Variable Environment Management_User usage


#1

I am in need of adding a management user and password similar to what is discussed in the write up “Deploy a digital signage application with Screenly OSE and resin.io”.
Where it says “It is also recommended that you enable authentication as mentioned above to further improve security. You can do this either on a per-device basis (“Device Configuration”), or fleet-wide (“Fleet Configuration”). You just need to create two different keys:
MANAGEMENT_USER
MANAGEMENT_PASSWORD
Do note, however, that the password is in plain text, so anyone with access to your resin.io account is able to see the credentials. Also, this will overwrite your authentication settings in screenly.conf, so you need to either put them by hand in the file or use this approach.” Under the “Security considerations with Screenly OSE”.
I’m trying to figure out which variable or prefix I need to add to the “Management_User” in the device configuration tab. Is is something like [Resin_xxxx_management_user] then of course the name of user. Just not clear on how to go about adding this. Want to make it more secure along with the pi’s being on a different vlan in our current network.


#4

@tbctech so it looks like the issue you’re running into stems from the fact that this blog post was released before the multicontainer upgrades. Now the options you have are to apply it to either service environment variables, device service environment variables, application environment variables or device environment variables. Each type of variable is applied to a specific part of your application, be that fleet-wide, device-wide or service-only.

Configuration variables are now solely to control more bare-bones aspects of resinOS and the supervisor. Does this help?


#5

Well, I was really wanting to know how to add the variable to the environment variable section. I added the management_user and management_password as the variable and put in a value of for each of those variables, ie name and a password for each of the corresponding variables, but nothing changed when I would go to the local site on the network to view/change things on the software of the pi. I thought that by adding those variables it would ask for a username and password if I was to put those in the environment variables sections of either the fleet or device configuration. nothing happens when I put those in. The end goal is to have some sort of security when trying to log into unit to make changes. I will be moving the units I have to a vlan network for added security, but I was wanting to have a little more security. Thank you for your time and your reply. I really do appreciate the help.


#6

How did you add those variables? It should be done on the Device Service Variables, such as this:

You can test that these values are properly applied, by connecting to the application container and running something like:

env | grep MANAGEMENT

And that should show the values you have set. In that case the variable setting worked fine.

How these variables are used depends on Screenly itself, so as long as the above step is okay, the rest is on the Screenly side. This is the relevant code:


#7

Thank you for that info. I do have those variables in the correct place, like you mentioned. I will check to see if the container has the correct values for them. I was under the impression when you add those variables that when you go to the screenly side to add assets is where you would enter the username and password info at. Am I mistaken on this is where the “management” variable get checked? Since there is a small security risk on the screenly side in my opinion any. My devices will be on a separate vlan so as not to be associated with the main lan, I was just wanting to have more security on the backend if all possible. Thank you again for the helpful info.


#8

Mine looks identical to this after looking back at it after your first reply post to my issue. If I want any kind of management do I have to change the script on the screenly side like what is posted above? Do I enter the user and password info some where in this section of the script or leave as is? Thank you again for all of the info and help!


#9

I don’t think you should need to change the script on the Screenly side, the setup should work as it is…

Out of curiosity, I just tried a Raspberry Pi, pushing the current Screenly OSE, added MANAGEMENT_USER and MANAGEMENT_PASSWORD

and it was working totally fine. When visiting the management endpoint (either the local network IP, or the Public Device URL), I get the password prompt:

After entering the password, I get the management interface…

So I wonder how’s your setup different than what I’ve just tried here…


#10

I’m really not for sure what would be different. I reloaded the sd card with the original build, but before adding the resin build to the card I went and added the management to the settings and then pushed the resin build and it worked, but as soon as I set up a static ip for the unit it stopped working. Wasn’t sure why unless it is somehow tied to the ip it gets from dhcp. Also I could not figure out how to push an updated build out to the current unit I have set up, so that was the reason why I pretty much started from scratch. I tried removing the static ip settings so it would get the same ip from dhcp as it did when it first got connected and when the management was working correctly, but no luck with that. Even though those settings are not in there anymore, it will not get an ip from dhcp. The ip stays the same from when I assigned it statically. Weird to me or I’m not fully understanding something with this. Any help would greatly appreciated. Thank you again for all of the help given so far!!