I'm facing a very odd problem that I can't use any user inside (_users) database to create a session through the route (/_session). It's always giving me error (bad credentials). It used to work fine in couchdb 1.6.1
For normal couchdb adminstrators, it works fine :
$ curl -X POST http://localhost:5984/_session -d 'name=my_main_admin&password=******'
{"ok":true,"name":"my_main_admin","roles":["_admin"]}
However for couchdb users (stored in _users), it doesn't work. I don't think it's about the roles.
So I first create the user :
$ curl -s -H "Content-Type: application/json" -X PUT "http://my_main_admin:*****#127.0.0.1:5984/_node/_local/_users/org.couchdb.user:my_new_user" --data '{"name": "my_new_user", "password": "my_new_user", "roles": [], "type": "user"}'
{"ok":true,"id":"org.couchdb.user:my_new_user","rev":"1-f1fa0870666d17d7324e54128dfbcacb"}
Then if I try to use this user to create a session, it never works :
$ curl -X POST http://localhost:5984/_session -d 'name=my_new_user&password=my_new_user'
{"error":"unauthorized","reason":"Name or password is incorrect."}
My CouchDB config looks fine :
"couch_httpd_auth": {
"allow_persistent_cookies": "true",
"auth_cache_size": "50",
"authentication_db": "_users",
"authentication_redirect": "/_utils/session.html",
"iterations": "10",
"require_valid_user": "false"
I used to create sessions with normal users on couchdb 1.6.1 , but it has never worked since I installed couchdb 3.1.1 . I can't find any relevant info in the documentation.
Am I missing something?
The problem is that you are creating the user through the _node/_local interface. The user should be created via the clustered API on the _users clustered database.
$ curl -s -H "Content-Type: application/json" -X PUT \
"http://my_main_admin:*****#127.0.0.1:5984/_users/org.couchdb.user:my_new_user" \
--data '{"name": "my_new_user", "password": "my_new_user", "roles": [], "type": "user"}' \
/
Now you should be able to log in with the new user using the _session endpoint.
Related
I have installed Airflow 2.0.1 on EC2 with PostgreSQL RDS as metadata db. I want to trigger DAG from Lambda so tried to test the code with curl but am receiving Unauthorized as response. What if anything should I be doing differently?
Steps:
Create user for lambda
airflow users create -u lambda_user -p some_pwd -f Lambda -l User -r User -e someone#nowhere.com
Define variables on shell (for lambda user, password and endpoint url)
Make the curl call
curl -H "Authorization: Basic Base64(username:password)" -H "Content-type: application/json" -H "Accept: application/json" -X GET --user "${LAMBDA_USER}:${LAMBDA_PWD}" "${ENDPOINT_URL}/api/v1/dags/sns_test/dagRuns"
Response I receive is this:
{
"detail": null,
"status": 401,
"title": "Unauthorized",
"type": "https://airflow.apache.org/docs/2.0.1/stable-rest-api-ref.html#section/Errors/Unauthenticated"
}
After revising call to
curl -H "Content-type: application/json" -H "Accept: application/json"
-X POST --user "${LAMBDA_USER}:${LAMBDA_PWD}" "${ENDPOINT_URL}/api/v1/dags/sns_test/dagRuns" -d '{"conf": {}}'
dag was triggered!
You are creating a user with the role User.
This is because you have -r User in the command.
Now Airflow requires at least Viewer permissions for the end point you are calling. You can find that information on the Apache Airflow website here.
If you change your command it will work.
Change it from
airflow users create -u lambda_user -p some_pwd -f Lambda -l User -r User -e someone#nowhere.com
to
airflow users create -u lambda_user -p some_pwd -f Lambda -l User -r Viewer -e someone#nowhere.com
I would like to use the Nexus 3 api to change the admin default password as well as the email address using groovy. But I don't understand how to set the password using the groovy api. Can someone provide an example of how to do this?
Summary
You can use the REST API to both update user information and change their password. This includes the admin user.
