How are Moderators selected?

Quick Question: Although it may or may not have been answered before: How are Moderators chosen? I’m thinking generally of scenarios where rooms are completely left abandoned… or if room names are re-used later by other people: if someone who is a moderator on one device signs into one of these sessions later, do they inherit permissions? Or is it simply that the first person in a room (old or new) is a moderator?

On a default deployment the first is a moderator; on meet.jit.si all are moderators.

1 Like

Hi, @damencho
We have a Docker deployment with an authenticated virtual host using JWT token authorization and a guest virtual host for guests.
But all connecting participants are granted moderator roles.
How to set the moderator role only for the first conference user?

Not sure, maybe Docker is configured with the all owners module; I’m not very familiar with it.

1 Like

I think you are definitely right:

root@11c4b0da89fb:/prosody-plugins# ls
ext_events.lib.lua mod_filter_iq_rayo.lua mod_muc_meeting_id.lua mod_smacks.lua mod_websocket_smacks.patch
mod_auth_token.lua mod_muc_allowners.lua mod_muc_poltergeist.lua mod_speakerstats.lua muc_owner_allow_kick.patch
mod_conference_duration.lua mod_muc_call.lua mod_muc_size.lua mod_speakerstats_component.lua poltergeist.lib.lua
mod_conference_duration_component.lua mod_muc_domain_mapper.lua mod_poltergeist_component.lua mod_token_verification.lua token
mod_filter_iq_jibri.lua mod_muc_max_occupants.lua mod_presence_identity.lua mod_turncredentials.lua util.lib.lua
root@11c4b0da89fb:/prosody-plugins#

But how to disable it in Docker?

@damencho could you please ask someone from the Jitsi team who is an expert in Docker?
We deleted the file mod_muc_allowners.lua from the prosody container and restarted the container, but still every user in every conference gets moderator rights.

@Anton_Karlan Can you share your prosody config files? Let me have a look.

Hi! Sure!

[root@s-rc-jitsi-01 prosody]# cat conf.d/jitsi-meet.cfg.lua
admins = { "focus@auth.meet.jitsi" }
plugin_paths = { "/prosody-plugins/", "/prosody-plugins-custom" }
http_default_host = "meet.jitsi"

VirtualHost "meet.jitsi"
    authentication = "token"
    app_id = "someID"
    app_secret = "some_secert"
    allow_empty_token = false
    ssl = {
        key = "/config/certs/meet.jitsi.key";
        certificate = "/config/certs/meet.jitsi.crt";
    }
    modules_enabled = {
        "bosh";
        "pubsub";
        "ping";
    }
    c2s_require_encryption = false

VirtualHost "guest.meet.jitsi"
    authentication = "token"
    app_id = "someID"
    app_secret = "some_secert"
    allow_empty_token = true
    c2s_require_encryption = false

VirtualHost "auth.meet.jitsi"
    ssl = {
        key = "/config/certs/auth.meet.jitsi.key";
        certificate = "/config/certs/auth.meet.jitsi.crt";
    }
    authentication = "internal_plain"

Component "internal-muc.meet.jitsi" "muc"
    modules_enabled = {
        "ping";
    }
    storage = "memory"
    muc_room_cache_size = 1000

Component "muc.meet.jitsi" "muc"
    storage = "memory"
    modules_enabled = {
        "token_verification";
    }

Component "focus.meet.jitsi"
    component_secret = "another_secret"


[root@s-rc-jitsi-01 prosody]# cat prosody.cfg.lua
-- Prosody Example Configuration File
--
-- Information on configuring Prosody can be found on our
-- website at http://prosody.im/doc/configure
--
-- Tip: You can check that the syntax of this file is correct
-- when you have finished by running: luac -p prosody.cfg.lua
-- If there are any errors, it will let you know what and where
-- they are, otherwise it will keep quiet.
--
-- The only thing left to do is rename this file to remove the .dist ending, and fill in the
-- blanks. Good luck, and happy Jabbering!


---------- Server-wide settings ----------
-- Settings in this section apply to the whole server and are the default settings
-- for any virtual hosts

-- This is a (by default, empty) list of accounts that are admins
-- for the server. Note that you must create the accounts separately
-- (see http://prosody.im/doc/creating_accounts for info)
-- Example: admins = { "user1@example.com", "user2@example.net" }
admins = { }

-- Enable use of libevent for better performance under high load
-- For more information see: http://prosody.im/doc/libevent
--use_libevent = true;

-- This is the list of modules Prosody will load on startup.
-- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too.
-- Documentation on modules can be found at: http://prosody.im/doc/modules
modules_enabled = {

        -- Generally required
                "roster"; -- Allow users to have a roster. Recommended ;)
                "saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
                "tls"; -- Add support for secure TLS on c2s/s2s connections
                "dialback"; -- s2s dialback support
                "disco"; -- Service discovery

        -- Not essential, but recommended
                "private"; -- Private XML storage (for room bookmarks, etc.)
                "vcard"; -- Allow users to set vCards

        -- These are commented by default as they have a performance impact
                --"privacy"; -- Support privacy lists
                --"compression"; -- Stream compression (Debian: requires lua-zlib module to work)

        -- Nice to have
                "version"; -- Replies to server version requests
                "uptime"; -- Report how long server has been running
                "time"; -- Let others know the time here on this server
                "ping"; -- Replies to XMPP pings with pongs
                "pep"; -- Enables users to publish their mood, activity, playing music and more
                "register"; -- Allow users to register on this server using a client and change passwords

        -- Admin interfaces
                "admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
                --"admin_telnet"; -- Opens telnet console interface on localhost port 5582

        -- HTTP modules
                --"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
                --"http_files"; -- Serve static files from a directory over HTTP

        -- Other specific functionality
                "posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
                --"groups"; -- Shared roster support
                --"announce"; -- Send announcement to all online users
                --"welcome"; -- Welcome users who register accounts
                --"watchregistrations"; -- Alert admins of registrations
                --"motd"; -- Send a message to users when they log in
                --"legacyauth"; -- Legacy authentication. Only used by some old clients and bots.

};

https_ports = { }

-- These modules are auto-loaded, but should you want
-- to disable them then uncomment them here:
modules_disabled = {
        -- "offline"; -- Store offline messages
        -- "c2s"; -- Handle client connections
        -- "s2s"; -- Handle server-to-server connections
};

-- Disable account creation by default, for security
-- For more information see http://prosody.im/doc/creating_accounts
allow_registration = false;

daemonize = false;

pidfile = "/config/data/prosody.pid";

-- Force clients to use encrypted connections? This option will
-- prevent clients from authenticating unless they are using encryption.

c2s_require_encryption = false

-- Force certificate authentication for server-to-server connections?
-- This provides ideal security, but requires servers you communicate
-- with to support encryption AND present valid, trusted certificates.
-- NOTE: Your version of LuaSec must support certificate verification!
-- For more information see http://prosody.im/doc/s2s#security

s2s_secure_auth = false

-- Many servers don't support encryption or have invalid or self-signed
-- certificates. You can list domains here that will not be required to
-- authenticate using certificates. They will be authenticated using DNS.

--s2s_insecure_domains = { "gmail.com" }

-- Even if you leave s2s_secure_auth disabled, you can still require valid
-- certificates for some domains by specifying a list here.

--s2s_secure_domains = { "jabber.org" }

-- Select the authentication backend to use. The 'internal' providers
-- use Prosody's configured data storage to store the authentication data.
-- To allow Prosody to offer secure authentication mechanisms to clients, the
-- default provider stores passwords in plaintext. If you do not trust your
-- server please see http://prosody.im/doc/modules/mod_auth_internal_hashed
-- for information about using the hashed backend.

authentication = "internal_plain"

-- Select the storage backend to use. By default Prosody uses flat files
-- in its configured data directory, but it also supports more backends
-- through modules. An "sql" backend is included by default, but requires
-- additional dependencies. See http://prosody.im/doc/storage for more info.

--storage = "sql" -- Default is "internal" (Debian: "sql" requires one of the
-- lua-dbi-sqlite3, lua-dbi-mysql or lua-dbi-postgresql packages to work)

-- For the "sql" backend, you can uncomment *one* of the below to configure:
--sql = { driver = "SQLite3", database = "prosody.sqlite" } -- Default. 'database' is the filename.
--sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
--sql = { driver = "PostgreSQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }

-- Logging configuration
-- For advanced logging see http://prosody.im/doc/logging
--
-- Debian:
--  Logs info and higher to /var/log
--  Logs errors to syslog also
log = {
        { levels = {min = "info"}, to = "console"};
}

-- Enable use of native prosody 0.11 support for epoll over select
network_backend = "epoll";
-- Set the TCP backlog to 511 since the kernel rounds it up to the next power of 2: 512.
network_settings = {
  tcp_backlog = 511;
}

component_interface = { "*" }

data_path = "/config/data"

Include "conf.d/*.cfg.lua"

@hmharshit hi!
Any news?

@Anton_Karlan Your prosody configuration looks fine. I saw you are using JWT tokens to authorize. So all participants are granted moderator roles, including the guest? Or is the moderator role granted only to participants authenticated with JWT?

I think this is true.
But one interesting thing.
I opened a new incognito Chrome tab and pasted the room link there.
Then I see that connected users are presented as Fellow Jitser, but not as my Rocket.Chat name. That is normal, because there is no JWT token in the link and the user is connected as a guest.
But the strange thing is that I see a notification that my host user (the user who started the call) is granted moderator rights.


Maybe it is correct: the new user is notified who is a moderator in this room.

And answering your question: yes, all JWT-authenticated users are granted moderator permissions, while guests are not.
But I need only the first participant (room creator) to be a moderator, and the others not.
How can I achieve that?

Yeah, it’s normal and expected.

This is also expected.

I’m not aware of the official solution for this, but I’m using a workaround to solve this issue.

So, what I’m doing is, during the creation of the JWT token, I add one key, say isModerator, set to true or false. Then I detect this key on the server side, in Prosody, in the muc-room-created hook. In the hook, I verify the user, then fetch the key and assign the role as owner or member depending on the value of the isModerator key.

This has solved my use case where I need to have multiple moderators. I think this should probably also solve your use case.

1 Like
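The workaround described in the post above, modelled end to end as an added example (not code from the thread, Jitsi or Prosody): the issuer signs an HS256 token carrying the custom `isModerator` claim, and the server maps it to owner or member only after verifying the signature, issuer, room and expiry. The function names, the `room` and `exp` checks and the sample values are assumptions made for this illustration.

```python
import base64, hashlib, hmac, json, time

APP_ID, APP_SECRET = "someID", "constructed-secret"  # constructed sample values

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_token(claims: dict, secret: str) -> str:
    """Issuer side: build an HS256 JWT that carries the custom isModerator claim."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    mac = hmac.new(secret.encode(), f"{header}.{payload}".encode(), hashlib.sha256)
    return f"{header}.{payload}.{b64url(mac.digest())}"

def affiliation_for(token, secret, app_id, room, now=None):
    """Server side: return "owner" or "member"; raise ValueError for a bad token."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(payload_b64))
        sig = b64url_decode(sig_b64)
    except Exception as exc:
        raise ValueError("malformed token") from exc
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise ValueError("malformed token")
    # Pin the algorithm: never let the token choose how it is verified.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    signed = f"{header_b64}.{payload_b64}".encode()
    expected = hmac.new(secret.encode(), signed, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        raise ValueError("bad signature")
    if claims.get("iss") != app_id or claims.get("room") != room:
        raise ValueError("wrong issuer or room")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise ValueError("expired or missing exp")
    # Only a literal JSON true grants owner; "true", 1 or a missing key do not.
    return "owner" if claims.get("isModerator") is True else "member"
```

Because the claim is read only after the signature check, a participant who edits `isModerator` in their own token is rejected rather than promoted.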

Yes, I saw those posts on the forum. But I think we can’t use that because we use Jitsi not as a standalone system, but as a part of Rocket.Chat. So, we don’t have the opportunity to add something to the URL (or JWT).
But thanks anyway!

@damencho can we somehow disable those notifications?
I created a GitHub issue about that: https://github.com/jitsi/jitsi-meet/issues/5948

I’m not sure about that. So in Rocket.Chat, you cannot create your JWT token even by yourself?

No. There are only Application ID (iss) and Application Secret settings for JWT token authorization.

@Anton_Karlan Ahh, I see. Then I guess it needs some different approach.

Let me know if you find some solution to this.

Sure, thanks for your help!

Why is there no way to turn off making all users a mod?

By default when installing, the first one is moderator; you need to enable a module for everyone to be a moderator.

I do not want moderators, I want to know how to turn that feature off. The software makes everybody moderators when they log in to a room and I do not want it to do this. How do I stop that? I’m on my own server.