Restrict developers' access to a MobileFirst production environment - ibm-mobilefirst

There is a business requirement to prevent development users from accessing the production and integration MFP environments; however, they can retain full access to the test environment.
The following Active Directory security groups are currently configured for the production environment:
mfpadmin
mfpdeployer
mfpmonitor
mfpoperator
mfpanalytics_administrator
mfpanalytics_infrastructure
mfpanalytics_support
mfpanalytics_developer
mfpanalytics_business
mfpappcenteradmin
mfpappcenteruser
Within the server.xml file there is an LDAP connection and then a section defining security roles. These AD group names are reflected in the security role section. To fulfil the requirement above, one would presumably create new Active Directory security groups similar to the ones listed above (something like mfpadmin-test, mfpadmin-int), add development users to these newly created test groups, e.g. mc-admin-test, remove these same users from the groups defined for the production environment, e.g. mfpadmin, and update the appropriate server.xml file.
Is there anything inside of the specific applications (Admin, Analytics, AppCenter) that one needs to do to further restrict access?
Is there anything needed to be done with the war file?

Is there anything inside of the specific applications (Admin, Analytics, AppCenter) that one needs to do to further restrict access?
(A) No, just defining the right security roles should be sufficient.
Is there anything needed to be done with the war file?
(A) No, nothing to do with the war file.
mfpadmin, mfpdeployer, mfpmonitor, and mfpoperator are the default security roles defined by MobileFirst. The same security roles will need to be defined for your test and integration environments. These security roles can in turn be mapped to the right groups, i.e. mfpadmin-test, mfpadmin-int, etc.
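As an added illustration (not taken from the question or the answer above), this is how the Liberty application-bnd in the test environment's server.xml would bind the four default MobileFirst Administration Service roles to the test-specific AD groups; the production server.xml binds the same role names to the production groups (mfpadmin, mfpdeployer, ...), so a developer who is only a member of the -test groups gets no role on the production server. The ldapRegistry attributes (host, baseDN, bind account, trust store), the application id/location and the group names with the -test suffix are constructed placeholders.

```xml
<!-- Constructed example for the TEST environment's server.xml (all values assumed) -->
<server>
    <!-- Trust store holding the AD CA certificate so that LDAPS can be used
         instead of clear-text LDAP for the bind and the group lookups -->
    <keyStore id="ldapTrust" location="${server.config.dir}/resources/security/ldap-trust.p12"
              password="CHANGE_ME" />
    <ssl id="ldapSSL" keyStoreRef="ldapTrust" />

    <!-- LDAP user registry: Liberty resolves a user's group membership here at
         login time, so the group-to-role binding below is what gates access -->
    <ldapRegistry id="ldap" realm="MFPRealm"
                  host="ad.example.com" port="636" sslEnabled="true" sslRef="ldapSSL"
                  ldapType="Microsoft Active Directory"
                  baseDN="DC=example,DC=com"
                  bindDN="CN=mfp-bind,OU=Service Accounts,DC=example,DC=com"
                  bindPassword="CHANGE_ME" />

    <application id="mfpadmin" name="mfpadmin" location="mfp-admin-service.war" type="war">
        <application-bnd>
            <!-- role name: fixed, defined by MobileFirst
                 group name: differs per environment (here the -test groups) -->
            <security-role name="mfpadmin">
                <group name="mfpadmin-test" />
            </security-role>
            <security-role name="mfpdeployer">
                <group name="mfpdeployer-test" />
            </security-role>
            <security-role name="mfpmonitor">
                <group name="mfpmonitor-test" />
            </security-role>
            <security-role name="mfpoperator">
                <group name="mfpoperator-test" />
            </security-role>
        </application-bnd>
    </application>
</server>
```

The production server.xml differs only in the group names inside each security-role, and the Analytics and AppCenter applications get their own application-bnd blocks mapping their roles to the corresponding per-environment groups in the same way. A quick check after the change is to log in to the test console with an account that is in mfpadmin-test but not in mfpadmin, then attempt the same against the production console: the second attempt should be refused.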

Create Gerrit project - with permission, unable to access it

Question regards Gerrit 2.14
Goal
I want to have projects visible only to Registered Users, and I would also like the 'owner' of a project to be able to set its visibility, share it, hide it, etc. without admin rights, and without involving an admin to set those rights for him/her per project. For example, I want to have projects A, B, C, D, E with B and C owned by p1, and C shared between p1 and p2. So user p1 would see B and C, and user p2 would see C.
What I've checked
I believe that there are 3 ways of achieving something described above:
user has admin rights - can set parent of project other than All-projects: I don't want that
admin can set per project ACL for user/group: I don't want that
user becomes Project Owner of projects s/he created
By default "Create Project" is not granted for Registered users and "READ for refs/*"
I have tried
Setting permissions in All-Projects.git that all project inherit
Create Group
Registered Users
Create Project
Registered Users
Reference: refs/*
Allow Administrators
Allow Project Owners
Deny Anonymous Users
/* IF I add ALLOW Registered Users here -> see bottom of question */
and all remaining permissions unchanged, I expected to be able, as a registered user, to:
Be sure that anonymous (not registered/logged on) users cannot view projects
Create project using both GUI and SSH
Be assigned as Project Owner to that project - have full control over this single project
Result
Unfortunately, registered user can create project (if user does not select previously prepared parent All-public-projects - which grants multiple other permissions - default All-projects is assigned as parent) BUT user, who is supposed to be Project Owner cannot access this project.
Ideas what is wrong
I'm aware that Registered Users are members of Anonymous Users group as well, but documentation states
Inherited access rights can be overwritten unless they are defined as BLOCK rule. BLOCK rules are used to limit the possibilities of the project owners on the inheriting projects.
Changing the parent of a project is only allowed for Gerrit administrators. This means you need to contact the administrator of your Gerrit server if you want to reparent your project.
and also
[READ] This category has a special behavior, where the per-project ACL is evaluated before the global all projects ACL. If the per-project ACL has granted Read with 'DENY', and does not otherwise grant Read with 'ALLOW', then a Read in the all projects ACL is ignored. This behavior is useful to hide a handful of projects on an otherwise public server.
For an open source, public Gerrit installation it is common to grant Read to Anonymous Users in the All-Projects ACL, enabling casual browsing of any project’s changes, as well as fetching any project’s repository over SSH or HTTP. New projects can be temporarily hidden from public view by granting Read with 'DENY' to Anonymous Users and granting Read to the project owner’s group within the per-project ACL.
Now, since I do not want to set permissions on a per-project basis, am I correct in thinking that the reason this fails is:
For the All-Projects root project any Owner access right on 'refs/*' is ignored since this permission would allow users to edit the global capabilities, which is the same as being able to administrate the Gerrit server (e.g. the user could assign the Administrate Server capability to the own account).
Questions
If my reasoning is correct, how do I achieve my goal?
Also, granting READ refs/* to Registered Users makes the project accessible, but all the others too. How would I then be able to hide some projects from other Registered Users? Or, if that is not possible, how do I configure permissions in order to prevent other registered users from committing to, and possibly even cloning, other projects?
Additional question.
How do I quickly see who is set as project's Project Owner?
I'm glad to see I'm not the only one with such a requirement. For me everything would work just fine if the user who creates a project via Gerrit's Web UI automatically became the project owner (only if the user is not an Admin User). However, as you know, the current Web UI neither passes this information to the Gerrit backend nor allows assigning project owners when creating a new project. I see the following options:
Open a feature request for the Gerrit dev team hoping they will consider the idea
Use the create-project REST API and pass the project owner(s) for creating projects, i.e. using an own app
Use the create project CLI and pass the project owner(s) for creating projects
Implement an own Gerrit Plugin - see 2. Plugin Development which would make the current user creating a new project a project owner
For me only option 1 or 4 is viable because the others mean way too much overhead. I'm thinking about writing such a plugin, and I would make it open source... About 2 months ago I was hoping there was already something available I could use, but I couldn't find anything.
To your second question: I typically use the Web UI for this by going to the project's Access tab and then checking who has the permission "Owner" for the branch refs/*.

Trying to connect LDAP users from two or more subdomains to NiFi

I have set up a three-node secure NiFi cluster and integrated it with LDAP for user login.
My doubts:
In login-identity-providers.xml, can we add multiple User Search Base values for LDAP? (I tried adding multiple usersearchbase entries but it failed.)
The LDAP user search should happen on multiple sub-domains, e.g. DC=example1,dc=example,dc=com
DC=example2,dc=example,dc=com
in User-search-base in login-identity-providers.xml.
To achieve multitenancy in LDAP, what configuration changes do we need to make in identity provider.xml?
A tenant1 user should access the process group defined for tenant 1 itself, and it should not be accessible to tenant2 users.
From what I can tell, AND assuming you are using Microsoft Active Directory, if you use:
FOLLOW
it may work.
We also sometimes use the Global Catalog (as then there are no referrals).
I am also guessing that the "empty" parameters should be removed (but I do NOT know how NiFi works).
I would suggest you also do tests with an LDAP browser to make sure you know what your LDAP tree looks like. We use Apache Directory Studio, but there are others.
Please add more data on whether it is Microsoft Active Directory, and refer to https://stackoverflow.com/help/how-to-ask
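To make the FOLLOW and Global Catalog suggestions in the answer concrete, here is a constructed provider block for login-identity-providers.xml; it is added here and is not part of the question or the answer. It assumes Active Directory, a Global Catalog host gc.example.com, a low-privilege service account DN, a trust store path and a forest root of DC=example,DC=com under which the DC=example1 and DC=example2 sub-domains live. NiFi's LdapProvider takes exactly one User Search Base, so instead of one base per sub-domain the base is the forest root: on the Global Catalog port the search already returns users from every domain, and on a normal DC port (389/636) the Referral Strategy FOLLOW makes the client chase the referrals the DC returns for the other domains.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Constructed example login-identity-providers.xml (hosts, DNs, paths and
     credentials are assumed placeholders) -->
<loginIdentityProviders>
    <provider>
        <identifier>ldap-provider</identifier>
        <class>org.apache.nifi.ldap.LdapProvider</class>

        <!-- Bind with a read-only service account, never a privileged one -->
        <property name="Authentication Strategy">LDAPS</property>
        <property name="Manager DN">CN=nifi-svc,OU=Service Accounts,DC=example,DC=com</property>
        <property name="Manager Password">CHANGE_ME</property>

        <!-- Trust store containing the AD CA certificate (required for LDAPS);
             the keystore properties are only needed for client-certificate auth
             and are left out here -->
        <property name="TLS - Truststore">/opt/nifi/conf/ad-truststore.p12</property>
        <property name="TLS - Truststore Password">CHANGE_ME</property>
        <property name="TLS - Truststore Type">PKCS12</property>
        <property name="TLS - Client Auth">NONE</property>
        <property name="TLS - Protocol">TLSv1.2</property>
        <property name="TLS - Shutdown Gracefully">true</property>

        <!-- FOLLOW: chase referrals to the other domains' naming contexts.
             With the Global Catalog (3269 for LDAPS, 3268 for plain LDAP) the
             DC answers for the whole forest and no referrals are produced. -->
        <property name="Referral Strategy">FOLLOW</property>
        <property name="Connect Timeout">10 secs</property>
        <property name="Read Timeout">10 secs</property>

        <!-- One forest-level search base instead of one per sub-domain -->
        <property name="Url">ldaps://gc.example.com:3269</property>
        <property name="User Search Base">DC=example,DC=com</property>
        <property name="User Search Filter">(&amp;(objectClass=user)(sAMAccountName={0}))</property>

        <!-- USE_USERNAME keeps the NiFi identity equal to the login name, so the
             same string is used when granting policies in authorizers.xml -->
        <property name="Identity Strategy">USE_USERNAME</property>
        <property name="Authentication Expiration">12 hours</property>
    </provider>
</loginIdentityProviders>
```

The login identity provider only answers "who is this user"; it does not decide what they may see. The per-tenant restriction asked about in the question (tenant1 users seeing only tenant1's process group) is an authorization concern, handled by the policies NiFi attaches to each process group through authorizers.xml, not by anything in login-identity-providers.xml. An LDAP browser bound with the same service account and searching the same base and filter is the quickest way to confirm that users from both sub-domains are returned before restarting the cluster.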

LDAP schema editing on the fly

Is it possible in any of the existing LDAP servers to edit a schema in one of the editors available? Like JXplorer, Apache Directory Studio, LDAP Admin?
I tried with OpenLDAP and all of the above tools (I run the server with the -F option), but it looks like it's not possible to modify the schema: add new attributes, add descriptions, etc.
I would be grateful if any of you have some experience with this.
Cheers
Some LDAP servers allow (authorized users) to change the schema by sending an LDAP modify operation that affects the so-called subschema subentry directly, but OpenLDAP does not.
In OpenLDAP you have two possible configuration methods:
Static file configuration, usually with schema files simply being included (aka slapd.conf), which requires slapd to be restarted for configuration changes to take effect
Dynamic configuration backend back-config (aka cn=config) for which you can also define ACLs restricting access to your LDAP admins
The dynamic configuration method allows tweaking the schema via LDAP, making it effective without a server restart. But you have to modify multiple LDAP entries in the sub-tree cn=schema,cn=config, which you can do with any generic LDAP client.
Since schema descriptions usually reference other schema descriptions, the order is important. Standard LDAP does not define an order of entries beneath an entry or an order of attribute values. Therefore OpenLDAP implements an extension specified in draft-chu-ldap-xordered.

Getting configuration strings from Weblogic

This question is related to Weblogic 12c.
I have an EAR file that I want to deploy in various environments (dev, QA, pre-prod and prod). However, my application requires a username and a password (to connect to another server) and they're not the same across the four environments. I don't want to package 4 different property files in 4 different EAR files. I want a single generic EAR file. Beside, I don't want to handle the prod password during packaging.
Ideally, I'd like the admin of each environment to provide the appropriate username and password for the environment. Unlike Tomcat, Jetty or JBoss(?), I think it's not possible for a WebLogic admin to specify this information in a way that makes it available under the java:comp/env JNDI context.
How can an application obtain some admin-defined configuration strings from Weblogic?
BTW, it's not a username/password for a JDBC connection.
From what I understand, you need to change parameters based on the environment you are using, right?
If you would like to override parameters on the fly, you can use the WebLogic deployment plan concept.
Did you mean that you need to provide username/password to start-up the application?
If so, you may accomplish that by creating a script with WLST http://docs.oracle.com/cd/E15051_01/wls/docs103/config_scripting/using_WLST.html
As far as I know, the WebLogic way is to
Define your username/password as env-entry in the deployment descriptor
Deploy your application together with the plan.xml, whereby each environment admin maintains his own environment-specific version of the plan.xml
That way you get them into /comp/env/config
More details here: http://docs.oracle.com/cd/E11035_01/wls100/deployment/config.html
Only drawback known to me: plan.xml will always contain the unencrypted password, but as the admin knows the password anyway and this is "his" file on "his" machine, that should be fine.
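The env-entry plus deployment plan approach from the answer above, written out as a constructed example (added here; it is not the poster's file and not from the linked documentation). It assumes an EAR named myapp.ear containing a web module myapp.war whose WEB-INF/web.xml declares two String env-entries, remote/username and remote/password, with placeholder values; the variable names, the QA values and the 12c plan namespace are likewise assumed.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Constructed example plan.xml kept by the QA environment admin (assumed names) -->
<deployment-plan xmlns="http://xmlns.oracle.com/weblogic/deployment-plan"
                 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                 xsi:schemaLocation="http://xmlns.oracle.com/weblogic/deployment-plan http://xmlns.oracle.com/weblogic/deployment-plan/1.0/deployment-plan.xsd"
                 global-variables="false">
  <application-name>myapp.ear</application-name>

  <!-- The EAR itself ships only placeholders, e.g. in myapp.war/WEB-INF/web.xml:
         <env-entry>
           <env-entry-name>remote/username</env-entry-name>
           <env-entry-type>java.lang.String</env-entry-type>
           <env-entry-value>PLACEHOLDER</env-entry-value>
         </env-entry>
       (and the same for remote/password), so no real credential is packaged. -->
  <variable-definition>
    <variable>
      <name>RemoteUsername</name>
      <value>qa-integration-user</value>
    </variable>
    <variable>
      <name>RemotePassword</name>
      <value>CHANGE_ME</value>
    </variable>
  </variable-definition>

  <module-override>
    <module-name>myapp.war</module-name>
    <module-type>war</module-type>
    <module-descriptor external="false">
      <root-element>web-app</root-element>
      <uri>WEB-INF/web.xml</uri>
      <!-- Each assignment replaces one env-entry-value at deployment time -->
      <variable-assignment>
        <name>RemoteUsername</name>
        <xpath>/web-app/env-entry/[env-entry-name="remote/username"]/env-entry-value</xpath>
      </variable-assignment>
      <variable-assignment>
        <name>RemotePassword</name>
        <xpath>/web-app/env-entry/[env-entry-name="remote/password"]/env-entry-value</xpath>
      </variable-assignment>
    </module-descriptor>
  </module-override>
</deployment-plan>
```

The same EAR is then deployed in each environment with that environment's plan (for example through the console's "Change Path" for the plan, or weblogic.Deployer with -plan), and the code reads the values through JNDI as java:comp/env/remote/username and java:comp/env/remote/password. Because the plan holds the password in clear text, as the answer notes, the file should be readable only by the WebLogic OS account and the environment admin, and kept out of source control.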

Understanding IIS6 permissions, ACL, and identity--how can I restrict access?

When an ASP.NET application is running under IIS6.0 in Windows 2003 Server with impersonation, what user account is relevant for deciding file read/write/execute access privileges? I have two scenarios where I am trying to understand what access to grant/revoke. I thought the most relevant user is probably the identity specified in the Application Pool, but that doesn't seem to be the whole story.
The first issue concerns executing a local batch file via System.Diagnostics.Process.Start()--I can't do so when the AppPool is set to IWAM_WIN2K3WEB user, but it works fine if it is set to the Network Service identity. I of course made sure that the IWAM user has execute rights on the file.
The second involves writing to a file on the local hard drive--I'd like to be able to prevent doing so via the access control list via folder properties, but even when I set up all users in the folder as "read" (no users/groups with "write" at all), our ASP.NET still writes out the file no problem. How can it if it doesn't have write access?
Google search turns up bits and pieces but never the whole story.
what user account is relevant for [..] file read/write/execute access
As a rule: Always the user account the application/page runs under.
The IWAM account is pretty limited. I don't think it has permissions to start an external process. File access rights are irrelevant at this point.
If a user account (Network Service in your case) owns a file (i.e. has created it), it can do anything to this file, even if not explicitly allowed. Check who owns your file.
Process Monitor from Microsoft is a great tool to track down subtleties like this one.
A bit more searching reveals that the IWAM user isn't that well documented and we should stick with NETWORK SERVICE or a manually-supplied identity if we want to specify permissions for that user.