Is there a way to manually create the role and put it in serverless.yml? The thing is, we are not given the "iam:CreateRole" permission in our iam user because of their security policy.
Your serverless.yml can use an already existing IAM role.
You can set it at the provider level:
provider:
role: <role ARN>
Or at role level:
functions:
myFunction:
role: <role ARN>
Related
We are trying to set a shinyproxy server with ldap security.
In the shinyproxy.yml the ldap configuration is set as:
ldap:
url: ldap://ourIP:389/dc=ourdomain,dc=com
manager-dn: cn=admin,dc=ourdomain,dc=com
manager-password: ++++++++
group-search-base: ou=Groups
group-search-filter: (|(cn=admingroup)(cn=nonadmingroup))
user-search-base: ou=People
user-search-filter: uid={0}
But with this configuration filters in the .yml like admin-groups, or access-groups in every app doesn´t seem to work. Having all users all permissions.
How should we set it so the filters work?
We needed to make the group filter dependent on the userpass entry.
First, to be able to relate user and group, in our OpenLDAP server, instead of adding the user to the group as primary group (sharing the gidNumber), we needed to add it to another primary group, and then to the intended group (adding the attribute "memberUid" in it).
Finally specifying the group filter as:
group-search-filter: (&(objectClass=posixGroup)(memberUid={1}))
what I am trying to do:
I have an app that takes in login credentials: username and password for a user. I have a rest api that internally calls the keycloak REST API: /auth/realms/realmname/protocol/openid-connect/token
and gets the access token for this user.
Now I am building another REST API to access a resource where I want to do the following:
doSomething(accesstoken, data)
{
a) call keycloak API to validate access token and get roles.
b) if role == manager, process(data)
c) else: return error msg.
}
Now, how do I do (a): validating the access token and getting the roles associated with it.
I know we can do: auth/realms/realmname/protocol/openid-connect/userinfo
but that only gives the details about the user like name, email, etc. but does not display any roles.
Here's an example I got:
{
"name": "test user",
"sub": "e2bad34d-a1a9-4d70-ac84-bd3a3246023e",
"email_verified": false,
"preferred_username": "user",
"given_name": "test",
"family_name": "user"
}
As seen, it doesnt give the roles at all. How do I then tell what roles this access token has? Interestingly, when I search for this, many resources are suggesting the above userinfo endpoint. But this merely tells me taht the access token I provided is valid. Does not give roles for that.
In other words - it authenticates but does not authorize.
Please suggest.
Thanks,
Anand
In Keycloak admin Console, you can configure Mappers under your client. Add a builtin Mapper of type "User Realm Role", then open its configuration e.g. change Token Claim Name if you want.
Client roles can be configured similarly, but they are returned by default in the token under the name resource_access.${client_id}.roles
The the client side you can parse the token to find the roles. E.g. In an angular application and using the keycloak-angular adapter, you can have a the token as a json object by calling keycloak.getKeycloakInstance().tokenParsed.
In a spring boot application and using the Keycloak java api, you can find the roles under the field "otherClaim" in the following class
https://www.keycloak.org/docs-api/10.0/javadocs/org/keycloak/representations/AccessTokenResponse.html
In both representations you will find the roles under the "Token Claim Name" defined in the client mapper configuration
Additionally, if the full scope is not allowed then you need to add the relevant roles to the scope, so they can appear in the token.
After adding role in the roles section , need to move available roles into the Assigned Roles of the scope tab of the respective client section.
I have a module that can be accessed only by admin, except for a single action that can be accessed by all authenticated users.
Is there a way to reset the credential for that single action? I tried to use null but still get 403 Error. Is listing all actions in security.yml the only solution?
default:
credentials: [ admin ]
public:
credentials: null
Have you try to set en empty array or credential ?
public:
credentials: [ ]
Yes, you'll have to list all of the actions if you want fine grained control on who has access to what.
Or, another way (albeit ugly) is to set the action, which doesn't require any credentials, to is_secure : false and then check if they're authenticated through the action in the controller.
Also, if you want to do by using credentials, then you should set every user to have a default credential. i.e. with a credential called 'user'
Out of interest: how many actions do you have for this module?
EDIT: Also, what happens if you use a ~ instead of null?
You have to write all allowed credentials inside the public action if you want to have it accesible for logged users with all credentials (sf1.4 ad reference)
.. or you can open the action to the whole world:
default:
is_secure: true
myPublicAction:
is_secure: false
is possible to deny a credential in security.yml?
For example:
default:
is_secure: true
credentials: admin
(i want that user have not the admin credential)
No, it is not possible. All you can do is add all the other credentials to the security file with a OR connector or add some php code in the actions.class.php.
Your best option is extending the sfBasicSecurityUser class, overriding the hasCredential() method to handle it (for example by adding a ! before the given credential). This is what the security filter uses to check if the user may access the requested action.
Then edit your app's myUser class to extend this new class, and voila.
I am trying to fully understand how the credentials/permissions system works in symfony(1.4)
I have 2 groups and 2 users.
User 1 has the following permissions:
Add.Car, Delete.Car
User 2 has the following permissions:
Add.Bike, Delete.Bike
Now what I want to do, is only allow users with the Add.x permissions to be able to add to a category table.
The problem is, that If I have:
credentials: [Add.Car, Add.Bike] - it seems to look for users with BOTH of these, not either of them.
Is this how the credentials work and If so, is there a way to check if the user has either Add.Bike OR Add.Car before allowing them to create new records?
Thanks
Wrap the credentials in [ ]
credentials: [[Add.Car, Add.Bike]]
see http://www.symfony-project.org/jobeet/1_4/Doctrine/en/13 'Complex Credentials' section