sulu: Use static roles and UserInterface

2025-12-10 07:44:50 +01:00 · 2024-05-23 18:07:00 +05:30 · 2024-05-23 18:07:00 +05:30 · 08ce89a394
commit 08ce89a394
parent e4416db22b
9 changed files with 747 additions and 119 deletions
--- a/sulu/sulu-builder/Makefile
+++ b/sulu/sulu-builder/Makefile
@ -5,7 +5,7 @@
 include $(TOPDIR)/rules.mk

 PKG_NAME:=sulu-builder
-PKG_VERSION:=3.1.59
+PKG_VERSION:=3.1.60
 PKG_RELEASE:=1

 PKG_SOURCE_PROTO:=git
@ -145,9 +145,12 @@ define Package/sulu/install/Default
 	$(INSTALL_BIN) ./files/etc/sulu/sulu.sh $(1)/etc/sulu/
 	$(INSTALL_DATA) ./files/etc/sulu/nginx.locations $(1)/etc/sulu/

+	$(INSTALL_DIR) $(1)/etc/users/roles
+	$(INSTALL_DATA) ./files/etc/users/roles/*.json $(1)/etc/users/roles/
+
 	$(INSTALL_DIR) $(1)/etc/uci-defaults
 	$(INSTALL_BIN) ./files/etc/uci-defaults/99-fix-sulu-config $(1)/etc/uci-defaults/
-	$(INSTALL_BIN) ./files/etc/uci-defaults/40-add-sulu-nginx-config $(1)/etc/uci-defaults/
+	$(INSTALL_BIN) ./files/etc/uci-defaults/40-add-sulu-userinterface-config $(1)/etc/uci-defaults/
 	$(INSTALL_BIN) ./files/etc/uci-defaults/01-update-nginx-uci-template $(1)/etc/uci-defaults/
 	$(INSTALL_BIN) ./files/etc/uci-defaults/10-add-mqtt-config $(1)/etc/uci-defaults/
 ifeq ($(CONFIG_SULU_PWA_APP),y)
--- a/sulu/sulu-builder/files/etc/config/sulu
+++ b/sulu/sulu-builder/files/etc/config/sulu
@ -1,4 +1,2 @@
 config global 'global'
-	option SessionMode 'Allow'
-	list user 'admin'
-	list user 'user'
+	option enabled '1'
--- a/sulu/sulu-builder/files/etc/init.d/sulu
+++ b/sulu/sulu-builder/files/etc/init.d/sulu
@ -6,7 +6,6 @@ START=60
 STOP=01

 . /lib/functions.sh
-. /etc/sulu/sulu.sh

 log() {
 	echo "${@}"|logger -t sulu.init -p debug
@ -15,12 +14,11 @@ log() {
 validate_sulu_global_section()
 {
 	uci_validate_section sulu global global \
-		'enabled:bool:1' \
-		'enable_system_credentials:bool:1'
+		'enabled:bool:1'
 }

 start_service() {
-	local enabled enable_system_credentials
+	local enabled

 	config_load sulu
 	procd_open_instance sulu
@ -33,8 +31,8 @@ start_service() {
 	fi

 	update_nginx_template
-	configure_sulu "${enable_system_credentials}" 1
-	generate_sulu_conn_config
+
+	/etc/sulu/sulu.sh -r
 	procd_close_instance
 }

@ -45,5 +43,5 @@ reload_service() {

 service_triggers()
 {
-	procd_add_reload_trigger "sulu" "nginx"
+	procd_add_reload_trigger "sulu" "userinterface"
 }
--- a/sulu/sulu-builder/files/etc/sulu/sulu.sh
+++ b/sulu/sulu-builder/files/etc/sulu/sulu.sh
@ -3,7 +3,9 @@
 # format using "shfmt"

 . /lib/functions.sh
+. /usr/share/libubox/jshn.sh

+RESTART_REQ=0
 _RESTART_SERVICES="0"

 mkdir -p /tmp/sulu/
@ -39,8 +41,20 @@ function _get_endpoint_id() {
 	fi
 }

-function _get_sulu_users() {
-	echo "$(uci -q get sulu.global.user)"
+function _get_sulu_user_roles() {
+	roles=$(uci -q get userinterface._sulu_s.role)
+
+	for role in ${roles}; do
+		if [ -f "/etc/users/roles/$role.json" ]; then
+			sulu_user_roles="${sulu_user_roles} ${role}"
+		fi
+	done
+
+	if [ -n "${sulu_user_roles}" ]; then
+		sulu_user_roles=$(echo -e "${sulu_user_roles// /\\n}" | sort | uniq)
+	fi
+
+	echo ${sulu_user_roles}
 }

 function _get_sulu_root() {
@ -91,7 +105,7 @@ function update_nginx_template() {
 	port="$(_get_usp_upstream_port)"
 	if ! grep -q "upstream websocket { server 127.0.0.1:${port}; }" ${UCI_TEMPLATE}; then
 		sed -i "s/upstream websocket { server 127.0.0.1:[0-9]\+; }/upstream websocket { server 127.0.0.1:${var}; }/" ${UCI_TEMPLATE}
-		log "Restarting nginx"
+		slog "Restarting nginx"
 		ubus call uci commit '{"config":"nginx"}'
 	fi
 }
@ -99,7 +113,7 @@ function update_nginx_template() {
 function generate_sulu_conn_config() {
 	local users SCONFIG session

