comparison mod_privilege/README.markdown @ 4913:3ddab718f717

mod_privilege: update to v0.4: - now the namespace "urn:xmpp:privilege:2" is exclusively used - IQ permission implementation - README update roster pushes are not implemented yet
author Goffi <goffi@goffi.org>
date Wed, 11 May 2022 12:43:26 +0200
parents 8dda3d7d616f
children
comparison
equal deleted inserted replaced
4912:b45c23ce24ba 4913:3ddab718f717
1 --- 1 ---
2 labels: 2 labels:
3 - 'Stage-Alpha' 3 - 'Stage-Beta'
4 summary: 'XEP-0356 (Privileged Entity) implementation' 4 summary: 'XEP-0356 (Privileged Entity) implementation'
5 ... 5 ...
6 6
7 Introduction 7 Introduction
8 ============ 8 ============
9 9
10 Privileged Entity is an extension which allows entity/component to have 10 Privileged Entity is an extension which allows entity/component to have
11 privileged access to server (set/get roster, send message on behalf of 11 privileged access to server (set/get roster, send message on behalf of server,
12 server, access presence informations). It can be used to build services 12 send IQ stanza on behalf of user, access presence information). It can be used
13 independently of server (e.g.: PEP service). 13 to build services independently of server (e.g.: PEP service).
14 14
15 Details 15 Details
16 ======= 16 =======
17 17
18 You can have all the details by reading the 18 You can have all the details by reading the
19 [XEP-0356](http://xmpp.org/extensions/xep-0356.html). 19 [XEP-0356](http://xmpp.org/extensions/xep-0356.html).
20
21 Only the latest version of the XEP is implemented (using namespace
22 `urn:xmpp:privilege:2`), if your component use an older version, please update.
23
24 Note that roster permission is not fully implemented yet, roster pushes are not yet sent
25 to privileged entity.
20 26
21 Usage 27 Usage
22 ===== 28 =====
23 29
24 To use the module, like usual add **"privilege"** to your 30 To use the module, like usual add **"privilege"** to your
31 "privilege"; 37 "privilege";
32 } 38 }
33 39
34 [...] 40 [...]
35 41
36 Component "youcomponent.yourdomain.tld" 42 Component "pubsub.yourdomain.tld"
37 component_secret = "yourpassword" 43 component_secret = "yourpassword"
38 modules_enabled = {"privilege"} 44 modules_enabled = {"privilege"}
39 45
40 then specify privileged entities **in your host section** like that: 46 then specify privileged entities **in your host section** like that:
41 47
49 ["juliet@capulet.lit"] = { 55 ["juliet@capulet.lit"] = {
50 roster = "both"; 56 roster = "both";
51 message = "outgoing"; 57 message = "outgoing";
52 presence = "roster"; 58 presence = "roster";
53 }, 59 },
60 ["pubsub.yourdomain.tld"] = {
61 roster = "get";
62 message = "outgoing";
63 presence = "roster";
64 iq = {
65 ["http://jabber.org/protocol/pubsub"] = "set";
66 };
67 },
54 } 68 }
55 69
56 Here *romeo@montaigu.lit* can **get** roster of anybody on the host, and 70 Here *romeo@montaigu.lit* can **get** roster of anybody on the host, and will
57 will **have presence for any user** of the host, while 71 **have presence for any user** of the host, while *juliet@capulet.lit* can
58 *juliet@capulet.lit* can **get** and **set** a roster, **send messages** 72 **get** and **set** a roster, **send messages** on behalf of the server, and
59 on the behalf of the server, and **access presence of anybody linked to 73 **access presence of anybody linked to the host** (not only people on the
60 the host** (not only people on the server, but also people in rosters of 74 server, but also people in rosters of users of the server).
61 users of the server).
