From 2976eb4c9877ca0233d4b9a11092fa957590dba7 Mon Sep 17 00:00:00 2001 From: Stefan Seide Date: Thu, 1 Aug 2024 20:48:32 +0200 Subject: [PATCH 1/3] Getting Started: Update security remarks for docker and database --- docs/getting-started/advanced/databases.md | 2 ++ docs/getting-started/advanced/docker-security.md | 3 +++ 2 files changed, 5 insertions(+) diff --git a/docs/getting-started/advanced/databases.md b/docs/getting-started/advanced/databases.md index 4d1532be5d..e022b8ec32 100644 --- a/docs/getting-started/advanced/databases.md +++ b/docs/getting-started/advanced/databases.md @@ -59,6 +59,8 @@ services: !!! danger "" Set strong passwords if the database is exposed to an external network. Never expose your database to the public Internet in this way, for example, if it is running on a cloud server. +For increased security do not allow the "photoprism" user to access the database from every host (`'photoprism'@'%'`) but restrict it to the hosts photoprism is accessing the database from (e.g. `'photoprism'@'192.168.1.2'` or `'photoprism'@'192.168.1.%'` for entire subnet). + ## Schema Migrations An index schema migration is performed automatically every time PhotoPrism is (re)started. The following instructions may be helpful in special cases, such as when a temporary problem has prevented a successful migration: diff --git a/docs/getting-started/advanced/docker-security.md b/docs/getting-started/advanced/docker-security.md index dce045fb7d..8938bf57e0 100644 --- a/docs/getting-started/advanced/docker-security.md +++ b/docs/getting-started/advanced/docker-security.md 
@@ -48,6 +48,9 @@ docker compose stop docker compose up -d ``` +Please keep in mind that the _numeric_ user and group ids are shared between the local docker host and the docker container (user/group _names_ are not). That means the user running inside the container can read and write all files on the host with the same user id as photoprism is running at. The container runtime tries restricts the available paths but as soon as a security vulnerability circumvents this docker imposed restrictions full access to the entire host with this user id is possible. Threfore nover run as root or with a low user id of regular users of the docker host. + + ## Remove Passwords From the Environment Passwords specified directly in a `docker-compose.yml` file or otherwise passed to the container environment may pose a security risk. As an alternative, they can be set in an [options.yml](../config-files/index.md) file located in the _config_ [storage folder](../docker-compose.md#photoprismstorage): From 6d2916a43907122746b0bf83767916e7041f1d8f Mon Sep 17 00:00:00 2001 From: Stefan Seide Date: Thu, 1 Aug 2024 20:48:50 +0200 Subject: [PATCH 2/3] Getting Started: Update OIDC documentation --- .../getting-started/advanced/openid-connect.md | 2 +- docs/getting-started/config-files/index.md | 2 ++ docs/getting-started/faq.md | 18 +++++++++++++++--- 3 files changed, 18 insertions(+), 4 deletions(-) diff --git a/docs/getting-started/advanced/openid-connect.md b/docs/getting-started/advanced/openid-connect.md index 32fe3476f6..5b6f37f398 100644 --- a/docs/getting-started/advanced/openid-connect.md +++ b/docs/getting-started/advanced/openid-connect.md 
@@ -20,7 +20,7 @@ | PHOTOPRISM_DISABLE_OIDC | --disable-oidc | | disable single sign-on via OpenID Connect, even if an identity provider has been configured | !!! note "" - Your PhotoPrism instance and the [OpenID Connect Identity Provider (IdP)](#identity-providers) must be accessible **via HTTPS** and have valid TLS certificates configured for it. Please also make sure that the hostname in the [Redirect URL](#redirect-url) configured on the IdP matches the [Site URL](../../getting-started/config-options.md#site-information) used by PhotoPrism. Single sign-on via OIDC can otherwise not be enabled. + Your PhotoPrism instance and the [OpenID Connect Identity Provider (IdP)](#identity-providers) must be accessible **via HTTPS** and have valid TLS certificates configured for it. Please also make sure that the hostname in the [Redirect URL](#redirect-url) configured on the IdP matches the [Site URL](../../getting-started/config-options.md#site-information) config used by PhotoPrism. Single sign-on via OIDC can otherwise not be enabled. ## Identity Providers diff --git a/docs/getting-started/config-files/index.md b/docs/getting-started/config-files/index.md index 81a9208e46..e5431a594b 100644 --- a/docs/getting-started/config-files/index.md +++ b/docs/getting-started/config-files/index.md 
@@ -5,6 +5,8 @@ convenient to use an `options.yml` file located in your *config path*, for examp installed [through an app store](../nas/asustor.md) or with the [installation packages we provide](https://dl.photoprism.app/pkg/linux/README.html). +Settings inside the `options.yml` file overwrite values from `defaults.yml` and in turn are overwritten by command flags and environment variables. + You can specify a custom *config path* by adding the `ConfigPath` option to a ↪ [`defaults.yml`](defaults.md) file in the `/etc/photoprism` directory (requires root privileges). It is also possible to use the command flag `--config-path` or the environment variable `PHOTOPRISM_CONFIG_PATH` for this. By default, it is a subdirectory of the [*storage diff --git a/docs/getting-started/faq.md b/docs/getting-started/faq.md index 28a89530b9..652b28bcdf 100644 --- a/docs/getting-started/faq.md +++ b/docs/getting-started/faq.md 
@@ -483,9 +483,21 @@ it includes all the details including root and rootless modes, user mapping and ### Any plans to add support for Active Directory, LDAP or other centralized account management options? -There is no single sign-on support yet as we didn't consider it essential for our initial release. -Our team is currently working on [OpenID Connect](https://github.com/photoprism/photoprism/issues/782), -which will be available in a future release. +For Single-SignOn OpenID Connect is available. It is possible to connect to any OIDC compliant provider to centrally manage your user identities. This can be a external service like Google or a locally hosted one like Keycloak or other. + +The documentation on how to set it up can be found at [OpenID Connect](../getting-started/advanced/openid-connect.md). + +### Login of new user is not possible via OpenID Connect +1. When OpenID Connect is enabled new users can be automatically created on first login. For that OIDC register must be activated (env var `PHOTOPRISM_OIDC_REGISTER` or `--oidc-register` flag). + +2. If a user was registered and deleted afterwards the next login of this user does not re-register this user. The login fails with an generic "invalid credentials" error message presented to the user. + + Looking at the login audit log ([`photoprism audit logins`](./users/cli/#viewing-login-attempts)) an "account disabled" error message can be seen because OIDC accounts not fully deleted but only deleted partially and disabled. + + To restore a previously deleted account, admins can [create a new account](users/cli.md#creating-a-new-account) with the same *username* through the [Admin Web UI](users/index.md#adding-a-new-user) or the [`photoprism users add`](users/cli.md#creating-a-new-account) command. + + See [Deleting Accounts](../getting-started/advanced/openid-connect.md#deleting-accounts) on OpenID Connect setup page + ### Your app is really terrible, can I tell you how bad it is? 
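Review bot: in the databases.md hunk (patch 1/3), the new paragraph `+For increased security do not allow the "photoprism" user ...` is placed directly under the `!!! danger ""` admonition text with the blank `+` line only after it, so depending on indentation it may render as part of the admonition instead of as its own paragraph; put a blank line before it as well. The sentence also needs copy-editing: `for entire subnet` should read `for an entire subnet`, and `the hosts photoprism is accessing the database from` reads better as `the hosts from which PhotoPrism accesses the database`. Since this page's compose setup (`services:` in the hunk context) runs the database alongside PhotoPrism, it would help to say that the host part of the account must match the address the database sees the client connect from, which for a containerised PhotoPrism is the container-network address rather than the LAN address of the Docker host; the subnet wildcard `'photoprism'@'192.168.1.%'` from the example is the safer recommendation when that address is not fixed.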
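Review bot: the docker-security.md hunk (patch 1/3) states its claim too broadly and carries several typos. `can read and write all files on the host with the same user id` only holds for paths mounted into the container, which the next sentence admits when it says the runtime restricts the available paths, so scope the first sentence to bind mounts from the start. It also does not hold when user namespace remapping or rootless Docker is in use, which the FAQ context in this same series (`root and rootless modes, user mapping`) already covers, so a qualifier or cross-reference would avoid contradicting that section. Wording: `tries restricts` -> `tries to restrict`, `this docker imposed restrictions` -> `these Docker-imposed restrictions`, `Threfore nover run as root` -> `Therefore never run as root`, and `as photoprism is running at` -> `that PhotoPrism runs as`. The hunk also adds two blank lines before `## Remove Passwords From the Environment`; one is enough.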
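Review bot: in the openid-connect.md hunk (patch 2/3) the only change is inserting `config` into `matches the [Site URL](...) config used by PhotoPrism`, which reads awkwardly because Site URL is already the name of the option; either keep the original `used by PhotoPrism` or write `the [Site URL](...) configured for PhotoPrism`. While touching this line, `have valid TLS certificates configured for it` refers to two subjects (the instance and the IdP), so `for both` would be correct.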
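Review bot: the precedence sentence added to config-files/index.md (`+Settings inside the options.yml file overwrite values from defaults.yml and in turn are overwritten by command flags and environment variables.`) should say `override` and `overridden` rather than `overwrite`, since nothing is written back to any file. It also leaves open which of command flags and environment variables wins when both are set; state the complete order explicitly (for example `defaults.yml` < `options.yml` < environment variables < command flags, if that is the actual behaviour, which should be checked against the config loading code) so readers can predict the effective value. The sentence sits between the paragraph on app-store installs and the one on `ConfigPath`; it would read more naturally after the text that introduces `defaults.yml`.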
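Review bot: in the faq.md hunk (patch 2/3), the audit-log link `./users/cli/#viewing-login-attempts` uses a different form from the neighbouring links (`users/cli.md#creating-a-new-account`); the directory-style form is not validated by mkdocs and depends on the `use_directory_urls` setting, so it should be `users/cli.md#viewing-login-attempts`. The new heading `### Login of new user is not possible via OpenID Connect` breaks with the question form of the surrounding FAQ headings (`### Any plans to add support for ...?`); something like `### Why can a user not log in via OpenID Connect?` fits better, and the two numbered items describe two different causes (registration not enabled vs. previously deleted account), which the intro could say. Copy edits: `For Single-SignOn OpenID Connect is available` -> `Single sign-on via OpenID Connect is available`, `a external service like Google or a locally hosted one like Keycloak or other` -> `an external service such as Google or a self-hosted one such as Keycloak`, `an generic` -> `a generic`, `because OIDC accounts not fully deleted but only deleted partially and disabled` -> `because OIDC accounts are not fully deleted but only disabled`, and the final `See [Deleting Accounts](...) on OpenID Connect setup page` needs `the` and a full stop. Item 2 gives the remedy as creating a new account with the same username; it is worth stating whether this re-enables the disabled record or creates a second one, since that decides whether the user's previous data becomes reachable again.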
From be3b9dd3bad422e4771c871b27057a8e643f8ec9 Mon Sep 17 00:00:00 2001 From: Stefan Seide Date: Thu, 1 Aug 2024 20:49:07 +0200 Subject: [PATCH 3/3] User-Guide: Update help for cli management command parameters --- docs/user-guide/users/cli.md | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/docs/user-guide/users/cli.md b/docs/user-guide/users/cli.md index 38b9e396fc..1c8c8956c8 100644 --- a/docs/user-guide/users/cli.md +++ b/docs/user-guide/users/cli.md 
@@ -35,14 +35,16 @@ As an alternative to the [web user interface](index.md), you can [run the follow | CLI Command | Description | |---------------------------------------------|----------------------------------------------| -| `photoprism users ls [search]` | Searches existing user accounts | -| `photoprism users legacy [search]` | Searches legacy user accounts | +| `photoprism users ls [options] [search]` | Searches existing user accounts | +| `photoprism users legacy [options] [search]` | Searches legacy user accounts | | `photoprism users add [options] [username]` | Adds a new user account | -| `photoprism users show [username]` | Displays user account information | -| `photoprism users mod [options] [username]` | Modifies an existing user account | -| `photoprism users rm [username]` | Removes a user account | +| `photoprism users show [options] [username]` | Displays user account information | +| `photoprism users mod [options] [username]` | Modifies an existing user account | +| `photoprism users rm [options] [username]` | Removes a user account | | `photoprism users reset --yes` | Removes all accounts and resets the database | +To get a list of all possible options run the commands with `--help` flag. + !!! tldr "" Users who experience login problems after upgrading from [development builds](../../getting-started/updates.md#development-preview), or [old releases prior to November 2022](../../known-issues.md#new-user-management), can run the `photoprism users reset --yes` command to [recreate the session](#session-management) and user management database tables so they are compatible with the current version. Note that any [client access tokens](client-credentials.md#access-tokens) and [app passwords](../settings/account.md#apps-and-devices) that users may have created will also be deleted and must be recreated. 
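Review bot: in the command table hunk, `[options]` is added to `ls`, `legacy`, `show` and `rm` but not to `reset --yes`, which also takes a flag; if the column is meant to show that every subcommand accepts options, the last row should follow the same pattern, otherwise the new sentence should say that `[options]` stands for subcommand-specific flags. The widened cells in the `+` rows no longer match the `|------|` separator widths (cosmetic, but the Markdown source is now misaligned), and `run the commands with --help flag` needs an article: `with the --help flag`. The added sentence would be more useful with one concrete invocation, for example `photoprism users ls --help`.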
@@ -129,7 +131,7 @@ You can combine it with these flags to change the output format and the maximum | Client IP | Username | Realm | Status | Last Login | Failed At | |------------|----------|-------|--------|---------------------|-----------| | 172.19.0.1 | user | api | OK | 2023-02-03 07:17:46 | | -| 172.19.0.1 | viewer | api | OK | 2023-02-03 07:16:55 | | +| 172.19.0.1 | viewer | api | error: account disabled | 2023-01-12 17:30:55 | 2023-02-03 07:16:55 | | 172.19.0.1 | admin | api | OK | 2023-02-03 06:55:06 | | !!! tldr ""
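Review bot: the changed sample row in the login-attempts table now shows `error: account disabled` with an earlier `Last Login` and a populated `Failed At`, which is exactly the situation described in the FAQ entry added in patch 2/3, but the text around the table neither explains the `Status` column nor links to that FAQ entry; add a sentence stating that a non-OK status together with a `Failed At` timestamp marks the most recent failed attempt, and cross-link the FAQ so readers who arrive here from `photoprism audit logins` output know how to restore the account. The widened cell also misaligns the Markdown source columns (cosmetic).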