-	users="$(_get_sulu_users)"
+	users="$(_get_sulu_user_roles)"
 	session="$(_get_sulu_session_mode)"
 	SCONFIG="$(_get_sulu_connection_config)"

@ -139,32 +153,34 @@ function generate_sulu_conn_config() {
 	json_dump >${SCONFIG}
 }

-function _remove_obuspa_config() {
-	local restart session
+cleanup_sulu_usp_config() {
+	local users sec stype tmp

-	restart=0
-	if [ "$(uci_get obuspa localmqtt)" == "mqtt" ]; then
-		uci_remove obuspa localmqtt
-		restart=1
+	sec="${1}"
+	stype="${2}"
+	users="${3}"
+
+	if [[ "${sec}" == "${stype}_sulu_"* ]]; then
+		tmp="${sec//${stype}_sulu_/}"
+
+		val="$(echo ${users}|grep -w -o $tmp)"
+		if [ -z "$val" ]; then
+			_remove_sulu_section "${sec}"
+			RESTART_REQ=1
+		fi
 	fi
-	if [ "$(uci_get obuspa agent_mtp)" == "mtp" ]; then
-		uci_remove obuspa agent_mtp
-		restart=1
-	fi
-	if [ "$(uci_get obuspa localcontroller)" == "controller" ]; then
-		uci_remove obuspa localcontroller
-		restart=1
-	fi
-	return "${restart}"
 }

 function _update_obuspa_config_rbac() {
-	local agent users restart session
+	local agent users session

 	agent="$(_get_agent_id)"
-	users="$(_get_sulu_users)"
+	users="$(_get_sulu_user_roles)"
 	session="$(_get_sulu_session_mode)"
-	restart=0
+
+	config_foreach cleanup_sulu_usp_config controller controller "${users}"
+	config_foreach cleanup_sulu_usp_config mtp mtp "${users}"
+	config_foreach cleanup_sulu_usp_config mqtt mqtt "${users}"

 	for user in ${users}; do
 		local section
@ -176,7 +192,7 @@ function _update_obuspa_config_rbac() {
 			uci_set obuspa ${section} BrokerAddress "127.0.0.1"
 			uci_set obuspa ${section} BrokerPort "1883"
 			uci_set obuspa ${section} TransportProtocol "TCP/IP"
-			restart=1
+			RESTART_REQ=1
 		fi

 		# Add mtp
@ -186,7 +202,7 @@ function _update_obuspa_config_rbac() {
 			uci_set obuspa ${section} Protocol "MQTT"
 			uci_set obuspa ${section} ResponseTopicConfigured "/usp/${agent}/${user}/endpoint"
 			uci_set obuspa ${section} mqtt "mqtt_sulu_$user"
-			restart=1
+			RESTART_REQ=1
 		fi

 		# Add controller
@ -198,16 +214,15 @@ function _update_obuspa_config_rbac() {
 			uci_set obuspa ${section} Topic "/usp/${agent}/${user}/controller"
 			uci_set obuspa ${section} mqtt "mqtt_sulu_$user"
 			uci_set obuspa ${section} assigned_role_name "$user"
-			restart=1
+			RESTART_REQ=1
 		fi

 		obMode="$(uci_get obuspa ${section} SessionMode)"
 		if [ "${session}" != "${obMode}" ]; then
 			uci_set obuspa ${section} SessionMode "${session}"
-			restart=1
+			RESTART_REQ=1
 		fi
 	done
-	return "${restart}"
 }

 function _remove_sulu_section() {
@ -221,10 +236,10 @@ function _remove_sulu_section() {
 }

 function _create_acl() {
-	local agentid users restart
+	local agentid users
 	local ACL_FILE

-	restart="0"
+	RESTART_REQ="0"

 	ACL_FILE="$(_get_sulu_acl_file)"
 	if [ -z "${ACL_FILE}" ]; then
@ -236,7 +251,7 @@ function _create_acl() {
 	fi
 	touch "${ACL_FILE}"

-	users="$(_get_sulu_users)"
+	users="$(_get_sulu_user_roles)"
 	agentid="$(_get_agent_id)"
 	for user in ${users}; do
 		if ! grep -q "user $user" ${ACL_FILE}; then
@ -245,47 +260,45 @@ function _create_acl() {
 			echo "topic write /usp/${agentid}/${user}/endpoint/#" >>${ACL_FILE}
 			echo "topic read  /usp/${agentid}/${user}/controller/#" >>${ACL_FILE}
 			echo "" >>${ACL_FILE}
-			restart="1"
+			RESTART_REQ="1"
 		fi
 	done

