Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Improve documentation for first time users #187

Open
wants to merge 3 commits into
base: master
Choose a base branch
from
Open

Improve documentation for first time users #187

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
2976eb4
Getting Started: Update security remarks for docker and database
sseide Aug 1, 2024
6d2916a
Getting Started: Update OIDC documentation
sseide Aug 1, 2024
be3b9dd
User-Guide: Update help for cli management command parameters
sseide Aug 1, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions docs/getting-started/advanced/databases.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -59,6 +59,8 @@ services:
!!! danger ""
Set strong passwords if the database is exposed to an external network. Never expose your database to the public Internet in this way, for example, if it is running on a cloud server.

For increased security do not allow the "photoprism" user to access the database from every host (`'photoprism'@'%'`) but restrict it to the hosts photoprism is accessing the database from (e.g. `'photoprism'@'192.168.1.2'` or `'photoprism'@'192.168.1.%'` for entire subnet).
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Removing ports would be better? It would limit access to the Docker network.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Your hint implies running mysql with docker-compose in the same setup.

My suggestion is much more generic and preferred for all kind of database setups (not only Photoprism).
And you would not believe how much people i talked to do not even thought it is easily possible to restrict access in this way. So document it here might people start thinking about it...

Running MariaDB inside docker is (performance wise) the lease favored (aka slowest) variant. It is much better to use a common db host on real iron with some bit of tuning to get much faster SQL responses. And it is easier to maintain/backup/monitor than a dozen different DB container. For these setup restricting "ports " will not help.
And we do not talk about failover cluster or similar here... Or you can use a DBaaS from some places if you host the app somewhere else. Restricting access to defined IP addresses is also helpful not using docker at all but running Photoprism as "native" app.

Alternative: Running it in the same compose setup or running DB directly on the docker host a setup sharing Unix domain sockets (e.g. /var/run/mysql/mysqld.socket) would be much better than ports restriction to prevent foreign logins.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Your hint implies running mysql with docker-compose in the same setup.

Yes a docker-compose setup is shown on the lines before this change.

About using or not using Docker, that may go in a different section since right now it only describes the common installation with a container for the database.

https://github.com/photoprism/photoprism/blob/9f1eee6b1e7e6fadac55bb3b6098714648f81bf8/compose.mariadb.yaml#L16-L17

If ports are removed, the access from the host or external network won't work anymore, but Photoprism will work without any issue since it's on the same Docker network.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes - the code snipped above shows the docker-compose-all-in-one setup. But this is also the exact place to configure the database connection properties using Photoprism only as docker image and with some external database.

And most of the other information are valid for combined compose setup as well as an divided setup.
Here its up to you if you want one file with database hints or different one for compose and others or just create different sections... I don't hang to, just realized its good to give people different hints on how to secure their setups. Some do, some do not...

And your remark about the port is good - this should be added to the compose file - either as active by default or uncommented and some comments added , similar to many other parameter and env vars within this compose file you can download for fast setup. And mentioned in the database readme here.


