Cognito authentication from filebeat - filebeat

I added security to AWS Kibana using this blog. Kibana is now secure and I have to log in with a user from the user pool. But now Filebeat can't write to the Elasticsearch endpoint anymore. I tried adding the username and password to the Filebeat config, but I still get Failed to connect: 403 Forbidden. If I remove Cognito authentication, Filebeat can write again.
Any help on this would be appreciated.

Filebeat doesn't have an option for anything other than Basic Auth, so it isn't possible to configure it in a way that works for AWS Kibana. We went around this issue by whitelisting the IP address of the machine on the access policy of our Kibana instance.
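The IP whitelist described in the answer above, as an added example that is not the poster's configuration or AWS's own policy code: the domain access policy keeps the role that Cognito-authenticated Kibana users assume and adds a second statement allowing unsigned requests only from the shipping host's address via the aws:SourceIp condition, plus a small evaluator for that condition. The account id, region, domain name, role name and CIDRs are placeholders.

```python
"""Added example (not the poster's setup or AWS's own policy code): an
Amazon Elasticsearch Service access policy that keeps the Cognito
authenticated role for Kibana users and adds an IP-restricted anonymous
statement for a Basic-auth-only client such as Filebeat, plus a small
evaluator for the IpAddress / aws:SourceIp condition.  Account id,
region, domain name, role name and CIDRs are placeholders."""
import ipaddress
import json

ACCOUNT_ID = "123456789012"                                        # placeholder
DOMAIN_ARN = f"arn:aws:es:us-east-1:{ACCOUNT_ID}:domain/logs/*"    # placeholder
COGNITO_AUTH_ROLE = f"arn:aws:iam::{ACCOUNT_ID}:role/Cognito_KibanaAuth_Role"  # placeholder


def access_policy(shipper_cidrs):
    """Build the domain access policy.

    Statement 1 lets the role that Cognito-authenticated Kibana users
    assume call the domain.  Statement 2 lets anonymous (unsigned)
    requests through only when aws:SourceIp is inside one of the given
    CIDRs.  Anything else is implicitly denied, which is the 403 the
    Basic-auth Filebeat request received.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": COGNITO_AUTH_ROLE},
                "Action": "es:*",
                "Resource": DOMAIN_ARN,
            },
            {
                "Effect": "Allow",
                "Principal": {"AWS": "*"},
                "Action": "es:*",
                "Resource": DOMAIN_ARN,
                "Condition": {"IpAddress": {"aws:SourceIp": list(shipper_cidrs)}},
            },
        ],
    }


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def _is_anonymous(principal):
    return principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*")


def anonymous_allowed(policy, source_ip, action="es:ESHttpPost"):
    """Return True if an unsigned request from source_ip is allowed.

    Covers only the subset of the policy language used above: Allow
    statements whose principal is "*", an action of es:* or an exact
    match, and an optional IpAddress / aws:SourceIp condition.
    """
    ip = ipaddress.ip_address(source_ip)
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
            continue
        if not any(a in ("es:*", action) for a in _as_list(stmt.get("Action", []))):
            continue
        condition = stmt.get("Condition")
        if not condition:
            return True  # unconditional anonymous access: never ship this
        cidrs = _as_list(condition.get("IpAddress", {}).get("aws:SourceIp", []))
        if any(ip in ipaddress.ip_network(c, strict=False) for c in cidrs):
            return True
    return False


def open_to_world(policy):
    """True if some statement grants anonymous access with no condition."""
    return any(
        stmt.get("Effect") == "Allow"
        and _is_anonymous(stmt.get("Principal"))
        and not stmt.get("Condition")
        for stmt in policy["Statement"]
    )


if __name__ == "__main__":
    policy = access_policy(["203.0.113.10/32"])   # placeholder: the Filebeat host
    print(json.dumps(policy, indent=2))
    print(anonymous_allowed(policy, "203.0.113.10"), anonymous_allowed(policy, "198.51.100.7"))
```

Keep the CIDR as tight as the shipper's network allows (a /32 for a fixed host); the unsigned statement trusts the source address alone, so anything behind the same NAT gets the same write access.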

Related

Is it possible to use openid users as minio users?

I checked the MinIO guide for connecting to an OpenID identity provider, and finally I connected to the MinIO console window with Keycloak service users, but I failed to use the same username and password in the API and execute the show-bucket request through Postman.
Is there a way to define a user's OpenID and allow access to all MinIO features for that user?
I tried to fix the problem with different OpenID services like Okta, Keycloak and Google, but I didn't succeed.
You first need to get temporary tokens after the OpenID handshake for your users. Once you have the STS (session) tokens, you can use them to make S3 API calls.
Read https://github.com/minio/minio/tree/master/docs/sts on how to do it programmatically.
Edit: More detailed documentation is available now at https://min.io/docs/minio/linux/administration/identity-access-management.html
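The token exchange the answer above refers to, as an added example that is not MinIO's own code: the OpenID Connect ID token obtained after the OIDC handshake is posted to MinIO's STS API (AssumeRoleWithWebIdentity), the temporary credentials are parsed out of the XML reply, and they are turned into the keyword arguments an S3 client needs, session token included. The MinIO URL and the ID token are placeholders, and SAMPLE_RESPONSE is a constructed STS reply so the parsing runs offline.

```python
"""Added example, not MinIO's own code: exchange an OIDC ID token for
temporary S3 credentials via MinIO's STS AssumeRoleWithWebIdentity call
and build the S3 client arguments from the result.  MinIO URL and ID
token are placeholders; SAMPLE_RESPONSE is a constructed STS reply."""
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

STS_NS = "{https://sts.amazonaws.com/doc/2011-06-15/}"


def build_sts_request(minio_url, id_token, duration_seconds=3600):
    """POST to the MinIO endpoint itself (STS is served on the S3 port)
    with the action parameters in the query string.  The ID token is a
    bearer credential, so only ever send it over TLS."""
    query = urllib.parse.urlencode({
        "Action": "AssumeRoleWithWebIdentity",
        "Version": "2011-06-15",
        "WebIdentityToken": id_token,
        "DurationSeconds": str(duration_seconds),
    })
    return urllib.request.Request(f"{minio_url.rstrip('/')}/?{query}", method="POST")


def parse_sts_response(xml_bytes):
    """Pull the temporary credentials out of the STS XML response."""
    root = ET.fromstring(xml_bytes)
    creds = root.find(f".//{STS_NS}Credentials")
    if creds is None:
        raise ValueError("STS response carries no Credentials element")
    fields = {
        "access_key": "AccessKeyId",
        "secret_key": "SecretAccessKey",
        "session_token": "SessionToken",
        "expiration": "Expiration",
    }
    out = {key: creds.findtext(STS_NS + tag) for key, tag in fields.items()}
    missing = [key for key, value in out.items() if not value]
    if missing:
        raise ValueError(f"STS response missing {missing}")
    return out


def assume_role_with_web_identity(minio_url, id_token, duration_seconds=3600):
    """Live call: perform the exchange and return the parsed credentials."""
    req = build_sts_request(minio_url, id_token, duration_seconds)
    with urllib.request.urlopen(req) as resp:
        return parse_sts_response(resp.read())


def s3_client_kwargs(creds, minio_url):
    """Keyword arguments for boto3.client("s3", **kwargs) or an equivalent
    SDK.  STS credentials are only accepted together with their session
    token, which is why the console username and password cannot simply
    be reused as an access key and secret against the API."""
    return {
        "endpoint_url": minio_url,
        "aws_access_key_id": creds["access_key"],
        "aws_secret_access_key": creds["secret_key"],
        "aws_session_token": creds["session_token"],
    }


# Constructed sample of an STS reply; values are not real credentials.
SAMPLE_RESPONSE = b"""<?xml version="1.0" encoding="UTF-8"?>
<AssumeRoleWithWebIdentityResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
  <AssumeRoleWithWebIdentityResult>
    <Credentials>
      <AccessKeyId>TEMPACCESSKEYEXAMPLE</AccessKeyId>
      <SecretAccessKey>tempsecretexample</SecretAccessKey>
      <SessionToken>eyJhbGciOiJIUzUxMiJ9.constructed.sample</SessionToken>
      <Expiration>2024-01-01T01:00:00Z</Expiration>
    </Credentials>
    <SubjectFromWebIdentityToken>alice@example.com</SubjectFromWebIdentityToken>
  </AssumeRoleWithWebIdentityResult>
</AssumeRoleWithWebIdentityResponse>"""

if __name__ == "__main__":
    creds = parse_sts_response(SAMPLE_RESPONSE)
    print(s3_client_kwargs(creds, "https://minio.example.com:9000"))  # placeholder URL
```

The credentials expire at the returned Expiration time, so a long-running client has to repeat the exchange (with a fresh ID token) rather than cache them indefinitely.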

How to enable cookie based authentication with istio ingress

We are running Jenkins and a few other tools behind nginx ingress, and we have handled the user authentication through it as well.
Once the user logs in to our app, the credentials get stored in nginx ingress and are passed to Jenkins as cookies.
Hence, once the user gets redirected to Jenkins from our app, he would be logged into Jenkins automatically.
Now we are trying to replace nginx ingress with Istio ingress. We have placed our application behind Istio ingress and are using the OIDC provider Keycloak along with authservice for authentication.
We are able to get the user to log in to our app, but we are trying to figure out a way in which we can pass these credentials on to Jenkins using cookies or through any other means.
Can someone let us know a way in which this can be achieved?

Spinnaker GKE oauth - User's info does not have all required fields

I'm trying to get my spinnaker interface authenticated using this tutorial:
https://www.spinnaker.io/setup/quickstart/halyard-gke-public/
Prior to the tutorial, spinnaker was confirmed up and running on http://localhost:9000. I have tried the following on 1.3.1, 1.4.1 and 1.4.2.
After editing/applying/enabling the Google security, I try the login and am successfully challenged with a Google login screen. Upon completing the two-factor auth, I am redirected as expected to http://localhost:8084/login, though I receive the following error:
{
"error": "Unauthorized",
"message": "Authentication Failed: User's info does not have all required fields.",
"status": 401,
"timestamp": 1506985726074
}
Here is a log of my setup steps:
kross@halyard:~$ hal config security authn oauth2 edit --provider google \
> --client-id $CLIENT_ID \
> --client-secret $CLIENT_SECRET \
> --user-info-requirements hd=$DOMAIN
+ Get current deployment
Success
+ Get authentication settings
Success
+ Edit oauth2 authentication settings
Success
Problems in default.security:
- WARNING Your UI or API domain does not have override base URLs
set even though your Spinnaker deployment is a Distributed deployment on a
remote cloud provider. As a result, you will need to open SSH tunnels against
that deployment to access Spinnaker.
? We recommend that you instead configure an authentication
mechanism (OAuth2, SAML2, or x509) to make it easier to access Spinnaker
securely, and then register the intended Domain and IP addresses that your
publicly facing services will be using.
+ Successfully edited oauth2 method.
kross@halyard:~$ hal config security authn oauth2 enable
+ Get current deployment
Success
+ Edit oauth2 authentication settings
Success
Problems in default.security:
- WARNING Your UI or API domain does not have override base URLs
set even though your Spinnaker deployment is a Distributed deployment on a
remote cloud provider. As a result, you will need to open SSH tunnels against
that deployment to access Spinnaker.
? We recommend that you instead configure an authentication
mechanism (OAuth2, SAML2, or x509) to make it easier to access Spinnaker
securely, and then register the intended Domain and IP addresses that your
publicly facing services will be using.
+ Successfully enabled oauth2
kross@halyard:~$ hal deploy apply
+ Get current deployment
Success
+ Apply deployment
Success
+ Deploy spin-clouddriver
Success
+ Deploy spin-front50
Success
+ Deploy spin-orca
Success
+ Deploy spin-deck
Success
+ Deploy spin-echo
Success
+ Deploy spin-gate
Success
+ Deploy spin-igor
Success
+ Deploy spin-rosco
Success
Problems in default.security:
- WARNING Your UI or API domain does not have override base URLs
set even though your Spinnaker deployment is a Distributed deployment on a
remote cloud provider. As a result, you will need to open SSH tunnels against
that deployment to access Spinnaker.
? We recommend that you instead configure an authentication
mechanism (OAuth2, SAML2, or x509) to make it easier to access Spinnaker
securely, and then register the intended Domain and IP addresses that your
publicly facing services will be using.
I'm not quite sure what to do with this. It seems I am authentic, yet for some reason the required user fields are not allowed in the interaction.
I have reviewed spinnaker's authentication setup as well and repeatedly made a few changes and tested with a fresh incognito browser, yet no change.
Since the google provider is a packaged OAuth 2 provider with spinnaker, I'm confused as to what further configuration would be necessary, as I am not "bringing my own provider".
Where can I start looking next? Any references/pointers to documentation?
The problem is the --user-info-requirements hd=$DOMAIN argument. This is (generally) only needed if you're using a G Suite/Google Apps for Work account as your OAuth identity provider; it restricts login to only users in your domain. Otherwise, anyone with a valid @gmail account would be able to log in.
If you do use the --user-info-requirements hd=$DOMAIN and the $DOMAIN specified is invalid, you will receive this error. Be sure to use the fully qualified domain name as the value.
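The check the answer above describes, as an added example that is not Spinnaker Gate's code: a requirements map such as hd=<domain> is compared against the JSON the Google userinfo endpoint returns, and it fails with "User's info does not have all required fields" in two ways, when the value differs (for instance a domain that is not fully qualified) and when the key is absent altogether, which is the case for consumer Gmail accounts, which carry no hd claim. The userinfo documents below are constructed samples.

```python
"""Added example, not Spinnaker Gate's code: how a userInfoRequirements
map (e.g. hd=<domain>) is checked against the userinfo JSON, and the two
ways it fails: the required value differs, or the key is missing as it
is for consumer Gmail accounts.  The userinfo samples are constructed."""
import json


def parse_requirements(args):
    """Turn ["hd=example.com", "email_verified=true"] into a dict, the
    shape --user-info-requirements produces."""
    reqs = {}
    for item in args:
        key, sep, value = item.partition("=")
        if not sep or not key:
            raise ValueError(f"bad requirement {item!r}: expected key=value")
        reqs[key] = value
    return reqs


def _as_text(value):
    # JSON booleans and numbers are compared as they appear on the command line.
    return value if isinstance(value, str) else json.dumps(value)


def missing_requirements(user_info, requirements):
    """Keys whose required value is absent from user_info or differs."""
    return sorted(
        key for key, wanted in requirements.items()
        if key not in user_info or _as_text(user_info[key]) != wanted
    )


def authenticate(user_info, requirements):
    """Return the identity to log in as, or raise like Gate's 401 does."""
    missing = missing_requirements(user_info, requirements)
    if missing:
        raise PermissionError(
            "Authentication Failed: User's info does not have all required "
            f"fields (unsatisfied: {', '.join(missing)})")
    return user_info["email"]


# Constructed samples of the userinfo endpoint's reply (placeholder identities).
WORKSPACE_USER = {
    "sub": "1001", "email": "kross@example.com", "email_verified": True,
    "hd": "example.com",
}
GMAIL_USER = {
    "sub": "1002", "email": "someone@gmail.com", "email_verified": True,
}  # no hd claim: not a G Suite / Workspace account

if __name__ == "__main__":
    reqs = parse_requirements(["hd=example.com"])
    print(authenticate(WORKSPACE_USER, reqs))
    for info, r in ((GMAIL_USER, reqs), (WORKSPACE_USER, parse_requirements(["hd=example"]))):
        try:
            authenticate(info, r)
        except PermissionError as exc:
            print(exc)
```

Dropping the requirement entirely makes the check pass for the Gmail account too, which is the "anyone with a valid @gmail account" case the answer warns about; the fix for a hosted domain is the fully qualified value, not removing the flag.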

Accessing Cloudbees Jenkins URL without authentication

I have an application that monitors CI jobs, and I've added a jenkins installation to my account. Typically, this application is internal to the company I work at, but our jenkins servers aren't accessible outside the LAN.
To look up the status of a build, I do a Python urllib.urlopen on
http://hostname/job/job_name/lastBuild/api/json
then parse the JSON result.
When trying to connect to https://webiken.ci.cloudbees.com, I get an HTTPError because the URL requires authentication. Is there anyway to configure my jenkins to be public?
Thanks,
Sam
You can use HTTP Basic authentication with your CloudBees credentials to access the API:
curl https://webiken.ci.cloudbees.com/job//api/json --user ndeloof@cloudbees.com:
Also see this wiki page on how to make your Jenkins instance public.
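The same lookup done from Python, as an added example that is neither the poster's monitoring code nor CloudBees' own: the lastBuild/api/json request the question describes, with the Basic authentication the answer recommends sent in the Authorization header instead of an anonymous urlopen. Host, job name and credentials are placeholders, and SAMPLE_JSON is a constructed Jenkins reply so the parsing runs offline.

```python
"""Added example, not the poster's or CloudBees' code: fetch a Jenkins
job's last build over HTTP Basic authentication from Python.  Host, job
name and credentials are placeholders; SAMPLE_JSON is a constructed
Jenkins reply used to exercise the parsing offline."""
import base64
import json
import urllib.parse
import urllib.request


def basic_auth_header(user, secret):
    """Value for the Authorization header, sent preemptively so the
    request does not need a 401 challenge round-trip first."""
    raw = f"{user}:{secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def build_request(base_url, job_name, user, secret):
    """Request for /job/<name>/lastBuild/api/json carrying Basic auth.
    job_name is a single top-level job; it is percent-encoded."""
    url = f"{base_url.rstrip('/')}/job/{urllib.parse.quote(job_name)}/lastBuild/api/json"
    return urllib.request.Request(
        url, headers={"Authorization": basic_auth_header(user, secret)})


def build_status(payload):
    """Reduce the Jenkins build JSON to what a CI monitor needs."""
    data = json.loads(payload)
    return {
        "number": data["number"],
        "building": data["building"],
        "result": data.get("result"),  # None while the build is still running
        "url": data.get("url"),
    }


def last_build(base_url, job_name, user, secret):
    """Live call: fetch and parse the last build (needs network access)."""
    req = build_request(base_url, job_name, user, secret)
    with urllib.request.urlopen(req) as resp:
        return build_status(resp.read())


# Constructed sample of a Jenkins lastBuild/api/json reply.
SAMPLE_JSON = (b'{"number": 42, "building": false, "result": "SUCCESS", '
               b'"url": "https://example.ci.cloudbees.com/job/demo/42/"}')

if __name__ == "__main__":
    print(build_status(SAMPLE_JSON))
    # Live use (placeholders): last_build("https://example.ci.cloudbees.com",
    #                                     "demo", "user@example.com", "<api token>")
```

Use the URL's https scheme, since Basic auth is only base64, not encryption; and where the instance provides per-user API tokens, pass the token rather than the account password so it can be revoked on its own.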

ActiveMQ Web Console (Jetty) Authentication using LDAP

I was wondering if anyone knows how to set up authentication using LDAP for the ActiveMQ 5.4.2 Web Console?
It's really simple just to enable basic authentication from jetty.xml and set a new user/pass in clear text in the jetty-realm.properties file, but I have many users in LDAP that need to access the web console.
Thank you in advance for any help!
Nerses
You could use JAAS and the LdapLoginModule.
http://wiki.eclipse.org/Jetty/Tutorial/JAAS
and LdapLoginModule
-jim