We installed ranger user-sync and able to sync all external users via open LDAP. This user sync is only happening when we restart ranger user sync. I would like to see if user can sync in real-time. Please help me how can I achieve this.
Below properties configured in install.properties. Rest other properties, I kept default.
SYNC_SOURCE = ldap
MIN_UNIX_USER_ID_TO_SYNC = 500
MIN_UNIX_GROUP_ID_TO_SYNC = 500
SYNC_INTERVAL = 1
SYNC_LDAP_URL = ldap://<Open LDAP server IP and port>
SYNC_LDAP_BIND_DN = cn=admin,dc=example,dc=org
SYNC_LDAP_BIND_PASSWORD = <password>
SYNC_LDAP_SEARCH_BASE = dc=example,dc=org
SYNC_LDAP_USER_SEARCH_BASE = dc=example,dc=org
SYNC_LDAP_USER_SEARCH_SCOPE = sub
SYNC_LDAP_USER_OBJECT_CLASS = person
SYNC_LDAP_USER_NAME_ATTRIBUTE = uid
SYNC_LDAP_USERNAME_CASE_CONVERSION=none
SYNC_LDAP_GROUPNAME_CASE_CONVERSION=none
SYNC_LDAP_REFERRAL =follow
#Shailendra. You may need to schedule the restart of ranger or the user sync directly via chron. I was able to find some info about the usersync sleep time.
Check for and reduce the value of this property in your configuration for the usersync sleep time:
ranger.usersync.sleeptimeinmillisbetweensynccycle (reference)
This article may help too as it suggest a java code to run usersync manually:
https://community.cloudera.com/t5/Support-Questions/Is-there-a-way-to-force-Ranger-user-sync-to-run-manually/td-p/110370
Related
I'm trying to access Azure Table Storage using the TableClient class, but I want to authenticate using AzureAD credentials via the browser popup.
I have tried 2 approaches and are sure I have things configured correctly in Azure, but I just keep getting
This request is not authorized to perform this operation using this
permission.
Here is test code 1 using MSAL
let app = PublicClientApplicationBuilder.Create("---registered app ID---")
.WithAuthority(AzureCloudInstance.AzurePublic, "---tennant id----" )
.WithDefaultRedirectUri()
.Build()
let! ar = app.AcquireTokenInteractive(["https://storage.azure.com/user_impersonation"]).ExecuteAsync()
let tokenCredential = { new TokenCredential() with
member x.GetTokenAsync(_,_) = task {return AccessToken(ar.AccessToken, ar.ExpiresOn)} |> ValueTask<AccessToken>
member x.GetToken(_,_) = AccessToken(ar.AccessToken, ar.ExpiresOn)}
let tc = new TableClient(Uri("https://--endpoint---.table.core.windows.net/"), "--Table--", tokenCredential)
and test 2 using Azure.Identity
let io = new InteractiveBrowserCredentialOptions(ClientId = "---registered app ID---", RedirectUri = Uri("https://login.microsoftonline.com/common/oauth2/nativeclient"))
let tc = new TableClient(Uri("https://--endpoint---.table.core.windows.net/"), "--Table--", new InteractiveBrowserCredential(io))
I have the app registered in Azure & I have added api permissions for Azure Storage, with Admin consent. My account is a Service Administrator for the tennant so I have full access to the storage account. I have scoured all the docs but just cant see what I'm missing.
To access table data using your Azure AD credentials, your user account should be assigned either Storage Table Data Contributor or Storage Table Data Reader role.
Please assign one of these roles to your user account and re-acquire the token. You should not get the error you are getting then.
I'm using terraform to write azure policy as code
I found two problems
1 I can't seem to use log analytics workspace that is on a different subscription, within same subscription, it's fine
2 For policies that needs managed identity, I can't seem to assign correct rights to it.
resource "azurerm_policy_assignment" "Enable_Azure_Monitor_for_VMs" {
name = "Enable Azure Monitor for VMs"
scope = data.azurerm_subscription.current.id
policy_definition_id = "/providers/Microsoft.Authorization/policySetDefinitions/55f3eceb-5573-4f18-9695-226972c6d74a"
description = "Enable Azure Monitor for the virtual machines (VMs) in the specified scope (management group, subscription or resource group). Takes Log Analytics workspace as parameter."
display_name = "Enable Azure Monitor for VMs"
location = var.location
metadata = jsonencode(
{
"category" : "General"
})
parameters = jsonencode({
"logAnalytics_1" : {
"value" : var.log_analytics_workspace_ID
}
})
identity {
type = "SystemAssigned"
}
}
resource "azurerm_role_assignment" "vm_policy_msi_assignment" {
scope = azurerm_policy_assignment.Enable_Azure_Monitor_for_VMs.scope
role_definition_name = "Contributor"
principal_id = azurerm_policy_assignment.Enable_Azure_Monitor_for_VMs.identity[0].principal_id
}
for var.log_analytics_workspace_ID, if i use the workspace id that is in the same subscription as the policy, it would work fine. but If I use a workspace ID from a different subscription, after deployment, the workspace field will be blank.
also for
resource "azurerm_role_assignment" "vm_policy_msi_assignment"
, I have already given myself user access management role, but after deployment, "This identity currently has the following permissions:" is still blank?
I got an answer to my own question:)
1 this is not something designed well in Azure, I recon.