-	if [ "${restart}" -gt "0" ]; then
+	if [ "${RESTART_REQ}" -gt "0" ]; then
 		slog "Restarting mosquitto..."
 		ubus call uci commit '{"config":"mosquitto"}'
 	fi
 }

 function update_obuspa_config() {
-	local restart
-
-	restart=0

+	RESTART_REQ=0
 	uci_load obuspa
-	_remove_obuspa_config
-	restart="$((restart + $?))"
 	_update_obuspa_config_rbac
-	restart="$((restart + $?))"
 	uci_commit obuspa

-	if [ "${_RESTART_SERVICES}" -eq "1" -a "${restart}" -gt "0" ]; then
+	if [ "${_RESTART_SERVICES}" -eq "1" -a "${RESTART_REQ}" -gt "0" ]; then
 		slog "Restarting obuspa..."
 		ubus call uci commit '{"config":"obuspa"}'
 	fi
 }

 function configure_sulu() {
-	local sys_cred restart
-
-	sys_cred="${1}"
-	restart="${2:-0}"
-
-	if [ -z "${sys_cred}" ]; then
-		slog "Invalid inputs"
-		return 0
-	fi
-
-	_RESTART_SERVICES="${restart}"
-
 	update_obuspa_config
 	_create_acl
+	generate_sulu_conn_config
 }
+
+while getopts ":r" opt; do
+	case ${opt} in
+	r)
+		_RESTART_SERVICES="1"
+		;;
+	*)
+		slog "Invalid option: ${OPTARG}"
+		exit 1
+		;;
+	esac
+done
+
+configure_sulu
--- a/sulu/sulu-builder/files/etc/uci-defaults/40-add-sulu-nginx-config
+++ b/sulu/sulu-builder/files/etc/uci-defaults/40-add-sulu-nginx-config
@ -1,49 +0,0 @@
-#!/bin/sh
-
-. /lib/functions.sh
-
-add_sulu_nginx_uci()
-{
-	uci_load nginx
-
-	if ! uci_get nginx _sulu_s >/dev/null 2>&1; then
-		uci_add nginx server _sulu_s
-		uci_set nginx _sulu_s root '/sulu'
-		uci_add_list nginx _sulu_s listen "8443 ssl default_server"
-		uci_add_list nginx _sulu_s listen "[::]:8443 ssl default_server"
-		uci_set nginx _sulu_s server_name '_sulu_s'
-		uci_add_list nginx _sulu_s include '/etc/sulu/nginx.locations'
-		uci_set nginx _sulu_s uci_manage_ssl 'self-signed'
-        	uci_set nginx _sulu_s ssl_certificate '/etc/nginx/conf.d/_lan.crt'
-	        uci_set nginx _sulu_s ssl_certificate_key '/etc/nginx/conf.d/_lan.key'
-	        uci_set nginx _sulu_s ssl_session_cache 'none'
-		uci_set nginx _sulu_s access_log 'off; # logd openwrt'
-		uci_set nginx _sulu_s error_log '/dev/null'
-	fi
-
-	# To host on http, disable _suluredirect and enable _sulu_http
-	if ! uci_get nginx _suluredirect >/dev/null 2>&1; then
-		uci_add nginx server _suluredirect
-		uci_add_list nginx _suluredirect listen "8080"
-		uci_add_list nginx _suluredirect listen "[::]:8080"
-		uci_set nginx _suluredirect server_name '_suluredirect'
-		uci_set nginx _suluredirect return '302 https://$host:8443$request_uri'
-	fi
-	
-	if uci_get nginx _sulu_http >/dev/null 2>&1; then
-		uci_remove nginx _sulu_http
-	fi
-#	if ! uci_get nginx _sulu_http >/dev/null 2>&1; then
-#		uci_add nginx server _sulu_http
-#		uci_set nginx _sulu_http root '/sulu'
-#		uci_add_list nginx _sulu_http listen "8080"
-#		uci_add_list nginx _sulu_http listen "[::]:8080"
-#		uci_set nginx _sulu_http server_name '_sulu_http'
-#		uci_add_list nginx _sulu_http include '/etc/sulu/nginx.locations'
-#	        uci_set nginx _sulu_http ssl_session_cache 'none'
-#		uci_set nginx _sulu_http access_log 'off; # logd openwrt'
-#	fi
-}
-
-
-add_sulu_nginx_uci
--- a/sulu/sulu-builder/files/etc/uci-defaults/40-add-sulu-userinterface-config
+++ b/sulu/sulu-builder/files/etc/uci-defaults/40-add-sulu-userinterface-config
@ -0,0 +1,32 @@
+#!/bin/sh
+
+. /lib/functions.sh
+
+add_sulu_userinterface_uci()
+{
+	uci_load userinterface
+
+	if ! uci_get userinterface _sulu_s >/dev/null 2>&1; then
+		uci_add userinterface http_access _sulu_s
+		uci_set userinterface _sulu_s path_prefix '/sulu'
+		uci_set userinterface _sulu_s port '8443'
+		uci_add_list userinterface _sulu_s _nginx_include '/etc/sulu/nginx.locations'
+		uci_set userinterface _sulu_s _nginx_uci_manage_ssl 'self-signed'
+        	uci_set userinterface _sulu_s _nginx_ssl_certificate '/etc/nginx/conf.d/_lan.crt'
+	        uci_set userinterface _sulu_s _nginx_ssl_certificate_key '/etc/nginx/conf.d/_lan.key'
+	        uci_set userinterface _sulu_s _nginx_ssl_session_cache 'none'
+	        uci_set userinterface _sulu_s protocol 'HTTPS'
+		uci_add_list userinterface _sulu_s role 'admin'
+		uci_add_list userinterface _sulu_s role 'user'
+	fi
+
+	if ! uci_get userinterface _suluredirect >/dev/null 2>&1; then
+		uci_add userinterface http_access _suluredirect
+		uci_set userinterface _suluredirect redirect '_sulu_s'
+	        uci_set userinterface _suluredirect protocol 'HTTP'
+		uci_set userinterface _suluredirect port "8080"
+	fi
+}
+
+
+add_sulu_userinterface_uci
--- a/sulu/sulu-builder/files/etc/uci-defaults/99-fix-sulu-config
+++ b/sulu/sulu-builder/files/etc/uci-defaults/99-fix-sulu-config
@ -1,9 +1,3 @@
 #!/bin/sh

