Differences

This shows you the differences between two versions of the page.

--- x2gobroker:inifilebackend [2013/05/12 22:26]
sunweaver
+++ x2gobroker:inifilebackend [2013/07/02 00:30]
sunweaver [List of ACL rules]
@@ Line 2: / Line 2: @@
 The default version of the ''/etc/x2go/broker/x2gobroker-sessionprofiles.conf'' configuration file can be viewed [[http://code.x2go.org/gitweb?p=x2gobroker.git;a=blob;f=etc/broker/x2gobroker-sessionprofiles.conf|here]].
+===== Basic Configuration File =====
 The file format is the INI file format. It falls in to a [DEFAULT] section and one or more session profile sections. A minimal setup could look like this.
@@ Line 24: / Line 26: @@
 Note that every X2Go Client parameter not given here gets filled in from a [[http://code.x2go.org/gitweb?p=x2gobroker.git;a=blob;f=x2gobroker/defaults.py|hard-coded default configuration]].
+===== Filtering through Access Control List =====
+If a user has been successfully authenticated against the X2Go Session Broker (or a user name has been given via the http request for cases where ''check-credentials'' in ''x2gobroker.conf'' is set to ''false'') you can use the user's UID, GID and the client address from that the user connects to filter out session profiles.
+<file>
+[DEFAULT]
+command=XFCE
+fullscreen=true
+[staff-server]
+host=x2go-staff.intern
+acl-groups-allow=staff,admins
+acl-groups-deny=ALL
+acl-any-order=deny-allow
+[student-server]
+host=x2go-student-01.intern
+acl-groups-allow=students,admins
+acl-groups-deny=ALL
+acl-any-order=deny-allow
+[admin-server]
+host=x2go-admin.intern
+fullscreen=false
+width=1280
+height=768
+acl-groups-allow=admins
+acl-groups-deny=ALL
+acl-any-order=deny-allow
+</file>
+==== List of ACL rules ====
+The ACL rules work very similar to Apache ACL rules (allow, deny statements in ''apache2.conf'').
+To set the order (deny, allow vs. allow, deny), use this parameter
+  * ''acl-any-order = {deny-allow|allow-deny}'' (apply order to any ACL)
+  * ''acl-users-order = {deny-allow|allow-deny}'' (apply order to user ACLs only)
+  * ''acl-groups-order = {deny-allow|allow-deny}'' (apply order to group ACLs only)
+  * ''acl-clients-order = {deny-allow|allow-deny}'' (apply order to client ACLs only)
+Furthermore, an aid for selecting the correct order (deny-allow vs. allow-deny):
+**User ACLs:**
+  * ''acl-users-allow = <user1>, <user2>, ..., <userN>''
+  * ''acl-users-deny = ALL''
+**Group ACLs:**
+  * ''acl-groups-allow = <group1>, <group2>, ..., <groupN>''
+  * ''acl-groups-deny = ALL''
+**Client ACLs:**
+  * ''acl-clients-allow = <subnet-or-ip>, <or-dns-hostname>''
+  * ''acl-clients-deny = ALL''
+===== Special Broker Options =====
+Some options in the ''x2gobroker-sessionprofiles.conf'' file are used to tweak the broker itself. The options are:
+  * ''broker-session-autologin'': send a private SSH key to X2Go Client that the client then internally uses for SSH pub/priv key based authentication. The X2Go Session Broker will send the SSH public key via the X2Go Session Broker Agent to the X2Go Server
+  * ''broker-authorized-keys'': full path to the server-side ''authorized_keys'' file (on the X2Go server)

X2Go - everywhere@home

User Tools

Site Tools

Differences

Page Tools