I have a mesos cluster with a master and 6 agents. I have enabled authentication for users and passed user credentials with their roles while starting mesos-master. Now I wanted to dynamically add new users to the master. How can I do that without stopping mesos-master?
You can develop your own authentication module
Authenticatee and Authenticator modules allow for third parties to quickly develop and plug-in new authentication methods. An example for such modules could be to support PAM (LDAP, MySQL, NIS, UNIX) backed authentication. — Documentation / Modules
Here you can see an example of how to do it. This code is quite old, but it shows the basic concept.
Related
How do we map LDAP groups to the teams in OLAM? OLAM is based on the upstream project Ansible AWX.
I am trying to implement RBAC in OLAM. It seems we need to create a new LDAP object in OLAM every time we want to map a new LDAP group to the team.
OLAM documentation:
https://docs.oracle.com/en/operating-systems/oracle-linux-automation-manager
I have a puppet module that is deploying a standalone nifi instance. It's all working and it will deploy the application with an initial admin user etc via authorizers.conf.
But in order to configure additional users and groups there is a long process of creating policies and adding users and groups via the GUI. I want to automate some of this in my puppet module.
It would be good to be able to automatically create an admin group which is already assigned to a load of policies.
It doesn't seem like this is possible though, as the best practice is to only edit authorizers.xml and allow that to create the resulting authorizations.xml and users.xml, and there is no setting within authorizers.xml to create initial groups or initial policies.
My only idea at the moment is to use something like the nipyapi Python module to create users and groups via the API during the initial install.
Or perhaps ignoring the authorizers.xml and just deploying a pre-configured authorizations.xml and users.xml.
Am I missing any other simple or better options?
We are trying to set up a SonarQube server (v. 6.5) to run in Kubernetes. Because of this, we need everything to be configured "as code" not through the web interface.
We have successfully set up single sign-on (SSO) against an LDAP server, and that works as such. But since users can then not log out in order to log in as a static admin, we need some way to configure a group that has admin privileges.
It is my understanding that this should be done via group mapping, but all documentation and examples I can find only suggest setting up the groups through the UI.
Is there some way to configure groups via sonar.properties (or other properties file) that are then automatically mapped against groups from LDAP, and configure a group to get admin rights?
I am pretty new to SonarQube (and no ldap expert either), so I hope the question makes sense.
There is no way to configure groups through properties. There are web services (which are used by the UI itself) with which you could script this.
Alternately, see if you can turn on group synching with your SSO. Then you just have to grant admin rights (via the UI? via web services?) to the appropriate group in SonarQube.
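A sketch of scripting the web services mentioned in the answer above; this is an added example, not code from the original posts or from SonarQube. It uses the `api/user_groups/create` and `api/permissions/add_group` endpoints; the host, token and group name are constructed placeholders, and the group name is assumed to match the name your LDAP/SSO group sync delivers.

```python
import base64
import urllib.error
import urllib.parse
import urllib.request

# Global permission keys accepted by api/permissions/add_group.
GLOBAL_PERMISSIONS = {"admin", "gateadmin", "profileadmin", "provisioning", "scan"}


def build_admin_group_requests(base_url, token, group, permissions=("admin",)):
    """Return the POST requests that create `group` and grant it global permissions."""
    unknown = set(permissions) - GLOBAL_PERMISSIONS
    if unknown:
        raise ValueError("unknown global permission(s): %s" % sorted(unknown))
    # A user token is sent as the basic-auth username with an empty password.
    auth = "Basic " + base64.b64encode((token + ":").encode()).decode()

    def post(path, params):
        return urllib.request.Request(
            base_url.rstrip("/") + path,
            data=urllib.parse.urlencode(params).encode(),
            headers={"Authorization": auth},
            method="POST",
        )

    requests = [post("/api/user_groups/create", {"name": group})]
    for perm in permissions:
        requests.append(post("/api/permissions/add_group",
                             {"groupName": group, "permission": perm}))
    return requests


def send_all(requests, opener=urllib.request.urlopen):
    """Send the requests in order and record each HTTP status instead of raising,
    so a re-run against an already configured server shows which call was refused."""
    results = []
    for req in requests:
        try:
            with opener(req, timeout=10) as resp:
                results.append((req.full_url, resp.status))
        except urllib.error.HTTPError as err:
            results.append((req.full_url, err.code))
    return results
```

Run it from the deployment job with a token belonging to an administrator, and keep that token in a Kubernetes secret rather than in the image or in sonar.properties.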
I am working on a cloud-based application using Apache NiFi; for this we are required to support multitenancy. But the current NiFi implementation only supports role-based access for users, for a single flow.
I could understand that the flow state is saved as a single compressed XML file for a NiFi instance, so that whoever logs into that instance can view the same flow. Our requirement is to create unique flows for each user login. I tried to replicate the state-saving gz XML file for each user, but couldn't succeed, as the FlowService/FlowController which loads the XML file is instantiated at application startup and they are singletons. Please correct me if I am wrong with this approach. Or is there any other solution for adding multitenant support with NiFi? I also wonder about the reason behind NiFi being a single-user application.
Multi-tenant support will be introduced in Apache NiFi 1.0.0. There is a BETA release available [1]. This will support assigning permissions on a per-component basis. However, the different tenants still share a canvas. There have been discussions of introducing a workspace concept that could provide visually separate dataflows.
[1] https://nifi.apache.org/download.html
One of my clients wants to understand the IAM feature before migrating a business application to the Amazon cloud.
I have figured out two use cases which we can recommend to our client; these are:
Resource-Level Permissions for EC2
• Allow users to act on a limited set of resources within a larger, multi-user EC2 environment.
• Control which users can terminate which instances.
• Restricting a user's access to a single EC2 instance (currently not supported by Amazon APIs)
IAM Roles for Amazon EC2 resources
Command Line Usage
• Unix/Linux/Windows - Use the AWS Command Line Interface, which is a unified tool to manage the AWS services. We can access the Command Line Interface using the EC2 instance launched with IAM role support without specifying the credentials explicitly.
Programmatic Usage
• Use the appropriate AWS SDK for your language of choice. Configure it without specifying the credentials.
I would like to know other capabilities of IAM which we can recommend to our client and other use cases which you can recommend to us. Please let us know if any further explanation is required.
Any prompt response will be highly appreciated.
Thanks in advance
This is a very useful feature of AWS!
User Management - If you are a large team, you will have to give different users (or developers/testing, deployment) different types of permissions. Access levels like (say) S3 read-only, DynamoDB full-access etc.
Manage Users : http://aws.amazon.com/iam/details/manage-users/
Not to keep credentials in code. If you use IAM roles, you can mention that, say, an EC2 should work on this role. This will help you achieve things like "cluster with only access to S3, not DB".
IAM Roles for Amazon EC2 - Amazon Elastic Compute Cloud : http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html
Handle Release staging. This is a benefit from the ROLE. You move apps from dev, qa, staging and prod. I usually keep different accounts for this. In this case, if you configure the EC2 to run on roles, then the stage difference can be handled without code change. Just move the build from one account to another, and it works with no risk!
Lots of other benefits:
Product Details : http://aws.amazon.com/iam/details/
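For the "control which users can terminate which instances" use case listed in the question, the following added example (not from the original posts) builds an IAM policy that scopes start/stop/terminate to instances whose tag equals the caller's IAM user name. The `Owner` tag key, the region and the account ID are assumptions, and `may_terminate` is a deliberately simplified model of how this one statement is evaluated, not the real IAM engine.

```python
import fnmatch
import json


def terminate_own_instances_policy(region, account_id, tag_key="Owner"):
    """Policy document: describe everything, act only on instances you own."""
    return {
        "Version": "2012-10-17",  # required for the ${aws:username} policy variable
        "Statement": [
            # Describe calls do not support resource-level permissions.
            {"Sid": "DescribeAll", "Effect": "Allow",
             "Action": "ec2:DescribeInstances", "Resource": "*"},
            {"Sid": "ActOnOwnInstances", "Effect": "Allow",
             "Action": ["ec2:StartInstances", "ec2:StopInstances",
                        "ec2:TerminateInstances"],
             "Resource": f"arn:aws:ec2:{region}:{account_id}:instance/*",
             "Condition": {"StringEquals": {
                 f"ec2:ResourceTag/{tag_key}": "${aws:username}"}}},
        ],
    }


def may_terminate(policy, username, instance_arn, instance_tags):
    """Simplified check: does any Allow statement cover TerminateInstances here?"""
    for st in policy["Statement"]:
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        if st["Effect"] != "Allow" or "ec2:TerminateInstances" not in actions:
            continue
        if not fnmatch.fnmatchcase(instance_arn, st["Resource"]):
            continue
        wanted = st.get("Condition", {}).get("StringEquals", {})
        # An untagged instance never matches: .get() returns None.
        if all(instance_tags.get(key.split("/", 1)[1])
               == value.replace("${aws:username}", username)
               for key, value in wanted.items()):
            return True
    return False


if __name__ == "__main__":
    # Constructed sample values: region and account ID are placeholders.
    print(json.dumps(terminate_own_instances_policy("eu-west-1", "111122223333"),
                     indent=2))
```

The condition is only as strong as control over the tag: users bound by this policy should not also be allowed `ec2:CreateTags` or `ec2:DeleteTags` on those instances.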