Nexus REST API: Update user information
The default admin user-data.json in my instance is the following:
{
"userId": "admin",
"firstName": "Administrator",
"lastName": "User",
"emailAddress": "admin#example.org",
"source": "default",
"status": "active",
"readOnly": false,
"roles": [
"nx-admin"
],
"externalRoles": []
}
Update the user-data.json to your desired values and use curl with the REST API.
NX_PASSWORD="admin user password"
curl -ifu admin:"${NX_PASSWORD}" \
-XPUT -H 'Content-Type: application/json' \
--data "$(< user-data.json)" \
<nexus base URL>/service/rest/v1/security/users/admin
Nexus REST API: Change password
You'll want to use the Security Management API.
See Nexus 3 backend source code.
OLD_PASSWORD="nexus admin password"
NEW_PASSWORD="your new password"
curl -ifu admin:"${OLD_PASSWORD}" \
-XPUT -H 'Content-Type: text/plain' \
--data "${NEW_PASSWORD}" \
<nexus base URL>/service/rest/v1/security/users/admin/change-password
Screenshot of Nexus documentation
This documentation is only available on a running Nexus instance. You can view this API on your own running Nexus instance by visiting:
Menu: System configuration > System > API.
Old way: Change password during initial onboarding
This only works during initial onboarding. You should definitely not use this method. Just documenting for completeness.
This section is for changing the initial password during onboarding.
Referencing Nexus source
Frontend code
Backend code
You can change the admin user password with a single curl command.
OLD_PASSWORD="initial nexus password"
NEW_PASSWORD="somepass"
curl -ifu admin:"${OLD_PASSWORD}" \
-XPUT -H 'Content-Type: text/plain' \
--data "${NEW_PASSWORD}" \
<nexus base URL>/service/rest/internal/ui/onboarding/change-admin-password
I originally thought changePassword was deprecated, but I was mistaken. Here is an example of updating admin email address and changing the password:
def user = security.securitySystem.getUser('admin')
user.setEmailAddress('admin#mycompany.com')
security.securitySystem.updateUser(user)
security.securitySystem.changePassword('admin','admin456')
Sonatype Nexus has change-admin-password internal api to update the admin password, but its not straight forward to use, it's using the session id that's created with the /service/rapture/session endpoint.
curl -v 'https://<hostname>/service/rapture/session' --data 'username=<base64 username>&password=<base64 password>'
curl -v -X PUT 'https://<hostname>/service/rest/internal/ui/onboarding/change-admin-password' -H 'cookie: <NXSESSIONID form the above response>' --data '<plain text password>'
Reference:
https://github.com/sonatype/nexus-public/blob/9b177ab50bd7f8470b08247b146da459170ecc8f/plugins/nexus-onboarding-plugin/src/main/resources/static/rapture/NX/onboarding/step/ChangeAdminPasswordStep.js#L50
Install the nexus3 cli:
pip install nexus3-cli
Get the first initial password (Assuming Nexus is running in docker):
docker exec nexus cat /nexus-data/admin.password
Set environment variables:
export NEXUS3_PASSWORD=<PASSWORD FROM PREVIOUS STEP>
export NEXUS3_USERNAME=<USERNAME>
export NEXUS3_URL=<URL>
Allow remote script execution by updating /nexus-data/etc/nexus.properties and appending the below line:
nexus.scripts.allowCreation=true
Restart nexus service to reload the last change:
docker container restart <nexus>
Create a file reset-password.groovy with the following contents (Thanks to #Dennis Hoer) :
def user = security.securitySystem.getUser('admin')
user.setEmailAddress('admin#mycompany.com')
security.securitySystem.updateUser(user)
security.securitySystem.changePassword('admin','admin456')
From command line create the script and run the script to reset the password of admin:
nexus3 script create --script-type groovy passreset reset-password.groovy
nexus3 script run passreset
The password is now reset
I'm trying to use curl to log into an Okta-enabled site providing the user name & password using the parameter -u {username:password} and all I get back is the html content of the Okta redirect page.
