[hobbit] Securing hobbit

[Henrik Stoerner]

On Mon, Oct 01, 2007 at 09:41:36AM -0500, Aaron Kincaid wrote:
> Hi, we have been setting up hobbit for our company over the last couple
> of weeks and it is a brilliant product!  We were originally planning on
> allowing anyone within the company to see the pages, but now we have
> been asked to limit access to each department head and the department
> heads can only see the results for equipment in their department.  We
> have divided the bb-hosts file up using the PAGE function, but wanted to
> know if there is a way to explicitly allow one or two people to see the
> page for a specific department.  
> 
> We also want to publish the site and use authentication to get to it,
> what is the best way to meet both these goals?

Hobbit doesn't have any access controls built-in, so you need to
configure this through your webservers' access control mechanism.
These usually make it relatively straight-forward to secure access
to certain directories to a limited group of users. In Apache,
you'd put something like this in your config:

AuthType Basic
AuthName "Hobbit"
AuthUserfile "/etc/hobbit/users"
AuthGroupfile "/etc/hobbit/groups"

Alias /hobbit/  "/var/lib/hobbit/www/"
<Directory "/var/lib/hobbit/www">
    Options Indexes FollowSymLinks Includes MultiViews
    Order allow,deny
    Allow from all
    Require group admins
</Directory>

<Directory "/var/lib/hobbit/www/dept1/">
    Require group admins dept1users
</Directory>


Note that you can also use .htaccess files to control this.

Then use the htpasswd utility to create users, and add users
to the "/etc/hobbit/group" file like

  dept1users: john mick
  admins: aaron


Regards,
Henrik