I try to use keycloak as the authentication service in my design. In my case, when the keycloak starts, I need one more realm besides default master realm. Assuming the new agency is called "demo".
So it means when keycloak starts, it should have two realms (master and demo).
In addtion, in the realm demo, I need to configure the default client "admin-cli" to enable "Full Scope Allowed". Also need to add some buildin mapper to this client.
In this case, I wonder whether I can use something like initialization file which keycloak can load when starting ?
Or I need to use keycloak client APIs to do this operations (e.g., Java keycloak admin client)?
Thanks in advance.
You can try the following:
Create the Realm;
Set all the options that you want;
Go to Manage > Export;
Switch Export groups and roles to ON;
Switch Export clients to ON;
Export.
That will export a .json file with the configurations.
Then you can tested it be deleting your Demo Realm and:
Go to Add Realm;
Chose the .json file that was exported;
Click Create.
Check if the configurations that you have changed are still presented on the Demo Realm, if there are then it means that you can use this file to import the Realm from. Otherwise, for the options that were not persistent you will have to create them via the Admin Rest API.
Related
I created a presto custom password authenticator plugin (internal) by making a copy of the LDAP plugin and modifying it. You can see that code here: https://github.com/prestodb/presto/tree/master/presto-password-authenticators/src/main/java/com/facebook/presto/password.
I created copies of the Authenticator, AuthenticatorFactory, and the config, and modified them to basically just take a user/password from the config and to only allow that user in. I also put the new class in the PasswordAuthenticatorPlugin registration code.
I can see the plugin loading when presto is started, but it doesn't appear to do anything despite no errors being present. What am I missing?
Note: I had already found a solution to this, I'm just recording it on SO as I originally came here and found no help.
To make a custom password plugin work, you actually need HTTPS enabled for communication with the coordinator. You can actually see this recommendation at the bottom of their documentation:
https://prestodb.github.io/docs/current/develop/password-authenticator.html
Additionally, the coordinator must be configured to use password authentication and have HTTPS enabled.
So, the steps to make it work are:
Make sure your main config.properties has "http-server.authentication.type=PASSWORD".
Make sure you add a password-authenticator.properties next to config properties with content like the sample in the link above. But make sure you use your string from your authenticator as the name, and that you add your configuration properties instead (user name and password).
Set up a JKS store or a real certificate (some instructions here from Presto for JKS: https://prestodb.github.io/docs/current/security/tls.html).
Add SSL config to your config.properties.
http-server.https.enabled=true
http-server.https.port=8443
http-server.https.keystore.path=/etc/presto-keystore/keystore.jks
http-server.https.keystore.key=password123
Set up your JDBC driver to use the same key store.
I wrote up a blog on it with a bit more detail as well if any of that doesn't make sense. But after doing all this, you should find that it does require a password and it does enforce your plugin.
https://coding-stream-of-consciousness.com/2019/06/18/presto-custom-password-authentication-plugin-internal/
I managed to gather data from single Tomcat instance to Telegraf as follows.
[[inputs.tomcat]]
## URL of the Tomcat server status
url = "http://127.0.0.1:19090/manager/status/all?XML=true"
## HTTP Basic Auth Credentials
username = "admin"
password = "fD*(*DSS"
## Request timeout
# timeout = "5s"
## Optional SSL Config
# ssl_ca = "/etc/telegraf/ca.pem"
# ssl_cert = "/etc/telegraf/cert.pem"
# ssl_key = "/etc/telegraf/key.pem"
## Use SSL but skip chain & host verification
# insecure_skip_verify = false
Now, I want to monitor multiple Tomcat instances, but there does not seem to be an example of how to monitor multiple. Does anybody know?
The answer turned out to be very simple. Just declare the inputs.tomcat block multiple times as follows.
[[inputs.tomcat]]
## URL of the Tomcat server status
url = "http://127.0.0.1:19090/manager/status/all?XML=true"
## HTTP Basic Auth Credentials
username = "admin"
password = "fD*(*DSS"
[[inputs.tomcat]]
## URL of the Tomcat server status
url = "http://127.0.0.1:29090/manager/status/all?XML=true"
## HTTP Basic Auth Credentials
username = "admin"
password = "fD*(*DSS"
So as far as I recall there are couple of ways.
1) Easiest way is to create, use and try via using different configuration files where you may create tomcat1.conf place it under /etc/telegraf/telegraf.d/tomcat1.conf folder where you'd end up using the same plugin that you have mentioned above (inputs.tomcat) and similarly, create another configuration file for tomcat2.conf etc.. for all Tomcat instances. This way you may be able to monitor multiple Tomcat instances. See if that helps! Con of this approach is, you have to create N no. of tomcatXX.conf files under telegrad.d folder (Which can be easily fixed if you create these files on the fly while provisioning a machine using Ansible/similar tools - templating the file and iterating over the tomcatXX list).
2) Other way, which which may help as well using just one configuration file.
