Allows the supervisor to send a session's user to addon with header X-Remote-User #88472
Hey there @home-assistant/supervisor, mind taking a look at this pull request as it has been labeled with an integration ( Code owner commandsCode owners of
Can you explain how you plan on this being used?
As the documentation for addon development already promises, addons get authentication "for free" by the home assistant ingress. However, the addons currently don't know what user is authenticated. With this feature Home Assistant works like a SSO service and allows addons to maintain different users. This could e.g. be used by RaspberryMatic for different users with different permissions or by paperless-ngx to manage documents for select users. This was also requested by multiple threads in the forum:
I think that makes sense for SSO. I had the same idea but no time for it
The name of the user is not static, and can be changed by the user. I think that we should also include the user ID and recommend that to be used as the identifier for the user.
I find a user ID and two usernames on the Is the "login" username also considered non-static? I would prefer to use that to send to addons. However, if only the actual ID is static, I'll change it to send that. EDIT: nvm, just understood the login-username is just one of many possible auth-possibilities. So it must be the ID.
Needs Supervisor PR merged as well
NVM, we use `_` for API data
@@ -9,6 +9,7 @@ | |||
ATTR_COMPRESSED = "compressed" | |||
ATTR_CONFIG = "config" | |||
ATTR_DATA = "data" | |||
ATTR_SESSION_DATA_USER_ID = "user-id" |
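Review bot: the value on the added `ATTR_SESSION_DATA_USER_ID` line is `"user-id"` with a hyphen, and the constant carries no comment saying that it holds the stable user ID rather than a username. Since this key ends up in request body data that the other side has to parse, suggest `"user_id"` and a one-line comment stating that the value is the user ID, which is the identifier add-ons are meant to key on.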
ATTR_SESSION_DATA_USER_ID = "user-id" | |
ATTR_SESSION_DATA_USER_ID = "user_id" |
Please take a look at the requested changes, and use the Ready for review button when you are done, thanks 👍
I'm actually wondering now, why don't we just add the hass user ID + is-admin header to every ingress request we forward? that way we don't need a new API.
It's about the session, giving the possibility to explicitly give access to add-ons at the user base. We should touch the header of forwarding stuff as little as possible. For the API itself, yeah we can forward such information and also protocol what or who is using it. But now you mix 2 things together. The API is body driven for features and access are header driven.
Had a quick call with Pascal. He is right, we should have this information stored in the session itself, as it unlocks other features like user-based access control for ingress. It also should be set here, and not in the frontend as we do not want to allow for impersonation.
There hasn't been any activity on this pull request recently. This pull request has been automatically marked as stale because of that and will be closed if no further activity occurs within 7 days.
Not stale :)
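The impersonation concern raised in this thread, as an added sketch that is not code from this PR, Home Assistant or the Supervisor: the user ID is bound to the session by the trusted side, and any identity header sent by the client is discarded before forwarding. `SessionStore`, `forward_headers` and the sample IDs are hypothetical names and constructed values; only the `X-Remote-User` header name comes from the PR title.

```python
"""Constructed sketch: identity header derived from a server-side session."""
import secrets

IDENTITY_HEADER = "X-Remote-User"  # header name taken from the PR title


class SessionStore:
    """Hypothetical in-memory store; the user ID is bound at session creation."""

    def __init__(self):
        self._sessions = {}

    def create(self, user_id):
        # Called by the trusted side after it has authenticated the user.
        token = secrets.token_hex(32)
        self._sessions[token] = {"user_id": user_id}
        return token

    def user_id(self, token):
        data = self._sessions.get(token)
        return data["user_id"] if data else None


def forward_headers(client_headers, session_token, store):
    """Return the headers to send to the add-on, or None to reject the request."""
    user_id = store.user_id(session_token)
    if user_id is None:
        return None  # unknown session: do not forward at all
    # Drop every client-supplied copy of the identity header (case-insensitive),
    # so the browser cannot choose its own identity.
    forwarded = {
        name: value
        for name, value in client_headers.items()
        if name.lower() != IDENTITY_HEADER.lower()
    }
    forwarded[IDENTITY_HEADER] = user_id  # stable ID, not the renameable name
    return forwarded


if __name__ == "__main__":
    store = SessionStore()
    token = store.create("constructed-user-id-1")
    # Constructed request that claims a different identity in its own header.
    spoofed = {"Accept": "text/html", "x-remote-user": "constructed-admin-id"}
    print(forward_headers(spoofed, token, store))
    print(forward_headers(spoofed, "not-a-session", store))
```

An add-on consuming such a header still has to accept it only from the proxy it trusts, since anything that can reach the add-on directly can set the header itself.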
Related PRs
#88472
home-assistant/frontend#15505
home-assistant/supervisor#4152
Proposed change
This implements a feature that allows the supervisor to send a session's username to an addon. The hassio component will add the username in the body if the command is `/ingress/session`.