My Corda application is working well except for the permissions management. Currently every node can start ever flow, however this should not be possible. I tried to restrict the permissions of certain nodes in the build.gradle file. Here is one node as an example:
node {
name "O=PartyA,L=Paris,C=FR"
p2pPort 10008
rpcSettings {
address("localhost:10009")
adminAddress("localhost:10049")
}
rpcUsers = [[ user: "user2", password: "test", permissions: ["StartFlow.FlowInitiatorOne", "StartFlow.FlowInitiatorTwo"]]]
}
I deploy my network using the deployNodes command. My flows are written in Java. Regardless of the permissions, PartyA is able to start all flows. The log file of PartyA shows that all flows are registered, before the permissions are added to the node.
[INFO ] 2019-12-13T09:35:25,796Z [main] internal.NodeFlowManager.registerInitiatedFlow - Registered com.template.flows.FlowInitiatorOne to initiate com.template.flows.FlowResponderOne (version 1)
[INFO ] 2019-12-13T09:35:25,797Z [main] internal.NodeFlowManager.registerInitiatedFlow - Registered com.template.flows.FlowInitiatorTwo to initiate com.template.flows.FlowResponderTwo (version 1)
[INFO ] 2019-12-13T09:35:25,798Z [main] internal.NodeFlowManager.registerInitiatedFlow - Registered com.template.flows.FlowInitiatorThree to initiate com.template.flows.FlowResponderThree (version 1)
[INFO ] 2019-12-13T09:35:25,800Z [main] internal.NodeFlowManager.registerInitiatedFlow - Registered com.template.flows.FlowInitiatorFour to initiate com.template.flows.FlowResponderFour (version 1)
[INFO ] 2019-12-13T09:35:25,793Z [main] internal.NodeFlowManager.registerInitiatedFlow - Registered com.template.flows.FlowInitiatorFive to initiate com.template.flows.FlowResponderFive (version 1)
Below the flow registrations, the log file shows the user with the right permissions
[INFO ] 2019-12-13T09:35:55,434Z [main] security.RPCSecurityManagerImpl.buildImpl - Constructing realm from list of users in config [User(user2, permissions=[StartFlow.FlowInitiatorOne, StartFlow.FlowInitiatorTwo])]
If I enter flow list in the terminal, PartyA will tell me that it can start all five flows. How do I fix this problem?
Your setup is correct and what you see in the log makes sense as well.
1. When the node starts, it scans the cordapps folder and registers all the flows that it sees.
2. Since you are connecting to the node directly (not through ssh or using the standalone shell) and your node is in dev mode; then Corda connects you to the node as user shell with password shell and you can run all flows.
3. To test your RPC user, you would have to write a client that connects to your node using the test user; that client will be restricted to calling only the 2 flows that you specified.
Read about different the types of accessing the node: https://docs.corda.net/shell.html
You can see a sample client in R3's cordapp-example (it's in Kotlin):
1. In the controller class, you call the flows using the proxy: https://github.com/corda/samples/blob/release-V4/cordapp-example/clients/src/main/kotlin/com/example/server/MainController.k
2. Notice how the Gradle task to run that webserver uses the defined RPC user: https://github.com/corda/samples/blob/69ff8d4a668c520b6695be67864f4f96ab7ec809/cordapp-example/clients/build.gradle#L64
3. The Java template comes with a predefined clients module as well: https://github.com/corda/cordapp-template-java/tree/release-V4/clients/src/main/java/com/template/webserver
Related
I am trying to use Geode Redis Adapter as my server for Rate Limiting provided by Spring Cloud Gateway. If I use a real Redis Server, everything works perfectly, but with Geode Redis Adapter doesn't.
I am not too sure if this functionality is supported.
I tried to start a [Geode image] (https://hub.docker.com/r/apachegeode/geode/) exposing the default Redis port 6739. Starting the container, I executed using gfsh the following commands:
start server --name=redis --redis-port=6379 --J=-Dgemfireredis.regiontype=PARTITION_PERSISTENT
When I try to access in my local machine by redis-cli -h localhost -p 6379 I can get connected.
My implementation is simple:
application.yaml
- id: rate-limitter
predicates:
- Path=${GUI_CONTEXT_PATH:/rate-limit}
- Host=${APP_HOST:localhost:8080}
filters:
- name: RequestRateLimiter
args:
key-resolver: "#{#remoteAddrKeyResolve}"
redis-rate-limiter:
replenishRate: ${rate.limit.replenishRate:1}
burstCapacity: ${rate.limit.burstCapacity:2}
uri: ${APP_HOST:localhost:8080}
Application.java
#Bean
KeyResolver remoteAddrKeyResolve() {
return exchange -> Mono.just(exchange.getSession().subscribe().toString());
}
When my application is started and I try to access /rate-limit, I expected to connect to redis and my page be displayed.
