As described by bitckets, now personal access tokens are free from user. And can be used as bearer tokens to access repositories.
But I couldn't find any way to configure bearer tokens inplace of username and password in spring cloud config server.
spring:
cloud:
config:
server:
git:
uri: https://my-bicket.com/bu/myrepo.git
username: my-username
password: my-token
Is it supported by spring cloud config server.
Related
i have a problem finding explanations on how to expose HTTPS API to outside clients.
The Vault on Kubernetes Reference Architecture
page ends with a short explanation in the end of this page which leave with no more info on how to
configure vault HTTPS API to be accessible to the outside world .
this tutorial using disable TLS
or this tutorial
which working on minicube , which act differently then real k8s and its also without TLS
the funny thing is that the main tutorial configuration the vault server cluster in k8s do use TLS
I just want to make curl API with TLS that will give me the password i set
How do i do this ?
Once you have port-forwarded the service/pod to your local machine, where you are using the CLI, you can use the VAULT_SKIP_VERIFY to skip certificate verification.
$ kubectl port-forward ... ...
// export your https url
$ export VAULT_ADDR=https://127.0.0.1:8200
// vault token
$ export VAULT_TOKEN= "****"
// set true
$ export VAULT_SKIP_VERIFY=true
Now, you ready to use the vault CLI.
$ vault status
Key Value
--- -----
Seal Type shamir
Initialized true
Sealed false
... ... ...
I have worked on setting the authentication for Kafka clients in past. I have I have refered:
https://kafka.apache.org/documentation/#security
https://docs.confluent.io/current/kafka/authentication_sasl/index.html#sasl-configuration-for-kafka-brokers
And other links as well.
As mentioned in docs we need to have jaas configuration file to specify the authentication method, I had one like below:
KafkaClient {
org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required
LoginStringClaim_sub="admin";
};
Which basically adds the OAuth authentication for kafka clients.
The question is - can I have multiple authentication methods enabled on kafka broker
I mean can I enable both OAuthBearer and PLAIN authentication on Kafka, and let the client authenticate by any one of these methods.
OK, I found how we can do it.
Multiple SASL mechanisms can be enabled on the broker simultaneously while each client has to choose one mechanism.
In JAAS config file, we have to specify the configuration for the multiple login modules as below:
KafkaServer {
org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required
LoginStringClaim_sub="admin";
org.apache.kafka.common.security.plain.PlainLoginModule required
username="admin"
password="admin-secret"
user_admin="admin-secret"
user_alice="alice-secret";
};
Then we have to enable the SASL mechanisms in server.properties:
# List of enabled mechanisms, can be more than one
sasl.enabled.mechanisms=OAUTHBEARER,PLAIN
And Then Specify the SASL security protocol and mechanism for inter-broker communication in server.properties
# Configure SASL_SSL if SSL encryption is enabled, otherwise configure SASL_PLAINTEXT
security.inter.broker.protocol=SASL_SSL
# Configure the appropriate inter-broker protocol
sasl.mechanism.inter.broker.protocol=PLAIN
Credit to - https://docs.confluent.io/current/kafka/authentication_sasl/index.html#enabling-multiple-sasl-mechanisms
I am trying to connect my Spring Cloud Config to a repo on AWS CodeCommit using HTTPS but I keep getting an error saying Cannot clone or checkout repository.
This is what I have done so far:
Created a user in AWS IAM and generated HTTPS GIT username and password credentials.
Added the AWS CodeCommit git URL and user credentials into the application.yml file
server:
port: 8888
spring:
cloud:
config:
discovery:
enabled: true
server:
encrypt.enabled: false
git:
uri: https://git-codecommit.eu-west-2.amazonaws.com/v1/repos/XXXXX
username: XXXXXXXXXX
password: XXXXXXXXXX
Added the AWS java-sdk-core library as a build dependency.
Is there anything else I need to do?
Document encrypt.* values need to go in bootstrap.{yml|properites}
Context :
ElastAlert v0.1.29 included in Container Docker on OpenShift Orchestrator
Elasticsearch 2.4.4 exposed by Openshift agregate_logging (with Oauth2)
Hello,
From Elastalert, i want to connect to Elasticsearch.
The authenticate of Elastic use oauth2.
The oauth2 requires the X-Proxy-Remote-User and the token in the header of the requests :
Ex:
curl -k -H "Authorization: Bearer $token" -H "X-Proxy-Remote-User: $(oc whoami)" -H "X-Forwarded-For: 127.0.0.1" https://es.example.test/_cat/indices
I believe that ElastAlert doesn't support the authenticate Oauth2 by token. Can you confirm?
Effectively, i don't think that client_key and client_cert tls options they are compatible ?
Thanks for your help
Regards
Loïc
From what I've read of the code, no, it only supports basic auth. This would be a nice feature if someone had the time to contribute.
Before i start with my problem:
I've got a website which is protected by a reverse proxy (nginx). So the client is not allowed to connect directly to the website. It must connect to nginx and nginx shows then the content of the website.
Now i wanted to add more "security" features. I installed samba4 as it is usable as a AD DC and wanted to use LDAP (which is included in samba4?) to authenticate the clients which are trying to reach the website.
So before a client can actually see the website it must connect to nginx and then authenticate itself (with LDAP credentials) and then it can view the websites content.
I configured nginx with the module ldap_http_authentication (see configuration below) and it is working. When the client tries to view the website i need to login with some LDAP Credentials, but when i try to authenticate the client it just doesn't work. it says that the LDAP credentials are wrong.
How can i add LDAP users when LDAP comes with samba? I just don't know which credentials to use. I added some users to samba like "test" and tried to use their credentials to authenticate, but they don't work as well.
So which credentials do i have to use for "binddn" and "binddn_passwd"? Where do I have to create them or get them?
My nginx ldap configuration:
ldap_server adds {
url "ldap://192.168.50.131/dc=test,dc=dom?sAMAccountName?sub?";
binddn "TEST\\USERNAME";
binddn_passwd "password";
connect_timeout 5s;
bind_timeout 5s;
request_timeout 5s;
require valid_user;
satisfy any;
}
Thanks!
edit:
i tried to add some users with the command:
ldapadd -x -D cn=admin,dc=test,dc=dom -W -f add_user.ldif
but it just returns:
"Enter LDAP Password: ldap_bind: Strong(er) authentication required (8) additional info: BindSimple: Transport encryption required."
Btw: I've never set an LDAP Password, i just installed samba4. That's all!
By default samba4 require start_tls.
For a start you should try to switch the url to ldaps://
Then you need:
if you don't have a certified certificate
ssl_check_cert off
a certificate for the tls transaction
ssl_ca_file /etc/pki/tls/certs/whatever.crt
For ldapXXXXX commands you need the -Z switch
You also need to check that you ldap.conf file contains the URI and BASE:
URI ldaps://ldap.server.com
BASE "dc=domain,dc=example,dc=com"
You also need the 2 following:
a client certificate for the tls transaction
TLS_CACERT=/etc/pki/tls/certs/whatever.crt
What to do if certificate is not valid
TLS_REQCERT allow