Block access for all the users in Apache Ranger - apache-ranger

I think Apache Ranger does not support blocking all the users in a Policy using '*' simply.
Does Apache Ranger API provide any way to do this?
I can think of a way to first get all users using
curl -u <Username>:<Password> -X GET /service/xusers/users | jq '.vXUsers[].name'
And then put them in the below API to block all users
POST /service/public/v2/api/policy
Is there any way we can just use '*' on UI under Select User tab?

I think Apache Ranger does not support blocking all the users in a Policy using '*' simply.
You do not need to block the users all together, just create a policy and do not specify any access permissions for any users. Unless you specify the permissions explicitly, by default, all the users will be denied.
For example, if a policy has no allow conditions as below;
Then, you will get denied for all actions;
0: jdbc:hive2://node5.cluster.com:10000/> create table t (id int);
Error: Error while compiling statement: FAILED: HiveAccessControlException Permission denied: user [mapr] does not have [CREATE] privilege on [default/t] (state=42000,code=40000)
0: jdbc:hive2://node5.cluster.com:10000/>
When I specify an allow condition for a user to create a table as below;
Then, I can create a table;
0: jdbc:hive2://node5.cluster.com:10000/> create table t (id int);
INFO : OK
INFO : Concurrency mode is disabled, not creating a lock manager
No rows affected (0.687 seconds)
0: jdbc:hive2://node5.cluster.com:10000/>

Related

How to set the scope using Google Operators in Airflow

I have a task using the GCSToGoogleSheetsOperator in Airflow where Im trying to add data to a sheet.
I have added the service credential email to the sheet I want to edit with editor privileges, and received this error:
googleapiclient.errors.HttpError:
<HttpError 403 when requesting
https://sheets.googleapis.com/v4/spreadsheets/<SHEET_ID>/values/Sheet1?valueInputOption=RAW&includeValuesInResponse=false&responseValueRenderOption=FORMATTED_VALUE&responseDateTimeRenderOption=SERIAL_NUMBER&alt=json
returned "Request had insufficient authentication scopes.".
Details: "[{
'#type': 'type.googleapis.com/google.rpc.ErrorInfo',
'reason': 'ACCESS_TOKEN_SCOPE_INSUFFICIENT',
'domain': 'googleapis.com',
'metadata': {
'service': 'sheets.googleapis.com',
'method': 'google.apps.sheets.v4.SpreadsheetsService.UpdateValues'}
}]>
I cant update the sheet, but the GCS and BigQuery operators work fine.
My connection configuration looks like the following:
AIRFLOW_CONN_GOOGLE_CLOUD=google-cloud-platform://?extra__google_cloud_platform__key_path=%2Fopt%2Fairflow%2Fcredentials%2Fgoogle_credential.json
I tried following the instructions to add the scope https://www.googleapis.com/auth/spreadsheets.
Which URL encoded looks like:
AIRFLOW_CONN_GOOGLE_CLOUD=google-cloud-platform://?extra__google_cloud_platform__key_path=%2Fopt%2Fairflow%2Fcredentials%2Fgoogle_credential.json&extra__google_cloud_platform__scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fspreadsheets
Now, operators which previously worked error out like this:
google.api_core.exceptions.Forbidden: 403 POST https://bigquery.googleapis.com/bigquery/v2/projects/my-project/jobs?prettyPrint=false: Request had insufficient authentication scopes.
And the GCSToGoogleSheetsOperator operator still error out like this:
google.api_core.exceptions.Forbidden: 403 GET https://storage.googleapis.com/download/storage/v1/b/my-bucket/o/folder%2Fobject.csv?alt=media: Insufficient Permission: ('Request failed with status code', 403, 'Expected one of', <HTTPStatus.OK: 200>, <HTTPStatus.PARTIAL_CONTENT: 206>)
How can I set the permissions correctly to use both BigQuery, GCS and Sheets operators?
Adding a scope seems to ignore the IAM roles, so its either one or the other.
The service account had roles needed to access GCS and BigQuery, but by adding the scope https://www.googleapis.com/auth/spreadsheets, the service would ignore the privileges granted by the roles and look only at the ones specified by the scopes.
So, to recover it, you must add both the spreadsheet and cloud-platform scopes (or more strict scopes). cloud-platform will provide access to GCS and BigQuery and spreadsheets to Google Sheets API.
If you set your connection using environment variables, you have to URL encode the arguments, so to create a GOOGLE_CLOUD connection, you will have to do something like this, which is not encoded...
AIRFLOW_CONN_GOOGLE_CLOUD=google-cloud-platform://?extra__google_cloud_platform__key_path=/abs/path_to_file/credential.json&extra__google_cloud_platform__scope=https://www.googleapis.com/auth/cloud-platform,https://www.googleapis.com/auth/spreadsheets
To encode, which is the version you have to use, replace /, , and ::
AIRFLOW_CONN_GOOGLE_CLOUD=google-cloud-platform://?extra__google_cloud_platform__key_path=%2Fabs%2Fpath_to_file%2Fcredentials%2Fgoshare-driver-c08e0904285b.json&extra__google_cloud_platform__scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcloud-platform%2Chttps%3A%2F%2Fwww.googleapis.com%2Fauth%2Fspreadsheets

