NGINX auth provider with granular control - docker

I'm looking for a suggestion on what combinations of identity providers to use.
I want to authenticate LDAP users based on the groups they are members of.
Example:
secret1.example.com can be accessed only by members of group A
secret2.example.com can be accessed only by members of group B
Both subdomains are configured as proxy_pass on one NGINX instance. I've looked into a vouch!/keycloak combo but vouch! creates a cookie for the whole domain (example.com) which doesn't provide that granular control. There is a workaround with multiple vouch! instances and whitelists but that doesn't seem like a clean and easily serviceable solution.
Ideally this solution should be as granular as the auth_basic function in NGINX, but I'm not sure something like that exists.
Does anyone have some suggestions as to how to go about it?
Is NGINX the right solution for the job?
Thanks in advance!

To anyone who is encountering a similar problem, take a look at Authelia. The setup documentation is pretty straightforward. While I haven't tried it yet it seems to satisfy my needs.

Related

How to restrict Jenkins access to specific github organization?

We have Jenkins set up in our organisation with two organisational folders which basically do builds for repos from two different github organizations.
We use Keycloak to authenticate to Jenkins (not sure if that's relevant or not) and we authenticate using openid connect with Keycloak.
I would like to know if it is possible to restrict access for a certain group of users to only be able to view builds on one of the github organizations. So for example if we have two github organizations, mrrobot_org and evilcorp_org, then I would like to be able to make an evilcorp_org_devs_group and add users to that group, which would then restrict those developers to only accessing builds from the evilcorp_org github organization.
Someone told me this might be possible to do from Keycloak, but it does not seem likely.
I've tried quite a few things already but from what I've read the best option seems to use this plugin
https://plugins.jenkins.io/role-strategy/
and match the organization using a regex to match a folder: "Folders can be matched using expressions like ^foo/bar.*".
Any other suggestions how I could do this?
Thanks so much.
For anyone reading this. I ended up using the Folder auth plugin for Jenkins.
I ended up sticking to Keycloak for Authentication, but used the folder auth plugin for Authorization.
So this allows me to restrict access per Jenkins folder. Each folder containing the builds of a given github organization.
The plugin is pretty easy to use. You can check it out here:
https://github.com/jenkinsci/folder-auth-plugin
The docs are here:
https://github.com/jenkinsci/folder-auth-plugin/blob/master/docs/usage.md

Give access to RDS database

I have several databases running in RDS Service.
I'd like to know the best practice to grant access to developers to these DBs.
I thought of a solution using Jenkins but I don't think this is the best option.
I am trying to avoid giving passwords to developers.
Hope you can help me.
As #ceejayoz mentioned, you can create a few users with restricted privileges, for example a user who can only run selects on a few schemas, another user who can update registers in a few tables.
I can share what we do and what I've seen. We do A and use B where it is easy.
A) Standard Users
For all databases, we have 3 standard users with the following suffixes (_dba, _rw, _ro). Those all have their own passwords using a strong password generator.
_dba is used to deploy the schema and has all rights
_rw is used by the application (CRUD on all tables, but can't modify the schema)
_ro only has R on all tables and generally given to developers
Note: Developers have access to a bastion used for port forwarding and proxycap. They can query the RDS endpoints from their own machines (DB Tools) going through socks proxy and bastion.
This is the lazy method, since creation of users is done programmatically and we feel comfortable giving some developers read-only access. They could write a bad query and slow down the system, but they could do that with a specific user too, so it's not much different, and the bastion logs tell me who really was in if I had to investigate.
B) UI
Simple web app with login (ideally MFA) - that provides a way to run queries. If only for reporting, ideally against R/O copy of system. Stackoverflow offers one themselves (https://data.stackexchange.com/).
What would be nice is if RDS offered this themselves (linked to your IAM roles). They offer this on RDS Serverless (https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/query-editor.html) and it may be a feature in other RDS versions. That allows fine control or even lazy control (IAM groups).
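The three standard users from option A, as an added example that is not part of the original answer. It assumes PostgreSQL on RDS, a database named "app", role names with the _dba/_rw/_ro suffixes, and placeholder passwords to be replaced by generated ones.

```sql
-- Added example, not from the original answer. Assumes PostgreSQL on RDS,
-- a database called "app" and role names with the _dba/_rw/_ro suffixes
-- described above; the passwords are placeholders for generated ones.

-- 1. Three logins, each with its own generated password (run as the RDS master user).
CREATE ROLE app_dba LOGIN PASSWORD 'REPLACE-WITH-GENERATED-PASSWORD';
CREATE ROLE app_rw  LOGIN PASSWORD 'REPLACE-WITH-GENERATED-PASSWORD';
CREATE ROLE app_ro  LOGIN PASSWORD 'REPLACE-WITH-GENERATED-PASSWORD';

-- 2. The master user joins app_dba so it may create objects owned by it;
--    app_dba owns the database and is the only role that deploys schema changes.
GRANT app_dba TO CURRENT_USER;
CREATE DATABASE app OWNER app_dba;

-- Connect to database "app" before running the statements below.

-- 3. Nobody gets CREATE on the schema implicitly; only app_dba may add tables.
REVOKE CREATE ON SCHEMA public FROM PUBLIC;
GRANT USAGE, CREATE ON SCHEMA public TO app_dba;
GRANT USAGE ON SCHEMA public TO app_rw, app_ro;

-- 4. app_rw: CRUD on data (plus sequences for inserts), but no DDL because
--    it has no CREATE on the schema and owns nothing.
GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA public TO app_rw;
GRANT USAGE, SELECT ON ALL SEQUENCES IN SCHEMA public TO app_rw;

-- 5. app_ro: SELECT only, the account handed to developers.
GRANT SELECT ON ALL TABLES IN SCHEMA public TO app_ro;

-- 6. Tables and sequences that app_dba creates later inherit the same grants,
--    so a schema deploy cannot silently leave new tables inaccessible or open.
ALTER DEFAULT PRIVILEGES FOR ROLE app_dba IN SCHEMA public
    GRANT SELECT, INSERT, UPDATE, DELETE ON TABLES TO app_rw;
ALTER DEFAULT PRIVILEGES FOR ROLE app_dba IN SCHEMA public
    GRANT USAGE, SELECT ON SEQUENCES TO app_rw;
ALTER DEFAULT PRIVILEGES FOR ROLE app_dba IN SCHEMA public
    GRANT SELECT ON TABLES TO app_ro;

-- 7. Limit the damage a bad developer query can do (the risk the answer notes):
--    app_ro sessions are read-only and any statement is cut off after 30 seconds.
ALTER ROLE app_ro SET default_transaction_read_only = on;
ALTER ROLE app_ro SET statement_timeout = '30s';
```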

is it secure to use ngrok for a redirect uri for oauth2

Let me make this clear from the beginning: I'm a complete noob regarding oauth2 and not a dev (just monkey interested in tech stuff) so the question might be silly. If so please don't hesitate to smash the monkey as he truly deserved it...
Since I wanted to get a better understanding of how oauth2 is working I wanted to set up slack within emacs. This is not my first project with oauth2. I managed to get offlineimap working with gmail using oauth2. However, google did one step automatically with which I'm struggling right now for slack.
My question is all about the redirect url. Google did set this up for me pointing to my localhost. Now slack doesn't do the job for me and since my localhost isn't reachable from the outside (of my home network) I need to set up a way to securely get to my localhost.
How does google set this up?
I came across ngrok which looks to me like a solution to my problem. Again, I've never heard of / used it before. I think I would be able to get that stuff up and running but I would like to know:
Is this a safe and secure solution? To what should I pay attention?
"Is this a safe and secure solution?" is a very broad question and you can surely find a lot of discussion and opinions on this forum on how safe VPN tunnels for HTTP are in general and ngrok is in particular.
So the answer is: it depends on what your requirements are. Any other answer will be opinionated or will have to make assumptions about your requirements, which you have not specified.
Having said that:
If you want to use it for local development (incl. Oauth), ngrok appears to be safe enough to be recommended by the Slack team for local development (see tutorial).
If you want to use it for a production environment and/or in a company network, I would recommend verifying with the responsible IT security officer before using it. However, it is a professional and well-known product used by many companies, so you should have a fair chance that it gets approved.
I have not used Google Oauth, but in my experience with other Oauth services it's pretty standard that it's calling you via a redirect URL.

Implementing security for users in jenkins

I am after a better solution for security in Jenkins. After playing around in this space, my current solution is to implement the 'Project-based Matrix Authorization Strategy'. I was previously considering running Jenkins behind Apache and controlling security through Apache. But during my trial with matrix-based security, I was able to assign full access to logged-in users and block anonymous users from seeing anything on the dashboard except the login page.
Before I proceed with my beta servers, I would like to seek expert advice to understand whether what I am doing is correct or there is a better way to do this. At the moment I have around 30 users created in my system.
If matrix based solution is the best and easiest, I would like to know,
1) Is it possible to group users and assign access based on groups, so that I don't have to grant access to users on an individual basis?
2) I also saw a post about the 'Role strategy plug-in', but I couldn't see that in my Jenkins. Not sure if this plug-in is out of date and/or no longer supported.
Thanks in advance.
I'm using the Role Strategy plugin with an LDAP directory and it works well.
You just have to install this plugin on your Jenkins server and to switch from "Matrix-based security" to "Role-Based Strategy".
Next, you will be able to define roles:
And assign them to users (or LDAP groups, if you have an LDAP directory):

Architecture: worker/director (3 main roles) in one same rails app

I want to develop a rails app that does this:
a public front-end deployed on some place like Heroku
a private front-end that I can access (this would be someplace like my home/office where it is the only app running)
a private backend that collects and analyses data (the public front end can access the backend through an API; this would be someplace like my home/office where it is the only app running)
I want to keep the code base the same so I was thinking of modifying environment variables accordingly.
So, two things:
is this a good architecture for this?
how would I run a background worker thread/process on the private front/backend machine
thanks
This is one application.
My suggestion is that you use an authentication framework, my suggestion would be devise (https://github.com/plataformatec/devise) and an authorization framework like acl9 (https://github.com/be9/acl9) or cancan (https://github.com/ryanb/cancan).
The fact is smarter people than you and I have built fantastic frameworks to solve just this problem and there's no point reinventing the wheel when something already exists. Plus, writing authentications systems might seem easy but it's actually incredibly complicated.
I would also not recommend restful-authentication or acts_as_authenticated, especially if you're building a rails 3 application.
If you're planning on deploying on heroku, using environment variables isn't going to work because:
The variables will be the same across all of your dynos.
If you want to run different apps you need to go for their new database offerings which are quite expensive.
Consolidate everything into one app, your life will be easier in the long run!
For background workers you can use resque and dynamically spin up workers (http://blog.darkhax.com/2010/07/30/auto-scale-your-resque-workers-on-heroku). Use different queues if you want for the public/private facing stuff if they have different SLAs.
I hope this helps, if you have any more questions leave a comment.
What about authorization? I'm using this plugin with Restful authentication for authentication.
With it I define roles and what they can access, and give a role to each user. The user logs in and the controller (or the view) checks the user's permissions and responds properly (you'll need to code a bit, but it's the most elegant and safest way, I think).
You could perhaps use authentication to figure out who is accessing things, within the controller.
Couldn't you use a before_filter that authenticated access and authorised different levels of functionality, based on authenticated user?
For authentication, you could go for something simple like this (cheatsheet here):
http://cheat.errtheblog.com/s/acts_as_authenticated/
or a better one:
https://github.com/technoweenie/restful-authentication