Web Portal Administrator's Manual

1 Introduction

The Web Portal provides a graphical interface for managing the Configuration Authority system.

The Web Portal distinguishes users from the actions they may take. A User is an entity that is granted permission to use the Web Portal. A Resource Holder is an entity that has authority to manage a set of Internet number resources. A Resource Holder is, effectively, a role. Separating these entities allows a user to act in several roles, depending on the actions that must be taken. This document discusses management of the User and Resource Holder entities.

This document is prepared under Contract Number HSHQDC-14-C-B0035 for DHS S&T CSD.

2 User Accounts

A User is an entity that is granted permission to use the Web Portal. Each user account has an associated password used to log in to the Web Portal.

The Web Portal maintains an access control list that specifies which Resource Holders the user is allowed to manage. If a user is authorized to manage more than a single Resource Holder, the user will be presented with a list of the Resource Holders upon login.

User data are stored in the irdbd.auth_user and irdbd.app_confacl database tables.

2.1 Creating a User Account

When logged into the Web Portal with a superuser account, select the web users link in the sidebar, and then click on the create button at the bottom of the page. You may optionally select one or more Resource Holders that this user is granted authorization to manage.

Creating a user does not create a matching Resource Holder. See the Creating a Resource Holder section for information on creating Resource Holders.

2.2 Superuser Accounts

A user account with the superuser bit set has the special capability that it may assume the role of any Resource Holder managed by the local RPKI service. Superusers are created with the command line interface:

    $ rpki-manage createsuperuser

2.3 Changing a User Password

The password for a user may be changed in the Web Portal or on the command line:

    $ rpki-manage changepassword

2.4 Destroying a User Account

When logged into the Web Portal with a superuser account, select the web users link in the sidebar, and then click on the Delete icon next to the user you wish to delete.

Note that this action does not remove any of the Resource Holders the user is granted authorization to manage.

3 Resource Holders

Resource holders are entities that have authority to manage a set of Internet number resources. When a user logs into the Web Portal, they select which Resource Holder role to assume. The user may choose to assume the role of a different Resource Holder by clicking on the select identity link in the sidebar.

The list of Resource Holders managed by the local RPKI service can be viewed with a superuser account by clicking on the Resource Holders link in the sidebar of the Web Portal. From this page the superuser can manage the Resource Holders.

Resource Holder data are stored in the irdbd.irdb_resourceholderca database table (via the irdbd.app_conf proxy model).

3.1 Creating a Resource Holder

Note that creating a new Resource Holder does not create a user account. See the Creating a User Account section.

3.1.1 GUI

When logged into the Web Portal with a superuser account, select the Resource Holders link in the sidebar, and then click on the create button at the bottom of the page.

If the new Resource Holder is going to be a child of another Resource Holder hosted by the local RPKI service, you may optionally select the parent Resource Holder from the dropdown box, and the parent-child relationship will automatically be established when the new Resource Holder is created.

Additionally, one or more users authorized to manage the new Resource Holder may be selected from the Users list on the creation form.

3.1.2 Command Line

You can also create Resource Holders on the command line:

    $ rpkic -i HANDLE initialize
    $ rpkic synchronize

where HANDLE is the name of the new Resource Holder. Note that this new Resource Holder can initially be managed only by superuser accounts. You may wish to create a matching user account, but the name of the user need not be the same as the handle of the Resource Holder. Additionally, you can manage the list of users allowed to manage this Resource Holder via the Web Portal; click on the Edit icon next to the Resource Holder, and select the users you wish to grant permission to manage.

3.2 Destroying a Resource Holder

Deleting a Resource Holder does not remove any user accounts.

3.2.1 GUI

When logged into the Web Portal with a superuser account, select the Resource Holders link in the sidebar, and then click on the delete button next to the Resource Holder you wish to delete.

3.2.2 Command Line

Or you may use the command line interface:

    $ rpkic -i HANDLE delete_self
    $ rpkic synchronize

where HANDLE is the name of the Resource Holder you wish to destroy.

4 Modifying the User ACL

Each Resource Holder may be managed by one or more User accounts. The list of Users authorized to assume the role of a particular Resource Holder may be changed in the Web Portal. When logged into the Web Portal with a superuser account, select the Resource Holders link in the sidebar, click on the Edit icon next to the Resource Holder, and then select the Users you wish to grant permission to manage.
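
The ACL relationships described in this manual can be reviewed periodically with a read-only audit. The following is an added example, not part of the RPKI tools: it runs against an in-memory SQLite copy of the three tables named above, with constructed rows. The column names (is_superuser, is_active, user_id, conf_id, handle) are assumptions and must be checked against the actual irdbd schema before the queries are used on a real database.

```python
import sqlite3

# Constructed sample rows. Column names are assumptions: auth_user follows
# Django's stock layout, app_confacl is assumed to be a (user_id, conf_id) join.
SCHEMA = """
CREATE TABLE auth_user (id INTEGER PRIMARY KEY, username TEXT,
                        is_superuser INTEGER, is_active INTEGER);
CREATE TABLE irdb_resourceholderca (id INTEGER PRIMARY KEY, handle TEXT);
CREATE TABLE app_confacl (id INTEGER PRIMARY KEY, user_id INTEGER, conf_id INTEGER);
INSERT INTO auth_user VALUES (1,'root',1,1),(2,'alice',0,1),(3,'bob',0,1),(4,'carol',0,0);
INSERT INTO irdb_resourceholderca VALUES (10,'ISP-A'),(11,'ISP-B'),(12,'LAB');
INSERT INTO app_confacl VALUES (1,2,10),(2,2,11),(3,3,10),(4,4,12),(5,9,11);
"""

SUPERUSERS = "SELECT username FROM auth_user WHERE is_superuser = 1 ORDER BY username"

# Active, non-superuser accounts listed in each Resource Holder's ACL.
MANAGERS = """
SELECT rh.handle, GROUP_CONCAT(u.username)
FROM irdb_resourceholderca rh
LEFT JOIN app_confacl a ON a.conf_id = rh.id
LEFT JOIN auth_user u ON u.id = a.user_id AND u.is_active = 1 AND u.is_superuser = 0
GROUP BY rh.handle ORDER BY rh.handle"""

# ACL rows that name a disabled or missing account.
STALE_ACL = """
SELECT a.id, rh.handle FROM app_confacl a
JOIN irdb_resourceholderca rh ON rh.id = a.conf_id
LEFT JOIN auth_user u ON u.id = a.user_id
WHERE u.id IS NULL OR u.is_active = 0 ORDER BY a.id"""

def audit(db):
    """Return ACL findings worth a manual review, keyed by finding type."""
    managers = {handle: sorted(names.split(",")) if names else []
                for handle, names in db.execute(MANAGERS)}
    return {
        "superusers": [row[0] for row in db.execute(SUPERUSERS)],
        "managers": managers,
        # Resource Holders that only a superuser can currently manage.
        "superuser_only": [h for h, names in managers.items() if not names],
        "stale_acl": db.execute(STALE_ACL).fetchall(),
    }

def demo():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return audit(db)

if __name__ == "__main__":
    for finding, value in demo().items():
        print(finding, value)
```

The superuser_only finding covers Resource Holders created on the command line and never assigned a user, and stale_acl covers grants left behind for accounts that are no longer in use.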


Sections of this document are derived or taken verbatim from Dragon Research Lab's RPKI Tools Manual.

Copyright (c) 2015, Parsons, Inc
All rights reserved