Example Of Kogito User Service & Connector - bpmn

As far as I know, in Kogito a user task in BPMN requires an external user service and connector to supply user/group information. However, I can't find a suitable reference, example or document (or I can't understand how it works). Can anyone elaborate or provide a sample of how to use my own users/groups in the workflow approval?

In Kogito BPMN, you can use the Task User Service integrated with Keycloak to achieve what you're looking for. Have you tried what is described in this doc https://docs.jboss.org/kogito/release/latest/html_single/#proc-task-console-security_kogito-developing-process-services?

Related

Microsoft Graph - Planner API in a Service

I'm trying to make a little .core service to keep GitLab issues and a board on Microsoft Planner in sync.
The GitLab side isn't an issue; however, talking to the Planner side is proving problematic.
In Azure I have successfully added an App Registration and, using the delegated permissions, I can do what I need, BUT when it gets the access token, I get the old
To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code ******** to authenticate.
Which, as I'm trying to make this into a service, isn't great.
I then set up permissions as a daemon, but Planner doesn't allow access to 'Application Permissions', which Planner needs.
So is there another option?
Unfortunately Planner does not support Application Permissions. You can try to use a user account specifically created to act as your service as a workaround. There is currently no timeline for Planner supporting Application Permissions, however this is in our work backlog.
For example, if you create a new Planner plan, then it works only with delegated permissions. It's not exposed with application permissions so that you can use it in a daemon app. Unfortunately this is by design; in other words, it will work only with delegated permissions at this point.
Unfortunately it won't work that way, but you may want to give it a try. That being said, I would suggest you file a Microsoft UserVoice item or upvote an existing UserVoice item that talks about it, so that they can consider implementing it as a feature which supports application permissions.
Also, you can see above that @Tarkan confirmed the same and shared the insight that it's in their backlog too.

Dynamically fetching user credentials for authenticating with ADLS from a spark job

Is there a way I can fetch user credentials to authenticate with ADLS from within a Spark job? I am trying to write a library that can be used by users in their Spark jobs to read data, and I want to hide implementation details. Also, what would be the best way to get credentials for a user from within a Spark job?
You can't fetch user credentials. You'll either need to save the user login session (tokens) somewhere securely, or...
If you want to have your solution authenticate without any interaction from an end user, then using a service principal + a certificate or key is the right way to go. This means your application will log in as the service principal, rather than as a user, and that service principal will need permissions on the resources and data upon which your solution should operate.
Azure Active Directory is what you'll authenticate with in either case, and their documentation for their authentication libraries is located here. They have a REST API, SDKs in many languages, and I'm sure third-party libraries are also available, if your language of choice isn't covered yet.
I hope this helps!

Suggestion/Guidance to Implementing LDAP (Active Directory) authentication

Problem Statement:
I am trying to build a custom management system which would require authentication and authorization both.
The system needs to have capabilities to manage/create/update/delete users, roles, permissions and groups.
My Design Solution
I am planning to implement this in-house from scratch and would provide authentication and authorization as follows.
Authentication : user would provide their credentials and the system would authenticate if the user is valid or not.
Authorization: once the user is authenticated, based on the user groups and the permissions they could access the requested pages on the site.
Question:
Now, my question is: suppose I have this application built successfully and in future my application requires LDAP (Active Directory) authentication. Would it be possible to plug in LDAP-related features keeping my existing application intact, or would I have to rewrite the entire or most of the application using LDAP APIs?
I have had a look at Apache Shiro and Spring Security, which provide LDAP functionality, and they also provide capabilities to manage/create/update/delete users.
As of now I have not yet decided if I would go with either of them or write my own.
I would appreciate it if I could get a detailed response about how to go about things.
Note:
I am a complete newbie to LDAP so please excuse me if I have used some wrong terminology with regards to LDAP.
I would recommend NOT implementing this yourself; just integrate with an existing API.
Disclosure: I work for Stormpath (which provides exactly this) and on Apache Shiro.
Also, if your application needs to be backed by LDAP, most LDAP setups I've seen only support read operations when integrating with applications, so you may want to chat with your LDAP admin and see if your 'manage' user use case is viable.
Security is a serious domain, with lots and lots of hidden complications. I would definitely recommend against implementing this yourself. Since you mention Spring LDAP, I'm guessing you're in a Spring-based project. The obvious choice in such a setup would be the excellent Spring Security project.

Jenkins Authentication using IBM Tivoli Access Manager

I am considering integrating IBM's Tivoli Access Manager with Jenkins for user authentication. TAM uses something called a WebSeal to allow users to log in and then forwards the creds for that user in the HTTP header to the desired service. I am new to Jenkins and was wondering what would be the easiest approach to do this. I noticed that the existing OpenId plugin extends the FederatedLoginService currently present in Jenkins. Could something similar be done to integrate TAM? If not, where would I extend Jenkins to allow the extraction of the creds from the header provided by WebSeal?
Thanks in advance.
To make @daniel-beck’s suggestion into a concrete answer: the Reverse Proxy Auth plugin is the way this sort of integration is normally done in the absence of a dedicated SSO plugin, though I do not know specifically whether WebSEAL sends headers suitable for consumption by this plugin. From what I can glean by searching, you would get HTTP_IV_USER and HTTP_IV_GROUPS.
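Header-based sign-on as described in the answer above is only sound if the backend accepts the identity headers from the proxy alone. The following added example (not part of the original posts, and not Jenkins or plugin code) shows that check in language-neutral form; it assumes the headers arrive as `iv-user` and a comma-separated, optionally quoted `iv-groups`, and the function names and addresses are hypothetical.

```python
import ipaddress

# Assumption: the proxy forwards identity as iv-user / iv-groups
# (HTTP_IV_USER / HTTP_IV_GROUPS in CGI-style environments).
IDENTITY_HEADERS = ("iv-user", "iv-groups")


def parse_groups(raw):
    """Split a comma-separated group list, tolerating quoted names."""
    groups = []
    for item in raw.split(","):
        name = item.strip().strip('"').strip()
        if name:
            groups.append(name)
    return groups


def identity_from_request(peer_ip, headers, trusted_proxies):
    """Return (identity, headers) for one request.

    identity is (user, groups) only when the TCP peer is a trusted proxy.
    For any other peer the identity headers are stripped and identity is
    None, so a client that reaches the backend directly cannot assert one.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    peer = ipaddress.ip_address(peer_ip)
    from_proxy = any(peer in ipaddress.ip_network(net) for net in trusted_proxies)
    if not from_proxy:
        cleaned = {k: v for k, v in lowered.items() if k not in IDENTITY_HEADERS}
        return None, cleaned
    user = lowered.get("iv-user", "").strip()
    if not user:
        return None, lowered
    return (user, parse_groups(lowered.get("iv-groups", ""))), lowered


# Constructed sample requests (addresses and names are illustrative only).
TRUSTED = ["10.0.0.5/32"]
SAMPLE = {"IV-User": "alice", "IV-Groups": '"jenkins-admins","developers"'}

if __name__ == "__main__":
    print(identity_from_request("10.0.0.5", SAMPLE, TRUSTED)[0])
    print(identity_from_request("203.0.113.7", SAMPLE, TRUSTED)[0])
```

The same effect is usually also enforced at the network layer, by making the backend reachable only from the proxy.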

Use everyauth package for authorizing users to access data via REST api calls

I am developing a Google Chrome extension that needs to communicate with a nodejs server. I was wondering if it's possible to use the everyauth package to simplify authentication. For starters, I just wanted to use simple password-based authentication. But from the examples and the documentation, as well as according to my trial, it seems to me that everyauth is designed to be used for a webapp and gives me errors if I don't set the getLoginPath. Also, I am not sure how to configure everyauth to send the user details or errors after the user authenticates in a JSON payload rather than redirecting the user to a particular page. This is my first project with node.js and I am looking for some advice on how to go forward with this. I am open to using some other package/library that provides such authentication.
Since you are open to using other modules, as the developer of Passport, I'd suggest you look at it: https://github.com/jaredhanson/passport
Passport is designed to be a simple and unobtrusive authentication library, which makes it easy to get up and running quickly. It's also modular and extensible, which allows it to adapt to your application's needs over time.
The examples provided, along with the local strategy ( https://github.com/jaredhanson/passport-local ) are enough to get you started with username/password authentication. Let me know if you have any feedback or questions.
I was able to accomplish a REST-only interface to everyauth by overriding its handler methods: https://gist.github.com/2938492