How can I login into the app by providing my Okta credentials using curl?
You can use the following script, assuming you have installed jq (https://stedolan.github.io/jq/download):
sessionToken=$(curl -X POST -H "Accept: application/json" -H "Content-Type:
application/json" -d '{
"username": "[okta_username]",
"password": "[password]",
"options": {
"multiOptionalFactorEnroll": true,
"warnBeforePasswordExpired": true
}
}' "https://[yourorg].oktapreview.com/api/v1/authn" | jq '.sessionToken' -r)
curl -X GET "https://[yourorg].oktapreview.com/login/sessionCookieRedirect?token=${sessionToken}&redirectUrl=http://blah" -c "okta-cookie"
curl -X GET [OKTA_EMBED_LINK] -b "okta-cookie" -L -v
From the last line, you will need to grab the SAMLResponse form parameter and submit it to the action url of the same form.
I hope this helps!
I am trying to use CircleCI's REST API to create a "New Checkout Key" of type "github-user-key".
If I run :
curl -X POST \
--header "Content-Type: application/json" \
-d '{"type":"deploy-key"}' \
https://circleci.com/api/v1/project/myOrg/myPrj/checkout-key?circle-token=8e9c47...etc
I get :
{
"public_key" : "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABA . . . pRYe+9SHcZFs4n \n",
"type" : "deploy-key",
"fingerprint" : "b0:cd:e8:77:ef:00:d5:da:62:b7:fc:d9:9e:84:f7:f1",
"login" : null,
"preferred" : true,
"time" : "2015-11-20T14:57:43.379Z"
}
If I run :
curl -X POST \
--header "Content-Type: application/json" \
-d '{"type":"user-key"}' \
https://circleci.com/api/v1/project/myOrg/myPrj/checkout-key?circle-token=8e9c47...etc
I get :
{
"message" : "Invalid checkout key type (valid types are deploy-key and github-user-key)"
}
If I run :
curl -X POST \
--header "Content-Type: application/json" \
-d '{"type":"github-user-key"}' \
https://circleci.com/api/v1/project/myOrg/myPrj/checkout-key?circle-token=8e9c47...etc
I get :
{
"message" : "{\"message\":\"Not Found\",\"documentation_url\":\"https://developer.github.com/v3\"}"
}
I suspect the documentation for the command is incomplete.
Does anyone know how to do this?
In order to be able to add a user key to your project, CircleCI needs permissions from GitHub to add SSH keys to your account. You can grant it permission by visiting Project Settings > Permissions > Checkout SSH keys for any of your projects and clicking on Authorize w/ GitHub. After doing this, you should be able to generate a checkout key of type github-user-key for any of your other projects using the curl command you demonstrated.
Thank you for surfacing this—we are filing a bug with your report. Sorry for the confusion with the first answer we sent you, we didn’t understand the context well enough.
I am new to openstack, trying to use Ceilometer python API to pull some data from a testbed server, I am accessing the server from a remote site
the problem is that I cannot figure out how get the an authorization token
I used the following command
curl -i 'http://HOST:8774/' -X POST -H "Content-Type: application/json" -H "Accept: application/json" -d/tokens auth": {"tenantName": "project", "passwordCredentials": {"username": "user", "password": "password"}}}'
But it does not give me anything,
curl -X GET -H "X-Auth-Token:$MY_TOKEN" http://HOST:8774/tokens
also does not give me any token
From your use of port 8774 I suspect you might be using DevStack. Try this
curl -s -X POST http://$OPENSTACK_KEYSTONE_HOST:5000/v2.0/tokens -d '{"auth": {"passwordCredentials": {"username":"my-username", "password":"my-password"}, "tenantName":"my-tenantName"}}
In DevStack Keystone (the auth service you get tokens from) is running on port 5000 by default. This may or may not be true in your case. Ask your friendly OpenStack operator what host (and port) Keystone is running on and put that in place of $OPENSTACK_KEYSTONE_HOST:5000