Summary
Implementation of a built-in admin system that is structured, maintainable, and easy for server owners to configure.
The main idea is to introduce an ACL account manager based on named permissions, with per-account authentication, human-readable config, audit-friendly logging, and fast runtime permission checks.
This issue is meant to start the discussion in an official place and serve as a reference point for future implementation and PRs.
From Discord discussion:
A few practical goals that I think of:
- Server owners should be able to create separate admin accounts with separate credentials.
- Each account should have an explicit permission set.
- Permissions should be human-readable, not hidden behind numeric systems.
- Authentication and permission checks should come from one central source of truth, instead of being scattered throughout the codebase.
- Admin actions should leave a clear trail in logs showing who did what.
- The system should be easy to extend.
This is largely inspired by what worked well in Reborn, while avoiding the parts that were less friendly from a usability and maintenance perspective. It seems that this direction was agreed upon on OPM Discord.
Proposed direction
1. Centralized ACL-style permission system
Use named permissions such as:
- admin.login
- admin.kick
- admin.mute
- admin.warn
- admin.ban
- admin.unban
- admin.map
- server.restart
Each admin account would have:
- username
- password hash
- enabled/disabled flag
- assigned permissions
At runtime, these named permissions can be resolved into an internal bitmask for efficient checks.
2. Per-admin logging / audit trail
Administrative actions should be logged with enough detail to answer questions like:
- who logged in
- who kicked/banned/unbanned someone
- who changed map / restarted server
- whether an auth attempt failed
- when an account was disabled or rejected
Configuration format
Current preference that emerged in Discord is a human-readable text config, with YAML looking like the strongest candidate so far.
Reasons:
- easier on the eyes than raw JSON for many users
- supports comments
- naturally suited for nested structures like groups/accounts
- likely friendlier for manual editing by server owners
- We can add groups with predefined permissions.
Example barebones YAML:
version: 1
accounts:
  - username: "vwz"
    enabled: true
    password_hash: "hashhere"
    note: "full admin"
    permissions:
      - admin.login
      - admin.kick
      - admin.mute
      - admin.warn
      - admin.ban
      - admin.unban
      - admin.map
      - server.restart
  - username: "helper1"
    enabled: true
    password_hash: "hashhere"
    note: "chat and player control only"
    permissions:
      - admin.login
      - admin.kick
      - admin.mute
      - admin.warn
  - username: "mapguy"
    enabled: true
    password_hash: "hashhere"
    note: "map and restart access only"
    permissions:
      - admin.login
      - admin.map
      - server.restart

Password storage
MD5 should not be used for password storage. I wonder about sha256, but it also seems not suitable for real password protection. A practical workflow could be:
- owner creates or updates admin credentials through console/server command
- server stores only the resulting hash
- config never needs plaintext passwords
The general direction seems agreed enough to justify opening the issue and using it as the base for a draft PR and follow-up discussion.
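
A sketch of how the pieces proposed above could fit together, added here as an illustration and not code from the project or the issue author: named permissions resolved to a bitmask, a salted slow hash in place of MD5 or plain SHA-256, and an audit log line for every auth outcome. The choice of Python, PBKDF2-HMAC-SHA256 as the hash, the stored-hash string layout, the bit order, and all function names are assumptions; the account dictionary mirrors the YAML fields in the issue.

```python
import hashlib, hmac, logging, os

log = logging.getLogger("admin.audit")
# Permission names are from the issue; the bit order is an assumption of this example.
PERMISSIONS = ["admin.login", "admin.kick", "admin.mute", "admin.warn",
               "admin.ban", "admin.unban", "admin.map", "server.restart"]
BIT = {name: 1 << i for i, name in enumerate(PERMISSIONS)}

def hash_password(password, iterations=600_000):
    """Salted PBKDF2-HMAC-SHA256, stored as scheme$iterations$salt$digest."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def verify_password(password, stored):
    try:
        scheme, iters, salt, digest = stored.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt), int(iters))
        return hmac.compare_digest(dk, bytes.fromhex(digest))  # constant time
    except ValueError:
        return False  # malformed hash in the config: fail closed

def resolve_mask(names):
    """Resolve config permission names to a bitmask; reject unknown names."""
    unknown = [n for n in names if n not in BIT]
    if unknown:
        raise ValueError(f"unknown permissions: {unknown}")
    return sum(BIT[n] for n in set(names))

def authenticate(accounts, username, password):
    """Return the permission mask on success, else None; log every outcome."""
    acct = accounts.get(username)
    if acct is None or not acct["enabled"]:
        log.warning("auth rejected user=%r reason=unknown_or_disabled", username)
        return None
    if not verify_password(password, acct["password_hash"]):
        log.warning("auth failed user=%r", username)
        return None
    mask = resolve_mask(acct["permissions"])
    if not mask & BIT["admin.login"]:
        log.warning("auth rejected user=%r reason=no_login_permission", username)
        return None
    log.info("auth ok user=%r", username)
    return mask

def allowed(mask, permission):
    return bool(mask & BIT[permission])
```

Storing the iteration count inside the hash string lets the cost be raised later without invalidating existing accounts, and a placeholder such as "hashhere" simply fails verification instead of raising.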