I would like to use Keycloak as an authentication and authorization server in my existing project,I want to achieve row level (database table) permissions, I'm thinking to create a resource for each row and group them by type (the type is the name of the table), I'm wondering if there exists any better solution ?
Any suggestions are appreciated.
Related
I am using Cloudera 5.4.2 with Sentry and am successfully granting access to roles on databases. My challenge now is to have a group that can read only one table from a database that has many other tables. I have not been able to grant select on a specific table where the role does not have any permissions for the database. When looking at the Cloudera documentation I do not see an example of this and the wording around granting table access makes is sound straight forward.
Here is an example of what I would like to run to get role test access to the table private_table without having access to any other tables in the database testdb.
CREATE ROLE test;
GRANT ROLE test to group `test-group`;
GRANT SELECT ON TABLE testdb.private_table TO ROLE test;
I also faced the same issue as in it granted the privileges for that table in default schema instead of "testdb" schema, every time I ran the following command:
GRANT SELECT ON TABLE testdb.test_table TO ROLE test;
I found a way to workaround this by doing this:
USE testdb;
GRANT SELECT ON TABLE test_table TO ROLE test;
However, since all Hive/Impala queries take DB.TBL schema, GRANT should also accept it.
I have an MVC 5 application set up with windows authentication and my own custom roles table for authorization. This works fine if the user exists in my application database - username in my users table maps to the usernames in active directory.
My question is how do I keep my users table in sync with active directory. Any time a new user is hired, a new record has to be added to my intranet application to ensure this user has access to it.
Is there a way to load users from active directory into my own users table perhaps with some kind of scheduled job or is there a better way to achieve what I'm trying to do?
I think sync two database instances (AD database and you app database) will become management issue as your business grow. Even, adding new user and removing is day to day work, so in both cases you need to execute some sort of action to add or remove users from your app database.
Why don't you ask your team to give you access of AD database and consume this into your intranet app, this is what I was using in my past organization and this works great.
The AD can be used in a programmatic manner. Just look for LDAP stuff and you'll find lots of examples. Here's one to get you started : Connect to Active Directory via LDAP
If your application allows people to register then implement your own custom membership provider which talks to the AD. You can create the users in the AD, you will have to pass the password requirements which are set on the AD as well, which is more than likely a good thing. The roles information can be stored there as well, no need for a local custom roles table either.
I am new to MVC and want to understand the authentication mechanism in MVC
I have these tables in SQL, Users table, Roles table and UserRoles table which maps user id column to role id column. Now as soon as I add an attribute Authorize(Roles = "Customer") I want the access to be given only to the users having customer priviliges. Now what is is that I have to do to create a link between these two. I am looking for a step by step explanation or a link which points me to do this exactly, as I found a number of articles googling out on this and was unable to find the matching one.
Thanks in advance.
If you take the out of the box MVC template, you don't need to do anything to enforce this behavior. A database will be created for you as soon as you launch your application with a number of tables (Users, roles, mapping between users and roles, ...). Check your web.config for the connection string.
The only thing for you to do is to populate the ROLES table and then match those entries with the Authorize attribute in code. So if you have a role named "Admin" in the database, you can protect your actions and controllers with following code:
[Authorize(Roles="Administrators")]
You could also take it further to limit access by users but I wouldn't consider that as a best practice. Next, create a user in the UI and then match this user to a role you specified in the DB. Login as this user and you'll notice you have access to the restricted action/controller.
For more information, he best articles are those from Microsoft themselves, like this one.
I am building an MVC4 application and need to use external authentication (Facebook, etc). I have that working fine. I see the SimpleMembershipProvider creates 2 separate tables to handle this: "webpages_Membership" and "webpages_OAuthMembership". I need to map other tables (foreign keys) to User ID. The problem is both tables have a user ID which are unrelated to each other.. I could ignore the foreign keys in the database if necessary (don't like that though), but the bigger question is this: in code, how would I determine whether a user is authorized externally or locally so that I know where to get his other info from? Specifically, I have a user profile table where I will map other attributes to.. having 2 different types of user, how does one go about this?
Right, I have learned more about MVC4 and SimpleMembershipProvider and I see now that the User ID on both tables is actually a foreign key to a parent table called UserProfile. So, User IDs will still be unique.. it's just the mappings are a little different to what I was accustomed to with the standard ASP.NET membership provider. Email address and whatever other properties are required can be easily applied to the UserProfile table.
I am creating a Grails website where users will have access to the resources they create. Till here everything is clear to me. I define ROLE_USER and lock down my controllers and actions using the Config.groovy file.
The issue I am facing is that I have requirement to support group of users such that some resources created by a user can be edited/updated/deleted by other users of the same group. How do I associate a user with a "group" in spring security, what is the design/library I should use here?
What you will need to do is to have your users' roles (the authorizations) come from the database. Once that is the case, you can then easily adjust the roles a user (or set of users) has and create/remove them on the fly. The docs have some pretty good info on how to get the roles to come from the database, so I won't go any more into that here.
Once the dynamic roles are in place, however, you still need to be able to connect roles to the objects that are created. There are essentially two ways you can go about doing this:
Access Control Lists
Custom logic
Depending on the granularity you need and the flexibility you want, one option may be more appealing than another.
Access Control Lists essentially allow you to have a permission mapping between each user and each entity instance. As you can imagine, it's a fair bit of overhead and can perform poorly if you have a large number of entities and users.
Putting together your own logic, on the other hand, is much more flexible because you can set up your own scheme to connect entity instances or entity classes to users and their roles.
I dont think that spring-security provides such functionality out of the box so you will have to do that manually.
For each domain class that you this kind of functionality, store the user name of current logged in user
def authenticateService
def user = authenticateService.principal()
entity.setUser(user?.getUsername())
Then in the update/delete method of the contoller you should check if the role of the current logged in user matches
the role of the user that created the entity. If you have a match you should proceed with the update/delete otherwise throw an exception
/redirect the user to an error page
As role you can use the spring security roles or you can create a property on the user object you have created