| <?xml version="1.0" encoding="UTF-8"?> |
| |
| <chapter xml:id="mysql-auth" xmlns="http://docbook.org/ns/docbook" version="5.0" xml:lang="en" |
| xmlns:xi="http://www.w3.org/2001/XInclude"> |
| <title>MySQL authentication</title> |
| <indexterm> |
| <primary>MySQL</primary> |
| </indexterm> |
| <indexterm> |
| <primary>load balancing</primary> |
| </indexterm> |
| <para>Guacamole supports MySQL authentication through an extension available from the project |
| website. This extension allows users and connections to be managed from within the web |
| application. Unlike the default, XML-driven authentication module, all changes to users and |
| connections take effect immediately; users need not logout and back in in order to see new |
| connections.</para> |
| <para>The official MySQL authentication also supports load balancing through the use of |
| "balancing groups". When a balancing group is created, it can be used like any other |
| connection, but will use the least used of its underlying connections, spreading load evenly |
| across any connections contained within.</para> |
| <section xml:id="installing-mysql-auth"> |
| <title>Installing MySQL authentication</title> |
| <para>The MySQL authentication module is not included in the main Guacamole bundle nor is it |
| enabled by default. You must use the download link provided in the downloads section of |
| the main Guacamole site.</para> |
| <para>The downloaded <filename>.tar.gz</filename> file will contain several |
| directories:</para> |
| <variablelist> |
| <varlistentry> |
| <term><filename>lib/</filename></term> |
| <listitem> |
| <para>Contains all <filename>.jar</filename> files required for the MySQL |
| authentication module to work, including the module itself. <emphasis>The |
| MySQL JDBC connector is not included.</emphasis></para> |
| </listitem> |
| </varlistentry> |
| <varlistentry> |
| <term><filename>schema/</filename></term> |
| <listitem> |
| <para>Contains all SQL scripts required to set up the MySQL database.</para> |
| </listitem> |
| </varlistentry> |
| </variablelist> |
| <para>The contents of <filename>lib/</filename> must be copied into the classpath of |
| Guacamole, which is the directory specified by the <property>lib-directory</property> |
| property in <filename>guacamole.properties</filename>. If this property is not |
| specified, simply add it. On Linux servers, |
| <filename>/var/lib/guacamole/classpath</filename> is a good choice, but it can be |
| whatever you like.</para> |
| <para>In addition to the files from <filename>lib/</filename>, you must also copy |
| <filename>.jar</filename> file from the MySQL "Connector-J" JDBC archive. The |
| archive containing this <filename>.jar</filename> can be downloaded from <link |
| xmlns:xlink="http://www.w3.org/1999/xlink" |
| xlink:href="http://dev.mysql.com/downloads/connector/j/">MySQL's |
| website</link>.</para> |
| <para>After copying the files in place, check to make sure everything looks sane. The |
| contents should match at least the files shown here:</para> |
| <informalexample> |
| <screen><prompt>$</prompt> ls <replaceable>/var/lib/guacamole/classpath</replaceable> |
| <computeroutput>aopalliance-1.0.jar javax.inject-1.jar |
| commons-logging-1.1.1.jar mybatis-3.1.1.jar |
| google-collections-1.0.jar mybatis-guice-3.2.jar |
| guacamole-auth-mysql-0.8.0.jar mysql-connector-java-5.1.23-bin.jar |
| guice-3.0.jar slf4j-api-1.6.1.jar |
| guice-multibindings-3.0.jar slf4j-jcl-1.6.1.jar</computeroutput> |
| <prompt>$</prompt></screen> |
| </informalexample> |
| <para>Each of the <filename>.jar</filename> files above is either the MySQL authentication |
| module itself (<filename>guacamole-auth-mysql-0.8.0.jar</filename>) or a dependency. |
| They must all be placed in Guacamole's lib-directory for the MySQL authentication to |
| work.</para> |
| <important> |
| <para>If you do not see <filename>mysql-connector-java-5.1.23-bin.jar</filename> (or a |
| similar file with a different version) present in the same directory as the other |
| <filename>.jar</filename> files, then you have not copied MySQL Connector-J |
| properly.</para> |
| <para>Be sure to download MySQL Connector-J from the <link |
| xmlns:xlink="http://www.w3.org/1999/xlink" |
| xlink:href="http://dev.mysql.com/downloads/connector/j/">MySQL website</link>. |
| Extract the downloaded archive, and copy the <filename>.jar</filename> file into the |
| same directory as shown above. <emphasis>If this is not done, MySQL authentication |
| will not work.</emphasis> Guacamole will be unable to connect to your MySQL |
| database.</para> |
| </important> |
| <section> |
