Cluster authentication - ignite

According to this documentation -> https://apacheignite.readme.io/docs/advanced-security, it's said that the authentication mechanism only applies to JDBC connections.
Here is our scenario, we don't need any security per connection from client to server but, we want all clients to authenticate before entering the server topologies which will happen when doing this -> Ignition.getOrStart(CFG).
Is there any way we can achieve this?

Take a look at: https://www.gridgain.com/docs/latest/administrators-guide/security/authentication
You have the option of building your own security plugin as detailed in the Authorization section of the URL you mentioned: https://apacheignite.readme.io/docs/advanced-security#section-authorization
More info here: https://www.gridgain.com/docs/latest/administrators-guide/security/custom-authenticators

Related

How to configure access control in Orion NGSI API for tenant isolation using Wilma PEP Proxy and IdM Keyrock?

I want to provide access control at the Orion Context Broker NGSI API level to ensure real data isolation. I want to make sure that a tenant can only query/update their contexts and NOT those of another tenant.
To do so, I started putting an instance of Wilma PEP Proxy in front of Orion Context Broker. Then I configured my own Identity Manager keyrock GE instance based on official IdM Keyrock docker image and my own Authorization PDP GE based on official AuthzForce docker image.
After a few days of configurations and many tries, finally I could have these three security Generic Enablers working fine, authenticating and authorizing requests for the Orion Context Broker NGSI API using PEP Proxy level 2.
However, level 2 of authorization is not enough to ensure what I want, because service (tenant) and sub service (application path) information are in the headers of the request. Particularly in Fiware-Service and Fiware-ServicePath headers. In order to build header-based authorization policies you need to use level 3: XACML authorization.
The problem is that I did some digging in the official documentation of Fiware and I could not find any example of an XACML policy. Besides, the official documentation of Wilma PEP Proxy (see here) says that you may have to modify the PEP Proxy source code in order to get this level of authorization.
As this case is thought to check advanced parameters of the request such as the body or custom headers, it depends on the specific use case. So the programmer should modify the PEP Proxy source code in order to include the specific requirements.
Is that possible?
Do I really have to modify the PEP Proxy source code to achieve something as simple as a tenant can only access his data?
Very good question. There are alternative GEis that support perfectly the use cases you are referring to. Please check this presentation:
https://es.slideshare.net/FI-WARE/building-your-own-iot-platform-using-fiware-geis
Thanks, best
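The header-based tenant check this question asks about, as an added example that is not Wilma or AuthzForce code and not from the posts above. `GRANTS`, `authorize` and the user names are hypothetical, and a request without a Fiware-ServicePath header is assumed to cover every sub-path.

```python
# Added example: hypothetical policy decision on the Fiware-Service and
# Fiware-ServicePath headers. Not code from Wilma, Keyrock or AuthzForce.

# Constructed grants: authenticated user -> allowed (tenant, path prefix) pairs.
# A real deployment would derive these from the identity manager.
GRANTS = {
    "alice": [("tenant_a", "/app1")],
    "bob": [("tenant_b", "/")],
}


def _covers(prefix: str, requested: str) -> bool:
    """True if everything selected by `requested` lies under `prefix`."""
    # "/app1/#" selects /app1 and all of its children; judge it by its root.
    path = requested[:-2] if requested.endswith("/#") else requested
    path = path or "/"
    if prefix == "/":
        return True
    # Compare whole path segments so "/app10" does not match "/app1".
    return path == prefix or path.startswith(prefix + "/")


def authorize(user: str, headers: dict) -> bool:
    """Permit only if the tenant and every requested path are granted to the user."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    tenant = h.get("fiware-service", "").strip()
    if not tenant:
        return False  # no tenant header: deny instead of falling back to a default
    # Assumption: an absent path header is judged as the widest scope, "/#".
    raw = h.get("fiware-servicepath", "/#")
    paths = [p.strip() for p in raw.split(",")]  # the header may list several paths
    allowed = [prefix for t, prefix in GRANTS.get(user, []) if t == tenant]
    return bool(allowed) and all(
        p.startswith("/") and any(_covers(prefix, p) for prefix in allowed)
        for p in paths
    )
```
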

RabbitMQ - use HTTP auth backend only for authentication?

Per https://www.rabbitmq.com/access-control.html, RabbitMQ has the ability to use authentication (who is the user) and authorization (what can the user do?).
I'm using a rather obscure plugin for authorization already. I was wondering if there was a way to use the HTTP backend ONLY for authentication, because it would gel extremely well with the Django server that this project is using (users on the Django server may be allowed onto the Rabbit server).
Thanks
Never used before, but this plugin should solve:
https://github.com/rabbitmq/rabbitmq-auth-backend-http
This plugin provides the ability for your RabbitMQ server to perform authentication (determining who can log in) and authorisation (determining what permissions they have) by making requests to an HTTP server.
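Splitting the two roles as the question asks, shown as an added example that is not code from the plugin or from the posts above: the broker settings in the comment send only authentication to the HTTP backend, and the Python side is the endpoint that answers it. The URL, the user store and the function names are constructed; `internal` stands in for whichever authorization backend is already in use.

```python
# Added example; not code from rabbitmq-auth-backend-http or the original post.
# Broker side (rabbitmq.conf): authentication over HTTP, authorisation elsewhere.
#   auth_backends.1.authn = http
#   auth_backends.1.authz = internal   # stand-in: name the existing authz backend
#   auth_http.http_method = post
#   auth_http.user_path   = http://127.0.0.1:8000/rabbit/user   # constructed URL
import hashlib
import hmac
from urllib.parse import parse_qs

SALT = b"constructed-salt"  # sample value for this example only


def _digest(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)


# Constructed user store. In the Django project this lookup would be
# django.contrib.auth.authenticate(username=..., password=...).
USERS = {"alice": _digest("correct horse")}


def user_path_reply(form_body: str) -> str:
    """Body the plugin expects from user_path: 'allow' or 'deny'."""
    fields = parse_qs(form_body, keep_blank_values=True)
    username = fields.get("username", [""])[0]
    password = fields.get("password", [""])[0]
    candidate = _digest(password)  # computed for unknown users as well
    stored = USERS.get(username)
    if stored is not None and hmac.compare_digest(candidate, stored):
        return "allow"
    return "deny"


def app(environ, start_response):
    """WSGI endpoint: always HTTP 200, the decision travels in the body."""
    reply = "deny"
    if environ.get("REQUEST_METHOD") == "POST":
        size = int(environ.get("CONTENT_LENGTH") or 0)
        reply = user_path_reply(environ["wsgi.input"].read(size).decode())
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [reply.encode()]
```
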

weblogic disable authentication

I have established a WebService on my weblogic 10.3 BEA server, and have tried accessing it through SOAtest only to find that it gives me the error: Recieved HTTP response Code: 403 Forbidden. I appreciate that weblogic is securing my webservice ;) but in the context of what I'm doing I would like to allow anonymous access to this specific webservice. This means that I would like any client to be able to access the SOAP communications of this webservice.
Any help is greatly appreciated :)
R.
Here are a few things you could try:
From the weblogic console
Home -> Domain -> Web Applications -> Turn on "Allow All Roles"
From the weblogic console make sure no roles or policies are set in
Home -> Deployments -> <your deployment> -> Security
In your web.xml deployment descriptor set
role-name="*"
That said, the default behavior of weblogic (if you haven't changed it to a secure port, etc etc) is to allow anonymous access to web apps so maybe your deployment is specifying roles even though you don't think it should be. Check all of the .xml files in your .war/.ear to see if restrictions are in place.
As a last ditch effort you should check this link: How to make weblogic form authentication in wicket
Please look for 'security-constraint' tag inside web.xml to see if there is any CONFIDENTIAL user data constraint. If there is, SSL needs to be enabled on your application server.

Jenkins Authentication using IBM Tivoli Access Manager

I am considering integrating IBM's Tivoli Access Manager with Jenkins for user authentication. TAM uses something called a WebSeal to allow users to log in and then forwards the creds for that user in the HTTP header to the desired service. I am new to Jenkins and was wondering what would be the easiest approach to do this. I noticed that the existing OpenId plugin extends the FederatedLoginService currently present in Jenkins. Could something similar be done to integrate TAM? If not, where would I extend Jenkins to allow the extraction of the creds from the header provided by WebSeal?
Thanks in advance.
To make #daniel-beck’s suggestion into a concrete answer: the Reverse Proxy Auth plugin is the way this sort of integration is normally done in the absence of a dedicated SSO plugin, though I do not know specifically whether WebSEAL sends headers suitable for consumption by this plugin. From what I can glean by searching, you would get HTTP_IV_USER and HTTP_IV_GROUPS.

Restful CAS client and Proxy Granting Tickets

I have an application that uses a CAS server to authenticate. I first use a REST call to generate a ticket generating ticket which is then validated successfully and a service ticket is generated.
My next step is to pass this ticket to another webapp as a parameter in a web service call and let them login to the same CAS server with it. Apparently this kind of behaviour is possible if I use proxy granting tickets instead of ticket granting tickets but I can't see any way to get a PGT through the REST client.
Can anyone help with getting PGTs, or am I on a wild goose chase?
Try looking at https://wiki.jasig.org/display/CAS/Proxy+CAS+Walkthrough
I went through the example, mimicking the various calls in code and it worked fine. The tricky bit was then writing the code to represent that code. In my case, it had to fit in with Spring Security.
Spring Security comes with libraries for authenticating to a stateless service using CAS. This includes requesting a ProxyGrantingTicket and then requesting a ProxyTicket.
The Spring Security 3.1.6 docs describe this in section 22.3.3.