62 75
63 **/! Be extra careful when you give a permission to an entity/component, 76 *pubsub.yourdomain.tld* is a Pubsub/PEP component which can **get** roster of
64 it's a powerful access, only do it if you absoly trust the 77 anybody on the host, **send messages** on the behalf of the server, **access
65 component/entity, and you know where the software is coming from** 78 presence of anybody linked to the host**, and **send IQ stanza of type "set" for
79 the namespace "http://jabber.org/protocol/pubsub"** (this can be used to
80 implement XEP-0376 "Pubsub Account Management").
81
82 **/!\\ Be extra careful when you give a permission to an entity/component, it's
83 a powerful access, only do it if you absolutely trust the component/entity, and
84 you know where the software is coming from**
66 85
67 Configuration 86 Configuration
68 ============= 87 =============
88
89 roster
90 ------
69 91
70 All the permissions give access to all accounts of the virtual host. 92 All the permissions give access to all accounts of the virtual host.
71 93
72 -------- ------------------------------------------------ ---------------------- 94 -------- ------------------------------------------------ ----------------------
73 roster none *(default)* No access to rosters 95 roster none *(default)* No access to rosters
74 get Allow **read** access to rosters 96 get Allow **read** access to rosters
75 set Allow **write** access to rosters 97 set Allow **write** access to rosters
76 both Allow **read** and **write** access to rosters 98 both Allow **read** and **write** access to rosters
77 -------- ------------------------------------------------ ---------------------- 99 -------- ------------------------------------------------ ----------------------
100
101 Note that roster implementation is incomplete at the moment, roster pushes are not yet
102 send to privileged entity.
78 103
79 message 104 message
80 ------- 105 -------
81 106
82 ------------------ ------------------------------------------------------------ 107 ------------------ ------------------------------------------------------------
90 ------------------ ------------------------------------------------------------------------------------------------ 115 ------------------ ------------------------------------------------------------------------------------------------
91 none *(default)* Do not have extra presence information 116 none *(default)* Do not have extra presence information
92 managed\_entity Receive presence stanzas (except subscriptions) from host users 117 managed\_entity Receive presence stanzas (except subscriptions) from host users
93 roster Receive all presence stanzas (except subsciptions) from host users and people in their rosters 118 roster Receive all presence stanzas (except subsciptions) from host users and people in their rosters
94 ------------------ ------------------------------------------------------------------------------------------------ 119 ------------------ ------------------------------------------------------------------------------------------------
120
121 iq
122 --
123
124 IQ permission is a table mapping allowed namespaces to allowed stanza type. When
125 a namespace is specified, IQ stanza of the specified type (see below) can be
126 sent if and only if the first child element of the IQ stanza has the specified
127 namespace. See https://xmpp.org/extensions/xep-0356.html#iq for details.
128
129 Allowed stanza type:
130
131 -------- -------------------------------------------
132 get Allow IQ stanza of type **get**
133 set Allow IQ stanza of type **set**
134 both Allow IQ stanza of type **get** and **set**
135 -------- -------------------------------------------
95 136
96 Compatibility 137 Compatibility
97 ============= 138 =============
98 139
99 If you use it with Prosody 0.9 and with a component, you need to patch 140 If you use it with Prosody 0.9 and with a component, you need to patch
116 157
117 Then, at the root of prosody, enter: 158 Then, at the root of prosody, enter:
118 159
119 `patch -p1 < /tmp/component.patch` 160 `patch -p1 < /tmp/component.patch`
120 161
121 ----- ---------------------------------------------------- 162 ----- --------------------------------------------------
163 trunk Works
164 0.12 Works
165 0.11 Works
122 0.10 Works 166 0.10 Works
123 0.9 Need a patched core/mod\_component.lua (see above) 167 0.9 Need a patched core/mod\_component.lua (see above)
124 ----- ---------------------------------------------------- 168 ----- --------------------------------------------------
125 169
126 Note 170 Note
127 ==== 171 ====
128 172
129 This module is often used with mod\_delegation (c.f. XEP for more 173 This module is often used with mod\_delegation (c.f. XEP for more details)
130 details)