Connecting with different user to PDB in Oracle 12c - database-connection

Is it possible to access multiple PDBs with multiple users?
Consider the scenario:
I have two common users: c##a and c##b
and a PDB: PDBTEST
I am facing this problem:
When I connect with common user c##b, I am not able to see the table in PDBTEST created by logging in with c##a,
though I have assigned rights in PDBTEST for both users c##a and c##b.
For common user c##b, is there any other way I can access PDBTEST?
Steps I am following:
Connect as sysdba
1> Created two users c##a and c##b (container = ALL)
2> Common role granted with all privileges: c##role (container = ALL)
3> Assigned c##role to both users: c##a and c##b (container = ALL)
4> Created PDB: PDBTEST
Altered session and set container = PDBTEST
5> Granted c##role to both users: c##a and c##b inside PDBTEST
6> Connected with c##a (not as sysdba)
Altered session and set container = PDBTEST
7> Created table and inserted a record: TestTable
8> Connected with c##b (not as sysdba)
Altered session and set container = PDBTEST
I am not able to access table 'TestTable' after connecting with c##b.
Moreover, if I connect with c##a, I can access the inserted records.

You forgot to qualify the table name (you did not specify the schema name). This is no different than a non-pdb database. If you define a synonym, you can make this work.
In addition set container is only provided for administration purposes and should never be used for user access. For user access you should create a dedicated service.

Related

Block access for all the users in Apache Ranger

I think Apache Ranger does not support blocking all the users in a Policy using '*' simply.
Does Apache Ranger API provide any way to do this?
I can think of a way to first get all users using
curl -u <Username>:<Password> -X GET /service/xusers/users | jq '.vXUsers[].name'
And then put them in the below API to block all users
POST /service/public/v2/api/policy
Is there any way we can just use '*' on UI under Select User tab?
I think Apache Ranger does not support blocking all the users in a Policy using '*' simply.
You do not need to block the users all together, just create a policy and do not specify any access permissions for any users. Unless you specify the permissions explicitly, by default, all the users will be denied.
For example, if a policy has no allow conditions as below;
Then, you will get denied for all actions;
0: jdbc:hive2://node5.cluster.com:10000/> create table t (id int);
Error: Error while compiling statement: FAILED: HiveAccessControlException Permission denied: user [mapr] does not have [CREATE] privilege on [default/t] (state=42000,code=40000)
0: jdbc:hive2://node5.cluster.com:10000/>
When I specify an allow condition for a user to create a table as below;
Then, I can create a table;
0: jdbc:hive2://node5.cluster.com:10000/> create table t (id int);
INFO : OK
INFO : Concurrency mode is disabled, not creating a lock manager
No rows affected (0.687 seconds)
0: jdbc:hive2://node5.cluster.com:10000/>

Is it possible to implement EAP-MSCHAPv2 without Active Directory?

I would like to test 802.1X function for an Ethernet Switch (NAS).
I have a workstation (Windows 10) and an Ubuntu server: I want to test EAP-MSCHAPv2.
I see a tutorial to configure FreeRADIUS: https://wiki.freeradius.org/guide/FreeRADIUS-Active-Directory-Integration-HOWTO
The problem is I don't have a Windows server. Is it possible to test EAP-MSCHAPv2 without it? How do I configure FreeRADIUS? ... I just want to test a static configuration with one login+password.
Currently my FreeRADIUS works with EAP-MD5: I already created a user profile and NAS config.
You need to set the MS-CHAP-Use-NTLM-Auth attribute to No in the control list. The mschap module will then do the authentication internally, rather than trying to call out to AD.
This is documented more extensively in raddb/mods-available/mschap.
For example you could create a user bob with password test in the raddb/users file thus:
bob Cleartext-Password := "test", MS-CHAP-Use-NTLM-Auth := No
Note that this attribute must be in the control list, not in the reply list, so appears on the same line as the username.

Attempting to configure a user that gets Configuration-Token in reply

I have tried most of the configuration examples of user to return a Configuration-Token attribute. I need an example configuration and which file to place it in (e.g. user or user.conf).
I tried something like (in user.conf):
testing Cleartext-Password := "password"
reply: Configuration-Token="hello"
This caused freeradius to not run
Freeradius would not execute.

MQSeries Docker image: queue manager without authentication

How can I make the queue manager (which exists by default in the docker image) accept any connection without authentication?
I went through all the options in the web console (:9443/ibmmq/console/) and tried anything that I thought might have the effect I wanted, but couldn't find it.
TIA & BR,
Christian
Edit: here's the code I'm using to connect
JmsFactoryFactory ff = JmsFactoryFactory.getInstance(WMQConstants.WMQ_PROVIDER);
JmsConnectionFactory cf = ff.createConnectionFactory();
// Set the properties
cf.setStringProperty(WMQConstants.WMQ_HOST_NAME, HOST);
cf.setIntProperty(WMQConstants.WMQ_PORT, PORT);
cf.setStringProperty(WMQConstants.WMQ_CHANNEL, CHANNEL);
cf.setIntProperty(WMQConstants.WMQ_CONNECTION_MODE, WMQConstants.WMQ_CM_CLIENT);
cf.setStringProperty(WMQConstants.WMQ_QUEUE_MANAGER, QMGR);
cf.setStringProperty(WMQConstants.WMQ_APPLICATIONNAME, "JmsPutGet (JMS)");
//cf.setBooleanProperty(WMQConstants.USER_AUTHENTICATION_MQCSP, true);
//cf.setStringProperty(WMQConstants.USERID, APP_USER);
//cf.setStringProperty(WMQConstants.PASSWORD, APP_PASSWORD);
// Create JMS objects
context = cf.createContext();
----------edit------------
Error log after
removing "connection authentication" for the QM
setting the channel auth. record (under extended) to "As Queue Manager"
AMQ9557E: Queue Manager User ID initialization failed for '[my OS user]'.
EXPLANATION:
The call to initialize the User ID '[my OS user]' failed with CompCode 2 and
Reason 2035. If an MQCSP block was used, the User ID in the MQCSP block was ''.
ACTION:
Correct the error and try again.
If you are trying to disable the MQ Connection Authentication feature so that userid & passwords are not authenticated then you can do this by executing the following MQSC commands in runmqsc against the Queue Manager.
ALTER QMGR CONNAUTH(' ')
REFRESH SECURITY(*) TYPE(CONNAUTH)
Alternatively in the MQ web Console:
Select your queue manager in the Queue Manager widget
Click properties
Go to the Extended section and scroll down
Set the "Connection Authentication" attribute to a blank value
Click save and then close
Select your queue manager in the Queue Manager widget
Click the ... and select Refresh security from the drop down
"Select connection authentication"
Add widget: "Channel authentication records"
In this widget, select the entry for your channel, click properties under "Extended" set client connections to "As Queue Manager"
If required:
Select your QM in the "Queue Manager" widget, open properties (...), "refresh security...", "Connection authentication".
Make sure the default user name (in the standard docker installation, that's "app") is set in the channel properties under MCA (as sugg. by #JoshMc)
Run following mqsc commands to disable channel authentication in IBM MQ server:
ALTER QMGR CHLAUTH(DISABLED)
ALTER QMGR CONNAUTH(' ')
REFRESH SECURITY TYPE(CONNAUTH)
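
A defender-side check for the settings changed above, as an added example that is not part of the original answers: it parses runmqsc output for DISPLAY QMGR CONNAUTH CHLAUTH and reports a queue manager on which connection or channel authentication is switched off. The two sample outputs and the queue manager name QM1 are constructed for illustration.

```python
import re

# Constructed runmqsc output for DISPLAY QMGR CONNAUTH CHLAUTH after the
# ALTER QMGR commands above have been applied (QM1 is a placeholder name).
AUTH_OFF = """\
     1 : DISPLAY QMGR CONNAUTH CHLAUTH
AMQ8408I: Display Queue Manager details.
   QMNAME(QM1)                             CHLAUTH(DISABLED)
   CONNAUTH( )
"""

# Constructed output for a queue manager that still has both checks on.
AUTH_ON = """\
     1 : DISPLAY QMGR CONNAUTH CHLAUTH
AMQ8408I: Display Queue Manager details.
   QMNAME(QM1)                             CHLAUTH(ENABLED)
   CONNAUTH(SYSTEM.DEFAULT.AUTHINFO.IDPWOS)
"""

ATTR = re.compile(r"\b([A-Z][A-Z0-9]*)\(([^)]*)\)")
ECHO = re.compile(r"^\s*\d+ : ")  # runmqsc echoes each command it reads


def parse_attrs(output):
    """Return {NAME: value} for the NAME(value) pairs in MQSC display output."""
    attrs = {}
    for line in output.splitlines():
        if ECHO.match(line) or line.startswith("AMQ"):
            continue  # skip the command echo and AMQ message lines
        for name, value in ATTR.findall(line):
            attrs[name] = value.strip()
    return attrs


def audit_qmgr(output):
    """List findings for a queue manager that accepts unauthenticated clients."""
    attrs = parse_attrs(output)
    qmgr = attrs.get("QMNAME", "?")
    findings = []
    # A missing attribute is treated like a blank one, so the check fails closed.
    if attrs.get("CONNAUTH", "") == "":
        findings.append(f"{qmgr}: CONNAUTH is blank, user IDs and passwords are not checked")
    if attrs.get("CHLAUTH") != "ENABLED":
        findings.append(f"{qmgr}: CHLAUTH is not ENABLED, channel authentication records are ignored")
    return findings


if __name__ == "__main__":
    for sample in (AUTH_OFF, AUTH_ON):
        print(audit_qmgr(sample) or "authentication settings present")
```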

FreeRADIUS - how to create a profile for two different NAS

How can I create a profile for two different NAS (Cisco & MikroTik) with different attributes?
I don't know if there is a way to make an if statement depend on the IP of the NAS or not.
For more explanation:
I use daloRADIUS to manage FreeRADIUS. I can't manage the speed, because now I have, for example, a 10M profile with the attribute Cisco-AVPair=ip:sub-qos-policy-in=10Mbps, but on MikroTik it is different: it uses Mikrotik-Rate-Limit=10M. So I need one profile that handles both: if the user connects to the Cisco it will use its policy map, and when he connects to the MikroTik it uses the other attribute.
You can define arbitrary attributes associated with a NAS in clients.conf
For example:
client 192.168.0.1 {
    secret = testing123
    my_attribute = 'foo'
}
Then access them with the %{client:<attribute>} xlat.
authorize {
    update reply {
        Reply-Message := "User connecting to NAS with attribute %{client:my_attribute}"
    }
}
This is significantly more efficient than huntgroups or the other grouping mechanisms.
