Users in GRR¶
GRR has a concept of users of the system. The GUI supports authentication and this verfication of user identity is used in all auditing functions (so for example GRR can properly record which user accessed which client, and who executed flows on clients).
A GRR user may be marked as “admin”. This is only important if the approval-based workflow is turned on, since only “admin” users can approve hunts.
To add the user joe as an admin:
db@host:~$ sudo grr_config_updater add_user joe Using configuration <ConfigFileParser filename="/etc/grr/grr-server.conf"> Please enter password for user 'joe': Updating user joe Username: joe Labels: Password: set
To list all users:
db@host:~$ sudo grr_config_updater show_user Using configuration <ConfigFileParser filename="/etc/grr/grr-server.conf"> Username: test Labels: Password: set Username: admin Labels: admin Password: set
To update a user (useful for setting labels or for changing passwords):
db@host:~$ sudo grr_config_updater update_user joe --add_labels admin,user Using configuration <ConfigFileParser filename="/etc/grr/grr-server.conf"> Updating user joe Username: joe Labels: admin,user Password: set
The AdminUI uses HTTP Basic Auth authentication by default, based on the passwords within the user objects stored in the data store, but we don’t expect you to use this in production (see Securing Access for more details).
There is so much diversity and customization in enterprise
authentication schemes that there isn’t a good way to provide a solution that
works for a majority of users. Large enterprises most likely already have internal webapps
that use authentication, this is just one more. Most people have found the
easiest approach is to sit Apache (or similar) in front of the GRR Admin UI as
a reverse proxy and use an existing SSO plugin that already works for that
platform. Alternatively, with more work you can handle auth inside GRR by
writing a Webauth Manager (
AdminUI.webauth_manager config option) that uses an
SSO or SAML based authentication mechanism.