Adguardhome: User Accounts for AdGuardHome

Created on 11 Sep 2019  路  7Comments  路  Source: AdguardTeam/AdGuardHome

Enhance AGHome as a multi-user system that handles multiple simultaneous active sessions with role of administrators and standard users.

Benefits

  • Configure non-privilege users (view mode) to access query logs, dashboard and settings.
  • Provide non-privilege access to certain device or range. https://github.com/AdguardTeam/AdGuardHome/issues/481
  • Configure administrator access to certain 'IPs, CIDR, MACs' https://github.com/AdguardTeam/AdGuardHome/issues/809 for manage data and change settings (change DNS https://github.com/AdguardTeam/AdGuardHome/issues/821, filters https://github.com/AdguardTeam/AdGuardHome/issues/435 etc)
    _(this way we can keep provide 'Client' feature for such administrator)_

Screenshot_247
_(Source: Ntopng)_

https://www.ntop.org/products/traffic-analysis/ntop/
https://github.com/ntop/ntopng

_Any other reasons?
To prevent implement https://github.com/AdguardTeam/AdGuardHome/issues/628_

Above mentioned user roles seems extend the development task too much due other adguardhome users various expectations then i prefer suggest to discard user roles and use custom permissions method with 'Client Settings' for user accounts.

64710761-b839bd80-d4e2-11e9-85fc-427c68adf2cf

  1. Allowed networks - the range provide to certain user
    (that user also able to create sub-accounts for someone else, it reduce the fever falls to server administrator)
  2. Allow create accounts
    (additional option but it helps to avoid unwanted users. ex: avoid kids, co-workers create accounts for strangers)
  3. Use default settings
    (if no intention to add clients then it helps to keep current account default settings rather than no protection but it still possible to override)
  4. Lock button
    (just lock all settings and we might need to use that individually for)

    • each main settings - safe search, safe browsing, parental control

    • each filter list - so we can prevent disable some filters

    • dns servers tab

    • blocked services tab

Preference
(this's an another column necessary to add next to 'main settings', 'block services', 'upstream servers')

Filters
(it's possible to keep that under client settings too, so we can add necessary filter lists) https://github.com/AdguardTeam/AdGuardHome/issues/435

Locked settings effect
Screenshot_1

High enhancement
Source
picture ghost

All 7 comments

First we need to decide whether we can use the same UI for both administrator and a regular user. The problem is that currently if the server starts to respond with an error to all requests except get /querylog UI will show tons of error messages. So either:

  • UI must know what is allowed to a regular user and make only allowed requests
  • or UI must handle access errors to any request and ignore it silently (and show empty data everywhere)
  • or UI needs a whole new interface for a regular user
szolin picture szolin on 5 Nov 2019
👍1

@szolin re-assigned this task to v0.103, I think it's too early for us to go this deep with users management.

ameshkov picture ameshkov on 7 Nov 2019
😄1

I didn't quite get the point of adding the "Language" settings into this panel. Based on my experience of the current version, obtaining language from the browser's request is quite enough.

AngelFalse picture AngelFalse on 14 Nov 2019

Regarding https://github.com/AdguardTeam/AdGuardHome/issues/1235#issuecomment-562979662

i think user account more convenient to preserve any changes, settings properly than simplified web panel without authentication and hold an account is not that much complex as https://github.com/AdguardTeam/AdGuardHome/issues/1235#issuecomment-563309566 mentioned. optionally able to use simple password, saved logins or without clear cookies etc.

non-authentication accesses also make trouble when user needs to give personal desktop, mobile for someone else temporally or public devices in schools, classes, cafe etc.

ghost picture ghost on 9 Dec 2019

Like this idea - as a second iteration of this it could be nice to be able to have users authenticate through some SSO or LDAP service rather than having to manage them manually

mountainsandcode picture mountainsandcode on 9 Jan 2020
👍1

@szolin
First we need to decide whether we can use the same UI for both administrator and a regular user.

Please refer new changes above; i forgot to mention

ghost picture ghost on 9 Jan 2020

Like this idea - as a second iteration of this it could be nice to be able to have users authenticate through some SSO or LDAP service rather than having to manage them manually

Agreed. OAuth 2.0 / OpenID Connect and SAML support would be amazing. There's a ton of awesome ready to go libraries out there.

timcappalli picture timcappalli on 11 May 2020
Was this page helpful?
0 / 5 - 0 ratings

Related issues

thb007 picture thb007  路  3Comments
TXC picture TXC  路  3Comments
alexpovel picture alexpovel  路  3Comments
sosp picture sosp  路  3Comments
ajongsma picture ajongsma  路  3Comments