I have a scenario that should be possible with RavenDB imho but I can't find any piece of information that could help me to implement this.
I've deployed the RavenDB as IIS application to my regular hosting. I have no dedicated server so this is almost all options I have. Another option is to create web application with embedded RavenDB which I think is more complicated and I want to keep things simple now. Having RavenDB as IIS application seems to be very handy.
I want some users to be able to log in into RavenDB application and edit documents. Other users (anonymous) can only read the data.
I found that there are 2 optional bundles in the app:
Raven.Bundles.Authentication.dll
Raven.Bundles.Authorization.dll
Unfortunately the documentation on this bundles is not complete enough :(
Here is a description of what I'm aiming for: http://www.youtube.com/watch?v=bS4UMp12PZM&feature=player_detailpage#t=899s
So the questions are:
How can I store user information in RavenDB and authenticate against this
information?
How can I grant edit rights on document collections for specific users?
How can I grant all (admin) rights to some specific user?
Here is a few resource that you can follow:
Authentication options with RavenDB
http://www.youtube.com/watch?v=bS4UMp12PZM
Authorization Bundle
http://ravendb.net/docs/server/bundles/authorization
http://ravendb.net/docs/server/bundles/authorization-bundle-design
Edit
For simple cases, use application users instead of database users.
Store a User entities and authenticate the users against it. Each user should have a user type property which says what permissions that have. Than control what action a user can do in the application level, not in the database level.
Related
I'm developing an application that manipulates data in Google Cloud Storage
buckets owned by the user. I would like to set it up so the user can arrange to
grant the application access to only one of his or her buckets, for the sake of
compartmentalization of damage if the app somehow runs amok (or it is
impersonated by a bad actor or whatever).
But I'm more than a bit confused by the documentation around GCS authorization.
The docs on OAuth 2.0 authentication show that there are only three
choices for scopes: read-only, read-write, and full-control. Does this
mean that what I want is impossible, and if I grant access to read/write one
bucket I'm granting access to read/write all of my buckets?
What is extra confusing to me is that I don't understand how this all plays in
with GCS's notion of projects. It seems like I have to create a project to get
a client ID for my app, and the N users also have to create N projects for
their buckets. But then it doesn't seem to matter -- the client ID from project
A can access the buckets from project B. What are project IDs actually for?
So my questions, in summary:
Can I have my installed app request an access token that is good for only a
single bucket?
If not, are there any other ways that developers and/or careful users
typically limit access?
If I can't do this, it means the access token has serious security
implications. But I don't want to have to ask the user to go generate a new one
every time they run the app. What is the typical story for caching the token?
What exactly are project IDs for? Are they relevant to authorization in any
way?
I apologize for the scatter-brained question; it reflects what appears to be
scatter-brained documentation to me. (Or at least documentation that isn't
geared toward the installed application use case.)
I had the same problem as you.
Go to : https://console.developers.google.com
Go to Credentials and create new Client ID
You have to delete the email* in "permissions" of your projet.
And add it manually in the ACL of your bucket.
*= the email of the Service Account. xxxxxxxxxxxx-xxxxxxxxx#developer.gserviceaccount.com
if you are building an app. It's Server to server OAuth.
https://developers.google.com/accounts/docs/OAuth2ServiceAccount
"Can you be clearer about which project I create the client ID on (the developer's project that owns the installed application, or the user's project that own's the bucket)?"
the user's project that own's the bucket
It's the user taht own the bucket who grant access.
It turns out I'm using the wrong OAuth flow if I want to do this. Thanks to Euca
for the inspiration to figure this out.
At the time I asked the question, I was assuming there were multiple projects
involved in the Google Developers Console:
One project for me, the developer, that contained generated credentials for
an "installed application", with the client ID and (supposed) secret baked into
my source code.
One project for each of my users, owning and being billed for a bucket that
they were using the application to access.
Instead of using "installed application" credentials, what I did was switch to
"service account" credentials, generated by the user in the project that owns
their bucket. That allows them to create and download a JSON key file that they
can feed to my application, which then uses the JSON Web Tokens flow of OAuth
2.0 (aka "two-legged OAuth") to obtain authorization. The benefits of this are:
There is no longer a need for me to have my own project, which was a weird
wart in the process.
By default, the service account credentials allow my application to access
only the buckets owned by the project for which they were generated. If the
user has other projects with other buckets, the app cannot access them.
But, the service account has an "email address" just like any other user, and
can be added to the ACLs for any bucket regardless of project, granting
access to that bucket.
About your answer.
Glad you solved your problem.
