Create Mesos role via REST API - mesos

Is there a way to create Mesos role using roles endpoint? I've tried different combinations of PUT / POST requests to http://mesos_master_url:5050/roles with different JSON body messages like
{
  "frameworks": [],
  "name": "new-role",
  "resources": {
    "cpus": 0,
    "disk": 0,
    "gpus": 0,
    "mem": 0
  },
  "weight": 1.0
}
but with no success. The docs themselves are not that useful.

Roles are part of the resource definition and must be set up at the node level. A new role is declared when there is at least one resource attached to it.
To assign a resource to a specific role, put the role name after the resource in brackets. For example, we want to run the roles development and test on one cluster, and we want to distinguish the ports offered to these roles: the development tasks will run on ports 31000-32000 and be tested on 41000-42000. To do this we define the following resources:
ports(develop):[31000-32000]; ports(test):[41000-42000]
See the Roles documentation and resources.

Also, roles are actually created on the mesos masters.
Generally, the config lives in /etc/mesos-master/roles and the content is like this:
role1,role2,role3,role4,role5,...,roleN
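As an added example (not from the question or either answer), here is a small Python checker for the two pieces of configuration the answers describe: it parses an agent resources string in the form shown above, flags port ranges that two roles share, and reports roles used on the agent that the master's comma-separated roles file does not list. The resources syntax and roles-file format are taken from the answers; the overlap and undeclared-role checks are my own consistency checks, not Mesos behaviour.

```python
import re
from typing import List, Set, Tuple

# One entry of a Mesos resources string: name, optional "(role)", then the value.
_ENTRY = re.compile(
    r"^\s*(?P<name>[A-Za-z0-9_./-]+)\s*(?:\((?P<role>[^)]+)\))?\s*:\s*(?P<value>.+?)\s*$"
)

def parse_resources(spec: str) -> List[Tuple[str, str, object]]:
    """Turn "ports(develop):[31000-32000]; cpus:4" into (name, role, value) triples.
    Range values become a list of (lo, hi) ints, anything else a float scalar.
    A missing role means the default role "*"."""
    parsed = []
    for entry in spec.split(";"):
        if not entry.strip():
            continue
        m = _ENTRY.match(entry)
        if not m:
            raise ValueError(f"malformed resource entry: {entry!r}")
        name, role, value = m.group("name"), m.group("role") or "*", m.group("value")
        if value.startswith("[") and value.endswith("]"):
            ranges = []
            for r in value[1:-1].split(","):
                lo, hi = (int(x) for x in r.strip().split("-"))
                if lo > hi:
                    raise ValueError(f"inverted range {r.strip()!r} in {name}({role})")
                ranges.append((lo, hi))
            parsed.append((name, role, ranges))
        else:
            parsed.append((name, role, float(value)))
    return parsed

def port_range_clashes(resources) -> List[Tuple[str, str]]:
    """Pairs of roles whose 'ports' ranges overlap: two roles sharing port
    numbers defeats the per-role separation the answer sets up."""
    ports = [(role, lo, hi) for name, role, v in resources
             if name == "ports" for lo, hi in v]
    return [(a, b) for i, (a, lo1, hi1) in enumerate(ports)
            for b, lo2, hi2 in ports[i + 1:] if lo1 <= hi2 and lo2 <= hi1]

def undeclared_roles(resources, master_roles: str) -> Set[str]:
    """Roles used in the agent's resources but missing from the master's
    comma-separated roles list (the /etc/mesos-master/roles content).
    "*" is the default role and is never listed there."""
    declared = {r.strip() for r in master_roles.split(",") if r.strip()}
    return {role for _, role, _ in resources if role != "*" and role not in declared}
```

Run `port_range_clashes(parse_resources(spec))` and `undeclared_roles(parse_resources(spec), open("/etc/mesos-master/roles").read())` on a node's resources string to catch the two misconfigurations before restarting the agent.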

Related

Why won't the Authorize attribute work with my roles?

I cannot figure out why ASP.NET Identity does not work with my roles. I created a custom UserStore and a custom RoleStore. In my UserStore I implemented the IUserRoleStore interface, and I expected at least one of those methods to be called when ASP.NET determines if the user should be authorized to call a given endpoint, but none of the methods are getting hit.
I registered the services like this:
builder.Services.AddIdentity<User, ProReceptionRole>();
builder.Services.AddTransient<IUserStore<User>, UserStore>();
builder.Services.AddTransient<IRoleStore<ProReceptionRole>, RoleStore>();
I also tried registering the services using this variant (with and without the AddRoles part - and with different ordering of the extension methods):
builder.Services.AddIdentity<User, ProReceptionRole>()
.AddUserStore<UserStore>()
.AddRoleStore<RoleStore>()
.AddRoles<ProReceptionRole>();
When I add the [Authorize(Roles = "MyRole")] attribute to my controller class, then I get 403 Forbidden, even for users that have the given role.
I read through the documentation but I can't spot my problem. The only part that I am unsure about is that it says "If you are using Roles, update the RoleManager to use your RoleStore class." and I am assuming that this is done when I register my RoleStore, but maybe I have to do something extra?
Any pointers are greatly appreciated.
Thanks!

How to group users together by aws-cognito attributes?

I am trying to group users of my application together under a 'Company'.
I have done this in other applications by giving the users an account attribute/property called "company", which equals a string.
Then all data associated with that company is available to that user.
How can I do this with the AWS Amplify framework?
After some research I was able to figure this out.
In case anyone else runs into this problem...
What I was looking for was what AWS Amplify classifies as a 'Custom Resolver'. Essentially the resolver is the API logic for the GraphQL server on AWS' end.
Within your Amplify project structure there should be a folder called 'Resolvers'.
Mine was in
/backend/api/[API_NAME]/resolvers
Inside of this folder you are able to place different types of custom resolver logic for your backend.
Ideally you would place two custom files for every custom endpoint.
The two custom files would be as follows:
Query.listSomeTable.req.vtl
Query.listSomeTable.res.vtl
OR
Mutation.createSomeTable.req.vtl
Mutation.createSomeTable.res.vtl
These two files will override the resolver logic that AWS produces automatically. The files are in Apache's Velocity Engine format (.vtl).
You can read more about it here:
https://aws-amplify.github.io/docs/cli-toolchain/graphql#add-a-custom-resolver-that-targets-a-dynamodb-table-from-model

Serverless deploying multiple functions

I've recently updated my serverless project, and I've found that many things have changed in the last few updates.
https://serverless.com/
I don't fully understand what's the correct way to have multiple lambda functions and api gateway endpoints related to the same project. With the old serverless I had every lambda and endpoint as a completely separate function; this worked pretty well for me.
I can't seem to do this anymore; if I try, my second lambda function overrides my first, presumably because my "service name" for both is the same. My service name is the same because I want both rest endpoints in the same API in API Gateway, since serverless creates the API name based on the service name.
So then I tried to add both functions to the same "Service". This worked for the most part, except that now I need to include my custom role statement for all my functions into the same role (because this one role is now being linked to all my functions), effectively giving more permissions to each individual function than it should have. The other issue is that all my handler files for the different functions are being put into each function's deployment bundle.
So basically, I'm not sure what is the correct approach to have multiple functions that relate to the same project but are separate in functionality. It used to make sense, now it doesn't.
If anybody can give me some pointers please
Thanks
I understand your frustration. I had the same feeling until I looked deeper into the new version and formed a better understanding. One thing to note though, is the new version is not completely finished yet. So if something is completely missing, you can file an issue and have it prioritized before 1.0 is out.
You are supposed to define multiple functions under the same service under the functions: section of serverless.yml. To package these functions individually (exclude code for other functions) you will have to set individually: true under package: section. You can then use include and exclude options at the root level and at the function level as well. There's an upcoming change that will let you use glob syntax in your include and exclude options (example **/*-fn.js). You can find more about packaging here https://www.serverless.com/framework/docs/providers/aws/guide/deploying.
Not sure how to use different roles for different functions under the same service. How did you do it with 0.5?
I was trying to find a solution for individual iam roles per function as well. I couldn't find a way to do it, but while I was looking through the documentation I found the line: "Support for separate IAM Roles per function is coming soon." on this page, so at least we know they are working on it.
The "IAM Roles Per Function" plugin for Serverless allows you to do exactly what it says on the tin: specify roles for each function. You can still use the provider-level roles as well:
By default, function level iamRoleStatements override the provider level definition. It is also possible to inherit the provider level definition by specifying the option iamRoleStatementsInherit: true
EDIT: You can also apply a predefined AWS role at both the provider and function level.

available security roles in elasticsearch-jetty plugin

I am using elasticsearch-jetty plugin and trying to use it for the authentication of elasticsearch access.
I am wondering which security roles are available for users specified in realms.properties. I couldn't find a definite list.
I saw in examples usage of: admin, readwrite and read-only. Are there any other and where can I specify new ones?
I have just found that roles are defined inside of jetty-restrict-*.xml files, depending on which is used. For default jetty-restrict-all.xml file, only "readwrite" role is defined, but for jetty-restrict-write.xml role "admin" is also used.
That is also the place where other roles can be defined.

How to enumerate nested groups across domains?

I am using MemberOf Attribute to enumerate nested groups. I have 2 domains, 2 groups and one user. Please see below for configuration:
Domain DOMAIN-A has domain global group GROUP-A and USER-A.
Domain DOMAIN-B has domain local group GROUP-B.
USER-A is member of GROUP-A.
GROUP-A is member of GROUP-B.
Ideally, GROUP-A should contain GROUP-B in its MemberOf attribute, but it does not even have a MemberOf attribute. (I am using a Softerra LDAP Browser 2.6)
Will it be populated after replication? If yes, how to change replication interval? I want to have instant replication.
Thanks
What you want to use is a special attribute called tokenGroups. If you're on FX3.5 you can use this sample - http://dunnry.com/blog/2007/08/01/GettingActiveDirectoryGroupMembershipInNET35.aspx.
If you're wanting to use an older version of .Net or have some control over the process, you can parse out the attribute manually with something like this - http://dunnry.com/blog/EnumeratingTokenGroupsTokenGroupsInNET.aspx.
Finally, your service account or whatever context you're connecting to AD with will need to be in the Windows Authorization Access group if you use tokenGroupsGlobalAndUniversal.