Is it possible to have user access control on file level of HDFS?
Currently, everyone can access the data when clicking on the link like http://<domain>/webhdfs/v1/xxx.txt?op=OPEN.
Can I set certain groups of people and they can only access certain files or directories? The purpose is, not letting others access files which don't belong to them.
If this cannot be set on HDFS, is there any suggestion?
When security is off, the authenticated user is the username specified in the user.name query parameter. If the user.name parameter is not set, the server may either set the authenticated user to a default web user, if there is any, or return an error response.
When security is on, authentication is performed by either Hadoop delegation token or Kerberos SPNEGO. If a token is set in the delegation query parameter, the authenticated user is the user encoded in the token. If the delegation parameter is not set, the user is authenticated by Kerberos SPNEGO.
Below are examples using the curl command tool.
Authentication when security is off:
curl -i "http://<HOST>:<PORT>/webhdfs/v1/<PATH>?[user.name=<USER>&]op=..."
Authentication using Kerberos SPNEGO when security is on:
curl -i --negotiate -u : "http://<HOST>:<PORT>/webhdfs/v1/<PATH>?op=..."
Authentication using Hadoop delegation token when security is on:
curl -i "http://<HOST>:<PORT>/webhdfs/v1/<PATH>?delegation=<TOKEN>&op=..."
Ref: https://hadoop.apache.org/docs/r2.9.0/hadoop-project-dist/hadoop-hdfs/WebHDFS.html#Authentication
Related
I have been trying to implement 2fa using OTP. Till now i am successful doing it via browser flow using keycloak interface to login. Keycloak provides an API to give the access token after passing username, password & client-secret,
i.e. http://localhost:8080/realms/SpringBootKeycloak/protocol/openid-connect/token
Is there any any external api available to trigger my custom flow of sending OTP and verifying it, if not how can i implement this?
Keycloak doesn't provide any API to verify the OTP.
Keycloak provides an API to give the access token after passing username,
password & client-secret
Most likely you're talking here about Resource owner password credentials grant (Direct Access Grant).
The latest OAuth 2.0 Security Best Current Practice spec actually recommends against using the Password grant entirely, and it is being removed in the OAuth 2.1 update. (source).
Unless you have more specific requirements rather than just login and OTP, I'd recommend you to use a regular authorization code flow instead as a default way of authorization. Using this flow you'd be redirected to Keycloak login page and configure OTP to be displayed there without using Keycloak APIs.
I used this curl command to retrieve session details for a user in keycloak:
curl -X GET \
-H 'Authorization: Bearer $TOKEN' \
http://192.168.X.X:8080/auth/admin/realms/$REALM_NAME/users/$ID_OF_CLIENT/sessions
and in response we have:
[{
"id":"194d6b10-5b94-42c3-86d8-4d1780f70f52",
"username":"admin",
"userId":"e258f775-3597-4a72-a490-7bgd7c1cdfdb",
"ipAddress":"192.168.X.X",
"start":1589006511000,
"lastAccess":1589007060000,
"clients" :
{
"53d98bf8-fffd-484c-aae8-500a7cf7a8b6":"authz-servlet",
"9bc56128-972e-41fe-8946-3ce4b5660e24":"authz-client-app3"
}
}]
now I need to add some more details in the session information such as browser version for the logged-in user. Is there any way to add these details?
I suggest you to take a look at userinfo OIDC endpoint. Comparing to you current approach (utilizing Admin REST Api with administrative token) it accepts token issued for end user. If it ok for you, you will be able to customize endpoint output as you want. Customization available at Client Scopes and Mappers tabs in client settings.
Set of mappers available by default is quite wide but
i'm afraid by default Keycloak is not preserve information about UA, so you have to develop your own logic to extract it during login flow and than to store it in user session. If you are not familiar with implementing Keycloak Java SPI you can try to do implement your logic via JS mapper.
https://www.keycloak.org/docs/latest/server_admin/index.html#_protocol-mappers_oidc-user-session-note-mappers
https://www.keycloak.org/docs/latest/server_development/#_script_providers
AFAIK some examples should be in keycloak github
I'm working on a serverless app with aws.
I use AWS Cognito User Pool to manage user : register, login, logout.
Once those users have been confirmed, I use AWS Cognito Identity Pool to get temporary credentials. Then I use those credentials to access the api (the endpoint on my api require AWS_IAM for Auth and call lambda).
All of that work perfectly. But I need to know which user has requested the action. In the lambda I can get the IdentityId from my Identity Pool. But I need to get attributes from my user in User Pool.