In one configuration file, use the following plugins together to capture what you are looking for. PS: If you use inputs.exec plugin, then the output you'll generate from your custom script (which you'll call in inputs.exec plugin) must generate the output in a known format (InfluxDB/Line Protocol) that Telegraf and InfluxDB can understand / store or you'll see some minor errors for which you can see few of my posts.
exec plugin: https://github.com/influxdata/telegraf/tree/master/plugins/inputs/exec
http_* plugin (especially http_response): https://github.com/influxdata/telegraf/tree/master/plugins/inputs/exec
filestat plugin: https://github.com/influxdata/telegraf/tree/master/plugins/inputs/filestat
logparser plugin: https://github.com/influxdata/telegraf/tree/master/plugins/inputs/logparser
procstat plugin: https://github.com/influxdata/telegraf/tree/master/plugins/inputs/procstat
Look at the plugin links mentioned above for what they do and how to set them up in Telegraf and that'd get you most of what you are looking at if you don't want to have multiple conf files for each Tomcat instance.
https://github.com/influxdata/telegraf/tree/master/plugins/inputs contains all input plugins (see if there are some that you may be interested in).
See if you can utilize how to use prefix property efficiently to distinguish between various metrics/events coming from using these plugin(s).
I have Asterisk server with Freeradius server on the same machine and trying to authenticate with Radius if a user can make a call or not but I am getting an error while calling that is:
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user
Failed to authenticate the user.
Is there something that I am missing in one of Radius files that I have to add?
The issue is that no module in the authorize section of your virtual server has taken responsibility for processing the request.
You should remove the contents of the authorize section, and list the following modules:
authorize {
pap
chap
mschap
digest
eap
}
You should then run the server in debug mode radiusd -X to see which module is taking responsibility for the request (you'll see one returns ok or updated where the others return noop). We'll call this the auth module
Once you've figured out which module will take responsibility for the request you'll need to provide a suitably hashed password.
Here are the password hashes that will work with the different modules.
pap - any
chap - Cleartext-Password, CHAP-Password
mschap - Cleartext-Password, NT-Password
digest - Cleartext-Password, Digest-HA1
eap - Depends on inner method (respond to this answer and I can give further guidance).
For testing you can put the password in a flat file local to the server. The module which deals with these flat files is the files module.
To add entries to the users file, first truncate /etc/raddb/users (alter for your installation).
Then add the following entry to the top:
<username> <password attr> := <password>
With values in <> replaced with the real values.
Remove the unused modules in authorize, and add the files module at the top.
authorize {
files
<auth module>
}
Then remove all the modules from authenticate and add the <auth module>
authenticate {
<auth module>
}
That should give you up and running. If no modules take responsibility for the request, please post the list of attributes in the request from the top of the debug output, and i'll help you identify it.
You need configure your radius to add missing headers
You can enabled full debug on radius server, it will show you all packets radius server get.
Freeradius allow add any header into packet on any stage, see doc.
Hi I'm running into an issue where Symfony2 doesn't recognize the load balancer headers from Amazon AWS, which are need to determine if a request is SSL or not using the requires_channel: https security configuration.
By default Symfony2 $request->isSecure() looks for "X_FORWARDED_PROTO" but there's apparently no standard for this, and Amazon AWS load balancers use "HTTP_X_FORWARDED_PROTO".
I see the cookbook article for setting trusted proxies in config, but that's geared around whitelisting specific IP addresses and won't work with AWS, which generates dynamic IPs. Another feature, setting the framework config to include trust_proxy_headers: true is deprecated. This breaks my app by forcing endless redirects on the pages that require SSL-only.
You can now change the headers using setTrustedHeaderName(). This method allows you to change the four headers used throughout the file.
const HEADER_CLIENT_IP = 'client_ip'; // defaults 'X_FORWARDED_FOR'
const HEADER_CLIENT_HOST = 'client_host'; // defaults 'X_FORWARDED_HOST'
const HEADER_CLIENT_PROTO = 'client_proto'; // defaults 'X_FORWARDED_PROTO'
const HEADER_CLIENT_PORT = 'client_port'; // defaults 'X_FORWARDED_PORT'
The above, taken from the Request class indicate the keys available for use with the aforementioned method.
// $request is instance of HttpFoundation\Request;
$request->setTrustedHeaderName('client_proto', 'HTTP_X_FORWARDED_PROTO');
That said, at the time of writing, using "symfony/http-foundation": "2.5.*" the below code correctly determines whether or not the request is secure whilst behind an AWS Load Balancer.
// All IPs (*)
// $proxies = [$request->getClientIp()];
// Array of CIDR pools from load balancer
// EC2 -> Network & Security -> Load Balancers
// -> X -> Instances (tab) -> Availability Zones
// -> Subnet (column)
$proxies = ['172.x.x.0/20'];
$request->setTrustedProxies($proxies);
var_dump($request->isSecure()); // bool(true)
You're right the X_FORWARDED_PROTO header is hardcoded into HttpFoundation\Request while - as far as i know - overriding the request class in symfony is currently not possible.
There has been a discussion/RFC about this topic here and there is an open pull-request that solves this issue using a RequestFactory.
I'm trying to use socket.io in my spotify app and the get request for [domain]/socket.io/socket.io.js keeps getting canceled. I've added the domain to the manifest and everything.
Thanks!
Try restarting Spotify. Your app's manifest.json file is loaded when you first view your app, and cached until you quit, even if you modify it.
Note: How external resource permissions work
In order to request external resources, your application needs to specify each domain it plans to connect to in its manifest.json file.
Add a line like this:
{
// ...
"RequiredPermissions": [ "http://*.spotify.com", "http://spotify.com", "http://test.example.com" ]
// ...
}
For the full details check out the Permissions section of the Spotify Apps API Guide.
I can add that when you use socket.io it will try to initialize Flash to check if flash is available so if you find a white box in Spotify (only in Windows), remove the swbobjects initialization in the socket.io.js on the node server.