Does a list or web-page exist showing what roles are required for all the Openstack CLI commands?
Thanks!
Related
I'm currently searching for a way to grant specific users permissions to only use and manage the features listed ind the Test Plans tab in azure devops. So users in this group/team should not be able to see releases, builds, code and all the other stuff in the current project.
Is there a Way to achieve this?
Thanks
There is no default way to disable services of Repos, Pipeline, etc. You need to set the permission for each resource by referring to the following link:
https://learn.microsoft.com/en-us/azure/devops/organizations/security/permissions?view=azure-devops&tabs=preview-page
For example, make users not see the repo, you can deny the "Read" permission for the repo:
I have installed Sonatype Nexus 3 OSS with Hosted Repository for Docker (Private Registry for Docker). I want to have couple of users, which will be able to pull/push docker images, based on their permissions.
First way, how I can do it - is to create several hosted repositories for docker and then via Securiy -> Privileges use repository-view with such approach configure permissions based on exact repository:
username: repository name: permission:
user1 docker-internal-1 nexus:repository-view-:docker:docker-internal-1:read
user2 docker-internal-1 nexus:repository-view-:docker:docker-internal-1:add
user3 docker-internal-2 nexus:repository-view-:docker:docker-internal-2:read
user4 docker-internal-2 nexus:repository-view-:docker:docker-internal-2:add
This approach works, but it requires having multiple hosted repositories for docker.
My question will be - is it somehow possible to have one singe hosted repository for docker and then configure permissions, based on docker repository namespace?
So let's say I have a repository called docker-internal and then I have such permissions:
username: repository name: permission:
user1 docker-internal nexus:repository-view-:docker:docker-internal/namespace1:read
user2 docker-internal nexus:repository-view-:docker:docker-internal/namespace1:add
user3 docker-internal nexus:repository-view-:docker:docker-internal/namespace2:read
user4 docker-internal nexus:repository-view-:docker:docker-internal/namespace2:add
Unfortunately in Nexus 3 documentation I haven't found a way how I can do it with repository-view permissions, cause they only allow you to specify repository name, but no namespace. Then there is such thing as wildcard, which is described in Sonatype docs like "Wildcard -> These are privileges that use patterns to group other privileges." So I've tried to create some regex pattern like this:
nexus:repository-view:docker:docker-internal/namespace1:read
And unfortunately it doesn't work.
We find a way to combine content-selectors and permission to support image level permissions.
First you have to create two content selectors:
"docker-login-all" with the expression format=="docker" and path=~"/v2/". If you are support v1 protocol too, make sure to create another selector for it.
"docker-foo-selector" with an expression matching the image you want to grant access. For example to select all the releases of foo/bar-linux, the expression is format=="docker" and path=~".*/foo/bar-linux/.*"
The first selector is very important, as without it you are not able to create a rule that allow your users to login.
Then create two privileges based on content-selectors:
"docker-login-all-privilege" based on "Docker-login-all" applied on all the docker registries, with read grants. This will grant the ability to login via docker cli.
"docker-foo-privilege" based on "docker-foo-selector" applied on all the docker registries, with read grants. This will allow your users to pull only foo/bar-linux images.
Then create a role with only the two privileges, and associate it to the users. It should work.
Please be aware of unexpected behaviours when using some commands: https://issues.sonatype.org/browse/NEXUS-12220
Based on answer from Sonatype Nexus support currently it's not possible to do it via wildcard and namespace in docker registry. So the only working way is to use separate docker repositories and repository-view permissions.
I want to configure two different AWS account credentials in Spinnaker. How can I add second account in spinnaker?
Thanks,
Puneet
Here are the detailed instructions on how to add multiple accounts to Spinnaker as written by the Spinnaker development team. You basically need to add the ability to assume role from the secondary account - https://github.com/spinnaker/clouddriver/tree/master/clouddriver-aws
Keep in mind that the default templates on spinnaker/spinnaker do not allow for multiple accounts and you have to edit clouddriver.yml directly to follow these instructions.
I have used AWS Community AMI for configuring Spinnaker. I am able to get the lists of ELB, AMI and Security Groups while creating Server Group. But, I am not getting the Instance types in the custom drop down list. Any idea about what could be going wrong?
Spinnaker Cluster Error
It looks like you are not having a correct IAM role assigned to the user whose access keys you are using for the spinnaker integration with AWS.
Mostly if you used the spinnaker.Check if you have enough rights in AWS.
If not then create a role and assign AWS POWER USER ACCESS to your user and then try to get the integration .
Spinnaker is a tool which would need AWS EC2 Full access atleast as it directly access EC2 spin up its server groups.
Instance types are cached in the browser's local storage. You can explicitly refresh the cache via the 'Refresh all caches' link:
If you show the network tab of your browser's console (prior to clicking 'Refresh all caches'), you should see a request to http://localhost:8084/instanceTypes.
If the response contains your instance types, you should be good to go.
Can we use RBAC plugin in Jenkins CLI to list the groups and the members below it? I am able to find the users for each group using the syntax
java -jar jenkins-cli.jar -s http://localhost:8080/ -i c:\.ssh\id_rsa group-membership path/to/folder GroupName
however, I would like to list all the groups for a particular folder and also list the members in the respective groups. I know later is achievable if we can list the available group names.
Sorry, there is no CLI command currently to list the groups in a given container. You could use get-job path/to/folder to retrieve its raw config.xml, which would include information about defined groups.