I am not able to access Airpal with the username and password that I provide in the shiro_static_users.ini file. After making the changes, I compiled the code and started the Airpal server:
Without giving any username and password, I am able to access the Airpal server.
I have pm as a database in Hive and want to give permission to the raj user.
My ini file:
authc = org.apache.shiro.web.filter.authc.PassThruAuthenticationFilter
shiro.loginUrl = /login
authc.successUrl = /app
allGroup = com.airbnb.shiro.UserGroup
allGroup.groups = all
allGroup.permissions = access, read:*:*, write:*:*
allGroup.defaultConnector = hive
allGroup.defaultSchema = default
allGroup.timeout = 40m
allGroup.accessLevel = User
allGroup1 = com.airbnb.shiro.UserGroup
allGroup1.groups = pm
allGroup1.permissions = access, read:*:*, write:*:*
allGroup1.defaultConnector = hive
allGroup1.defaultSchema = pm
allGroup1.timeout = 40m
allGroup1.accessLevel = User
cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
sessionListener = com.airbnb.shiro.SessionListenerLogger
allowAllFilter = com.airbnb.shiro.filter.AllowAllFilter
allowAllFilter.groups = $allGroup ,$allGroup1
allowAllFilter.loginUrl = /login
securityManager.sessionManager = $sessionManager
[users]
test = test, all
raj = raj, pm
[roles]
all = *
pm = *
[urls]
/login = authc
/logout = logout
/app = authc, perms["access"]
/api/** = authc, perms["access"]
I set up Superset to use LDAP for authentication, but I have one problem.
All users have Gamma Role by default and everyone can view other users' dataSources and databases.
How can it be set so that each user can see only the datasources he created?
Modify LDAP configuration
AUTH_TYPE = AUTH_LDAP
AUTH_ROLE_ADMIN ='Admin'
AUTH_LDAP_USE_TLS = False
AUTH_USER_REGISTRATION_ROLE= "Admin"
AUTH_LDAP_FIRSTNAME_FIELD = "givenName"
AUTH_LDAP_LASTNAME_FIELD = "sn"
AUTH_LDAP_EMAIL_FIELD = "mail"
AUTH_USER_REGISTRATION = True
AUTH_LDAP_SERVER = "ldap://xxx.xxx.xxx.xxx:389"
AUTH_LDAP_SEARCH = "cn=hall.net,ou=groups,dc=dataops,dc=dg"
AUTH_LDAP_USERNAME_FORMAT = "uid=%s,ou=groups1,dc=dataops,dc=dg"
AUTH_LDAP_UID_FIELD = "uid"
AUTH_ROLES_MAPPING = {
"cn=hall.net,ou=groups,dc=dataops,dc=dg": ["Admin"],
"cn=hall.biz,ou=groups,dc=dataops,dc=dg": ["Admin"],
}
#AUTH_LDAP_GROUP_FIELD = "memberOf"
AUTH_ROLES_SYNC_AT_LOGIN = False
PERMANENT_SESSION_LIFETIME = 1800
AUTH_LDAP_BIND_USER = "cn=supersetadmin_MX4G,cn=hall.net,ou=groups,dc=dataops,dc=dg"
AUTH_LDAP_BIND_PASSWORD = "6P8HIKBZCZ"
AUTH_ROLE_PUBLIC = 'Public'
PUBLIC_ROLE_LIKE = 'Alpha'
OpenIO 7.2.0.
I have an OpenIO cluster with Keystone (Queens) auth.
By default any user can configure his own ACLs and public URL.
I would like to restrict users to only reading and writing containers and objects.
Apparently deny_host_headers in proxy-server.conf can do the job, but it does not seem to be working -> nothing happens.
I didn't find any "super admin" ACLs.
Any idea?
My proxy-server.conf ->
# OpenIO managed
[DEFAULT]
use_stderr = False
bind_ip = ip
bind_port = port
workers = 72
max_clients = 1024
user = openio
log_facility = /dev/log
log_header = true
log_level = INFO
log_name = OIO,OPENIO,oioswift,0
eventlet_debug = false
sds_namespace = OPENIO
sds_proxy_url = http://ip:port
sds_default_account = openio
sds_connection_timeout = 5
sds_read_timeout = 35
sds_write_timeout = 35
sds_pool_connections = 500
sds_pool_maxsize = 500
sds_max_retries = 0
sds_tls = False
[pipeline:main]
pipeline = catch_errors gatekeeper healthcheck proxy-logging cache bulk proxy-logging authtoken keystoneauth proxy-logging copy container-quotas account-quotas slo dlo versioned_writes proxy-logging proxy-server
[filter:catch_errors]
use = egg:swift#catch_errors
[filter:gatekeeper]
use = egg:swift#gatekeeper
[filter:healthcheck]
use = egg:oioswift#healthcheck
[filter:proxy-logging]
use = egg:swift#proxy_logging
access_log_headers = false
access_log_headers_only =
[filter:cache]
use = egg:swift#memcache
memcache_servers = ip:port
memcache_max_connections = 10
oio_cache = False
oio_cache_ttl = 0
[filter:bulk]
use = egg:swift#bulk
#[filter:tempurl]
#use = egg:swift#tempurl
#[filter:swift3]
#use = egg:swift3#swift3
#force_swift_request_proxy_log = True
#s3_acl = True
#check_bucket_owner = True
#location = us-east-1
#max_bucket_listing = 1000
#max_multi_delete_objects = 1000
#max_upload_part_num = 10000
#log_s3api_command = False
#bucket_db_enabled = True
#bucket_db_prefix = s3bucket:
#storage_domain = s3.openio.io
#bucket_db_master_name = OPENIO-master-1
#bucket_db_sentinel_hosts = ip:port
#[filter:tempauth]
#use = egg:oioswift#tempauth
#user_demo_demo = DEMO_PASS .admin
[filter:copy]
use = egg:oioswift#copy
object_post_as_copy = False
[filter:container-quotas]
use = egg:swift#container_quotas
[filter:account-quotas]
use = egg:swift#account_quotas
[filter:slo]
use = egg:oioswift#slo
max_manifest_segments = 10000
concurrency = 10
[filter:dlo]
use = egg:swift#dlo
[filter:versioned_writes]
use = egg:oioswift#versioned_writes
allow_versioned_writes = True
[app:proxy-server]
use = egg:oioswift#main
object_post_as_copy = False
allow_account_management = True
account_autocreate = True
sds_chunk_checksum_algo =
deny_host_headers = x-container-sync-key, x-container-sync-to, x-account-meta-temp-url-key, x-account-meta-temp-url-key-2, x-container-meta-temp-url-key, x-container-meta-temp-url-key-2, x-account-access-control
[filter:authtoken]
auth_type = password
#username = swift
username = user
project_name = user
region_name = region
user_domain_id = domain
memcache_secret_key = memcache_secret_key
paste.filter_factory = keystonemiddleware.auth_token:filter_factory
insecure = True
cache = swift.cache
delay_auth_decision = True
token_cache_time = 300
auth_url = http://ip:port
include_service_catalog = False
www_authenticate_uri = http://ip:port
memcached_servers = ip:port
password = password
revocation_cache_time = 60
memcache_security_strategy = ENCRYPT
project_domain_id = dommain
[filter:keystoneauth]
use = egg:swift#keystoneauth
operator_roles = role
reseller_admin_role = role
Setting delay_auth_decision = False in the authtoken section of the proxy-server.conf file does the job.
delay_auth_decision : delay_auth_decision defaults to False, but leaving it as false will prevent other auth systems, staticweb, tempurl, formpost, and ACLs from working. This value must be explicitly set to True.
Now only file owners can view/create/edit containers/objects -> ACLs and sharing won't work.
I have been trying to configure an SMS gateway service using Kannel and sqlbox. My system is successfully connected to the Airtel SMSC. But whenever I try to send an SMS (inserting data into the send_sms table, of course), I get this weird response from the SMSC:
NACK/0x00000061/Invalid Scheduled Delivery Time
But I have not mentioned the scheduled delivery time anywhere.
Here is the log on the SMSC side
and here is my Kannel configuration
#CORE
group = core
admin-port = 13000
smsbox-port = 13001
admin-password = rasello
status-password = rasello
admin-allow-ip = "*.*.*.*"
wdp-interface-name = "*"
log-file = "/var/log/kannel/bearerbox.log"
#store-file = "/var/log/kannel/kannel.store"
log-level = 0
#box-deny-ip = "*.*.*.*"
box-allow-ip = "*.*.*.*"
dlr-storage=mysql
#SMSBOX SETUP
group = smsbox
bearerbox-host = localhost
sendsms-port = 13013
bearerbox-port = 13001
log-file = "/var/log/kannel/smsbox.log"
log-level = 0
# SEND-SMS USERS
group = sendsms-user
username = username
password = password
default-smsc = rasello
#mysql connection
group = mysql-connection
id = sqlbox-db
host = localhost
port = 3306
username = root
password = N3pal#312
database = kannel
max-connections = 10
# DLR SETUP
#mysql connection
group = mysql-connection
id = mydlr
host = localhost
username = root
password = N3pal#312
database = kannel
max-connections = 10
group = dlr-db
id = mydlr
table=dlr
field-smsc=smsc
field-timestamp=ts
field-destination=destination
field-source=source
field-service=service
field-url=url
field-mask=mask
field-status=status
field-boxc-id=boxc
# SMSC SMPP
group = smsc
smsc-id = rasello
smsc = smpp
host = ip
port = port
transceiver-mode = false
smsc-username = username
smsc-password = password
system-type = smpp
interface-version = 34
address-range = ""
#SMS SERVICE GET-URL
group = sms-service
keyword = default
send-sender = true
get-url = "http://localhost/receivesms?phone=%p&text=%a"
Please help resolve this issue.
You have to contact your SMPP provider for this, because they are rejecting your SMS with this NACK.
As part of my new years learning new technologies initiative I have started messing around with the Apache Shiro Security Framework.
I managed to get the basic example working which stores usernames, passwords and roles in the shiro.ini file, but when I modified my shiro.ini file to use JDBC it just stopped working. I now keep getting prompted for my username and password when trying to access my application. I've kept it as simple as possible (the passwords aren't even hashed).
Below is my shiro.ini file, does anyone have any idea what I'm doing wrong?
[main]
authc.usernameParam = j_username
authc.passwordParam = j_password
authc.failureKeyAttribute = shiroLoginFailure
jdbcRealm = org.apache.shiro.realm.jdbc.JdbcRealm
jdbcRealm.permissionsLookupEnabled = true
jdbcRealm.authenticationQuery = "SELECT password FROM user WHERE username = ?"
jdbcRealm.userRolesQuery = "SELECT role FROM user WHERE username = ?"
ds = com.mysql.jdbc.jdbc2.optional.MysqlDataSource
ds.serverName = localhost
ds.user = root
ds.password = password
ds.databaseName = database
jdbcRealm.dataSource = $ds
# Use Built-in Cache Manager
builtInCacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
securityManager.cacheManager = $builtInCacheManager
securityManager.realms = $jdbcRealm
[users]
[roles]
[urls]
/* = authcBasic
If you are not providing a permissions query, then it is better to disable the permissions lookup. Also, if you want to use basic authentication, why use the authc attributes?
Try the following:
[main]
#authc.usernameParam = j_username
#authc.passwordParam = j_password
#authc.failureKeyAttribute = shiroLoginFailure
jdbcRealm = org.apache.shiro.realm.jdbc.JdbcRealm
jdbcRealm.permissionsLookupEnabled = false
jdbcRealm.authenticationQuery = SELECT password FROM user WHERE username = ?
jdbcRealm.userRolesQuery = SELECT role FROM user WHERE username = ?
ds = com.mysql.jdbc.jdbc2.optional.MysqlDataSource
ds.serverName = localhost
ds.user = root
ds.password = password
ds.databaseName = database
jdbcRealm.dataSource = $ds
# Use Built-in Cache Manager
builtInCacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
securityManager.cacheManager = $builtInCacheManager
securityManager.realms = $jdbcRealm
[users]
[roles]
[urls]
/* = authcBasic
I'm doing some testing with Apache Shiro just to learn, and I have a problem with permissions. The isPermitted() method just does not work; I mean, it always returns false.
shiro.ini
[main]
sha256Matcher = org.apache.shiro.authc.credential.HashedCredentialsMatcher
sha256Matcher.hashAlgorithmName=SHA-256
authc.loginUrl = /faces/views/login.xhtml
authc.successUrl = /faces/views/index.xhtml
builtInCacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
securityManager.cacheManager = $builtInCacheManager
jdbcRealm=org.apache.shiro.realm.jdbc.JdbcRealm
jdbcRealm.permissionsLookupEnabled = true
jdbcRealm.authenticationQuery = select senha from VUsuarioPerfil where usuario = ?
jdbcRealm.userRolesQuery = select perfil from VUsuarioPerfil where usuario = ?
jdbcRealm.permissionsQuery = select permissoes from VUsuarioPerfil where usuario = ?
jdbcRealm.credentialsMatcher = $sha256Matcher
ds = com.microsoft.sqlserver.jdbc.SQLServerConnectionPoolDataSource
ds.serverName = 192.168.50.254
ds.user = xx
ds.password = xxx
ds.databaseName = shiro
jdbcRealm.dataSource = $ds
Each user should have his own permission, so in the view (VUsuarioPerfil) there is a column called permissoes where I placed a string, like "clientes:visualizar".
And in the code I test it this way:
public void test() {
    System.out.println(SecurityUtils.getSubject().hasRole("usuario"));
    System.out.println(SecurityUtils.getSubject().isPermitted("clientes:visualizar"));
}
Result is output:
true
false
I don't know why just the permission isn't caught from the database.
In the JDBC realm, the permissions query is not expected to map users->roles, it is expected to map roles->permissions.
So essentially, the query that is getting called is:
select permissoes from VUsuarioPerfil where usuario = usuario
And, as you would expect, it returns nothing. Therefore the role has no permissions, and the user has no permissions.
Perhaps considering the default permissions query would help you think about how to map a query to your data structure?
select permission from roles_permissions where role_name = ?
Check out your property:
select permissoes from VUsuarioPerfil
You need to correct permissions
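The roles-to-permissions lookup described in the answer above, modelled as an added example (not code from the posts or from Shiro itself). Python with an in-memory SQLite table stands in for the SQL Server view; the rows and the `QUERY_BY_ROLE` correction are constructed assumptions, and the permission matcher is a simplified version of Shiro's wildcard syntax.

```python
import sqlite3

def make_db():
    """Constructed sample rows shaped like the question's VUsuarioPerfil view."""
    db = sqlite3.connect(":memory:")
    db.execute("create table VUsuarioPerfil "
               "(usuario text, senha text, perfil text, permissoes text)")
    db.executemany("insert into VUsuarioPerfil values (?, ?, ?, ?)", [
        ("joao", "<sha256-hex>", "usuario", "clientes:visualizar"),
        ("maria", "<sha256-hex>", "admin", "clientes:*"),
    ])
    return db

ROLES_QUERY = "select perfil from VUsuarioPerfil where usuario = ?"
# The question's permissionsQuery: filters on the user column.
QUERY_BY_USER = "select permissoes from VUsuarioPerfil where usuario = ?"
# Assumed correction (not from the page): filter on the role column.
QUERY_BY_ROLE = "select permissoes from VUsuarioPerfil where perfil = ?"

def authorization_info(db, username, permissions_query):
    """Model of the lookup order: roles for the user first, then the
    permissions query once per role, with the ROLE NAME as the parameter."""
    roles = {row[0] for row in db.execute(ROLES_QUERY, (username,))}
    perms = set()
    for role in roles:
        perms |= {row[0] for row in db.execute(permissions_query, (role,))}
    return roles, perms

def is_permitted(perms, wanted):
    """Simplified wildcard check: colon-separated parts, '*' matches any
    single part. Comma sub-parts and longer-than-requested permissions
    are not handled."""
    want = wanted.split(":")
    for perm in perms:
        have = perm.split(":")
        if len(have) <= len(want) and all(h in ("*", w) for h, w in zip(have, want)):
            return True
    return False

if __name__ == "__main__":
    db = make_db()
    for label, query in (("by user", QUERY_BY_USER), ("by role", QUERY_BY_ROLE)):
        roles, perms = authorization_info(db, "joao", query)
        print(label, roles, perms, is_permitted(perms, "clientes:visualizar"))
```

With the user-column query the role check succeeds and the permission set is empty, which matches the `true` / `false` output in the question.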