Description
Unauthenticated public access to the server should be disabled in production deployments. It was intentionally made inconvenient to enable in order to prevent security issues. Basic anonymous access is enabled by setting authentication/allow_anonymous_access in the config file, but the default permissions only allow reading the status of the server, which is generally safe. Since there is some interest in running the server without authentication in local test environments, the documentation should include instructions on how to do it. The following config file allows anonymous access and adds all API scopes to the unauthenticated_public group. This allows unauthenticated access to the whole API. Remove scopes from the list to block access to the respective API.
The example also shows how to specify the control and info addresses (0MQ sockets) of RE Manager.
```yaml
qserver_zmq_configuration:
  control_address: tcp://localhost:60615
  info_address: tcp://localhost:60625
authentication:
  allow_anonymous_access: True
api_access:
  policy: bluesky_httpserver.authorization:BasicAPIAccessControl
  args:
    roles:
      unauthenticated_public:
        scopes_add:
          - read:status
          - read:queue
          - read:history
          - read:resources
          - read:config
          - read:monitor
          - read:console
          - read:lock
          - read:testing
          - write:queue:edit
          - write:queue:control
          - write:manager:control
          - write:plan:control
          - write:execute
          - write:history:edit
          - write:permissions
          - write:scripts
          - write:config
          - write:lock
          - write:manager:stop
          - write:testing
          - user:apikeys
          - admin:apikeys
          - admin:read:principals
          - admin:metrics
```
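Because a config like this must never reach production, a small audit that flags anonymous access and any scope beyond read:status granted to unauthenticated_public is useful in CI. This is an added example, not code from the issue or from bluesky-httpserver; the config is embedded as a Python dict mirroring the YAML above (constructed so it runs offline; with PyYAML, yaml.safe_load on the file yields the same structure), and treating only read:status as safe for anonymous users follows the default described in the issue.

```python
"""Audit a bluesky-httpserver config for anonymous-access exposure (added example)."""

# Assumption from the issue text: the default anonymous permission is read:status only.
SAFE_ANONYMOUS_SCOPES = {"read:status"}


def anonymous_scopes(config: dict) -> list[str]:
    """Scopes added to unauthenticated_public, or [] if none are configured."""
    roles = config.get("api_access", {}).get("args", {}).get("roles", {})
    return list(roles.get("unauthenticated_public", {}).get("scopes_add", []))


def audit_anonymous_access(config: dict) -> list[str]:
    """Return human-readable findings; an empty list means nothing risky."""
    findings = []
    if not config.get("authentication", {}).get("allow_anonymous_access", False):
        return findings  # anonymous access off: scopes_add is unreachable anyway
    findings.append("anonymous access enabled")
    for scope in anonymous_scopes(config):
        if scope in SAFE_ANONYMOUS_SCOPES:
            continue
        # write:*, admin:* and user:* scopes let anonymous clients change state
        # or manage credentials; other read:* scopes leak data but not control.
        severity = "high" if scope.split(":")[0] in ("write", "admin", "user") else "medium"
        findings.append(f"{severity}: {scope} granted to unauthenticated_public")
    return findings


# Constructed: an abbreviated form of the local-test config from the issue.
LOCAL_TEST_CONFIG = {
    "authentication": {"allow_anonymous_access": True},
    "api_access": {
        "policy": "bluesky_httpserver.authorization:BasicAPIAccessControl",
        "args": {"roles": {"unauthenticated_public": {"scopes_add": [
            "read:status", "read:queue", "write:queue:edit",
            "write:execute", "admin:apikeys"]}}},
    },
}

# Constructed: what a production config should look like.
PRODUCTION_CONFIG = {"authentication": {"allow_anonymous_access": False}}

if __name__ == "__main__":
    for name, cfg in (("local-test", LOCAL_TEST_CONFIG), ("production", PRODUCTION_CONFIG)):
        print(name, audit_anonymous_access(cfg) or ["ok"])
```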