| <title>Creating a database and user</title> |
| <indexterm> |
| <primary>default user</primary> |
| </indexterm> |
| <para>The MySQL authentication module will need a database to store all authentication |
| data and a user to use only for data access and manipulation. You could use an |
| existing database and existing user, but for the sake of simplicity and security, |
| these instructions assume you will be creating a new database and new user that will |
| be used only by Guacamole and only for this authentication module.</para> |
| <para>At this point, you need MySQL installed and the root MySQL user configured. If |
| this is not the case, install MySQL now. Most distributions will provide a |
| convenient MySQL package which will set up everything for you, including the root |
| user. After MySQL is installed, create the new database and user:</para> |
| <informalexample> |
| <screen><prompt>$</prompt> mysql -u root -p |
| <prompt>Enter password:</prompt> <userinput><replaceable>password</replaceable></userinput> |
| <computeroutput>Welcome to the MySQL monitor. Commands end with ; or \g. |
| Your MySQL connection id is 233 |
| Server version: 5.5.29-0ubuntu0.12.10.1 (Ubuntu) |
| |
| Copyright (c) 2000, 2012, Oracle and/or its affiliates. All rights reserved. |
| |
| Oracle is a registered trademark of Oracle Corporation and/or its |
| affiliates. Other names may be trademarks of their respective |
| owners. |
| |
| Type 'help;' or '\h' for help. Type '\c' to clear the current input statement. |
| </computeroutput> |
| <prompt>mysql></prompt> <userinput>CREATE DATABASE <replaceable>guacamole</replaceable>;</userinput> |
| <computeroutput>Query OK, 1 row affected (0.00 sec)</computeroutput> |
| |
| <prompt>mysql></prompt> <userinput>CREATE USER '<replaceable>guacamole'</replaceable>@'localhost' IDENTIFIED BY '<replaceable>some_password</replaceable>';</userinput> |
| <computeroutput>Query OK, 0 rows affected (0.00 sec)</computeroutput> |
| |
| <prompt>mysql></prompt> <userinput>GRANT SELECT,INSERT,UPDATE,DELETE ON <replaceable>guacamole</replaceable>.* TO '<replaceable>guacamole'</replaceable>@'localhost';</userinput> |
| <computeroutput>Query OK, 0 rows affected (0.00 sec)</computeroutput> |
| |
| <prompt>mysql></prompt> <userinput>FLUSH PRIVILEGES;</userinput> |
| <computeroutput>Query OK, 0 rows affected (0.02 sec)</computeroutput> |
| |
| <prompt>mysql></prompt> <userinput>quit</userinput> |
| <computeroutput>Bye</computeroutput> |
| <prompt>$</prompt></screen> |
| </informalexample> |
| <para>The database and user can be named whatever you like, but these instructions will |
| refer to both as "guacamole". Naturally, you should choose a real password for your |
| user rather than the string "some_password" shown above.</para> |
| </section> |
| <section> |
| <title>Running the SQL scripts</title> |
| <indexterm> |
| <primary>SQL scripts</primary> |
| </indexterm> |
| <para>The SQL scripts that create the database schema and default administrator user are |
| included in the archive you downloaded within the <filename>schema/</filename> |
| directory. They are named such that they can be run in order with one |
| command:</para> |
| <informalexample> |
| <screen><prompt>$</prompt> <userinput>ls schema/</userinput> |
| <computeroutput>001-create-schema.sql 002-create-admin-user.sql upgrade</computeroutput> |
| <prompt>$</prompt> <userinput>cat schema/*.sql | mysql -u root -p <replaceable>guacamole</replaceable></userinput> |
| <computeroutput><prompt>Enter password:</prompt></computeroutput> <userinput><replaceable>password</replaceable></userinput> |
| <prompt>$</prompt></screen> |
| </informalexample> |
| <para>If the operation is successful, all tables have been created successfully, and the |
| database is now ready for use. All that is left now is to configure Guacamole to use |
| the database we've created.</para> |
| <important> |
| <para>If you are upgrading from an older version that lacked support for connection |
| groups, you should instead run the upgrade script located within the |
| <filename>upgrade/</filename> directory:</para> |
| <informalexample> |
| <screen><prompt>$</prompt> <userinput>ls schema/upgrade/</userinput> |
| <computeroutput>upgrade-pre-0.8.2.sql</computeroutput> |
| <prompt>$</prompt> <userinput>mysql -u root -p <replaceable>guacamole</replaceable> < schema/upgrade/upgrade-pre-0.8.2.sql</userinput> |
| <computeroutput><prompt>Enter password:</prompt></computeroutput> <userinput><replaceable>password</replaceable></userinput> |
| <prompt>$</prompt></screen> |
| </informalexample> |
| </important> |
| </section> |
| <section> |
| <title>Configuring Guacamole</title> |
