openSUSE:WebYaST Installation/Configuration
YaST Webservice Configuration
Installation and Configuration
All configuration is done in the post-install section of the package. After you have installed the package, a dedicated nginx server running the YaST-Webservice has been configured; it runs under the system account "yastws". This HTTP server is configured for "localhost" only and listens on port 4984. This can be changed in the file /etc/yastws/nginx.conf. You can start the server with:
rcyastws start
Open the following URL in a web browser:
http://localhost:4984
Log in as "root". During package installation, all access rights have been granted to "root". For other users, you have to grant permissions as described in the following sections:
API Policies
Each YaST Webservice call has its own access permissions, which can be defined for each user. These permissions are handled by PolicyKit in the file: /usr/share/PolicyKit/policy/org.opensuse.yast.webservice.policy. If you get a permission error while using the API, look at the web server log file to find out which permissions are missing:
Action: org.opensuse.yast.webservice.run-yastmodule User: schubi Result: no
Action: org.opensuse.yast.webservice.run-yastmodule-lan User: schubi Result: yes
These permissions can be granted with "polkit-auth", for example:
polkit-auth --user schubi --grant org.opensuse.yast.webservice.run-yastmodule-lan
They can be revoked with:
polkit-auth --user schubi --revoke org.opensuse.yast.webservice.run-yastmodule-lan
In order to clean up or to grant ALL permissions, you can use the Ruby script policyKit-rights.rb delivered with this package:
> policyKit-right.rb
Usage: policyKit-right.rb --user --action (show|grant|revoke)
NOTE: This programm should be run by user root

This call grant/revoke ALL permissions for the YaST Webservice.
In order to grant/revoke single rights use:
polkit-auth --user (--grant|-revoke)
In order to show all possible permissions use:
polkit-action
Hostname and Port
These settings can be changed in /etc/yastws/nginx.conf or /etc/yastwc/nginx.conf:
...
server {
    listen 4984;
    server_name localhost;
...
HTTPS Protocol
SSL
Before we start configuring nginx for the YaST-webclient, we need to get an SSL certificate. If you are creating your own, you can follow these instructions:
openssl req -new -x509 -keyout host.pem -out host.pem -days 365 -nodes
If you already have a certificate which is a .crt and a .key file, you have to make them snuggle up into a single .pem file:
cat host.key host.crt > host.pem
Both of these methods result in a single .pem file, usually named host.pem where "host" is the name of the server you are using the certificate for. This file can be stored anywhere you want on your system, since the nginx configuration takes an explicit path to it. Normally certificates are stored in /etc/ssl/certs.
Configure nginx
Add these entries to /etc/yastws/nginx.conf or /etc/yastwc/nginx.conf.
For example, in /etc/yastwc/nginx.conf:
server {
    listen 54984;
    server_name 0.0.0.0;
    root /srv/www/yast/public;
    passenger_enabled on;
    rails_framework_spawner_idle_time 300;
    rails_app_spawner_idle_time 300;
    ssl on;
    ssl_certificate /etc/lighttpd/certs/webyast.pem;
    ssl_certificate_key /etc/lighttpd/certs/webyast.key;
    ssl_session_timeout 5m;
    ssl_protocols SSLv2 SSLv3 TLSv1;
    ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
    ssl_prefer_server_ciphers on;
}
and restart the server with:
rcyastws restart
or
rcyastwc restart
Now you can log in over HTTPS.
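The following is an added example, not part of the original page or of the WebYaST project: a small Python check that reads the ssl_protocols and ssl_ciphers directives from the server block under "Configure nginx" and reports which of its settings are weak. The function names and the simplified cipher-string model are assumptions of this example; `openssl ciphers -v` gives the authoritative expansion of a cipher string.

```python
import re

# TLS directives copied from the server block on this page (sample input).
PAGE_CONFIG = """
server {
    ssl on;
    ssl_protocols SSLv2 SSLv3 TLSv1;
    ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
    ssl_prefer_server_ciphers on;
}
"""

# Protocol versions deprecated by the IETF (RFC 6176, RFC 7568, RFC 8996).
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# OpenSSL cipher-string keywords that select weak suites (not exhaustive).
WEAK_CLASSES = {"LOW", "EXP", "SSLv2", "RC4", "MD5", "ADH"}


def directive(config, name):
    """Return the arguments of the first `name ...;` directive, or None."""
    m = re.search(r"^\s*" + re.escape(name) + r"\s+([^;]+);", config, re.M)
    return m.group(1).strip() if m else None


def weak_protocols(config):
    args = directive(config, "ssl_protocols") or ""
    return sorted(set(args.split()) & DEPRECATED_PROTOCOLS)


def weak_cipher_classes(config):
    """Simplified model of an OpenSSL cipher string: plain tokens add suites,
    '!' and '-' remove them, and a leading '+' only reorders."""
    added, removed = set(), set()
    for token in re.split(r"[:, ]+", directive(config, "ssl_ciphers") or ""):
        if not token or token.startswith("+"):
            continue
        target = removed if token[0] in "!-" else added
        for part in token.lstrip("!-").split("+"):
            target.add("EXP" if part == "EXPORT" else part)
    # ALL pulls in every class; otherwise only explicitly added ones count.
    enabled = WEAK_CLASSES if "ALL" in added else added & WEAK_CLASSES
    return sorted(enabled - removed)


def audit(config):
    return {"protocols": weak_protocols(config), "ciphers": weak_cipher_classes(config)}


if __name__ == "__main__":
    print(audit(PAGE_CONFIG))
```

For the configuration on this page, the check reports SSLv2, SSLv3 and TLSv1 as deprecated and shows that the LOW, EXP, SSLv2, RC4 and MD5 suites stay enabled, because ALL adds them and only ADH and EXPORT56 are removed. A setting such as ssl_protocols TLSv1.2 TLSv1.3 with ssl_ciphers HIGH:!aNULL:!MD5 produces no findings, provided the installed nginx and OpenSSL support those protocol versions.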