I have created an angular application using composer and yeoman where transactions are happening correctly. Now I want to add users with different operational roles. I have added details in the permission file and created participants accordingly.
percmissions.acl looks like:
rule Govt {
description: "Allow all participants access to all resources"
participant: "org.acme.<network-name>.Govt"
operation: ALL
resource: "org.acme.<network-name>.*"
action: ALLOW
}
rule Farmer {
description: "Allow all participants access to all resources"
participant: "org.acme.<network-name>.Farmer"
operation: READ
resource: "org.acme.<network-name>.*"
action: ALLOW
}
rule SystemACL {
description: "System ACL to permit all access"
participant: "org.hyperledger.composer.system.Participant"
operation: ALL
resource: "org.hyperledger.composer.system.**"
action: ALLOW
}
Participants 'govt1' and 'farmer1' are successfully added as suggested in https://hyperledger.github.io/composer/managing/participant-add.html
To issue identity, I run the command:
composer identity issue -p hlfv1 -n ‘<networkname>’ -i admin -s adminpw -u govt1id1 -a "resource:org.acme.cphnetwork.Govt#govt1”
The issue is that the command does not give any output.. neither success nor error.
on q1. You can use the --issuer, -x flag on composer identity issue command to create an identity (associated with a participant) that will also have 'issuer' authority -> https://hyperledger.github.io/composer/reference/composer.identity.issue.html … on q2. Your playground would need to be connected via a v1 connection profile (and then you would need to connect to that deployed business network in playground) to the same runtime fabric where you originally deployed your business network (which your REST APIs are consuming via rest-server)
To address the original question, as per discussion on rocketchat:
Original command:
composer identity issue -p hlfv1 -n ‘<networkname>’ -i admin -s adminpw -u govt1id1 -a "resource:org.acme.cphnetwork.Govt#govt1”
Solution:
Remove the 'single quotes' from the <networkname>
Remove the word 'resource:'
Remove "double quotes" from namespace#participant
So if the business network name is govt-application, the command should look like:
composer identity issue -p hlfv1 -n govt-application -i admin -s adminpw -u govt1id1 -a org.acme.cphnetwork.Govt#govt1
As per discussion on rocketchat, simply removing the word 'resouce:' and retaining the quotes also works.
Related
I'm working with the LetsEncrypt dns-01 challenge system which entails dynamically creating a TXT record in Google Cloud DNS with specific content, so LE can assert proof of ownership for generating a wildcard certificate (so I can't use http-01). The problem is sometimes LE tells me to create a TXT record that starts with a "-", for example -E_DFDFHJKF1783FSHDJ. I cannot get the gcloud cli to properly accept this data no matter what I do.
Example:
gcloud dns record-sets transaction start --zone=myzone
gcloud dns record-sets transaction add "-E_ASDFSDF" --ttl=30 --zone=myzone --name=test --type=TXT
gcloud dns record-sets transaction remove "-A_DSFKHSDF" --ttl=30 --zone=myzone --name=test2 --type=TXT
If you run those commands and inspect the resulting transaction.yaml you can see whether it properly contains the right string. If it did it correct, you should see something like:
- kind: dns#resourceRecordSet
name: test.
rrdatas:
- '"ASDFASDF"'
ttl: 30
type: TXT
I am executing this via Node's child_process, but I have the issue even if I execute it directly from bash, so Node isn't really meaningful issue at the moment. I've tried echoing the value in. I've tried setting an environment variable and using that in the string.
No matter what I do I get an error like the following:
ERROR: (gcloud.dns.record-sets.transaction.add) unrecognized arguments: -E_ASDFSDF
It turns out some characters need to be escaped in the CLI. I can confirm that the following works:
gcloud dns --project=myprojectid record-sets transaction add "\-test123" --name=test.mydomain.com. --ttl=300 --type=TXT --zone=myzoneid
I'm trying to convert snmp v1 traps to v3. I've followed this discussion but it's vague.
I've also looked here but without success.
To be more clear: I have a Centos 6 station, with net-snmp 5.5 on it. I need to generate v1 traps, receive them, convert them to v3, then forward them.
Regarding the first guide, this is what I managed so far:
Master:
snmpd -Lo --master=agentx --agentXSocket=tcp:192.168.58.64:42000 udp:1161
Listen:
snmpwalk -v3 -u snmpv3user -A snmpv3pass -a MD5 -l authnoPriv 192.168.58.64:1161
Later edit:
I have made some progress, I was able to run snmpd as master, connect snmptrapd as agent to it, then have v1 traps mechanism functional.
