dohertj2/lmxopcua
1
0
Fork 0
Code Issues 2 Pull Requests 1 Actions Packages Projects Releases Wiki Activity
Files
c0ce5d02bd448c51bdfc7368e6ad68dcb9ef27a9
lmxopcua/src/Server/ZB.MOM.WW.OtOpcUa.AdminUI/Components/Pages/RoleGrants.razor
T
Joseph Doherty 74161f9460
v2-ci / unit-tests (tests/Core/ZB.MOM.WW.OtOpcUa.Cluster.Tests) (push) Has been cancelled
Details
v2-ci / unit-tests (tests/Server/ZB.MOM.WW.OtOpcUa.ControlPlane.Tests) (push) Has been cancelled
Details
v2-ci / unit-tests (tests/Server/ZB.MOM.WW.OtOpcUa.OpcUaServer.Tests) (push) Has been cancelled
Details
v2-ci / unit-tests (tests/Server/ZB.MOM.WW.OtOpcUa.Runtime.Tests) (push) Has been cancelled
Details
v2-ci / unit-tests (tests/Server/ZB.MOM.WW.OtOpcUa.Security.Tests) (push) Has been cancelled
Details
v2-ci / integration (push) Has been cancelled
Details
v2-ci / build (push) Has been cancelled
Details
feat(adminui): F15 Phase D — logic + ops pages 
- ClusterAudit (/clusters/{id}/audit) — reads ConfigAuditLog with the
  EventId/CorrelationId columns added in F3; shown as a Cluster tab
- VirtualTags (/virtual-tags)            — fleet-wide read view
- ScriptedAlarms (/scripted-alarms)      — fleet-wide read view
- Scripts (/scripts)                     — fleet-wide; expandable code preview
- RoleGrants (/role-grants)              — per Q4, surfaces the fleet-wide
                                           LDAP-group → role mapping from
                                           Authentication:Ldap:GroupToRole
                                           (read-only; reload via host restart)
- Certificates (/certificates)           — own/trusted/issuer/rejected store
                                           contents resolved against
                                           OpcUa:PkiStoreRoot config (F13a)
- Reservations (/reservations)           — ExternalIdReservation table
- AlarmsHistorian (/alarms-historian)    — live HistorianAdapterActor sink
                                           status via the F11 GetStatus query;
                                           5s polling

ScriptLog deferred (needs the F16-deferred ScriptLogHub bridge).
ClusterNav extended with the Audit tab.

Adds an AdminUI → Runtime project reference so the historian status page can
inject IRequiredActor<HistorianAdapterActorKey>. NuGet audit suppression for
the transitive Opc.Ua.Core advisory mirrored from the Runtime project.

All 104 v2 tests still green.
2026-05-26 08:01:23 -04:00

82 lines
3.5 KiB
Plaintext
Raw Blame History

@page "/role-grants"
@* Per Q4 of the AdminUI rebuild plan, v2 replaced v1's per-cluster RoleGrants table with a
fleet-wide LDAP-group → role map. This page surfaces the mapping read-only; the source of
truth is Authentication:Ldap:GroupToRole in appsettings (editable on the host filesystem, not
from the UI yet). *@
@attribute [Microsoft.AspNetCore.Authorization.Authorize]
@rendermode RenderMode.InteractiveServer
@using Microsoft.Extensions.Options
@using ZB.MOM.WW.OtOpcUa.Security.Ldap
@inject IOptionsSnapshot<LdapOptions> Ldap
<div class="d-flex justify-content-between align-items-center mb-3">
<h4 class="mb-0">Role grants</h4>
</div>
<section class="panel notice rise" style="animation-delay:.02s">
LDAP group membership determines fleet roles. Edit the mapping in
<span class="mono">appsettings.json</span> under <span class="mono">Authentication:Ldap:GroupToRole</span>
and restart the admin node (or sign out + back in for cached claims to refresh). UI-driven
editing of the mapping is deferred — it implies a config-reload mechanism that doesn't exist
yet.
</section>
@if (_options is null)
{
<p>Loading…</p>
}
else
{
<section class="card-grid rise mt-3" style="animation-delay:.08s">
<div class="metric-card">
<div class="panel-head">LDAP binding</div>
<div class="kv"><span class="k">Enabled</span><span class="v">@(_options.Enabled ? "yes" : "no")</span></div>
<div class="kv"><span class="k">Server</span><span class="v mono">@_options.Server:@_options.Port</span></div>
<div class="kv"><span class="k">UseTls</span><span class="v">@_options.UseTls</span></div>
<div class="kv"><span class="k">SearchBase</span><span class="v mono small">@_options.SearchBase</span></div>
@if (!_options.UseTls && _options.AllowInsecureLdap)
{
<div class="kv"><span class="k">Warning</span><span class="v"><span class="chip chip-alert">Plaintext credentials over LDAP — dev mode only</span></span></div>
}
</div>
</section>
<section class="panel rise mt-3" style="animation-delay:.14s">
<div class="panel-head">Group → role mapping (@(_options.GroupToRole?.Count ?? 0))</div>
@if (_options.GroupToRole is null || _options.GroupToRole.Count == 0)
{
<div style="padding:1rem" class="text-muted">
No mapping configured. Every authenticated user lands with zero roles —
the fallback authorization policy will refuse every request. Add a
<span class="mono">GroupToRole</span> entry before deploying.
</div>
}
else
{
<div class="table-wrap">
<table class="data-table">
<thead><tr><th>LDAP group</th><th>Resolved role</th></tr></thead>
<tbody>
@foreach (var kvp in _options.GroupToRole.OrderBy(k => k.Key, StringComparer.OrdinalIgnoreCase))
{
<tr>
<td><span class="mono">@kvp.Key</span></td>
<td><span class="chip chip-idle">@kvp.Value</span></td>
</tr>
}
</tbody>
</table>
</div>
}
</section>
}
@code {
private LdapOptions? _options;
protected override void OnInitialized()
{
_options = Ldap.Value;
}
}
Reference in New Issue View Git Blame Copy Permalink