I'm setting up user authentication on MongoDB and would like my Rails app to still be able to communicate with the DB.
I have the configuration set properly as far as I know, but get the error: Not authorized on <db> to execute command { distinct: "<collection>", key: "<field_name>", query: {} }
Currently I am using 'webUser' with readWrite privileges.
What MongoDB privilege do I need to grant the web user to run this query?
By the way, I do have auth_source, username, password, and roles declared properly in mongoid.yml.
Thanks in advance!
Update - screenshot of db users:
How do I configure a PSQL v11.4 user that is not the superuser and does not own the database?
This user should have full access to create SQL objects and drop them, even
though it does not own the database, so it cannot drop the database.
All SQL/database objects exist on the PUBLIC schema.
So far I have tried:
CREATE USER app_user WITH ENCRYPTED PASSWORD 'foo_bar';
ALTER USER app_user NOCREATEDB NOCREATEROLE;
ALTER USER app_user VALID UNTIL 'infinity';
GRANT ALL PRIVILEGES ON DATABASE database TO app_user;
When running Rails migrations I get the following error:
remote: PG::InsufficientPrivilege: ERROR: permission denied for table schema_migrations
It seems the PostgreSQL best practice is to have a role with privileges
set, then make the user a member of that role. However, because everything
is on the public schema, all users/roles should have full access, right? However,
this line in the docs is throwing me off:
"The right to drop an object, or to alter its definition in any way, is not treated as a grantable privilege; it is inherent in the owner, and cannot be granted or revoked. (However, a similar effect can be obtained by granting or revoking membership in the role that owns the object; see below.) The owner implicitly has all grant options for the object, too."
from: https://www.postgresql.org/docs/11/sql-grant.html
Also, because the database is being restored via the sudo user, objects
will be owned by the sudo user; however, new objects could belong to
app_user. Is this an issue?
You need the CREATE privilege on the database, and you need to pg_dump (or pg_restore) with the -x and -O options, so that the restoring user becomes the object owner and no additional privileges are granted.
Some things, like certain extensions, event triggers or functions in untrusted languages (to name a few examples) require superuser rights to create them. Either avoid such objects or create them ahead of time and ignore the errors.
ddev has these default settings:
database: db
dbuser: db
password: db
I thought it should be possible to provide customized values for those (I know it doesn't make much sense, but still). I was looking for these settings in config.yaml, but no luck.
Is it possible to modify those credentials and add them to git?
You can change database credentials any time if it seems useful to you. You have full root on the MySQL database. So ddev mysql -uroot -proot will get you in there, where you can GRANT ALL on db.* to 'mynewuser'@'%' IDENTIFIED BY 'mynewpassword'; That will create a new user with full privileges on the 'db' database. But you can also create new databases and new users as much as you want. And if you want, you can change the password of the 'db' user. We try to make it as simple as possible for local dev... but if you want to make it more complicated, go for it!
There are a couple of items in the FAQ that may help as well - about multiple databases and database credentials.
If you remove the default credentials, of course, you have to change your CMS's settings files to credentials that will work.
I am trying to set up group authorizations using my IDP (Identity Provider) with the Jenkins instance I have.
For individual users, I have been able to set this up successfully by installing the SAML 2.0 plugin, sending the Service Provider Metadata to my IDP and completing a successful registration.
I am able to log in to my Jenkins successfully using my SAML credentials.
Furthermore, I am able to give users certain roles using the Role Strategy Plugin. I have defined roles like "Job Reader", "Job Admin", etc. and assigned those roles to individual users.
All of this is done.
But what I'm looking for is, rather than having to assign roles to users on the Jenkins layer, I want Jenkins to pull groups defined in my IDP and assign those groups to roles that I've defined, rather than me having to assign roles to individual users.
On my IDP side, I have created groups (I have a group ID) and assigned users to those groups. All I want to do is have my Jenkins read those group IDs. Is there some documentation I can follow?
Below are the steps I've done so far, with unsuccessful results.
In my IDP, I've created a group jenkins-reader and assigned a user to the group.
When I curl the data of the user, I can clearly see that my user P000002 is part of a particular group.
{
"uid": "P000002",
.
.
"companyGroups": [
"jenkins-reader"
],
.
.
. }
Now switching to Jenkins, I have the following config.
Under Manage Roles, I've configured Project Roles, creating a jenkins-reader role and assigning it Job Read permissions.
Under Assign Roles, I added the group jenkins-reader (same name as defined in the IDP) and assigned it the jenkins-reader role configured in the last step.
When I hit Apply and Save, I try to log in again and I get the ERROR
Access Denied
P000002 is missing the Overall/Read permission
Now I'm not sure whether I've missed something here or am taking the wrong approach to this. I've been following this doc.
I have a Rails application with Devise-like authentication and a lot of parts that depend on it. Now I want to add a chat between users using ejabberd (XMPP). I was searching the net and found that it's quite possible, but I can't understand how to do authorization in the ejabberd server. For example, a user logs in to the Rails app through the login page with one set of credentials; how do I implement the ejabberd login in this action? It would not be good to write something like "please enter your user password and your ejabberd password". The other way is to monkey-patch user registration so ejabberd uses the same password as the user in the database, and I would do the authorization in one action, but would that be good? And how long would the user stay online that way? Maybe I misunderstood something?
I've used a Rails extauth script like this https://github.com/geoiq/digitalgazette/blob/master/mods/chat/files/ejabberd-auth.rb and the ruby_bosh gem for my application.
So now ejabberd is using my app to authenticate users. At login (for example), the user's JID and password are used by ruby_bosh to create a session and get the jid, rid and sid, saving them to the session to use later in strophe.js.
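The external-auth protocol this answer relies on, as an added Ruby example (not the linked script and not ejabberd's or the project's own code): ejabberd writes each request to the script's stdin as a 2-byte big-endian length followed by a command such as `auth:User:Server:Password` or `isuser:User:Server`, and expects a 4-byte reply consisting of the length 2 and then 1 (success) or 0 (failure). The user table, the JIDs, and the salted PBKDF2-SHA256 scheme standing in for Devise's bcrypt digests are constructed assumptions; the design points a defender cares about are that the password is verified against the app's own digest (no second password store), the comparison is constant-time, unknown users cost the same as wrong passwords, colons inside passwords survive parsing, and account-changing operations from the XMPP side are refused.

```ruby
require 'openssl'
require 'securerandom'
require 'stringio'

# --- Constructed user table ---------------------------------------------------
# Stands in for the Rails users table. The hashing scheme (salted PBKDF2-SHA256)
# is an assumption for this example; a Devise app would check bcrypt digests.
PBKDF2_ITERATIONS = 50_000

def password_digest(password, salt)
  OpenSSL::PKCS5.pbkdf2_hmac(password, salt, PBKDF2_ITERATIONS, 32,
                             OpenSSL::Digest.new('SHA256'))
end

def build_users(plain)
  plain.each_with_object({}) do |(jid, password), table|
    salt = SecureRandom.random_bytes(16)
    table[jid] = { salt: salt, digest: password_digest(password, salt) }
  end
end

USERS = build_users(
  'alice@chat.example.com' => 'correct horse battery staple',
  'bob@chat.example.com'   => 'p:ss:word' # colons in passwords must survive parsing
)

# Used for unknown users so a failed lookup takes as long as a bad password.
DUMMY_RECORD = { salt: "\x00".b * 16, digest: "\x00".b * 32 }.freeze

# Constant-time comparison so response timing does not leak digest prefixes.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# --- Request handling ---------------------------------------------------------
# ejabberd sends "auth:User:Server:Password", "isuser:User:Server", and
# account-management operations (setpass, tryregister, removeuser, removeuser3).
# Splitting into at most four fields keeps any ':' inside the password intact.
def handle_command(line, users = USERS)
  op, user, server, password = line.split(':', 4)
  jid = "#{user}@#{server}"
  case op
  when 'auth'
    return false if password.nil?
    record = users.fetch(jid, DUMMY_RECORD)
    secure_compare(record[:digest], password_digest(password, record[:salt]))
  when 'isuser'
    users.key?(jid)
  else
    # Account changes stay with the Rails app; refuse them from the XMPP side.
    false
  end
end

# --- Wire framing -------------------------------------------------------------
# Each request is a 2-byte big-endian length followed by the command text.
def read_request(io)
  header = io.read(2)
  return nil if header.nil? || header.bytesize < 2
  io.read(header.unpack1('n'))
end

# Each reply is the 2-byte length 2, then a 2-byte result: 1 = ok, 0 = failure.
def encode_reply(ok)
  [2, ok ? 1 : 0].pack('nn')
end

# Serve until ejabberd closes the pipe. In the real script this is wired to
# $stdin/$stdout; ejabberd launches it via extauth_program and keeps it running.
def serve(input, output, users = USERS)
  while (line = read_request(input))
    output.write(encode_reply(handle_command(line, users)))
    output.flush
  end
end

# Offline round trip over StringIO with constructed requests; returns one
# boolean per request, decoded from the framed replies.
def demo_roundtrip(commands, users = USERS)
  input = StringIO.new(commands.map { |c| [c.bytesize].pack('n') + c.b }.join)
  output = StringIO.new
  serve(input, output, users)
  output.string.unpack('n*').each_slice(2).map { |_len, result| result == 1 }
end
```

In a deployed script the only change is `serve($stdin, $stdout)` with `$stdout.sync = true`, and `build_users` is replaced by a lookup against the real users table; everything ejabberd sees on the wire stays the same.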
Is anyone aware of any gems, tutorials, or solutions enabling a user to sign in to a website at one domain and automatically given access to other partner domains in the same session?
I have two rails apps running, let's call them App-A and App-B. App-A has a database associated with it, powering the registration and login at App-A.com. I'd now like to give all of those users with App-A.com accounts access to App-B.com, without making them reregister or manually login to App-B.com separately.
Thanks in advance for any help!
--Mark
You can set the same session_key in both apps. In App-A's environment.rb change the session_key, like this:
Rails::Initializer.run do |config|
...
config.action_controller.session = {
:session_key => '_portal_session',
:secret => '72bf006c18d459acf51836d2aea01e0afd0388f860fe4b07a9a57dedd25c631749ba9b65083a85af38bd539cc810e81f559e76d6426c5e77b6064f42e14f7415'
}
...
end
Do the same in App-B (remember to use the very same secret).
Now you have shared sessions. Let's say you use restful_authentication, which sets a session variable called user_id. When you authenticate in App-A it sets the user_id in the session. Now, in App-B you just have to verify whether user_id exists in the session.
This is the overall schema, you can elaborate more using this idea.
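As an added example (not the answer's code and not Rails' own implementation): a reduced model of what a cookie-based session shared through one secret gives you, in plain Ruby with HMAC-SHA256 and JSON in place of Rails' Marshal serializer. App-B can read App-A's user_id only because the signature verifies; a different secret or an edited cookie yields no session at all, which is exactly why the secret must be identical in both apps and must never be committed. The secret and user values are constructed. One caveat the answer leaves implicit: a browser only sends the cookie back to hosts under the cookie's domain, so this sharing works for hosts under one cookie domain (set via the session's :domain option), not for two unrelated registrable domains such as App-A.com and App-B.com.

```ruby
require 'openssl'
require 'json'

# Constructed secret; in the answer's setup it is the :secret value that both
# App-A and App-B must configure identically (and keep out of the repository).
SHARED_SECRET = 'constructed-shared-secret-replace-in-real-config'

def sign(payload, secret)
  OpenSSL::HMAC.hexdigest('SHA256', secret, payload)
end

# Constant-time comparison: a byte-by-byte early exit would leak the MAC.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# App-A, after a successful login: serialize the session hash and sign it.
# JSON is used here instead of Rails' Marshal so nothing executable is ever
# deserialized from a cookie. Base64 ('m0') contains no '-', so the '--'
# separator between payload and MAC is unambiguous.
def build_session_cookie(session, secret)
  payload = [JSON.generate(session)].pack('m0')
  "#{payload}--#{sign(payload, secret)}"
end

# App-B, on every request: verify the signature before reading anything.
# Returns the session hash, or nil when the cookie is malformed, edited, or
# was signed with a different secret.
def read_session_cookie(cookie, secret)
  payload, mac = cookie.to_s.split('--', 2)
  return nil if payload.nil? || mac.nil?
  return nil unless secure_compare(sign(payload, secret), mac)
  JSON.parse(payload.unpack1('m0'))
rescue ArgumentError, JSON::ParserError
  nil
end

# The check App-B's before_filter performs: is there a user_id in a session
# that App-A (same secret) actually signed?
def current_user_id(cookie, secret)
  session = read_session_cookie(cookie, secret)
  session && session['user_id']
end

# Simulates a client editing the session contents while keeping the old MAC;
# used to show that App-B rejects it.
def tampered_cookie(cookie, changes)
  payload, mac = cookie.split('--', 2)
  session = JSON.parse(payload.unpack1('m0')).merge(changes)
  "#{[JSON.generate(session)].pack('m0')}--#{mac}"
end
```

The same structure is why "remember to use the very same secret" matters: the secret is the only thing that lets App-B distinguish a session App-A issued from one a visitor typed into their cookie jar.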
If you want to create a single sign-on solution for your applications, then I recommend taking a look at RubyCAS. It can also be used to provide single sign-on for other non-Rails applications, and you can integrate authentication with LDAP or other authentication providers.