-. /etc/sulu/sulu.sh
-
-config_load sulu
-config_get enable_system_credentials global enable_system_credentials 1
-
-configure_sulu "${enable_system_credentials}" 0
-generate_sulu_conn_config
+/etc/sulu/sulu.sh
--- a/sulu/sulu-builder/files/etc/users/roles/admin.json
+++ b/sulu/sulu-builder/files/etc/users/roles/admin.json
@ -0,0 +1,538 @@
+{
+  "tr181": {
+    "permission": [
+      {
+        "object": "Device.",
+        "perm": [
+          "PERMIT_GET",
+          "PERMIT_GET_INST",
+          "PERMIT_OBJ_INFO",
+          "PERMIT_CMD_INFO",
+          "PERMIT_SUBS_VAL_CHANGE",
+          "PERMIT_SUBS_OBJ_ADD",
+          "PERMIT_SUBS_OBJ_DEL",
+          "PERMIT_SUBS_EVT_OPER_COMP"
+        ]
+      },
+      {
+        "object": "Device.Reboot()",
+        "perm": [
+          "PERMIT_GET",
+          "PERMIT_GET_INST",
+          "PERMIT_OBJ_INFO",
+          "PERMIT_CMD_INFO",
+          "PERMIT_OPER",
+          "PERMIT_SUBS_EVT_OPER_COMP"
+        ]
+      },
+      {
+        "object": "Device.SelfTestDiagnostics()",
+        "perm": [
+          "PERMIT_GET",
+          "PERMIT_GET_INST",
+          "PERMIT_OBJ_INFO",
+          "PERMIT_CMD_INFO",
+          "PERMIT_OPER",
+          "PERMIT_SUBS_EVT_OPER_COMP"
+        ]
+      },
+      {
+        "object": "Device.FactoryReset()",
+        "perm": [
+          "PERMIT_GET",
+          "PERMIT_GET_INST",
+          "PERMIT_OBJ_INFO",
+          "PERMIT_CMD_INFO",
+          "PERMIT_OPER",
+          "PERMIT_SUBS_EVT_OPER_COMP"
+        ]
+      },
+      {
+        "object": "Device.DeviceInfo.",
+        "perm": [
+          "PERMIT_GET",
+          "PERMIT_GET_INST",
+          "PERMIT_OBJ_INFO",
+          "PERMIT_CMD_INFO",
+          "PERMIT_SET",
+          "PERMIT_OPER",
+          "PERMIT_SUBS_VAL_CHANGE",
+          "PERMIT_SUBS_OBJ_ADD",
+          "PERMIT_SUBS_OBJ_DEL",
+          "PERMIT_SUBS_EVT_OPER_COMP"
+        ]
+      },
+      {
+        "object":"Device.Time.",
+        "perm": [
+          "PERMIT_GET",
+          "PERMIT_GET_INST",
+          "PERMIT_OBJ_INFO",
+          "PERMIT_CMD_INFO",
+          "PERMIT_SET",
+          "PERMIT_OPER",
+          "PERMIT_SUBS_VAL_CHANGE",
+          "PERMIT_SUBS_OBJ_ADD",
+          "PERMIT_SUBS_OBJ_DEL",
+          "PERMIT_SUBS_EVT_OPER_COMP"
+        ]
+      },
+      {
+        "object":"Device.UPnP.",
+        "perm": [
+          "PERMIT_GET",
+          "PERMIT_GET_INST",
+          "PERMIT_OBJ_INFO",
+          "PERMIT_CMD_INFO",
+          "PERMIT_SET",
+          "PERMIT_OPER",
+          "PERMIT_SUBS_VAL_CHANGE",
+          "PERMIT_SUBS_OBJ_ADD",
+          "PERMIT_SUBS_OBJ_DEL",
+          "PERMIT_SUBS_EVT_OPER_COMP"
+        ]
+      },
+      {
+        "object":"Device.Bridging.",
+        "perm": [
+          "PERMIT_GET",
+          "PERMIT_GET_INST",
+          "PERMIT_OBJ_INFO",
+          "PERMIT_CMD_INFO",
+          "PERMIT_SET",
+          "PERMIT_OPER",
+          "PERMIT_SUBS_VAL_CHANGE",
+          "PERMIT_SUBS_OBJ_ADD",
+          "PERMIT_SUBS_OBJ_DEL",
+          "PERMIT_SUBS_EVT_OPER_COMP"
+        ]
+      },
+      {
+        "object":"Device.Ethernet.",
+        "perm": [
+          "PERMIT_GET",
+          "PERMIT_GET_INST",
+          "PERMIT_OBJ_INFO",
+          "PERMIT_CMD_INFO",
+          "PERMIT_SET",
+          "PERMIT_OPER",
+          "PERMIT_SUBS_VAL_CHANGE",
