diff --git a/docs/API.md b/docs/API.md index ed9b2f831..5d1e3ed3f 100644 --- a/docs/API.md +++ b/docs/API.md @@ -352,6 +352,52 @@ Initiate OIDC login flow. --- +## πŸ‘₯ RBAC / Role Management (Pro) + +Role-based access control endpoints for managing roles and user assignments. Requires admin access and the `rbac` license feature. + +### List Roles +`GET /api/admin/roles` +Returns all defined roles. + +### Create Role +`POST /api/admin/roles` +```json +{ + "id": "operator", + "name": "Operator", + "description": "Can view and manage alerts", + "permissions": [ + { "action": "read", "resource": "alerts" }, + { "action": "write", "resource": "alerts" } + ] +} +``` + +### Update Role +`PUT /api/admin/roles/{id}` +Update an existing role's name, description, or permissions. + +### Delete Role +`DELETE /api/admin/roles/{id}` + +### List Users +`GET /api/admin/users` +Returns all users with their role assignments. + +### Assign Role to User +`POST /api/admin/users/{username}/roles` +```json +{ "role_id": "operator" } +``` + +### Remove Role from User +`DELETE /api/admin/users/{username}/roles/{role_id}` + +> **Note**: OIDC group-to-role mapping can automatically assign roles on login. See [OIDC.md](OIDC.md) for configuration. + +--- + ## πŸ€– Pulse AI *(v5)* **Pro gating:** endpoints labeled "(Pro)" require a Pulse Pro license and return `402 Payment Required` if the feature is not licensed. diff --git a/docs/CONFIGURATION.md b/docs/CONFIGURATION.md index db53b8eb5..0ec4a163d 100644 --- a/docs/CONFIGURATION.md +++ b/docs/CONFIGURATION.md 
@@ -29,6 +29,12 @@ Pulse uses a split-configuration model to ensure security and flexibility. | `sessions.json` | Persistent sessions (includes OIDC refresh tokens) | πŸ”’ **Sensitive** | | `update-history.jsonl` | Update history log (in-app updates) | πŸ“ Standard | | `metrics.db` | Persistent metrics history (SQLite) | πŸ“ Standard | +| `audit.db` | Audit log database (Pulse Pro, SQLite) | πŸ”’ **Sensitive** | +| `baselines.json` | AI baseline data for anomaly detection | πŸ“ Standard | +| `ai_correlations.json` | AI correlation analysis cache | πŸ“ Standard | +| `ai_patterns.json` | AI pattern detection data | πŸ“ Standard | +| `ai_remediations.json` | AI remediation suggestions | πŸ“ Standard | +| `ai_incidents.json` | AI incident tracking | πŸ“ Standard | All files are located in `/etc/pulse/` (Systemd) or `/data/` (Docker/Kubernetes) by default. @@ -93,6 +99,7 @@ Environment overrides (lock the corresponding UI fields): | `OIDC_ALLOWED_GROUPS` | Allowed groups (space or comma-separated) | | `OIDC_ALLOWED_DOMAINS` | Allowed email domains (space or comma-separated) | | `OIDC_ALLOWED_EMAILS` | Allowed emails (space or comma-separated) | +| `OIDC_GROUP_ROLE_MAPPINGS` | Group-to-role mappings (Pro). Format: `group1=role1,group2=role2` | | `OIDC_CA_BUNDLE` | Custom CA bundle path | diff --git a/docs/OIDC.md b/docs/OIDC.md index ec3b0a124..0a0bc5118 100644 --- a/docs/OIDC.md +++ b/docs/OIDC.md 
@@ -34,6 +34,38 @@ Restrict access to specific users or groups: * **Allowed Domains**: Restrict to specific email domains (e.g., `example.com`). * **Allowed Emails**: Allow specific email addresses. +### Group-to-Role Mapping (Pro) + +Automatically assign Pulse roles based on OIDC group membership. When a user logs in, Pulse checks their groups claim and assigns the corresponding roles. + +**Configuration via UI:** +Go to **Settings β†’ Security β†’ Single Sign-On β†’ Group Role Mappings** and add mappings like: +- `oidc-admins` β†’ `admin` +- `oidc-operators` β†’ `operator` +- `oidc-viewers` β†’ `viewer` + +**Configuration via Environment:** +```bash +# Format: group1=role1,group2=role2 +OIDC_GROUP_ROLE_MAPPINGS="oidc-admins=admin,oidc-operators=operator" +``` + +**How it works:** +- On each login, Pulse reads the user's groups from the configured groups claim. +- For each group that matches a mapping, the corresponding role is assigned. +- Multiple groups can map to multiple roles (user gets all matching roles). +- Role assignments are updated on every login to reflect current group membership. +- Role changes are logged to the audit log for compliance tracking. + +**Example:** +If a user has groups `["oidc-admins", "developers"]` and you have mappings: +- `oidc-admins` β†’ `admin` +- `developers` β†’ `operator` + +The user will be assigned both `admin` and `operator` roles. + +> **Note**: Ensure your IdP includes the `groups` scope and that the groups claim is properly configured. Some providers use `groups`, others use `roles` or custom claims. + ### Long-Lived Sessions with `offline_access` For persistent sessions that don't require frequent re-authentication: diff --git a/docs/TEMPERATURE_MONITORING.md b/docs/TEMPERATURE_MONITORING.md index 9edeec266..732b1e2ce 100644 --- a/docs/TEMPERATURE_MONITORING.md +++ b/docs/TEMPERATURE_MONITORING.md 
@@ -40,6 +40,26 @@ Install the unified agent on each Proxmox host with Proxmox integration enabled ### 2. Enable temperature monitoring (optional) Go to **Settings β†’ Proxmox β†’ [Node] β†’ Advanced Monitoring** and enable "Temperature monitoring" if you want to collect temperatures for that node. +--- + +## Troubleshooting + +**No temperature data appearing:** +1. Ensure `lm-sensors` is installed: `apt install lm-sensors && sensors-detect` +2. Verify the agent is running: `systemctl status pulse-agent` +3. Check agent logs: `journalctl -u pulse-agent -f` +4. Confirm `--enable-proxmox` flag is set + +**Temperatures show as `--` or missing:** +1. Run `sensors` on the host to verify sensor detection +2. Some hardware may not expose temperature sensors +3. Check if the agent has permission to read sensor data + +--- + +
+Legacy: pulse-sensor-proxy (deprecated, click to expand) + ## Deprecated: pulse-sensor-proxy (existing installs only) This section is retained for existing installations during the migration window. @@ -773,3 +793,5 @@ If temperature monitoring isn't working: - Proxy logs - Pulse logs - Output of manual SSH test + +
diff --git a/docs/TROUBLESHOOTING.md b/docs/TROUBLESHOOTING.md index c80d5f059..833f5a091 100644 --- a/docs/TROUBLESHOOTING.md +++ b/docs/TROUBLESHOOTING.md @@ -49,9 +49,9 @@ sudo pulse bootstrap-token - **Fix**: Set `PULSE_AUDIT_SIGNING_KEY` and restart Pulse Pro. Newly created events will be signed; existing unsigned events remain unsigned. **Audit Log is empty** -- **Symptom**: Audit Log shows zero events or β€œConsole Logging Only.” -- **Root cause**: OSS build uses console logging only, or enterprise audit logging is not enabled. -- **Fix**: Use Pulse Pro with enterprise audit logging enabled, then generate new audit events (logins, token creation, password changes). +- **Symptom**: Audit Log shows zero events or "Console Logging Only." +- **Root cause**: OSS build uses console logging only, or Pulse Pro audit logging is not enabled. +- **Fix**: Use Pulse Pro with audit logging enabled, then generate new audit events (logins, token creation, password changes). **Audit Log verification fails for older events** - **Symptom**: Older events fail verification while newer events pass.
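Review bot: the Create Role example in the docs/API.md RBAC hunk shows `{ "action": "read", "resource": "alerts" }` but the section never lists the accepted `action` and `resource` values, so a caller cannot build a valid role from this page; add a short table of valid actions and resources under `### Create Role` and say whether wildcards are accepted. The section header says the endpoints require admin access and the `rbac` license feature, but unlike the Pulse AI section directly below it gives no failure responses; the existing sentence `**Pro gating:** endpoints labeled "(Pro)" require a Pulse Pro license and return 402 Payment Required` only covers endpoints that carry a "(Pro)" label, so either label each RBAC endpoint or add one sentence stating the 402 (unlicensed) and 403 (non-admin) responses. `DELETE /api/admin/roles/{id}` should also state what happens to users who currently hold that role.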
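Review bot: in the docs/CONFIGURATION.md file-table hunk, `audit.db` is rightly marked Sensitive, but the five new AI rows (`baselines.json`, `ai_correlations.json`, `ai_patterns.json`, `ai_remediations.json`, `ai_incidents.json`) are marked Standard with descriptions that do not say what they contain; "AI remediation suggestions" and "AI incident tracking" plausibly hold node and VM names and suggested commands, so either confirm in the description that these files hold no such data or mark them Sensitive, since this table is what operators use to decide what to exclude from shared backups and bug reports.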
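Review bot: the `OIDC_GROUP_ROLE_MAPPINGS` row in the docs/CONFIGURATION.md environment hunk gives the format `group1=role1,group2=role2`, while the adjacent `OIDC_ALLOWED_GROUPS` row accepts space- or comma-separated values; say explicitly whether space separation is accepted here and how group names containing `=` or `,` are handled, since IdP group names expressed as distinguished names routinely contain commas. Because the table is headed "Environment overrides (lock the corresponding UI fields)", the row should also name the UI field it locks, which the docs/OIDC.md hunk calls **Group Role Mappings** under Settings, Security, Single Sign-On.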
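Review bot: in the docs/OIDC.md Group-to-Role Mapping hunk, the bullet "Role assignments are updated on every login to reflect current group membership" leaves the precedence question open: is a role assigned manually through `POST /api/admin/users/{username}/roles` (added in the docs/API.md hunk) removed at the next login when no mapping produces it, and does losing an IdP group revoke the mapped role? Both directions matter, because removing a user from an IdP group is the usual way access is withdrawn, so state the behaviour in the **How it works** list. Two smaller points: the UI example maps `oidc-viewers` to `viewer`, yet the page never says which roles exist by default, so say what happens when a mapping names a role id that has not been created (login failure, silent skip, or an audit-logged warning); and the note "Some providers use `groups`, others use `roles` or custom claims" should point at the setting where the claim name is configured, since the text refers to "the configured groups claim" without naming it.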
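Review bot: in the docs/TEMPERATURE_MONITORING.md troubleshooting hunk, step 1 `apt install lm-sensors && sensors-detect` needs root and `sensors-detect` is interactive (it prompts before probing hardware and before writing module configuration), so prefix both commands with `sudo` as the other docs do (`sudo pulse bootstrap-token` in docs/TROUBLESHOOTING.md) and mention that it asks questions, or a reader running it from a script will think it hung. Step 4 "Confirm `--enable-proxmox` flag is set" does not say where to look; point at the agent's service unit or startup command. In the second list, step 3 "Check if the agent has permission to read sensor data" is too vague to act on; name the user the agent runs as and give a concrete check, for example that `sensors` succeeds when run as that user.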
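Review bot: the summary line "Legacy: pulse-sensor-proxy (deprecated, click to expand)" shows that the deprecated section is wrapped in a collapsible block whose opening lies in the first docs/TEMPERATURE_MONITORING.md hunk and whose closing lines are the two appended at end of file in the `@@ -773,3 +793,5 @@` hunk; the wrapped region is more than 700 lines, so verify on the rendered docs that the block actually collapses, that the `## Deprecated: pulse-sensor-proxy (existing installs only)` heading still renders as a heading inside it (the blank line after the summary line is present, which that needs), and that nothing between the two hunks already closes the wrapper early.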
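Review bot: the docs/TROUBLESHOOTING.md hunk combines a wording change (`enterprise audit logging` to `Pulse Pro audit logging`) with a smart-quote to ASCII-quote replacement on the Symptom line; the wording change is right now that the other docs say "Pulse Pro", but the Fix line could use what this same change documents elsewhere: docs/CONFIGURATION.md now lists `audit.db` as the Pulse Pro audit log database, so add "and confirm `audit.db` exists and is writable in the data directory" to the Fix, which lets a reader distinguish an unlicensed build from a licensed one that cannot write its database.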