However, my Spring application keeps trying to access and can't i.l.c.p.ReconnectionHandler: Reconnected to localhost:6379. So, the page is not displayed and keep loading. FIXED in Edit1 below
Problem is I am using RedisRateLimiter and tried to simulate the access with a for loop. Checking the RedisRateLimiter.REMAINING_HEADER, the value is -1 always. Doesn't seems right, because I don't have this issue in Redis itself.
During the start of the application, I also receive these messages on connection to Geode Redis Adapter:
Starting without optional epoll library
Starting without optional kqueue library
Is anything missing in my Geode Redis Adapter or anything else in Spring?
Thank you
Edit 1: I was missing to start the locator and region, that's why I wasn't able to connect.
start locator --name=locator
start server --name=redis --redis-port=6379 --J=-Dgemfireredis.regiontype=PARTITION_PERSISTENT
create region --name=redis-region --type=REPLICATE_PERSISTENT
I have following configuration on server side:
server:
port: 8888
spring:
profiles:
active: native
cloud:
config:
server:
native:
search-locations: "classpath:/config"
security:
user:
name: test
password: test
And following configuration on client side:
spring:
cloud:
config:
fail-fast: true
profile: "${spring.profiles.active}"
uri: "${SPRING_CLOUD_CONFIG_URI:http://localhost:8888/}"
username: test
password: test
I can successfully access properties from browser using user/pwd as test/test, but when my client tries to fetch it failed with 401 error:
INFO 7620 --- [5cee934b64bfd92] c.c.c.ConfigServicePropertySourceLocator : Fetching config from server at : http://localhost:8888
WARN 7620 --- [5cee934b64bfd92] c.c.c.ConfigServicePropertySourceLocator : Could not locate PropertySource: 401 null
I tried setting the log level for spring cloud to DEBUG but nothing additional got logged, so I have no clue why I'm getting a 401 from client while I can access properties successfully via browser using the same credentials.
I've also tried removing the security from server and client and it worked perfectly, which means rest of the configurations are quite ok. But then the question is, what am I overlooking when I apply basic security and why it is not working and throwing a 401 instead?
Try checking these configurations:
spring.cloud.config.username
spring.cloud.config.password
Both properties should be defined at bootstrap.properties (not application.properties)
Please check if the way you are specifying profile name is correct and if it is getting resolved properly in Java code. You can implement CommandLineRunner and print active profiles from Environment variable.
If you specified property spring.profiles.active as native in pom.xml, you can resolve it in application/yaml file as #spring.profiles.active#
If you specified property file as VM argument, then it should work with current implementation.
If you did not specify spring.profiles.active in pom or VM argument, it will resolve to default profile, not native profile. Profile in config client and config server should be same.
Yes we have to use bootstrap properties because When the Spring Cloud application starts, it creates a bootstrap context. The bootstrap context is searching for a bootstrap.properties or a bootstrap.yaml file, whereas the application context is searching for an application.properties or an application.yaml file. The bootstrap context is the parent context for the main application
When even run activemq cmd, getting below lines but server is not starting.
Java Runtime: Oracle Corporation 1.8.0_131 C:\Program Files\Java\jdk1.8.0_131\jre
Heap sizes: current=1005056k free=989327k max=1005056k
JVM args: -Dcom.sun.management.jmxremote -Xms1G -Xmx1G -Djava.util.logging.config.file=logging.properties -Djava.security.auth.login.config=D:\Apache ActiveMq\apache-activemq-5.14.5\bin..\conf\login.config -Dactivemq.classpath=D:\Apache ActiveMq\apache-activemq-5.14.5\bin..\conf;D:\Apache ActiveMq\apache-activemq-5.14.5\bin../conf;D:\Apache ActiveMq\apache-activemq-5.14.5\bin../conf; -Dactivemq.home=D:\Apache ActiveMq\apache-activemq-5.14.5\bin.. -Dactivemq.base=D:\Apache ActiveMq\apache-activemq-5.14.5\bin.. -Dactivemq.conf=D:\Apache ActiveMq\apache-activemq-5.14.5\bin..\conf -Dactivemq.data=D:\Apache ActiveMq\apache-activemq-5.14.5\bin..\data -Djava.io.tmpdir=D:\Apache ActiveMq\apache-activemq-5.14.5\bin..\data\tmp
Extensions classpath:
[D:\Apache ActiveMq\apache-activemq-5.14.5\bin..\lib,D:\Apache ActiveMq\apache-activemq-5.14.5\bin..\lib\camel,D:\Apache ActiveMq\apache-activemq-5.14.5\bin..\lib\optional,D:\Apache ActiveMq\apache-activemq-5.14.5\bin..\lib\web,D:\Apache ActiveMq\apache-activemq-5.14.5\bin..\lib\extra]
ACTIVEMQ_HOME: D:\Apache ActiveMq\apache-activemq-5.14.5\bin..
