Haproxy map: Mapping 1 ID to multiple rows - authentication

I am trying to achieve a form of authentication in HAProxy where one authentication ID can be mapped to multiple data IDs, which pretty much restricts data access to my APIs when the user is calling them. I want to do this in a map file, since these IDs are going to change very frequently, so writing individual rules isn't plausible.
So in theory I want to do this:
user X calls endpoint with data ID 123. User is given access.
user X calls endpoint with data ID 456. User is given access.
user y calls endpoint with data ID 123. User is denied access.
Example map file:
Left column is ID and right is DataID
X 123
X 456
X 789
Y 121
Y 111
Z 123
Is this doable? If not, what would be a good alternative to mimic this behavior?

The key (left column) should be unique in your case.
That said, this is perfectly doable with a map file like the one below:
X-123 allow
X-456 allow
X-789 allow
Y-121 allow
Y-111 allow
Z-123 allow
First, you must concatenate both username and data-id in a temporary HTTP header, then you use it like:
http-request set-header X-my-internal-key %[req.hdr(Username)]-%[req.hdr(myendpoint_id)]
http-request deny unless { req.hdr(X-my-internal-key),map(/path/to/mapfile.map) -m found }
Baptiste
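The composite-key lookup in the answer above, as an added example that is not part of the original post or of HAProxy itself: a small Python stand-in that builds the "X-123 allow" map from the asker's two-column format and mirrors the `deny unless ... -m found` check, so the scheme can be exercised offline. It assumes "-" as the separator, exactly as in the answer's map file, and that the Username header is set by an upstream authentication step rather than taken from the client. It also covers the one thing the answer leaves implicit: plain concatenation is ambiguous if either field can itself contain the separator (user "X-1" with ID "23" and user "X" with ID "1-23" both become "X-1-23"), so the builder refuses such rows.

```python
"""Added example (not from the original answer): offline stand-in for the
HAProxy map lookup, built from the asker's "<user> <dataID>" rows.

Assumptions: "-" is the key separator (as in the answer's map file) and the
Username header is set by a trusted upstream authentication step.
"""

SEPARATOR = "-"

# Constructed two-column input in the asker's format: <user> <dataID>.
SOURCE_ROWS = """\
X 123
X 456
X 789
Y 121
Y 111
Z 123
"""


def build_map(two_column_text: str, sep: str = SEPARATOR) -> dict[str, str]:
    """Turn "X 123" rows into the "X-123 allow" entries HAProxy's map() expects.

    Rejects any user or data ID that already contains the separator: with plain
    concatenation, user "X-1" + id "23" and user "X" + id "1-23" would both
    become "X-1-23", so one grant would silently cover the other.
    """
    entries: dict[str, str] = {}
    for lineno, raw in enumerate(two_column_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected '<user> <dataID>', got {raw!r}")
        user, data_id = parts
        if sep in user or sep in data_id:
            raise ValueError(f"line {lineno}: separator {sep!r} not allowed inside a field")
        entries[f"{user}{sep}{data_id}"] = "allow"
    return entries


def render_map_file(entries: dict[str, str]) -> str:
    """Serialise entries in HAProxy map-file syntax: key, whitespace, value."""
    return "".join(f"{key} {value}\n" for key, value in entries.items())


def is_allowed(entries: dict[str, str], username: str, data_id: str,
               sep: str = SEPARATOR) -> bool:
    """Mirror `http-request deny unless { hdr,map(file) -m found }`:
    the request passes only when the composite key has an entry."""
    return f"{username}{sep}{data_id}" in entries


if __name__ == "__main__":
    table = build_map(SOURCE_ROWS)
    print(render_map_file(table), end="")
    print("X/123:", is_allowed(table, "X", "123"))  # True
    print("Y/123:", is_allowed(table, "Y", "123"))  # False
```

Because the map is keyed on whatever arrives in the Username header, the header is only a sound identity if HAProxy (or an authentication layer in front of it) sets it and any copy sent by the client is dropped first.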

Related

How to use numeric chat IDs to avoid expensive `get_entity(channel_name)` calls?

As per this comment, I'm trying to use numeric channel IDs in my telethon code, so that I don't end up spamming the Telegram API with expensive name lookup calls and getting throttled, but I'm having some difficulty.
e.g. assuming I've already instantiated and connected client:
messages = client.get_messages(numeric_channel_id)
...fails with this error:
ValueError: Could not find the input entity for PeerUser(user_id=[numeric_channel_id]) (PeerUser)
I think there's some caching going on, because if I do a get_entity call using the account name first, then the get_messages call works. i.e. something like this:
client.get_entity(channel_name_which_belongs_to_numeric_channel_id)
messages = client.get_messages(numeric_channel_id)
That works just fine, but now I'm doing the expensive get_entity(name) call which is what I'm trying to avoid (because it will result in FloodWaitError problems).
Is there any way I can use the numeric ID of a channel to avoid the expensive get_entity call, in this scenario?
I've also tried forcing the entity type to Channel, like this:
channel = Channel(id=numeric_channel_id, title=None, photo=None, date=None)
messages = client.get_messages(channel)
...but the results are the same, except that the error mentions PeerChannel rather than PeerUser
ID usage is not going to work unless you cached the target as you stated; that's the only way to use the integer id.
You must have met the entity from events or manual requests (say, username fetching).
You should be using client.get_input_entity('username').
It will try to search the local cache first for the saved id + hash that equals the passed username; if found, it won't do ResolveUsername (the heavy one) and will use the local access_hash + id and return you an InputPeer. You pass that to any request you want.
You mustn't use the id alone unless you're certain you have met its holder; in other words, the id you use has to be something you found out from within the library and within the same session, not something you knew/found out externally.
There is no magical way to fetch something with an id you claim you know; if you actually know it, the lib has to create (when the access_hash is present) an InputPeer.
As the other answer states, fetching by username will always work but is expensive. However note that such a call will fill the cache so it can later be fetched again much more cheaply by ID.
If you really need a stable reference to some entity and cannot rely on the session cache, and want to avoid usernames, the documentation for Entities vs. Input Entities may be helpful.
What it boils down to is, you can do this:
print(await client.get_input_entity('username'))
...which will show something like:
InputPeerChannel(channel_id=1066197625, access_hash=-6302373944955169144)
...and then, the account that made the get_input_entity call will always be able to use the printed result, without the need for it to be in cache:
from telethon.tl.types import InputPeerChannel
USERNAME = InputPeerChannel(channel_id=1066197625, access_hash=-6302373944955169144)
# ...
await client.send_message(USERNAME, 'Hi') # works without cache

Contacts and contact_groups in nagios configuration

Can I have both contacts and contact_groups specified together in a Nagios host and service config? I mean, if I don't want to notify only a contact or only a group.
e.g.
define host{
    host_name                   bogus-router
    alias                       Bogus Router #1
    address                     192.168.1.254
    parents                     server-backbone
    check_command               check-host-alive
    check_interval              5
    retry_interval              1
    max_check_attempts          5
    check_period                24x7
    process_perf_data           0
    retain_nonstatus_information 0
    contacts                    specyfic-admin
    contact_groups              router-admins
    notification_interval       30
    notification_period         24x7
    notification_options        d,u,r
}
Yes.
From the documentation:
contacts: This is a list of the short names of the contacts that should be notified whenever there are problems (or recoveries) with this host. Multiple contacts should be separated by commas. Useful if you want notifications to go to just a few people and don't want to configure contact groups. You must specify at least one contact or contact group in each host definition.
contact_groups: This is a list of the short names of the contact groups that should be notified whenever there are problems (or recoveries) with this host. Multiple contact groups should be separated by commas. You must specify at least one contact or contact group in each host definition.
Actually - now that I copy that I'm not so sure it describes the answer properly.
You may also want to look at Object Inheritance.
But, the short answer is still a yes.

Finding duplicate users in a user list (Asked in an Interview)

I was recently asked this in an interview for a SDE role.
Suppose you have a list of User objects
class User {
    String userId;
    String email;
    String ip_addr;
}
where userId field is unique among all users, while ip_addr and email are not necessarily so.
and you know some users have more than one user account (if any two User objects share a common email OR an ip_addr, you classify them as belonging to the same user).
you are required to write a function, whose signature is given as:
List<List<User>> findDups(User[] userList) {
    // code here
}
[EDIT] so for example, if there are 7 users, only 2 of which are unique, the function can return something like the following (not necessarily in this specific order):
{
    {user1, ip1, email1},
    {user5, ip5, email1},
    {user24, ip5, email2}
},
{
    {user2, ip2, email2},
    {user7, ip2, email7},
    {user8, ip2, email0},
    {user19, ip19, email7}
}
here, in this first group, the first user (user1) is the same user as the second one (user5) as they share the same email address. We also know that the third user (user24) is also the same user as it shares the same ip address (ip5) as the second user in the list.
[/END EDIT]
what data structure would you use and what would be the time complexity of the proposed solution?
I tried to use disjoint set union (quick union), which would give me linear complexity, however the interviewer constantly tried to steer me away from that and said just the Collection API would be enough (Using Lists and Sets and maps).
What would be your approach and solution and the corresponding time complexity?
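The disjoint-set approach the asker mentions, worked through as an added example (not code from the post or from any answer): each account is a node, the first account seen for every email and every IP acts as the representative for that value, and each later account with the same value is unioned with it. Linking is transitive, so A~B by email and B~C by IP put A, B and C in one group, which is exactly the user1/user5/user24 case in the post. With path compression and union by size the whole pass is near-linear in the number of accounts. The `User` class mirrors the post's Java fields; the sample data is constructed here. Note that in the post's own sample, email2 appears in both printed groups, which the stated email-OR-IP rule would merge into one person, so the constructed sample below gives user24 a distinct email in order to produce two groups.

```python
"""Added example, not from the interview post: group User records that share
an email OR an ip_addr using a disjoint-set union (union-find).

The User fields mirror the post's Java class; SAMPLE is constructed data.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    user_id: str
    email: str
    ip_addr: str


class DisjointSet:
    """Union-find with path halving and union by size."""

    def __init__(self, n: int) -> None:
        self.parent = list(range(n))
        self.size = [1] * n

    def find(self, x: int) -> int:
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a: int, b: int) -> None:
        ra, rb = self.find(a), self.find(b)
        if ra == rb:
            return
        if self.size[ra] < self.size[rb]:
            ra, rb = rb, ra
        self.parent[rb] = ra
        self.size[ra] += self.size[rb]


def find_dups(users: list[User]) -> list[list[User]]:
    """Return groups of accounts that belong to the same person.

    Two accounts are linked when they share an email OR an ip_addr; links are
    transitive. Only groups with more than one account are returned, in the
    order their first member appeared in the input.
    """
    dsu = DisjointSet(len(users))
    # Index of the first account seen for each attribute value. Unioning every
    # later account with that first one is enough to connect the whole set.
    first_by_email: dict[str, int] = {}
    first_by_ip: dict[str, int] = {}
    for i, u in enumerate(users):
        for index, key in ((first_by_email, u.email), (first_by_ip, u.ip_addr)):
            if key in index:
                dsu.union(i, index[key])
            else:
                index[key] = i
    groups: dict[int, list[User]] = defaultdict(list)
    for i, u in enumerate(users):
        groups[dsu.find(i)].append(u)
    return [g for g in groups.values() if len(g) > 1]


# Constructed sample (user24 gets its own email so two groups come out).
SAMPLE = [
    User("user1", "email1", "ip1"),
    User("user5", "email1", "ip5"),    # same email as user1
    User("user24", "email24", "ip5"),  # same IP as user5
    User("user2", "email2", "ip2"),
    User("user7", "email7", "ip2"),    # same IP as user2
    User("user8", "email0", "ip2"),    # same IP as user2
    User("user19", "email7", "ip19"),  # same email as user7
    User("user3", "email3", "ip3"),    # unique account, not reported
]

if __name__ == "__main__":
    for group in find_dups(SAMPLE):
        print([u.user_id for u in group])
```

Each account is touched a constant number of times plus the near-constant union-find cost, which is the linear complexity the asker quoted; a Collections-only version (a map from attribute value to a mutable group, merging groups when an account bridges two of them) gives the same answer but pays for each merge by re-labelling the smaller group's members.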

How to find a set of users are following or followed by another particular user using the Twitter API?

I want to know if there is any Twitter API via which I can find out whether a set of users is either following or followed by a particular user.
For example:
set_of_users are: { a,b,c}
particular user is: d
Then the result is a kind of
a:
following: true //(means a is following d)
friend: true //(means d is following a)
b:
following: false //(means b is not following d)
friend: false // (means
c:
following: false //(means c is not following d)
friend: true //(means c is following d)
Also, some API which tells it a, b, c, and d are all interconnected with each other as friend or follower?
You can use the friends/ids endpoint for friends:
https://dev.twitter.com/rest/reference/get/friends/ids
Use the followers/ids endpoint for followers:
https://dev.twitter.com/rest/reference/get/followers/ids
These return ids, which is good because it's fast and lets you pull in the whole list with a smaller number of queries.
Once you have id's, use the users/lookup endpoint to pull in user data. It has a user_id parameter that you can use to gather multiple user records at a time, via a comma-separated list of id's:
https://dev.twitter.com/rest/reference/get/users/lookup
If you're new, you should visit the Twitter Documentation page and review Overview and Best Practices. These will answer a lot of questions you'll have. e.g. the type of querying you'll be doing will likely cause you to bump into rate limits, so reading up on that will save a lot of frustration later.
https://dev.twitter.com/overview/documentation
There isn't an API to manage graphs.

How to update a XACML / ALFA policy?

I have written policy in ALFA where:
if the amount to transfer is greater than the transfer limit, then the request should be denied.
I wanted to know how to specify a particular transfer limit. And from an administrator's point of view, if in the future I want to update the transfer limit, where and how should it be done?
For example, I want to set the current transfer limit to $2000. How do I do that, and then how do I update the transfer limit if I want to?
To add to what David mentioned, you could set this value in a database cell and update its value offline of ABAC/XACML (using other processes in place in your org.). The value can then be queried at evaluation time by telling your PDP that withdrawalLimit is queried from a specific DB using the SQL "select limit from ...."
So, that is the advantage of XACML: as rules are defined in a policy, you can update the access control rules in a dynamic manner. The transfer limit may have been configured in your XACML policy. You can update it by editing the XACML policy. Then this update must be effected for the PDP runtime, and requests would be served according to it.
The ALFA plugin would have an easy way of updating the XACML policy attributes rather than just updating the raw policy. Hope you may find it. But if you update the XACML policy, it would also work.
It's good to see you are making progress. In your case, the authorization policy in ALFA would look as follows:
namespace com.axiomatics.banking{
    attribute actionId{
        category = actionCat
        id = "actionId"
        type = string
    }
    attribute resourceType{
        category = resourceCat
        id = "resourceType"
        type = string
    }
    attribute amount{
        category = resourceCat
        id = "amount"
        type = double
    }
    /**
     * Policy to transfer money
     */
    policy transferMoney{
        target clause actionId=="transfer" and resourceType=="money"
        apply firstApplicable
        /**
         * Deny access if amount is greater than 2000
         */
        rule checkAmount{
            target clause amount > 2000
            deny
        }
        /**
         * Grant access
         */
        rule allow{
            permit
        }
    }
}
Note that in my example I use a negative rule to deny access. This is great, for instance, if I want to add Advice or Obligation to that rule to indicate the reason for denial.
Now your question doesn't relate so much to the policy structure but rather to the values of the attributes. In XACML you have two options. Either:
you "hard-code" the value into the policy, or
you externalize the value and put it inside a policy information point (PIP) which could be a database, a web service, an LDAP... The benefit of externalizing the value is that you can now update the value without having to change the policy. The policy becomes more generic. Also it means you can have user-specific limits.
In the latter case, your rule becomes:
/**
 * Deny access if amount is greater than the user's withdrawal limit
 */
rule checkAmount{
    condition amount > withdrawalLimit
    deny
}
In the Axiomatics Policy Server, you can configure a PIP / attribute connector to retrieve the value based on, say, the user id.
HTH,
David.
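The two options David describes, as an added example that is not from the answer, from ALFA or from any XACML product: a miniature policy decision point evaluating the transferMoney policy with first-applicable combining, where the limit comes either from the policy text (the literal 2000) or from a policy information point. The PIP is a plain dict standing in for the database the answers mention, with constructed per-user limits; attribute names follow the ALFA snippet (actionId, resourceType, amount, withdrawalLimit). It also shows the edge case that matters once the value is externalized: if the PIP has no limit for the requesting user, the condition cannot be evaluated, the result is Indeterminate rather than Permit, and the enforcement side treats anything but an explicit Permit as a refusal.

```python
"""Added example, not from the ALFA answer: a toy PDP for the transferMoney
policy with the withdrawal limit either hard-coded or fetched from a PIP.

LIMITS_DB is constructed sample data standing in for the database row the
answers describe ("select limit from ...").
"""
from dataclasses import dataclass
from typing import Callable, Optional

# Option 2: per-user limits kept outside the policy (constructed sample data).
LIMITS_DB: dict[str, float] = {"alice": 2000.0, "bob": 500.0}


@dataclass
class Request:
    action_id: str      # actionId
    resource_type: str  # resourceType
    amount: float       # amount
    user_id: str        # subject used as the PIP lookup key


def hard_coded_limit(_user_id: str) -> Optional[float]:
    """Option 1: the literal 2000 written into the policy."""
    return 2000.0


def pip_withdrawal_limit(user_id: str) -> Optional[float]:
    """Option 2: stand-in for the DB-backed attribute connector; None when
    the PIP holds no withdrawalLimit for this user."""
    return LIMITS_DB.get(user_id)


def evaluate(request: Request,
             limit_source: Callable[[str], Optional[float]]) -> str:
    """Evaluate policy transferMoney with first-applicable combining.

    Returns one of "NotApplicable", "Deny", "Permit", "Indeterminate".
    The policy target is checked first; then rule checkAmount; then rule
    allow. An unresolvable withdrawalLimit makes checkAmount Indeterminate,
    and under first-applicable that becomes the policy's result.
    """
    if not (request.action_id == "transfer" and request.resource_type == "money"):
        return "NotApplicable"
    limit = limit_source(request.user_id)
    if limit is None:
        return "Indeterminate"   # condition cannot be evaluated
    if request.amount > limit:
        return "Deny"            # rule checkAmount
    return "Permit"              # rule allow


def is_permitted(request: Request,
                 limit_source: Callable[[str], Optional[float]] = pip_withdrawal_limit) -> bool:
    """PEP side: only an explicit Permit lets the transfer proceed."""
    return evaluate(request, limit_source) == "Permit"


if __name__ == "__main__":
    req = Request("transfer", "money", 600.0, "bob")
    print("hard-coded 2000:", evaluate(req, hard_coded_limit))   # Permit
    print("PIP limit for bob:", evaluate(req, pip_withdrawal_limit))  # Deny
    print("unknown user:", evaluate(Request("transfer", "money", 1.0, "mallory"),
                                    pip_withdrawal_limit))       # Indeterminate
```

Changing bob's limit is now an update to LIMITS_DB (the database, in the real deployment) and needs no policy redeployment, which is the generic-policy benefit the answer describes; the same request is permitted under the hard-coded 2000 and denied under bob's externalized 500.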