Keycloak - Fine-grained permissions don't work - permissions

I gave a client permission “manage” to a user (with a User policy) and also gave him “view client” and “query client” roles. On a client editing screen there is no Save button and all input fields are disabled.
What's wrong?
Did it according to the manual
https://github.com/keycloak/keycloak-documentation/blob/main/server_admin/topics/admin-console-permissions/fine-grain.adoc
didn't help at all

Related

How to delete a user from SonarQube and re-activate?

In our SonarQube instance we have recently enabled LDAP authentication. Prior to LDAP integration the users were manually created. It so happened some of the users were created using the same LDAP user ID and custom password.
Now that LDAP is integrated, we want all users to use the LDAP ID/password instead of the previously manually created ID/password. SonarQube login works with the manually created password rather than the LDAP password. So how do we remove the manually created users and only activate the LDAP users?
PS: I don't see the option to delete but only to de-activate
As replied by Jeroen Heier in comments, removing users from Administration > Security > Users will allow you to reuse the login of the removed user with an LDAP account.
If it's not the case, please describe what you're doing.
While I'm concerned with the deletion of an account... why can't you re-activate a user if you de-activated them through the UI? This is incredibly painful if a user was accidentally deactivated.

How to restrict access to Jenkins?

My Jenkins instance is currently open for every user, there is no authentication. I want to protect Jenkins against access by unauthorized users. I'm looking for a very simple/basic solution -- one user. If this "admin" user hasn't authenticated himself, he should not be able to do anything. If he has, he should get full access to the Jenkins instance (including all projects). How to configure this?
Follow these steps:
Go to Configure Global Security --> Security Realm: Jenkins' own user database, and Authorization: Logged-in users can do anything. After saving, Jenkins should prompt you to create a new user. Please create the required user by filling in details like username and password.
Then, log in with that user and change the authorization to Matrix-based security. The matrix configuration should be as shown below i.e., it should have all privileges for the required user and none for anonymous users.
First you need to create an admin user or whatever you want.
To do that, go to your Jenkins dashboard page and find the "Credentials" option.
In credentials, you can create your user.
With your admin user created, just go back to your Jenkins dashboard page and find the "Manage Jenkins" option; in there, click on "Configure Global Security".
In the Global Security page, check the box "Enable Security", scroll down to "Access Control", choose "Jenkins’ own user database" and select what users can do after login.

CAS SSO automatically log in

I want an automatic login in my services when the user is already logged in to CAS.
At the moment I must click the login button in every service manually to log in.
My goal is that when I'm logged in to CAS and I join, for example, my Jenkins service, my user is logged in automatically without clicking the login button.
Can someone help me?
If you're using something like Spring Security or similar to manage it, then it can do it automatically for you. But since you seem to be making a Single Page Application (as you've said that you're needing a login button), and going with that assumption, you'd need to have that login anyway. Except of course if you've set a script to check if there's a valid cookie already. More details appreciated (sorry, can't just comment).

Jenkins restrict access to only Google Apps Domain users using OpenID Authentication

Using the Jenkins OpenID plugin I'm able to configure Jenkins to use my Google Apps OpenID as a provider. Anonymous users are still able to access that application (they have read access only), but I want to have it so that users are forced to login using the Google App domain or they are denied access.
I'm currently using the Jenkins Authorization setting of "Logged in users can do anything", I've tried using the "Matrix based authentication" and denying anonymous users, assuming logged in users would still have permissions, is there a special group value I can use for "logged in users" in matrix based authentication?
It seems like "Matrix-based security" will only work for specific users when using Google Apps OpenID (I don't believe Google Apps for domains has support for the OpenIDTeam extension).
Yes there is a special group you can use to do this but finding the information about how to do it isn't obvious.
If you hover over the 'Overall - Read' column on the Matrix-based security table you'll get the solution.
It states
The read permission is necessary for viewing almost all pages of Jenkins. This permission is useful when you don't want unauthenticated users to see Jenkins pages - revoke this permission from the anonymous user, then add "authenticated" pseudo-user and grant the read access.
I use the following technique in combination with the OpenID plugin which allows me to specify a Google Apps for Business domain to secure Jenkins with
Warning: Make sure you've got a backup of your installation before you start because if you get something wrong you may lock yourself out of your Jenkins. Unpicking the plugins and settings would take longer than just restoring from a backup.
Ensure your choice of OpenID provider is still working ok with your current 'Logged in users can do anything' setting
Select the 'Matrix based-security' mode for Authorization
Add a new 'authenticated' group (lower case 'a') to the Matrix-based security table.
Use the 'check all' icon at the right hand end of the new 'authenticated' row to tick all the permission boxes.
Use the 'check all' icon at the right hand end of the 'Anonymous' row to untick all the permission boxes.
Save the settings
Reload Jenkins
Now each time a user wants to see Jenkins they have to be already signed into their Google Account and no-one can get to see any Job names or views without login.
Hope this helps.
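A way to verify the result of the matrix steps described in the two Jenkins threads above, added here as an example and not part of any of the answers: it reads the global `config.xml` and reports permissions still held by `anonymous`, or a missing `authenticated` grant that would lock logged-in users out. The `permission:sid` entry format (with an optional `USER:`/`GROUP:` prefix) is an assumption about how the matrix authorization plugin serializes its table, and the sample config is constructed.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of a Jenkins config.xml (assumed serialization).
SAMPLE_CONFIG = """<?xml version='1.1' encoding='UTF-8'?>
<hudson>
  <useSecurity>true</useSecurity>
  <authorizationStrategy class="hudson.security.GlobalMatrixAuthorizationStrategy">
    <permission>hudson.model.Hudson.Administer:authenticated</permission>
    <permission>hudson.model.Hudson.Read:authenticated</permission>
    <permission>hudson.model.Hudson.Read:anonymous</permission>
    <permission>GROUP:hudson.model.Item.Read:authenticated</permission>
  </authorizationStrategy>
</hudson>"""

OVERALL_READ = "hudson.model.Hudson.Read"
OVERALL_ADMIN = "hudson.model.Hudson.Administer"

def parse_entry(text):
    """Split 'perm:sid' or 'USER|GROUP:perm:sid' into (permission, sid)."""
    parts = text.strip().split(":", 2)
    if len(parts) == 3 and parts[0] in ("USER", "GROUP"):
        return parts[1], parts[2]
    perm, _, sid = text.strip().partition(":")
    return perm, sid

def audit(config_xml):
    """Return a list of findings; an empty list means the matrix looks closed."""
    # Jenkins declares XML 1.1, which Python's parser rejects: drop the declaration.
    body = re.sub(r"^\s*<\?xml[^>]*\?>", "", config_xml, count=1)
    root = ET.fromstring(body)
    findings = []
    if root.findtext("useSecurity", "true").strip() == "false":
        findings.append("security is disabled (useSecurity is false)")
    strategy = root.find("authorizationStrategy")
    cls = strategy.get("class", "") if strategy is not None else ""
    if "MatrixAuthorizationStrategy" not in cls:
        findings.append("authorization is not matrix-based: " + (cls or "none"))
        return findings
    grants = {}
    for node in strategy.iter("permission"):
        perm, sid = parse_entry(node.text or "")
        grants.setdefault(sid, set()).add(perm)
    for perm in sorted(grants.get("anonymous", ())):
        findings.append("anonymous still holds " + perm)
    # Exact match: the answer above stresses the lower-case 'a'.
    if not grants.get("authenticated", set()) & {OVERALL_READ, OVERALL_ADMIN}:
        findings.append("'authenticated' lacks Overall/Read: logged-in users locked out")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONFIG)) or "no findings")
```

Run it against a copy of the file taken before and after saving the matrix, alongside the backup the answer recommends.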

Authenticated referrals option disappeared

I just created my second app, and I want to enable Authenticated Referrals as I made on my first app. But the "Authenticated Referrals" option has disappeared in Settings > Permissions, however that option is still in the Facebook app's documentation : http://i.stack.imgur.com/WC6A0.jpg
Can you help me to retrieve this option? Thanks.
Authenticated Referrals are removed for new applications as described in this blog post
https://developers.facebook.com/blog/post/2012/10/10/growing-quality-apps-with-open-graph/
Authenticated referrals create an inconsistent experience for people by asking them to give permissions in order to access content with little context. You must migrate to use a standard Auth Dialog experience.