ACTIVEMQ_BASE: D:\Apache ActiveMq\apache-activemq-5.14.5\bin..
ACTIVEMQ_CONF: D:\Apache ActiveMq\apache-activemq-5.14.5\bin..\conf
ACTIVEMQ_DATA: D:\Apache ActiveMq\apache-activemq-5.14.5\bin..\data
Usage: Main [--extdir ] [task] [task-options] [task data]
Tasks:
browse - Display selected messages in a specified destination.
bstat - Performs a predefined query that displays useful statistics regarding the specified broker
consumer - Receives messages from the broker
create - Creates a runnable broker instance in the specified path.
decrypt - Decrypts given text
dstat - Performs a predefined query that displays useful tabular statistics regarding the specified destination type
encrypt - Encrypts given text
export - Exports a stopped brokers data files to an archive file
list - Lists all available brokers in the specified JMX context
producer - Sends messages to the broker
purge - Delete selected destination's messages that matches the message selector
query - Display selected broker component's attributes and statistics.
start - Creates and starts a broker using a configuration file, or a broker URI.
stop - Stops a running broker specified by the broker name.
Task Options (Options specific to each task):
--extdir - Add the jar files in the directory to the classpath.
--version - Display the version information.
-h,-?,--help - Display this help information. To display task specific help, use Main [task] -h,-?,--help
Task Data:
- Information needed by each specific task.
JMX system property options:
-Dactivemq.jmx.url= (default is: 'service:jmx:rmi:///jndi/rmi://localhost:1099/jmxrmi')
-Dactivemq.jmx.user=
-Dactivemq.jmx.password=
Errors:
02/15 09:33:30: Launching app
$ adb push C:\Users\hp\AndroidStudioProjects\recevienotfirebase\app\build\outputs\apk\app-debug.apk /data/local/tmp/com.example.hp.recevienotfirebase
$ adb shell pm install -r "/data/local/tmp/com.example.hp.recevienotfirebase"
Success
$ adb shell am start -n "com.example.hp.recevienotfirebase/com.example.hp.recevienotfirebase.MainActivity" -a android.intent.action.MAIN -c android.intent.category.LAUNCHER
Client not ready yet..Connected to process 2360 on device Nexus_6P_API_24 [emulator-5554]
I/art: Not late-enabling -Xcheck:jni (already on)
W/art: Unexpected CPU variant for X86 using defaults: x86
W/System: ClassLoader referenced unknown path: /data/app/com.example.hp.recevienotfirebase-1/lib/x86
I/InstantRun: Instant Run Runtime started. Android package is com.example.hp.recevienotfirebase, real application class is null.
[ 02-15 09:33:38.693 1497: 1520 D/ ]
HostConnection::get() New Host Connection established 0x8fdb9800, tid 1520
W/System: ClassLoader referenced unknown path: /data/app/com.example.hp.recevienotfirebase-1/lib/x86
D/FirebaseApp: com.google.firebase.auth.FirebaseAuth is not linked. Skipping initialization.
W/InstanceID/Rpc: Found 10012
D/FirebaseApp: com.google.firebase.crash.FirebaseCrash is not linked. Skipping initialization.
