Matthew Weier O’Phinney
Companies have a variety of software access restriction requirements, and these often extend to tools like ZendHQ. In this blog, we'll dive in on the new role-based authentication features in ZendHQ, show how to administer permissions, and discuss what those changes mean for ZendHQ users.
Since we introduced ZendHQ almost two years ago, the GUI has operated under a single-role paradigm, with a single set of credentials, offering full administrative access to ZendHQ. Several of our customers have communicated a need for more robust and granular access controls to suit their organizational needs. As examples:
Earlier this week, we released version 1.6.0 of ZendHQ, which provides identity and access management for ZendHQ. This feature provides the ability to define your own groups, assign permissions to each service ZendHQ exposes, and to assign users to groups. Let's take a look.
At the highest level, you can create groups, assign groups permissions to ZendHQ services, and then define users and assign them to groups. When logging into ZendHQ, users will use the credentials provided to them by their ZendHQ administrator, and features of ZendHQ will either be omitted from the GUI, or disabled, if they are not accessible to them.
The general workflow for an administrator will be:
Users can be assigned to multiple groups. If they are, they will have access to features based on the greatest access allowed to any group to which they are assigned. For instance, if a user is assigned to a group that provides read-only access to all features, and also to another group that provides write access to Z-Ray, the user will be able to initiate Z-Ray sessions (as that permission is provided with write access to Z-Ray).
ZendHQ now ships with a new command-line tool, zendhqctl. This tool provides an "access" module that allows listing services and permission information related to them, managing groups, and managing users.
The services exposed by ZendHQ are as follows.
Permissions are created using a bitmask. While these can be expressed as integers, you can also reference them using notation you're already familiar with: Unix file permissions. For example, if you wanted to provide read-only access to monitoring, you'd use +r mon. If you wanted to provide the ability to initialize Z-Ray sessions and view history, you'd use +rw zray. To provide full access to JobQueue, you'd use +rwx jq.
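To make the two rules above concrete (permissions as an rwx-style bitmask per service, and a user's effective access being the union of every group they belong to), here is a small added Python model. It is illustration code written for this post, not part of ZendHQ or zendhqctl: the bit values (r=4, w=2, x=1), the parser for the "+rw zray" style spec, and the Group class are all assumptions; only the service codes (conf, mon, ct, zray, jq) come from the zendhqctl invocation below.

```python
"""Illustrative model of ZendHQ-style group permissions (not ZendHQ's own code).

Assumptions made for this example: unix-style bit values for r/w/x, the
"+<flags> <svc,svc,...>" grammar, and the Group class. The service codes are
the ones used with zendhqctl in the post.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Assumed bit values, chosen to mirror unix file permissions.
PERM_BITS = {"r": 4, "w": 2, "x": 1}
# Service codes as passed to `zendhqctl access group add --permissions`.
SERVICES = ("conf", "mon", "ct", "zray", "jq")


def parse_permission_spec(spec: str) -> dict[str, int]:
    """Parse e.g. '+rw zray' or '+r conf,mon,ct' into {service: bitmask}.

    Unknown flags or service codes are rejected rather than silently ignored,
    so a typo cannot grant (or appear to grant) access.
    """
    flags, _, services = spec.strip().partition(" ")
    if not flags.startswith("+") or len(flags) < 2:
        raise ValueError(f"expected '+<rwx>', got {flags!r}")
    mask = 0
    for ch in flags[1:]:
        if ch not in PERM_BITS:
            raise ValueError(f"unknown permission flag {ch!r}")
        mask |= PERM_BITS[ch]
    result: dict[str, int] = {}
    for svc in services.split(","):
        svc = svc.strip()
        if svc not in SERVICES:
            raise ValueError(f"unknown service {svc!r}")
        result[svc] = mask
    return result


@dataclass
class Group:
    """A named group with a per-service bitmask and an optional comment."""
    name: str
    permissions: dict[str, int] = field(default_factory=dict)
    comment: str = ""


def effective_permissions(groups: list[Group]) -> dict[str, int]:
    """Union (bitwise OR) of the permissions of every group a user is in.

    This is the 'greatest access allowed to any group' rule: adding a user
    to a second group can only widen access, never narrow it.
    """
    effective = {svc: 0 for svc in SERVICES}
    for group in groups:
        for svc, mask in group.permissions.items():
            effective[svc] |= mask
    return effective


def format_mask(mask: int) -> str:
    """Render a bitmask as 'rw-' style text for display."""
    return "".join(flag if mask & bit else "-" for flag, bit in PERM_BITS.items())


def can(effective: dict[str, int], service: str, flag: str) -> bool:
    """True if the effective permissions include `flag` on `service`."""
    return bool(effective.get(service, 0) & PERM_BITS[flag])


# Constructed sample mirroring the post's scenario: a read-only group plus a
# second group that adds write access to Z-Ray.
readonly = Group("readonly", parse_permission_spec("+r conf,mon,ct,zray,jq"), "Read-only group")
zray_writers = Group("zray-writers", parse_permission_spec("+rw zray"), "May start Z-Ray sessions")

if __name__ == "__main__":
    alice = effective_permissions([readonly, zray_writers])
    for svc in SERVICES:
        print(f"{svc:5} {format_mask(alice[svc])} ({alice[svc]})")
    print("alice can start a Z-Ray session:", can(alice, "zray", "w"))
    print("alice can start a JobQueue job:", can(alice, "jq", "w"))
```

Running the block prints one line per service; alice ends up with rw- on zray and r-- everywhere else. The practical consequence of the OR rule is worth keeping in mind when reviewing group membership: a "read-only" user who is also a member of any writing group is not read-only, so audits should check effective permissions rather than group names.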
A common request is to be able to define a read-only role. Let's create that, and assign it to a couple of users, Bob and Alice.
zendhqctl access group add readonly --permissions +r conf,mon,ct,zray,jq -c "Read-only group"
Breaking this down, we're creating the group "readonly". When we do, we're setting initial permissions to include "read" permissions to each of the services exposed. We are also providing a comment to associate with the group; this will be printed any time we print information for the group.
Now, let's define some users and assign them to this group:
zendhqctl access user add bob
zendhqctl access user password bob   # prompts to set the password
zendhqctl access user add alice
zendhqctl access user password alice # prompts to set the password
zendhqctl access group add-user readonly alice,bob
First we create each user, and assign them a password. Then we add both users to the "read-only" group.
There are a lot of different commands exposed by zendhqctl, and each contains copious documentation. Additionally, there are often multiple ways to accomplish something. For instance, in the above example, we could have instead called zendhqctl access user add-group alice readonly to add Alice to the read-only group. Read the zendhqctl access reference for full details.
So, we know some basics of administering identity and access management in ZendHQ, but what does that mean when using the GUI administration tool?
First, for users who are upgrading to the new version, there's only one change that you'll notice at first. When you log in, instead of having just the Hostname/IP and Token inputs, you will now see a "User name" input, and "Token" becomes "User token" as well.
But ZendHQ didn't have usernames previously! How do you log in? For those upgrading, you can log in without the username, using the configured ZendHQ token as you did previously. (Alternatively, you can specify the username "admin"!) ZendHQ ships with an "admin" role already configured that mimics the permissions previously used, and that uses the admin token as configured by default with the service.
Once you have created users, you can now log in as one of those users! To best see how this plays out in practice, view the following video.
Different organizations have different access management needs for their developer and production tooling. The new role-based access support provided with ZendHQ allows organizations to define their own roles and the associated permissions. One side-benefit not mentioned previously is that users do not need to share credentials any longer, which also allows organizations to revoke access without having to change access for all users of the tool.
This is the first of a series of security features planned for ZendHQ. Future releases will build on the identity and access management provided with this release, enabling integration with business user directories.
Zend Product Manager, Zend by Perforce
Matthew began developing on Zend Framework (ZF) before its first public release, and led the project for Zend from 2009 through 2019. He is a founding member of the PHP Framework Interop Group (PHP-FIG), which creates and promotes standards for the PHP ecosystem — and is serving his second elected term on the PHP-FIG Core Committee.