+          "PERMIT_SUBS_OBJ_ADD",
+          "PERMIT_SUBS_OBJ_DEL",
+          "PERMIT_SUBS_EVT_OPER_COMP"
+        ]
+      },
+      {
+        "object":"Device.DHCPv4.",
+        "perm": [
+          "PERMIT_GET",
+          "PERMIT_GET_INST",
+          "PERMIT_OBJ_INFO",
+          "PERMIT_CMD_INFO",
+          "PERMIT_SET",
+          "PERMIT_OPER",
+          "PERMIT_SUBS_VAL_CHANGE",
+          "PERMIT_SUBS_OBJ_ADD",
+          "PERMIT_SUBS_OBJ_DEL",
+          "PERMIT_SUBS_EVT_OPER_COMP"
+        ]
+      },
+      {
+        "object":"Device.DHCPv4.Server.Pool.{i}.StaticAddress.",
+        "perm": [
+          "PERMIT_GET",
+          "PERMIT_GET_INST",
+          "PERMIT_OBJ_INFO",
+          "PERMIT_CMD_INFO",
+          "PERMIT_SET",
+          "PERMIT_ADD",
+          "PERMIT_DEL",
+          "PERMIT_OPER",
+          "PERMIT_SUBS_VAL_CHANGE",
+          "PERMIT_SUBS_OBJ_ADD",
+          "PERMIT_SUBS_OBJ_DEL",
+          "PERMIT_SUBS_EVT_OPER_COMP"
+        ]
+      },
+      {
+        "object":"Device.DHCPv6.",
+        "perm": [
+          "PERMIT_GET",
+          "PERMIT_GET_INST",
+          "PERMIT_OBJ_INFO",
+          "PERMIT_CMD_INFO",
+          "PERMIT_SET",
+          "PERMIT_OPER",
+          "PERMIT_SUBS_VAL_CHANGE",
+          "PERMIT_SUBS_OBJ_ADD",
+          "PERMIT_SUBS_OBJ_DEL",
+          "PERMIT_SUBS_EVT_OPER_COMP"
+        ]
+      },
+      {
+        "object":"Device.Hosts.",
+        "perm": [
+          "PERMIT_GET",
+          "PERMIT_GET_INST",
+          "PERMIT_OBJ_INFO",
+          "PERMIT_CMD_INFO",
+          "PERMIT_SET",
+          "PERMIT_ADD",
+          "PERMIT_DEL",
+          "PERMIT_OPER",
+          "PERMIT_SUBS_VAL_CHANGE",
+          "PERMIT_SUBS_OBJ_ADD",
+          "PERMIT_SUBS_OBJ_DEL",
+          "PERMIT_SUBS_EVT_OPER_COMP"
+        ]
+      },
+      {
+        "object":"Device.{BBF_VENDOR_PREFIX}URLFilter.",
+        "perm": [
+          "PERMIT_GET",
+          "PERMIT_GET_INST",
+          "PERMIT_OBJ_INFO",
+          "PERMIT_CMD_INFO",
+          "PERMIT_SET",
+          "PERMIT_ADD",
+          "PERMIT_DEL",
+          "PERMIT_OPER",
+          "PERMIT_SUBS_VAL_CHANGE",
+          "PERMIT_SUBS_OBJ_ADD",
+          "PERMIT_SUBS_OBJ_DEL",
+          "PERMIT_SUBS_EVT_OPER_COMP"
+        ]
+      },
+      {
+        "object":"Device.{BBF_VENDOR_PREFIX}OpenVPN.",
+        "perm": [
+          "PERMIT_GET",
+          "PERMIT_GET_INST",
+          "PERMIT_OBJ_INFO",
+          "PERMIT_CMD_INFO",
+          "PERMIT_SET",
+          "PERMIT_ADD",
+          "PERMIT_DEL",
+          "PERMIT_OPER",
+          "PERMIT_SUBS_VAL_CHANGE",
+          "PERMIT_SUBS_OBJ_ADD",
+          "PERMIT_SUBS_OBJ_DEL",
+          "PERMIT_SUBS_EVT_OPER_COMP"
+        ]
+      },
+      {
+        "object":"Device.NAT.",
+        "perm": [
+          "PERMIT_GET",
+          "PERMIT_GET_INST",
+          "PERMIT_OBJ_INFO",
+          "PERMIT_CMD_INFO",
+          "PERMIT_SET",
+          "PERMIT_ADD",
+          "PERMIT_DEL",
+          "PERMIT_OPER",
+          "PERMIT_SUBS_VAL_CHANGE",
+          "PERMIT_SUBS_OBJ_ADD",
+          "PERMIT_SUBS_OBJ_DEL",
+          "PERMIT_SUBS_EVT_OPER_COMP"
+        ]
+      },
+      {
+        "object":"Device.PPP.",
+        "perm": [
+          "PERMIT_GET",
+          "PERMIT_GET_INST",
+          "PERMIT_OBJ_INFO",
+          "PERMIT_CMD_INFO",
+          "PERMIT_SET",
