[ejabberd] access_commands in ejabberd.cfg and vhosts (ejabberd2.1)

Badlop badlop at gmail.com
Mon Jun 1 22:35:33 MSD 2009


2009/5/31 Pablo Platt <pablo.platt at yahoo.com>:
> I'm using the trunk version ejabberd2.1
>
> I have two vhosts example1.com and example2.com
> I want to configure mod_rest to allow admin1 from example1.com to execute
> commands only related to host example1.com
> and the same for admin2 from example2.com to be able to execute commands
> only related to host example2.com

I found a bug in mod_rest, another in ejabberd_commands and another in
your python test script. Update ejabberd trunk and mod_rest to get the
fixes.

The problem in your python script is that you must send the HTTP call
to the correct host: example1.com or example2.com, not localhost.

The configuration you passed to me was correct. Anyway, here again is
the working config I tried:

In ejabberd.cfg listen section:
{listen, [
  {8080, ejabberd_http, [
                         {request_handlers, [
                                             {["rest"], mod_rest}
                                            ]}
                        ]},
  ...

]}.

At the bottom of ejabberd.cfg:
{include_config_file, "/etc/ejabberd/custom1.cfg"}.
{include_config_file, "/etc/ejabberd/custom2.cfg"}.

Optionally, instead of the previous lines you may want to put a more
restrictive:
{include_config_file, "/etc/ejabberd/custom1.cfg", [{allow_only, [host_config]}]}.
{include_config_file, "/etc/ejabberd/custom2.cfg", [{allow_only, [host_config]}]}.

Content of custom1.cfg:
{host_config, "example1.com",
 [
  {acl, admin1, {user, "admin1", "example1.com"}},
  {access, rest1, [{allow, admin1}]},
  {{add, modules},
   [
    {mod_rest,
     [
      {access_commands,
       [
        {rest1, all, [{host, "example1.com"}]}
       ]}
     ]}
   ]}
 ]}.

Content of custom2.cfg:
{host_config, "example2.com",
 [
  {acl, admin2, {user, "admin2", "example2.com"}},
  {access, rest2, [{allow, admin2}]},
  {{add, modules},
   [
    {mod_rest,
     [
      {access_commands,
       [
        {rest2, all, [{host, "example2.com"}]}
       ]}
     ]}
   ]}
 ]}.

Then create two accounts:
  admin1 at example1.com with password pass1
  admin2 at example2.com with password pass2

And finally, to test this setup, try this simple script:

echo "*** This works:"
echo ""
echo "--auth admin1 example1.com pass1 registered_users example1.com" >aa
echo "---" >>aa
cat aa | lynx http://example1.com:8080/rest/ -mime_header -post_data -
echo ""
echo ""

echo "*** This works:"
echo ""
echo "--auth admin2 example2.com pass2 registered_users example2.com" >aa
echo "---" >>aa
cat aa | lynx http://example2.com:8080/rest/ -mime_header -post_data -
echo ""
echo ""

echo "*** This doesn't work:"
echo ""
echo "--auth admin1 example1.com pass1 registered_users example2.com" >aa
echo "---" >>aa
cat aa | lynx http://example1.com:8080/rest/ -mime_header -post_data -
echo ""
echo ""

echo "*** This doesn't work:"
echo ""
echo "--auth admin1 example1.com pass1 registered_users example2.com" >aa
echo "---" >>aa
cat aa | lynx http://example2.com:8080/rest/ -mime_header -post_data -
echo ""
echo ""

echo "*** This doesn't work:"
echo ""
echo "--auth admin1 example1.com pass1 registered_users example1.com" >aa
echo "---" >>aa
cat aa | lynx http://example2.com:8080/rest/ -mime_header -post_data -
echo ""
echo ""

echo "*** This doesn't work:"
echo ""
echo "--auth admin2 example2.com pass2 registered_users example1.com" >aa
echo "---" >>aa
cat aa | lynx http://example1.com:8080/rest/ -mime_header -post_data -
echo ""
echo ""

echo "*** This doesn't work:"
echo ""
echo "--auth admin2 example2.com pass2 registered_users example1.com" >aa
echo "---" >>aa
cat aa | lynx http://example2.com:8080/rest/ -mime_header -post_data -
echo ""


---
Badlop
ProcessOne
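
Added example, not part of the message above and not ejabberd or mod_rest code: a simplified Python model of the check the two host_config blocks express, run over the seven requests from the test script. It assumes the vhost whose access_commands apply is the host in the request URL; the function and table names are made up for this sketch.

```python
# Simplified model of per-vhost access_commands (constructed for illustration;
# this is not how ejabberd implements the check internally).

def vhost(host, admin, rule):
    """One host_config block: members of the access rule plus its access_commands."""
    return {"access": {rule: {(admin, host)}},
            "access_commands": [(rule, "all", {"host": host})]}

VHOSTS = {"example1.com": vhost("example1.com", "admin1", "rest1"),
          "example2.com": vhost("example2.com", "admin2", "rest2")}
ACCOUNTS = {("admin1", "example1.com"): "pass1",
            ("admin2", "example2.com"): "pass2"}

def authorize(http_host, user, user_host, password, command, args):
    """Return (allowed, reason) for one request sent to http_host."""
    caller = (user, user_host)
    if ACCOUNTS.get(caller) != password:
        return False, "bad credentials"
    cfg = VHOSTS.get(http_host)
    if cfg is None:
        return False, "unknown vhost"
    reason = "caller not in any access rule of " + http_host
    for rule, commands, restrictions in cfg["access_commands"]:
        if caller not in cfg["access"].get(rule, set()):
            continue                      # rule does not cover this account
        if commands != "all" and command not in commands:
            reason = "command not listed for " + rule
            continue
        if all(args.get(k) == v for k, v in restrictions.items()):
            return True, "allowed by " + rule
        reason = "argument restriction of " + rule + " not met"
    return False, reason

# The seven requests of the test script:
# (user, user host, password, host argument of registered_users, URL host)
CASES = [
    ("admin1", "example1.com", "pass1", "example1.com", "example1.com"),
    ("admin2", "example2.com", "pass2", "example2.com", "example2.com"),
    ("admin1", "example1.com", "pass1", "example2.com", "example1.com"),
    ("admin1", "example1.com", "pass1", "example2.com", "example2.com"),
    ("admin1", "example1.com", "pass1", "example1.com", "example2.com"),
    ("admin2", "example2.com", "pass2", "example1.com", "example1.com"),
    ("admin2", "example2.com", "pass2", "example1.com", "example2.com"),
]

def run_cases():
    return [authorize(url_host, u, uh, pw, "registered_users", {"host": arg})
            for u, uh, pw, arg, url_host in CASES]

if __name__ == "__main__":
    for case, (ok, why) in zip(CASES, run_cases()):
        print("ALLOW" if ok else "DENY ", case, "-", why)
```

The denials come from two different places: the argument restriction when the right admin asks about the other host, and the access rule when the request is sent to the vhost that does not list the caller.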

