Apache Ranger : 1.2
Hive : 2.3.3
Ranger policy-A : AD Group-1 has access to both DB-1 & DB-2
Ranger policy-B : AD Group-2 has access to only DB-2
When user1, who belongs to Group-1, executes "SHOW DATABASES;",
he can see the list of databases.
But when user2, who belongs to Group-2, does the same, he gets the error below:
HiveAccessControlException Permission denied: user [user2] does not have [USE] privilage on [*]
Is this expected behavior?
I was expecting user2 to be able to see only the databases he has access to when he executes "SHOW DATABASES".
I think Apache Ranger does not support blocking all the users in a policy simply by using '*'.
Does Apache Ranger API provide any way to do this?
I can think of a way: first get all users using
curl -u <Username>:<Password> -X GET /service/xusers/users | jq '.vXUsers[].name'
and then put them in the API below to block all users:
POST /service/public/v2/api/policy
Is there any way we can just use '*' in the UI under the Select User tab?
You do not need to block the users altogether; just create a policy and do not specify any access permissions for any users. Unless you specify the permissions explicitly, all users are denied by default.
For example, if a policy has no allow conditions, as below:
Then you will get denied for all actions:
0: jdbc:hive2://node5.cluster.com:10000/> create table t (id int);
Error: Error while compiling statement: FAILED: HiveAccessControlException Permission denied: user [mapr] does not have [CREATE] privilege on [default/t] (state=42000,code=40000)
0: jdbc:hive2://node5.cluster.com:10000/>
When I specify an allow condition for a user to create a table, as below:
Then I can create a table:
0: jdbc:hive2://node5.cluster.com:10000/> create table t (id int);
INFO : OK
INFO : Concurrency mode is disabled, not creating a lock manager
No rows affected (0.687 seconds)
0: jdbc:hive2://node5.cluster.com:10000/>
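As an added illustration of the answer's approach (not code from the answer or from the Ranger project), the Python below builds the policy body one would send to the POST /service/public/v2/api/policy endpoint named in the question with no allow items at all, plus a small local model of the resulting default-deny rule. The field names follow the Ranger public v2 policy JSON; the service name and users are constructed, and is_allowed() is a deliberately simplified model (no deny items, exceptions, resource matching or other policies), not Ranger's evaluator.

```python
import json


def deny_by_default_policy(service, name, database="*", table="*", column="*"):
    """Policy body for POST /service/public/v2/api/policy that covers the
    resource but carries no allow items: nobody is granted anything."""
    def res(value):
        return {"values": [value], "isExcludes": False, "isRecursive": False}
    return {
        "service": service,          # constructed service name in the demo
        "name": name,
        "isEnabled": True,
        "resources": {"database": res(database), "table": res(table),
                      "column": res(column)},
        "policyItems": [],           # no allow conditions at all
        "denyPolicyItems": [],
        "allowExceptions": [],
        "denyExceptions": [],
    }


def allow_item(users, groups, accesses):
    """One allow item, e.g. allow_item(["mapr"], [], ["create"])."""
    return {"users": list(users), "groups": list(groups),
            "accesses": [{"type": a, "isAllowed": True} for a in accesses],
            "delegateAdmin": False}


def is_allowed(policy, user, groups, access):
    """Simplified model of the rule the answer relies on: an access is granted
    only when an explicit allow item names the user or one of their groups
    (the built-in 'public' group matches everyone). Everything else is denied."""
    for item in policy.get("policyItems", []):
        if user in item["users"] or set(groups) & set(item["groups"]) \
                or "public" in item["groups"]:
            if any(a["type"] == access and a["isAllowed"] for a in item["accesses"]):
                return True
    return False


if __name__ == "__main__":
    policy = deny_by_default_policy("cl1_hive", "default-db-no-allow", database="default")
    print(json.dumps(policy, indent=2))
    print("mapr create:", is_allowed(policy, "mapr", [], "create"))   # False
    policy["policyItems"].append(allow_item(["mapr"], [], ["create"]))
    print("mapr create:", is_allowed(policy, "mapr", [], "create"))   # True
```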
This question is about Jenkins LDAP root DN & Display Name LDAP attribute
Environment:-
Jenkins Version - 2.235.5(LTS)
LDAP Plugin - 1.24
I am trying to configure LDAP (AD) authentication in our Jenkins. Below are the configuration settings.
root DN - DC=Company,DC=domain,DC=com
User search base: OU=Users,OU=Division,OU=Team,DC=Company,DC=domain,DC=com
User search filter: sAMAccountName={0}
Group search base: OU=Users,OU=Division,OU=Team,DC=Company,DC=domain,DC=com
Group search filter: (&(objectclass=group)(cn={0}))
Group membership
Group membership filter - (&(objectCategory=group)(member:1.2.840.113556.1.4.1941:={0}))
Manager DN: CN=jenkins,OU=Users,OU=Division,OU=Team,DC=Company,DC=domain,DC=com
Manager Password: password
Display Name LDAP attribute: displayname
Email Address LDAP attribute: mail
But while testing the LDAP connection, it fails with the error below.
Login
Authentication: failed for user "jenkins-user"
Lookup
User lookup: failed for user "jenkins-user"
LdapCallback;[LDAP: error code 32 - 0000208D: NameErr: DSID-03100241, problem 2001 (NO_OBJECT), data 0, best match of:
'DC=domain,DC=com'
]; nested exception is javax.naming.NameNotFoundException: [LDAP: error code 32 - 0000208D: NameErr: DSID-03100241, problem 2001 (NO_OBJECT), data 0, best match of:
'DC=domain,DC=com'
]; remaining name 'OU=Users,OU=Division,OU=Team,DC=Company,DC=domain,DC=com'
LDAP Group lookup: could not verify.
Please try with a user that is a member of at least one LDAP group.
Lockout
The user "jenkins-user" will be unable to login with the supplied password.
If this is your own account this would mean you would be locked out!
Are you sure you want to save this configuration?
If I keep the root DN empty and tick "Allow blank rootDN", my test connection succeeds.
But I would like to know: currently I am running with the root DN empty and "Allow blank rootDN" enabled in the plugin section. Is this fine for a production environment?
Also, for the logged-in users, the display name is shown as below, which is too lengthy.
First-Name/Sur-Name/Team-Name/Location/Title/Company-Name
I would like to display only First-Name + Sur-Name. For this I tried to change Display Name LDAP attribute to name, givenName, cn and sn, but none of them worked. So is it possible to display only First-Name + Sur-Name in Jenkins?
I have fixed it. Each time we change/update the Display Name LDAP attribute value in the LDAP configuration section, we need to delete the user from the People category and log in again. After that it displays the configured settings.
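The error code 32 output in the question says the directory could resolve 'DC=domain,DC=com' but not the rest of the configured DN (NO_OBJECT, best match of 'DC=domain,DC=com'). The Python below is an added example, not code from the question or from the Jenkins LDAP plugin: it walks a DN from the leaf towards the root and reports the deepest suffix that exists and the first RDN that does not, which is the check to run before saving a root DN or search base. The directory contents are constructed; in practice exists() would be a base-scope search against the server.

```python
"""Find the first RDN of a configured LDAP DN that the directory does not have,
i.e. the component behind an 'error code 32 / NO_OBJECT' failure."""


def diagnose_dn(dn, exists):
    """exists(dn) -> bool stands in for a base-scope search (e.g.
    ldapsearch -s base -b "<dn>"). Strips RDNs from the left until a suffix
    resolves and returns (best_match, first_missing_rdn). first_missing_rdn
    is None when the whole DN resolves; best_match is None when nothing does.
    Plain comma split: escaped commas inside RDN values are not handled."""
    rdns = [r.strip() for r in dn.split(",") if r.strip()]
    for i in range(len(rdns)):
        suffix = ",".join(rdns[i:])
        if exists(suffix):
            missing = rdns[i - 1] if i > 0 else None
            return suffix, missing
    return None, (rdns[-1] if rdns else None)


# Constructed stand-in for the directory: the entries that exist, normalised
# (lower-cased, no spaces). Note there is no DC=Company level in this tree.
_KNOWN_ENTRIES = {
    "dc=domain,dc=com",
    "ou=team,dc=domain,dc=com",
    "ou=division,ou=team,dc=domain,dc=com",
    "ou=users,ou=division,ou=team,dc=domain,dc=com",
}


def directory_exists(dn):
    """Base-scope lookup against the constructed directory above."""
    return dn.replace(" ", "").lower() in _KNOWN_ENTRIES


# The search base from the question's configuration.
CONFIGURED_BASE = "OU=Users,OU=Division,OU=Team,DC=Company,DC=domain,DC=com"

if __name__ == "__main__":
    best, missing = diagnose_dn(CONFIGURED_BASE, directory_exists)
    # prints: best match 'DC=domain,DC=com', first missing RDN 'DC=Company'
    print(f"best match {best!r}, first missing RDN {missing!r}")
```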
I have deployed ADempiere on a server and provide a JNLP-based client installation to the users in the network. How can I find out which users are accessing the server at a given time? Is there any audit option or change log feature?
When a client accesses the server, it logs:
12:52:37,547 INFO [[/admin]] Request: /admin/adempiere.jnlp
12:52:37,555 INFO [[/admin]] User-Agent: JNLP/6.0 javaws/1.6.0_30
(b12) Java/1.6.0_30 12:52:37,565 INFO [[/admin]] Resource returned:/adempiere.jnlp
How can I identify the users accessing the service?
Thanks in advance.
By querying the AD_Session table, you can get the number of users logged into the system.
You will get active/inactive connections based on the Processed column.
For getting the active users in the system:
SELECT AD_Org_ID, AD_Role_ID, remote_addr, remote_host, processed, logindate,
created as "login date with time", createdby As AD_User_ID FROM AD_Session
WHERE Processed='N' AND logindate > current_date-1;
(You can adapt the above SQL as you wish.)
Use this query to update the sessions:
UPDATE AD_Session SET Processed='Y' WHERE Processed='N' AND logindate > current_date-1;
Is it possible to access multiple PDBs with multiple users?
Consider the scenario:
I have two common users: c##a and c##b
and a PDB: PDBTEST
I am facing a problem:
When I connect as common user c##b, I am not able to see the table in PDBTEST created by c##a,
though I have assigned rights in PDBTEST to both users c##a and c##b.
For common user c##b, is there any other way I can access PDBTEST?
Steps I am following:
Connect as sysdba
1> Created two users c##a and c##b (container = ALL)
2> Created a common role with all privileges: c##role (container = ALL)
3> Assigned c##role to both users c##a and c##b (container = ALL)
4> Created PDB : PDBTEST
Altered session and set container = PDBTEST
5> Granted c##role to both users c##a and c##b inside PDBTEST
6> Connected with c##a (not as sysdba)
Altered session and set container = PDBTEST
7> Created table TestTable and inserted a record
8> Connected with c##b (not as sysdba)
Altered session and set container = PDBTEST
I am not able to access table 'TestTable' after connecting with c##b.
Moreover, if I connect with c##a, I can access the inserted records.
You forgot to qualify the table name (you did not specify the schema name). This is no different from a non-PDB database. If you define a synonym, you can make this work.
In addition, set container is only provided for administration purposes and should never be used for user access. For user access you should create a dedicated service.
I'm trying to access a shared mailbox in Exchange using IMAP, but I don't want to store the password in the app, so I gave NTLM authentication a try.
I was able to do the authentication using the SSPI framework API, but now I'm struggling to select the shared inbox.
Using the "basic" authentication I know I could do:
a LOGIN domain/username/mailboxalias username_password //a OK LOGIN completed.
b select inbox //...\r\nb OK [READ-WRITE] SELECT completed."
And that does work fine, but I don't want to store the password in my app, so I'm using NTLM auth (connecting to exchangeserver1.domain.com, where the mailboxalias is stored):
a AUTHENTICATE NTLM // +
<type_1_msg> // + <type_2_msg>
<type_3_msg> // a OK [REFERRAL imap://;AUTH=*#exchangeServer2.domain.com/] AUTHENTICATE completed.
b select inbox // b NO [REFERRAL imap://;AUTH=*#exchangeServer2.domain.com/inbox] There is no replica for that mailbox on this server."
c select mailboxalias //c NO There is no replica for that mailbox on this server.
d select mailboxalias/inbox //d NO There is no replica for that mailbox on this server.
e select inbox/mailboxalias //e NO There is no replica for that mailbox on this server.
The current context user's mailbox is stored on exchangeserver2 but the shared mailbox is on exchangeserver1; that's why with NTLM you see the REFERRAL piece, but in both scenarios above I'm connecting to exchangeserver1.
I tried several variations of the select command with the mailbox alias and 'inbox', but none worked. I do have access to the mailbox: I'm its owner and I can access it from Outlook (but I believe it uses MAPI) and with 'basic authentication'.
After the authentication, how can I select the shared mailbox's inbox?
I'm using the following AcquireCredentialsHandle call to generate the NTLM type 1 message:
AcquireCredentialsHandle (null, "NTLM", 2, 0, 0, 0, 0, ref phCredential, ref ptsExpiry)
I even tried changing the first parameter (which would be the username) from null (the current context user) to "domain/username/mailbox", but it didn't work.
Thanks :)
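Every NTLM reply quoted above carries a REFERRAL response code pointing the client at exchangeServer2, which is the RFC 2221/2193 way for a server to say the mailbox lives elsewhere; a client has to parse those codes before it can decide where to reconnect. The Python below is an added example, not code from the question or from Exchange: it parses tagged IMAP responses and the imap:// URL inside a REFERRAL code. The sample replies are constructed copies of the ones quoted in the question; RFC 2192 writes the URL with '@' before the host, the quoted replies show '#', so the parser accepts both.

```python
import re

# Tagged IMAP response: tag, status, optional [response code], free text.
_RESPONSE = re.compile(
    r"^(?P<tag>\S+)\s+(?P<status>OK|NO|BAD)(?:\s+\[(?P<code>[^\]]*)\])?\s*(?P<text>.*)$",
    re.IGNORECASE)
# imap://[user][;AUTH=mech]@host[:port]/mailbox (RFC 2192); '#' is accepted in
# place of '@' because that is what the replies quoted in the question contain.
_IMAP_URL = re.compile(
    r"^imap://(?:(?P<userinfo>[^@#/]*)[@#])?(?P<host>[^/:]+)(?::(?P<port>\d+))?"
    r"(?:/(?P<mailbox>.*))?$", re.IGNORECASE)


def parse_imap_url(url):
    """Split an imap:// referral URL into host, port, user, auth mechanism and mailbox."""
    m = _IMAP_URL.match(url)
    if not m:
        raise ValueError(f"not an IMAP URL: {url!r}")
    userinfo = m.group("userinfo") or ""
    user, auth = userinfo, None
    idx = userinfo.lower().find(";auth=")
    if idx >= 0:                       # ';AUTH=*' means 'any mechanism'
        user, auth = userinfo[:idx], userinfo[idx + len(";auth="):]
    return {"host": m.group("host"),
            "port": int(m.group("port")) if m.group("port") else 143,
            "user": user or None, "auth": auth,
            "mailbox": m.group("mailbox") or ""}


def parse_imap_response(line):
    """Parse one tagged server reply; 'referral' is set when a REFERRAL code is present."""
    m = _RESPONSE.match(line.strip())
    if not m:
        raise ValueError(f"not a tagged response: {line!r}")
    code = m.group("code")
    referral = None
    if code and code.lower().startswith("referral "):
        referral = parse_imap_url(code.split(None, 1)[1])
    return {"tag": m.group("tag"), "status": m.group("status").upper(),
            "code": code, "referral": referral, "text": m.group("text")}


# Constructed copies of the server replies quoted in the question.
SAMPLE_REPLIES = [
    "a OK [REFERRAL imap://;AUTH=*#exchangeServer2.domain.com/] AUTHENTICATE completed.",
    "b NO [REFERRAL imap://;AUTH=*#exchangeServer2.domain.com/inbox] There is no replica for that mailbox on this server.",
    "c NO There is no replica for that mailbox on this server.",
]


def referral_targets(lines):
    """(tag, host, mailbox) for every reply that redirects the client elsewhere."""
    parsed = (parse_imap_response(l) for l in lines)
    return [(r["tag"], r["referral"]["host"], r["referral"]["mailbox"])
            for r in parsed if r["referral"]]
```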