+          "PERMIT_OPER",
+          "PERMIT_SUBS_VAL_CHANGE",
+          "PERMIT_SUBS_OBJ_ADD",
+          "PERMIT_SUBS_OBJ_DEL",
+          "PERMIT_SUBS_EVT_OPER_COMP"
+        ]
+      },
+      {
+        "object":"Device.Routing.",
+        "perm": [
+          "PERMIT_GET",
+          "PERMIT_GET_INST",
+          "PERMIT_OBJ_INFO",
+          "PERMIT_CMD_INFO",
+          "PERMIT_SET",
+          "PERMIT_OPER",
+          "PERMIT_SUBS_VAL_CHANGE",
+          "PERMIT_SUBS_OBJ_ADD",
+          "PERMIT_SUBS_OBJ_DEL",
+          "PERMIT_SUBS_EVT_OPER_COMP"
+        ]
+      },
+      {
+        "object":"Device.IEEE1905.",
+        "perm": [
+          "PERMIT_GET",
+          "PERMIT_GET_INST",
+          "PERMIT_OBJ_INFO",
+          "PERMIT_CMD_INFO",
+          "PERMIT_SET",
+          "PERMIT_OPER",
+          "PERMIT_SUBS_VAL_CHANGE",
+          "PERMIT_SUBS_OBJ_ADD",
+          "PERMIT_SUBS_OBJ_DEL",
+          "PERMIT_SUBS_EVT_OPER_COMP"
+        ]
+      },
+      {
+        "object":"Device.InterfaceStack.",
+        "perm": [
+          "PERMIT_GET",
+          "PERMIT_GET_INST",
+          "PERMIT_OBJ_INFO",
+          "PERMIT_CMD_INFO",
+          "PERMIT_SET",
+          "PERMIT_OPER",
+          "PERMIT_SUBS_VAL_CHANGE",
+          "PERMIT_SUBS_OBJ_ADD",
+          "PERMIT_SUBS_OBJ_DEL",
+          "PERMIT_SUBS_EVT_OPER_COMP"
+        ]
+      },
+      {
+        "object":"Device.DynamicDNS.",
+        "perm": [
+          "PERMIT_GET",
+          "PERMIT_GET_INST",
+          "PERMIT_OBJ_INFO",
+          "PERMIT_CMD_INFO",
+          "PERMIT_SET",
+          "PERMIT_ADD",
+          "PERMIT_DEL",
+          "PERMIT_OPER",
+          "PERMIT_SUBS_VAL_CHANGE",
+          "PERMIT_SUBS_OBJ_ADD",
+          "PERMIT_SUBS_OBJ_DEL",
+          "PERMIT_SUBS_EVT_OPER_COMP"
+        ]
+      },
+      {
+        "object":"Device.LANConfigSecurity.",
+        "perm": [
+          "PERMIT_GET",
+          "PERMIT_GET_INST",
+          "PERMIT_OBJ_INFO",
+          "PERMIT_CMD_INFO",
+          "PERMIT_SET",
+          "PERMIT_OPER",
+          "PERMIT_SUBS_VAL_CHANGE",
+          "PERMIT_SUBS_OBJ_ADD",
+          "PERMIT_SUBS_OBJ_DEL",
+          "PERMIT_SUBS_EVT_OPER_COMP"
+        ]
+      },
+      {
+        "object":"Device.Security.",
+        "perm": [
+          "PERMIT_GET",
+          "PERMIT_GET_INST",
+          "PERMIT_OBJ_INFO",
+          "PERMIT_CMD_INFO",
+          "PERMIT_SET",
+          "PERMIT_OPER",
+          "PERMIT_SUBS_VAL_CHANGE",
+          "PERMIT_SUBS_OBJ_ADD",
+          "PERMIT_SUBS_OBJ_DEL",
+          "PERMIT_SUBS_EVT_OPER_COMP"
+        ]
+      },
+      {
+        "object":"Device.RouterAdvertisement.",
+        "perm": [
+          "PERMIT_GET",
+          "PERMIT_GET_INST",
+          "PERMIT_OBJ_INFO",
+          "PERMIT_CMD_INFO",
+          "PERMIT_SET",
+          "PERMIT_OPER",
+          "PERMIT_SUBS_VAL_CHANGE",
+          "PERMIT_SUBS_OBJ_ADD",
+          "PERMIT_SUBS_OBJ_DEL",
+          "PERMIT_SUBS_EVT_OPER_COMP"
+        ]
+      },
+      {
+        "object":"Device.Services.",
+        "perm": [
+          "PERMIT_GET",
+          "PERMIT_GET_INST",
+          "PERMIT_OBJ_INFO",
+          "PERMIT_CMD_INFO",
+          "PERMIT_SET",
+          "PERMIT_ADD",
+          "PERMIT_DEL",
+          "PERMIT_OPER",
+          "PERMIT_SUBS_VAL_CHANGE",
+          "PERMIT_SUBS_OBJ_ADD",
