Our workspace has created a new project which we wish to add all of our 1,000+ users to. This seems most easily done via a script interfacing with the API, rather than making the edits by hand, since Rally doesn't seem to offer a batch update function for user permissions. My question is, are user permissions even editable via the API? I've made changes to user records in the past, but not their permissions.
For context, I'm using Pyral to interface with the WSAPI.
Thanks!
You can definitely batch script User Permissions via the WSAPI.
While it's not written in Python, there is an open-source set of Ruby scripting tools built to do exactly this:
https://github.com/RallyTools/Rally-User-Management
You might want to check it out - if nothing else, the User Management scripts could provide good hints as to how to accomplish certain User updated/edits in pyral as well. Obviously the pyral mechanics would differ from those in the Ruby rally_api used by Rally-User-Management.
Related
I'm trying to confirm all the calls we currently make are supported in Gooddata's java sdk (https://github.com/gooddata/gooddata-java/) before we decide whether to update to use this.
I have confirmed all cases except 2 and am hoping that someone might be able to suggest how I might make these calls in the java SDK today.
list all users in a domain: (https://help.gooddata.com/display/API/API+Reference#/reference/users/manage-users-in-a-domain/list-all-users-in-a-domain)
assign a userfilter to a user (https://help.gooddata.com/display/API/API+Reference#/reference/data-and-object-permissions/assign-a-data-permission-to-a-user/assign-a-data-permission-to-a-user)
I just want to confirm these operations are not currently supported before I investigate effort to add them.
As far as I know, you are right and there is no built in support for GoodData domain (also called organisation) user handling (yet). On the other hand using "com.gooddata.sdk.service.httpcomponents" you can easily work with any GoodData API within your code.
In case you wouldn't be tied to strictly to Java - there is possibility to use bit more robust "Ruby SDK" - https://sdk.gooddata.com/gooddata-ruby-doc/docs/getting_started.html which natively contains user management
Another possibility is to shoot feature request directly into the repository (https://github.com/gooddata/gooddata-java/issues) - we will check that up and most likely add the support soon (or at least give you the estimate).
Like most people, we're pretty impressed with BigQuery. We're willing to put up with it being based on proprietary "Dremel" in exchange for not having to configure a ton of servers in our LAN, on EC2, or anywhere else.
The REST API is excellent, and we're incorporating that into our apps, but we still find ourselves using the BQ Browser interface as well. We'd like to incorporate something like a 'generic SQL window' into our app, without divulging that the backend is BQ or that data is stored in Google at all, for that matter. Does Google provide a way to use their BQ browser tool in a white-label manner?
Note also, that even extending access to the existing browser tool is problematic. It relies on user-accounts existing in one's own domain - something that can't be done, in our case, with a customer's email address. The REST interface solves this with service-level accounts, but that doesn't get you to the SQL window/browser tool.
If the folks at Google are listening (and I know that you are), consider the benefits of white-labeling the browser tool: I think you'd find a lot of software companies integrating it into their suites of products and, then, running circles around any Hadoop/CDH/EMR/Impala/Hive combination.
So, to summarize: How does a software developer import or emulate the BQ browser tool (with all it's autocompletes, query histories, etc..) in their own web-based app?
The initial version of the BigQuery web interface was considered just an 'example' UI that anyone could create themselves. It uses only the public BigQuery API to talk to BigQuery.
There are a couple of Google-internal things we've added since then, such as the current design of 'saved queries', and an auth shortcut so that users don't have to explicitly grant permission to the UI to access BigQuery data. But it is still mostly plain-ol-javascript talking to BigQuery via the REST API the same way anybody else does.
The javascript is obfuscated, however, but my understanding is that this is just for compression purposes so that it downloads more quickly.
The SQL highlighting is done by CodeMirror with special configuration for the BigQuery SQL variant.
I'll talk to the other members of the BigQuery team about open-sourcing the javascript code in the Web UI. It may be difficult to do at this point, but it doesn't hurt to have a conversation about it. I'll bring this up with the team and update this thread. The most likely answer will be "We'll think about it", but hopefully we can also think about it and start working on it too :-)
Let me know if that sounds like it would meet your needs. It might not solve the auth problems you mention, since your users likely won't have BigQuery accounts, but you may be able to solve that by proxying oauth2 access tokens.
I recently finished one of my first AgilityJS projects, which is a web-based file browser that lets you create and manage folders and files, and navigate around the folder tree. I followed the various AgilityJS recommendations regarding the design and ended up with all my HTML and Javascript in a single Javascript file.
Now, I would like to provide a "read-only" version of this app which does not have the ability to add/edit/remove files and folders. I'd like to have 2 user types on the website, one type which can only read the files and folders, and another user type who can administer.
