Icinga2 permissions for all LDAP users - icinga

I have an Icinga2 instance running with Active Directory as the authentication backend and Icinga Web 2 as the frontend.
The frontend permissions can be configured using the roles.ini in Icinga Web 2's config folder. This is what I have in there:
# roles.ini
[Users]
users = "*"
permissions = "module/monitoring"
As you can see, I want to give all authenticated users access to the monitoring module. I have no group that contains all users, so I cannot use a group for that.
This does not work. What is the correct syntax to give the permission to all users?
(Of course, using existing user names or group names does work, backend configuration therefore is correct.) Thank you very much in advance!

This feature was implemented in IcingaWeb2 version 2.5, see https://github.com/Icinga/icingaweb2/pull/3096. It's a very simple patch against AdmissionLoader.php, which you can also apply separately by hand:
commit f495b390da6eb257ca101889deb70ccc22bb99c7
Author: Eric Lippmann <eric.lippmann@icinga.com>
Date: Thu Nov 16 12:01:06 2017 +0100
Apply role to all users if the role is defined with users=*
If the users directive contains at least one single asterisk, the role is applied to all users.
So, this supports roles which define users=username, ..., * and users=*
refs #3095
diff --git a/library/Icinga/Authentication/AdmissionLoader.php b/library/Icinga/Authentication/AdmissionLoader.php
index 0a80be127..8ee43dbfb 100644
--- a/library/Icinga/Authentication/AdmissionLoader.php
+++ b/library/Icinga/Authentication/AdmissionLoader.php
## -28,6 +28,9 ## class AdmissionLoader
$username = strtolower($username);
if (! empty($section->users)) {
$users = array_map('strtolower', StringHelper::trimSplit($section->users));
+ if (in_array('*', $users)) {
+ return true;
+ }
if (in_array($username, $users)) {
return true;
}
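Review bot: the new wildcard check returns before the per-user match, so any role whose `users` directive contains a bare `*` now applies to every authenticated user, whichever backend authenticated them; the roles.ini documentation and changelog should say so explicitly, since operators auditing existing configs may have used `*` without it having any effect before. The match is plain membership after trimSplit (`in_array('*', $users)`), so `*` is not a glob: an entry such as `svc*` still matches only a user literally named `svc*`, which is worth a comment on the added lines. Consider also emitting a debug log line when the wildcard branch grants the role, so broad grants are visible when reviewing who got which permissions.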

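To see what the `users = "*"` directive means in practice, here is an added example (my own code, not Icinga Web 2's) that parses a small constructed roles.ini, resolves a user's effective permissions with and without the 2.5 wildcard semantics, and lists the roles that every authenticated user receives. The INI contents beyond the `[Users]` role and the role-matching logic are assumptions modelled on the AdmissionLoader check.

```python
import configparser

# Constructed roles.ini for illustration; the page only shows the [Users] role.
ROLES_INI = """
[Users]
users = "*"
permissions = "module/monitoring"
[Admins]
users = "alice, bob"
groups = "Domain Admins"
permissions = "*"
[Ops]
users = "carol, *"
permissions = "module/monitoring, monitoring/command/schedule-check"
"""

def trim_split(value):
    """Like StringHelper::trimSplit: strip the INI quotes, split on commas, trim, drop empties."""
    return [p.strip() for p in value.strip().strip('"').split(",") if p.strip()]

def load_roles(text):
    """Parse roles.ini; user and group names are lowercased like AdmissionLoader does."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    roles = {}
    for name in cp.sections():
        sec = cp[name]
        roles[name] = {"users": [u.lower() for u in trim_split(sec.get("users", ""))],
                       "groups": [g.lower() for g in trim_split(sec.get("groups", ""))],
                       "permissions": trim_split(sec.get("permissions", ""))}
    return roles

def role_applies(role, username, groups=(), wildcard=True):
    """Mirror of the patched check; wildcard=False reproduces the pre-2.5 behaviour."""
    if wildcard and "*" in role["users"]:
        return True
    if username.lower() in role["users"]:
        return True
    return any(g.lower() in role["groups"] for g in groups)

def effective_permissions(roles, username, groups=(), wildcard=True):
    """Union of the permissions of every role that applies to the user."""
    perms = set()
    for role in roles.values():
        if role_applies(role, username, groups, wildcard):
            perms.update(role["permissions"])
    return sorted(perms)

def wildcard_roles(roles):
    """Audit helper: roles that every authenticated user receives after the 2.5 change."""
    return sorted(name for name, role in roles.items() if "*" in role["users"])
```

Before 2.5 a role with `users = "*"` matched only a user literally named `*`, which is why the original configuration had no effect.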
Related

Block access for all the users in Apache Ranger

I think Apache Ranger does not support blocking all the users in a policy by simply using '*'.
Does the Apache Ranger API provide any way to do this?
I can think of a way to first get all users using
curl -u <Username>:<Password> -X GET /service/xusers/users | jq '.vXUsers[].name'
and then put them in the below API to block all users:
POST /service/public/v2/api/policy
Is there any way we can just use '*' on the UI under the Select User tab?
You do not need to block the users altogether; just create a policy and do not specify any access permissions for any users. Unless you specify the permissions explicitly, by default all the users will be denied.
For example, if a policy has no allow conditions as below:
Then you will get denied for all actions:
0: jdbc:hive2://node5.cluster.com:10000/> create table t (id int);
Error: Error while compiling statement: FAILED: HiveAccessControlException Permission denied: user [mapr] does not have [CREATE] privilege on [default/t] (state=42000,code=40000)
0: jdbc:hive2://node5.cluster.com:10000/>
When I specify an allow condition for a user to create a table as below:
Then I can create a table:
0: jdbc:hive2://node5.cluster.com:10000/> create table t (id int);
INFO : OK
INFO : Concurrency mode is disabled, not creating a lock manager
No rows affected (0.687 seconds)
0: jdbc:hive2://node5.cluster.com:10000/>
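As an added illustration of the answer's point (my own code, not from the answer or from Ranger), the following builds the two policy bodies for `POST /service/public/v2/api/policy`, one with no allow conditions and one allowing `mapr` to create tables, and models the resulting decision. The `hivedev` service name and the RangerPolicy field layout are assumptions, and `is_allowed` is a deliberately simplified model that ignores groups, deny items and resource matching.

```python
import json

SERVICE = "hivedev"  # assumed Ranger Hive service name; replace with your own

def resource(values, recursive=False):
    return {"values": list(values), "isExcludes": False, "isRecursive": recursive}

def hive_policy(name, database, table, policy_items):
    """Body for POST /service/public/v2/api/policy (RangerPolicy field names assumed)."""
    return {
        "service": SERVICE,
        "name": name,
        "isEnabled": True,
        "isAuditEnabled": True,
        "resources": {"database": resource([database]), "table": resource([table]),
                      "column": resource(["*"])},
        "policyItems": policy_items,  # empty list == no allow conditions == everyone denied
    }

def allow_item(users, access_types):
    """One allow condition: the listed users get the listed access types."""
    return {"users": list(users), "groups": [], "delegateAdmin": False,
            "accesses": [{"type": t, "isAllowed": True} for t in access_types]}

def is_allowed(policy, user, access_type):
    """Simplified model: access needs an explicit allow item, otherwise deny."""
    if not policy["isEnabled"]:
        return False
    for item in policy["policyItems"]:
        if user in item["users"] and any(a["type"] == access_type and a["isAllowed"]
                                         for a in item["accesses"]):
            return True
    return False

# Constructed policies mirroring the beeline session above.
LOCKDOWN = hive_policy("default-db-lockdown", "default", "*", [])
MAPR_CREATE = hive_policy("default-db-mapr-create", "default", "*",
                          [allow_item(["mapr"], ["create"])])

if __name__ == "__main__":
    print(json.dumps(LOCKDOWN, indent=2))
```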

can't use log analytics workspace in a different subscription? terraform azurerm policy assignment

I'm using Terraform to write Azure policy as code.
I found two problems:
1. I can't seem to use a Log Analytics workspace that is in a different subscription; within the same subscription it's fine.
2. For policies that need a managed identity, I can't seem to assign the correct rights to it.
resource "azurerm_policy_assignment" "Enable_Azure_Monitor_for_VMs" {
  name                 = "Enable Azure Monitor for VMs"
  scope                = data.azurerm_subscription.current.id
  policy_definition_id = "/providers/Microsoft.Authorization/policySetDefinitions/55f3eceb-5573-4f18-9695-226972c6d74a"
  description          = "Enable Azure Monitor for the virtual machines (VMs) in the specified scope (management group, subscription or resource group). Takes Log Analytics workspace as parameter."
  display_name         = "Enable Azure Monitor for VMs"
  location             = var.location
  metadata = jsonencode(
    {
      "category" : "General"
    })
  parameters = jsonencode({
    "logAnalytics_1" : {
      "value" : var.log_analytics_workspace_ID
    }
  })
  identity {
    type = "SystemAssigned"
  }
}

resource "azurerm_role_assignment" "vm_policy_msi_assignment" {
  scope                = azurerm_policy_assignment.Enable_Azure_Monitor_for_VMs.scope
  role_definition_name = "Contributor"
  principal_id         = azurerm_policy_assignment.Enable_Azure_Monitor_for_VMs.identity[0].principal_id
}
For var.log_analytics_workspace_ID, if I use a workspace ID that is in the same subscription as the policy, it works fine. But if I use a workspace ID from a different subscription, after deployment the workspace field is blank.
Also, for
resource "azurerm_role_assignment" "vm_policy_msi_assignment"
I have already given myself the user access management role, but after deployment "This identity currently has the following permissions:" is still blank?
I got an answer to my own question :)
1. This is not something designed well in Azure, I reckon.
MS states "a Managed Identity (MSI) is created for each policy assignment that contains DeployIfNotExists effects in the definitions. The required permission for the target assignment scope is managed automatically. However, if the remediation tasks need to interact with resources outside of the assignment scope, you will need to manually configure the required permissions."
Which means the system-generated managed identity, which needs access to a Log Analytics workspace in another subscription, needs to be manually granted Log Analytics workspace contributor rights.
Also, since you can't use a user-generated managed identity, you can't pre-populate this.
So if you want to achieve this in Terraform, it seems you have to run the policy assignment twice: the first time just to get the ID, then manually (or via script) assign the permission, then run the policy assignment again to point to the resource.
2. The ID was actually given the Contributor rights; you just have to go into the subscription's RBAC to see it.

How to change notifications settings for new Sentry On-Premise users?

I am configuring a Sentry on-premise installation (using the default Docker image) with LDAP authentication, so any time a user logs in for the first time a Sentry user is created under the hood.
The default notification settings for these new users are pretty annoying, because the Workflow Notifications flag is set to Always, and ideally we'd like it to be Only On Issues I Subscribe To.
I know that each new user can go and update their settings by hand, but this is a largish corporation and I don't want to be directing every single person to change that when they get tired of receiving too many notifications and come asking me.
So in brief: is there any way to update the default notification settings for new Sentry users?
As a quick and dirty way to achieve this, I am applying this patch when building our custom Sentry on Premise Docker image, alongside the steps where we copy the config files.
diff --git a/src/sentry/api/endpoints/user_notification_details.py b/src/sentry/api/endpoints/user_notification_details.py
index a382b6b7e3..2edd21efc7 100644
--- a/src/sentry/api/endpoints/user_notification_details.py
+++ b/src/sentry/api/endpoints/user_notification_details.py
## -36,7 +36,7 ## USER_OPTION_SETTINGS = {
},
'workflowNotifications': {
'key': 'workflow:notifications',
- 'default': UserOptionValue.all_conversations, # '0'
+ 'default': UserOptionValue.participating_only, # '0'
'type': int,
}
}
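Review bot: the trailing comment `# '0'` on the added line was carried over from the removed line and now documents the old default (`all_conversations`) rather than `participating_only`; update it to the new value or drop it so the comment does not mislead the next reader. Since this patches vendor source at image build time, pin the Sentry revision it was made against (the diff header records `index a382b6b7e3..2edd21efc7`) and expect the hunk to need re-basing, or to apply silently in the wrong place, on upgrades; a build-time check that the patched line still reads as expected would catch that.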

Adding Basic Monitoring Package to Virtual Guest via API

Is it possible to add a monitoring package through the SoftLayer API? On the portal, I can go into the Monitoring section and order a "Monitoring Package - Basic", which will associate it with that Virtual Guest.
Is it possible to do this either during the placeOrder call or after the initial placeOrder call (i.e. if the customer wants to add Basic Monitoring after the server is provisioned)?
I tried to look into examples, but they all assumed that there was a monitoring agent available, which wasn't the case for me. I also looked into Going Further with SoftLayer part 3, but I'm not sure how to extract the Basic Monitoring package from the Product_Package service.
I'm using Python to do this, so any pointers on associating a Monitoring service during creation or after creation would be very helpful.
Thanks in advance!
try this:
"""
Order a Monitoring Package
Build a SoftLayer_Container_Product_Order_Monitoring_Package object for a new
monitoring order and pass it to the SoftLayer_Product_Order API service to order it
In this care we'll order a Basic (Hardware and OS) package with Basic Monitoring Package - Linux
configuration for more details see below
Important manual pages:
https://sldn.softlayer.com/reference/datatypes/SoftLayer_Container_Product_Order_Monitoring_Package
http://sldn.softlayer.com/reference/datatypes/SoftLayer_Product_Item_Price
http://sldn.softlayer.com/reference/services/SoftLayer_Product_Order/verifyOrder
http://sldn.softlayer.com/reference/services/SoftLayer_Product_Order/placeOrder
http://sldn.softlayer.com/reference/datatypes/SoftLayer_Monitoring_Agent_Configuration_Template_Group
License: http://sldn.softlayer.com/article/License
Author: SoftLayer Technologies, Inc. <sldn#softlayer.com>
"""
import SoftLayer
USERNAME = 'set me'
API_KEY = 'set me'
"""
Build a skeleton SoftLayer_Container_Product_Order_Monitoring_Package object
containing the order you wish to place.
"""
oderTemplate = {
'complexType': 'SoftLayer_Container_Product_Order_Monitoring_Package',
'packageId': 0, # the packageID for order monitoring packages is 0
'prices': [
{'id': 2302} # this is the price for Monitoring Package - Basic ((Hardware and OS))
],
'quantity': 0, # the quantity for order a service (in this case monitoring package) must be 0
'sendQuoteEmailFlag': True,
'useHourlyPricing': True,
'virtualGuests': [
{'id': 4906034} # the virtual guest ID where you want add the monitoring package
],
'configurationTemplateGroups': [
{'id': 3} # the templateID for the monitoring group (in this case Basic Monitoring package for Unix/Linux operating system.)
]
}
# Declare the API client to use the SoftLayer_Product_Order API service
client = SoftLayer.Client(username=USERNAME, api_key=API_KEY)
productOrderService = client['SoftLayer_Product_Order']
"""
verifyOrder() will check your order for errors. Replace this with a call to
placeOrder() when you're ready to order. Both calls return a receipt object
that you can use for your records.
Once your order is placed it'll go through SoftLayer's provisioning process.
"""
try:
order = productOrderService.verifyOrder(oderTemplate)
print(order)
except SoftLayer.SoftLayerAPIError as e:
print("Unable to verify the order! faultCode=%s, faultString=%s"
% (e.faultCode, e.faultString))
exit(1)
This is an example to create a network monitor:
"""
Create network monitoring
The script creates a monitoring network with Service ping
in a determinate IP address
Important manual pages
http://sldn.softlayer.com/reference/services/SoftLayer_Network_Monitor_Version1_Query_Host
http://sldn.softlayer.com/reference/datatypes/SoftLayer_Network_Monitor_Version1_Query_Host
License: http://sldn.softlayer.com/article/License
Author: SoftLayer Technologies, Inc. <sldn#softlayer.com>
"""
import SoftLayer.API
from pprint import pprint as pp
# Your SoftLayer API username and key.
USERNAME = 'set me'
API_KEY = 'set me'
# The ID of the server you wish to monitor
serverId = 7698842
"""
ID of the query type which can be found with SoftLayer_Network_Monitor_Version1_Query_Host_Stratum/getAllQueryTypes.
This example uses SERVICE PING: Test ping to address, will not fail on slow server response due to high latency or
high server load
"""
queryTypeId = 1
# IP address on the previously defined server to monitor
ipAddress = '10.104.50.118'
# Declare the API client
client = SoftLayer.Client(username=USERNAME, api_key=API_KEY)
networkMonitorVersion = client['SoftLayer_Network_Monitor_Version1_Query_Host']
# Define the SoftLayer_Network_Monitor_Version1_Query_Host templateObject.
newMonitor = {
'guestId': serverId,
'queryTypeId': queryTypeId,
'ipAddress': ipAddress
}
# Send the request for object creation and display the return value
try:
result = networkMonitorVersion.createObject(newMonitor)
pp(result)
except SoftLayer.SoftLayerAPIError as e:
print("Unable to create new network monitoring "
% (e.faultCode, e.faultString))
exit(1)
Regards
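The order script above hardcodes price id 2302; the question also asked how to find that value through the Product_Package service. Here is an added example (my own code, not the answer's or SoftLayer's) that filters a `SoftLayer_Product_Package::getItems` result for package 0 down to monitoring items and picks each item's standard price. The `monitoring_package` category code is an assumption to verify against your account, and the sample response is constructed with placeholder ids.

```python
MONITORING_CATEGORY = "monitoring_package"  # assumed category code; verify against your account's items
ITEM_MASK = "mask[id,keyName,description,itemCategory[categoryCode],prices[id,locationGroupId]]"

def fetch_package_items(client, package_id=0):
    """Live lookup against package 0 ('Additional Products'); needs a SoftLayer.Client."""
    return client["SoftLayer_Product_Package"].getItems(id=package_id, mask=ITEM_MASK)

def standard_price_id(item):
    """Items carry several prices; the one with no locationGroupId is the standard (non-regional) price."""
    for price in item.get("prices", []):
        if price.get("locationGroupId") is None:
            return price["id"]
    return None

def monitoring_prices(items):
    """Map keyName -> standard price id for every monitoring item in a getItems() result."""
    out = {}
    for item in items:
        category = (item.get("itemCategory") or {}).get("categoryCode")
        if category == MONITORING_CATEGORY:
            out[item["keyName"]] = standard_price_id(item)
    return out

# Constructed sample shaped like a getItems() response; ids are placeholders, not real price ids.
SAMPLE_ITEMS = [
    {"id": 1, "keyName": "MONITORING_PACKAGE_BASIC", "description": "Monitoring Package - Basic",
     "itemCategory": {"categoryCode": "monitoring_package"},
     "prices": [{"id": 9001, "locationGroupId": 503}, {"id": 9000, "locationGroupId": None}]},
    {"id": 2, "keyName": "MONITORING_PACKAGE_ADVANCED", "description": "Monitoring Package - Advanced",
     "itemCategory": {"categoryCode": "monitoring_package"},
     "prices": [{"id": 9100, "locationGroupId": None}]},
    {"id": 3, "keyName": "EVAULT_20_GB", "description": "EVault Backup 20 GB",
     "itemCategory": {"categoryCode": "evault"},
     "prices": [{"id": 9200, "locationGroupId": None}]},
]

if __name__ == "__main__":
    import SoftLayer
    client = SoftLayer.Client(username="set me", api_key="set me")
    print(monitoring_prices(fetch_package_items(client)))
```

The price id you get back is what goes into the `prices` list of the order template; regional prices (those with a locationGroupId) are only valid for the matching datacenter group.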

How to create system user in Sling?

How can I create a system user in Sling?
I tried searching but all I find is related to AEM, which I don't use. Is it possible to create the user using Jackrabbit API or Sling Initial Content (descriptor files)?
I tried to execute the following:
curl -u admin:admin -F:name=myuser -Fpwd=mypwd -FpwdConfirm=mypwd -Frep:principalName=myuser -Fjcr:primaryType=rep:SystemUser http://localhost:8080/home/users/system/*
But there is an error:
*ERROR* [127.0.0.1 [1465215465364] POST /home/users/system/* HTTP/1.1] org.apache.sling.servlets.post.impl.operations.ModifyOperation Exception during response processing.
javax.jcr.nodetype.ConstraintViolationException: Property is protected: rep:principalName = myuser
at org.apache.jackrabbit.oak.jcr.delegate.NodeDelegate.setProperty(NodeDelegate.java:525)
at org.apache.jackrabbit.oak.jcr.session.NodeImpl$35.perform(NodeImpl.java:1358)
at org.apache.jackrabbit.oak.jcr.session.NodeImpl$35.perform(NodeImpl.java:1346)
at org.apache.jackrabbit.oak.jcr.delegate.SessionDelegate.perform(SessionDelegate.java:209)
at org.apache.jackrabbit.oak.jcr.session.ItemImpl.perform(ItemImpl.java:112)
at org.apache.jackrabbit.oak.jcr.session.NodeImpl.internalSetProperty(NodeImpl.java:1346)
at org.apache.jackrabbit.oak.jcr.session.NodeImpl.setProperty(NodeImpl.java:432)
at org.apache.sling.servlets.post.impl.helper.SlingPropertyValueHandler.store(SlingPropertyValueHandler.java:592)
There is an out-of-the-box solution based on Sling and Jackrabbit Oak. It features a text-based DSL for setting up users and ACLs, for instance:
create service user bob,alice
set ACL on /libs,/apps
remove * for alice
allow jcr:read for bob
end
It is also possible to embed these instructions in the provisioning model used to build a Sling launchpad - assuming you're using the slingstart-maven-plugin.
The complete documentation can be found at Repository Initializers and Repository Initialization Language
Not sure this is possible through a POST request, per: https://mail-archives.apache.org/mod_mbox/sling-users/201512.mbox/%3CCAFMYLMb9Wiy+DYmacc5oT7YRWT1hth8j1XAAo_sKT8uq9HoFNw@mail.gmail.com%3E
The suggested solution is to use the Jackrabbit API to do this. This would look something like:
import org.apache.jackrabbit.api.JackrabbitSession;
import org.apache.jackrabbit.api.security.user.User;
import org.apache.jackrabbit.api.security.user.UserManager;

// get a user manager: Oak JCR sessions implement JackrabbitSession
UserManager userManager = ((JackrabbitSession) session).getUserManager();
try {
    // system users are created without a password; the second argument is the intermediate path
    User systemUser = userManager.createSystemUser("myuser", "/home/users/system");
} catch (Exception e) {
    log.error("Error adding user", e);
    throw e;
}
// commit changes
session.save();
It's very important to note that this doesn't allow you to set a password for this user, nor can one be set with user.changePassword() -- when I try that I get an error:
javax.jcr.UnsupportedRepositoryOperationException: system user
From the java doc:
Create a new system user for the specified userID. The new authorizable is required to have the following characteristics:
User.isSystemUser() returns true.
The system user doesn't have a password set and doesn't allow changing the password.
http://jackrabbit.apache.org/api/2.10/org/apache/jackrabbit/core/security/user/UserManagerImpl.html
Here's my whole activator class: https://gist.github.com/scrupulo/61b574c9aa1838da37d456012af5dd50
