Mercurial > prosody-modules
comparison mod_privilege/README.markdown @ 4913:3ddab718f717
mod_privilege: update to v0.4:
- now the namespace "urn:xmpp:privilege:2" is exclusively used
- IQ permission implementation
- README update
roster pushes are not implemented yet
| author | Goffi <goffi@goffi.org> |
|---|---|
| date | Wed, 11 May 2022 12:43:26 +0200 |
| parents | 8dda3d7d616f |
| children |
comparison
equal
deleted
inserted
replaced
| 4912:b45c23ce24ba | 4913:3ddab718f717 |
|---|---|
| 1 --- | 1 --- |
| 2 labels: | 2 labels: |
| 3 - 'Stage-Alpha' | 3 - 'Stage-Beta' |
| 4 summary: 'XEP-0356 (Privileged Entity) implementation' | 4 summary: 'XEP-0356 (Privileged Entity) implementation' |
| 5 ... | 5 ... |
| 6 | 6 |
| 7 Introduction | 7 Introduction |
| 8 ============ | 8 ============ |
| 9 | 9 |
| 10 Privileged Entity is an extension which allows entity/component to have | 10 Privileged Entity is an extension which allows entity/component to have |
| 11 privileged access to server (set/get roster, send message on behalf of | 11 privileged access to server (set/get roster, send message on behalf of server, |
| 12 server, access presence informations). It can be used to build services | 12 send IQ stanza on behalf of user, access presence information). It can be used |
| 13 independently of server (e.g.: PEP service). | 13 to build services independently of server (e.g.: PEP service). |
| 14 | 14 |
| 15 Details | 15 Details |
| 16 ======= | 16 ======= |
| 17 | 17 |
| 18 You can have all the details by reading the | 18 You can have all the details by reading the |
| 19 [XEP-0356](http://xmpp.org/extensions/xep-0356.html). | 19 [XEP-0356](http://xmpp.org/extensions/xep-0356.html). |
| 20 | |
| 21 Only the latest version of the XEP is implemented (using namespace | |
| 22 `urn:xmpp:privilege:2`), if your component use an older version, please update. | |
| 23 | |
| 24 Note that roster permission is not fully implemented yet, roster pushes are not yet sent | |
| 25 to privileged entity. | |
| 20 | 26 |
| 21 Usage | 27 Usage |
| 22 ===== | 28 ===== |
| 23 | 29 |
| 24 To use the module, like usual add **"privilege"** to your | 30 To use the module, like usual add **"privilege"** to your |
| 31 "privilege"; | 37 "privilege"; |
| 32 } | 38 } |
| 33 | 39 |
| 34 [...] | 40 [...] |
| 35 | 41 |
| 36 Component "youcomponent.yourdomain.tld" | 42 Component "pubsub.yourdomain.tld" |
| 37 component_secret = "yourpassword" | 43 component_secret = "yourpassword" |
| 38 modules_enabled = {"privilege"} | 44 modules_enabled = {"privilege"} |
| 39 | 45 |
| 40 then specify privileged entities **in your host section** like that: | 46 then specify privileged entities **in your host section** like that: |
| 41 | 47 |
| 49 ["juliet@capulet.lit"] = { | 55 ["juliet@capulet.lit"] = { |
| 50 roster = "both"; | 56 roster = "both"; |
| 51 message = "outgoing"; | 57 message = "outgoing"; |
| 52 presence = "roster"; | 58 presence = "roster"; |
| 53 }, | 59 }, |
| 60 ["pubsub.yourdomain.tld"] = { | |
| 61 roster = "get"; | |
| 62 message = "outgoing"; | |
| 63 presence = "roster"; | |
| 64 iq = { | |
| 65 ["http://jabber.org/protocol/pubsub"] = "set"; | |
| 66 }; | |
| 67 }, | |
| 54 } | 68 } |
| 55 | 69 |
| 56 Here *romeo@montaigu.lit* can **get** roster of anybody on the host, and | 70 Here *romeo@montaigu.lit* can **get** roster of anybody on the host, and will |
| 57 will **have presence for any user** of the host, while | 71 **have presence for any user** of the host, while *juliet@capulet.lit* can |
| 58 *juliet@capulet.lit* can **get** and **set** a roster, **send messages** | 72 **get** and **set** a roster, **send messages** on behalf of the server, and |
| 59 on the behalf of the server, and **access presence of anybody linked to | 73 **access presence of anybody linked to the host** (not only people on the |
| 60 the host** (not only people on the server, but also people in rosters of | 74 server, but also people in rosters of users of the server). |
| 61 users of the server). | |
| 62 | 75 |
| 63 **/! Be extra careful when you give a permission to an entity/component, | 76 *pubsub.yourdomain.tld* is a Pubsub/PEP component which can **get** roster of |
| 64 it's a powerful access, only do it if you absoly trust the | 77 anybody on the host, **send messages** on the behalf of the server, **access |
| 65 component/entity, and you know where the software is coming from** | 78 presence of anybody linked to the host**, and **send IQ stanza of type "set" for |
| 79 the namespace "http://jabber.org/protocol/pubsub"** (this can be used to | |
| 80 implement XEP-0376 "Pubsub Account Management"). | |