You can also reduce the access to only ONE bucket of the projet. For example, if you have several buckets and the application does not need access to all.
By default, the service account has FULL access Read, write and ACL of all buckets. I usually limited to the needed bucket.
I have written an application that I have listed in the Google Marketplace. I am trying to get my app to use the Directory API (part of the Admin SDK). According to the documentation here: https://developers.google.com/admin-sdk/directory/v1/guides/prerequisites, this will require anyone who installs my app to enable API access.
The only scope I need is:
https://www.googleapis.com/auth/admin.directory.user.readonly
Is there any way to access the above scope without requiring API access to be enabled? All I am ultimately trying to do is import users from a domain into my app so that they do not have to visit my app to have an account.
I am trying to avoid having to have the domain administrator enable API access. I have also seen other apps that require the same exact scope as I do that seem to work without requiring API access. I'd be willing to drop back to the older, deprecated Google Data APIs, but I don't think I can even register an app to use them.
This is not possible today. You have you have guidance in your app to remind the admin to turn this on.
We understand this is suboptimal for both admins (expecting that authorizing an app should give it access) and developers (needing to write unnecessary code to handle this). We are looking into improving this flow but not specific plans on launch yet.
I'm building a Web Application using ASP.Net and MVC4. This web application is going to be used by another company but we are hosting it. We were told that we had to use ADFS. We don't know what kind of information is going to come over to us in the authentication but we need to allow for users to have roles. I assume that when authenticated a username should be returned. So i'm thinking I would build a user table in the database for admins and super admins. When a user comes over, we will check if there username exist in the database and if so we would read their role from the database If they do not exist in the database they are public.
All that being said here is my dilemma that I need to solve. How do I do this without writing custom code everywhere in the application to check for authorized and check for role? I would like to use the [AuthorizeAttribute(roles)]. Should I create a custom role provider? All ideas are welcome. BTW, we can not have the client manage the roles and pass it over because this company is a Fortune 100 company and they do not have time to handle these request.
I would recommend looking at some of Dominick Baier's work on securing MVC with claims. He's worked with some other developer's as well to build Thinktecture, which has both an Identity Server component and libraries for assisting in the processing of claims while abstracting some of the nitty-gritty details.
As for the roles portion of what you need to do, you can build a custom ClaimsAuthenticationManager and have that perform whatever transformations or additions to the users claim set at initial login. Dominick has a couple of excellent PluralSight courses that go into much more detail on this process. He also has this free video out there, which details the authorization portion around minute ~44.
I recently went through the effort of getting ADFS setup and authenticating some of the MVC apps at our company. The resources I have referenced were invaluable in helping me in that process.
I am writing a desktop WPF application that uses SQL CE as its data store and syncs to a remote SQL Server database via a web service. The desktop application provides the same functionality as an ASP.NET web application I wrote but, provides the functionality for the user when no connectivity is available.
The SQL Server database also provides membership functionality for the Web version of the application.
My question is this...how can I provide the user login functionality for the WPF application when it is in "disconnected" mode? I want the user to have the same login functionality that they would have if they were logging in through the web application. I know how to sync the necesarry aspnet_Membership tables (users, roles, etc) but, how do I create the membership provider for WPF? I haven't been able to find examples.
(The WPF app won't need to create or delete users but, edit functionality would be nice...It is essential that application allows the user login and have their password checked against the one synced from the main database so, I am not sure how that encryption/decryption would work).
Thanks for whatever advice you can give
Membership was built as an ASP.NET feature. The risk I see with a local Membership approach is now those tables with passwords are on the local machine and open to being hacked. The user has to logon at the local machine so the Windows principal is validated. You might be better off mapping the Windows logon to roles and groups to provide Membership type features without MembershipService. You can iterate through the users, roles, and groups in .NET but it is slow. It is not very hard to decipher the Membership SQL tables directly and build a query to get that information and it is much faster. You can even map your MembershipProvider to the domain at IIS but then you cannot use TSQL to get the users, roles, and groups.
In my external application i need to find all sites with write permission for logged in user.
I am using WSS.
Is there any web service available for this task?
Or can i send a Query and get the desired results?
You need to use the client object model (see this msdn article http://msdn.microsoft.com/en-us/library/ee535231.aspx) to work with SharePoint for outside the system.
use SharePoint webservices. They have a special asmx for permissions:
/_vti_bin/permissions.asmx
This Web service is used to obtain the permissions assigned to a list or site, add new permissions, and update or removing existing permissions.
Here's a blog post about using the permissions webservice:
example