I/FA: App measurement is starting up, version: 10084
I/FA: To enable debug logging run: adb shell setprop log.tag.FA VERBOSE
D/FA: Debug-level message logging enabled
D/FA: AppMeasurement singleton hash: 91568628
V/FA: Collection enabled
V/FA: App package, google app id: com.example.hp.recevienotfirebase, 1:1056127560632:android:663d67b615c99e63
I/FA: To enable faster debug mode event logging run:
adb shell setprop debug.firebase.analytics.app com.example.hp.recevienotfirebase
V/FA: Registered activity lifecycle callback
I/FirebaseInitProvider: FirebaseApp initialization successful
V/FA: State of service unknown
V/FA: Checking service availability
W/GooglePlayServicesUtil: Google Play services out of date. Requires 10084000 but found 9452470
D/FA: Service container out of date
V/FA: Setting useService: true
V/FA: Using measurement service
V/FA: Connecting to remote service
W/GooglePlayServicesUtil: Google Play services out of date. Requires 10084000 but found 9452470
W/art: Before Android 4.1, method android.graphics.PorterDuffColorFilter android.support.graphics.drawable.VectorDrawableCompat.updateTintFilter(android.graphics.PorterDuffColorFilter, android.content.res.ColorStateList, android.graphics.PorterDuff$Mode) would have incorrectly overridden the package-private method in android.graphics.drawable.Drawable
V/FA: onActivityCreated
V/FA: Using measurement service
V/FA: Connection attempt already in progress
V/FA: Activity resumed, time: 51631
W/gralloc_ranchu: Gralloc pipe failed
[ 02-15 09:33:52.817 2360: 2360 D/ ]
HostConnection::get() New Host Connection established 0x9e59ea40, tid 2360
W/FA: Service connection failed: ConnectionResult{statusCode=SERVICE_VERSION_UPDATE_REQUIRED, resolution=null, message=null}
I/OpenGLRenderer: Initialized EGL, version 1.4
D/OpenGLRenderer: Swap behavior 1
V/FA: Session started, time: 61634
I/FA: Tag Manager is not found and thus will not be used
D/FA: Logging event (FE): _s, Bundle[{_o=auto, _sc=MainActivity, _si=-2727167516359703917}]
V/FA: Using measurement service
V/FA: Connecting to remote service
W/GooglePlayServicesUtil: Google Play services out of date. Requires 10084000 but found 9452470
W/FA: Service connection failed: ConnectionResult{statusCode=SERVICE_VERSION_UPDATE_REQUIRED, resolution=null, message=null}
W/FA: Tasks have been queued for a long time
Google Play services out of date. Requires 10084000 but found 9452470
You may want to check this thread which states that you'll get this error when the activity is not exported. Be noted that the activity has to be exported to be accessible from adb.
Also, based from this SO post, you have to add the following to your android manifest: <action android:name="com.google.firebase.INSTANCE_ID_EVENT"/> or maybe the problem was that the onTokenRefresh() method was not called when the app was starting. Try calling FirebaseInstanceId.getInstance().getToken() in the MainActivity and see if it works.
I'm trying to set up the user mapping on SonarQube (Latest) so it can fetch the organizational structure from LDAP.
I already installed the LDAP plugin on Sonar (1.5.1), and created a minimal configuration to connect the two:
# General Configuration
sonar.security.realm=LDAP
ldap.url=ldap://ldap:389
# User Mapping
ldap.user.baseDn=ou=users,ou=udd,dc=example,dc=com
ldap.user.request=(&(objectClass=inetOrgPerson)(uid={uid}))
ldap.user.realNameAttribute=cn
ldap.user.emailAttribute=mail
All my users are under the example.com domain:
But then, as I try to login to Sonar using the LDAP entries I get the following error on the logs:
Error from external users provider: exception Java::OrgSonarApiUtils::SonarException: Unable to retrieve details for user dev1 in <default>
Which is pretty frustrating, since all those properties are configured on the configuration file above.
Any ideas about the source of this issue?
EDIT:
I found this when I increased the log depth to DEBUG:
2016.01.25 05:54:27 DEBUG web[o.s.p.l.LdapContextFactory] Initializing LDAP context {java.naming.provider.url=ldap://ldap:389, java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, com.sun.jndi.ld
ap.connect.pool=true, java.naming.security.authentication=simple, java.naming.referral=follow}
2016.01.25 05:54:27 DEBUG web[o.s.p.l.LdapUsersProvider] integer expected inside {}: (&(objectClass=inetOrgPerson)(uid={uid}))
javax.naming.directory.InvalidSearchFilterException: integer expected inside {}: (&(objectClass=inetOrgPerson)(uid={uid}))
at com.sun.jndi.toolkit.dir.SearchFilter.format(SearchFilter.java:602) ~[na:1.7.0_95]
at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1785) ~[na:1.7.0_95]
...
I don't see why is an integer supposed to be expected between the {}'s, and that doesn't make much sense compared to my LDAP structure.
Try to set ldap.user.request to (&(objectClass=inetOrgPerson)(uid={login}) (instead of using (uid={uid})).
Details:
The LDAP Plugin does not recognise {uid} and therefore doesn't know what to do with it. It then passes it to the LDAP javax.naming API, which chokes on this. This behaviour is made explicit at SonarQube startup (logs in my case):
INFO web[o.s.p.l.LdapSettingsManager] User mapping: LdapUserMapping{baseDn=cn=employees,dc=example,dc=org, request=(&(objectClass=inetOrgPerson)(uid={uid})), realNameAttribute=cn, emailAttribute=mail}
Using {login} instead (keyword shown in the documented default values) will let the LDAP Plugin build a well-formed request with a {0}:
INFO web[o.s.p.l.LdapSettingsManager] User mapping: LdapUserMapping{baseDn=cn=employees,dc=example,dc=org, request=(&(objectClass=inetOrgPerson)(uid={0})), realNameAttribute=cn, emailAttribute=mail}
The javax.naming API will then replace this {0} by a parameter which SonarQube will set to the actual username value you fill in the login form.