Airflow has the ability to impersonate a unix user:
run_as_user can be specified as a task parameter to tell which user to impersonate.
core:default_impersonation can be set in the config to specify the user to impersonate when run_as_user is not specified.
In addition to above, I also want authorization of who can impersonate whom. Is it possible to create groupings, where only a certain group of users can impersonate a particular user?
For your information, I tried to search through the different links but I didn't find the right answer. The below link looks like the same problem, but there is no proper answer for it.
Artifactory: SAML SSO group matching not working
I am facing a problem with respect to Artifactory group association with SAML. I tried to follow the process mentioned in the below link, but it doesn't work. Any kind of help is much appreciated.
https://jfrog.com/knowledge-base/how-do-i-configure-artifactory-saml-sso-with-adfs/
Our goal is to create the same group in Artifactory that is present in ADFS, so that we can give permissions to that respective group in Artifactory. But the problem is that people are able to log in using their domain credentials, whereas if we grant the permissions to the group it doesn't work as expected.
If you need more clarity I am happy to explain more on this issue.
The ADFS side is handled by another team; even they are not sure why it is not working. Is there any bug in Artifactory? I have configured SAML with Jenkins and it works fine.
I will try to elaborate about the process.
After a login request, the user and its groups are available to Artifactory in the assertion response that the SAML Identity Provider sends back to Artifactory. The data should be available in the assertion XML response, as long as the Identity Provider is configured to include it. For example, the Identity Provider can exclude the group information and include user data (i.e. username, mail) only.
In order to ensure that Artifactory can assign the user to the SAML group, you will need to do the following:
Configure the ADFS to include the user groups attributes on login response. You have mentioned that this is handled by other team, but you can see how this can be done in the link that you have attached in your post.
Create the relevant groups in Artifactory, or import them into Artifactory from another authentication provider (such as the Artifactory LDAP integration group screen). It is mandatory that the relevant groups exist in Artifactory.
Open the Artifactory Web-UI SAML configuration screen, mark the Auto Associate groups checkbox
Edit the Group Attribute text field and put in the SAML attribute name of the group declaration. The group attribute name that is required is the one that is returned in the SAML assertion response.
In the assertion it should look like this:
<saml:AttributeStatement>
  <saml:Attribute Name="memberof">
    <saml:AttributeValue>group1</saml:AttributeValue>
    <saml:AttributeValue>group2</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>
In your case, you can either get the group association attribute name from the other team that manages your ADFS, as you have mentioned, or just view the assertion in any kind of SAML tracer browser plugin (as long as the ADFS was configured to send the group attributes).
Once you have the above configured, when a SAML user logs in to Artifactory, the user will automatically be associated with the group that is returned by the SAML assertion response (as long as the group exists in Artifactory).
Note: the SAML group association is not persisted and is valid for the current login session only. Therefore, if you open the user/group screen in the UI, you will not see that user/group association there; however, if you grant a permission for a specific resource to the group that you expect the user to be assigned to, you can see that the user who logged in is capable of using the granted permission.
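The attribute lookup described in this answer, as an added example that is not Artifactory's own code: it pulls the values of the configured group attribute out of a constructed assertion fragment and keeps only the groups that already exist locally, which is the rule the answer describes. A mismatched attribute name (the usual cause of the problem in the question) simply yields no groups.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion fragment, shaped like the one shown in the answer.
# In a real deployment the assertion's signature is verified before anything
# in it is trusted; this example only models the attribute extraction step.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="mail">
      <saml:AttributeValue>user1@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="memberof">
      <saml:AttributeValue>group1</saml:AttributeValue>
      <saml:AttributeValue>group2</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def groups_from_assertion(assertion_xml, group_attribute):
    """Return the values of the attribute named group_attribute (e.g. "memberof")."""
    root = ET.fromstring(assertion_xml)
    values = []
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        if attr.get("Name") != group_attribute:
            continue  # a wrong "Group Attribute" setting ends up here for every attribute
        for value in attr.iterfind("saml:AttributeValue", SAML_NS):
            text = (value.text or "").strip()
            if text:
                values.append(text)
    return values


def associate_groups(assertion_xml, group_attribute, existing_groups):
    """Split asserted groups into those that exist locally (and get associated)
    and those that do not (and are silently ignored for this session)."""
    asserted = groups_from_assertion(assertion_xml, group_attribute)
    return {
        "associated": [g for g in asserted if g in existing_groups],
        "ignored": [g for g in asserted if g not in existing_groups],
    }
```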
Does anyone know how to have a restlet run as a different role? (e.g. similar to how Suitelets can be configured to run as the Administrator role)
Any tricks to make this possible?
There is no configuration of role on the Restlet script itself.
The role is defined when you send a request to the Restlet.
The header of the request contains the role that the restlet will execute as.
If you are using NLAuth to authenticate then one of the parameters is the role id. So if you want to execute it as admin, send "3" as the role id.
If you are using token authentication, then when you are creating the token, one of the steps is to choose the role.
In this case, you cannot execute as admin; you will have to define a role that corresponds to your needs.
I have created a secondary user store using LDAP. By default, all users of the secondary store have no permissions. Is there a way to assign the subscriber role to all users in one operation, or do I have to do it manually for each user?
Thanks
Since by default WSO2 uses the groupId ('Organization') of the user to share the Application in the Devportal, as mentioned here in the documentation: sharing applications
You can go to the Carbon UI and search for the LDAP users among which you want to share an Application. Next to the User click on the 'User Profile' tab. There you can edit the value next to the 'Organization' column. For this, your secondary user store should be 'ReadWriteLDAPUserStore'. Similarly, edit the value for each user in the secondary user store to the same value to share the Application among them.
In fact, in the LDAP user store, if you configure LDAP groups they are automatically created as roles, and you can apply permissions to a role which will be applied to all users of your LDAP group.
But I didn't find a way to share applications between users of an LDAP group...
Here is a better way to achieve it. In the official documentation it is mentioned that Applications can be shared if the users have common roles, and as you said, WSO2 treats AD groups as roles. Let's assume you have two users, user1 and user2, in your LDAP store, both of which are part of the AD group 'AD_Group'.
So mention the AD group name common to the users among which the application needs to be shared:
Also change the configuration as follows in the deployment.toml file:
[apim.devportal]
enable_application_sharing = true
#application_sharing_type = "default"
application_sharing_claim=http://wso2.org/claims/role
Background
Another team within our organization has a fully configured Active Directory server. My team builds Ruby on Rails applications and we authenticate users of our web applications against their setup. Due to some new security policies that are being put in place, our development machines will no longer be able to talk directly to the production servers. As a result, I'm trying to install OpenLDAP on my local machine (running Fedora) and use that to authenticate users when I'm developing.
Setup
I have been able to fully configure OpenLDAP and insert a record. My database looks like:
dc=dev,dc=com
  ou=Users
    cn=User 1
Inside the cn=User 1 entry, I have an attribute called accountName and I also have the standard userPassword attribute. As a test, I downloaded an LDAP browser and I'm able to successfully authenticate when I specify the full DN (cn=User 1,ou=Users,dc=dev,dc=com) and give the password that's in the userPassword field.
Question
In our production environment, all I have to give for authentication is the base DN (dc=dev,dc=com), the value for an accountName and the associated password. Once I authenticate, I'm able to access the other fields in the User 1 entry. What do I need to do to authenticate using the accountName field instead of a full DN?
There are two things to address here:
First off, if your production environment is Active Directory and you can't access it from your developer workstation, ask the team in charge of the AD environment to create a "dev" environment that you can access.
While the basic concepts of LDAP are standardised, the implementation-specific details vary greatly between AD and OpenLDAP.
Secondly, the way that most^ software is able to authenticate against LDAP using just a username and password is this:
User: submits a form (web, native app, whatever) with their username and password
Login process: binds to the LDAP server, either anonymously, or with a fixed service account DN and password.
Login process: does an LDAP search for the supplied username, matching against whichever attributes are relevant for the environment (e.g. "accountName" in your case)
Login process: fetches the DN of the found record (if any)
Login process: attempts an authenticated bind using the fetched DN and the supplied password from step 1.
Edit:
^ In some situations, the username supplied is the value component of the user's RDN, e.g. if my login is stephenr, my user entry's RDN might be cn=stephenr. If this is the case, and all user entries have the same parent object, the DN to authenticate as (step 5 above) can be created just by building a string, e.g. "cn={userid},ou=users,dc=example,dc=com" where {userid} is replaced with the supplied username value in step 1.
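The search-then-bind flow from steps 2 to 5 above, as an added example that is not part of the answer: it runs against a constructed in-memory stand-in for the directory (FakeDirectory, an assumption made so the example runs offline; a real login would issue the same bind and search calls through an LDAP client library). It also shows the two checks a login routine needs around those steps: escaping the username before it goes into the search filter (RFC 4515), and refusing an empty password, which many servers would accept as an unauthenticated bind.

```python
import re


def escape_filter_value(value):
    """Escape a user-supplied value for use inside an LDAP search filter (RFC 4515)."""
    specials = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(specials.get(ch, ch) for ch in value)


def _pattern_to_regex(pattern):
    """Filter semantics for the stand-in: a raw '*' is a wildcard, '\\XX' is a literal."""
    parts = []
    for piece in pattern.split("*"):
        literal = re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), piece)
        parts.append(re.escape(literal))
    return re.compile("^" + ".*".join(parts) + "$")


class FakeDirectory:
    """Constructed stand-in for an LDAP server: entries keyed by DN."""

    def __init__(self, entries):
        self.entries = entries  # {dn: {"attrs": {...}, "password": "..."}}

    def bind(self, dn, password):
        if dn is None:
            return True  # anonymous bind (step 2 without a service account)
        entry = self.entries.get(dn)
        return entry is not None and entry["password"] == password

    def search(self, base_dn, ldap_filter):
        """Only the simple form (attribute=pattern) is modelled; returns matching DNs."""
        m = re.fullmatch(r"\((\w+)=(.*)\)", ldap_filter)
        if not m:
            return []
        attribute, regex = m.group(1), _pattern_to_regex(m.group(2))
        return [dn for dn, e in self.entries.items()
                if dn.endswith(base_dn) and regex.match(e["attrs"].get(attribute, ""))]


def authenticate(directory, base_dn, service_dn, service_pw, username, password):
    """Steps 2-5 of the answer. Returns the user's DN on success, otherwise None."""
    if not username or not password:
        return None  # never bind with an empty password: servers treat it as unauthenticated
    if not directory.bind(service_dn, service_pw):  # step 2
        return None
    ldap_filter = "(accountName=%s)" % escape_filter_value(username)  # step 3
    matches = directory.search(base_dn, ldap_filter)
    if len(matches) != 1:  # step 4: require exactly one record
        return None
    return matches[0] if directory.bind(matches[0], password) else None  # step 5


# Constructed sample data matching the question's tree under dc=dev,dc=com.
DIRECTORY = FakeDirectory({
    "cn=svc-auth,ou=Users,dc=dev,dc=com": {"attrs": {"accountName": "svc-auth"}, "password": "svc-secret"},
    "cn=User 1,ou=Users,dc=dev,dc=com": {"attrs": {"accountName": "user1"}, "password": "hunter2"},
    "cn=User 2,ou=Users,dc=dev,dc=com": {"attrs": {"accountName": "user2"}, "password": "letmein"},
})
```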
I want to show a table with permission flags, i.e. who is allowed to do what.
In my application I set all permissions in ACEs with UserSecurityIdentity/RoleSecurityIdentity and a valid mask. All values are as expected in my database, and I can check it for the logged-in user:
$securityContext->isGranted('EDIT', $model);
But how can I check if a different user or role has the permission EDIT on this object?