Several versions ago, we made some monumental changes to the way that the ACLs (access control lists) and APIs behave and the level of access they grant. These improvements allow webhosts to provide more access to resellers while maintaining security for root users and server owners. We want to take this opportunity to highlight the numerous changes that these updates bring.
If you are a webhosting provider, you likely sell hosting packages to resellers with the intention of the customer being able to section off chunks of their account to “resell” to clients of their own. A reseller account is a special type of cPanel account that is also able to access WHM. Typically, resellers can make certain modifications to a server’s configuration and can create more cPanel accounts.
The Edit Reseller Nameservers and Privileges interface in WHM enables the server owner to limit a reseller’s access to various server management features. This interfaces also allows the server owner to grant root-level privileges to a reseller, assign nameserver IP addresses for accounts that the reseller creates, as well as add DNS entries for those addresses. Until recently, there was very little granularity to the privileges, leaving server owners to choose between increased workload or compromised security. To rectify that, a large number of access privileges were added to the list.
Added access privileges for Resellers
- Account Summary
- Allow CORS Proxy Requests
- Basic WHM Functions
- Create User Session
- Digest Authentication
- Generate Email Configuration
- Manage cPanel Integration Links.
- Manage OpenID Connect
- Manage Styles
- MySQL® Information
- SSL Information
- Manage API Tokens
- Manage DNS Records
- Nameserver Configuration
- List Packages
- Track Email
- Basic System Information
Being able to give a reseller autonomy to manage the above functions removes the need for a server owner to perform those actions for the reseller. For example, a reseller may want to manage the available cPanel styles or track email delivery on the server. With the new permissions, hosting providers can now allow the reseller to do this for themselves without granting full root access to the server.
One of the great benefits of having the various DNS related functions available to a reseller allows DNS clustering without sharing root-level access across servers. How is DNS Clustering beneficial? If your nameservers are located in different parts of the world, and one of those nameservers fails, DNS clustering allows you to maintain DNS functionality.
More Power for Integrators
To top things off, as of version 68 plugin developers can use the new ACLs to add granularity to their integrations as well, using API Tokens. The updated Guide to WHM Plugins – ACL Reference Chart is provided in our documentation site. The WHMAPI 1 accesses the WHM interface’s features, this API can be used to perform server administration tasks, administer cPanel & WHM reseller accounts, and manage cPanel & WHM services.
Another thing to keep in mind for integrators: when we recently introduced server profiles, we also started disabling API calls that aren’t associated with the current server profile. When a non-Standard Node server profile is enabled, the system disables API calls associated with that profile’s disabled service roles. For more information about server profiles and roles, read our How to Use Server Profiles documentation.
If you are interested in seeing changes made to our API, they are recorded and published with each new version as part of our Release Notes.
As you can see these improvements give resellers more autonomy in their day to day as well as taking the support burden off of root users while maintaining security.
How are you using ACLs and API’s in your day to day routine? To discuss more in-depth, or to weigh in with your own opinion, join the conversation on Slack, Discord, or the Official cPanel subreddit.