Central MySQL database with different usernames & passwords
#1
Hi,

I have a small server here that holds some content, mostly TV shows.
The clients (RPi's) can connect only via SSH (SFTP) to stream the content.
In order to have some control over the content one can access (mostly because I don't want the kids to be able to watch all TV shows),
I'm working with user authentication at the server.

Now here is the problem:
I would like to set up a central MySQL database to avoid those long content-scraping tasks on the Raspberry Pis.
The problem is that within the database (I guess it is the "path" column) the usernames and passwords are stored (sftp://username:[email protected]/TV/...)
That's why I'm struggling to set up such a centralized solution.

I have tried playing with passwords.xml already, but no luck. It seems that it ignores it (I guess it's for SMB shares only - isn't it?!).
I also tried leaving the username + password out while creating the share because I thought XBMC might ask for the password afterwards, but it didn't.

Anybody out there that managed to build this up already?
Reply
#2
Why don't you restrict content by using profiles in XBMC and use an SMB path for media?
Reply
#3
Use a common media storage with splits into folder hierarchy that makes sense (by Movie Rating or by folder)
(e.g. \movies, \musicvideos, \kids)

Load up your media using your master profile

Create a "kids" profile and use a skin that supports menu control by profile (e.g. AEON NOX)

Create a smart playlist called "kidfilms" in the "kids profile" that filters to include \kids and exclude \movies etc.

Create a custom menu called "Kids Movies" using the smart playlist "kidfilms"

Remove menu items (e.g. Movies) to prevent access to grown ups' movies
Reply
#4
(2013-11-21, 20:04)saitoh183 Wrote: Why don't you restrict content by using profiles in XBMC and use an SMB path for media?

This server is used to spread the media among our family, not all living in the same house.
Therefore, I'm not using SMB for security purposes.

(2013-11-21, 20:46)surfinbox Wrote: Use a common media storage with splits into folder hierarchy that makes sense (by Movie Rating or by folder)
(e.g. \movies, \musicvideos, \kids)

Load up your media using your master profile

Create a "kids" profile and use a skin that supports menu control by profile (e.g. AEON NOX)

Create a smart playlist called "kidfilms" in the "kids profile" that filters to include \kids and exclude \movies etc.

Create a custom menu called "Kids Movies" using the smart playlist "kidfilms"

Remove menu items (e.g. Movies) to prevent access to grown ups' movies

Your suggestion is much appreciated.
However, I'm pretty much satisfied with the current user / role management and still looking for a way not to change
the whole directory structure but send the user+pass along with the request to the server.
Is there any other way?
Reply
#5
Do your access from elsewhere via a secure tunnel and use the same protocol everywhere.
Reply
#6
(2013-11-22, 07:02)nickr Wrote: Do your access from elsewhere via a secure tunnel and use the same protocol everywhere.

That's exactly what I'm doing today, I guess (clients connect via SSH).
I can't see the relation to my question.
Reply
#7
Explain again your restriction for only SFTP access, is this not a LAN?
Reply
#8
No, it's not a LAN. It's basically Internet sharing - that's why I went for the encrypted streaming approach.
Reply
#9
(2013-11-21, 18:40)shudder Wrote: Now here is the problem:
I would like to set up a central MySQL database to avoid those long content-scraping tasks on the Raspberry Pis.
The problem is that within the database (I guess it is the "path" column) the usernames and passwords are stored (sftp://username:[email protected]/TV/...)
That's why I'm struggling to set up such a centralized solution.

It's not clear to me why this is a problem for you.
Do you want the different users to have a different content?
Or is it purely a security issue, where you don't want the other users to see the u/p?
Reply
#10
Alright, trying to explain it a bit better this time:

Indeed, I want the different users to have different content.
Or in other words: I want some users not to be able to see all the content.
That's working perfectly well at the moment, without having a central database.

user A - Restricted
user B - Full Access

If I'm going to populate the DB with user B, user A wouldn't be restricted anymore because
it would use the access credentials of user B (as they are stored in the DB as part of the path).
The other way round, user B would be restricted in case I'm going to populate the DB with user A.

Hope I didn't miss anything. I appreciate your help a lot!
Reply
#11
To achieve that, you'd have to create a set of databases (Video + Music) per user, and specify the root name (without the version) in each one's advancedsettings.xml.

You can specify the "root" name of the db with the "name" param, e.g.
Code:
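<advancedsettings>
    <videodatabase>
        <type>mysql</type>
        <host>***.***.***.***</host>
        <port>3306</port>
        <user>xbmc</user>
        <pass>xbmc</pass>
        <!-- one root name per client: VidDbUserA on user A's clients, VidDbUserB on user B's -->
        <name>[VidDbUserA|VidDbUserB]</name>
    </videodatabase>

    <musicdatabase>
        <type>mysql</type>
        <host>***.***.***.***</host>
        <port>3306</port>
        <user>xbmc</user>
        <pass>xbmc</pass>
        <!-- one root name per client: MusDbUserA on user A's clients, MusDbUserB on user B's -->
        <name>[MusDbUserA|MusDbUserB]</name>
    </musicdatabase>
</advancedsettings>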


That will create the following databases in your MySQL setup:
VidDbUserA77, VidDbUserB77, MusDbUserA37, MusDbUserB37

Each will be independent from the others.
Reply
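
One way to make the per-user split from post #11 hold on the server side, as an added example that is not part of the original thread: with the shared `xbmc` account shown in the post, any client can point `<name>` at the other user's database and read the paths (and the credentials embedded in them), so each user gets a MySQL account scoped to their own database prefix. The account names, passwords and the `'%'` host pattern are assumptions; the database prefixes are the ones from the post.

```sql
-- Added example (not from the thread). Account names, passwords and host
-- patterns are placeholders; the database prefixes come from post #11.

-- User A may create and use only databases whose names start with
-- VidDbUserA / MusDbUserA. XBMC appends the schema version itself
-- (e.g. VidDbUserA77), which is why the grant uses a prefix pattern.
CREATE USER 'xbmc_usera'@'%' IDENTIFIED BY 'CHANGE_ME_A';
GRANT ALL PRIVILEGES ON `VidDbUserA%`.* TO 'xbmc_usera'@'%';
GRANT ALL PRIVILEGES ON `MusDbUserA%`.* TO 'xbmc_usera'@'%';

-- User B, scoped the same way to the other pair of databases.
CREATE USER 'xbmc_userb'@'%' IDENTIFIED BY 'CHANGE_ME_B';
GRANT ALL PRIVILEGES ON `VidDbUserB%`.* TO 'xbmc_userb'@'%';
GRANT ALL PRIVILEGES ON `MusDbUserB%`.* TO 'xbmc_userb'@'%';

-- In a database-level GRANT both % and _ act as wildcards. A prefix that
-- contains an underscore must escape it (\_) or the grant matches more
-- database names than intended.

-- Audit 1: any account with a global SELECT privilege can read every
-- user's database regardless of the grants above. A shared account
-- created with GRANT ... ON *.* shows up here.
SELECT User, Host
FROM mysql.user
WHERE Select_priv = 'Y';

-- Audit 2: which accounts hold database-level grants on the library
-- databases, and through which name pattern.
SELECT User, Host, Db, Select_priv
FROM mysql.db
WHERE Db LIKE 'VidDb%' OR Db LIKE 'MusDb%'
ORDER BY Db, User;

-- Audit 3: the effective grants for one account.
SHOW GRANTS FOR 'xbmc_usera'@'%';
```

Each client's advancedsettings.xml then carries its own user's account in `<user>`/`<pass>` next to the matching `<name>`, and the shared account is removed once audit 1 and 2 show no other route into the databases.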
#12
I've been struggling with this myself.

In my case, I'm on a Windows domain.

I set up a domain account (XBMCMedia) that has few privileges other than being able to read my media shares, and write to the shared thumbnails directory. Internal clients have "passwords.xml" files that use the XBMCMedia account.

I set up IIS WebDAV sharing to stream my directories using SSL. External clients have "passwords.xml" files that replace the Samba shares with the WebDAV shares. Each external user has their own account, and their own passwords.xml file. The "XBMCMedia" account is not authorized to access the WebDAV shares.

Internally, I use a full-access MySQL account, which is limited to connections from the local network (192.168.1.%). Externally, I use a read-only MySQL account.

I tailor the "sources.xml" and "passwords.xml" files for external users, so that I can remove things like our family photos and home videos. Because the users are in a group which COULD access the missing shares, they could add them if they could guess the WebDAV directory, but these shares have been removed more as a courtesy to the users than as a security measure.

This isn't a perfect setup. I've had no luck - so far - implementing SSL on the database, so that information is sent in the clear, but there's little that anyone could do with any information they did acquire through packet-sniffing.

I'd welcome any thoughts or ideas about what I'm doing right now... it's still a work in progress.
Reply
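
The two MySQL accounts described in post #12, sketched as an added example that is not the poster's own configuration: a full-access account accepted only from 192.168.1.%, and a read-only account for external clients that the server rejects unless the connection is encrypted. Account names, passwords and the `MyVideos`/`MyMusic` database prefixes are assumptions.

```sql
-- Added example (not from the thread). Account names, passwords and the
-- MyVideos / MyMusic database prefixes are assumptions.

-- Internal clients: full access, accepted only from the local network
-- (192.168.1.% is the range given in post #12).
CREATE USER 'xbmc_lan'@'192.168.1.%' IDENTIFIED BY 'CHANGE_ME_LAN';
GRANT ALL PRIVILEGES ON `MyVideos%`.* TO 'xbmc_lan'@'192.168.1.%';
GRANT ALL PRIVILEGES ON `MyMusic%`.*  TO 'xbmc_lan'@'192.168.1.%';

-- External clients: SELECT only, and only over an encrypted connection.
-- CREATE USER ... REQUIRE SSL needs MySQL 5.7.6+ or MariaDB 10.2+; on
-- older servers the REQUIRE SSL clause goes on the GRANT statement.
-- The server must already have TLS certificates configured, and a
-- client that cannot speak TLS will be refused.
CREATE USER 'xbmc_ext'@'%' IDENTIFIED BY 'CHANGE_ME_EXT' REQUIRE SSL;
GRANT SELECT ON `MyVideos%`.* TO 'xbmc_ext'@'%';
GRANT SELECT ON `MyMusic%`.*  TO 'xbmc_ext'@'%';

-- A SELECT-only account cannot write to the library (watched state, for
-- example) and cannot create or migrate a schema version, so the
-- databases have to be created and upgraded by a full-access client.

-- Check 1: which accounts are forced onto TLS. ssl_type is empty for
-- accounts that may connect in the clear and 'ANY' for REQUIRE SSL.
SELECT User, Host, ssl_type
FROM mysql.user
WHERE User IN ('xbmc_lan', 'xbmc_ext');

-- Check 2: run from a client session. An empty Value means this
-- connection is not encrypted.
SHOW SESSION STATUS LIKE 'Ssl_cipher';

-- Check 3: confirm the external account holds nothing beyond SELECT.
SHOW GRANTS FOR 'xbmc_ext'@'%';
```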
