How to secure nexus repository path - repository

I have set up a local Nexus server with a hosted repo dev-repo:
http://localhost:8081/nexus/content/repositories/dev-repo/
In gradle I can download the artifacts hosted like this:
repositories {
    maven {
        url "http://localhost:8081/nexus/content/repositories/dev-repo/"
        credentials {
            username "admin"
            password "admin"
        }
    }
}
When I am not logged in, I am able to access the above repository in the browser.
Why is that?
Isn't it secured by Nexus admin account by default?

By default, Nexus Repository Manager has anonymous access to its components on. From your URL, I am guessing you are using NXRM2. This is not well documented in NXRM2, but is hinted at here: https://help.sonatype.com/display/NXRM2/Introduction+to+the+User+Interface
You can adjust this in NXRM2 by logging in as admin (or anyone with security permissions) and accessing Administration - Server and the "Anonymous Access" section.
This is discussed here in NXRM3 documentation, FYI or in case I misanalyzed what version you're on (but the concept is the same).
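One way to verify the observation in the question from a script, as an added example that is not code from the question or from Sonatype: it GETs the repository path once without credentials and once with the question's admin login, and reports whether the path is readable anonymously. REPO_URL, USERNAME and PASSWORD are taken from the question and are assumptions for any other server.

```python
"""Probe a Nexus repository path with and without credentials.

Added example. A 200 on the unauthenticated GET is the finding: the
"Anonymous Access" setting still lets anyone browse the path.
"""
import base64
import urllib.error
import urllib.request

# Values from the question above; change them for your own server.
REPO_URL = "http://localhost:8081/nexus/content/repositories/dev-repo/"
USERNAME, PASSWORD = "admin", "admin"


def basic_auth_header(user, password):
    """Build the HTTP Basic Authorization header Nexus accepts."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": f"Basic {token}"}


def fetch_status(url, headers=None, timeout=5):
    """Return the HTTP status of a GET, or None if the server is unreachable."""
    req = urllib.request.Request(url, headers=headers or {})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code            # 401/403/404 are results, not failures
    except urllib.error.URLError:
        return None                # connection refused, DNS failure, timeout


def verdict(anon_status, auth_status):
    """Interpret the two status codes of the anonymous and authenticated GETs."""
    if anon_status is None or auth_status is None:
        return "unreachable"
    if anon_status == 200:
        return "anonymous-readable"            # anonymous access still enabled
    if anon_status in (401, 403) and auth_status == 200:
        return "protected"                     # login required, credentials work
    if anon_status in (401, 403):
        return "protected-credentials-rejected"
    if anon_status == 404 and auth_status == 404:
        return "not-found"                     # wrong path, or hidden from both
    return f"unexpected ({anon_status}/{auth_status})"


def check_repository(url=REPO_URL, user=USERNAME, password=PASSWORD):
    """Run both probes against one repository path and return the verdict."""
    anon = fetch_status(url)
    auth = fetch_status(url, basic_auth_header(user, password))
    return verdict(anon, auth)


if __name__ == "__main__":
    print(f"{REPO_URL}: {check_repository()}")
```

Run it before and after turning off "Anonymous Access" in Administration - Server; the verdict should move from anonymous-readable to protected.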

Related

MSAL doesn't pop up when project is published to Azure VM

Below is my code to popup and login through MSAL.
var app = PublicClientApplicationBuilder.Create(msal.ClientId)
    .WithDefaultRedirectUri()
    .WithTenantId(msal.TenantId)
    .Build();
var result = await app.AcquireTokenInteractive(msal.Scopes).ExecuteAsync();
The code above works when it's running on my local machine.
And below are my settings in Azure AD. It's working when I set it to localhost:5000.
But when I set it to 'myWebAppUrl', which is hosted on an Azure Virtual Machine, MSAL won't pop up. It just returns "The operation was cancelled". Anything I missed here?
Please check the below points.
In Azure AD, the reply URL must begin with the scheme https, unless using localhost, e.g. http://localhost:5000
Else you can use something like https://yourappurl and don't forget to Grant admin consent under Permissions for the scopes you have in Azure AD.
Please check Redirect URI restrictions:
Apps that use system browsers: http://localhost
Apps that use embedded browsers: https://login.microsoftonline.com/common/oauth2/nativeclient
For Node.js, you can use msal://redirect
Please check the Add a redirect URI section and Client application configuration (MSAL) | Microsoft Docs
And check if you can use a confidential client for your app.
Some authentication libraries like MSAL.NET use a default value of urn:ietf:wg:oauth:2.0:oob when no other redirect URI is specified, which is not recommended. This default will be updated as a breaking change in the next major release.
Other references
Instantiate a public client app (MSAL.NET) - Microsoft identity platform | Microsoft Docs
Initialize MSAL.NET client applications - Microsoft identity platform | Microsoft Docs

How to use Github Personal Access Token in Jenkins

I can ask this question in many ways, like:
How to configure Jenkins credentials with a Github Personal Access Token
How to clone a Github repo in Jenkins using a Github Personal Access Token
So this is the problem.
The alternate solutions that I am aware of:
SSH connection
Username/password configuration in Jenkins. However, use of a password with the GitHub API is now deprecated.
But my question is how to set up a Github connection with Jenkins using a Personal Access Token.
[UPDATE]
The new solution proposed by git is
https://github.blog/2020-12-15-token-authentication-requirements-for-git-operations/
Which says:
Beginning August 13, 2021, we will no longer accept account passwords when authenticating Git operations and will require the use of token-based authentication, such as a personal access token (for developers) or an OAuth or GitHub App installation token (for integrators) for all authenticated Git operations on GitHub.com. You may also continue using SSH keys where you prefer.
What you need to do:
https://github.blog/2020-12-15-token-authentication-requirements-for-git-operations/#what-you-need-to-do-today
Basically, change the repository URL to:
https://<access token>@github.com/<userName>/<repository>.git
Something like this:
https://<access token>@github.com/dupinder/NgnixDockerizedDevEnv.git
and set the credentials to none.
Thanks to @Gil Stal
[OLD Technique]
After many discussions on multiple threads from Stackoverflow, I found one thread that is useful.
Refer to this answer:
https://stackoverflow.com/a/61104603/5108695
Basically
A Personal Access Token can be used as a password, as far as Jenkins is concerned at least. I added new credentials to the credential manager.
Go to Jenkins.
Go to Credentials > System > Global credentials > Add credentials; a page will open.
In the Kind drop-down select Username and password.
In User put a non-existing username like jenkins-user or user.
Add the Personal Access Token in the password field.
Now start configuring your project.
In the Source Code Management tab, under Repository URL, select the newly configured credentials from the Credentials drop-down.
So this is how we can configure or set up authentication between Jenkins and Github using a Personal Access Token.
References:
Git Clone in Jenkins with Personal Access Token idles forever
Change jenkins pipeline to use github instead of gitlab
The accepted answer won't work anymore because of this: https://github.blog/2020-12-15-token-authentication-requirements-for-git-operations.
You will need to:
Change the URL of the repo to: https://<access token>@github.com/<user-name>/<repo-name>.git (Replace every <...> with the real parameters)
Set the credentials to none.
As of August 2021 the answer posted by Dupinder Singh is accurate. The only thing I would add is that if you are part of a team, the URL format appears to be a bit different. This is what worked for me:
https://<access token>@github.com/<team>/<repo>.git
for example
https://ghp_6dh3jdk394jsmbh299jjdg20fh87hd83ksk39@github.com/MyKuleTeam/KuleGuyCode.git
Note that if you use a personal access token you don't need to have any github credentials stored in jenkins.
As for credentials for Jenkins Github Plugin, please be aware only Personal access tokens are now accepted by this plugin.
To generate such a token, follow the Github docs (e.g. here). Don't save it; it can be regenerated in Github and updated in Jenkins if lost or when migrating to a different server.
To add the token to the Jenkins credentials store, go to <JENKINS_URL:PORT>/credentials/store/system/domain/_/newCredentials and select Kind "Secret text" (not the default "Username and password"), then paste the token as Secret and choose some ID.
Testing: the credential should appear on the list of Credentials at <JENKINS_URL:PORT>/credentials/ and be selectable from the drop-down list at <JENKINS_URL:PORT>/configure/, where pressing the "Test connection" button should display "Credentials verified for user <GITHUB_USER>".
More info: see the Github plugin docs.
Caveats: the Git Plugin has its long-standing issues, so if the newly created "Secret text" does not appear in your pipelines, try whether this solution helps (with "the user who triggered the build" considered safer than "SYSTEM"):
client-and-managed-masters/why-credentials-are-not-listed-in-the-git-scm-section
There is (yet another) way to do this as of 2020/04 which is supposed to be superior to personal access tokens. The best part is that you can continue using a username/password-style credential, and the plugin will handle authenticating with GitHub in the background.
Benefits include:
Larger rate limits - The rate limit for a GitHub app scales with your organization size, whereas a user-based token has a limit of 5000 regardless of how many repositories you have.
User-independent authentication - Each GitHub app has its own user-independent authentication. No more need for 'bot' users or figuring out who should be the owner of 2FA or OAuth tokens.
Improved security and tighter permissions - GitHub Apps offer much finer-grained permissions compared to a service user and its personal access tokens. This lets the Jenkins GitHub app require a much smaller set of privileges to run properly.
Access to GitHub Checks API - GitHub Apps can access the GitHub Checks API to create check runs and check suites from Jenkins jobs and provide detailed feedback on commits as well as code annotation.
Links:
https://www.jenkins.io/blog/2020/04/16/github-app-authentication/
https://github.com/jenkinsci/github-branch-source-plugin/blob/master/docs/github-app.adoc

SBT proxy repository authentication

I'm trying to use an Artifactory server as proxy for the resolution of java/scala artifacts.
I'm referring to this documentation, where the suggestion is to put the following lines in ~/.sbt/repositories:
[repositories]
local
my-ivy-proxy-releases: http://repo.company.com/ivy-releases/, [organization]/[module]/(scala_[scalaVersion]/)(sbt_[sbtVersion]/)[revision]/[type]s/[artifact](-[classifier]).[ext]
my-maven-proxy-releases: http://repo.company.com/maven-releases/
Unfortunately there's no mention of where I should put my authentication credentials, and
Any clue?
In the build.sbt put the following:
credentials += Credentials("Artifactory Realm", "artifacts.schibsted.io", "username", "password")
The Artifactory Realm string is required as it is.

SonarQube 5.2, LDAP plugin 1.5: com4j.ComException

AD login is not possible after upgrading from LDAP 1.4. In the TRACE log the following error message is logged:
DEBUG web[o.s.p.l.w.WindowsUsersProvider] Requesting details for user: xxxxxx
ERROR web[rails] Error from external users provider: exception Java::Com4j::ExecutionException: com4j.ComException: 8007203a Failed to MkParseDisplayName : The server is not operational. : .\com4j.cpp:217
Removing the LDAP settings from sonar.properties did not help. After downgrading to LDAP 1.4 everything works again. Did we miss some configuration setup?
LDAP plugin 1.5.1 with a fix for this issue (LDAP-49) is released and available for download from SonarQube's update center.
Refer to SonarQube LDAP plugin documentation page:
LDAP 1.5.1 – Dec 02, 2015 – Compatible with SonarQube 5.2+
Bug fixes for Active Directory environments
Please go through the new changes and try the settings mentioned below.
The LDAP 1.5 plugin uses Waffle to support Windows Authentication and SSO on Windows OS.
LDAP in Windows auth mode supports two ways of login from the browser:
1. Single Sign-On
SSO will be performed on hitting any SonarQube URL other than /sessions/login.
Only domain users are supported through SSO.
2. Form-based login from the /sessions/login page
Domain users
Login: <domain\alias> or alias@domain or alias
Password: <domain credentials>
Technical users
Login: <username>
Password: <password>
On logout, users will be presented with the login page (/sessions/login), where they can choose to log in as a technical user or a domain user by passing the appropriate credentials.
For those users who are already using a previous version of the LDAP plugin to connect to Microsoft AD and have already defined authorization in terms of those users and group names, use the following settings on Windows OS:
# LDAP configuration
sonar.security.realm=LDAP
ldap.windows.compatibilityMode=true
# For debugging purposes; remove this if you don't see any issue
sonar.log.level=DEBUG
ldap.windows.auth=true
-----------------------------------------------------------------------
The default protocol is NTLM, which should work for most scenarios.
Troubleshooting NTLM
◦ Enabling NTLM Logging
http://goo.gl/3LhU6E
If you want to use the Kerberos "Negotiate" protocol, please use the following steps.
Negotiate Authentication Steps:
For negotiate authentication to work, make sure the following steps are followed:
1. Browser Configuration
Waffle link: Configuring Browsers (IE/Firefox)
https://goo.gl/vcPnrk
2. Kerberos setup
Make sure that the user has the privilege for Kerberos delegation:
setspn -L username
To add privileges to the current user, run:
setspn -S HTTP/machine:port machine
example:
setspn -S HTTP/machine:9000 machine
3. The SonarQube application is running as a service (NT service)
Troubleshooting Resources
1. Useful Kerberos troubleshooting resources
◦ Enabling Kerberos Logging
http://support.microsoft.com/kb/262177/en-us
◦ Troubleshooting Kerberos Delegation
http://www.microsoft.com/en-us/download/confirmation.aspx?id=4754

Can we isolate a user from the mod_authz authentication?

Can we isolate a subversion user using the mod_authz authentication such that they will only be authenticated to a single subversion repository? Right now we are hosting multiple repositories via apache, and our access_file is global across all repositories. This means if we use the *=r option, then all users will have read access. We would like to introduce a user into that environment so they will only have access to a single repo, and they will not be included in other repository access via the *=r option. Is this type of configuration available?
Thanks,
Suresh
You can use the NOT modifier on global scope of the authz file:
[/]
*=
~single_repo_user=r
[single_repo:/]
*=
single_repo_user=r
This reads:
for all repositories, nobody has any permission, except a user who is not named single_repo_user, who then has read permission
for repository "single_repo" nobody has access except single_repo_user, who has read access
So only single_repo_user has no permission; everybody else has read permission.
You can of course just delete the user name from the htpasswd file.
See more info here:
http://svnbook.red-bean.com/nightly/en/svn-book.html#svn.serverconfig.pathbasedauthz
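To check that the two sections above really combine the way the answer reads them, here is an added example (not the answer's code and not Subversion's authz implementation) that evaluates a deliberately simplified model of mod_authz_svn: the repository-specific section takes precedence over the global `[/]` section, `*` matches everyone, `~user` matches everyone except that user, and within a section an explicit user rule beats a negated rule, which beats `*`. Groups, aliases and nested paths are left out; the rules text is a constructed copy of the answer's file.

```python
"""Minimal evaluator for the Subversion authz rules shown in the answer.

Added example with a simplified model: only root-path sections, no groups,
aliases or nested paths. Precedence within a section: user > ~user > *.
"""

# Constructed copy of the authz rules from the answer above
AUTHZ_TEXT = """
[/]
* =
~single_repo_user = r

[single_repo:/]
* =
single_repo_user = r
"""


def parse_authz(text):
    """Return {section_name: [(principal, rights), ...]} in file order."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = []
        else:
            principal, _, rights = line.partition("=")
            sections[current].append((principal.strip(), rights.strip()))
    return sections


def rule_matches(principal, user):
    """'*' matches everyone, '~name' everyone but name, 'name' only name."""
    if principal == "*":
        return True
    if principal.startswith("~"):
        return user != principal[1:]
    return user == principal


def specificity(principal):
    """Explicit user rules override negated rules, which override '*'."""
    return 0 if principal == "*" else 1 if principal.startswith("~") else 2


def effective_rights(sections, user, repo):
    """Rights of user at the root of repo: repo section first, then global."""
    for name in (f"{repo}:/", "/"):
        matching = [(specificity(p), r) for p, r in sections.get(name, [])
                    if rule_matches(p, user)]
        if matching:                      # first section mentioning the user wins
            return max(matching)[1]
    return ""
```

effective_rights(parse_authz(AUTHZ_TEXT), "alice", "single_repo") returns "" while the same call for "other_repo" returns "r", which is the isolation the question asks for.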