How do I turn off acces controll

Hello, when I first did the setup for octoprint(1.3.10 on a pi) I decided to turn on access control but now I would want to turn it off but I haven't found any "guide" on how to do that. Was hoping that there would be a line in the config.yaml file where I could simply disable it but I didn't find any. So could someone please tell me how to disable it?

Assuming you have your Octoprint server on a secure local-only network, you should be able to do with the accessControl and firstRun changes listed here.

1 Like

Thanks but the only thing I see under the access control section is the salt id.

You'll have to add those settings.

Hello, im new with Octoprint and want to Rerun the first setup but i don't know where i can find the config.yaml file. Is it in the root of the sd card?

@janiboy7665 You can find the config.yaml file in the .octoprint subdirectory of the home directory of whatever user octoprint is running as. On my OctoPi installation this is the pi user, and the absolute path of the config.yaml file is /home/pi/.octoprint/config.yaml

@Calania (and anyone else who wants to disable access control): As of Octoprint 1.5 the ability to disable access control was, unfortunately, deliberately removed by the author of OctoPrint. I consider this to be an extremely unfortunate decision, and it cost me quite a few hours of time and effort to resolve.

However, there is, in fact, a relatively straightforward way to achieve the equivalent of disabled access control. Up until now the full solution to disable all security wasn't documented anywhere, but will soon be available here: https://docs.octoprint.org/en/master/features/accesscontrol.html

@muchsimpler3d Hi :wave: I'm the author of OctoPrint. I'm the one who made the decision to make Access Control mandatory after ensuring that the autologin feature put in back in 2013 and documented since then was in fact still working fine and available to use to achieve the exact same behaviour as with disabled access control, for those users who have restricted their instances properly to their LAN and whose workflows require passwordless entry. And @Charlie_Powell was so kind to make this feature even more easier to access through the help of a plugin. To make sure everyone updating would know about that I put it in the 1.5.0 release notes, 1.5.0 release announcement, linked back to those from the 1.5.1 and 1.5.2 release notes and announcements with a strong reminder to check them, and created a guide explaining everything.

So... it looks like you have an interesting definition of "crippled". Crippling would have been to filter out 0.0.0.0/0 and ::/0 from the autologin subnet specs. Which I actually briefly thought about to reduce the likelihood of someone putting that in without knowing what it does after reading it on the net somewhere, and still having their port forwarded instance exposed for everyone to abuse, but finally decided against because I figured that would indeed be crippling the platform :wink:

Maybe next time, instead of immediately bashing the author of a piece of open source software you use for a change they introduced in an update (as your very first interaction ever to boot), you should try to understand why it was done and read the available docs on what alternative was put in place or already existed. Chances are high there's a valid reason and a viable workaround, and it's not pure malice and spite from the OSS maintainer :roll_eyes:

3 Likes

While the local networks of 0.0.0.0/0 and ::/0 has been pointed out as terrible choices for the local network, I believe the guide doesn't do a very good job of helping the user discover the right choice(s) for the local networks. Charlie's plugin does a better job.

However, since you can ask the host what the answer should be with:
ip route | grep src | grep eth0 | awk '{print $1}' or
ip route | grep src | grep wlan0 | awk '{print $1}'

perhaps that command should be incorporated into both the guide and the plugin.

BTW, ip -6 route gives the IPV6 answers. The above can be combined into:
ip route | grep src | grep -P 'eth0|wlan0' | awk '{print $1}'

1 Like

@b-morgan if you have a better suggestion than to point the user at the current network configuration of a device they want to access OctoPrint from, I'm always happy for edits (it's a wiki node). I couldn't think of anything more straightforward for manual configuration, and for everything else there's now the plugin.

@foosel I edited the wiki node to add these commands and opened a feature request issue for the plugin. Upon a second reading, the wiki guide link (I'm guilty of not seeing the "blue" text) is sufficient and I withdraw my "doesn't do a very good job" :smile: