Can devpi-server be used to create groups?

Devpi's docs for the --restrict-modify param specify that in addition to specifying access rights for a user, access rights can also be modified for a group:
specify which users/groups may create other users and their indices. Multiple users and groups are separated by commas. Groups need to be prefixed with a colon like this: ':group'. [...]
There's no documentation about how to actually create a group, though; is this integrated directly with the Unix groups available on the host machine?

The devpi server does not do any group management itself. Instead, it delegates it to the auth plugins. Take a look at the devpiserver_auth_user hookspec:
return dict containing authentication validation results.
A dict must be returned with a key "status" with one of the following values:
"ok" - authentication succeeded
"unknown" - no matching user, other plugins are tried
"reject" - invalid password, authentication stops
Optionally the plugin can return a list of group names the user is member of using the "groups" key of the result dict.
AFAIK currently there is only one plugin using groups: devpi-ldap, check out its code for a usage example.
As for binding the access rights to unix groups, you could easily write such an auth plugin yourself. Here is a dumb example of a plugin that does not do any real auth, only returning the unix groups the user requesting access belongs to:
# myplugin.py
import grp
from pluggy import HookimplMarker

# The marker name must match the host project's hookspec namespace.
hookimpl = HookimplMarker("devpiserver")

@hookimpl(tryfirst=True)
def devpiserver_auth_user(userdict, username, password):
    # get all groups for the user
    groups = [group.gr_name for group in grp.getgrall() if username in group.gr_mem]
    return {'status': 'ok', 'groups': groups}
Now add devpi's entry point in the plugin's setup script and you're good to go:
from setuptools import setup

setup(
    name='devpi-unix-group-auth',
    py_modules=['myplugin'],
    entry_points={
        # devpi-server discovers plugins through this entry point group
        'devpi_server': ['devpi-unix-group-auth = myplugin'],
    },
    ...
)
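As an added example (this is not code from the answer above or from the devpi project), the same hook written out so that it returns all three status values the hookspec quotes, "unknown", "reject" and "ok", plus the "groups" list, and with a small illustrative check of the `--restrict-modify` syntax the question quotes ("user1,user2,:group"). The marker name "devpiserver" and the hook signature are taken from the answer; the credential store, the sample group table and the `may_modify` parser are constructed stand-ins for illustration, not devpi-server's own implementation. If pluggy is not installed the marker degrades to a no-op decorator so the module still imports:

```python
import grp
import hashlib
import hmac
import secrets
from collections import namedtuple

try:
    from pluggy import HookimplMarker
except ImportError:  # pluggy is only present where devpi-server is installed
    def HookimplMarker(project_name):
        return lambda **kwargs: (lambda func: func)

hookimpl = HookimplMarker("devpiserver")


def _pbkdf2(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def make_record(password):
    """Constructed credential record: (random salt, PBKDF2-SHA256 digest)."""
    salt = secrets.token_bytes(16)
    return salt, _pbkdf2(password, salt)


# Constructed sample credential store, standing in for a real backend (PAM, LDAP, ...).
CREDENTIALS = {
    "alice": make_record("correct horse"),
    "bob": make_record("battery staple"),
}

# Constructed stand-in for grp.getgrall() so the example runs identically on any host.
_Group = namedtuple("_Group", "gr_name gr_mem")
SAMPLE_GROUPS = [
    _Group("wheel", ["alice"]),
    _Group("docker", ["alice", "bob"]),
    _Group("audio", []),
]


def unix_groups(username, getgrall=grp.getgrall):
    """Names of the Unix groups that list `username` as a member."""
    return sorted(g.gr_name for g in getgrall() if username in g.gr_mem)


def authenticate(username, password, store=CREDENTIALS, getgrall=grp.getgrall):
    """Return the result dict shape described by the devpiserver_auth_user hookspec."""
    record = store.get(username)
    if record is None:
        return {"status": "unknown"}          # no such user here: other plugins are tried
    salt, expected = record
    if not hmac.compare_digest(expected, _pbkdf2(password, salt)):
        return {"status": "reject"}           # wrong password: authentication stops
    return {"status": "ok", "groups": unix_groups(username, getgrall)}


@hookimpl(tryfirst=True)
def devpiserver_auth_user(userdict, username, password):
    return authenticate(username, password)


def may_modify(restrict_modify, username, groups):
    """Illustrative parse of the documented --restrict-modify syntax ("user1,:group");
    an assumption for this example, not devpi-server's own check."""
    allowed = {entry.strip() for entry in restrict_modify.split(",") if entry.strip()}
    return username in allowed or any(":" + g in allowed for g in groups)
```

The hook deliberately distinguishes "unknown" from "reject": returning "reject" for a user this backend has never heard of would stop devpi from consulting the next plugin, which matters when several auth plugins are stacked.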

Related

In discord.py, How to allow a command from users with multiple roles

I have a discord bot that checks for the user role by the command of:
@commands.has_role("Lab Demonstrator")
However, over the multiple servers, each has a slightly different roles setup and I would like to check for whether they have permission "Lab Demonstrator" OR "Staff" OR "teacher"
I've tried
@commands.has_role("Lab Demonstrator" OR "Staff")
and has not been successful.
Use the commands.has_any_role decorator:
@commands.has_any_role("Lab Demonstrator", "Staff", "Teacher")
async def ...
If you're checking the roles solely to ensure that the member has the permissions, then in general this is not a good practice. You can instead use
from discord.ext.commands import has_permissions
...
@client.command(name='whatever')
@has_permissions(administrator=True)  # or whichever permissions you want here
A couple of examples are manage_webhooks, ban_members and create_instant_invite. This ensures consistency of permissions even when role names, or the servers in question, are changed.

How can a graphql variable be used in permission in Hasura?

I have a mutation. How can I create a permission in hasura using variables in the graphql query?
eg:
mutation MyMutation($name: String!) {
  insert_post(objects: {name: $name}) {
    name
  }
}
How can I use the name variable in the permission?
Just in case somebody has the same question: currently, Hasura doesn't support checking permissions against a user-input value. It only accepts values from session variables like x-hasura-user-id, etc.
But I think Hasura's approach is correct in not allowing permissions to be set based on user input.
If my answer is wrong, please correct, thanks.
Hasura v2 allows for this sort of pattern now. For example, if you had a table that had a list of allowed names, you could check that the name being inserted was in the list of allowed names by doing something like this:
insert_permissions:
  - role: user
    permission:
      check:
        _exists:
          _table:
            name: allowed_names
            schema: public
          _where:
            name:
              _ceq: ["$", "name"]
See also:
https://github.com/hasura/graphql-engine/issues/3459#issuecomment-1085666541
https://hasura.io/docs/latest/graphql/core/api-reference/syntax-defs/

Is there a way to check an arbitrary security principal for Administrative rights on a local server with PowerShell?

Many examples on the web show the way to check the current user for Administrative privileges using
[Security.Principal.WindowsPrincipal]
[Security.Principal.WindowsIdentity]::GetCurrent()
Is there a similar way to check not the 'current' identity, but any identity (local or domain, for example, retrieved from the Get-ACL cmdlet) when running commands on a particular server?
I checked https://learn.microsoft.com/en-us/dotnet/api/system.security.principal.windowsidentity.-ctor?view=netframework-4.7.2#System_Security_Principal_WindowsIdentity__ctor_System_String_, but couldn't find a way to do it (only if you use constructor with UPN parameter, which is not suitable in my case). I would appreciate any hint.
You can try the following function, which, for a given user name:
tries to find the underlying identity (NT user account) in the same context as the calling user (domain vs. local); the user name may be specified in several formats, among them the NTLM format (<domain>\<username>).
then tests that identity for (static) membership in the built-in local Administrators group.
function Test-LocalAdminGroupMembership {
    param([string] $user)

    # Load the required assembly (a no-op if already loaded).
    Add-Type -AssemblyName System.DirectoryServices.AccountManagement

    # Obtain the specified user as a UserPrincipal instance.
    $up = try {
        if (-not $user) { # default to current user
            [System.DirectoryServices.AccountManagement.UserPrincipal]::Current
        } else {
            [System.DirectoryServices.AccountManagement.UserPrincipal]::FindByIdentity(
                [System.DirectoryServices.AccountManagement.UserPrincipal]::Current.Context,
                $user
            )
        }
    } catch {
        Throw
    }

    # See if the well-known SID of the local Administrators group
    # is among the SIDs of the groups that the user is a member of (PSv3+ syntax).
    $up.GetGroups().SID.Value -contains 'S-1-5-32-544'
}

LookupAccountNameW returns SidTypeAlias, but expected SidTypeGroup

I'm trying to determine the type of the entered credentials with:
SID_NAME_USE pe;
...
/* the backslash must be escaped inside a C string literal */
resolved = LookupAccountNameW(NULL, L"builtin\\users", &sid, &cbsid, buff, &dd, &pe);
No matter if I enter "builtin\users" or "users" it resolves successfully but returns SidTypeAlias in the pe enum.
But I expect SidTypeWellKnownGroup or SidTypeGroup.
Question: How can I reliably determine if a given string is a Windows group name?
The MSDN page Well-known SIDs briefly describes the meaning of "alias" in this context:
The following table has examples of domain-relative RIDs that you can use to form well-known SIDs for local groups (aliases).
One of the table entries is for the Users group, so the behaviour you are describing is as expected.
You can continue to use LookupAccountName() as you planned, you simply need to modify your code to recognize that any of SidTypeAlias, SidTypeWellKnownGroup, or SidTypeGroup represent groups.
The Glossary of the Security Account Manager Remote Protocol specification gives some hints as to what SidTypeAlias might be:
alias object: See resource group.
resource group: A group object whose membership is added to the authorization context only if the server receiving the context is a member of the same domain as the resource group.
This suggests that "alias" means "Domain Local group" in this context.
I confirmed this in my domain, by obtaining all domain groups using DirectorySearcher and calling LookupAccountName on each. Results:
all Global and Universal groups had SidTypeGroup;
all non-builtin Domain Local groups (groupType 0x80000004) had SidTypeAlias;
builtin Domain Local groups (those with groupType 0x80000005 = system-created domain local, such as Account Operators or Users) also had SidTypeAlias, but I had to run the code on a DC - when executed on a member workstation, LookupAccountName failed (ERROR_NONE_MAPPED) for all such groups except IIS_IUSRS.
Bottom line - SidTypeAlias should be treated as a group.
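As an added example (not part of the question or either answer), a Python helper that encodes the classification both answers arrive at: any of SidTypeAlias, SidTypeWellKnownGroup or SidTypeGroup is treated as a group. The enum values are those of the SID_NAME_USE enumeration in winnt.h; `is_group_type` is pure and runs anywhere, while `lookup_account` wraps LookupAccountNameW and ConvertSidToStringSidW through ctypes using the usual two-call buffer-sizing pattern and only works on Windows. The account name passed to it is whatever the caller supplies; no specific name is assumed:

```python
import ctypes
import sys
from enum import IntEnum


class SidNameUse(IntEnum):
    """Values of winnt.h's SID_NAME_USE enumeration."""
    SidTypeUser = 1
    SidTypeGroup = 2
    SidTypeDomain = 3
    SidTypeAlias = 4             # local / domain-local group, e.g. BUILTIN\Users
    SidTypeWellKnownGroup = 5
    SidTypeDeletedAccount = 6
    SidTypeInvalid = 7
    SidTypeUnknown = 8
    SidTypeComputer = 9
    SidTypeLabel = 10
    SidTypeLogonSession = 11


GROUP_TYPES = frozenset({
    SidNameUse.SidTypeGroup,
    SidNameUse.SidTypeAlias,
    SidNameUse.SidTypeWellKnownGroup,
})


def is_group_type(use):
    """True for any SID_NAME_USE value that denotes a group of some kind."""
    try:
        return SidNameUse(use) in GROUP_TYPES
    except ValueError:            # value outside the enumeration
        return False


def lookup_account(name, system=None):
    """Resolve an account name with LookupAccountNameW (Windows only).

    Returns (sid_string, domain, SidNameUse); raises OSError when the name
    cannot be mapped (e.g. ERROR_NONE_MAPPED) or when not running on Windows.
    """
    if sys.platform != "win32":
        raise OSError("LookupAccountNameW is only available on Windows")
    advapi32 = ctypes.WinDLL("advapi32", use_last_error=True)
    kernel32 = ctypes.WinDLL("kernel32", use_last_error=True)
    ERROR_INSUFFICIENT_BUFFER = 122

    cb_sid = ctypes.c_ulong(0)
    cch_domain = ctypes.c_ulong(0)
    use = ctypes.c_int(0)

    # First call with NULL buffers: only the required sizes are returned.
    advapi32.LookupAccountNameW(system, name, None, ctypes.byref(cb_sid),
                                None, ctypes.byref(cch_domain), ctypes.byref(use))
    if ctypes.get_last_error() != ERROR_INSUFFICIENT_BUFFER:
        raise ctypes.WinError(ctypes.get_last_error())

    # Second call with correctly sized buffers.
    sid = ctypes.create_string_buffer(cb_sid.value)
    domain = ctypes.create_unicode_buffer(cch_domain.value)
    if not advapi32.LookupAccountNameW(system, name, sid, ctypes.byref(cb_sid),
                                       domain, ctypes.byref(cch_domain), ctypes.byref(use)):
        raise ctypes.WinError(ctypes.get_last_error())

    # Convert the binary SID to its textual form for logging / comparison.
    str_sid = ctypes.c_wchar_p()
    if not advapi32.ConvertSidToStringSidW(sid, ctypes.byref(str_sid)):
        raise ctypes.WinError(ctypes.get_last_error())
    try:
        sid_text = str_sid.value
    finally:
        kernel32.LocalFree(str_sid)
    return sid_text, domain.value, SidNameUse(use.value)


def account_is_group(name, system=None):
    """Convenience wrapper: True if `name` resolves to any group type."""
    _, _, use = lookup_account(name, system)
    return is_group_type(use)
```

Keying the decision on the returned SID_NAME_USE rather than on the account name string avoids false negatives for localized or renamed groups, and the textual SID returned alongside it is the value worth recording in logs, since names can be changed while SIDs cannot.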

Checking group membership in rails devise ldap gem, is it in the yaml?

Am I supposed to be using the ldap.yml file to make sure whoever is authenticating with LDAP has the right groups assigned to them to allow them in?
I am not an AD pro by any means and this is confusing me... what's a group and what's an attribute? From what I understand, we have a user in AD, they have a sAMAccountName, and I can get it to let them into the app, but it doesn't care at this point what their groups are. It's a specialized app and really those that have a memberOf attribute of:
HD Admin
HD Helper
HD Reset
Security
should all be allowed into the app, I also (after using apache directory studio) have realized that there are many memberOf entries:
Bob for instance might have two memberOf entries:
memberOf CN=Security,OU=Groups,OU=Accounts,DC=ACN,DC=ad,DC=tdsu,DC=edu
memberOf CN=HD Admin, OU=Groups,OU=Accounts,DC=ACN,DC=ad,DC=tdsu,DC=edu
So how would my yaml look and is that the right spot to do these things?
authorizations: &AUTHORIZATIONS
  group_base: OU=Groups,OU=Accounts,DC=ACN,DC=ad,DC=nmsu,DC=edu
  ## Requires config.ldap_check_group_membership in devise.rb be true
  # Can have multiple values, must match all to be authorized
  required_groups:
    # If only a group name is given, membership will be checked against "uniqueMember"
    - CN=HD Admin
    - CN=HD Reset
    - CN=Security
    # If an array is given, the first element will be the attribute to check against, the second the group name
    - ["memberOf", " CN=HD Admin,OU=Groups,OU=Accounts,DC=ACN,DC=ad,DC=tdsu,DC=edu"]
    - ["memberOf", " CN=HD Helper,OU=Groups,OU=Accounts,DC=ACN,DC=ad,DC=tdsu,DC=edu"]
    - ["memberOf", " CN=HD Reset,OU=Groups,OU=Accounts,DC=ACN,DC=ad,DC=tdsu,DC=edu"]
    - ["memberOf", " CN=Security,OU=Groups,OU=Accounts,DC=ACN,DC=ad,DC=tdsu,DC=edu"]
  require_attribute:
    memberOf: HD Admin
I couldn't get the required attributes to work, so am I off base? Is there some way to do this in the devise scaffolding that was built from the ldap devise gem? Because really they can be in any of those groups, so it's an OR; they don't have to be in all of them to be let into the app.
At least, is the yaml the place or not the place to try this?
Update:
I did try it with the arrays I mentioned above, and config.ldap_check_group_membership = true; and it does not let me in no matter what now, so it's either all or nothing. I even took all the memberOf arrays down to one I know my test user has and it still doesn't let me in.
I also wanted to ask: should I just keep the following development: line and deal with all the checking of roles in code (and is there any sort of link on how to do that, maybe an API document, probably on GitHub somewhere)? It might just be easier to hand-code all the checking etc., but that means I will have to become much more familiar with devise too.
I should add the rest of my ldap.yml that is important:
development:
  host: directory.ldapstuff.com
  port: 636
  attribute: sAMAccountName
  base: OU=Main Users, OU=Accounts, DC=ACN, DC=ad, DC=tdsu, DC=edu
  admin_user: CN=EASApps, OU=LDAP, OU=Service Accounts, DC=ACN, DC=ad, DC=tdsu, DC=edu
  admin_password: asfssfaf
  ssl: true
  # <<: *AUTHORIZATIONS
I think you just need to uncomment the # <<: *AUTHORIZATIONS merge.
Old question, but if you're still having this issue, you can try to also enable ldap_ad_group_check in the devise.rb configuration file.
# devise.rb
...
config.ldap_check_group_membership = true
config.ldap_ad_group_check = true
...
I was having the same issue and this worked for me.