docs: add RBAC endpoints, OIDC group mapping, and update Pro terminology

- Add RBAC/role management endpoints to API.md - Document OIDC group-to-role mapping feature in OIDC.md - Add missing config files to CONFIGURATION.md (audit.db, AI files) - Add OIDC_GROUP_ROLE_MAPPINGS env var documentation - Fix "enterprise" -> "Pro" terminology in TROUBLESHOOTING.md - Refocus TEMPERATURE_MONITORING.md on agent method, collapse legacy proxy docs
2026-02-18 00:17:39 +01:00 · 2026-01-10 13:59:50 +00:00
parent a970a6e5ee
commit 80729408c1
5 changed files with 110 additions and 3 deletions
--- a/docs/API.md
+++ b/docs/API.md
@@ -352,6 +352,52 @@ Initiate OIDC login flow.

 ---

+## 👥 RBAC / Role Management (Pro)
+
+Role-based access control endpoints for managing roles and user assignments. Requires admin access and the `rbac` license feature.
+
+### List Roles
+`GET /api/admin/roles`
+Returns all defined roles.
+
+### Create Role
+`POST /api/admin/roles`
+```json
+{
+  "id": "operator",
+  "name": "Operator",
+  "description": "Can view and manage alerts",
+  "permissions": [
+    { "action": "read", "resource": "alerts" },
+    { "action": "write", "resource": "alerts" }
+  ]
+}
+```
+
+### Update Role
+`PUT /api/admin/roles/{id}`
+Update an existing role's name, description, or permissions.
+
+### Delete Role
+`DELETE /api/admin/roles/{id}`
+
+### List Users
+`GET /api/admin/users`
+Returns all users with their role assignments.
+
+### Assign Role to User
+`POST /api/admin/users/{username}/roles`
+```json
+{ "role_id": "operator" }
+```
+
+### Remove Role from User
+`DELETE /api/admin/users/{username}/roles/{role_id}`
+
+> **Note**: OIDC group-to-role mapping can automatically assign roles on login. See [OIDC.md](OIDC.md) for configuration.
+
+---
+
 ## 🤖 Pulse AI *(v5)*

 **Pro gating:** endpoints labeled "(Pro)" require a Pulse Pro license and return `402 Payment Required` if the feature is not licensed.
--- a/docs/CONFIGURATION.md
+++ b/docs/CONFIGURATION.md
@@ -29,6 +29,12 @@ Pulse uses a split-configuration model to ensure security and flexibility.
 | `sessions.json` | Persistent sessions (includes OIDC refresh tokens) | 🔒 **Sensitive** |
 | `update-history.jsonl` | Update history log (in-app updates) | 📝 Standard |
 | `metrics.db` | Persistent metrics history (SQLite) | 📝 Standard |
+| `audit.db` | Audit log database (Pulse Pro, SQLite) | 🔒 **Sensitive** |
+| `baselines.json` | AI baseline data for anomaly detection | 📝 Standard |
+| `ai_correlations.json` | AI correlation analysis cache | 📝 Standard |
+| `ai_patterns.json` | AI pattern detection data | 📝 Standard |
+| `ai_remediations.json` | AI remediation suggestions | 📝 Standard |
+| `ai_incidents.json` | AI incident tracking | 📝 Standard |

 All files are located in `/etc/pulse/` (Systemd) or `/data/` (Docker/Kubernetes) by default.

@@ -93,6 +99,7 @@ Environment overrides (lock the corresponding UI fields):
 | `OIDC_ALLOWED_GROUPS` | Allowed groups (space or comma-separated) |
 | `OIDC_ALLOWED_DOMAINS` | Allowed email domains (space or comma-separated) |
 | `OIDC_ALLOWED_EMAILS` | Allowed emails (space or comma-separated) |
+| `OIDC_GROUP_ROLE_MAPPINGS` | Group-to-role mappings (Pro). Format: `group1=role1,group2=role2` |
 | `OIDC_CA_BUNDLE` | Custom CA bundle path |
 </details>

--- a/docs/OIDC.md
+++ b/docs/OIDC.md
@@ -34,6 +34,38 @@ Restrict access to specific users or groups:
 *   **Allowed Domains**: Restrict to specific email domains (e.g., `example.com`).
 *   **Allowed Emails**: Allow specific email addresses.