I did the following:
In order to get snmptrapd connected as a subagent to snmpd you need to do the following:
###1 EDIT /etc/hosts.allow and add
snmpd: $(your_ip)
smptrapd: $(your_ip)
this is important because snmptrapd fails silently if rejected
by tcp wrap.
###2 EDIT /etc/snmp/snmpd.conf and add at the bottom of the other
com2sec directives.
com2sec infwnet $(your_ip) YOUR-COMMUNITY
add these lines
group MyROGroup v1 infwnet
group MyROGroup v2c infwnet
group MyROGroup usm infwnet
under
"# Second, map the security names into group names:"
add this view at the bottom of the other views
view all included .1 80
add this group acces at the bottom of other group access directives
access MyROGroup "" any noauth exact all none none
add this line as well:
master agentx
###3 TEST it with this:
snmpwalk -v1 -c YOUR_COMMUNITY $(your_ip) .
###4 CREATE THE FOLLOWING TRAP TEST EXAMPLE:
touch /usr/share/snmp/mibs/UCD-TRAP-TEST-MIB.txt
###5 COPY PASTE THE TEXT BELOW INTO IT:
UCD-TRAP-TEST-MIB DEFINITIONS ::= BEGIN
IMPORTS ucdExperimental FROM UCD-SNMP-MIB;
demotraps OBJECT IDENTIFIER ::= { ucdExperimental 990 }
demoTrap TRAP-TYPE
ENTERPRISE demotraps
VARIABLES { sysLocation }
DESCRIPTION "An example of an SMIv1 trap"
::= 17
END
###6 EDIT /etc/sysconfig/snmptrapd (not /etc/default/snmptrapd !!)
replace OPTIONS with this:
OPTIONS="-Lsd -m ALL -M /usr/share/snmp/mibs -p /var/run/snmptrapd.pid"
###7 TEST IT WITH
snmptrap -v 1 -c public $(your_ip) UCD-TRAP-TEST-MIB::demotraps "" 6 17 "" SNMPv2-MIB::sysLocation.0 s "Just here"
Now I just need to find a way to convert them to v3 and read/receive them from a remote snmpd
I have pulled this from a dumpsys of com.google.android.wearable.app
Service Resolver Table: Non-Data Actions:
com.google.android.clockwork.home.action.BIND_HOME:
adc4ff78 com.google.android.wearable.app/com.google.android.clockwork.home.watchfaces.HomeBackgroundService filter adc79b80
Action: "com.google.android.clockwork.home.action.BIND_HOME"
com.google.android.clockwork.action.TUTORIAL_FORCE:
adc9acc8 com.google.android.wearable.app/com.google.android.clockwork.home.tutorial.TutorialService filter adc9adf8
Action: "com.google.android.clockwork.action.TUTORIAL_START"
Action: "com.google.android.clockwork.action.TUTORIAL_FORCE"
Action: "com.google.android.clockwork.action.TUTORIAL_NEXT_STAGE"
Action: "com.google.android.clockwork.action.TUTORIAL_SKIP"
Action: "com.google.android.clockwork.action.TUTORIAL_NOTIFICATION_DISMISSED"
Action: "com.google.android.clockwork.action.TUTORIAL_DONE"
com.google.android.clockwork.action.TUTORIAL_START:
adc9acc8
I've tried to run:
am start -a com.google.android.clockwork.action.TUTORIAL_START -n com.google.android.wearable.app/com.google.android.clockwork.home.tutorial.TutorialService
However, I have not been able to restart the initial tutorial again. Any advice would be helpful
The answer was:
am startservice -a com.google.android.clockwork.action.TUTORIAL_FORCE -n com.google.android.wearable.app/com.google.android.clockwork.home.tutorial.TutorialService
I'm attempting to use the new incremental authorization for an installed app in order to add scopes to an existing authorization while keeping the existing scopes. This is done using the new include_granted_scopes=true parameter. However, no matter what I've tried, the re-authorization always overwrites the scopes completely. Here's a minimal Bash PoC script I've written to demo my issue:
client_id='716905662885.apps.googleusercontent.com' # throw away client_id (non-prod)
client_secret='CMVqIy_iQqBEMlzjYffdYM8A' # not really a secret
redirect_uri='urn:ietf:wg:oauth:2.0:oob'
while :
do
echo "Please enter a list of scopes (space separated) or CTRL+C to quit:"
read scope
# Form the request URL
# http://goo.gl/U0uKEb
auth_url="https://accounts.google.com/o/oauth2/auth?scope=$scope&redirect_uri=$redirect_uri&response_type=code&client_id=$client_id&approval_prompt=force&include_granted_scopes=true"
echo "Please go to:"
echo
echo "$auth_url"
echo
echo "after accepting, enter the code you are given:"
read auth_code
# swap authorization code for access token
# http://goo.gl/Mu9E5J
auth_result=$(curl -s https://accounts.google.com/o/oauth2/token \
-H "Content-Type: application/x-www-form-urlencoded" \
-d code=$auth_code \
-d client_id=$client_id \
-d client_secret=$client_secret \
-d redirect_uri=$redirect_uri \
-d grant_type=authorization_code)
access_token=$(echo -e "$auth_result" | \
grep -Po '"access_token" *: *.*?[^\\]",' | \
awk -F'"' '{ print $4 }')
echo
echo "Got an access token of:"
echo $access_token
echo
# Show information about our access token
info_result=$(curl -s --get https://www.googleapis.com/oauth2/v2/tokeninfo \
-H "Content-Type: application/json" \
-d access_token=$access_token)
current_scopes=$(echo -e "$info_result" | \
grep -Po '"scope" *: *.*?[^\\]",' | \
awk -F'"' '{ print $4 }')
echo "Our access token now allows the following scopes:"
echo $current_scopes | tr " " "\n"
echo
echo "Let's add some more!"
echo
done
The script simply performs OAuth authorization and then prints out the scopes the token is currently authorized to use. In theory it should continue to add scopes each time through but in practice, the list of scopes is getting overwritten each time. So the idea would be on the first run, you'd use a minimal scope of something like email and then the next run, tack on something more like read-only calendar https://www.googleapis.com/auth/calendar.readonly. Each time, the user should only be prompted to authorize the currently requested scopes but the resulting token should be good for all scopes including those authorized on previous runs.
I've tried with a fresh client_id/secret and the results are the same. I know I could just include the already authorized scopes again but that prompts the user for all of the scopes, even those already granted and we all know the longer the list of scopes, the less likely the user is to accept.
UPDATE: during further testing, I noticed that the permissions for my app do show the combined scopes of each incremental authorization. I tried waiting 30 seconds or so after the incremental auth, then grabbing a new access token with the refresh token but that access token is still limited to the scopes of the last authorization, not the combined scope list.
UPDATE 2: I've also toyed around with keeping the original refresh token. The refresh token is only getting new access tokens that allow the original scopes, the incrementally added scopes are not included. So it seems effectively that include_granted_scopes=true is having no effect on the tokens, the old and new refresh tokens continue to work but only for their specified scopes. I cannot get a "combined scope" refresh or access token.
Google's OAuth 2.0 service does not support incremental auth for installed/native apps; it only works for the web server case. Their documentation is broken.
Try adding a complete list of scopes to the second request, where you exchange authorization code for an access token. Strangely enough, scope parameter doesn't seem to be documented, but it is present in requests generated by google-api-java-client. For example:
code=foo&grant_type=authorization_code
&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fmyapp%2FoauthCallback
&scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.profile+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fplus.me+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fplus.stream.write
In the web server scenario, a complete list of granted scopes is returned together with authorization code when include_granted_scopes is set to true. This is another bit of information that seems to be missing from linked documentation.
Edit 1 Including a complete list of scopes in the code exchange request works for us in our Java app, but I have just tried your original script with no modification (except for client id/secret) and it works just fine (edited just the ids and tokens):
$ bash tokens.sh
Please enter a list of scopes (space separated) or CTRL+C to quit:
https://www.googleapis.com/auth/userinfo.profile
Please go to:
https://accounts.google.com/o/oauth2/auth?scope=https://www.googleapis.com/auth/userinfo.profile&redirect_uri=urn:ietf:wg:oauth:2.0:oob&response_type=code&client_id=189044568151-4bs2mcotfi2i3k6qp7vq8c6kbmkp2rf8.apps.googleusercontent.com&approval_prompt=force&include_granted_scopes=true
after accepting, enter the code you are given:
4/4qXGQ6Pt5QNYqdEuOudzY5G0ogru.kv_pt5Hlwq8UYKs_1NgQtlUFsAJ_iQI
Got an access token of:
ya29.1.AADtN_XIt8uUZ_zGZEZk7l9KuNQl9omr2FRXYAqf67QF92KqfvXliYQ54ffg_3E
Our access token now allows the following scopes:
https://www.googleapis.com/auth/userinfo.profile
https://www.googleapis.com/auth/userinfo.email
https://www.googleapis.com/auth/plus.me
https://www.googleapis.com/auth/plus.circles.read
You can see that the previously granted scopes are included...
