I have the couchbase couchchat sample app. I have everything working. I can add a user. I can use the admin port of the sync gateway and see the user.
Where in the code can I see an example of the call to the sync gateway to create the _user entry?
It's a sync_gateway side process. It handles processing the results Ref:
Related
I'm trying to stream data from DynamoDB to ElasticSearch. I've checked the documentation by AWS + some other sources online but I'm stuck on a security issue. So I'm using a lambda function, the process of retrieving data from DynamoDB is fine, but then when I try to write back to ElasticSearch I get an error:
"no permissions for [indices:data/write/bulk] and User [name=arn:aws:iam::account number:role/dynamodb_to_es, backend_roles=[arn:aws:iam::account number:role/dynamodb_to_es], requestedTenant=null]"
This is my Lambda function. I realized it would always fail because of the "_bulk" extension. Thank you!!
My Lambda function:
https://github.com/YassineRjl/Lambda-Func---DynamoDB-to-ElasticSearch/blob/master/lambda_func.py
My IAM role:
You don't have to disable "fine-grained access control". Instead, you can edit role mapping.
For detailed information & steps please check:
https://aws.amazon.com/tr/premiumsupport/knowledge-center/es-troubleshoot-cloudwatch-logs/
"I'm unable to stream my CloudWatch log group to an Amazon ES domain when fine-grained access control is enabled." subject.
If you're finding this from Google like me, this worked for my use-case:
Open your Kibana dashboard (https://your-domain-somerandomstring.us-east-1.es.amazonaws.com/us-east-1.es.amazonaws.com/_plugin/kibana/app/opendistro_security#/roles/view/all_access/mapuser)
Navigate to Security in the left nav
Select Roles
Select a role that you'd like to attach your user to (in the example above, it's "all_access")
Add your Username from the error log, or use the ARN for your username (mine was related to the instance profile associated to the instance I was connecting from)
I found the solution. During the creation of the ES instance, make sure to unselect "fine-grained access control" & avoid VPC for the sake of Https, then on the roles, create a role on IAM and copy-paste the ARN in the ES dashboard during the instance setup
You should map your user to role: kibana_user, which defines basic permission to access index.
We have a scenario where we are polling users from Active directory to keycloak and this works perfectly fine and any recently changed user automatically gets added in keycloak .But here I have to load same users from Keycloak to my SpringBoot application DB on certain interval say 1 hour . So the high level data flow is like below
Active Directory -> KeyCloak ->Spring Boot Service Poll->Application DB
Need to find a best way to process only users who have recently been modified in keycloak so that I shall have less number of records to update in Application DB.
Keycloak keycloakInstance=// pass Keycloak URL to KeycloakBuilder
Userresource userResource=// using keycloakInstance pass realmName and getUsers
List uersListFfromkeyCLoak// Here need only users who have changed in last one hour
You can implement a Keycloak plugin based on the EventListenerSpi. In your custom EventListenerProvider you can react to any change of user objects. You may write the change events to a message queue and read from that queue with your spring boot application.
For more information and a code snippet have look at my answer on that quite similar question.
I am aware of adding/managing users from GUI in NiFi i.e. a admin user and add user and groups/policies etc.
This is maintained in users.xml file.
I wanted to know, can we manually add records in users.xml instead of GUI?
If yes, how is identifier tag of user derived by NiFi. For e.g. I see a tag:
How is above identifier generated?
The reason for above is, we can maintain the users.xml file in our code base and whenever new users need to be added in NiFi, team can update its details in this file and release and we re-start NIFi. We do not have to rely on GUI to add new users.
Is it possible?
EDIT:
To be more clear, currently we have ldap authentication in place using ldap-provider. So that part is fine. I am not lookng for ldap authentication to NiFi.
Now for actual roles/permissions for "authorized users" i.e. who can see the processors/components, create new processors, query data provenance etc admin go to NiFi UI and add users/groups/policies etc. These details are then updated in users.xml.
I am specifically looking to achieve this activity via automating or from backend.
As per the response from Bryan, I think the feasible solution is using Nifi REST API for that.
The users.xml and authorizations.xml really shouldn't be manually edited/maintained, they are internals of the file-based authorizer that are not meant to be a public API.
It would be better to maintain a script that looped through a list of users and used NiFi's REST API to see if the user existed, and if it didn't then created the user using the REST API.
Another option would be to load your users from a Directory Server. This is detailed in the admin guide [1]. This implementation is configured with an interval for retrieving new users from the Directory Server.
[1] https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#authorizers-setup
users.xml doesn't intended to updated by users. This can be overcomed if you use external authentication providers ex. ldap-authentication provider
Is it possible to disable requests sent to Parse without a master key? I'd like to only access Parse through my custom backend and not give users direct access. Does public 'read' set on the User class mean that anyone can read the records in that class? If so, why is this a default - wouldn't that be against good security practices?
Thanks,
Daniel
Public read means that anyone with your api key can read the user collection from your parse server. Api key is not the best approach to protect your app because anybody can know it by putting "sniffing" your network requests.
In order to protect and provide access you can protect your objects with ACL's which allows you to create access for specific user (who is logged in) or to specific role. So you have couple of options:
Create a master user - each user must have username and password and when you create your parse objects make sure that only this specific user create/read/delete and update them. You must only to make sure that when you create an object you create ACL for this user so only this user will be able to modify and read the object. You can read more about parse-server security and ACL's in here: http://docs.parseplatform.org/rest/guide/#security
Using parse cloud code - In cloud code there is a nice feature of useMasterKey which provide full access to any object of parse-server so for each operation that you run (via JS SDK) you can also set the useMasterKey to true and then parse-server will ignore all the ACL's and will execute the query for you. The useMasterKey feature work only in cloud code context so it's safe. If you want to provide additional level of security you can run the cloud code function with your master user (from section 1) and check inside the cloud code for the user session so if the session is empty then you can return an error.
You can read more about cloud code in here: http://docs.parseplatform.org/cloudcode/guide/
This is the code which validate the user session:
if (!request.user || !request.user.get("sessionToken")) {
response.error("only logged in users are allowed to use this service");
return;
}
I have a multi tenant FreeSWITCH setup and I am trying to retrieve the registrations belonging to a particular tenant.
I am aware of the mod command show registrations described here which returns all the current registrations on the FreeSWITCH.
I am also aware of sofia status profile <profile name> reg described here which shows registrations on a particular profile. This won't help either as the profiles on my FreeSWITCH are shared by multiple tenants.
Is there a way I can retrieve the data through event socket for a specified tenant?
you can execute show registrations via ESL and retrieve its output. The second field is realm, which is basically the name of the tenant. So, you would get all the registrations, and later you can filter by realm name. Also in theory, you can get direct access to the registation SQL database and run the queries directly in it.
I have done something similar to this.
first get all the registration of profile using following command:
"api sofia status profile internal reg" using event socket
after this based on your need convert data into json and search based on realm and print the result.
Please refer sofia_presence_data list|status|rpid|user_agent [profile/]<user>#domain cmd.
Even if this doesn't work. You need to get register and unregister events from ESL and save it to common DB and retrieve the user data, which i think a much simpler way.