Read/write based on realm


#1

On all the serve remotes, it would be good to be able to control the permission levels of users based on the realm. I have remotes (specifically webdav in my use case but FTP itself could benefit) that I'd like to hand to a few people but the issue currently is they will have access to not only access the data but delete it. My proposal is the default is the normal read/write but based on a few flags and the realm in the passwd files we can control the methods allowed to be executed.

Something like (default is always ALL)
--realms=READREALM:GET,PROPFIND,HEAD;WRITEREALM:ALL

This could be simplified also to just read write instead of defining the actual methods like:
--realms=READREALM:RO,WRITEREALM:RW

If we didn’t want to use realm to control this, then we could also just flag the users like this but this is a bit cumbersome as you’d have to marry those user names to the password file when rclone is started. Using the realm, it would become dynamic.
--ro_users=user1,user2 --rw_users=user3,user4

Without this, I’m currently forced to run multiple rclone instances on different ports specifying the ‘read-only’ flag on the remote itself and directing the different users to the different ports.
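As an added illustration of the RO/RW split proposed above (example code written for this page, not rclone's own code and not part of the thread), the following Go middleware allows a read-only user only the non-modifying WebDAV methods (GET, HEAD, OPTIONS, PROPFIND) and a read/write user everything; the role table and usernames are constructed, and it assumes the Basic-auth password has already been verified by an authentication layer in front of it.

```go
package main

import (
	"log"
	"net/http"
)

// Role is the access level of an authenticated user (constructed scheme).
type Role int
const (
	RoleNone Role = iota // unknown user: reject
	RoleRO               // read-only: listing and download only
	RoleRW               // read/write: every method
)

// readOnlyMethods are the WebDAV/HTTP methods that cannot modify data.
var readOnlyMethods = map[string]bool{"GET": true, "HEAD": true, "OPTIONS": true, "PROPFIND": true}

// Allowed reports whether a user with the given role may issue the method.
func Allowed(role Role, method string) bool {
	switch role {
	case RoleRW:
		return true
	case RoleRO:
		return readOnlyMethods[method]
	}
	return false
}

// RestrictMethods wraps next so every request is checked against the caller's role.
// Only the Basic-auth username is inspected; the password is assumed already verified.
func RestrictMethods(roles map[string]Role, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		user, _, ok := r.BasicAuth()
		if !ok || roles[user] == RoleNone {
			w.Header().Set("WWW-Authenticate", `Basic realm="rclone"`)
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		if !Allowed(roles[user], r.Method) {
			http.Error(w, "method not permitted for this user", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() { // constructed role table; serves the current directory for demonstration
	roles := map[string]Role{"reader": RoleRO, "editor": RoleRW}
	log.Fatal(http.ListenAndServe("127.0.0.1:8080", RestrictMethods(roles, http.FileServer(http.Dir(".")))))
}
```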


#2

The htpasswd files I’m familiar with don’t have a realm

Are you using an htdigest file?

Neat work-around :smile:


#3

Ah yes. :face_with_hand_over_mouth: I was looking at my nginx password files rather than rclone which is using basic. That tosses realm out unless rclone is moved to digest and we’d be stuck with a more cumbersome approach of:

--ro_users=user1,user2 --rw_users=user3,user4

which would then need to match the users in the basic password file. Any thoughts on moving to digest? Nothing like scope creep.

Unless multiple password files are defined by realm.
--htpasswd=READREALM:/my/.passwordread;WRITEREALM:/my/.passwordwrite;
--realms=READREALM:RO,WRITEREALM:RW


#4

Would Caddy be an option? I use caddy and Google Auth for my stuff and I think you can get down to that level.


#5

Funny, I was just looking at that. It is. It is quite capable of this as a work-around. Still would be nice to have rclone have basic control of RO and RW functions, especially in a DAVS/FTP serve.


#6

Makes sense. I’ve moved over to using Caddy over Nginx for the pure simplicity of Caddy.


#7

I should have said "I think it is". I'm not 100% sure yet if it will work by restricting certain methods by login. I might be able to proxy to different ports based on the user though, which will at least give the users a front-end on the same port but still requires two rclones to proxy to (one read and one read/write).


#8

They have a very active forum as well; I used that when I got my setup going.


#9

Might have to ask this there. I’d be happy with at least a single port with two backend rclones. Would be better to be able to simply restrict users by method though. We’ll see.


#10

Caddy won’t be able to do what I want. @ncw any chance on getting something like that implemented to separate read from read write in DAVS especially.


#11

Can you write up a new issue on github and I’ll take a look at it over the holiday season! I’m not 100% sure that it will be easy to implement but it deserves more investigation.

Do you think the permissions should be finer diced than just read-only and full?


#12

I created an issue here to discuss.


#13

Thank you :smile:

A scheme that is useful for all the “serve” commands would be perfect.