| <indexterm> |
| <primary>configuring MySQL</primary> |
| </indexterm> |
| <para>Now that the database and user is created, and the SQL scripts have been run, we |
| need to add a few properties to <filename>guacamole.properties</filename> such that |
| Guacamole can connect to MySQL when authenticating users:</para> |
| <informalexample> |
| <programlisting># Auth provider class |
| auth-provider: net.sourceforge.guacamole.net.auth.mysql.MySQLAuthenticationProvider |
| |
| # MySQL properties |
| mysql-hostname: localhost |
| mysql-port: 3306 |
| mysql-database: <replaceable>guacamole</replaceable> |
| mysql-username: <replaceable>guacamole</replaceable> |
| mysql-password: <replaceable>some_password</replaceable></programlisting> |
| </informalexample> |
| <indexterm> |
| <primary>concurrent use</primary> |
| </indexterm> |
| <para>Be sure to specify the correct password for the MySQL user you created, and |
| specify the correct database and username if you didn't use "guacamole". If you wish |
| to only allow one user at a time to access any single connection, you can also limit |
| concurrent access to connections:</para> |
| <informalexample> |
| <programlisting>mysql-disallow-simultaneous-connections: true</programlisting> |
| </informalexample> |
| <para>This is not required, but with the above property in place, users attempting to |
| use a connection that is currently in use by another user will be denied access. By |
| default, concurrent access is allowed.</para> |
| <para>You can also limit whether a single user is allowed to connect to the same |
| connection or group concurrently. By default, this is enabled, as it has security |
| implications when balancing groups are used, but you can explicitly disable this if |
| you want to allow duplicate connections:</para> |
| <informalexample> |
| <programlisting>mysql-disallow-duplicate-connections: false</programlisting> |
| </informalexample> |
| <para>Now just restart Tomcat (or whatever servlet container you are using) and |
| authentication will use MySQL.</para> |
| </section> |
| <section> |
| <title>Logging in</title> |
| <indexterm> |
| <primary>default user</primary> |
| </indexterm> |
| <indexterm> |
| <primary>guacadmin</primary> |
| </indexterm> |
| <para>After the MySQL authentication module is installed, you need to log in and change |
| your password, and add whatever connections and additional users you need.</para> |
| <para>The default user is "<token>guacadmin</token>", with the default password of |
| "<token>guacadmin</token>". You can change your password by editing your own |
| user in the administration screen.</para> |
| <para>More detailed instructions for managing users and connections is given in <xref |
| linkend="using-guacamole"/> in <xref linkend="guacamole-admin-ui"/>.</para> |
| </section> |
| </section> |
| <section xml:id="mysql-auth-schema"> |
| <title>Modifying data manually</title> |
| <indexterm> |
| <primary>schema</primary> |
| </indexterm> |
| <para>If necessary, it is possible to modify the data backing the MySQL authentication |
| module manually by executing SQL statements against the database. In general use, this |
| will not be common, but if you need to bulk-insert a large number of users or |
| connections, or you wish to translate an existing configuration automatically, you will |
| need to know how everything is laid out at a high level.</para> |
| <para>This section assumes knowledge of SQL and MySQL, and that whatever you need to do can |
| be accomplished if only you had high-level information about Guacamole's SQL |
| schema.</para> |
| <section> |
| <title>Users</title> |
| <indexterm> |
| <primary><classname>guacamole_user</classname></primary> |
| </indexterm> |
| <para>Every user has a corresponding entry in the <classname>guacamole_user</classname> |
| table. Each user has a corresponding unique username and salted password. The salted |
| password is split into two columns: one containing the salt, and the other |
| containing the password hashed with SHA-256.</para> |
| <para>The <classname>guacamole_user</classname> table contains the following |
| columns:</para> |
| <variablelist> |
| <varlistentry> |
| <term><property>user_id</property></term> |
| <listitem> |
| <para>The unique integer associated with each user. This value is generated |
| automatically when a new entry is inserted into the |
| <classname>guacamole_user</classname> table.</para> |
| </listitem> |
| </varlistentry> |
| <varlistentry> |
| <term><property>username</property></term> |
| <listitem> |
| <para>The unique name associated with each user. This value must be |