Attempting to configure a user that get Configuration-Token in reply

I have tried most of the configuration examples of user to return a Configuration-Token attribute. I need an example configuration and which file to place it in (e.g. user or user.conf).
tried something like (in user.conf):
testing Cleartext-Password := "password"
reply: Configuration-Token="hello"
This caused freeradius to not run
Freeradius would not execute.

How to create system user in Sling?

How can I create a system user in Sling?
I tried searching but all I find is related to AEM, which I don't use. Is it possible to create the user using Jackrabbit API or Sling Initial Content (descriptor files)?
I tried to execute the following:
curl -u admin:admin -F:name=myuser -Fpwd=mypwd -FpwdConfirm=mypwd -Frep:principalName=myuser -Fjcr:primaryType=rep:SystemUser http://localhost:8080/home/users/system/*
But there is an error:
*ERROR* [127.0.0.1 [1465215465364] POST /home/users/system/* HTTP/1.1] org.apache.sling.servlets.post.impl.operations.ModifyOperation Exception during response processing.
javax.jcr.nodetype.ConstraintViolationException: Property is protected: rep:principalName = myuser
at org.apache.jackrabbit.oak.jcr.delegate.NodeDelegate.setProperty(NodeDelegate.java:525)
at org.apache.jackrabbit.oak.jcr.session.NodeImpl$35.perform(NodeImpl.java:1358)
at org.apache.jackrabbit.oak.jcr.session.NodeImpl$35.perform(NodeImpl.java:1346)
at org.apache.jackrabbit.oak.jcr.delegate.SessionDelegate.perform(SessionDelegate.java:209)
at org.apache.jackrabbit.oak.jcr.session.ItemImpl.perform(ItemImpl.java:112)
at org.apache.jackrabbit.oak.jcr.session.NodeImpl.internalSetProperty(NodeImpl.java:1346)
at org.apache.jackrabbit.oak.jcr.session.NodeImpl.setProperty(NodeImpl.java:432)
at org.apache.sling.servlets.post.impl.helper.SlingPropertyValueHandler.store(SlingPropertyValueHandler.java:592)
There is an out-of-the box solution based on Sling and Jackrabbit Oak. It features a text-based DSL for setting users and ACLs, for instance:
create service user bob,alice
set ACL on /libs,/apps
remove * for alice
allow jcr:read for bob
end
It is also possible to embed these instructions in the provisioning model used to build a Sling launchpad - assuming you're using the slingstart-maven-plugin.
The complete documentation can be found at Repository Initializers and Repository Initialization Language
Not sure this is possible through a post request per: https://mail-archives.apache.org/mod_mbox/sling-users/201512.mbox/%3CCAFMYLMb9Wiy+DYmacc5oT7YRWT1hth8j1XAAo_sKT8uq9HoFNw#mail.gmail.com%3E
The suggested solution is to use the jackrabbit api to do this. This would look something like:
//get a user manager
try {
User systemUser = userManager.createSystemUser("myuser", "/home/users/system");
} catch (Exception e) {
log.error("Error adding user",e);
throw e;
}
//commit changes
It's very important to note that this doesn't allow you to set a password for this user, nor can one be set with user.changePassword() -- when I try that I get an error:
javax.jcr.UnsupportedRepositoryOperationException: system user
From the java doc:
Create a new system user for the specified userID. The new authorizable is required to have the following characteristics:
User.isSystemUser() returns true.
The system user doesn't have a password set and doesn't allow change the password.
http://jackrabbit.apache.org/api/2.10/org/apache/jackrabbit/core/security/user/UserManagerImpl.html
Here's my whole activator class: https://gist.github.com/scrupulo/61b574c9aa1838da37d456012af5dd50

