I've just installed Apache Bloodhound in my server. It's working fine. But with the default settings, anyone can view the list of tickets. I want to change this so that only logged in users are able to view the tickets.
Is it possible? How can I do this?
Default Trac ticket permissions are TICKET_VIEW for 'anonymous' sessions (everyone) and editing for 'authenticated' users, yes.
You'll want to remove TICKET_VIEW, so only authenticated users will see (and modify) tickets. To accomplish that, any user with PERMISSION_REVOKE (inherited by TRAC_ADMIN and PERMISSION_ADMIN as well) is allowed to navigate to the permission web admin page, can check and submit the 'remove' action. Alternatively you could use the trac-admin command:
trac-admin <path_to_trac_env> permission remove anonymous TICKET_VIEW
where you need to replace the path with you real one, like /var/www/trac_env/myTrac.
Related
In our SonarQube instance we have recently enabled LDAP authentication. Prior to LDAP integration the users were manually created. It so happened some of the users were created using the same LDAP user ID and custom password.
Now when LDAP is integrated we want all users use the LDAP ID/pass instead of previously manually created ID/password. SonarQube login works with manually created password rather than LDAP password. So how do remove the manually created users and only activate the LDAP users?
PS: I dont see the option to delete but only to de-activate
As replied by Jeroen Heier in comments, removing users from Administration > Security > Users will allow you to reuse the login of the removed user with an LDAP account.
If it's not the case, please describe what you're doing.
While I'm concerned with the deletion of an account... why can't you re-activate a user if you de-activated them through the UI. This is incredibly painful if a user was accidentally deactivated.
My Jenkins instance is currently open for every user, there is no authentication. I want to protect Jenkins against access by unauthorized users. I'm looking for a very simple/basic solution -- one user. If this "admin" user hasn't authenticated himself, he should not be able to do anything. If he has, he should get the full access the Jenkins instance (including all projects). How to configure this?
Follow these steps:
Go to Configure Global Security --> Security Realm : Jenkin's own user database and authorization Logged-in users can do anything. After saving, Jenkins should prompt you to create a new user. Please create the required user by filling in details like username and password.
Then, log in with that user and change the authorization to Matrix-based security. The matrix configuration should be as shown below i.e., it should have all privileges for the required user and none for anonymous users.
First you need to create an admin user or whatever you want.
To do that, go to your jenkins dashboard page and find "Credentials" option.
In credentials, you can create your user.
With your admin user created, just go back to your jenkins dashboard page and find "Manage Jenkins" option, in there, click on "Configure Global Security".
In Global Security Page, check the box "Enable Security", scroll down to "Access Control" and chose "Jenkins’ own user database" and select what users can do after login.
I have added the SEOptimizer add-on to my site, and need to restrict who can access the SEO tab. I'm not sure how to manage permissions for this.
Default add-on permission use the "Modify portal content" permission, so users able to edit the content will see the tab: https://github.com/quintagroup/quintagroup.seoptimizer/blob/5d0ee147f2b094ea8a05849f1d77161a8329bb44/quintagroup/seoptimizer/profiles/default/actions.xml#L14
You can change this behavior by changing the permission related to this action and the permission in the ZCML: https://github.com/quintagroup/quintagroup.seoptimizer/blob/f55624284a7daa6c225801990e6b2e9801b9eeac/quintagroup/seoptimizer/browser/configure.zcml#L95
Change the permission used by the action is simple (you can do it also TTW accessing ZMI and portal_action tool).
Changing the ZCML permission needs a registration of a new ZCML that will override the old registration: See http://docs.plone.org/develop/addons/components/zcml.html#overrides
You probably need to register a new permission, to be given to your "SEO" role.
BTW: this can be a really good change for the original product too: think about open an issue.
Iam using Apache Directory Ldap. I started using it just recently. I had one query:
I had one attribute called 'user-last-date', so as soon as this user end-date reaches, I should be able to disable the user account in ldap and also should send out an automated email to his manager. So, Is that possible to disable the user automatically in ldap as soon as the 'user-last-date' reached?
I already searched in google on this, not finding much info on this.
No, it is not possible by default, however you can write a custom interceptor to achieve this.
Or you can set the value of attribute pwdAccountLockedTime to 000001010000Z to permanently lock the account, but this will be effective only if the passwordpolicy is enabled.
Using the Jenkins OpenID plugin I'm able to configure Jenkins to use my Google Apps OpenID as a provider. Anonymous users are still able to access that application (they have read access only), but I want to have it so that users are forced to login using the Google App domain or they are denied access.
I'm currently using the Jenkins Authorization setting of "Logged in users can do anything", I've tried using the "Matrix based authentication" and denying anonymous users, assuming logged in users would still have permissions, is there a special group value I can use for "logged in users" in matrix based authentication?
It seems like "Matrix-based security" will only work for specific users when using Google Apps OpenID (I don't believe Google apps for domains has support for OpenIDTeam extension
Yes there is a special group you can use to do this but finding the information about how to do it isn't obvious.
If you hover over the 'Overall - Read' column on the Matrix-based security table you'll get the solution.
It states
The read permission is necessary for viewing almost all pages of Jenkins. This permission is useful when you don't want unauthenticated users to see Jenkins pages - revoke this permission from the anonymous user, then add "authenticated" pseudo-user and grant the read access.
I use the following technique in combination with the OpenID plugin which allows me to specify a Google Apps for Business domain to secure Jenkins with
Warning: Make sure you've got a backup of your installation before you start because if you get something wrong you may lock yourself out of your Jenkins. Unpicking the plugins and settings would take longer than just restoring from a backup.
Ensure your choice of OpenID provider is still working ok with your current 'Logged in users can do anything' setting
Select the 'Matrix based-security' mode for Authorization
Add a new 'authenticated' group (lower case 'a') to the Matrix-based security table.
Use the 'check all' icon at the right hand end of the new 'authenticated' row to tick all the permission boxes.
Use the 'check all' icon at the right hand end of the 'Anonymous' row to untick all the permission boxes.
Save the settings
Reload Jenkins
Now each time a user wants to see Jenkins they have to be already signed into their Google Account and no-one can get to see any Job names or views without login.
Hope this helps.