| specified manually, and must be different from any existing username in |
| the table. References to users in other tables use the value from |
| <property>user_id</property>, not |
| <property>username</property>.</para> |
| </listitem> |
| </varlistentry> |
| <varlistentry> |
| <term><property>password_hash</property></term> |
| <listitem> |
| <para>The result of hashing the user's password concatenated with the |
| contents of <property>password_salt</property> using SHA-256. The salt |
| is appended to the password prior to hashing.</para> |
| </listitem> |
| </varlistentry> |
| <varlistentry> |
| <term><property>password_salt</property></term> |
| <listitem> |
| <para>A 32-byte random value. When a new user is created from the web |
| interface, this value is randomly generated using a |
| cryptographically-secure random number generator.</para> |
| </listitem> |
| </varlistentry> |
| </variablelist> |
| <para>If creating a user manually, the main complication is the salt, which must be |
| determined before the <command>INSERT</command> statement can be constructed, but |
| this can be dealt with using variables:</para> |
| <informalexample> |
| <programlisting>-- Generate salt |
| SET @salt = UNHEX(SHA2(UUID(), 256)); |
| |
| -- Create user and hash password with salt |
| INSERT INTO guacamole_user (username, password_salt, password_hash) |
| VALUES ('myuser', @salt, UNHEX(SHA2(CONCAT('mypassword', HEX(@salt)), 256)));</programlisting> |
| </informalexample> |
| <para>This sort of statement is useful for both creating new users or for changing |
| passwords, especially if all administrators have forgotten theirs.</para> |
| <para>Note that versions of MySQL earlier than 5.5.5 do not have the |
| <methodname>SHA2</methodname> function. If you are using one of these versions, |
| you will need to calculate the SHA-256 value manually (by using the |
| <command>sha256sum</command> command, for example).</para> |
| </section> |
| <section> |
| <title>Connections and parameters</title> |
| <indexterm> |
| <primary><classname>guacamole_connection</classname></primary> |
| </indexterm> |
| <indexterm> |
| <primary><classname>guacamole_connection_parameter</classname></primary> |
| </indexterm> |
| <para>Each connection has an entry in the <classname>guacamole_connection</classname> |
| table, with a one-to-many relationship to parameters, stored as name/value pairs in |
| the <classname>guacamole_connection_parameter</classname> table.</para> |
| <para>The <classname>guacamole_connection</classname> table is simply a pairing of a |
| unique and descriptive name with the protocol to be used for the connection. It |
| contains the following columns:</para> |
| <variablelist> |
| <varlistentry> |
| <term><property>connection_id</property></term> |
| <listitem> |
| <para>The unique integer associated with each connection. This value is |
| generated automatically when a new entry is inserted into the |
| <classname>guacamole_connection</classname> table.</para> |
| </listitem> |
| </varlistentry> |
| <varlistentry> |
| <term><property>connection_name</property></term> |
| <listitem> |
| <para>The unique name associated with each connection. This value must be |
| specified manually, and must be different from any existing connection |
| name in the same connection group. References to connections in other |
| tables use the value from <property>connection_id</property>, not |
| <property>connection_name</property>.</para> |
| </listitem> |
| </varlistentry> |
| <varlistentry> |
| <term><property>protocol</property></term> |
| <listitem> |
| <para>The protocol to use with this connection. This is the name of the |
| protocol that should be sent to guacd when connecting, for example "vnc" |
| or "rdp".</para> |
| </listitem> |
| </varlistentry> |
| <varlistentry> |
| <term><property>parent_id</property></term> |
| <listitem> |
| <para>The unique integer associated with the connection group containing |
| this connection, or <constant>NULL</constant> if this connection is |
| within the root group.</para> |
| </listitem> |
| </varlistentry> |
| </variablelist> |
| <para>As there are potentially multiple parameters per connection, where the names of |
| each parameter are completely arbitrary and determined only by the protocol in use, |
| every parameter for a given connection has an entry in table |
| <classname>guacamole_connection_parameter</classname> table associated with its |
| corresponding connection. This table contains the following columns:</para> |
| <variablelist> |
| <varlistentry> |
| <term><property>connection_id</property></term> |
| <listitem> |
| <para>The <property>connection_id</property> value from the connection this |