MS states "a Managed Identity (MSI) is created for each policy assignment that contains DeployIfNotExists effects in the definitions. The required permission for the target assignment scope is managed automatically. However, if the remediation tasks need to interact with resources outside of the assignment scope, you will need to manually configure the required permissions."
which means, the system generated managed identity which needs access in log analytics workspace in another subscription need to be manually with log analytics workspace contributor rights
Also since you can't user user generated managed ID, you can't pre-populate this.
so if you want to to achieve in terraform, it seems you have to run policy assignment twice, the first time is just to get ID, then manual ( or via script) to assign permission, then run policy assignment again to point to the resource..
2 The ID was actually given the contributor rights, you just have to go into sub RBAC to see it.
I have a requirement that I want to list all the accounts and then write all the credentials in my ~/.aws/credentials file. Fir this I am using boto3 in the following way
import boto3
client = boto3.client('organizations')
response = client.list_accounts(
NextToken='string',
MaxResults=123
)
print(response)
This fails with the following error
botocore.exceptions.ClientError: An error occurred (ExpiredTokenException) when calling the ListAccounts operation: The security token included in the request is expired
The question is , which token is it looking at? And if I want information about all accounts what credentials should I be using in the credentials file or the config file?
You can use boto3 paginators and pages.
Get an organizations object by using an aws configuration profile in the master account:
session = boto3.session.Session(profile_name=master_acct)
client = session.client('sts')
org = session.client('organizations')
Then use the org object to get a paginator.
paginator = org.get_paginator('list_accounts')
page_iterator = paginator.paginate()
Then iterate through every page of accounts.
for page in page_iterator:
for acct in page['Accounts']:
print(acct) # print the account
I'm not sure what you mean about "getting credentials". You can't get someone else's credentials. What you can do is list users, and if you want then list their access keys. That would require you to assume a role in each of the member accounts.
From within the above section, you are already inside a for-loop of each member account. You could do something like this:
id = acct['Id']
role_info = {
'RoleArn': f'arn:aws:iam::{id}:role/OrganizationAccountAccessRole',
'RoleSessionName': id
}
credentials = client.assume_role(**role_info)
member_session = boto3.session.Session(
aws_access_key_id=credentials['Credentials']['AccessKeyId'],
aws_secret_access_key=credentials['Credentials']['SecretAccessKey'],
aws_session_token=credentials['Credentials']['SessionToken'],
region_name='us-east-1'
)
However please note, that the role specified OrganizationAccountAccessRole needs to actually be present in every account, and your user in the master account needs to have the privileges to assume this role.
Once your prerequisites are setup, you will be iterating through every account, and in each account using member_session to access boto3 resources in that account.
I have deployed the ADempiere in a server and provide the jnlp based client installation to the users in the network. How can I find out the users accessing the server at a time. Is there any audit option or cange log features.
When a client accessing the server, it marks as
12:52:37,547 INFO [[/admin]] Request: /admin/adempiere.jnlp
12:52:37,555 INFO [[/admin]] User-Agent: JNLP/6.0 javaws/1.6.0_30
(b12) Java/1.6.0_30 12:52:37,565 INFO [[/admin]] Resource returned:/adempiere.jnlp
How can I identify the users accessing the service?
Thanks in advance.
By Querying the AD_Session Table, you can get the no of users logged into the system.
You will get active/inactive connections based on the processed column.
For getting active users in the system :-
SELECT AD_Org_ID, AD_Role_ID, remote_addr, remote_host, processed, logindate,
created as "login date with time", createdby As AD_User_ID FROM AD_Session
WHERE Processed='N' AND logindate > current_date-1;
(you can update the above sql as your wish)
use this Query for update Session in
update AD_Session set Processed='Y' where HERE Processed='N' AND logindate > current_date-1;
First of all, a kind user named "leppie" tried to help me but I couldn't get the answer I am looking for and it's kind of an urgent matter.
I run a windows service in Windows 7 with LocalSystem account (Since this win service will be installed many computers remotely and silently, I guess I need to use LocalSystem in ServiceInstaller.Designer.cs by the code below:
this.ProcessInstaller.Account = System.ServiceProcess.ServiceAccount.LocalSystem;
this.ProcessInstaller.Password = null;
this.ProcessInstaller.Username = null;
When I run this windows service the code below cannot get the currently logged in user's credentials (the users do not have admin privileges, not even myself).
using (DirectoryEntry de = new DirectoryEntry("LDAP://MyDomainName"))
{
using (DirectorySearcher adSearch = new DirectorySearcher(de))
{
adSearch.Filter = "(sAMAccountName=" + Environment.UserName + ")";
SearchResult adSearchResult = adSearch.FindOne();
UserInternalEmail = GetProperty(adSearchResult, "mail");
}
}
I have been suggested to run the WinService under a AD/LDAP/domain account, but which user could this be?
this.ProcessInstaller.Account = System.ServiceProcess.ServiceAccount.<User ? LocalService ? NetworkService>;
this.ProcessInstaller.Password = "adminpassword";
this.ProcessInstaller.Username = "adminusername";
I mean, lets say an ABC user is an admin and lets say I knew the password and username of this ABC admin, but when this admin changes the password, I think this will effect my winservice which will be running on 70 computers.
Is there a way to retrieve the user credentials on active directory? I would be really appreciated if you provide me some code samples..
Thank you very very much,
The problem is that Environment.UserName will always return the username of the service account under which the service is running, not the user logged into the machine.
See this question for information on how to get the names of users logged into the workstation. Keep in mind that Windows will allow multiple users to be logged in at the same time.