| 81 | |
| 82 **/!\\ Be extra careful when you give a permission to an entity/component, it's | |
| 83 a powerful access, only do it if you absolutely trust the component/entity, and | |
| 84 you know where the software is coming from** | |
| 66 | 85 |
| 67 Configuration | 86 Configuration |
| 68 ============= | 87 ============= |
| 88 | |
| 89 roster | |
| 90 ------ | |
| 69 | 91 |
| 70 All the permissions give access to all accounts of the virtual host. | 92 All the permissions give access to all accounts of the virtual host. |
| 71 | 93 |
| 72 -------- ------------------------------------------------ ---------------------- | 94 -------- ------------------------------------------------ ---------------------- |
| 73 roster none *(default)* No access to rosters | 95 roster none *(default)* No access to rosters |
| 74 get Allow **read** access to rosters | 96 get Allow **read** access to rosters |
| 75 set Allow **write** access to rosters | 97 set Allow **write** access to rosters |
| 76 both Allow **read** and **write** access to rosters | 98 both Allow **read** and **write** access to rosters |
| 77 -------- ------------------------------------------------ ---------------------- | 99 -------- ------------------------------------------------ ---------------------- |
| 100 | |
| 101 Note that roster implementation is incomplete at the moment, roster pushes are not yet | |
| 102 send to privileged entity. | |
| 78 | 103 |
| 79 message | 104 message |
| 80 ------- | 105 ------- |
| 81 | 106 |
| 82 ------------------ ------------------------------------------------------------ | 107 ------------------ ------------------------------------------------------------ |
| 90 ------------------ ------------------------------------------------------------------------------------------------ | 115 ------------------ ------------------------------------------------------------------------------------------------ |
| 91 none *(default)* Do not have extra presence information | 116 none *(default)* Do not have extra presence information |
| 92 managed\_entity Receive presence stanzas (except subscriptions) from host users | 117 managed\_entity Receive presence stanzas (except subscriptions) from host users |
| 93 roster Receive all presence stanzas (except subsciptions) from host users and people in their rosters | 118 roster Receive all presence stanzas (except subsciptions) from host users and people in their rosters |
| 94 ------------------ ------------------------------------------------------------------------------------------------ | 119 ------------------ ------------------------------------------------------------------------------------------------ |
| 120 | |
| 121 iq | |
| 122 -- | |
| 123 | |
| 124 IQ permission is a table mapping allowed namespaces to allowed stanza type. When | |
| 125 a namespace is specified, IQ stanza of the specified type (see below) can be | |
| 126 sent if and only if the first child element of the IQ stanza has the specified | |
| 127 namespace. See https://xmpp.org/extensions/xep-0356.html#iq for details. | |
| 128 | |
| 129 Allowed stanza type: | |
| 130 | |
| 131 -------- ------------------------------------------- | |
| 132 get Allow IQ stanza of type **get** | |
| 133 set Allow IQ stanza of type **set** | |
| 134 both Allow IQ stanza of type **get** and **set** | |
| 135 -------- ------------------------------------------- | |
| 95 | 136 |
| 96 Compatibility | 137 Compatibility |
| 97 ============= | 138 ============= |
| 98 | 139 |
| 99 If you use it with Prosody 0.9 and with a component, you need to patch | 140 If you use it with Prosody 0.9 and with a component, you need to patch |
| 116 | 157 |
| 117 Then, at the root of prosody, enter: | 158 Then, at the root of prosody, enter: |
| 118 | 159 |
| 119 `patch -p1 < /tmp/component.patch` | 160 `patch -p1 < /tmp/component.patch` |
| 120 | 161 |
| 121 ----- ---------------------------------------------------- | 162 ----- -------------------------------------------------- |
| 163 trunk Works | |
| 164 0.12 Works | |
| 165 0.11 Works | |
| 122 0.10 Works | 166 0.10 Works |
| 123 0.9 Need a patched core/mod\_component.lua (see above) | 167 0.9 Need a patched core/mod\_component.lua (see above) |
| 124 ----- ---------------------------------------------------- | 168 ----- -------------------------------------------------- |
| 125 | 169 |
| 126 Note | 170 Note |
| 127 ==== | 171 ==== |
| 128 | 172 |
| 129 This module is often used with mod\_delegation (c.f. XEP for more | 173 This module is often used with mod\_delegation (c.f. XEP for more details) |
| 130 details) |