I am using the elasticsearch-jetty plugin and trying to use it for the authentication of elasticsearch access.
I am wondering which security roles are available for users specified in realms.properties. I couldn't find a definite list.
I saw in the examples the usage of: admin, readwrite and read-only. Are there any others, and where can I specify new ones?
I have just found that roles are defined inside the jetty-restrict-*.xml files, depending on which one is used. For the default jetty-restrict-all.xml file, only the "readwrite" role is defined, but for jetty-restrict-write.xml the role "admin" is also used.
That is also the place where other roles can be defined.
I'm using ovirt.ovirt.ovirt_role of Ansible to create roles in an RHV (Red Hat Virtualization) environment. I need to create a role which will provide all permissions to a user to perform operations. As per the example below, do I have to list all permissions, or is there any keyword which will enable all permits? I have copied the example from the link below. Thanks in advance.
link: https://docs.ansible.com/ansible/latest/collections/ovirt/ovirt/ovirt_role_module.html
    - ovirt.ovirt.ovirt_role:
        name: role
        administrative: true
        permits:
          - manipulate_permissions
          - create_instance
Sorry, but as far as I know you need to enable them one by one.
For further issues, please also add them to GitHub, which I check more frequently: http://github.com/ovirt/ovirt-ansible-collection
Is there a way to create a Mesos role using the roles endpoint? I've tried different combinations of PUT / POST requests to http://mesos_master_url:5050/roles with different JSON body messages like
    {
      "frameworks": [],
      "name": "new-role",
      "resources": {
        "cpus": 0,
        "disk": 0,
        "gpus": 0,
        "mem": 0
      },
      "weight": 1.0
    }
but with no success. The docs themselves are not that useful.
Roles are part of the resource definition, and this must be done at the node level. A new role is declared when there is at least one resource attached to it.
To assign a resource to a specific role, put the role name after the resource in brackets. For example, we want to run roles development and test on one cluster. We want to distinguish ports offered to these roles. The development tasks will be run on ports 31000-32000 and be tested on 41000-42000. To do it we define the following resources.
ports(develop):[31000-32000]; ports(test):[41000-42000]
See Roles documentation and resources
Also, roles are actually created on the mesos masters.
Generally, the config lives in /etc/mesos-master/roles and the content is like this:
role1,role2,role3,role4,role5,...,roleN
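An added example (not from the answers above and not Mesos project code): a Python check that parses a resources string in the name(role):value form shown in the first answer, reports roles missing from a comma-separated roles list like the one in the second answer, and flags port ranges shared between roles. The function names and the sample roles list "develop,qa" are assumptions made for illustration; only scalar and range values are handled.

```python
import re

# One item of a resources string: name(role):value, where "(role)" is optional.
ITEM = re.compile(r"^\s*([A-Za-z_]\w*)\s*(?:\(([^)]*)\))?\s*:\s*(.+?)\s*$")
RANGE = re.compile(r"^\s*(\d+)\s*-\s*(\d+)\s*$")

def parse_resources(spec):
    """Return [(name, role, value)]; ranges become [(lo, hi)], scalars float."""
    items = []
    for raw in filter(str.strip, spec.split(";")):
        m = ITEM.match(raw)
        if not m:
            raise ValueError(f"malformed resource item: {raw!r}")
        # A resource without "(role)" belongs to the default role "*".
        name, role, value = m.group(1), (m.group(2) or "*").strip(), m.group(3)
        if value.startswith("[") and value.endswith("]"):
            parsed = []
            for part in value[1:-1].split(","):
                r = RANGE.match(part)
                if not r or int(r.group(1)) > int(r.group(2)):
                    raise ValueError(f"bad range in {raw!r}")
                parsed.append((int(r.group(1)), int(r.group(2))))
        else:
            parsed = float(value)
        items.append((name, role, parsed))
    return items

def undeclared_roles(spec, roles_file_text):
    """Roles used in the resources string but missing from the master list."""
    declared = {r.strip() for r in roles_file_text.split(",") if r.strip()}
    used = {role for _, role, _ in parse_resources(spec)}
    return sorted(used - declared - {"*"})

def overlapping_ranges(spec, name="ports"):
    """Pairs of roles whose ranges for `name` share at least one value."""
    spans = [(lo, hi, role) for n, role, v in parse_resources(spec)
             if n == name and isinstance(v, list) for lo, hi in v]
    return sorted({tuple(sorted((a[2], b[2])))
                   for i, a in enumerate(spans) for b in spans[i + 1:]
                   if a[2] != b[2] and a[0] <= b[1] and b[0] <= a[1]})

# Constructed sample input: the resource string from the answer above and an
# assumed roles list that deliberately omits "test".
PAGE_SPEC = "ports(develop):[31000-32000]; ports(test):[41000-42000]"
ROLES_FILE = "develop,qa"

if __name__ == "__main__":
    print(undeclared_roles(PAGE_SPEC, ROLES_FILE), overlapping_ranges(PAGE_SPEC))
```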
I see an edit variable permission that is scoped to the environment. However, it seems like whoever is responsible for setting up the project would be responsible for creating the variables, where some other security entity would be responsible for only modifying the values, specifically the secure ones. Is this possible?
Edit:
Adding a little more, I suppose I'm asking for permissions based on the project variable set. Only those with the "EditProjectVariableSet" permission would be able to add or remove variables from the project.
Edit:
Added uservoice:
https://octopusdeploy.uservoice.com/forums/170787-general/suggestions/18022360-separate-permission-for-editing-variable-values-wi
In Configuration -> Teams there is a link to Roles.
You could create a new role, for example Variable Editor, and only assign VariableEdit, VariableEditUnscoped, VariableView, VariableViewUnscoped.
However I don't think you can restrict to a modification only.
I'm still working on my first Grails application. This time, my problem is to limit access to some actions for particular users.
Assume users add some object, e.g. books. I would like to give access to edit a book only to the admin and the user that added the book. I'm currently using the Acegi plugin. I know there is a newer version of that plugin, but I'm not sure if it changes anything in my problem.
The second thing is somewhat similar. I have a sidebar and there is "Hello ${currentUser.username}". currentUser is a method that returns an instance of the currently logged-in user. But the problem is that I don't have any idea where I can put this message to be able to use it everywhere. Should I put it in some service and include it everywhere? I tried to create an ApplicationController that is extended by all other controllers, but that doesn't seem to work. Have you got any ideas?
Thanks!
Grzegorz
You should use the newer Spring Security Core plugin since it has an ACL add-on plugin that does exactly what you're looking for. See http://grails.org/plugin/spring-security-acl for details.
For the second question, there's a taglib for that. In the Acegi plugin use this:
Hello <g:loggedInUserInfo field="username"/>
(see http://www.grails.org/AcegiSecurity+Plugin+-+Artifacts) and in the Spring Security Core plugin use this:
Hello <sec:username/>
(see the "Security Tags" section of http://burtbeckwith.github.com/grails-spring-security-core/docs/manual/)
For ROLE access you'll just need to specify that a particular ROLE for a particular URL has access to that action. That is if you are using the plugin's RequestMap approach. If you're using the annotation approach, just annotate the action in the controller with:
    @Secured(['WHATEVER_ROLE'])
As far as only allowing the user who created the book to edit it, you can pull the user domain out of the authentication with authenticateService.userDomain(), then you can compare that user with the user who created the book (assuming you have some sort of createdBy property on your Book domain).
    // User domain object of the currently authenticated user
    def loggedInUser = authenticateService.userDomain()
    if (book.createdBy.equals(loggedInUser)) {
        // allow editing
    }
Something like that, anyway.
What are the equivalent LDAP attributes for Active Directory?
I am looking for the password using Net::LDAP.
I don't know how to set the user password using Net::LDAP.
Here is a helpful article from Microsoft with some sample code that you might be able to adapt: https://support.microsoft.com/en-us/help/269190/how-to-change-a-windows-active-directory-and-lds-user-password-through
The essential attribute, it seems, is: unicodePwd (a.k.a. Unicode-Pwd, https://msdn.microsoft.com/en-us/library/ms680513(v=vs.85).aspx)
Also note some cautions and advice from this answer: https://serverfault.com/questions/423345/changing-active-directory-password-over-ldap-using-passwd-ldappasswd-samba
AD attribute names with cross reference of LDAP attribute names
https://msdn.microsoft.com/en-us/library/ms675090(v=vs.85).aspx
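An added example (not taken from the answers above or from the linked Microsoft article): Python that builds the value Active Directory expects in unicodePwd, the password wrapped in double quotes and encoded as UTF-16LE, and the LDIF modify records for an administrative reset and for a user-initiated change. The function names and the sample DN are assumptions made for illustration, and the DN is assumed to be plain ASCII.

```python
import base64

def encode_unicode_pwd(password):
    """unicodePwd value: the password in double quotes, encoded as UTF-16LE."""
    return ('"' + password + '"').encode("utf-16-le")

def _b64_line(password):
    # "::" marks a base64-encoded value in LDIF; the raw value is binary.
    encoded = base64.b64encode(encode_unicode_pwd(password)).decode("ascii")
    return "unicodePwd:: " + encoded

def reset_ldif(dn, new_password):
    """Administrative reset: a single replace of unicodePwd."""
    return "\n".join([
        f"dn: {dn}", "changetype: modify",
        "replace: unicodePwd", _b64_line(new_password), "-", "",
    ])

def change_ldif(dn, old_password, new_password):
    """User change: delete the old value and add the new one in one modify."""
    return "\n".join([
        f"dn: {dn}", "changetype: modify",
        "delete: unicodePwd", _b64_line(old_password), "-",
        "add: unicodePwd", _b64_line(new_password), "-", "",
    ])

# Constructed sample DN (hypothetical directory entry).
SAMPLE_DN = "CN=Test User,OU=Staff,DC=example,DC=com"

if __name__ == "__main__":
    # AD accepts writes to unicodePwd only over an encrypted connection,
    # so a record like this has to be sent over LDAPS or StartTLS.
    print(reset_ldif(SAMPLE_DN, "newPassword"))
```

The same quoted UTF-16LE bytes are what a Net::LDAP modify call has to pass as the attribute value; sending the plain string is rejected by the server.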