So my question is : is there a way to get a user from User Pool using the IdentityId of the Identity attached to it ? Or at least, get the access token ? I know I can send the access token in headers but I would like to only depend on the AWS_IAM auth.
Getting from a federated identity_id back to the user pool user is tricky because there's no guarantee it is a user pool user (it could well be someone from Facebook, or even an unauthenticated user- depending on your configuration).
Given an IdentityId you can use identity:GetOpenIdToken to get a valid OpenId token (you can ignore the logins part of the request if you are just using UserPools).
You can then use this token against the userpools:GetUser end point.
There's a few pitfalls here, like ensuring you authenticate with a scope that allows you to see all the attributes you care about. If you haven't, then you'll need to use the username returned with userpools:AdminGetUser to get the full user profile.
We have to configure a time limited access per user and per client in keycloak. E.g. User a should have access to confluence from 2017-11-06 until 2018-11-06.
We configured a time-based policy in the keycloak admin console and checked sucessfully the conditions with the built-in evaltation page.
Clients >> Confluence >> Authorization >> Policies
But keycloak didn't evaluate the policies during the login of the user.
Our first assumption was that keycloak sould evaluate these policies while user authentication, but none of the policies we configured had any impact to the user authentication (The user can login independent of the policy configuration of the keycloak). We assumed that the client (e.g. Confluence) has to evluate the client policies. Is our assumption correct?
Please could you be so kind to give us hint how to configure user access policies in keycloak that will be evaluate during the user authentication?
The policies are all about authorization only!
They have no impact on authentication.
Authentication is just the verification of the login credentials.
Keycloak itself is not making any authorization decision. It just provides data, such as claims, roles and permissions that can be used by a client (i.e. application) to make authorization decisions.
Depending on the defined policies an authenticated user has specific roles and permissions in the corresponding access token.
The application then is responsible to allow or deny access for specific functionality or data based on the user's provided roles and permissions in the token.
That is, the policy you described will influence the permissions of the user. Before 2017-11-06 and after 2018-11-06 some required permissions will not be in the user's access token and therefore access to some functionality will be denied by the application.
Sorry, but I have no idea how this works in Confluence.
I am using spring boot for backend and Android device for frontend of my system.
Right now I am facing the challenge to use Spring-OAuth2 to secure my resource server.
I have some questions, which I want to discuss with you:
My knowledge + this tutorial are saying that I should use the OAuth2.0 "password" grant type for my mobile app to obtain an access token. The official spring tutorial for security gives an example how to obtain the access token using password grant type:
$ curl client:secret#localhost:8080/oauth/token -d grant_type=password -d username=user -d password=pwd
And here comes my first question: Is there any possibility to obtain access token using the password grant type without sending the "client secret" ?
Since the client secret could be "reverse engineered" by decompiling the client app. The obtaining access token without secret should be somehow possible, because Facebook SDK for Android also does not need the client_secret in the mobile app.
I think here I have a little trouble understanding why the clientID + clientSecret needs to be included in the request above, because, since there are already username + password included, it should be possible to generate the access token, so does this brings a next level of security ? and does it implies the following (example): I am logged in as Filip in my Android client and I am sending the access token A with each request to the server. Then I log in as Filip into web client and I try to access the resource server from web client using the access token A, which is not possible because access token A was issued only for Android client ?
The next question is how can I refresh the obtained access token ?
I was trying to do so using the command below, but I got "Full authentication is required to access this resource." After I got the new refreshed token, can I use the refresh token to refresh my new access token again ?
curl -v --data "grant_type=refresh_token&client_id=acme&client_secret=acmesecret&refresh_token=REFRESH_TOKEN" http://localhost:9999/uaa/oauth/token
Thank you
The OAuth 2.0 spec allows for so-called public clients i.e. clients that don't authenticate themselves. So it is possible to use the Resource Owner Password Credentials grant with a public client, i.e. one that does not need to send a client secret. It does mean that the Authorization Server cannot assume anything about the client since a client_id is not a secret and there's no way to prevent a malicious client using this grant type or clients from impersonating each other. So using it in this way comes at the cost of reduced security although one may argue that in your case there's no way to use confidential clients anyhow, so there's no difference.
In general the Resource Owner Password Credentials grant is an anti-pattern for OAuth and only meant for migration purposes because it defeats most of the goals of OAuth in itself.
Access tokens are issued on a per-client basis.
You refresh token request seems OK but the Authorization Server may require basic authentication instead of providing the client_id/client_secret as post parameters, considering that you did the same for the original access token request.