog.memtest Run Memtest86+
    item fog.reginput Perform Full Host Registration and Inventory
    item fog.reg Quick Registration and Inventory
    item fog.deployimage Deploy Image
    item fog.multijoin Join Multicast Session
    item fog.sysinfo Client System Information (Compatibility)
    item fog.advanced Advanced Menu
    item os.Debian.10.7L Debian 10.7 Live
    item fog.keyenroll FOG Secure Boot Enrollment
    choose --default fog.local --timeout 3000 target && goto ${target}
    :fog.local
    sanboot --no-describe --drive 0x80 || goto MENU
    :fog.memtest
    kernel memdisk initrd=memtest.bin iso raw
    initrd memtest.bin
    boot || goto MENU
    :fog.reginput
    kernel bzImage32 loglevel=4 initrd=init_32.xz root=/dev/ram0 rw ramdisk_size=275000 web=http://192.168.112.116/fog/ consoleblank=0 rootfstype=ext4 NFSv4=1 NFSTLS=1 storage=192.168.112.116:/images/ storageip=192.168.112.116 nvme_core.default_ps_max_latency_us=0 loglevel=4 mode=manreg
    imgfetch init_32.xz
    boot || goto MENU
    :fog.reg
    kernel bzImage32 loglevel=4 initrd=init_32.xz root=/dev/ram0 rw ramdisk_size=275000 web=http://192.168.112.116/fog/ consoleblank=0 rootfstype=ext4 NFSv4=1 NFSTLS=1 storage=192.168.112.116:/images/ storageip=192.168.112.116 nvme_core.default_ps_max_latency_us=0 loglevel=4 mode=autoreg
    imgfetch init_32.xz
    boot || goto MENU
    :fog.deployimage
    login
    params
    param mac0 ${net0/mac}
    param arch ${arch}
    param username ${username}
    param password ${password}
    param qihost 1
    isset ${net1/mac} && param mac1 ${net1/mac} || goto bootme
    isset ${net2/mac} && param mac2 ${net2/mac} || goto bootme
    param sysuuid ${uuid}
    :fog.multijoin
    login
    params
    param mac0 ${net0/mac}
    param arch ${arch}
    param username ${username}
    param password ${password}
    param sessionJoin 1
    isset ${net1/mac} && param mac1 ${net1/mac} || goto bootme
    isset ${net2/mac} && param mac2 ${net2/mac} || goto bootme
    param sysuuid ${uuid}
    :fog.sysinfo
    kernel bzImage32 loglevel=4 initrd=init_32.xz root=/dev/ram0 rw ramdisk_size=275000 web=http://192.168.112.116/fog/ consoleblank=0 rootfstype=ext4 NFSv4=1 NFSTLS=1 storage=192.168.112.116:/images/ storageip=192.168.112.116 nvme_core.default_ps_max_latency_us=0 loglevel=4 mode=sysinfo
    imgfetch init_32.xz
    boot || goto MENU
    :fog.advanced
    chain -ar http://192.168.112.116/fog/service/ipxe/advanced.php || goto MENU
    :os.Debian.10.7L
    kernel tftp://${fog-ip}/debian/10.7L/vmlinuz
    initrd tftp://${fog-ip}/debian/10.7L/initrd
    imgargs vmlinuz dhcp boot=live components fetch=http://${fog-ip}/os/debian/10.7L/filesystem.squashfs
    boot || goto MENU
    param sysuuid ${uuid}
    :fog.keyenroll
    chain tftp://${fog-ip}/EnrollKeys.efi
    echo Rebooting the system in 8 seconds
    sleep 5
    reboot
    param sysuuid ${uuid}
    :bootme
    chain -ar http://192.168.112.116/fog/service/ipxe/boot.php##params ||
    goto MENU
    autoboot
    
    jblomquist (Mar 28, 2023, 4:19 PM; last edited by jblomquist Mar 28, 2023, 10:24 AM)

      Alright, so I made some progress. I don’t know PHP or C, and I’m just learning how iPXE works.

      I was using the template above, which I retrieved from https://forums.fogproject.org/topic/15969/securing-fog-boot-options/17?sort=oldest_to_newest

      But, I don’t really know where that is from, so I wanted to find my own menu template. I was able to find that by putting http://<My FOG IP address>/fog/service/ipxe/boot.php? into my web browser.

      #!ipxe
      set fog-ip <my fog ip>
      set fog-webroot fog
      set boot-url http://${fog-ip}/${fog-webroot}
      cpuid --ext 29 && set arch x86_64 || set arch i386
      goto get_console
      :console_set
      colour --rgb 0x00567a 1 ||
      colour --rgb 0x00567a 2 ||
      colour --rgb 0x00567a 4 ||
      cpair --foreground 7 --background 2 2 ||
      goto MENU
      :alt_console
      cpair --background 0 1 ||
      cpair --background 1 2 ||
      goto MENU
      :get_console
      console --picture http://<my fog ip>/fog/service/ipxe/bg.png --left 100 --right 80 && goto console_set || goto alt_console
      :MENU
      menu
      colour --rgb 0xff0000 0 ||
      cpair --foreground 1 1 ||
      cpair --foreground 0 3 ||
      cpair --foreground 4 4 ||
      item --gap Host is NOT registered!
      item --gap -- -------------------------------------
      item fog.local Boot from hard disk
      item fog.memtest Run Memtest86+
      item fog.reginput Perform Full Host Registration and Inventory
      item fog.reg Quick Registration and Inventory
      item fog.deployimage Deploy Image
      item fog.multijoin Join Multicast Session
      item fog.sysinfo Client System Information (Compatibility)
      item fog.advancedlogin Advanced Menu
      choose --default fog.local --timeout 3000 target && goto ${target}
      :fog.local
      sanboot --no-describe --drive 0x80 || goto MENU
      :fog.memtest
      kernel memdisk initrd=memtest.bin iso raw
      initrd memtest.bin
      boot || goto MENU
      :fog.reginput
      kernel bzImage32 loglevel=4 initrd=init_32.xz root=/dev/ram0 rw ramdisk_size=275000 web=http://<my fog ip>/fog/ consoleblank=0 rootfstype=ext4 storage=<my fog ip>:/images/ storageip=<my fog ip> nvme_core.default_ps_max_latency_us=0 loglevel=4 mode=manreg
      imgfetch init_32.xz
      boot || goto MENU
      :fog.reg
      kernel bzImage32 loglevel=4 initrd=init_32.xz root=/dev/ram0 rw ramdisk_size=275000 web=http://<my fog ip>/fog/ consoleblank=0 rootfstype=ext4 storage=<my fog ip>:/images/ storageip=<my fog ip> nvme_core.default_ps_max_latency_us=0 loglevel=4 mode=autoreg
      imgfetch init_32.xz
      boot || goto MENU
      :fog.deployimage
      login
      params
      param mac0 ${net0/mac}
      param arch ${arch}
      param username ${username}
      param password ${password}
      param qihost 1
      isset ${net1/mac} && param mac1 ${net1/mac} || goto bootme
      isset ${net2/mac} && param mac2 ${net2/mac} || goto bootme
      param sysuuid ${uuid}
      :fog.multijoin
      login
      params
      param mac0 ${net0/mac}
      param arch ${arch}
      param username ${username}
      param password ${password}
      param sessionJoin 1
      isset ${net1/mac} && param mac1 ${net1/mac} || goto bootme
      isset ${net2/mac} && param mac2 ${net2/mac} || goto bootme
      param sysuuid ${uuid}
      :fog.sysinfo
      kernel bzImage32 loglevel=4 initrd=init_32.xz root=/dev/ram0 rw ramdisk_size=275000 web=http://<my fog ip>/fog/ consoleblank=0 rootfstype=ext4 storage=<my fog ip>:/images/ storageip=<my fog ip> nvme_core.default_ps_max_latency_us=0 loglevel=4 mode=sysinfo
      imgfetch init_32.xz
      boot || goto MENU
      :fog.advancedlogin
      login
      params
      param mac0 ${net0/mac}
      param arch ${arch}
      param username ${username}
      param password ${password}
      param advLog 1
      isset ${net1/mac} && param mac1 ${net1/mac} || goto bootme
      isset ${net2/mac} && param mac2 ${net2/mac} || goto bootme
      param sysuuid ${uuid}
      :bootme
      chain -ar http://<my fog ip>/fog/service/ipxe/boot.php##params ||
      goto MENU
      autoboot
      

      The idea here is I want to have two users: one user that can do full registration, quick reg, deploy, quick delete, etc.
      The other user can only deploy.

      How I’m thinking of doing this is limiting the main menu options to Deploy and Advanced menu only. Deploy (in the main menu) will be locked behind the user2 credentials, while the advanced menu will be locked behind the user1 credentials. The advanced menu will contain all of the tasks that user1 should have access to: full reg, quick reg, deploy, quick del, etc.

      I have implemented the advanced menu by, essentially, copying and pasting my Main menu template into FOG Configuration>iPXE General Configuration>Advanced Menu settings>Advanced menu command.

      This seems to work; however, when I PXE boot and select Full Host Registration and Inventory, it boots me back to the menu because boot fails.

      Now, I’m trying to figure out why boot is failing, to not much avail.

      Edit: the error I’m getting on boot is

      Could not boot: Error 0x7f048283 (http://ipxe.org/7f048283)
      Could not boot: Error 0x7f048283 (http://ipxe.org/7f048283)
      Could not boot: Error 0x7f048283 (http://ipxe.org/7f048283)
      Chainloading failed, hit 's' for the iPXE shell; reboot in 10 seconds
      
      jblomquist (Mar 29, 2023, 2:00 PM; last edited by jblomquist Mar 29, 2023, 8:31 AM)

        So, I was making it so much more complicated than I needed!
        I don’t need an advanced menu to hide options behind – I can just secure all the menu options with the one user and then create another deploy option that is secured with the other, unprivileged user.

        For example, here are the parameters for my default deploy delete task:

        login
        params
        param mac0 ${net0/mac}
        param arch ${arch}
        param username ${username}
        param password ${password}
        param delhost 1
        isset ${net1/mac} && param mac1 ${net1/mac} || goto bootme
        isset ${net2/mac} && param mac2 ${net2/mac} || goto bootme
        

        So instead of using ${username}, I just replace that with the actual username that I want to be able to be used, like this:

        login
        params
        param mac0 ${net0/mac}
        param arch ${arch}
        param username myadminuser
        param password ${password}
        param delhost 1
        isset ${net1/mac} && param mac1 ${net1/mac} || goto bootme
        isset ${net2/mac} && param mac2 ${net2/mac} || goto bootme
        

        Then, I go to FOG Configuration>iPXE New Menu Entry and name the menu item, enter the description, copy the parameters from whatever other menu item I want to mimic, and then change the ${username} to the username I want to restrict that menu option to.
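A small audit helper, added here and not part of the thread or of FOG itself, that checks the approach described above: it walks an iPXE menu script and reports, for every entry that submits a boot.php task flag, whether the entry calls `login` (which prompts for both username and password) and whether `param username` is pinned to a fixed account, in which case the name typed at the prompt is ignored and only that account's password is accepted. The sample menu is constructed for the example and `fog.example` is a placeholder host.

```python
import re

# Constructed sample modelled on the thread's entries (not the page's full file):
# a deploy entry that prompts for any user, a delete entry pinned to one user,
# and a delete entry with no login at all.
SAMPLE_MENU = """#!ipxe
:fog.deployimage
login
params
param username ${username}
param password ${password}
param qihost 1
goto bootme
:fog.delhost
login
params
param username myadminuser
param password ${password}
param delhost 1
goto bootme
:fog.nologindel
params
param delhost 1
goto bootme
:bootme
chain -ar http://fog.example/fog/service/ipxe/boot.php##params ||
"""

# boot.php task flags named in the thread (qihost = deploy, delhost = quick delete).
TASK_FLAGS = {"qihost", "delhost", "sessionJoin", "advLog"}


def audit_menu(script):
    """Per task-submitting label: login called?, pinned user (None = prompted), task flags."""
    entries, label = {}, None
    for raw in script.splitlines():
        line = raw.strip()
        if line.startswith(":"):              # new iPXE label
            label = line[1:]
            entries[label] = {"login": False, "user": None, "tasks": set()}
        elif label and line == "login":       # prompts for ${username}/${password}
            entries[label]["login"] = True
        elif label and (m := re.match(r"param (\S+) (\S+)$", line)):
            key, value = m.groups()
            if key == "username" and value != "${username}":
                entries[label]["user"] = value  # hard-coded: the prompted name is ignored
            elif key in TASK_FLAGS:
                entries[label]["tasks"].add(key)
    # only entries that actually submit a task matter for access control
    return {k: v for k, v in entries.items() if v["tasks"]}
```

Entries that set a destructive flag such as `delhost` without a preceding `login` are the ones to fix first.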

        Sebastian Roth, Moderator (Mar 30, 2023, 9:31 PM)

          @jblomquist said in Is there a way to restrict FOG menu access to specific users?:

          I’d like to allow a particular user to be able to deploy an image, but not quick delete a host through the PXE menu.

          Which version of FOG do you use?

          The quick delete option is secured in the iPXE menu in FOG 1.5.10 (github commit).

          Web GUI issue? Please check apache error (debian/ubuntu: /var/log/apache2/error.log, centos/fedora/rhel: /var/log/httpd/error_log) and php-fpm log (/var/log/php*-fpm.log)

          Please support FOG if you like it: https://wiki.fogproject.org/wiki/index.php/Support_FOG

          Copyright © 2012-2024 FOG Project