## Schema Migrations

An index schema migration is performed automatically every time PhotoPrism is (re)started. The following instructions may be helpful in special cases, such as when a temporary problem has prevented a successful migration:
Expand Down
3 changes: 3 additions & 0 deletions docs/getting-started/advanced/docker-security.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -48,6 +48,9 @@ docker compose stop
docker compose up -d
```

Please keep in mind that the _numeric_ user and group ids are shared between the local docker host and the docker container (user/group _names_ are not). That means the user running inside the container can read and write all files on the host with the same user id as photoprism is running at. The container runtime tries restricts the available paths but as soon as a security vulnerability circumvents this docker imposed restrictions full access to the entire host with this user id is possible. Threfore nover run as root or with a low user id of regular users of the docker host.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could you please share an example of this security vulnerability?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A good writeup to test/understand this user feature can be found here:
https://medium.com/@mccode/understanding-how-uid-and-gid-work-in-docker-containers-c37a01d01cf

A way to "use" this (and get root) is written here:
https://flast101.github.io/docker-privesc/

Even as the examples above use root / UID 0. it is the same for docker running with all user ids - the process inside the container can potentially access all files outside available to the same user id. Using (for example) UID 1000 or 1001 will give potential access to the files of the primary Linux user (as most Linux distributions start numbering with 1000 for regular users).

Using a high user id not used anywhere else on the docker host is a forward-looking security technique to not get owned if there is a security vulnerability found inside the Linux kernel or Docker daemon or some other software running inside the container. And all Docker security best practices mention a privilege escalation attack as possible scenario to take care of.

There is no real attack right now but you never now - better safe than sorrow..

e.g.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

just a note: restricting the UID to some specific values prevents Photoprism from running inside OpenShift Clusters as OpenShift automatically assigns a high random user id to every container started. I have not tested it right now but would assume its not working there...
https://www.redhat.com/en/blog/a-guide-to-openshift-and-uids



## Remove Passwords From the Environment

Passwords specified directly in a `docker-compose.yml` file or otherwise passed to the container environment may pose a security risk. As an alternative, they can be set in an [options.yml](../config-files/index.md) file located in the _config_ [storage folder](../docker-compose.md#photoprismstorage):
Expand Down
2 changes: 1 addition & 1 deletion docs/getting-started/advanced/openid-connect.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -20,7 +20,7 @@
| PHOTOPRISM_DISABLE_OIDC | --disable-oidc | | disable single sign-on via OpenID Connect, even if an identity provider has been configured |

!!! note ""
Your PhotoPrism instance and the [OpenID Connect Identity Provider (IdP)](#identity-providers) must be accessible **via HTTPS** and have valid TLS certificates configured for it. Please also make sure that the hostname in the [Redirect URL](#redirect-url) configured on the IdP matches the [Site URL](../../getting-started/config-options.md#site-information) used by PhotoPrism. Single sign-on via OIDC can otherwise not be enabled.
Your PhotoPrism instance and the [OpenID Connect Identity Provider (IdP)](#identity-providers) must be accessible **via HTTPS** and have valid TLS certificates configured for it. Please also make sure that the hostname in the [Redirect URL](#redirect-url) configured on the IdP matches the [Site URL](../../getting-started/config-options.md#site-information) config used by PhotoPrism. Single sign-on via OIDC can otherwise not be enabled.

## Identity Providers

Expand Down
2 changes: 2 additions & 0 deletions docs/getting-started/config-files/index.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,8 @@ convenient to use an `options.yml` file located in your *config path*, for examp
installed [through an app store](../nas/asustor.md) or with
the [installation packages we provide](https://dl.photoprism.app/pkg/linux/README.html).

Settings inside the `options.yml` file overwrite values from `defaults.yml` and in turn are overwritten by command flags and environment variables.

You can specify a custom *config path* by adding the `ConfigPath` option to a ↪ [`defaults.yml`](defaults.md) file in
the `/etc/photoprism` directory (requires root privileges). It is also possible to use the command flag `--config-path`
or the environment variable `PHOTOPRISM_CONFIG_PATH` for this. By default, it is a subdirectory of the [*storage
Expand Down
18 changes: 15 additions & 3 deletions docs/getting-started/faq.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -483,9 +483,21 @@ it includes all the details including root and rootless modes, user mapping and

### Any plans to add support for Active Directory, LDAP or other centralized account management options?

There is no single sign-on support yet as we didn't consider it essential for our initial release.
Our team is currently working on [OpenID Connect](https://github.com/photoprism/photoprism/issues/782),
which will be available in a future release.
For Single-SignOn OpenID Connect is available. It is possible to connect to any OIDC compliant provider to centrally manage your user identities. This can be a external service like Google or a locally hosted one like Keycloak or other.

The documentation on how to set it up can be found at [OpenID Connect](../getting-started/advanced/openid-connect.md).

### Login of new user is not possible via OpenID Connect
1. When OpenID Connect is enabled new users can be automatically created on first login. For that OIDC register must be activated (env var `PHOTOPRISM_OIDC_REGISTER` or `--oidc-register` flag).

2. If a user was registered and deleted afterwards the next login of this user does not re-register this user. The login fails with an generic "invalid credentials" error message presented to the user.

Looking at the login audit log ([`photoprism audit logins`](./users/cli/#viewing-login-attempts)) an "account disabled" error message can be seen because OIDC accounts not fully deleted but only deleted partially and disabled.

To restore a previously deleted account, admins can [create a new account](users/cli.md#creating-a-new-account) with the same *username* through the [Admin Web UI](users/index.md#adding-a-new-user) or the [`photoprism users add`](users/cli.md#creating-a-new-account) command.

See [Deleting Accounts](../getting-started/advanced/openid-connect.md#deleting-accounts) on OpenID Connect setup page


### Your app is really terrible, can I tell you how bad it is?

Expand Down
14 changes: 8 additions & 6 deletions docs/user-guide/users/cli.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -35,14 +35,16 @@ As an alternative to the [web user interface](index.md), you can [run the follow

| CLI Command | Description |
|---------------------------------------------|----------------------------------------------|
| `photoprism users ls [search]` | Searches existing user accounts |
| `photoprism users legacy [search]` | Searches legacy user accounts |
| `photoprism users ls [options] [search]` | Searches existing user accounts |
| `photoprism users legacy [options] [search]` | Searches legacy user accounts |
| `photoprism users add [options] [username]` | Adds a new user account |
| `photoprism users show [username]` | Displays user account information |
| `photoprism users mod [options] [username]` | Modifies an existing user account |
| `photoprism users rm [username]` | Removes a user account |
| `photoprism users show [options] [username]` | Displays user account information |
| `photoprism users mod [options] [username]` | Modifies an existing user account |
| `photoprism users rm [options] [username]` | Removes a user account |
| `photoprism users reset --yes` | Removes all accounts and resets the database |

To get a list of all possible options run the commands with `--help` flag.

!!! tldr ""
Users who experience login problems after upgrading from [development builds](../../getting-started/updates.md#development-preview), or [old releases prior to November 2022](../../known-issues.md#new-user-management), can run the `photoprism users reset --yes` command to [recreate the session](#session-management) and user management database tables so they are compatible with the current version. Note that any [client access tokens](client-credentials.md#access-tokens) and [app passwords](../settings/account.md#apps-and-devices) that users may have created will also be deleted and must be recreated.

Expand Down Expand Up @@ -129,7 +131,7 @@ You can combine it with these flags to change the output format and the maximum
| Client IP | Username | Realm | Status | Last Login | Failed At |
|------------|----------|-------|--------|---------------------|-----------|
| 172.19.0.1 | user | api | OK | 2023-02-03 07:17:46 | |
| 172.19.0.1 | viewer | api | OK | 2023-02-03 07:16:55 | |
| 172.19.0.1 | viewer | api | error: account disabled | 2023-01-12 17:30:55 | 2023-02-03 07:16:55 |
| 172.19.0.1 | admin | api | OK | 2023-02-03 06:55:06 | |

!!! tldr ""
Expand Down