+          "PERMIT_SUBS_OBJ_DEL",
+          "PERMIT_SUBS_EVT_OPER_COMP"
+        ]
+      },
+      {
+        "object":"Device.UserInterface.",
+        "perm": [
+          "PERMIT_GET",
+          "PERMIT_GET_INST",
+          "PERMIT_OBJ_INFO",
+          "PERMIT_CMD_INFO",
+          "PERMIT_SET",
+          "PERMIT_OPER",
+          "PERMIT_SUBS_VAL_CHANGE",
+          "PERMIT_SUBS_OBJ_ADD",
+          "PERMIT_SUBS_OBJ_DEL",
+          "PERMIT_SUBS_EVT_OPER_COMP"
+        ]
+      },
+      {
+        "object":"Device.PeriodicStatistics.",
+        "perm": [
+          "PERMIT_GET",
+          "PERMIT_GET_INST",
+          "PERMIT_OBJ_INFO",
+          "PERMIT_CMD_INFO",
+          "PERMIT_SET",
+          "PERMIT_ADD",
+          "PERMIT_DEL",
+          "PERMIT_OPER",
+          "PERMIT_SUBS_VAL_CHANGE",
+          "PERMIT_SUBS_OBJ_ADD",
+          "PERMIT_SUBS_OBJ_DEL",
+          "PERMIT_SUBS_EVT_OPER_COMP"
+        ]
+      },
+      {
+        "object":"Device.SoftwareModules.",
+        "perm": [
+          "PERMIT_GET",
+          "PERMIT_GET_INST",
+          "PERMIT_OBJ_INFO",
+          "PERMIT_CMD_INFO",
+          "PERMIT_SET",
+          "PERMIT_ADD",
+          "PERMIT_DEL",
+          "PERMIT_OPER",
+          "PERMIT_SUBS_VAL_CHANGE",
+          "PERMIT_SUBS_OBJ_ADD",
+          "PERMIT_SUBS_OBJ_DEL",
+          "PERMIT_SUBS_EVT_OPER_COMP"
+        ]
+      },
+      {
+        "object":"Device.Users.",
+        "perm": [
+          "PERMIT_GET",
+          "PERMIT_GET_INST",
+          "PERMIT_OBJ_INFO",
+          "PERMIT_CMD_INFO",
+          "PERMIT_SET",
+          "PERMIT_OPER",
+          "PERMIT_SUBS_VAL_CHANGE",
+          "PERMIT_SUBS_OBJ_ADD",
+          "PERMIT_SUBS_OBJ_DEL",
+          "PERMIT_SUBS_EVT_OPER_COMP"
+        ]
+      },
+      {
+        "object": "Device.LocalAgent.",
+        "perm": [
+          "PERMIT_GET",
+          "PERMIT_GET_INST",
+          "PERMIT_OBJ_INFO",
+          "PERMIT_CMD_INFO",
+          "PERMIT_OPER",
+          "PERMIT_SUBS_VAL_CHANGE",
+          "PERMIT_SUBS_OBJ_ADD",
+          "PERMIT_SUBS_OBJ_DEL",
+          "PERMIT_SUBS_EVT_OPER_COMP"
+        ]
+      },
+      {
+        "object": "Device.LocalAgent.Subscription.",
+        "perm": [
+          "PERMIT_GET",
+          "PERMIT_GET_INST",
+          "PERMIT_OBJ_INFO",
+          "PERMIT_CMD_INFO",
+          "PERMIT_SET",
+          "PERMIT_ADD",
+          "PERMIT_DEL",
+          "PERMIT_OPER",
+          "PERMIT_SUBS_VAL_CHANGE",
+          "PERMIT_SUBS_OBJ_ADD",
+          "PERMIT_SUBS_OBJ_DEL",
+          "PERMIT_SUBS_EVT_OPER_COMP"
+        ]
+      },
+      {
+        "object": "Device.WiFi.",
+        "perm": [
+          "PERMIT_GET",
+          "PERMIT_GET_INST",
+          "PERMIT_OBJ_INFO",
+          "PERMIT_CMD_INFO",
+          "PERMIT_SET",
+          "PERMIT_OPER",
+          "PERMIT_SUBS_VAL_CHANGE",
+          "PERMIT_SUBS_OBJ_ADD",
+          "PERMIT_SUBS_OBJ_DEL",
+          "PERMIT_SUBS_EVT_OPER_COMP"
+        ]
+      },
+      {
+        "object": "Device.DNS.",
+        "perm": [
+          "PERMIT_GET",
+          "PERMIT_GET_INST",
+          "PERMIT_OBJ_INFO",
+          "PERMIT_CMD_INFO",
+          "PERMIT_SET",
+          "PERMIT_OPER",
+          "PERMIT_SUBS_VAL_CHANGE",
+          "PERMIT_SUBS_OBJ_ADD",
+          "PERMIT_SUBS_OBJ_DEL",
