From aa7e0c6c9e60c2b046d227ffee64d99ae103a17d Mon Sep 17 00:00:00 2001 From: Simon Date: Mon, 4 Dec 2023 09:00:17 +0100 Subject: [PATCH] Enhance Ubus Integration Documentation & Refine ACL Permissions (#30121) * Enhance Ubus Integration Documentation & Refine ACL Permissions The current documentation does not contain enough information to start using the ubus integration, and the current ACL config file gives more permission than is actually needed. This change explains how to add a system user `hass` and documents the configuration of `/etc/config/rpcd` configuration file. Those steps are missing from the current configuration. Credits for those valuable steps go to: https://github.com/kvj/hass_openwrt. Furthermore, the current ACLs config file gives more permission than is actually needed to make the integration work. * Tiny style tweaks * Update source/_integrations/ubus.markdown * Update source/_integrations/ubus.markdown --------- Co-authored-by: c0ffeeca7 <38767475+c0ffeeca7@users.noreply.github.com> --- source/_integrations/ubus.markdown | 26 +++++++++++++++++++++----- 1 file changed, 21 insertions(+), 5 deletions(-) diff --git a/source/_integrations/ubus.markdown b/source/_integrations/ubus.markdown index a5f1549a946..4571e82e39e 100644 --- a/source/_integrations/ubus.markdown +++ b/source/_integrations/ubus.markdown 
@@ -20,17 +20,33 @@ opkg update opkg install rpcd-mod-file uhttpd-mod-ubus ``` -And create on your OpenWrt device a read-only user to be used by setting up the ACL file `/usr/share/rpcd/acl.d/user.json`. +Add a new system user `hass` (or do it in any other way that you prefer): + +- Add line to /etc/passwd: hass:x:10001:10001:hass:/var:/bin/false +- Add line to /etc/shadow: hass:x:0:0:99999:7::: + +Edit the `/etc/config/rpcd` and add the following lines: + +```yaml +config login + option username 'hass' + option password '$p$hass' + list read hass + list read unauthenticated + list write hass +``` + +Then, create an ACL file at `/usr/share/rpcd/acl.d/hass.json` for the user `hass`: ```json { - "user": { - "description": "Read only user access role", + "hass": { + "description": "Access role for OpenWrt ubus integration", "read": { "ubus": { - "*": [ "*" ] + "hostapd.*": ["get_clients"], + "uci": ["get"] }, - "uci": [ "*" ] }, "write": {} }
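Review bot: In the `hass.json` ACL example, removing the `"uci": [ "*" ]` line leaves the unchanged context line `},` that closes the `"ubus"` object with a trailing comma and no member after it, so the documented JSON no longer parses and a reader who copies it verbatim ends up with an ACL file that cannot be loaded as written. That line should change to `}` as part of this hunk. Two further points in the same hunk. The `/etc/shadow` entry `hass:x:0:0:99999:7:::` carries `x` in the password field, while `option password '$p$hass'` tells rpcd to check the system password of `hass`, and the added steps never set one, so the text should include a step that sets a password for `hass` (for example with `passwd hass`) before the login is expected to work. The `/etc/config/rpcd` snippet is UCI syntax rather than YAML, so the `yaml` fence tag is misleading. It would also help to explain in one sentence why `list read unauthenticated` and `list write hass` are needed, since the ACL below grants only two read methods and an empty `"write": {}`, and the commit message states the goal is to grant no more permission than the integration needs.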