Fix base system docs (#539)

* Retain obsolete details for old systems Fix shell override note for SSH: the note applies to versions up to 7.7. New installations starting from 7.8 do not need that detail, however I wouldn't delete it, to avoid loosing that historycal information. * Fix Shell Policy section The switch is expected to be used in one-way only: from disabled to enabled, during the upgrade from 7.7 releases. Many new features are available only if the user's shell il /bin/bash. The legacy setting should not be used any more. * Fix Role delegation section - "local" groups are actually just groups - add reference to admin user & group configuration - use "guilabel" to refer to UI parts - Fix reference to the "Delegations" action - Explict shell access is required up to version 7.7: retain the information for historical reason * Fix 2FA section - Add ``/user-settings`` method - Add OpenVPN to 2FA apps list * Code review suggestion * fixup! Fix Shell Policy section
NethServer · Nov 10, 2020 · aa341f5 · aa341f5
1 parent 5d88eb0
commit aa341f5
Show file tree

Hide file tree

Showing 2 changed files with 48 additions and 26 deletions.
diff --git a/administrator-manual/en/base_system2.rst b/administrator-manual/en/base_system2.rst
@@ -112,11 +112,16 @@ administrative group (``Domain Admins``).
 It is possible to selectively grant SSH and :index:`SFTP` access to some groups,
 while administrators are always granted access to SSH and SFTP.
 
-SSH and SFTP permissions are available once the :guilabel:`System > Settings >
-Shell policy > Override the shell of users` has been enabled.
-If :guilabel:`Override the shell of users` is disabled, only users with :guilabel:`Shell`
-option can access the Server Manager, and delegation is not required any more.
+.. note::
 
+    For |product| up to version 7.7:
+
+    SSH and SFTP permissions are available once the :guilabel:`System > Settings >
+    Shell policy > Override the shell of users` has been enabled.
+    If :guilabel:`Override the shell of users` is disabled, only users with :guilabel:`Shell`
+    option can access the Server Manager, and delegation is not required any more.
+
+    See :ref:`relnotes-ns78` for more information.
 
 .. _settings-section:
 
@@ -177,9 +182,15 @@ The settings page also includes a panel to let users change their password, incl
 Shell policy
 ^^^^^^^^^^^^
 
-This setting can be used to enable or disable the shell that is needed to use new Server Manager
-and the SSH service. If this option is enabled the user's shell setting under the :guilabel:`Users and Groups` page is ignored
-and it is considered always enabled.
+This setting was added since |product| 7.8, to select how the user's shell is configured.
+
+If the :guilabel:`Override the shell of users` option is enabled, the old user's :guilabel:`Shell`
+setting under the :guilabel:`Users & Groups` page is hidden and it is considered always enabled.
+
+This is required by some features introduced starting from |product| 7.8, like the new Server Manager based
+on Cockpit, the :guilabel:`User settings page` and the fine grained SSH and SFTP permissions.
+See :ref:`relnotes-78` for details.
+
 
 .. _user-settings-section:
 
@@ -268,30 +279,38 @@ The shell and the processes will run with the user privileges.
 Role delegation
 ===============
 
-On complex environments, the *root* user can :index:`delegate` the access of some section
-to specific groups of local users.
+In complex environments, the *root* user can :index:`delegate` the access of some Server Manager
+pages to specific groups of users.
 
-A local user can be delegated to access:
+The *admin* user and the *domains admins* group are implicitly delegated to all pages.
+See also :ref:`admin-account-section` for more information.
 
-* one or more pages of the *System* section
+Other groups can be delegated to access:
+
+* one or more pages under the :guilabel:`System` section
 * one or more installed applications
-* one or more main sections between *Subscription*, *Software Center*
+* the :guilabel:`Subscription` page
+* the :guilabel:`Software Center` page
+
+To create a new delegation, go to the :guilabel:`System > User & Groups > List > [Groups]`
+section then select the :guilabel:`Delegations` action of an existing group.
+Pick one or more items from the :guilabel:`System views` and :guilabel:`Applications` menus.
+
+The following pages are implicitly added to the delegated set:
+
+* :guilabel:`Dashboard`
+* :guilabel:`Applications`
+* :guilabel:`Terminal`
 
-Role delegation is based on local groups, each user belonging to the group will be delegated.
-Users inside the *domains admins* are automatically delegated to all panels.
+.. note::
 
-To create a new delegation, access the :guilabel:`User & Groups` page under the group section,
-then edit an existing group or create a new one.
-Select one or more items from the :guilabel:`System views` and :guilabel:`Applications` menus.
+   For |product| up to version 7.7:
 
-Even if a user has been delegated, it must be explicitly granted the shell access before
-being able to log into the Server Manager.
+   Even if a user has been delegated, it must be explicitly granted the shell access before
+   being able to log into the Server Manager.
 
-The following pages are always accessible to all users:
+   See :ref:`relnotes-ns78` for more information.
 
-* dashboard
-* applications
-* terminal
 
 .. _2fa-section:
 
@@ -302,15 +321,16 @@ Two-factor authentication (2FA) can be used to add an extra layer of security re
 First, users will enter user name and password, then they will be required to provide a temporary verification code
 generated by an application running on their smartphone.
 
-2FA is disabled by default. Each user can enable it by accessing the :guilabel:`Two-factor authentication` section
-under :guilabel:`Settings` page, then following these steps:
+2FA is disabled by default. Users can enable it by themselves, accessing the :guilabel:`Two-factor authentication`
+section under their :guilabel:`System > Settings` page or by pointing the web browser to the ``/user-settings`` URL
+as explained in :ref:`user-settings-page`. Thereafter they have to follow these steps:
 
 1. download and install the preferred 2FA application inside the smartphone
 2. scan the QR code with the 2FA application
 3. generate a new code and copy it inside :guilabel:`Verification code` field, than click :guilabel:`Check code`
 4. if the verification code is correct, click on the :guilabel:`Save` button
 
-Two-factor authentication can be enabled for:
+Two-factor authentication can be enabled for the following core applications:
 
 - the new Server Manager
 - SSH when using username and password (access with public key will never require 2FA)

diff --git a/administrator-manual/en/release_notes.rst b/administrator-manual/en/release_notes.rst
@@ -30,6 +30,8 @@ Release notes |version|
 
     - CentOS 7 will receive security updates until 2024-06-30
 
+.. _relnotes-ns78:
+
 Major changes on 2020-05-05
 ---------------------------