I want to restrict the default user from reading tables from a particular database, but the revoke command gives the following exception.
REVOKE SELECT ON test_db.* FROM default
Received exception from server (version 20.5.2):
Code: 495. DB::Exception: Received from localhost:9000. DB::Exception: Cannot update user `default` in [users.xml] because this storage is readonly.
users.xml has 666 permissions. I am wondering how this can be done, so that the default user cannot view tables in the given database.
There are two ways to manage users: the old XML way and the new create/grant/RBAC way.
The user default is created the old XML way (hardcoded in the ClickHouse source code).
You can remove this user "default" completely.
cat /etc/clickhouse-server/conf.d/z_user_def_remove.xml
<?xml version="1.0" ?>
<yandex>
    <users>
        <default remove="remove"></default>
    </users>
</yandex>
I named the file with z_ so that it is applied at the end (as the last one).
Or you can restrict the databases for this user "default".
cat /etc/clickhouse-server/conf.d/user_def_db.xml
<?xml version="1.0" ?>
<yandex>
    <users>
        <default>
            <allow_databases>
                <database>system</database>
            </allow_databases>
        </default>
    </users>
</yandex>
This answer is based on the fact that you used the default settings for the default profile and inter-server credentials.
I am not sure that the default user should be modified and be accessible outside of the cluster. By default, it has special purposes such as inter-server interaction in a cluster.
I would recommend restricting the default user to use inside the cluster nodes only:
<!-- users.xml -->
..
<profiles>
    <default>
        <!-- The default profile is a full-access profile (like a super user).
             Do NOT restrict permissions of the default profile. The default profile has a special purpose: it must always be present
             and is applied when starting the server and used by internal processes (Buffer storage, Distributed DDL worker and so on)
        -->
        ..
    </default>
    ..
</profiles>
<users>
    <!--
        default user that is used ONLY for inter-server interaction.
        The password is intentionally EMPTY, so this account MUST be restricted to the inner network only.
    -->
    <default>
        <password replace="replace"></password>
        <profile replace="replace">default</profile>
        <networks replace="replace">
            <!-- Restrict the account to hosts belonging to the cluster. -->
            <host>clickhouse-node-1</host>
            <host>clickhouse-node-2</host>
            ..
        </networks>
    </default>
    ..
</users>
..
And add dedicated users for your goals instead of using the default one.
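As an added example (not code from either answer above, and not ClickHouse's own code), the Python script below models the conf.d overlay that both answers rely on, with remove="remove" and replace="replace", and then audits the merged users section for what the second answer warns about: an XML user with an empty password that is not restricted to cluster hosts, very wide <ip> ranges, and access_management=1. The merge is a simplified model of the documented override semantics, not ClickHouse's implementation; the users.xml content, the user names and the cluster hostnames are constructed sample input.

```python
"""Simplified model of a ClickHouse conf.d overlay plus an audit of the result.
Added example; the XML is constructed sample input, not a real users.xml."""
import copy
import ipaddress
import xml.etree.ElementTree as ET

# Constructed base users.xml: an open default user and an XML user that has
# access_management, in the spirit of the two questions on this page.
BASE_USERS_XML = """<yandex><users>
  <default><password></password><networks><ip>::/0</ip></networks><profile>default</profile></default>
  <deep><access_management>1</access_management><password>xxx</password>
    <networks><ip>::/1</ip><ip>192.168.65.155</ip></networks><profile>default</profile></deep>
</users></yandex>"""

# Override in the spirit of conf.d/user_def_db.xml plus the <networks> restriction
# from the second answer (hostnames are assumed examples).
RESTRICT_DEFAULT_XML = """<yandex><users><default>
  <networks replace="replace"><host>clickhouse-node-1</host><host>clickhouse-node-2</host></networks>
  <allow_databases><database>system</database></allow_databases>
</default></users></yandex>"""

# Override equivalent to conf.d/z_user_def_remove.xml from the first answer.
REMOVE_DEFAULT_XML = '<yandex><users><default remove="remove"/></users></yandex>'


def merge(base: ET.Element, override: ET.Element) -> ET.Element:
    """Return a copy of `base` with `override` applied (simplified overlay):
    same-tag children are merged recursively, replace="replace" swaps the whole
    element, remove="remove" deletes it, new children are appended.  Only the
    first child with a given tag is matched, so lists such as repeated <ip>
    entries should be overridden with replace="replace"."""
    result = copy.deepcopy(base)
    for patch in override:
        existing = result.find(patch.tag)
        if patch.get("remove") == "remove":          # <x remove="remove"/> deletes x
            if existing is not None:
                result.remove(existing)
            continue
        if existing is not None and patch.get("replace") != "replace":
            merged = merge(existing, patch)          # same tag: merge children
            if len(patch) == 0 and patch.text is not None:
                merged.text = patch.text             # leaf value is overridden
        else:
            merged = copy.deepcopy(patch)            # new element, or full replace
            merged.attrib.pop("replace", None)
        if existing is not None:
            idx = list(result).index(existing)
            result.remove(existing)
            result.insert(idx, merged)
        else:
            result.append(merged)
    return result


def apply_overrides(base_xml: str, *override_xmls: str) -> ET.Element:
    """Parse users.xml and apply conf.d overrides in the given order."""
    root = ET.fromstring(base_xml)
    for xml_text in override_xmls:
        root = merge(root, ET.fromstring(xml_text))
    return root


def is_broad(cidr: str, max_hosts: int = 2 ** 16) -> bool:
    """True for <ip> entries admitting more than max_hosts addresses
    (e.g. ::/0, or ::/1 which is half of the IPv6 address space)."""
    try:
        net = ipaddress.ip_network(cidr.strip(), strict=False)
    except ValueError:
        return False
    return net.num_addresses > max_hosts


def audit_users(root: ET.Element) -> list:
    """Return (user, finding) pairs for the settings the answers warn about."""
    findings = []
    users = root.find("users")
    for user in ([] if users is None else list(users)):
        name = user.tag
        has_secret = any(
            (user.findtext(tag) or "").strip()
            for tag in ("password", "password_sha256_hex", "password_double_sha1_hex")
        )
        networks = user.find("networks")
        entries = [] if networks is None else list(networks)
        broad = [e.text for e in entries if e.tag == "ip" and e.text and is_broad(e.text)]
        if not has_secret and (not entries or broad):
            findings.append((name, "empty password reachable from outside the cluster"))
        for cidr in broad:
            findings.append((name, "broad network range " + cidr))
        if (user.findtext("access_management") or "").strip() == "1":
            findings.append((name, "access_management=1 (can create and grant users)"))
    return findings
```

Run against the constructed base file the audit reports the open default user and the wide ::/1 range on deep; after RESTRICT_DEFAULT_XML the default user produces no findings, and after REMOVE_DEFAULT_XML it no longer exists. Point apply_overrides at your real users.xml and conf.d files (in the order the server loads them) to check what the merged result actually grants before restarting the server.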
I've set up a working instance of a ClickHouse server with docker-compose. Right now I'm trying to grant privileges (write permission) to a user who is defined in users.xml as follows:
<users>
    <deep>
        <access_management>1</access_management>
        <password>xxx</password>
        <networks incl="networks" replace="replace">
            <ip>::/1</ip>
            <ip>192.168.65.155</ip>
        </networks>
        <profile>default</profile>
        <quota>default</quota>
    </deep>
</users>
I'm using this command:
GRANT INSERT ON registry.simple_people TO deep
which gives me this error message:
Code: 495, e.displayText() = DB::Exception: Cannot update user `deep` in users.xml because this storage is readonly: Couldn't update user `deep`. Successfully updated: none (version 20.12.3.3 (official build))
I've read the ClickHouse docs here https://clickhouse.tech/docs/en/sql-reference/statements/grant/, and I've also been setting the readonly option to 2 and 0 without any difference in the output. Can any of you see where I could have missed something, or what I ought to do to make users.xml "not readonly"?
Note:
The user 'deep' can read from the DB.
I'm on WSL: Ubuntu-20.04
Most probably you are executing inserts using HTTP GET instead of POST.
https://clickhouse.tech/docs/en/interfaces/http/#http-interface
When using the GET method, ‘readonly’ is set. In other words, for queries that modify data, you can only use the POST method. You can send the query itself either in the POST body or in the URL parameter.
There are two ways to manage users: the old XML way and the new create/grant/RBAC way.
XML-created users cannot be targeted by GRANT; they are managed using XML settings.
By DEFAULT, XML users have full access to EVERYTHING.
You can set READONLY using XML + a profile, and assign this profile to the XML user:
<profiles>
    <roprofile>
        <readonly>1</readonly>
    </roprofile>
</profiles>
When I try to update the contact information for GeoServer global settings using https://127.0.0.1:8080/geoserver/rest/settings, it doesn't work. When I try to update the info below using the above call:
<global>
    <settings>
        <contact>
            <address>test</address>
            <addressCity>Hyderabad</addressCity>
            <addressCountry>India</addressCountry>
        </contact>
    </settings>
</global>
It resets all the details from the contact info and puts in only the above three fields. Is there any attribute or a way to make it work as expected? My requirement is to update only the fields sent through the request and keep the remaining fields unchanged.
Thanks in advance.
You need to GET all the contact info as an XML or JSON file, make the changes you need, and then POST the changed file back to GeoServer.
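As an added example (not GeoServer's code and not the poster's), the Python below implements the read-modify-write the answer describes: fetch the full settings document, overlay only the fields present in the partial update, and send the complete document back, so contact fields the caller did not mention survive. The settings XML is constructed sample input; the endpoint path, the basic-auth credentials and the HTTP method in update_global_settings are assumptions to check against the GeoServer REST reference for your version.

```python
"""Partial update of GeoServer global settings without clobbering other fields.
Added example; the XML documents are constructed sample input."""
import base64
import urllib.request
import xml.etree.ElementTree as ET

# Constructed "current" document as a GET on the settings resource might return it.
CURRENT_SETTINGS = """<global><settings>
  <contact>
    <contactPerson>Jane Admin</contactPerson>
    <contactEmail>admin@example.test</contactEmail>
    <address>old address</address>
    <addressCity>Old City</addressCity>
    <addressCountry>Old Country</addressCountry>
  </contact>
  <charset>UTF-8</charset>
</settings></global>"""

# The partial body from the question: sent on its own, it wipes the other fields.
PARTIAL_UPDATE = """<global><settings><contact>
  <address>test</address>
  <addressCity>Hyderabad</addressCity>
  <addressCountry>India</addressCountry>
</contact></settings></global>"""


def _overlay(target: ET.Element, patch: ET.Element) -> None:
    """Copy leaf values from patch into target; missing elements are created."""
    for child in patch:
        match = target.find(child.tag)
        if match is None:
            match = ET.SubElement(target, child.tag)
        if len(child):
            _overlay(match, child)
        else:
            match.text = child.text


def merge_settings(current_xml: str, update_xml: str) -> str:
    """Return the full settings document with the partial update applied."""
    current = ET.fromstring(current_xml)
    _overlay(current, ET.fromstring(update_xml))
    return ET.tostring(current, encoding="unicode")


def field(xml_text: str, path: str):
    """Read one value by ElementTree path, e.g. 'settings/contact/address'."""
    return ET.fromstring(xml_text).findtext(path)


def update_global_settings(base_url, user, password, update_xml,
                           method="PUT", opener=urllib.request.urlopen):
    """GET the current settings, merge, and write the whole document back.
    Endpoint path and method are assumptions; `opener` is injectable so the
    flow can be exercised without a running server."""
    url = base_url.rstrip("/") + "/rest/settings.xml"
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    headers = {"Authorization": "Basic " + token,
               "Content-Type": "application/xml", "Accept": "application/xml"}
    with opener(urllib.request.Request(url, headers=headers)) as resp:
        current_xml = resp.read().decode("utf-8")
    merged = merge_settings(current_xml, update_xml)
    req = urllib.request.Request(url, data=merged.encode("utf-8"),
                                 headers=headers, method=method)
    with opener(req) as resp:
        return resp.status, merged
```

The merge only touches elements named in the partial body, so contactPerson, contactEmail and unrelated settings such as charset come back unchanged. Keep the GET and the write in the same call as here; if another admin changes the settings between your read and your write, their change is what gets overwritten, so re-read and retry on a conflict rather than caching the document.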
In my development environment my custom domain, wired up to a custom membership provider, has an anonymous user myDomain\Anonymous; however, when I deployed to QC it does not contain the anonymous user (other users work fine).
For some background, I need the anonymous user to lock down pages with the deny read.
The domains configuration for both instances are the same, see below:
<domain name="sitecore" ensureAnonymousUser="false" />
<domain name="extranet" />
<domain name="default" isDefault="true" />
<domain name="myDomain" ensureAnonymousUser="false" />
Any ideas? I'm running Sitecore 7 Update 2
It might be that you haven't set the switching provider correctly. So if on one environment you have storeFullNames=true and on the other environment storeFullNames=false, this means that in one instance you have created "myDomain\Anonymous" and in the other instance you are looking for "Anonymous".
The property indicates whether domains should be included in the name.
Anyway, why don't you just set ensureAnonymousUser="true", then it will create the user for you?
Having multiple development stages, I'd like to keep some Magento configurations in a file and not in the database, so I can have my development version and the production version in sync.
So I need to put the "base url" somewhere other than the database, because I'd like to export it from production to development.
Is it possible?
It's possible:
<default>
    <web>
        <unsecure>
            <base_url>https://foo.dev/</base_url>
        </unsecure>
        <secure>
            <base_url>https://foo.dev/</base_url>
        </secure>
    </web>
</default>
<websites>
    <ws_code>
        <web>
            <unsecure>
                <base_url>http://ws.foo.dev/</base_url>
            </unsecure>
            <secure>
                <base_url>https://ws.foo.dev/</base_url>
            </secure>
        </web>
    </ws_code>
</websites>
<stores>
    <store_code>
        <web>
            <unsecure>
                <base_url>http://store.foo.dev/</base_url>
            </unsecure>
            <secure>
                <base_url>https://store.foo.dev/</base_url>
            </secure>
        </web>
    </store_code>
</stores>
However if anyone ever saves (or has saved) the System > Configuration > Web section in the admin, the values in your config file for that scope will not apply.
There are a couple of strategies for protecting your entries
Use the file-based config approach and disable access to the Web section via admin user roles (for all users). Caveat: you'll need to provide all of the configuration options in your config.
Use setup scripts (PHP) to write the base_url entries to the core_config_data table, and protect them from being overwritten via an observer configured under the adminhtml event area for the core_config_data_save_before event.
You could also combine the observer protection from strategy #2 with the file-based config from strategy #1.
I have Liberty profile authentication working with MS Active Directory, but I am not able to set up a role mapping to a group.
I have created a security role in my web.xml:
<security-role>
    <description>Users who are authorized to do update and insert operations</description>
    <role-name>AuthorizedUser</role-name>
</security-role>
And for full WAS with wmm I have mapped the role to a group in ibm-application-bnd.xml, which works:
<security-role name="AuthorizedUser">
    <group name="mygroup" access-id="group:defaultWIMFileBasedRealm/CN=mygroup,OU=myorg,DC=mydomain,DC=AD,DC=myco,DC=com"/>
</security-role>
But this is not working with Liberty profile.
Do I need to alter the access-id?
The accessId must use exactly the same realm name as your user registry is configured to have. For example, if your registry is configured thusly:
<ldapRegistry realm="myLDAPRealm"/>
Then your accessId values must take on the same value
<security-role name="AuthorizedUser">
    <group name="mygroup" access-id="group:myLDAPRealm/..."/>
</security-role>
The default realm name for the LDAP registry is "LdapRegistry", and for reference, the default realm name for the basic registry is "BasicRegistry".
As AJ_R pointed out, you can remove the access-id field entirely and let the access-id be generated automatically. More often than not, specifying the access-id value manually is not necessary.
The issue was because 'o' != 'O' in "memberOf"; I don't think this was case sensitive in TWAS.
Customizing the MS Active Directory groupMemberIdMap fixed the group searches:
<activedFilters groupMemberIdMap="memberOf:member"/>
Did you use the same realmName (defaultWIMFileBasedRealm) when configuring MS Active Directory?
You can also try removing the access-id (just use the group name) and letting the Liberty server generate it using the realmName defined for the registry, to see if that helps.