OPNsense Forum

Hello everyone,

I have created an admin user on OPNsense without "All pages" but with rights for Kea. Unfortunately, I was missing some menu entries for Kea DHCP. After some searching, I came across the topic ACL and customised the ACL for Kea.

root@fw05:~ # cat /usr/local/opnsense/mvc/app/models/OPNsense/Kea/ACL/ACL.xml
<acl>
    <page-dhcp-kea-v4>
        <name>Services: DHCP: Kea(v4)</name>
        <description>Allow access to the KEA dhcp4 server</description>
        <patterns>
            <pattern>ui/kea/dhcp/v4</pattern>
            <pattern>ui/kea/dhcp/ctrl_agent</pattern>
            <pattern>ui/kea/dhcp/leases4</pattern>
            <pattern>ui/diagnostics/log/core/kea</pattern>
            <pattern>api/kea/dhcpv4/*</pattern>
            <pattern>api/kea/ctrl_agent/*</pattern>
            <pattern>api/kea/leases4/*</pattern>
            <pattern>api/kea/service/*</pattern>
        </patterns>
    </page-dhcp-kea-v4>
</acl>

This works for me so far. Unfortunately, the ACL is overwritten during the update.
Can I make the change persistent? Or can you apply the changes?

For testing purposes, I created a user with all privileges except "All pages" and compared it with the root user. If I have understood this correctly, the two users should be identical. Except for Kea, other menu entries are missing, too.

System - Log Files - Audit
System - Log Files - Boot
System - Diagnostics - Statistics
VPN - IPsec - Pre-Shared Keys
VPN - IPsec - Advanced Settings
VPN - IPsec - Lease Status
VPN - WireGuard - Log File
Services - DHCRelay - Log File
Services - Monit - Log File
Services - Network Time - GPS
Services - Network Time - PPS

Thanks in advance

Greetings Michael

Everything that can be updated via GUI/API will eventually be overwritten with data coming from the config.xml file.

In this case, there is a privilege for Kea.
The privileges dropdown has an entry called "Services: DHCP: Kea(v4)" that sounds promising.

Hello Eric,

thank you for your reply.

Quote from: EricPerl on April 01, 2025, 09:09:07 PMEverything that can be updated via GUI/API will eventually be overwritten with data coming from the config.xml file.

In this case, there is a privilege for Kea.
The privileges dropdown has an entry called "Services: DHCP: Kea(v4)" that sounds promising.

In my post i mean exactly this entry in the dropdown, but the acl behind it is not correct.
I have changed the ACL on the cli via ssh as above.

The original file looks like this:

<acl>
    <page-dhcp-kea-v4>
        <name>Services: DHCP: Kea(v4)</name>
        <description>Allow access to the KEA dhcp4 server</description>
        <patterns>
            <pattern>ui/kea/dhcp/v4</pattern>
            <pattern>api/kea/dhcpv4/*</pattern>
            <pattern>api/kea/leases4/*</pattern>
            <pattern>api/kea/service/*</pattern>
        </patterns>
    </page-dhcp-kea-v4>
</acl>

cu Michael

I'll test if there's an issue.

https://github.com/opnsense/core/issues/8518

We patched it, you can use this until it hits a main release. It will survive reboots, but if you do an update/upgrade it goes away. Probably needs a reboot after patch.

opnsense-patch https://github.com/opnsense/core/commit/ef1c4e07c86f5f03f643c89218bacf9e91956243

Hi Cedrik,

Thank you for solving my problem. The patch worked perfectly.
Is the change included in the next update?

Did you see the list of other menu items in my post that are still missing?
These are not important for me, but I noticed them while searching.

Have a nice day
Michael

Hello Michael,

open the commit link in a browser and you can see the diff.

All of them should have been added.

I dont know when it will be included, but the next update seems likely.