+          "PERMIT_SUBS_EVT_OPER_COMP"
+        ]
+      },
+      {
+        "object": "Device.IP.",
+        "perm": [
+          "PERMIT_GET",
+          "PERMIT_GET_INST",
+          "PERMIT_OBJ_INFO",
+          "PERMIT_CMD_INFO",
+          "PERMIT_SET",
+          "PERMIT_OPER",
+          "PERMIT_SUBS_VAL_CHANGE",
+          "PERMIT_SUBS_OBJ_ADD",
+          "PERMIT_SUBS_OBJ_DEL",
+          "PERMIT_SUBS_EVT_OPER_COMP"
+        ]
+      },
+      {
+        "object":"Device.SSH.",
+        "perm": [
+          "PERMIT_GET",
+          "PERMIT_GET_INST",
+          "PERMIT_OBJ_INFO",
+          "PERMIT_CMD_INFO",
+          "PERMIT_SET",
+          "PERMIT_ADD",
+          "PERMIT_DEL",
+          "PERMIT_OPER",
+          "PERMIT_SUBS_VAL_CHANGE",
+          "PERMIT_SUBS_OBJ_ADD",
+          "PERMIT_SUBS_OBJ_DEL",
+          "PERMIT_SUBS_EVT_OPER_COMP"
+        ]
+      }
+    ]
+  }
+}
--- a/sulu/sulu-builder/files/etc/users/roles/user.json
+++ b/sulu/sulu-builder/files/etc/users/roles/user.json
@ -0,0 +1,101 @@
+{
+  "tr181": {
+    "permission": [
+      {
+        "object": "Device.",
+        "perm": [
+          "PERMIT_NONE"
+        ]
+      },
+      {
+        "object": "Device.DeviceInfo.",
+        "perm": [
+          "PERMIT_GET",
+          "PERMIT_GET_INST",
+          "PERMIT_OBJ_INFO",
+          "PERMIT_CMD_INFO",
+          "PERMIT_SUBS_EVT_OPER_COMP"
+        ]
+      },
+      {
+        "object":"Device.Hosts.",
+        "perm": [
+          "PERMIT_GET",
+          "PERMIT_GET_INST",
+          "PERMIT_OBJ_INFO",
+          "PERMIT_CMD_INFO",
+          "PERMIT_SUBS_EVT_OPER_COMP"
+        ]
+      },
+      {
+        "object":"Device.IEEE1905.",
+        "perm": [
+          "PERMIT_GET",
+          "PERMIT_GET_INST",
+          "PERMIT_OBJ_INFO",
+          "PERMIT_CMD_INFO",
+          "PERMIT_SUBS_EVT_OPER_COMP"
+        ]
+      },
+      {
+        "object":"Device.DynamicDNS.",
+        "perm": [
+          "PERMIT_GET",
+          "PERMIT_GET_INST",
+          "PERMIT_OBJ_INFO",
+          "PERMIT_CMD_INFO",
+          "PERMIT_SUBS_EVT_OPER_COMP"
+        ]
+      },
+      {
+        "object":"Device.PeriodicStatistics.",
+        "perm": [
+          "PERMIT_GET",
+          "PERMIT_GET_INST",
+          "PERMIT_OBJ_INFO",
+          "PERMIT_CMD_INFO",
+          "PERMIT_SUBS_EVT_OPER_COMP"
+        ]
+      },
+      {
+        "object": "Device.LocalAgent.Subscription.",
+        "perm": [
+          "PERMIT_GET",
+          "PERMIT_GET_INST",
+          "PERMIT_OBJ_INFO",
+          "PERMIT_CMD_INFO",
+          "PERMIT_ADD",
+          "PERMIT_SET",
+          "PERMIT_DEL",
+          "PERMIT_SUBS_EVT_OPER_COMP"
+        ]
+      },
+      {
+        "object": "Device.WiFi.",
+        "perm": [
+          "PERMIT_GET",
+          "PERMIT_GET_INST",
+          "PERMIT_OBJ_INFO",
+          "PERMIT_CMD_INFO",
+          "PERMIT_SUBS_VAL_CHANGE",
+          "PERMIT_SUBS_OBJ_ADD",
+          "PERMIT_SUBS_OBJ_DEL"
+        ]
+      },
+      {
+        "object": "Device.WiFi.AccessPoint.{i}.WPS.InitiateWPSPBC()",
+        "perm": [
+          "PERMIT_OPER",
+          "PERMIT_SUBS_EVT_OPER_COMP"
+        ]
+      },
+      {
+        "object": "Device.WiFi.DataElements.Network.SetSSID()",
+        "perm": [
+          "PERMIT_OPER",
+          "PERMIT_SUBS_EVT_OPER_COMP"
+        ]
+      }
+    ]
+  }
+}