How can I show a custom 404 page when access is denied to a node or method in Neos?

We're making a forum where access is supposed to be denied by unregistered users. I want to show a proper error message - not an exception - for users that are not allowed there. How do I achieve this in Neos 2.0?
Both read and write access should be denied. Maybe it's easier to deny access to the node where the forum is? But wouldn't that need hard-coding of node path?
Current Policy.yaml:
privilegeTargets:
'TYPO3\Flow\Security\Authorization\Privilege\Method\MethodPrivilege':
'My.Package:PostControllerLoggedInActions':
matcher: 'method(My\Package\PostController->(index|new|create)Action(.*))'
roles:
'TYPO3.Flow:Everybody':
privileges:
-
privilegeTarget: 'My.Package:PostControllerLoggedInActions'
permission: DENY
'My.Package:User':
privileges:
-
privilegeTarget: 'My.Package:PostControllerLoggedInActions'
permission: GRANT
Edit: Here are some slides about (among other things) how to create a custom 404 page: https://speakerdeck.com/aertmann/tasty-recipes-for-every-day-neos
Edit 2: Use Flow exception handler?
You can try to set it in your root Configuration/Settings.yaml. You can do it by status code (like in example) or exception class:
TYPO3:
Flow:
# you have already persistence
# and maybe other stuff under flow
# just add it below them but still under TYPO3.Flow
error:
exceptionHandler:
renderingGroups:
accessRestricted:
matchingStatusCodes: [ 401, 403]
options:
templatePathAndFilename: 'resource://TYPO3.Neos/Private/Templates/Error/Index.html'
layoutRootPath: 'resource://TYPO3.Neos/Private/Layouts/'
format: 'html'
variables:
errorTitle: 'Restricted Area'
errorDescription: 'Go home boy.'

Find out the logged in users in ADempiere

I have deployed the ADempiere in a server and provide the jnlp based client installation to the users in the network. How can I find out the users accessing the server at a time. Is there any audit option or cange log features.
When a client accessing the server, it marks as
12:52:37,547 INFO [[/admin]] Request: /admin/adempiere.jnlp
12:52:37,555 INFO [[/admin]] User-Agent: JNLP/6.0 javaws/1.6.0_30
(b12) Java/1.6.0_30 12:52:37,565 INFO [[/admin]] Resource returned:/adempiere.jnlp
How can I identify the users accessing the service?
Thanks in advance.
By Querying the AD_Session Table, you can get the no of users logged into the system.
You will get active/inactive connections based on the processed column.
For getting active users in the system :-
SELECT AD_Org_ID, AD_Role_ID, remote_addr, remote_host, processed, logindate,
created as "login date with time", createdby As AD_User_ID FROM AD_Session
WHERE Processed='N' AND logindate > current_date-1;
(you can update the above sql as your wish)
use this Query for update Session in
update AD_Session set Processed='Y' where HERE Processed='N' AND logindate > current_date-1;

Resources