| parameter is for.</para> |
| </listitem> |
| </varlistentry> |
| <varlistentry> |
| <term><property>parameter_name</property></term> |
| <listitem> |
| <para>The name of the parameter to set. This is the name listed in the |
| documentation for the protocol specified in the associated |
| connection.</para> |
| </listitem> |
| </varlistentry> |
| <varlistentry> |
| <term><property>parameter_value</property></term> |
| <listitem> |
| <para>The value to assign to the parameter named. While this value is an |
| arbitrary string, it must conform to the requirements of the protocol as |
| documented for the connection to be successful.</para> |
| </listitem> |
| </varlistentry> |
| </variablelist> |
| <para>Adding a connection and corresponding parameters is relatively easy compared to |
| adding a user as there is no salt to generate nor password to hash:</para> |
| <informalexample> |
| <programlisting>-- Create connection |
| INSERT INTO guacamole_connection (connection_name, protocol) VALUES ('<replaceable>test</replaceable>', '<replaceable>vnc</replaceable>'); |
| SET @id = LAST_INSERT_ID(); |
| |
| -- Add parameters |
| INSERT INTO guacamole_connection_parameter VALUES (@id, 'hostname', '<replaceable>localhost</replaceable>'); |
| INSERT INTO guacamole_connection_parameter VALUES (@id, 'port', '<replaceable>5901</replaceable>');</programlisting> |
| </informalexample> |
| <section> |
| <title>Usage history</title> |
| <indexterm> |
| <primary><classname>guacamole_connection_history</classname></primary> |
| </indexterm> |
| <para>When a connection is initiated or terminated, a corresponding entry in the |
| <classname>guacamole_connection_history</classname> table is created or |
| updated respectively. Each entry is associated with the user using the |
| connection, the connection itself, and the time the connection started. If the |
| connection has ended, the end time is also stored.</para> |
| <para>It is very unlikely that a user will need to update this table, but knowing |
| the structure is potentially useful if you wish to generate a report of |
| Guacamole usage. The <classname>guacamole_connection_history</classname> table |
| has the following columns:</para> |
| <variablelist> |
| <varlistentry> |
| <term><property>history_id</property></term> |
| <listitem> |
| <para>The unique integer associated with each history record. This value |
| is generated automatically when a new entry is inserted into the |
| <classname>guacamole_connection_history</classname> |
| table.</para> |
| </listitem> |
| </varlistentry> |
| <varlistentry> |
| <term><property>user_id</property></term> |
| <listitem> |
| <para>The value of the <property>user_id</property> from the entry in |
| <classname>guacamole_user</classname> associated with the user |
| using the connection.</para> |
| </listitem> |
| </varlistentry> |
| <varlistentry> |
| <term><property>connection_id</property></term> |
| <listitem> |
| <para>The value of the <property>connection_id</property> from the entry |
| in <classname>guacamole_connection</classname> associated the |
| connection being used.</para> |
| </listitem> |
| </varlistentry> |
| <varlistentry> |
| <term><property>start_date</property></term> |
| <listitem> |
| <para>The time at which the connection was started by the user |
| specified. Despite its name, this column also stores time |
| information in addition to the date.</para> |
| </listitem> |
| </varlistentry> |
| <varlistentry> |
| <term><property>end_date</property></term> |
| <listitem> |
| <para>The time at which the connection ended. If the connection is still |
| active, the value in this column will be <constant>NULL</constant>. |
| Despite its name, this column also stores time information in |
| addition to the date.</para> |
| </listitem> |
| </varlistentry> |
| </variablelist> |
| </section> |
| </section> |
| <section> |
| <title>Connections groups</title> |
| <indexterm> |
| <primary><classname>guacamole_connection_group</classname></primary> |
| </indexterm> |
| <para>Each connection group has an entry in the |
| <classname>guacamole_connection_group</classname> table, with a one-to-many |
| relationship to other groups and connections.</para> |
| <para>The <classname>guacamole_connection_group</classname> table is simply a pairing of |
| a unique and descriptive name with a group type, which can be either |
| <type>ORGANIZATIONAL</type> or <type>BALANCING</type>. It contains the following |
| columns:</para> |
| <variablelist> |
| <varlistentry> |
| <term><property>connection_group_id</property></term> |
| <listitem> |
