path: root/doc/doc.RPKI.CA.UI.GUI.UserModel
****** RPKI Web Portal User Model ******

***** Roles *****

The web portal uses a model where users are distinct from resource holders.

**** Users ****

A user is an entity that is granted permission to utilize the web portal. Each
user account has an associated password that is used to log in to the web
portal.

The web portal maintains an access control list that specifies which resource
holders the user is allowed to manage. If a user is authorized to manage more
than a single resource holder, the user will be presented with a list of the
resource holders upon login.

Database tables: irdbd.auth_user and irdbd.app_confacl

*** Changing User Passwords ***

The password for a user may be changed via the web portal, or on the command
line:

  $ rpki-manage changepassword <USER>

*** Superuser ***

A user account with the superuser bit set has the special capability that it
may assume the role of any resource holder managed by the local RPKI service.
Superusers are created via the command line interface:

  $ rpki-manage createsuperuser

*** Creating user accounts ***

When logged into the web portal with a superuser account, select the web users
link in the sidebar, and then click on the create button at the bottom of the
page. You may optionally select one or more resource holders that this user is
granted authorization to manage.

Note that creating a user does not create a matching resource holder. See
"Creating resource holders".

*** Destroying user accounts ***

When logged into the web portal with a superuser account, select the web users
link in the sidebar, and then click on the Delete icon next to the user you
wish to delete.

Note that this action does not remove any of the resource holders the user is
granted authorization to manage.

**** Resource Holders ****

Resource holders are entities that have authority to manage a set of Internet
number resources. When a user logs into the web portal, they select which
resource holder role to assume. The user may choose to assume the role of a
different resource holder by clicking on the select identity link in the
sidebar.

The list of resource holders managed by the local RPKI service can be viewed
with a superuser account by clicking on the resource holders link in the
sidebar of the web portal. From this page the superuser can manage the resource
holders.

Database table: irdbd.irdb_resourceholderca (via irdbd.app_conf proxy model)

*** Creating resource holders ***

Note that creating a new resource holder does not create a user account. See
"Creating user accounts".

** GUI **

When logged into the web portal with a superuser account, select the resource
holders link in the sidebar, and then click on the create button at the bottom
of the page.

If the new resource holder is going to be a child of another resource holder
hosted by the local RPKI service, you may optionally select the parent resource
holder from the dropdown box, and the parent-child relationship will
automatically be established when the new resource holder is created.

Additionally, one or more users authorized to manage the new resource holder
may be selected from the Users list on the creation form.

** Command Line **

You can also create resource holders on the command line:

  $ rpkic -i <HANDLE> initialize
  $ rpkic synchronize

where HANDLE is the name of the new resource holder. Note that this new resource
holder will initially only be allowed to be managed by superuser accounts. You
may wish to create a matching user account, but the name of the user need not
be the same as the handle of the resource holder. Additionally, you can manage
the list of users allowed to manage this resource holder via the web portal;
click on the Edit icon next to the resource holder, and select the users you
wish to grant permission to manage.

*** Destroying resource holders ***

Note that deleting a resource holder does not remove any user accounts.

** GUI **

When logged into the web portal with a superuser account, select the resource
holders link in the sidebar, and then click on the delete button next to the
resource holder you wish to delete.

** Command Line **

Or you may use the command line interface:

  $ rpkic -i <HANDLE> delete_self
  $ rpkic synchronize

where HANDLE is the name of the resource holder you wish to destroy.

*** Modifying the User ACL ***

Each resource holder may be managed by one or more user accounts. The list of
users authorized to assume the role of a particular resource holder may be
changed in the web portal. When logged into the web portal with a superuser
account, select the resource holders link in the sidebar, and then click on the
Edit icon next to the resource holder, and select the users you wish to grant
permission to manage.
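
The access rules described on this page, as an added example that is not part
of the RPKI toolkit: a small in-memory model of users, resource holders and the
ACL, with an audit that lists resource holders only superusers can manage and
users who can log in but manage nothing. The Portal class, its field names and
the sample accounts are assumptions; the real data lives in the irdbd tables
named above, whose layout is not shown here.

```python
from dataclasses import dataclass, field


@dataclass
class Portal:
    """Hypothetical in-memory stand-in for the portal's user and ACL state."""
    users: set = field(default_factory=set)       # every account, superusers included
    superusers: set = field(default_factory=set)  # accounts with the superuser bit
    holders: set = field(default_factory=set)     # resource holder handles
    acl: set = field(default_factory=set)         # (user, holder) grants

    def may_assume(self, user, holder):
        """Superusers may assume any role; other users need an ACL entry."""
        if user not in self.users or holder not in self.holders:
            return False
        return user in self.superusers or (user, holder) in self.acl

    def selectable_holders(self, user):
        """Resource holders offered to the user at login."""
        return sorted(h for h in self.holders if self.may_assume(user, h))

    def delete_user(self, user):
        """Remove the account; resource holders stay, as the page notes.
        Dropping the user's ACL entries with it is an assumption."""
        self.users.discard(user)
        self.superusers.discard(user)
        self.acl = {(u, h) for u, h in self.acl if u != user}

    def audit(self):
        """Report holders only superusers can manage, and users with no grant."""
        ordinary = self.users - self.superusers
        granted = {(u, h) for u, h in self.acl if u in ordinary}
        return {
            "superuser_only_holders": sorted(self.holders - {h for _, h in granted}),
            "users_without_holders": sorted(ordinary - {u for u, _ in granted}),
        }


def sample_portal():
    """Constructed sample state; every name here is made up."""
    return Portal(
        users={"root", "alice", "bob", "carol"},
        superusers={"root"},
        holders={"ISP-A", "ISP-B", "LAB"},  # LAB: created with rpkic, no ACL yet
        acl={("alice", "ISP-A"), ("alice", "ISP-B"), ("bob", "ISP-B")},
    )
```

Running audit() after each account or resource holder change shows which
handles have fallen back to superuser-only management.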