+### Group-to-Role Mapping (Pro)
+
+Automatically assign Pulse roles based on OIDC group membership. When a user logs in, Pulse checks their groups claim and assigns the corresponding roles.
+
+**Configuration via UI:**
+Go to **Settings → Security → Single Sign-On → Group Role Mappings** and add mappings like:
+- `oidc-admins` → `admin`
+- `oidc-operators` → `operator`
+- `oidc-viewers` → `viewer`
+
+**Configuration via Environment:**
+```bash
+# Format: group1=role1,group2=role2
+OIDC_GROUP_ROLE_MAPPINGS="oidc-admins=admin,oidc-operators=operator"
+```
+
+**How it works:**
+- On each login, Pulse reads the user's groups from the configured groups claim.
+- For each group that matches a mapping, the corresponding role is assigned.
+- Multiple groups can map to multiple roles (user gets all matching roles).
+- Role assignments are updated on every login to reflect current group membership.
+- Role changes are logged to the audit log for compliance tracking.
+
+**Example:**
+If a user has groups `["oidc-admins", "developers"]` and you have mappings:
+- `oidc-admins` → `admin`
+- `developers` → `operator`
+
+The user will be assigned both `admin` and `operator` roles.
+
+> **Note**: Ensure your IdP includes the `groups` scope and that the groups claim is properly configured. Some providers use `groups`, others use `roles` or custom claims.
+
 ### Long-Lived Sessions with `offline_access`
 For persistent sessions that don't require frequent re-authentication:

--- a/docs/TEMPERATURE_MONITORING.md
+++ b/docs/TEMPERATURE_MONITORING.md
@@ -40,6 +40,26 @@ Install the unified agent on each Proxmox host with Proxmox integration enabled
 ### 2. Enable temperature monitoring (optional)
 Go to **Settings → Proxmox → [Node] → Advanced Monitoring** and enable "Temperature monitoring" if you want to collect temperatures for that node.

+---
+
+## Troubleshooting
+
+**No temperature data appearing:**
+1. Ensure `lm-sensors` is installed: `apt install lm-sensors && sensors-detect`
+2. Verify the agent is running: `systemctl status pulse-agent`
+3. Check agent logs: `journalctl -u pulse-agent -f`
+4. Confirm `--enable-proxmox` flag is set
+
+**Temperatures show as `--` or missing:**
+1. Run `sensors` on the host to verify sensor detection
+2. Some hardware may not expose temperature sensors
+3. Check if the agent has permission to read sensor data
+
+---
+
+<details>
+<summary><strong>Legacy: pulse-sensor-proxy (deprecated, click to expand)</strong></summary>
+
 ## Deprecated: pulse-sensor-proxy (existing installs only)

 This section is retained for existing installations during the migration window.
@@ -773,3 +793,5 @@ If temperature monitoring isn't working:
   - Proxy logs
   - Pulse logs
   - Output of manual SSH test
+
+</details>
--- a/docs/TROUBLESHOOTING.md
+++ b/docs/TROUBLESHOOTING.md
@@ -49,9 +49,9 @@ sudo pulse bootstrap-token
 - **Fix**: Set `PULSE_AUDIT_SIGNING_KEY` and restart Pulse Pro. Newly created events will be signed; existing unsigned events remain unsigned.

 **Audit Log is empty**
- **Symptom**: Audit Log shows zero events or “Console Logging Only.”
- **Root cause**: OSS build uses console logging only, or enterprise audit logging is not enabled.
- **Fix**: Use Pulse Pro with enterprise audit logging enabled, then generate new audit events (logins, token creation, password changes).
+- **Symptom**: Audit Log shows zero events or "Console Logging Only."
+- **Root cause**: OSS build uses console logging only, or Pulse Pro audit logging is not enabled.
+- **Fix**: Use Pulse Pro with audit logging enabled, then generate new audit events (logins, token creation, password changes).

 **Audit Log verification fails for older events**
 - **Symptom**: Older events fail verification while newer events pass.