| <para>The unique integer associated with each connection group. This value |
| is generated automatically when a new entry is inserted into the |
| <classname>guacamole_connection_group</classname> table.</para> |
| </listitem> |
| </varlistentry> |
| <varlistentry> |
| <term><property>connection_group_name</property></term> |
| <listitem> |
| <para>The unique name associated with each connection group. This value must |
| be specified manually, and must be different from any existing |
| connection group name in the same connection group. References to |
| connections in other tables use the value from |
| <property>connection_group_id</property>, not |
| <property>connection_group_name</property>.</para> |
| </listitem> |
| </varlistentry> |
| <varlistentry> |
| <term><property>type</property></term> |
| <listitem> |
| <para>The type of this connection group. This can be either |
| <type>ORGANIZATIONAL</type> or <type>BALANCING</type>.</para> |
| </listitem> |
| </varlistentry> |
| <varlistentry> |
| <term><property>parent_id</property></term> |
| <listitem> |
| <para>The unique integer associated with the connection group containing |
| this connection group, or <constant>NULL</constant> if this connection |
| group is within the root group.</para> |
| </listitem> |
| </varlistentry> |
| </variablelist> |
| <para>Adding a connection group is even simpler than adding a new connection as there |
| are no associated parameters stored in a separate table:</para> |
| <informalexample> |
| <programlisting>-- Create connection group |
| INSERT INTO guacamole_connection_group (connection_group_name, type) VALUES ('<replaceable>test</replaceable>', '<replaceable>ORGANIZATIONAL</replaceable>');</programlisting> |
| </informalexample> |
| </section> |
| <section> |
| <title>Permissions</title> |
| <para>There are three permissions tables in the schema which correspond to the three |
| types of permissions in Guacamole's authentication model: system permissions, which |
| control operations that affect the system as a whole, and user and connection |
| permissions, which control operations that affect specific, existing users or |
| connections respectively.</para> |
| <section> |
| <title>System permissions</title> |
| <indexterm> |
| <primary><classname>guacamole_system_permission</classname></primary> |
| </indexterm> |
| <para>System permissions are defined by entries in the |
| <classname>guacamole_system_permission</classname> table. Each entry grants |
| permission for a specific user to perform a specific system operation.</para> |
| <para>The <classname>guacamole_system_permission</classname> table contains the |
| following columns:</para> |
| <variablelist> |
| <varlistentry> |
| <term><property>user_id</property></term> |
| <listitem> |
| <para>The value of the <property>user_id</property> column of the entry |
| associated with the user owning this permission.</para> |
| </listitem> |
| </varlistentry> |
| <varlistentry> |
| <term><property>permission</property></term> |
| <listitem> |
| <para>The permission being granted. This column can have one of three |
| possible values: <constant>ADMINISTER</constant>, which grants the |
| ability to administer the entire system (essentially a wildcard |
| permission), <constant>CREATE_CONNECTION</constant>, which grants |
| the ability to create connections, |
| <constant>CREATE_CONNECTION_GROUP</constant>, which grants the |
| ability to create connections groups, or |
| <constant>CREATE_USER</constant>, which grants the ability to |
| create users.</para> |
| </listitem> |
| </varlistentry> |
| </variablelist> |
| </section> |
| <section> |
| <title>User permissions</title> |
| <indexterm> |
| <primary><classname>guacamole_user_permission</classname></primary> |
| </indexterm> |
| <para>User permissions are defined by entries in the |
| <classname>guacamole_user_permission</classname> table. Each entry grants |
| permission for a specific user to perform a specific operation on another |
| existing user.</para> |
| <para>The <classname>guacamole_user_permission</classname> table contains the |
| following columns:</para> |
| <variablelist> |
| <varlistentry> |
| <term><property>user_id</property></term> |
| <listitem> |
| <para>The value of the <property>user_id</property> column of the entry |
| associated with the user owning this permission.</para> |
| </listitem> |
| </varlistentry> |
| <varlistentry> |
| <term><property>affected_user_id</property></term> |
| <listitem> |
| <para>The value of the <property>user_id</property> column of the entry |
| associated with the user <emphasis>affected</emphasis> by this |
| permission. This is the user that would be the object of the |
