overriding policy.xml on docker - ruby-on-rails-3

I was following the link https://help.heroku.com/RFDJQSG3/how-can-i-override-imagemagick-settings-in-a-policy-xml-file to override the default policy.xml of MiniMagick, but it is not happening.
Steps taken by me:
I created a .magic/policy.xml in my root_path.
In my environment I set "MAGICK_CONFIGURE_PATH" => "/app/.magick/:/etc/ImageMagick-6/",
but still, when I try `identify -list policy`,
I still get this result:
Path: /etc/ImageMagick-6/policy.xml
  Policy: undefined
    rights: None
  Policy: Coder
    rights: None
    pattern: EPHEMERAL
  Policy: Coder
    rights: None
    pattern: URL
  Policy: Coder
    rights: None
    pattern: HTTPS
  Policy: Coder
    rights: None
    pattern: MVG
  Policy: Coder
    rights: None
    pattern: MSL
  Policy: Coder
    rights: None
    pattern: TEXT
  Policy: Coder
    rights: None
    pattern: SHOW
  Policy: Coder
    rights: None
    pattern: WIN
  Policy: Coder
    rights: None
    pattern: PLT
  Policy: Path
    rights: None
    pattern: @*

Path: [built-in]
  Policy: Undefined
    rights: None
It is not getting overridden.

If the user/app policies are not being listed, it's usually a simple XML error, and ImageMagick is silently skipping the policy.xml file.
Sometimes the full XML header is needed:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE policymap [
<!ELEMENT policymap (policy)+>
<!ELEMENT policy (#PCDATA)>
<!ATTLIST policy domain (delegate|coder|filter|path|resource) #IMPLIED>
<!ATTLIST policy name CDATA #IMPLIED>
<!ATTLIST policy rights CDATA #IMPLIED>
<!ATTLIST policy pattern CDATA #IMPLIED>
<!ATTLIST policy value CDATA #IMPLIED>
]>
<policymap>
<!-- ... -->
</policymap>
Also, the environment variable can just be:
MAGICK_CONFIGURE_PATH=/app/.magick
The "/etc/ImageMagick-6/" path is system-level configuration and is defined at compile time.
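The silent-skip behaviour described in this answer is easy to check for before deploying: parse the candidate policy.xml yourself, since ImageMagick will not tell you when it rejects it. The script below is an added example, not code from the original post or from ImageMagick; the three policy documents it checks are constructed here, and the list of coders it expects an override to keep denying is taken from the system policy shown in the question's `identify -list policy` output (an assumption about what the override should preserve).

```python
import xml.etree.ElementTree as ET

# Coders denied by the distribution's default /etc/ImageMagick-6/policy.xml
# shown in the question's `identify -list policy` output.  Assumption: any
# override should keep denying these.
RISKY_CODERS = ("EPHEMERAL", "URL", "HTTPS", "MVG", "MSL", "TEXT", "SHOW", "WIN", "PLT")

# The full header the answer recommends (document type definition included).
POLICY_HEADER = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE policymap [
<!ELEMENT policymap (policy)+>
<!ELEMENT policy (#PCDATA)>
<!ATTLIST policy domain (delegate|coder|filter|path|resource) #IMPLIED>
<!ATTLIST policy name CDATA #IMPLIED>
<!ATTLIST policy rights CDATA #IMPLIED>
<!ATTLIST policy pattern CDATA #IMPLIED>
<!ATTLIST policy value CDATA #IMPLIED>
]>
"""

# Constructed candidates for /app/.magick/policy.xml.
GOOD_POLICY = POLICY_HEADER + "<policymap>\n" + "".join(
    '  <policy domain="coder" rights="none" pattern="%s"/>\n' % c for c in RISKY_CODERS
) + '  <policy domain="resource" name="memory" value="512MiB"/>\n</policymap>\n'

# Denies only two coders: parses fine, but leaves the others enabled.
PARTIAL_POLICY = POLICY_HEADER + """<policymap>
  <policy domain="coder" rights="none" pattern="MVG"/>
  <policy domain="coder" rights="none" pattern="MSL"/>
</policymap>
"""

# Missing the "/" on a self-closing element: ImageMagick skips the whole file.
BAD_POLICY = POLICY_HEADER + """<policymap>
  <policy domain="coder" rights="none" pattern="MVG">
</policymap>
"""


def parse_policy(xml_text):
    """Return (domain, rights, pattern-or-name) tuples; raise on malformed XML."""
    root = ET.fromstring(xml_text)
    if root.tag != "policymap":
        raise ValueError("root element must be <policymap>, got <%s>" % root.tag)
    return [(el.get("domain"), el.get("rights"), el.get("pattern") or el.get("name"))
            for el in root.iter("policy")]


def check_policy(xml_text):
    """Classify a candidate policy.xml.

    ImageMagick never reports a parse error: a malformed file is skipped and the
    compiled-in system policy stays in force.  This returns ("skipped", reason)
    in that case, otherwise ("ok", risky_coders_left_enabled).
    """
    try:
        policies = parse_policy(xml_text)
    except (ET.ParseError, ValueError) as exc:
        return ("skipped", str(exc))
    denied = {pat for dom, rights, pat in policies
              if dom == "coder" and (rights or "").lower() == "none"}
    return ("ok", [c for c in RISKY_CODERS if c not in denied])


if __name__ == "__main__":
    for name, text in (("good", GOOD_POLICY), ("partial", PARTIAL_POLICY), ("bad", BAD_POLICY)):
        print(name, check_policy(text))
```

Run it against the file you are about to mount; a "skipped" result is exactly the case where `identify -list policy` keeps showing only the system path, and a non-empty "ok" list means the override parses but loosens the defaults.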

*.aclpolicy file not working - Auth using Active Directory

Summarizing my environment:
Running Rundeck (3.3.11) on a Kubernetes cluster.
Dedicated MariaDB database connected via JDBC connector.
Configured Active Directory via JAAS using the RUNDECK_JAAS_LDAP_* variables; auth is working, I can log on using my AD user.
Configured the ACL policy template using a K8s Secret, like in this Zoo sample:
volumeMounts:
  - name: aclpolicy
    mountPath: /home/rundeck/etc/rundeck-adm.aclpolicy
    subPath: rundeck-adm.aclpolicy
volumes:
  - name: aclpolicy
    secret:
      secretName: rundeck-adm-policy
      items:
        - key: rundeck-admin-role.yaml
          path: rundeck-adm.aclpolicy
Variables exported to Rundeck Pod:
RUNDECK_JAAS_MODULES_0=JettyCombinedLdapLoginModule
RUNDECK_JAAS_LDAP_USERBASEDN=OU=Users,OU=MYBRAND,DC=corp,DC=MYDOMAIN
RUNDECK_JAAS_LDAP_ROLEBASEDN=OU=RundeckRoles,OU=Users,OU=MYBRAND,DC=corp,DC=MYDOMAIN
RUNDECK_JAAS_LDAP_FLAG=sufficient
RUNDECK_JAAS_LDAP_BINDDN=myrundeckuser@mybrand.mydomain
RUNDECK_JAAS_LDAP_BINDPASSWORD=foo
In my MS Active Directory the structure is:
- mybrand.mydomain
  - MYBRAND
    - Users
      - RundeckRoles
        - rundeck-adm (group with my user associated)
After I log in, it returns this screen:
EDIT 1:
My rundeck-admin-role.yaml:
description: Admin project level access control. Applies to resources within a specific project.
context:
  project: '.*' # all projects
for:
  resource:
    - equals:
        kind: job
      allow: [create] # allow create jobs
    - equals:
        kind: node
      allow: [read,create,update,refresh] # allow refresh node sources
    - equals:
        kind: event
      allow: [read,create] # allow read/create events
  adhoc:
    - allow: [read,run,runAs,kill,killAs] # allow running/killing adhoc jobs
  job:
    - allow: [create,read,update,delete,run,runAs,kill,killAs] # allow create/read/write/delete/run/kill of all jobs
  node:
    - allow: [read,run] # allow read/run for nodes
by:
  group: rundeck-adm
---
description: Admin Application level access control, applies to creating/deleting projects, admin of user profiles, viewing projects and reading system information.
context:
  application: 'rundeck'
for:
  resource:
    - equals:
        kind: project
      allow: [create] # allow create of projects
    - equals:
        kind: system
      allow: [read,enable_executions,disable_executions,admin] # allow read of system info, enable/disable all executions
    - equals:
        kind: system_acl
      allow: [read,create,update,delete,admin] # allow modifying system ACL files
    - equals:
        kind: user
      allow: [admin] # allow modify user profiles
  project:
    - match:
        name: '.*'
      allow: [read,import,export,configure,delete,admin] # allow full access of all projects or use 'admin'
  project_acl:
    - match:
        name: '.*'
      allow: [read,create,update,delete,admin] # allow modifying project-specific ACL files
  storage:
    - allow: [read,create,update,delete] # allow access for /ssh-key/* storage content
by:
  group: rundeck-adm
Can someone help me find my mistake?
Guys, I found the trouble!
I was missing the variables RUNDECK_JAAS_LDAP_ROLEMEMBERATTRIBUTE and RUNDECK_JAAS_LDAP_ROLEOBJECTCLASS; by default, if you don't declare them, Rundeck assumes other values.
After I applied these vars and re-deployed my Rundeck Pod, my access using my AD account works.
To help the community, I'm making available the list of vars that I used in my deployment:
"JVM_MAX_RAM_PERCENTAGE"
"RUNDECK_DATABASE_URL"
"RUNDECK_DATABASE_DRIVER"
"RUNDECK_DATABASE_USERNAME"
"RUNDECK_DATABASE_PASSWORD"
"RUNDECK_LOGGING_AUDIT_ENABLED"
"RUNDECK_JAAS_MODULES_0"
"RUNDECK_JAAS_LDAP_FLAG"
"RUNDECK_JAAS_LDAP_PROVIDERURL"
"RUNDECK_JAAS_LDAP_BINDDN"
"RUNDECK_JAAS_LDAP_BINDPASSWORD"
"RUNDECK_JAAS_LDAP_USERBASEDN"
"RUNDECK_JAAS_LDAP_ROLEBASEDN"
"RUNDECK_GRAILS_URL"
"RUNDECK_SERVER_FORWARDED"
"RUNDECK_JAAS_LDAP_USERRDNATTRIBUTE"
"RUNDECK_JAAS_LDAP_USERIDATTRIBUTE"
"RUNDECK_JAAS_LDAP_ROLEMEMBERATTRIBUTE"
The JAAS plugin that I used was JettyCombinedLdapLoginModule.
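Why those two variables matter is easier to see by replaying the role search the login module performs. The script below is an added example, not code from the original post or from Rundeck: it builds the group-membership filter from the role settings, runs it against a small constructed stand-in for the AD subtree, and shows that with the module's defaults no group is found, so `by: group: rundeck-adm` in the ACL policy never matches even though the password bind succeeded. The default values are assumed to be those documented for Jetty's LDAP login module (groupOfUniqueNames / uniqueMember / roleName); your image's JAAS template may substitute its own, so confirm there. The variable RUNDECK_JAAS_LDAP_ROLENAMEATTRIBUTE and the test user DN are assumptions of this example.

```python
# Role-lookup defaults of Jetty's LDAP login module, which Rundeck's modules extend
# (assumption: taken from the module's documented defaults; your image's jaas
# template may substitute its own, so confirm there).
JETTY_DEFAULTS = {
    "roleObjectClass": "groupOfUniqueNames",
    "roleMemberAttribute": "uniqueMember",
    "roleNameAttribute": "roleName",
}

# Container environment variables and the module setting each one fills in.
# RUNDECK_JAAS_LDAP_ROLENAMEATTRIBUTE is assumed to exist alongside the two named in the answer.
ENV_TO_SETTING = {
    "RUNDECK_JAAS_LDAP_ROLEOBJECTCLASS": "roleObjectClass",
    "RUNDECK_JAAS_LDAP_ROLEMEMBERATTRIBUTE": "roleMemberAttribute",
    "RUNDECK_JAAS_LDAP_ROLENAMEATTRIBUTE": "roleNameAttribute",
}

# What an Active Directory deployment needs.
AD_ENV = {
    "RUNDECK_JAAS_LDAP_ROLEOBJECTCLASS": "group",
    "RUNDECK_JAAS_LDAP_ROLEMEMBERATTRIBUTE": "member",
    "RUNDECK_JAAS_LDAP_ROLENAMEATTRIBUTE": "cn",
}

ROLE_BASE_DN = "OU=RundeckRoles,OU=Users,OU=MYBRAND,DC=corp,DC=MYDOMAIN"
USER_DN = "CN=jdoe,OU=Users,OU=MYBRAND,DC=corp,DC=MYDOMAIN"   # constructed test user

# Constructed stand-in for the AD subtree: two groups, both listing the user as a
# member, only one of them under roleBaseDn.
DIRECTORY = [
    {"dn": "CN=rundeck-adm," + ROLE_BASE_DN,
     "objectClass": ["top", "group"], "cn": ["rundeck-adm"], "member": [USER_DN]},
    {"dn": "CN=Domain Users,OU=Users,OU=MYBRAND,DC=corp,DC=MYDOMAIN",
     "objectClass": ["top", "group"], "cn": ["Domain Users"], "member": [USER_DN]},
]


def settings_from_env(env):
    """Resolve the role settings as the container does: env var when set, else the module default."""
    settings = dict(JETTY_DEFAULTS)
    for var, key in ENV_TO_SETTING.items():
        if env.get(var):
            settings[key] = env[var]
    return settings


def role_search_filter(settings, user_dn):
    """The search filter the module issues under roleBaseDn to collect the user's groups."""
    return "(&(objectClass=%s)(%s=%s))" % (
        settings["roleObjectClass"], settings["roleMemberAttribute"], user_dn)


def resolve_roles(settings, user_dn, directory=DIRECTORY, role_base_dn=ROLE_BASE_DN):
    """Run that search against the in-memory directory and return the role names found."""
    want_class = settings["roleObjectClass"].lower()
    member_attr = settings["roleMemberAttribute"]
    name_attr = settings["roleNameAttribute"]
    roles = []
    for entry in directory:
        if not entry["dn"].lower().endswith("," + role_base_dn.lower()):
            continue                                   # outside the subtree scope
        if want_class not in [c.lower() for c in entry.get("objectClass", [])]:
            continue                                   # objectClass term of the filter fails
        if user_dn.lower() not in [m.lower() for m in entry.get(member_attr, [])]:
            continue                                   # membership attribute absent or no match
        roles.extend(entry.get(name_attr, []))
    return sorted(roles)


if __name__ == "__main__":
    for label, env in (("defaults", {}), ("AD settings", AD_ENV)):
        s = settings_from_env(env)
        print(label, role_search_filter(s, USER_DN), "->", resolve_roles(s, USER_DN))
```

A quick way to confirm the same thing against the real directory is to run the filter the script prints with `ldapsearch -b "$ROLE_BASE_DN"` using the bind account: an empty result for the default filter and a hit for the AD one reproduces the symptom without touching Rundeck.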

DynamoDB and Serverless: not authorized to perform: dynamodb:Query on resource

I'm getting this error:
"message": "User: arn:aws:sts::XXXXX:assumed-role/lambda-my-account-dev-us-east-2-lambdaRole/lambda-my-account-dev-my-account is not authorized to perform: dynamodb:Query on resource: arn:aws:dynamodb:us-east-2:XXXX:table/dev-app-transactions/index/transactionsByUserId",
I'm confused about giving permissions on the table. In serverless.yml I have:
service: lambda-my-account
provider:
  name: aws
  runtime: nodejs12.x
  region: ${opt:region, 'us-east-2'}
  stage: ${opt:stage, 'dev'}
  tags:
    datadog: ${self:provider.stage}
  environment:
    # some environment variables
  iamRoleStatements:
    - Effect: Allow
      Action:
        - logs:CreateLogGroup
        - logs:CreateLogStream
        - logs:PutLogEvents
      Resource: "arn:aws:logs:*:*:*"
    - Effect: Allow
      Action:
        - dynamodb:Query
      Resource:
        - "arn:aws:dynamodb:${self:provider.region}:*:table/${self:provider.environment.DYNAMODB_TABLE_TRANSACTIONS}"
# rest of file
Why am I getting that error?
Is there anything in resources that I haven't configured? I think the problem is with the index of that table. I made it by hand in the AWS console, but I'm not sure if I need to configure it here in the serverless.yml file too.
You also need to give your role dynamodb:Query permission on the index itself. You can add a resource statement like:
"arn:aws:dynamodb:${self:provider.region}:*:table/${self:provider.environment.DYNAMODB_TABLE_TRANSACTIONS}/index/transactionsByUserId" to the iamRoleStatements section.
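The reason the table ARN alone is not enough is that IAM matches the resource string literally (with `*` and `?` as the only wildcards), and a secondary index is a distinct ARN under the table. The evaluator below is an added example, not code from the original post, from Serverless or from AWS: it implements the identity-policy rules that matter here (explicit deny, then allow, otherwise implicit deny; actions compared case-insensitively, ARNs case-sensitively) and runs the question's two statements, the answer's fix and a table-scoped `index/*` variant against the table and index ARNs. The account id is a constructed placeholder, and conditions, NotAction/NotResource and resource-based policies are deliberately left out.

```python
import re

# ARNs with the serverless variables expanded (constructed account id).
TABLE_ARN = "arn:aws:dynamodb:us-east-2:123456789012:table/dev-app-transactions"
INDEX_ARN = TABLE_ARN + "/index/transactionsByUserId"


def _glob_to_regex(pattern):
    """IAM wildcard semantics: '*' is any run of characters (it does cross '/'), '?' one character."""
    return "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"


def _matches(pattern, value, ignore_case):
    return re.match(_glob_to_regex(pattern), value, re.IGNORECASE if ignore_case else 0) is not None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_authorized(statements, action, resource):
    """Simplified identity-policy evaluation: an explicit Deny wins, otherwise any
    matching Allow grants, otherwise implicit deny.  Actions match case-insensitively,
    resource ARNs case-sensitively.  Conditions, NotAction/NotResource and
    resource-based policies are not modelled."""
    allowed = False
    for st in statements:
        action_hit = any(_matches(a, action, True) for a in _as_list(st.get("Action", [])))
        resource_hit = any(_matches(r, resource, False) for r in _as_list(st.get("Resource", [])))
        if not (action_hit and resource_hit):
            continue
        if st["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


LOGS_STATEMENT = {"Effect": "Allow",
                  "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"],
                  "Resource": "arn:aws:logs:*:*:*"}

# As in the question: Query granted on the table ARN only.
ORIGINAL = [LOGS_STATEMENT,
            {"Effect": "Allow", "Action": ["dynamodb:Query"], "Resource": [TABLE_ARN]}]

# The answer's fix: name the index ARN as well.
FIXED = [LOGS_STATEMENT,
         {"Effect": "Allow", "Action": ["dynamodb:Query"], "Resource": [TABLE_ARN, INDEX_ARN]}]

# Broader but still scoped to this one table: every index of it.
FIXED_ALL_INDEXES = [LOGS_STATEMENT,
                     {"Effect": "Allow", "Action": ["dynamodb:Query"],
                      "Resource": [TABLE_ARN, TABLE_ARN + "/index/*"]}]


if __name__ == "__main__":
    for name, policy in (("original", ORIGINAL), ("fixed", FIXED), ("all indexes", FIXED_ALL_INDEXES)):
        print(name, "table:", is_authorized(policy, "dynamodb:Query", TABLE_ARN),
              "index:", is_authorized(policy, "dynamodb:Query", INDEX_ARN))
```

Prefer the explicit index ARN or `table/<name>/index/*` over widening to `table/*`: the latter covers every table in the account, which is more than the function needs.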

Kubernetes cluster role admin not able to get deployment status

I have the following role:
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: admin
When I do `kubectl proxy --port 8080` and then try
http://127.0.0.1:8080/apis/extensions/v1beta1/namespaces/cdp/deployments/{deploymentname}
I get a 200 and everything works fine. However, when I do:
http://127.0.0.1:8080/apis/extensions/v1beta1/namespaces/cdp/deployments/{deploymentname}/status
I get forbidden and a 403 status back.
I am also able to do get, create, list, watch on deployments with my admin role.
Any idea as to why /status would give forbidden when I clearly have all the necessary permissions as admin for my namespace?
You mentioned the verbs of the role but you didn't mention resources and apiGroups. Make sure the following are set:
- apiGroups:
    - apps
    - extensions
  resources:
    - deployments/status
The status subresource doesn't give you any more information than simply fetching the deployment.
The admin role permissions do not let you write deployment status. They let you create and delete the deployment objects, controlling the "spec" portion of the object. Status modification permissions are granted to the deployment controller.
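The 403 comes from how the RBAC authorizer matches resources: a rule naming `deployments` matches the object, while `/status` is a separate subresource that only matches a rule naming `deployments/status`, `*/status` or `*`. The script below is an added example, not code from the original post or from Kubernetes: it maps the two proxy URLs from the question to the (apiGroup, resource, verb) triple RBAC sees and evaluates them against the deployments rule as the built-in edit/admin roles carry it (reproduced from memory; verify with `kubectl get clusterrole admin -o yaml`) with and without the answer's extra rule. Only single-object requests are modelled; list, watch and deletecollection are not.

```python
# Verbs an API server assigns to single-object HTTP methods (list/watch/deletecollection not modelled).
_METHOD_TO_VERB = {"GET": "get", "PUT": "update", "PATCH": "patch", "DELETE": "delete", "POST": "create"}


def request_from_path(path, method="GET"):
    """Turn a namespaced API URL into the (apiGroup, resource[/subresource], verb) RBAC sees.

    /apis/extensions/v1beta1/namespaces/cdp/deployments/app/status
        -> ("extensions", "deployments/status", "get")
    """
    parts = path.strip("/").split("/")
    if parts[0] == "apis":          # /apis/<group>/<version>/namespaces/<ns>/<resource>/<name>[/<sub>]
        group, idx = parts[1], 5
    else:                           # /api/v1/namespaces/<ns>/<resource>/<name>[/<sub>]  (core group)
        group, idx = "", 4
    resource = parts[idx]
    sub = parts[idx + 2] if len(parts) > idx + 2 else ""
    return (group, resource + ("/" + sub if sub else ""), _METHOD_TO_VERB[method])


def rule_matches(rule, api_group, resource, verb):
    """Match one PolicyRule the way the RBAC authorizer does.

    apiGroups/verbs: "*" or an exact entry.  resources: "*", an exact entry, or,
    when the request names a subresource, "*/<subresource>".  A plain
    "deployments" entry therefore never covers "deployments/status".
    """
    groups = rule.get("apiGroups", [])
    if "*" not in groups and api_group not in groups:
        return False
    verbs = rule.get("verbs", [])
    if "*" not in verbs and verb not in verbs:
        return False
    _, _, sub = resource.partition("/")
    for r in rule.get("resources", []):
        if r == "*" or r == resource:
            return True
        if sub and r == "*/" + sub:
            return True
    return False


def allowed(rules, api_group, resource, verb):
    """A request is allowed if any rule of the bound role matches it."""
    return any(rule_matches(r, api_group, resource, verb) for r in rules)


# The deployments rule as the built-in edit/admin roles carry it (reproduced from
# memory; confirm with `kubectl get clusterrole admin -o yaml` on your cluster).
ADMIN_DEPLOYMENT_RULES = [{
    "apiGroups": ["apps", "extensions"],
    "resources": ["deployments", "deployments/rollback", "deployments/scale"],
    "verbs": ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"],
}]

# The extra rule from the answer, bound alongside it; "get" only, since status
# writes belong to the deployment controller.
STATUS_RULE = {"apiGroups": ["apps", "extensions"], "resources": ["deployments/status"], "verbs": ["get"]}


if __name__ == "__main__":
    for url in ("/apis/extensions/v1beta1/namespaces/cdp/deployments/app",
                "/apis/extensions/v1beta1/namespaces/cdp/deployments/app/status"):
        req = request_from_path(url)
        print(url, "admin:", allowed(ADMIN_DEPLOYMENT_RULES, *req),
              "admin+status:", allowed(ADMIN_DEPLOYMENT_RULES + [STATUS_RULE], *req))
```

On a live cluster the same question is answered by `kubectl auth can-i get deployments --subresource=status -n cdp`; the script is for reasoning about a rule set offline.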

Rundeck: http error 500: when logging in as admin

I've been trying to set up a Rundeck server but have run into several issues: either the authentication provided doesn't give full access to projects, or, when I've tried to modify the config files, it then fails to authenticate as shown below.
HTTP ERROR: 500
Problem accessing /user/j_security_check. Reason:
java.io.IOException: Configuration Error:
No such file or directory
My jaas-loginmodule.conf looks like this:
    com.dtolabs.rundeck.jetty.jaas.JettyCachingLdapLoginModule sufficient
        debug="true"
        contextFactory="com.sun.jndi.ldap.LdapCtxFactory"
        providerUrl="ldaps://sb2sys3.derivatives.com"
        bindDn="uid=svldap,cn=users,cn=accounts,dc=derivatives,dc=com"
        bindPassword="T0wR0pe!"
        authenticationMethod="simple"
        forceBindingLoginUseRootContextForRoles="true"
        forceBindingLogin="true"
        userBaseDn="cn=users,cn=accounts,dc=derivatives,dc=com"
        userRdnAttribute="uid"
        userIdAttribute="uid"
        userPasswordAttribute="userPassword"
        userObjectClass="inetOrgPerson"
        roleBaseDn="cn=groups,cn=accounts,dc=derivatives,dc=com"
        roleNameAttribute="cn"
        roleMemberAttribute="member"
        roleObjectClass="groupOfNames"
        cacheDurationMillis="300000"
        supplementalRoles="user"
        reportStatistics="true";

    org.eclipse.jetty.jaas.spi.PropertyFileLoginModule required
        debug="true"
        file="/etc/rundeck/realm.properties";
};
I've also edited the realm.properties file to have a user with the role admin, which is also changed in the web.xml.
The current admin.aclpolicy looks like this:
description: Admin, all access.
context:
  project: '.*' # all projects
for:
  resource:
    - allow: '*' # allow read/create all kinds
  adhoc:
    - allow: '*' # allow read/running/killing adhoc jobs
  job:
    - allow: '*' # allow read/write/delete/run/kill of all jobs
  node:
    - allow: '*' # allow read/run for all nodes
by:
  group: admin
---
description: Admin, all access.
context:
  application: 'rundeck'
for:
  resource:
    - allow: '*' # allow create of projects
  project:
    - allow: '*' # allow view/admin of all projects
  project_acl:
    - allow: '*' # allow admin of all project-level ACL policies
  storage:
    - allow: '*' # allow read/create/update/delete for all /keys/* storage content
by:
  group: admin
The error you are receiving appears to be related to the JAAS_CONF variable.
I managed to reproduce the exact 500 error on an rpm installation on CentOS 7.
By commenting out the JAAS_CONF variable in /etc/rundeck/profile and, if you have set it, /etc/sysconfig/rundeckd or /etc/default/rundeckd, the error shows an empty java.io.IOException with "Configuration Error: No such file or directory", so it is possible that a typo in those files is affecting the authentication.
I would advise you to perform a complete check of those files in order to verify that everything is in order.
Hope it helps.

Symfony 2 receiving anonymous token after basic authentication

I have a Symfony 2 app using the basic in_memory authentication (as described in the security documentation). The login works fine in our development environment(s). But on the staging server, the basic authentication doesn't seem to provide a proper token (as seen in the log file provided below); thus we keep getting the login popup again and again.
Our security configuration:
security:
    firewalls:
        secured_area:
            pattern: ^/
            anonymous: ~
            http_basic:
                realm: "Secured Demo Area"
    access_control:
        - { path: ^/admin, roles: [ROLE_ADMIN] }
    providers:
        in_memory:
            users:
                admin: { password: admin, roles: 'ROLE_ADMIN' }
    encoders:
        Symfony\Component\Security\Core\User\User: plaintext
This is the log output from the (successful) development environment login:
[2011-07-21 13:49:48] security.DEBUG: Read SecurityContext from the session [] []
[2011-07-21 13:49:48] security.DEBUG: Reloading user from user provider. [] []
[2011-07-21 13:49:48] security.DEBUG: Username "root" was reloaded from user provider. [] []
And this is the log output from the staging environment login:
[2011-07-21 13:53:08] security.INFO: Populated SecurityContext with an anonymous Token [] []
[2011-07-21 13:53:08] security.DEBUG: Access denied (user is not fully authenticated); redirecting to authentication entry point [] []
[2011-07-21 13:53:08] security.DEBUG: Calling Authentication entry point [] []
Thanks in advance for the help.
Your dev environment is probably running PHP as mod_php while your staging server is probably running it as FastCGI. By default, the PHP_AUTH_USER and PHP_AUTH_PW server variables are not filled in this context when you authenticate via HTTP Basic, and these are what Symfony uses to create the security context and validate your password.
If you're running this as FCGI on Apache you can fix this. One way is to force FastCGI to pass the Authorization header, which it normally suppresses. Add this to the Apache site definition next to the other FastCGI configuration options:
FcgidPassHeader Authorization
For other applications you may also need to do more (as described here), but for Symfony just passing the header should be sufficient.
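What the web server does for you under mod_php, and what is missing under FastCGI, is the step from the Authorization header to PHP_AUTH_USER / PHP_AUTH_PW. The function below is an added example, not code from the original post, from Symfony or from PHP: it performs that derivation over a CGI-style environment dict and returns None whenever the header is absent or unusable, which is the case in which the firewall falls back to the anonymous token seen in the staging log. The sample headers are constructed.

```python
import base64
import binascii


def php_auth_from_environ(environ):
    """Derive PHP_AUTH_USER / PHP_AUTH_PW from an `Authorization: Basic` header the way
    Apache with mod_php does.  Returns None when the header is absent (the FastCGI
    case without FcgidPassHeader) or malformed, so the caller treats the request as
    unauthenticated instead of guessing.
    """
    header = environ.get("HTTP_AUTHORIZATION")
    if not header:
        return None
    scheme, _, param = header.partition(" ")
    if scheme.lower() != "basic" or not param.strip():
        return None                      # Bearer, Digest or an empty credential: not ours
    try:
        decoded = base64.b64decode(param.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None                      # not base64, or not text once decoded
    if ":" not in decoded:
        return None                      # RFC 7617 requires user-id ":" password
    user, _, password = decoded.partition(":")   # password itself may contain ':'
    return {"PHP_AUTH_USER": user, "PHP_AUTH_PW": password}


if __name__ == "__main__":
    # Constructed headers: "admin:admin" from the question's config, one with a ':' in the
    # password, and the FastCGI situation where the header never arrives.
    for env in ({"HTTP_AUTHORIZATION": "Basic YWRtaW46YWRtaW4="},
                {"HTTP_AUTHORIZATION": "Basic Ym9iOnA6dw=="},
                {}):
        print(env, "->", php_auth_from_environ(env))
```

Where FcgidPassHeader is not available, the same header can be surfaced to PHP through mod_rewrite with `RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]`, and the application then has to do this decoding itself, which is the extra work the answer alludes to for other frameworks.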