My question is, how do I proliferate these permission differences to my AgilityJS app? I know how to secure my endpoints and operations on the server side, but I'm wonder about the best way to do this on the client side. Should I create a separate version of the app with a limited set of functionality? Should I simply hide certain buttons/features? Are there theories, frameworks, etc.? which deal with this issue? Any point in the right direction would be helpful.
LOL - probably one could write books about that topic. Some very basic ideas:
I would start with the philosophical debate according to MVC. There are people argue with the help of MVC that any piece of code and also any piece of data model should never be implemented twice. Business logic and model to the server. The opposite view is focussing on serving users at any cost - even if that means to double maintain code or the model for the sake of avoiding extra round trips. The way in between defines a master source for business code and model and makes sure to follow on other places that leading master (the master will be changed first). Take your choice. Your answer to that question results into boundaries for how the user interface can/have to look like for the user.
You need to think by hard about a permissions concept. Looking at Microsoft I would assume that they invested for all their applications a couple of dozens man years to make up the permission concepts. The ideal permission concept very much depends on your application. So it is close to impossible to work this out without knowing at least a very little of your application. However the permission concept has to come up with policies deciding on roles, groups, access rigths, access levels, context driven permissions (eg. based IP address), permissions black or white listing (permissions each user has at creation). An example from Microsoft: http://office.microsoft.com/en-us/windows-sharepoint-services-help/permission-levels-and-permissions-HA010100149.aspx
Data on the client is not secured!!! Whatever you do on the client, be it data hiding, encryption, compression... - if this is done on the client there are ways to read the data (even by disabling the data manipulation) or by reverting those. Somebody can send data to your server, where the client should not even have given an update form could be implemented by hackers. So as soon as you start to implement permissions make sure, that for all data you send to clients users are permitted to read and that you inlcude permissions checking for each time you add/update data to the database.
I know of 2 ways to implement admins:
add admin role flag to the user entity
add a new admin entity
I don't know if there are more ways of doing it
1. Does it matter in terms of admin usability? security?
2. which is easier to scale or maintain?
for a rails-specific (but not limited to) sub-question
Is using a premade admin services such as active_admin or adminium are worth it for the long run (heavy use application, not small sized), or would it just be better to make my own admin panel and incrementally add features as I need them?
The answer to that question depends on your needs for a particular project.
Using the premade admin services makes life easier as what you can do is to customize the services by the help of ease that they provide and then use them in your application.
In ActiveAdmin railscasts, there is a video about ActiveAdmin that shows that how it is very customizable. Apart from that there are comments by various people in the railscasts from their experience about its usage.
This will clearly give you the idea in the right direction.
There is also a very good article by batsov which explains the differences between RailsAdmin and ActiveAdmin.
Short version: Do it yourself with the admin role flag. For security do not allow mass assignment of this flag. Build your own admin interface, especially for a big project nothing premade will suit your needs.
Long Version:
I haven't actually used any of the premade admin services as in general my experience has shown me that my users are either normal/admin or semi-admin.
Having your own flag means that you have full control over how to add admin users.
Example: some apps I have allowed anyone with admin access to make anyone else an admin.
Rails allows you to quickly scaffold/build your own custom admin interface and here I can't see anything 'off the shelf' beating the add as you go/need mentality as the end result will be custom built to fully suit your needs vs spending your time with an admin interface that you have to customize yourself.
I am trying to use BetterAuthorizationSample rather then go the so called "malicious" way of using setuid in order to get root privileges.
Currently I am using AuthorizationCreate(); with BLAuthentication to have root access to changing some files, but I am somewhat irritated by the fact that I have to constantly enter my password in every time the app launches.
So I came across Apple's method of a HelperTool, and I just can't figure it out.
I've been working with Cocoa for a couple months now, but this is just out of my reach, yet I still need it. How would I implement this tool to do simple root-privileged tasks?
Is there a simpler way to use the concept of a HelperTool, so that my users can just enter their password once and it would grant root-privileges forever?
The "modern" way to do a helper tool on Mac OS X is to ship it as part of your app, and use the ServiceManagement framework to deploy it. Your users enter their password once, when deploying the tool. That installs it as a launchd job; from then on you use any launchd on-demand mechanism to launch the helper and get it to do work for you.
Notice that the blog post linked above recommends that you protect subsequent invocations of the helper with an Authorization Services escalation, to avoid having an arbitrary privilege escalation that anyone can use. This seems like it somewhat impacts the "users can just enter their password once" benefit, although you can use AuthorizationRightSet() to create your app's authorization token in the policy database, so you can actually define whether users need to present passwords on first deployment.
The sample code from that post is on GitHub, and demonstrates using ServiceManagement to deploy the helper tool and Authorization Services to control access to it.