| operation represented by this permission.</para> |
| </listitem> |
| </varlistentry> |
| <varlistentry> |
| <term><property>permission</property></term> |
| <listitem> |
| <para>The permission being granted. This column can have one of four |
| possible values: <constant>ADMINISTER</constant>, which grants the |
| ability to add or remove permissions which affect the user, |
| <constant>READ</constant>, which grants the ability to read data |
| associated with the user, <constant>UPDATE</constant>, which grants |
| the ability to update data associated with the user, or |
| <constant>DELETE</constant>, which grants the ability to delete |
| the user.</para> |
| </listitem> |
| </varlistentry> |
| </variablelist> |
| </section> |
| <section> |
| <title>Connection permissions</title> |
| <indexterm> |
| <primary><classname>guacamole_connection_permission</classname></primary> |
| </indexterm> |
| <para>Connection permissions are defined by entries in the |
| <classname>guacamole_connection_permission</classname> table. Each entry |
| grants permission for a specific user to perform a specific operation on an |
| existing connection.</para> |
| <para>The <classname>guacamole_connection_permission</classname> table contains the |
| following columns:</para> |
| <variablelist> |
| <varlistentry> |
| <term><property>user_id</property></term> |
| <listitem> |
| <para>The value of the <property>user_id</property> column of the entry |
| associated with the user owning this permission.</para> |
| </listitem> |
| </varlistentry> |
| <varlistentry> |
| <term><property>connection_id</property></term> |
| <listitem> |
| <para>The value of the <property>connection_id</property> column of the |
| entry associated with the connection affected by this permission. |
| This is the connection that would be the object of the operation |
| represented by this permission.</para> |
| </listitem> |
| </varlistentry> |
| <varlistentry> |
| <term><property>permission</property></term> |
| <listitem> |
| <para>The permission being granted. This column can have one of four |
| possible values: <constant>ADMINISTER</constant>, which grants the |
| ability to add or remove permissions which affect the connection, |
| <constant>READ</constant>, which grants the ability to read data |
| associated with the connection (a prerequisite for connecting), |
| <constant>UPDATE</constant>, which grants the ability to update |
| data associated with the connection, or <constant>DELETE</constant>, |
| which grants the ability to delete the connection.</para> |
| </listitem> |
| </varlistentry> |
| </variablelist> |
| </section> |
| <section> |
| <title>Connection group permissions</title> |
| <indexterm> |
| <primary><classname>guacamole_connection_group_permission</classname></primary> |
| </indexterm> |
| <para>Connection group permissions are defined by entries in the |
| <classname>guacamole_connection_group_permission</classname> table. Each |
| entry grants permission for a specific user to perform a specific operation on |
| an existing connection group.</para> |
| <para>The <classname>guacamole_connection_group_permission</classname> table |
| contains the following columns:</para> |
| <variablelist> |
| <varlistentry> |
| <term><property>user_id</property></term> |
| <listitem> |
| <para>The value of the <property>user_id</property> column of the entry |
| associated with the user owning this permission.</para> |
| </listitem> |
| </varlistentry> |
| <varlistentry> |
| <term><property>connection_group_id</property></term> |
| <listitem> |
| <para>The value of the <property>connection_group_id</property> column |
| of the entry associated with the connection group affected by this |
| permission. This is the connection group that would be the object of |
| the operation represented by this permission.</para> |
| </listitem> |
| </varlistentry> |
| <varlistentry> |
| <term><property>permission</property></term> |
| <listitem> |
| <para>The permission being granted. This column can have one of four |
| possible values: <constant>ADMINISTER</constant>, which grants the |
| ability to add or remove permissions which affect the connection |
| group, <constant>READ</constant>, which grants the ability to read |
| data associated with the connection group, |
| <constant>UPDATE</constant>, which grants the ability to update |
| data associated with the connection group, or |
| <constant>DELETE</constant>, which grants the ability to delete |
| the connection group (and implicitly its contents).</para> |
| </listitem> |
| </varlistentry> |
| </variablelist> |
| </section> |
| </section> |
| </section> |
| </chapter> |