I've managed to create a a new user from a servlet using VMM. The problem I now have is in allocating a role to the user. Does anyone know how I could make give the new user a websphere monitor role from within the servlet ?
cheers,
Trevor
It appears that you can't through the VMM service which is what I was really looking for. The best idea is to have groups to each role mapped in advance. Then you can use VMM to add users to the existing groups as required.
Related
I installed a vault and configured OIDC with gsuite, that was already an adventure in itself as the documentation is limited and even wrong at more than one place.
Finally I have a working authentication with my google accounts and I began to create roles, and there I saw a huge issue. How do you restrict google users from using a role. Let's say I create a gsuite-admin role that has access to all of vault administration, any user entering the role before login can assume it.
I tried to use the different claims but those seems to be only for vault created groups or other things.
Does anyone has a solution for that?
Thank you in advance.
EDIT:
The configuration I'm using whith group claims:
{
“allowed_redirect_uris”: “https://URL/ui/vault/auth/oidc/oidc/callback,http://localhost:8250/oidc/callback”,
“user_claim”: “sub”,
“policies”: “vault_admin”,
“ttl”: “24h”,
“groups_claim”: “devops”,
“oidc_scopes”: “profile”,
“bound_claims”: {
“group”: [“devops”]
}
}
That configuration only provides a lock of the role that can't be used anymore by anyone. From what I could see the JWT doesn't have any informations and that is why we used the config with the fetchgroup option in the oidc configuration.
I found a solution for this problem. Firstly, we need to ensure that a user is part of a G Suite group. Then mapping the G Suite group with Vault group (that has a policy assigned) ensures that the user is bound to the Vault policy.
This article contains some example steps and might be helpful.
I'm new to wso2 and there are many new concepts to me ... I'm looking for a yes/no answer to the following question:
With wso2is, is it possible to authenticate users using one secondary user store (AD / LDAP) and authorize them using another secondary user store (JDBC, a database with only user and role tables)?
If the answer to the question is "yes", can you please provide me some links to some related examples or documents?
Any suggestions?
Thanks.
Yes, its possible. we can use different user stores.
Please refer
https://docs.wso2.com/display/IS530/Architecture
https://docs.wso2.com/display/IS530/Configuring+Single+Sign-On
Yes!! it is possible. Write your own custom UserStore and overwrite the method getting claims from user store.
Google it and you will find steps to do that.
I'm working on a project where I've multiple ressources and multiple users, what I need to do is to associate different access rignts to every user depending on the ressource he wants to access to
The problem is that a simple LDAP server can't implement this kind of situation,
An idea is to use multiple LDAP servers, one for each ressource, then how could I manage them all?
Or is there another authentication process I can use in this case?
Spring Security has a special ACL module to handle such situations. The basic idea is that each domain object / ressource may have separate access control list. You need to fill this list with appropriate permissions and add corresponding checks in your code. You can have parent -> child relations between the objects to reduce number of permissions. Check it out.
If you have logic behind the access to the resources, you may want to use a rules authorization language such as XACML.
If the assignment of resources to users is arbitrary then the use of ACLs with Spring Security's ACL module is good enough.
The problem is that a simple LDAP server can't implement this kind of situation
Mine does. You use LDAP to define the roles associated with each user, then you use web.xml to associate the resources with the roles that are required to access them, then you configure/write your login module such that it looks up the roles of each user when you login. Container-managed security can do all that.
I m creating an application in which i have three roles.
(a) Admin
(b) Manager
(c) Supervisor
What i want is when user enter details on lo-gin page first system check whether user is whether its a valid user or not and then what kind of access he have. i think window authentication is good for this purpose now i want from you guys to tell how to should i go on this and can any one provide me a good article for it with example.
as i have create all my pages but i don't know how to communicate with database for it.
Thanks in advance..
You should take a look at the Membership Providers as these provide functionality for user authentication, and also at Role Providers that can provide functionality for managing user roles.
If you have any specific questions about how to go about implementing them, then please ask further questions here on stackoverflow.
Hello StackOverflow Community,
I've searched through Amazon EC2's API documentation, but I haven't seen an API to create/modify/remove an Amazon EC2 account programmatically. Does anyone know if this is possible?
Thanks,
Mauricio
If you are talking about creating new Amazon's user for EC2, it is not possible to do programmatically. As in any website registration it requires human interaction. Particularly you will need to provide credit card etc. I also was not able to find a way to create new set of credentials programmatically.
What is the overall problem you're trying to solve? Are you trying to create an AWS account? Or simply create a new set of credentials for accessing EC2?
It is not possible to create accounts programmatically, but depending exactly on what you are trying to achieve, you may want to use AWS IAM which allows you to create credentials with restricted access (so for example an user can list current instances, but not start or destroy them)