private pypiserver with read/write restrictions per user/password pair - docker

I'm using https://hub.docker.com/r/pypiserver/pypiserver to host a private pypi server.
The -a flag allows me to restrict which actions need to be authenticated.
The -P flag allows me to pass in user/password pairs.
I need:
All actions requiring authentication
Only certain user/password pairs can read+write
Others can only read
Reading that page, this doesn't seem to be possible? How can I achieve this?
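pypiserver's -P option takes one password file and -a one list of actions, so every user in that file may perform every authenticated action; there is no per-user "read but not upload" setting. The split asked for above is normally enforced in front of the container. What follows is an added example written for this page (not pypiserver's code, and not an answer posted on the page): a stdlib-only authorizing proxy in Python that demands Basic auth on every request, lets any known user issue GET/HEAD (what pip sends for the index and downloads), and lets only users in a writers set issue POST (what twine and setup.py upload send). The user table, the upstream address, and the assumption that pypiserver itself is started with `-a . -P .` (its own authentication disabled, so it never challenges the proxy) are all assumptions of the example; in production the same rule would more likely live in nginx or another reverse proxy, but the decision logic is the same.

```python
"""Authorizing gateway in front of pypiserver (added example, not pypiserver code).

Every request needs Basic auth.  Any user in READERS may GET/HEAD (pip index
and downloads); only users in WRITERS may POST (twine / setup.py upload).
pypiserver itself is assumed to run with its own auth disabled (-a . -P .)
on UPSTREAM, so this gateway is the only place credentials are checked.
"""
import base64
import hashlib
import hmac
import urllib.error
import urllib.request
from wsgiref.simple_server import make_server

UPSTREAM = "http://127.0.0.1:8080"          # assumed pypiserver address


def _digest(password):
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed credential table: {user: sha256(password)}.  A real deployment
# keeps these in an htpasswd/bcrypt file; plain SHA-256 keeps the example stdlib-only.
READERS = {"ci-bot": _digest("reader-secret"), "alice": _digest("alice-secret")}
WRITERS = {"alice"}                          # subset of READERS allowed to upload
READ_METHODS = {"GET", "HEAD"}
REASONS = {401: "Unauthorized", 403: "Forbidden", 405: "Method Not Allowed"}


def parse_basic(header):
    """Return (user, password) from an 'Authorization: Basic ...' value, else None."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        user, _, password = base64.b64decode(header[6:].strip()).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    return user, password


def basic_header(user, password):
    """The Authorization value a client (pip/twine) would send for these credentials."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def authorize(method, auth_header):
    """Decide what to do with a request: (200, user) to forward it, otherwise
    (401, None) for missing/bad credentials, (403, user) for a reader trying to
    upload, (405, user) for any other method."""
    creds = parse_basic(auth_header)
    if creds is None:
        return 401, None
    user, password = creds
    # Compare against a dummy digest for unknown users so response timing does
    # not reveal which usernames exist.
    expected = READERS.get(user, _digest(""))
    if user not in READERS or not hmac.compare_digest(expected, _digest(password)):
        return 401, None
    if method in READ_METHODS:
        return 200, user
    if method == "POST":
        return (200, user) if user in WRITERS else (403, user)
    return 405, user


def app(environ, start_response):
    """WSGI entry point: authorize, then relay the request to pypiserver."""
    status, _user = authorize(environ["REQUEST_METHOD"], environ.get("HTTP_AUTHORIZATION"))
    if status != 200:
        headers = [("Content-Type", "text/plain")]
        if status == 401:
            headers.append(("WWW-Authenticate", 'Basic realm="pypi"'))
        start_response(f"{status} {REASONS[status]}", headers)
        return [b""]
    url = UPSTREAM + environ["PATH_INFO"]
    if environ.get("QUERY_STRING"):
        url += "?" + environ["QUERY_STRING"]
    body = environ["wsgi.input"].read(int(environ.get("CONTENT_LENGTH") or 0))
    req = urllib.request.Request(url, data=body or None, method=environ["REQUEST_METHOD"])
    if environ.get("CONTENT_TYPE"):
        req.add_header("Content-Type", environ["CONTENT_TYPE"])
    try:
        resp = urllib.request.urlopen(req)
    except urllib.error.HTTPError as err:
        resp = err                           # relay pypiserver's own error status
    hop_by_hop = {"connection", "transfer-encoding"}
    headers = [(k, v) for k, v in resp.headers.items() if k.lower() not in hop_by_hop]
    start_response(f"{resp.getcode()} {resp.reason}", headers)
    return [resp.read()]


if __name__ == "__main__":
    make_server("0.0.0.0", 8081, app).serve_forever()  # pip/twine point at :8081
```

With this in place pip is configured with `https://ci-bot:reader-secret@gateway:8081/simple/` and twine with the gateway URL as repository; a reader's upload is refused with 403 before it ever reaches pypiserver.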

Related

mask X-Goog-Credential in signed url for end users

Can we mask the X-Goog-Credential in a signed URL that we create for an end user, so that they don't get to see the project ID and GCP account details?
curl --location --request GET 'https://host/images/f2b0ce52-a485-43bf-b1e9-413e04cf7ef5.jpeg?X-Goog-Algorithm=GOOG4-RSA-SHA256&X-Goog-Credential=account@project.iam.gserviceaccount.com%2F20221019%2Fauto%2Fstorage%2Fgoog4_request&X-Goog-Date=20221019T114634Z&X-Goog-Expires=600&X-Goog-SignedHeaders=host&X-Goog-Signature=...'
As mentioned in the answer:
It's not possible, if you want the client to directly access that data. You could obfuscate it by using a URL shortener, but all that would do is hide it from view temporarily.
Once you choose to allow clients to access your project directly, your project id is no longer private information. That ID is absolutely required in order to identify resources within your project (and not just Cloud Storage).
If you don't want anyone to see the name of your project, you will either:
Disallow all direct client access
Route all requests through some middleware service identified by another DNS name that hides all the implementation details of the interaction with Google Cloud products.
For more information on revoking signed URLs and routing requests, you can refer to doc_revoking and doc_routing.

OpenWhisk authentication issue (get username and password)

In OpenWhisk, I want to display the functions I deployed from wsk (the CLI) in OpenWhisk's interface. For this I go to the site on the API host, but it asks for authentication information. Where do I get the authentication information in OpenWhisk? As an alternative, what I've tried hasn't worked. When I type wsk property get it says whisk auth.
wsk property set --apihost 'http://172.17.0.1:3233' --auth '23bc46b1-71f6-4ed5-8c54-816aa4f8c502:123zO3xZCLrMN6v2BKK1dXYFpXlPkccOFqm12CdAsMgRU4VrNZ9lyGVCGuMDGIwP'
I could not enter the information written here when I typed the username and password.
https://i.stack.imgur.com/W2FRa.png
I found this solution: If the --web true flag is used, you can also run functions from the web interface.

Jenkins Set User API Token from file instead of generating in UI

Is there a way to set the API token of a user manually? In the UI it has a button "Change API Token" which generates the token. Instead I want to set it.
Our old Jenkins server crashed and we have to create a new one. Lots of teams are using a remote-trigger call similar to the one below. A change in the API token affects all these teams, since they would have to update their code.
curl -X POST -H "$CRUMB" "http://automation:ef*****************************d@jenkins-url.com/job/log_deployment/buildWithParameters?token=B6472A215********************"
The API token in the UI is 32 characters long. Upon checking the file jenkins/users//config.xml, there is this property jenkins.security.ApiTokenProperty. It seems possible to set this; I need some direction please.
<jenkins.security.ApiTokenProperty>
<apiToken>{AQAAABAAAAAwOROgeIy1vAUUOtGIYud+70TXY0pS/pKTe7nLeO8Xtd2BDgXW1RlZ6pL9+bvDrbwHh2xBnebPJAUS3OQt8f/toQ==}</apiToken>
</jenkins.security.ApiTokenProperty>
Thanks!
Update: More info from
https://issues.jenkins-ci.org/browse/JENKINS-32776
User passwords are stored as salted hashes (SHA-256 or bcrypt); whereas API tokens are encrypted using an AES-128 ECB-mode block cipher, using a static key shared among all users.
You cannot set a given token explicitly since Jenkins only stores the hash of a token.
You can, however, copy the hashed value, thus effectively copying a token.
To do this between different masters with different global encryption keys, you need to decrypt the hash of the first master and use that for setting the hash on the second master. It's probably easiest to do that in groovy.

Setup private docker registry with anonymous pull access

I'd like to setup a docker registry that allows anonymous pulls but authenticates pushes.
My naive approach was to allow GET requests. But that seems to break the login, as the client only creates the credentials if the initial GET request to /v2/ yields a 401.
However, repository reads also start with that, so I cannot put this behind authentication either.
Basically it seems I'd have to distinguish between a ping before a pull and a ping before a login.
I'm also happy to setup token authentication. But that would probably run into the same conundrum.
Apparently the way to go is to set up token authentication.
Then you can return a valid token for the scope pull even if no Basic Authentication was given.
You can find example code at https://github.com/cloudfleet/floating-dock/blob/master/app/controllers/api/v1/jwt_controller.rb and https://github.com/cloudfleet/floating-dock/blob/master/app/services/auth/container_registry_authentication_service.rb
It is an adapted version of GitLab's JWT implementation for the registry.
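The decision the answer describes, as an added example in Python written for this page (it is not the floating-dock or GitLab code linked above): with token auth configured, the registry answers every request that carries no token with a 401 and a Bearer challenge, so the /v2/ ping before docker login still produces the 401 the client needs; docker pull works anonymously because the token endpoint hands anyone a token scoped to pull, while push is only granted to callers who presented valid credentials. The issuer, service name and HMAC key are constructed; the real registry only accepts tokens signed with an asymmetric key (RS256/ES256 family) whose certificate is listed in auth.token.rootcertbundle, so the HS256 signer below stands in for that solely to keep the example self-contained. The claim layout is the one the registry's token auth expects.

```python
"""Token-endpoint logic for a registry that allows anonymous pull (added example).

The registry sends clients here with one or more `scope` parameters such as
repository:team/app:pull,push.  Anonymous callers get only `pull`; callers who
presented valid credentials get everything they asked for.  ISSUER, SERVICE,
SIGNING_KEY and the HS256 signer are stand-ins (see the lead-in).
"""
import base64
import hashlib
import hmac
import json
import time
import uuid

ISSUER = "auth.example.com"        # assumed: the registry's auth.token.issuer
SERVICE = "registry.example.com"   # assumed: the registry's auth.token.service
SIGNING_KEY = b"example-only-key"  # assumed; a real registry needs an RSA/EC key
ANON_ACTIONS = {"pull"}
TOKEN_TTL = 300


def parse_scope(scope):
    """'repository:team/app:pull,push' -> ('repository', 'team/app', ['pull', 'push'])."""
    resource, actions = scope.rsplit(":", 1)
    type_, name = resource.split(":", 1)
    return type_, name, [a for a in actions.split(",") if a]


def resolve_access(scopes, authenticated):
    """Grant per-scope actions.  Scopes left with no grantable action are
    dropped, so an anonymous push attempt yields a valid token with no access
    and the registry itself answers 401/403 on the upload."""
    access = []
    for scope in scopes:
        type_, name, actions = parse_scope(scope)
        granted = actions if authenticated else [a for a in actions if a in ANON_ACTIONS]
        if granted:
            access.append({"type": type_, "name": name, "actions": granted})
    return access


def build_claims(subject, access, now=None):
    now = int(time.time() if now is None else now)
    return {"iss": ISSUER, "sub": subject, "aud": SERVICE,
            "exp": now + TOKEN_TTL, "nbf": now, "iat": now,
            "jti": uuid.uuid4().hex, "access": access}


def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def sign_token(claims):
    """Compact JWS.  alg is HS256 only for self-containment; use RS256/ES256 for real."""
    header = _b64url(json.dumps({"typ": "JWT", "alg": "HS256"}, separators=(",", ":")).encode())
    body = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{body}"
    sig = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def token_response(scopes, username):
    """Body returned to the docker client.  `username` is None for an anonymous
    caller.  A caller whose Basic credentials were present but wrong must get
    HTTP 401 from the endpoint rather than being treated as anonymous, or
    `docker login` would appear to succeed with any password."""
    access = resolve_access(scopes, authenticated=username is not None)
    claims = build_claims(username or "", access)
    return {"token": sign_token(claims), "expires_in": TOKEN_TTL}
```

The registry side is configured with `auth.token.realm` pointing at this endpoint plus the matching `service`, `issuer` and `rootcertbundle`; the endpoint's only policy decision is `resolve_access`, which is what the Ruby service linked above implements in its own terms.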

Single sign-on between vBulletin and Rails applications

We have a lot of users on a vBulletin forum. Now I want to write a few more apps in Rails for the same user base. Until now all the authentication and session management has been taken care of by vBulletin. What is the best way to provide SSO for my users, both on vBulletin and on the Rails apps I am writing?
I am working on a single sign-on process with vBulletin and a custom-made application. I can log in at vB using cookies and I can access everything. But when I access "Send Private Message", it says:
"You have turned off private messages. You may not send private messages until you turn them on by editing your options."
Are all the permissions set in the "datasource" table?
Thanks
Ideally your two sites are subdomains of a common domain (e.g. forum.example.com and rails.example.com), or share the same domain (www.example.com). One of the sites would be the primary authenticator, and set a cookie (for .example.com in the case of the common parent domain, note the leading dot before example.com, or for www.example.com in the case of the shared domain, so that both applications can access it), where the cookie contains:
the user ID
a salt (random value calculated at login time), and
a SHA-2 signature computed over the triplet (user ID + salt + a shared secret key), where the shared secret key is a secret string known by both sites.
Each site would be able to retrieve the user ID and salt from the cookie, then use the shared secret key (known only by the two applications) to calculate a SHA-2 signature that must match the SHA-2 signature stored in the cookie.
If the SHA-2 signatures match then you can assume that the user is authenticated, otherwise force the user to log in again.
The cookie must be destroyed when logging off.
The small print
To protect against session hijacking, all requests made over the two sites should be encrypted over SSL (use https.) If this is not possible, a hash based on the client's IP address as well as browser type and version (User-agent) should probably be calculated at login time and also be stored in the cookie. It should be re-checked against the client's IP address and user agent before serving each request. The hash-based approach is security through obscurity, and can be fooled; moreover, a user accessing the internet from behind a pool of proxies or using TOR may be kicked out by your system every time a different proxy or exit node (with a different IP address) forwards a request.
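The cookie scheme from the answer above, as an added example in Python written for this page (it is not the answer's code and not from vBulletin or Rails): the authenticating site mints a value carrying the user ID, an issue time and a random salt, and either site verifies it with the shared secret. Two deliberate departures from the answer's wording, named here: the signature is HMAC-SHA256, the standard keyed construction, rather than a plain SHA-2 over the concatenated fields; and an issue time is included and checked, so a copied cookie stops working after a fixed lifetime instead of only when the browser discards it. The comparison is constant-time. The secret, cookie name, domain and lifetime are constructed for the example; on the Rails side the verify call belongs in a before_action, on the vBulletin side the mint call goes wherever the login hook runs.

```python
"""Shared-domain SSO cookie: minted by the primary site, verified by the other (added example).

Value layout: <user_id>.<issued_at>.<salt>.<signature>, where the signature is
HMAC-SHA256 over the first three fields using SHARED_SECRET, which both
applications know.  The constants below are constructed for the example.
"""
import base64
import hashlib
import hmac
import os
import time

SHARED_SECRET = b"replace-with-32-random-bytes-known-to-both-apps"  # constructed
COOKIE_NAME = "sso"
COOKIE_DOMAIN = ".example.com"      # parent of forum.example.com and rails.example.com
MAX_AGE = 8 * 3600                  # seconds a cookie stays valid after login


def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(payload):
    return hmac.new(SHARED_SECRET, payload, hashlib.sha256).digest()


def mint(user_id, now=None):
    """Called by the authenticating site after a successful login."""
    issued = int(time.time() if now is None else now)
    salt = _b64(os.urandom(16))      # fresh per login, so two logins never share a value
    payload = f"{int(user_id)}.{issued}.{salt}".encode()
    return payload.decode() + "." + _b64(_sign(payload))


def verify(value, now=None):
    """Called by either site on each request: returns the user ID if the cookie
    is genuine and unexpired, otherwise None (force a fresh login)."""
    try:
        uid, issued, salt, sig = value.split(".")
        payload = f"{uid}.{issued}.{salt}".encode()
        if not hmac.compare_digest(_unb64(sig), _sign(payload)):
            return None                  # forged or tampered
        issued = int(issued)
        uid = int(uid)
    except (ValueError, TypeError, AttributeError):
        return None                      # malformed cookie
    now = int(time.time() if now is None else now)
    if not issued <= now <= issued + MAX_AGE:
        return None                      # expired, or issued in the future
    return uid


def set_cookie_header(value):
    """Set-Cookie value for the shared parent domain.  Secure matches the answer's
    HTTPS advice; HttpOnly keeps page scripts from reading the cookie."""
    return (f"{COOKIE_NAME}={value}; Domain={COOKIE_DOMAIN}; Path=/; "
            f"Max-Age={MAX_AGE}; Secure; HttpOnly; SameSite=Lax")


def clear_cookie_header():
    """Logout on either site: overwrite the cookie with an already-expired one."""
    return f"{COOKIE_NAME}=; Domain={COOKIE_DOMAIN}; Path=/; Max-Age=0; Secure; HttpOnly"
```

Because the salt is random and every field is under the HMAC, changing the user ID in a captured cookie fails verification, and a cookie captured from one session cannot be extended past MAX_AGE; what this does not do is tie the cookie to a client address, which is the trade-off the small print above discusses.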
