Gitolite restrict access to branch - branch

I have Gitolite on my server and I want to configure access to my repository. I want to restrict access to some branches for some users. I tried a lot of variants of configuring the gitolite.conf file and didn't find a solution for restricting access to some branches.
1)
@developers1 = user1
@developers2 = user2
repo dbatest
    RW+ = @developers1
    R test = @developers2
    - test = @developers2
    RW+ = @developers2
When user2 executed the command git push origin test, the push succeeded.
In the gitolite log I had these lines:
http ARGV=user2 SOC=git-receive-pack 'dbatest' FROM=10.65.184.239
6453 pre_git dbatest user2 W any refs/.*
6453 system,git,http-backend
6453 END
2)
@developers1 = user1
@developers2 = user2
repo dbatest
    RW+ = @developers1
    - test = @developers2
    RW+ = @developers2
When user2 executed the command git push origin test, the push succeeded.
In the gitolite log I had these lines:
http ARGV=user2 SOC=git-receive-pack 'dbatest' FROM=10.65.184.239
6457 pre_git dbatest user2 W any refs/.*
6457 system,git,http-backend
6457 END
3)
@developers1 = user1
@developers2 = user2
repo dbatest
    RW+ = @developers1
    R test = @developers2
    - test = @developers2
    RW+ = @developers2
    option deny-rules = 1
When user2 executed the command git push origin test, the push was denied and he saw this message:
fatal: remote error: FATAL: W any dbatest user2 DENIED by refs/heads/test
(or you mis-spelled the reponame)
And in the gitolite log I had this:
8161 http ARGV=user2 SOC=git-receive-pack 'dbatest' FROM=10.65.184.239
8161 die W any dbatest user2 DENIED by refs/heads/test<<newline>>(or you mis-spelled the reponame)
It looks good, but when he tries to push something into the master branch he gets this message too.
I tried mixing these lines in my gitolite config file but they didn't work for me.
I will be happy if someone can help me with it. I want to restrict write access to some branches for some developers. I can't create an additional repository; I must use a restriction policy on one main repository.
Big thanks!

If I look at the official documentation:
repo foo bar
    RW+ = alice @teamleads
    - master = dilbert @devteam
    - refs/tags/v[0-9] = dilbert @devteam
    RW+ dev/ = dilbert @devteam
    RW = dilbert @devteam
    R = @managers
dilbert and the dev team have these restrictions:
they can do anything to branches whose names start with "dev/"
**they can create or fast-forward push, but not rewind or delete, any branch except `master`**
So this looks right:
    - test = @developers2
    RW+ = @developers2
However, gitolite has two checks: one when the ref is unknown (in which case "- test" is ignored), and one when the ref is known.
In your case, the ref (test) should be known and the deny rule should apply.
You can debug further by tracing the logic of your specific rules with:
gitolite access -s dbatest user2 W test
The OP Sufelfay confirms in the comments that it works with 3.5.3, not with 3.6.x.

I know it's an old topic, but I did some research recently and ended up here. Quick update about the commentary from the answer at the top.
I'm using v3.6.4 and the following solution is working:
@teamA = user1 user2
@teamB = user3 user4
repo foo
    RW+ = @teamA
    R = @teamB
    RW+ refs/heads/banana = @teamB
In this case, teamB is allowed to clone the repo "foo" and push only to the branch "banana".

As Sufelfay said in the comments to the other posting, this is a bug in recent versions of Gitolite.
The access check is split into two phases. During the initial phase the ref is unknown and Gitolite is supposed to skip all rules referring to refs.
In fact, however, it applies all rules but ignores the ref specification. Thus ...
    - test = @developers2
... is evaluated as ...
    - = @developers2
... during the first phase. To make matters worse, the error indicates the very last rule which was processed. This rule may be unrelated.
As a workaround, you can add an access rule for any before the deny rules:
    RW any = @developers2
    - test = @developers2
...
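Added example, not gitolite's own code: a small Python model of the two-phase check the answers above describe (pre_git with the ref still unknown, then the update hook with the real ref). It assumes three things stated or implied on this page: a refex without a leading refs/ means refs/heads/<refex> (so the "any" in the workaround is, in this model, simply a branch named "any"); during the unknown-ref phase every refex counts as matching and deny rules are skipped unless option deny-rules = 1; otherwise the first matching rule decides. It does not reproduce the 3.6.x bug the question ran into; it shows what the rules are meant to do, including why case 3 denies pushes to master as well and why the workaround restores the intended behaviour. The configs are copied from the question and the answers.

```python
import re

# Permission keyword -> operations it grants (R = read, W = write,
# + = rewind/delete). "-" is a deny rule and grants nothing.
GRANTS = {"R": {"R"}, "RW": {"R", "W"}, "RW+": {"R", "W", "+"}}


def parse_conf(text):
    """Parse the gitolite.conf subset used on this page: @group lines,
    'repo NAME', 'option key = value' and 'PERM [refex] = users'.
    Returns {repo: {"rules": [(perm, refex, users)], "options": {...}}}."""
    groups, repos, repo = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("@"):
            name, members = line.split("=", 1)
            groups[name.strip()] = set(members.split())
        elif line.startswith("repo "):
            repo = line.split()[1]
            repos[repo] = {"rules": [], "options": {}}
        elif line.startswith("option "):
            key, value = line[len("option "):].split("=", 1)
            repos[repo]["options"][key.strip()] = value.strip()
        else:
            lhs, rhs = line.split("=", 1)
            parts = lhs.split()
            perm = parts[0]
            # No refex means "every ref"; a refex not starting with refs/
            # is taken as refs/heads/<refex> (documented gitolite behaviour).
            refex = parts[1] if len(parts) > 1 else "refs/.*"
            if not refex.startswith("refs/"):
                refex = "refs/heads/" + refex
            users = set()
            for who in rhs.split():
                users |= groups.get(who, {who})
            repos[repo]["rules"].append((perm, refex, users))
    return repos


def check(repo_conf, user, op, ref):
    """One pass over the rules; first match wins. ref == "any" models the
    pre_git phase: every refex is treated as matching, and deny rules are
    skipped unless 'option deny-rules = 1' (assumption taken from the page)."""
    deny_rules = repo_conf["options"].get("deny-rules") == "1"
    for perm, refex, users in repo_conf["rules"]:
        if user not in users:
            continue
        if perm == "-" and ref == "any" and not deny_rules:
            continue
        if ref != "any" and not re.match(refex, ref):
            continue
        if perm == "-":
            return False, f"{op} {ref} {user} DENIED by {refex}"
        if op in GRANTS[perm]:
            return True, f"{op} {ref} {user} allowed by {perm} {refex}"
    return False, f"{op} {ref} {user} DENIED by fallthru"


def push(conf_text, repo, user, branch, rewind=False):
    """Simulate a push: pre_git with ref 'any', then the update hook with
    the real ref. Returns (succeeded, [phase messages])."""
    repo_conf = parse_conf(conf_text)[repo]
    op = "+" if rewind else "W"
    ok, msg = check(repo_conf, user, op, "any")
    if not ok:
        return False, ["pre_git: " + msg]
    ok2, msg2 = check(repo_conf, user, op, "refs/heads/" + branch)
    return ok2, ["pre_git: " + msg, "update: " + msg2]


# Constructed inputs: the question's case 3, the workaround from the last
# answer, and the "banana" config from the middle answer.
CASE3 = """
@developers1 = user1
@developers2 = user2
repo dbatest
    RW+ = @developers1
    R test = @developers2
    - test = @developers2
    RW+ = @developers2
    option deny-rules = 1
"""

WORKAROUND = """
@developers1 = user1
@developers2 = user2
repo dbatest
    RW+ = @developers1
    RW any = @developers2
    - test = @developers2
    RW+ = @developers2
    option deny-rules = 1
"""

BANANA = """
@teamA = user1 user2
@teamB = user3 user4
repo foo
    RW+ = @teamA
    R = @teamB
    RW+ refs/heads/banana = @teamB
"""

if __name__ == "__main__":
    for conf, name in ((CASE3, "case 3"), (WORKAROUND, "workaround")):
        for branch in ("test", "master"):
            ok, trace = push(conf, "dbatest", "user2", branch)
            print(f"{name}: user2 -> {branch}: {'ok' if ok else 'denied'} {trace}")
    for branch in ("banana", "master"):
        ok, trace = push(BANANA, "foo", "user3", branch)
        print(f"banana: user3 -> {branch}: {'ok' if ok else 'denied'} {trace}")
```

With case 3 the model denies user2 in pre_git for every branch, with the same "W any ... DENIED by refs/heads/test" text the question quotes, because the deny rule fires while the ref is still unknown. With the workaround, pre_git is satisfied by the RW any rule and the real deny only lands in the update phase for refs/heads/test, so master stays writable. Removing the option from case 3 gives the question's case 1, which the model denies in the update phase; the page explains that real 3.6.x let that push through, which is the bug the answers discuss.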

Related

jupyterhub ldap auth using certificate - how to

This is similar to the existing one, Setting up LDAP for Jupyter Server,
where, instead of using "bind_user_password", I want to try using a certificate, i.e. the lines below that are currently being used:
ldap_uri = ldap://ldap:389
ldap_default_bind_dn = cn=serviceaccount,dc=example,dc=com
ldap_default_authtok_type = password
ldap_default_authtok = 0hdsvmofnvp
ldap_search_base = dc=example,dc=com
ldap_id_use_start_tls = true
ldap_tls_reqcert = hard
ldap_tls_cacert = /etc/pki/tls/CA/ldap.ca
I did go through this document - https://github.com/jupyterhub/ldapauthenticator - and we couldn't find a way to use a certificate; please help by sharing info on how to enable the same in Jupyter using the above lines.
Yes, we are using JupyterHub v3.3.2.

wlst commands for Weblogic security realm Roles creation and add conditions

I have started my WL Admin console. I went to Security Realms -> myrealm -> Roles and Policies -> Global Roles -> Roles. There I clicked the "New" button, created a new role, then modified it, giving it an LDAP user as the role condition.
I was wondering if we can automate this job by creating a wlst script. Could you please help us identify the wlst commands for creating a role and adding conditions?
I have done some study of cmo.getSecurityConfiguration().getDefaultRealm().lookupRoleMapper("XACMLRoleMapper") from Oracle pages but am not sure about the implementation.
Here is a sample script used to create a global role and a policy on a JMS resource:
connect('...','...','t3://localhost:7001')
realm=cmo.getSecurityConfiguration().getDefaultRealm()
rm=realm.lookupRoleMapper("XACMLRoleMapper")
# resourceId None means the role is global (not scoped to a resource)
rm.createRole(None,"role1",None,"")
rm.createRole(None,"role2",None,"")
authorizer=realm.lookupAuthorizer("XACMLAuthorizer")
# policy on a JMS queue: only members of role1 may use it
authorizer.createPolicy('type=<jms>, application=SystemModule-0, destinationType=queue, resource=Queue-0','{Rol(role1)}')
authorizer.removePolicy('type=<jms>, application=SystemModule-0, destinationType=queue, resource=Queue-0','{Rol(role1)}')
authorizer.getPolicyExpression('type=<jms>, application=SystemModule-0, destinationType=queue, resource=Queue-0')
rm=cmo.getSecurityConfiguration().getDefaultRealm().lookupRoleMapper("XACMLRoleMapper")
print rm.getProviderClassName()
print rm.getName()
# iterate over all roles and print each role name with its condition expression
cursor = rm.listAllRoles(1000)
print cursor
userReader = rm
while userReader.haveCurrent(cursor):
    usrrd = userReader.getCurrentProperties(cursor)
    print usrrd.get('RoleName')
    #print usrrd
    print "\t",usrrd.get('Expression')
    userReader.advance(cursor)
userReader.close(cursor)

Script to Map the users and groups to roles of the application in websphere 8.5.5

I'm trying to automate mapping users and groups to an application in WAS. Below is the script I'm trying; I want to verify whether this is the way to do it, since I don't know much about WAS.
import sys

# input file: one user per line, fields separated by ';'
# uid;password;firstname;lastname
filename = ""
fileread = open(filename, 'r')
filelines = fileread.readlines()
for row in filelines:
    column = row.strip().split(';')
    user_name = column[0]
    print user_name
    pass_word = column[1]
    first = column[2]
    last = column[3]
    AdminTask.createUser(['-uid', user_name, '-password', pass_word, '-confirmPassword', pass_word, '-cn', first, '-sn', last])
    AdminTask.mapUsersToAdminRole(['-roleName', 'Administrator', '-userids', user_name])
    AdminConfig.save()
    print 'Userid creation completed for', user_name
# install the application once, mapping its security roles to users/groups
AdminApp.install('myapp.ear', '[-MapRolesToUsers [["All Role" No Yes "" ""] ["Every Role" Yes No "" ""] [DenyAllRole No No user1 group1]]]')
agmBean = AdminControl.queryNames('type=AuthorizationGroupManager,process=dmgr,*')
AdminControl.invoke(agmBean, 'refreshAll')
fileread.close()
Judging by your previous question, I'm assuming you have the LDAP server set up. If you are mapping users from the LDAP server to administrator roles, then you don't need to create new users. Something like this command will map user1 from LDAP to the admin role:
AdminTask.mapUsersToAdminRole('[-accessids [user:defaultWIMFileBasedRealm/cn=user1,ou=users,dc=yourco,dc=com ] -userids [user1 ] -roleName administrator]')
The realm name can be found in wimconfig.xml under CELL_DIR/wim/config; defaultWIMFileBasedRealm is the default. I would suggest running the command manually, and when you get everything to work, write the script.

Exchange - Programmatically Created Mailbox Can't Access Users' Calendars

I've been using a web application I've written to remotely create users/mailboxes on my Exchange server. However, users created using this method have been unable to see other users' calendar information within the same organization. Did I forget some important parameter?
I'm almost certainly not following best practices, but I essentially craft a command and send that to the Exchange powershell for my organization, like so:
Dim runspace As Runspace
runspace = ConnectToExchange()
Dim command = New Command("New-Mailbox")
command.Parameters.Add("Name", firstName & " " & lastName)
command.Parameters.Add("Alias", userName)
command.Parameters.Add("OrganizationalUnit", ou)
command.Parameters.Add("UserPrincipalName", userName & "@" & domainName)
command.Parameters.Add("SamAccountName", userName)
command.Parameters.Add("FirstName", firstName)
command.Parameters.Add("Initials", "")
command.Parameters.Add("LastName", lastName)
command.Parameters.Add("Password", securePassword)
command.Parameters.Add("ResetPasswordOnNextLogon", True)
command.Parameters.Add("Database", db)
command.Parameters.Add("AddressBookPolicy", abp)
runspace.Open()
Dim pipeline = runspace.CreatePipeline()
pipeline.Commands.Add(command)
' Execute the command
Dim results = pipeline.Invoke()
runspace.Dispose()
I should mention that I've reviewed the docs, but the only thing that stands out to me is the Sharing Policy parameter. Reviewing now.
EDIT: I have the same Sharing Policy applied as a test user I've just created. I can view others calendars, but the test user cannot.
SECOND EDIT: I ran the following cmdlets for both my normal account (which can see calendars) and the test account (which cannot see calendars):
Get-Mailbox identity.here | Format-List * | Out-File C:\Users\MyName\Desktop\file.txt
I then ran these through a diff tool and found the differences. There was nothing notable that would cause this issue! I don't know where to turn to next.
Please run the following cmdlet on both accounts:
Get-MailboxFolderPermission -Identity john@contoso.com:\Calendar
Please note that the "Calendar" part seems to depend on your Exchange installation language (in German it's "Kalender", for example).
If I get you right, your account probably has AccessRights:{PublishingEditor} set.
If so, run the following cmdlet on the account that doesn't have access:
Set-MailboxFolderPermission -Identity john@contoso.com:\Calendar -User Default -AccessRights Reviewer
Hope that helps
Paul

Trac + AccountManagerPlugin: How do I get cookie sharing working?

I have an active Trac installation with multiple projects. I am using the AccountManagerPlugin to manage user accounts, and to allow users to manage their own accounts.
My current AccountManagerPlugin configuration looks like this:
[account-manager]
account_changes_notify_addresses =
authentication_url =
force_passwd_change = true
generated_password_length = 8
hash_method = HtDigestHashMethod
htdigest_realm = TracRealm
notify_actions = []
password_file = /home/sms/trac_sites/trac.htdigest
password_store = HtDigestStore
persistent_sessions = true
user_lock_max_time = 0
verify_email = false
This works great, except: Each Trac project currently requires separate authentication. The projects are unable to share their authentication cookies.
Setting auth_cookie_path = /trac does not work, because session data is stored in each project's own database; therefore one project cannot validate the cookie of another. Worse, this causes projects to overwrite each other's cookies.
Using an undocumented two-year-old monkey patch (SharedCookieAuthPlugin) seems like a bad idea.
Is there a solution?
SharedCookieAuthPlugin is indeed the way to go. The author of the plugin (k0s, alias Jeff Hammel) was the person who requested the auth_cookie_path option, specifically for his plugin. The fact that it hasn't been updated in two years just means that it works as it is.