I have to create a script to manage maintenance pages server for my hosting company.
I will need to do a CLI interface that would act like this (example scenario) :
(here, let's suppose that mcli is the name of the script, 1.1.1.1 the original server address (that host the website, www.exemple.com)
Here I just create the loopback interface on the maintenance server with the original ip address and create the nginx site-specific config file in sites-enabled
$ mcli register www.exemple.com 1.1.1.1
[DEBUG] Adding IP 1.1.1.1 to new loopback interface lo:001001001001
[WARNING] No root directory specified, setting default maintenance page.
[DEBUG] Registering www.exemple.com maintenance page and reloading Nginx: OK
Then when I want to enable the maintenance page and completely shutdown the website:
$ mcli maintenance www.exemple.com
[DEBUG] Connecting to router with SSH: OK
[DEBUG] Setting new route to 1.1.1.1 to maintenance server: OK
[DEBUG] Writing configuration: Ok
Then removing the maintenance page:
$ mcli nomaintenance www.exemple.com
[DEBUG] Connecting to router with SSH: OK
[DEBUG] Removing route to 1.1.1.1: Ok
[DEBUG] Writing configuration: Ok
And I would need a function to see the actual states of the websites
$ mcli list
+------------------+-----------------+------------------+
| Site Name | Server I.P | Maintenance mode |
+------------------+-----------------+------------------+
| www.example.com | 1.1.1.1 | Enabled |
| www.example.org | 1.1.1.2 | Disabled |
+------------------+-----------------+------------------+
$ mcli show www.example.org
Site Name: www.example.org
Server I.P: 1.1.1.1
Maintenance Mode: Enabled
Root Directory : /var/www/maintenance/default/
But I never did this kind of scripting with Ruby. What gems do you recommend for this kind of things ? For command line parsing ? Column/Colorized output ? SSH connection (needed to connect to cisco routers)
Do you recommend me to use a local database (sqlite) to store meta datas (Stages changes, actual states) or do you recommend me to compute on the fly by analyzing nginx/interfaces configuration files and using syslog for monitoring changes done with this script ?
This script will be used at first time for a massive datacenter physical migration, and next for standard usages for scheduled downtimes.
Thank you
First of all, I'd recommend you get a copy of Build awesome command-line applications in Ruby.
That said, you might want to check
GLI command line parsing like git
OptionParser command line parsing
Personally, I'd go for the SQLite approach for storing data, but I'm biased (having a strong SQL background).
Thor is a good gem for handling CLI options. It allows this type of organization in your script:
class Maintenance < Thor
desc "maintenance", "put up maintenance page"
method_option :switch, :aliases => '-s', :type => 'string'
#The method name is the name of the task that would be run => mcli maintenance
def maintenance
#do stuff
end
no_tasks do
#methods that you don't want cli tasks for go here
end
end
Maintenance.start
I don't really have any good suggestions for column/colorized output though.
I definitely recommend using some kind of a database to store states though. Maybe not sqlite, I would probably opt for maybe a redis database that stores key/value pairs with the information you are looking for.
We have similar task. I use next architecture
Small application (C) what generate config file
Add nginx init.d script new switch update_clusters. This script will restart nginx only if config file is changed
update_clusters() {
${CONF_GEN} --outfile=/tmp/nginx_clusters.conf
RETVAL=$?
if [[ "$RETVAL" != "0" ]]; then
return 5
fi
if ! diff ${CLUSTER_CONF_FILE} /tmp/nginx_clusters.conf > /dev/null; then
echo "Cluster configuration changed. Reload service"
mv -f /tmp/nginx_clusters.conf ${CLUSTER_CONF_FILE}
reload
fi
}
Set of bash scripts to add records to database.
Web console to add/modify/delete records in database (extjs+nginx module)