.. _users:

**************************************
Role and User Management
**************************************

.. rubric:: In this chapter:

.. contents::
   :local:

.. _predefined-roles:

Predefined Roles
=================================

FindFace provides the following predefined roles:

* Administrator is granted full access to the FindFace functionality, integrative and administrative tools.

  .. important::

     Whatever the role, the first administrator (Super Administrator) cannot be deprived of its rights.

* Operator is granted full access to the FindFace functionality.
* User is granted rights to modify their profile and manage cases. The other functions are available read-only.

You can change the privileges of the predefined roles, as well as create various custom roles.

.. _create-role:

Create Custom Role
================================

To create a custom role, do the following:

#. Navigate :guilabel:`Settings` -> :guilabel:`Roles`.
#. Click :guilabel:`+ Add new role`.

   |create_role_en|

   .. |create_role_en| image:: /_static/create_role_en.png
      :scale: 50%

   .. |create_role_ru| image:: /_static/create_role_ru.png
      :scale: 50%

#. On the :guilabel:`Information` tab, specify the role name. Save the role.

   |role_information_en|

   .. |role_information_en| image:: /_static/role_information_en.png
      :scale: 50%

   .. |role_information_ru| image:: /_static/role_information_ru.png
      :scale: 50%

#. After saving the role, you will see the following tabs appear next to the :guilabel:`Information` tab:

   |role_watchlists_en|

   .. |role_watchlists_en| image:: /_static/role_watchlists_en.png
      :scale: 65%

   .. |role_watchlists_ru| image:: /_static/role_watchlists_ru.png
      :scale: 65%

   * :guilabel:`Watch Lists`: role privileges for specific watch lists
   * :guilabel:`Camera Groups`: role privileges for specific camera groups
   * :guilabel:`Permissions`: role privileges for entire system functions and entities

   Set role privileges, subject to your needs.
   Note that there is a distinction between role privileges for a specific watch list/camera group and a system entity with the name ``watchlist``/``cameragroup``. For example, if you set ``Off`` for a certain camera group on the :guilabel:`Camera Groups` tab, users with this role won't be able to work with **this** very group of cameras. Unchecking all checkboxes for the ``cameragroup`` entity on the :guilabel:`Permissions` tab will prevent users from viewing and working with **all** camera groups.

   The full list of the FindFace entities is as follows:

   * ``case``: case file
   * ``caseattachment``: uploading attachments to a case
   * ``faceobject``: face photo in a :ref:`record `
   * ``deviceblacklistrecord``: :ref:`blocklist `
   * ``watchlist``: :ref:`watch list `
   * ``cameragroup``: :ref:`camera group `
   * ``uploadlist``: list of photos in :ref:`bulk upload `
   * ``upload``: item (photo) in bulk record upload
   * ``user``: :ref:`user `
   * ``report``: :ref:`report `
   * ``all_own_sessions``: all :ref:`sessions ` of the current user on different devices

     .. note::

        If relevant permissions for this entity are set, users will be able to view (``view``) and close (``delete``) all their sessions on different devices. Otherwise, users will only be allowed to view and close their session on the current device. Working with sessions takes place on the :guilabel:`Sessions` tab (:guilabel:`Settings`).

   * ``humancard``: :ref:`record of an individual `

   You can also enable and disable rights for the following functionality:

   * ``configure_ntls``: configuration of the ``findface-ntls`` :ref:`license server `
   * ``batchupload_cards``: :ref:`bulk record upload `
   * ``view_runtimesetting``: viewing the FindFace :ref:`general preferences `
   * ``change_runtimesetting``: changing the FindFace general preferences
   * ``view_auditlog``: viewing and working with the :ref:`audit logs `

#. Save the changes.
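The following is an added model (not FindFace code) of how the two levels of privileges described above combine: an entity left unchecked on the :guilabel:`Permissions` tab hides every object of that kind, while ``Off`` on the :guilabel:`Camera Groups`/:guilabel:`Watch Lists` tab hides only that object. It assumes, where the page does not say, that the per-object privileges of several roles are merged by union like the entity permissions, that an object not listed on a role's tab counts as ``Off``, and it uses constructed role, camera-group and privilege names.

```python
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Role:
    name: str
    # Permissions tab: entity name -> checked actions, e.g. {"view", "delete"}
    entity_permissions: dict[str, set[str]] = field(default_factory=dict)
    # Camera Groups / Watch Lists tabs: object id -> privilege; "Off" blocks it
    object_privileges: dict[str, str] = field(default_factory=dict)


def effective_permissions(primary: Role, additional: list[Role]) -> dict[str, set[str]]:
    """Entity permissions of the primary role plus those of every additional role (union)."""
    merged: dict[str, set[str]] = {}
    for role in [primary, *additional]:
        for entity, actions in role.entity_permissions.items():
            merged.setdefault(entity, set()).update(actions)
    return merged


def can_view_object(entity: str, object_id: str, primary: Role, additional: list[Role]) -> bool:
    """Decide whether a user with these roles may view one watch list or camera group.

    1. With ``view`` unchecked for the entity (``watchlist``/``cameragroup``) in all
       roles, every object of that kind is hidden, whatever the per-object tabs say.
    2. Otherwise the per-object setting decides: an object set to ``Off`` in every
       role is hidden. Assumption (not stated on the page): one role granting the
       object is enough, and an object absent from a role's tab counts as ``Off``.
    """
    if "view" not in effective_permissions(primary, additional).get(entity, set()):
        return False
    roles = [primary, *additional]
    return any(role.object_privileges.get(object_id, "Off") != "Off" for role in roles)


def demo() -> dict[str, bool]:
    """Constructed roles: an operator denied one camera group, plus an extra role that grants it."""
    operator = Role("operator", {"cameragroup": {"view", "change"}},
                    {"cg-lobby": "Full", "cg-parking": "Off"})
    parking = Role("parking-viewer", {}, {"cg-parking": "View"})
    no_entity = Role("no-cameragroup", {}, {"cg-lobby": "Full"})
    return {
        "operator sees lobby": can_view_object("cameragroup", "cg-lobby", operator, []),
        "operator sees parking": can_view_object("cameragroup", "cg-parking", operator, []),
        "operator+parking sees parking": can_view_object("cameragroup", "cg-parking", operator, [parking]),
        "entity unchecked hides lobby": can_view_object("cameragroup", "cg-lobby", no_entity, []),
    }
```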
Primary and Additional User Privileges
========================================

You assign privileges to a user by using roles:

* :guilabel:`Primary role`: the main user role, mandatory for assignment. You can assign only one primary role to a user.
* :guilabel:`Role`: an additional user role, optional for assignment. You can assign several roles to one user. The rights associated with the additional roles are added to the primary privileges.

All users belonging to a particular primary role automatically get access to camera groups (and video archives within the group) and watch lists (and records in the watch list) created by a user with the same primary role, subject to the privileges defined by their additional role(s).

.. seealso::

   :ref:`create-user`

.. _create-user:

Create User Account Manually
===============================

To create a user account manually, do the following:

#. Navigate :guilabel:`Settings` -> :guilabel:`Users`.
#. Click :guilabel:`+ Create new user`.

   |create_user_en|

   .. |create_user_en| image:: /_static/create_user_en.png
      :scale: 70%

   .. |create_user_ru| image:: /_static/create_user_ru.png
      :scale: 70%

#. On the :guilabel:`Information` tab, specify user data such as name, login, and password. If necessary, add a comment.
#. From the :guilabel:`Roles` drop-down menu, select one or several user roles. Set one of them as the :guilabel:`Primary role`.
#. On the :guilabel:`Photos` tab, attach the user's photo.
#. Save the user account.

   |user_en|

   .. |user_en| image:: /_static/user_en.png
      :scale: 65%

   .. |user_ru| image:: /_static/user_ru.png
      :scale: 65%

Integrate with Active Directory for Auto User Creation
=============================================================

If there are many users in FindFace, it can be inconvenient to create their accounts one by one. One way to facilitate user creation is to use the FindFace integration with Active Directory. To do so, follow the step-by-step instructions below, minding the sequence.
Install and Configure Kerberos
---------------------------------------

First of all, install and configure the Kerberos authentication protocol on the FindFace principal server. Do the following:

#. Install the ``krb5-kdc`` package.

   .. code::

      sudo apt-get install krb5-kdc

   .. important::

      During the installation, you will have to enter the realm name. It must be equal to the Active Directory domain name, but spelled in upper case (``TESTNTL.LOCAL`` in the example below). It's OK to skip all other installation windows by pressing :kbd:`Enter`.

#. Find the ``realms`` section in the Kerberos configuration file ``/etc/krb5.conf``. Specify the Active Directory domain in it.

   .. code::

      sudo vi /etc/krb5.conf

      [realms]
      TESTNTL.LOCAL = {
          kdc = testntl.local
          default_domain = testntl.local
      }
      ...

#. Append the following string to the ``/etc/hosts`` file: `` ``.

   .. code::

      sudo vi /etc/hosts

      ...
      192.168.0.5 testntl.local

Generate Keytab File
---------------------------

Log in to the Active Directory server and do the following:

#. Create a new user account in the Active Directory domain to use as a service account. Do the following:

   #. Open Active Directory. Click :guilabel:`Start`, point to :guilabel:`Administrative Tools`, and then click :guilabel:`Active Directory Users and Computers`.
   #. Click the domain name and then expand the contents. Right-click :guilabel:`Users`, point to :guilabel:`New`, and then click :guilabel:`User`. You will see a user creation form.
   #. Fill in the fields in the form at your discretion. On the second tab, check the :guilabel:`Password never expires` checkbox.
   #. Click :guilabel:`Next`. Review the information that you provided, and if everything is correct, click :guilabel:`Finish`.
   #. Right-click the just created user account, and then navigate :guilabel:`Properties` -> :guilabel:`Member Of` -> :guilabel:`Add`.
   #. In the :guilabel:`Select Groups` dialog box, add the :guilabel:`Domain Administrators` and :guilabel:`Domain Users` groups to the list, and then click :guilabel:`OK`.
   #. Click :guilabel:`OK` to finish.

#. Register a Service Principal Name (SPN) for the service account that you created. To do so, open PowerShell as administrator and execute the following command, specifying your actual ``SERVICE USER NAME`` and domain:

   .. code::

      setspn -A HTTP/.testntl.local@TESTNTL.LOCAL

#. In the same PowerShell window, generate a keytab file by executing the command below with your actual ``SERVICE USER NAME``, domain, and desirable ``KEYTAB FILE NAME``.

   .. code::

      ktpass.exe -princ HTTP/.testntl.local@TESTNTL.LOCAL -mapuser -crypto ALL -ptype KRB5_NT_PRINCIPAL -pass * -out c:\.keytab

   To check the result, navigate to the root directory of the ``C`` drive. You will see a keytab file with the relevant name.

#. Move the keytab file that you created to the FindFace server.
#. Check the keytab file on the FindFace server. To do so, execute the following command on the console, specifying your actual ``SERVICE USER NAME``, domain, and ``KEYTAB FILE NAME``.

   .. code::

      kinit -5 -V -k -t .keytab HTTP/.testntl.local

   If everything is alright, you will see the message ``Authenticated to Kerberos v5``.

Rebuild NGINX on FindFace Server to Support Kerberos
--------------------------------------------------------------

To successfully establish a link between FindFace and Active Directory, you need to enable Kerberos support in NGINX installed on the FindFace principal server. It can be done by rebuilding NGINX with a third-party module ``spnego-http-auth-nginx-module``.

.. important::

   To download ``spnego-http-auth-nginx-module``, you will need Git.

Do the following:

#. Download the NGINX source code of the same version as in FindFace. It's currently ``nginx-1.14.0``, click `here `_ to download.
#. Unpack the downloaded archive.

   .. code::

      tar -xf nginx_1.14.0.orig.tar.gz

#. Browse to the resulting directory. Clone the ``spnego-http-auth-nginx-module`` module into it.

   .. code::

      git clone https://github.com/stnoonan/spnego-http-auth-nginx-module

#. Install an auxiliary package ``libkrb5-dev``, essential for the ``spnego-http-auth-nginx-module`` work.

   .. code::

      sudo apt-get install -y libkrb5-dev

#. Install the building toolset.

   .. code::

      sudo apt-get install build-essential

#. Install a set of packages, essential for NGINX rebuilding.

   .. code::

      sudo apt-get install libpcre3 libpcre3-dev openssl libssl-dev zlib1g zlib1g-dev libxslt-dev libgd-dev libgeoip-dev

#. On the console, execute the following command and copy somewhere the argument list that will appear in the output (everything that goes after ``configure arguments``).

   .. code::

      nginx -V

      nginx version: nginx/1.14.0 (Ubuntu)
      built with OpenSSL 1.1.1  11 Sep 2018
      TLS SNI support enabled
      configure arguments: --with-cc-opt='-g -O2 -fdebug-prefix-map=/build/nginx-KgqPmI/nginx-1.14.0=. -fstack-protector-strong -Wformat -Werror=format-security -fPIC -Wdate-time -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,-z,now -fPIC' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --modules-path=/usr/lib/nginx/modules --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-pcre-jit --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_v2_module --with-http_dav_module --with-http_slice_module --with-threads --with-http_addition_module --with-http_geoip_module=dynamic --with-http_gunzip_module --with-http_gzip_static_module --with-http_image_filter_module=dynamic --with-http_sub_module --with-http_xslt_module=dynamic --with-stream=dynamic --with-stream_ssl_module --with-mail=dynamic --with-mail_ssl_module

#. Add the ``spnego-http-auth-nginx-module`` module to the rebuilding components. To do so, reconfigure NGINX by invoking the ``configure`` utility with the ``--add-dynamic-module=spnego-http-auth-nginx-module`` option placed before the argument list.

   .. rubric:: Briefly:

   .. code::

      sudo ./configure --add-dynamic-module=spnego-http-auth-nginx-module 

   .. rubric:: Example:

   .. code::

      sudo ./configure --add-dynamic-module=spnego-http-auth-nginx-module --with-cc-opt='-g -O2 -fdebug-prefix-map=/build/nginx-KgqPmI/nginx-1.14.0=. -fstack-protector-strong -Wformat -Werror=format-security -fPIC -Wdate-time -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,-z,now -fPIC' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --modules-path=/usr/lib/nginx/modules --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-pcre-jit --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_v2_module --with-http_dav_module --with-http_slice_module --with-threads --with-http_addition_module --with-http_geoip_module=dynamic --with-http_gunzip_module --with-http_gzip_static_module --with-http_image_filter_module=dynamic --with-http_sub_module --with-http_xslt_module=dynamic --with-stream=dynamic --with-stream_ssl_module --with-mail=dynamic --with-mail_ssl_module

#. Wait until the NGINX reconfiguration is completed and initiate NGINX rebuilding by executing the following commands:

   .. code::

      sudo make
      sudo make install

   A new file ``/usr/lib/nginx/modules/ngx_http_auth_spnego_module.so`` will be created as a result.

#. In the ``/etc/nginx/modules-enabled/`` directory, create a new configuration file ``spnego-http-auth-nginx-module.conf`` with the string ``load_module '/usr/lib/nginx/modules/ngx_http_auth_spnego_module.so';`` inside.

   .. code::

      sudo vi spnego-http-auth-nginx-module.conf

      load_module '/usr/lib/nginx/modules/ngx_http_auth_spnego_module.so';

#. Restart NGINX.

   .. code::

      sudo systemctl reload nginx

#. Open the ``/etc/nginx/sites-available/ffsecurity-nginx.conf`` configuration file. Find the ``location /users/me/ad`` section and uncomment it. Fill in the section by analogy with the example below, placing your actual values in the strings marked with comments (``#``). The variables to specify are the following:

   * ``auth_gss_realm``: realm name in Kerberos
   * ``auth_gss_keytab``: location of the keytab file on the FindFace server
   * ``auth_gss_service_name``: full service user name in Active Directory, including the name of the domain it belongs to

   .. code::

      sudo vi /etc/nginx/sites-available/ffsecurity-nginx.conf

      location /users/me/ad {
          proxy_pass http://192.168.0.3/auth/ad_login/; # e.g http://127.0.0.1/auth/ad_login/;
          proxy_method POST;
          proxy_set_header   X-Real-IP $remote_addr;
          proxy_set_header   Host $http_host;
          proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
          proxy_set_header   Authorization $http_authorization;
          proxy_pass_header  Authorization;
          proxy_no_cache 1;
          proxy_cache_bypass 1;
          auth_gss on;
          auth_gss_realm TESTNTL.LOCAL; # Realm name in Kerberos;
          auth_gss_keytab /home/ubuntu/.keytab; # e.g. /var/lib/web.keytab
          auth_gss_service_name HTTP/.testntl.local; # e.g. HTTP/web.testntl.local;
          auth_gss_allow_basic_fallback on;
      }

#. Restart NGINX once again.

   .. code::

      sudo systemctl reload nginx

Finalize FindFace Configuration
---------------------------------

To finalize the FindFace integration with Active Directory, perform the following configuration steps on the FindFace side:

#. Open the ``/etc/findface-security/config.py`` configuration file.

   .. code::

      sudo vi /etc/findface-security/config.py

#. In the ``SERVICES`` section, set ``"active_directory": True``.

   .. code::

      SERVICES = {
          ...
              "active_directory": True,
          ...
          }
      }

#. Fill in the ``ACTIVE_DIRECTORY_CONFIG`` section as follows:

   * ``AUTH_LDAP_SERVER_URI``: ``ldap: ``
   * ``AUTH_LDAP_BIND_DN``: the name of the service user that you created in Active Directory
   * ``AUTH_LDAP_BIND_PASSWORD``: the service user password
   * ``SEARCH_GROUPS``: Active Directory organization units which FindFace will search for user accounts

   .. code::

      # Specify server credentials
      ACTIVE_DIRECTORY_CONFIG = {
          'AUTH_LDAP_SERVER_URI': 'ldap://192.168.0.5',
          # Domain Administrator user
          'AUTH_LDAP_BIND_DN': '',
          # Domain Administrator user password
          'AUTH_LDAP_BIND_PASSWORD': 'SERVICE USER NAME PASSWORD',
          # Specify organization units where users search will be executed.
          # Follow pattern (e.g. OU=DEV,DC=domain,DC=com)
          'SEARCH_GROUPS': 'OU=DEV,DC=testntl,DC=local',
      }

#. Restart the ``findface-security`` service.

   .. code::

      sudo systemctl restart findface-security.service

   .. note::

      Check the output. The list of services should feature the LDAP Server.

Manage FindFace Users via Active Directory
---------------------------------------------------------

If the FindFace integration with Active Directory is enabled, you will be able to set one of the Active Directory groups for a role you are creating or editing.

|ad_role_en|

.. |ad_role_en| image:: /_static/ad_role_en.png
   :scale: 60%

.. |ad_role_ru| image:: /_static/ad_role_ru.png
   :scale: 60%

Once a user from the selected Active Directory group logs in to FindFace for the first time, they will be automatically added to the FindFace user list.
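As an added, offline pre-flight check (not part of FindFace or its documentation), the following script re-validates what the Active Directory integration steps above ask you to enter: the realm in ``/etc/krb5.conf`` must be the domain name in upper case and carry a ``kdc``, the ``ACTIVE_DIRECTORY_CONFIG`` values must not be left at the example placeholders, and the keytab that ``auth_gss_keytab`` points to holds the HTTP service key and should not be world-readable. The function names, the finding texts and the ``ldap://`` clear-text warning are this example's own; the inputs are passed in as text, a dict and a file mode so it runs anywhere.

```python
import re
import stat

# One RDN of the SEARCH_GROUPS pattern the page gives (OU=DEV,DC=domain,DC=com).
RDN = re.compile(r"^(OU|CN|DC)=[^,]+$", re.IGNORECASE)


def realm_for_domain(domain: str) -> str:
    """The Kerberos realm is the AD domain name spelled in upper case."""
    return domain.strip().upper()


def parse_krb5_realms(text: str) -> dict:
    """Parse the [realms] section of krb5.conf into {REALM: {key: value}}."""
    realms, current, in_section = {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):            # new section header
            in_section = line == "[realms]"
            continue
        if not in_section or not line or line[0] in "#;":
            continue
        if line.endswith("{"):              # REALM = {
            current = line.split("=")[0].strip()
            realms[current] = {}
        elif line == "}":
            current = None
        elif current and "=" in line:       # kdc = ..., default_domain = ...
            key, value = (part.strip() for part in line.split("=", 1))
            realms[current][key] = value
    return realms


def check_integration(domain: str, krb5_text: str, ad_config: dict, keytab_mode: int) -> list:
    """Return findings as strings; an empty list means the settings look consistent."""
    findings = []
    realm = realm_for_domain(domain)
    realms = parse_krb5_realms(krb5_text)
    if realm not in realms:
        findings.append(f"realm {realm} missing from [realms] in krb5.conf")
    elif "kdc" not in realms[realm]:
        findings.append(f"realm {realm} has no kdc entry")
    if ad_config.get("AUTH_LDAP_SERVER_URI", "").startswith("ldap://"):
        findings.append("AUTH_LDAP_SERVER_URI is ldap://: the simple bind sends the service password in clear text")
    if not ad_config.get("AUTH_LDAP_BIND_DN"):
        findings.append("AUTH_LDAP_BIND_DN is empty")
    if ad_config.get("AUTH_LDAP_BIND_PASSWORD", "") in ("", "SERVICE USER NAME PASSWORD"):
        findings.append("AUTH_LDAP_BIND_PASSWORD still holds the placeholder from the example")
    groups = ad_config.get("SEARCH_GROUPS", "")
    if not groups or not all(RDN.match(rdn.strip()) for rdn in groups.split(",")):
        findings.append("SEARCH_GROUPS is not a DN like OU=DEV,DC=domain,DC=com")
    if keytab_mode & stat.S_IRWXO:          # the keytab holds the HTTP service key
        findings.append("keytab is world-readable; restrict it to the NGINX worker user")
    return findings
```

On a real server, pass ``open("/etc/krb5.conf").read()``, the ``ACTIVE_DIRECTORY_CONFIG`` dict from ``config.py`` and ``os.stat(keytab_path).st_mode``; the NGINX worker user still needs read access to the keytab, so restrict it by owner and group rather than removing all access.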
|ad_userlist_en|

.. |ad_userlist_en| image:: /_static/ad_userlist_en.png
   :scale: 60%

.. |ad_userlist_ru| image:: /_static/ad_userlist_ru.png
   :scale: 60%

To log in with Active Directory, a user must click the :guilabel:`Log in with Active Directory` button in the authentication window, specify their Active Directory credentials, and click :guilabel:`Sign in`.

|ad_login_en|

.. |ad_login_en| image:: /_static/ad_login_en.png
   :scale: 50%

.. |ad_login_ru| image:: /_static/ad_login_ru.png
   :scale: 50%

Deactivate or Delete Users
=========================================

To deactivate a user, unset :guilabel:`Active` on the user list (:menuselection:`Settings -> Users`). If you are going to deactivate multiple users, select them on the user list and then click :guilabel:`Deactivate selected`.

To delete users from FindFace, select them on the user list and then click :guilabel:`Delete selected`.