Apache Airflow: User creation, access and permissions on DAG - airflow

I am using airflow (1.8.0) and using web UI I can create a user but it doesn't allow me to set a password. But is it possible via command line to
create new user with password
assign role/permissions to a user
how to limit and manage access of user/group so that they cannot change or trigger someone else's DAG
I have seen apache-airflow (1.10.0) which does have cli feature to create a user with password (https://airflow.apache.org/cli.html#create_user), but cannot see anything around setting access level and permissions.

Airflow 1.8.0 doesn't support CLI password creation.
You can create user and set a password as it is described here.
Airflow 1.10.0 doesn't allow to manage permissions for a given user, future releases should have this feature.

Related

How to change the password for phpmyadmin

Recently I installed the Bitnami Wordpress canned deployment on Google Cloud Platform.
I can view the phpMyAdmin instance at a local address (http://127.0.0.1:8888/phpmyadmin/) but I cannot determine the username and password to log into the database cluster. I have tried the username specified in Deployment Manager, but the temporary password is not working. When I attempt to login, I receive the following error:
mysqli_real_connect(): (HY000/1045): Access denied for user 'user'#'localhost' (using password: YES)
I have tried to use various common passwords, such as root/root, with no success. If we assume the password is lost, how I can I figure out the password, recover it, or change it by using an SSH shell to the hosting compute instance?
Resetting password by supporting team if possible try
This issue seems related to phpmyadmin. I found this similar post where they stated:
This is asking for your MySQL username and password.
You should enter these details, which will default to "root" and ""
(i.e.: nothing) if you've not specified a password.
UPDATE
Have you tried to create a new user or change the password? Check this guide on how to do it.
Bitnami Engineer here,
As our guide mentions, once you create the SSH tunnel to access phpMyAdmin, you need to use the user 'root' and the password we configure at boot time (it's the same password we configure in the application). More information in our documentation
https://docs.bitnami.com/google/components/phpmyadmin/
Oh it's opened now, the user was (root) which it's not mentioned anywhere when i created the instance, the password is the one which generated by Bitnami when the instance is created on the bitnami platform lunchpad website.
the password is used for 2 users :
username: user
username : root (hidden) for new users who are decided to try cloud servers is not easy to figure this username and which password must use.
thanks for trying to help.

Account Locked in API Manager Store & Publisher 2.1.0

Is there a way to lock a user's account after a certain number of failed login attempts to the API Store and API Publisher? I already check at FAQ API Manager, but then the documentation redirect to Identity Server files.
Its there any method on how to solve this issues?
Thank You.
You can change the following properties in APIM_HOME/repository/conf/identity/identity-mgt.properties file.
Authentication.Policy.Account.Lock.On.Failure.Max.Attempts
Authentication.Policy.Password.Expire.Time=0
# If account verification is not enabled, following property will decide where user must be lock or not after user is created
Authentication.Policy.Account.Lock.On.Creation=false
Authentication.Policy.Account.Lock.Time=0
Authentication.Policy.Account.Lock.On.Failure=false
Authentication.Policy.Account.Lock.On.Failure.Max.Attempts=0
You should first install following Identity Feature in WSO2 API Manager.
Account Recovery and Credential Management
version : 5.7.5
Then you will get the identity-mgt.properties file in your /repository/conf/identity directory.
By changing the following property value to the preferred number you can achive the account locking after several attempts.
Authentication.Policy.Account.Lock.On.Failure.Max.Attempts=0
Note :
To install the above feature,
Login to Management Console of API Manager 2.1.0 (httpso://localhost:9443/carbon)
Go to Configure > Features > Repository Management and add the following repository.
http://product-dist.wso2.com/p2/carbon/releases/wilkes/
Then search for "Account Recovery and Credential Management Feature".
Select and install the version 5.7.5 as below.
Restart the Server.

Alfresco : ldap sync after user login authentication

After referring so many forums, I am able to authenticate and sync active directory users to alfresco. The problem is we have more than 25,000 users and rite now we are planning to open alfresco only for selected users. Whenever someone search people they will be finding all the 25,000 users who are not even using alfresco. My It team is not willing to create seperate group for these selected members. Is it possible to sync only users who are logged in.
I am using alfresco 4.2e Binary Installation. Windows 7 64 bit.
The most easiest way would be to distinct users to sync via LDAP query.
You could find this link useful.
This scenario should do it:
enable ldap authentication
configure the authenication chain to include Alfresco and LDAP. This will ensure to try to authenticat against both systems. e.g.
authentication.chain=alfrescoNtlm1:alfrescoNtlm,ldap-ad1:ldap-ad
disable sync
# This flag enables use of this LDAP subsystem for user and group
# synchronization. It may be that this subsytem should only be used for
# authentication, in which case this flag should be set to false.
ldap.synchronization.active=false
If you start Alfresco the very first time there is no user in Alfresco. Depending on your strategy how to control the user creatioin you could ether:
create user manual
If you're running on linux the easiest way would be to use the alfresco-shell-tools otherwise you could use the csv-import feature in the user admin. The trick is to use the same username so Alfresco will try to authenticat against both systems before it fails.
create user on first login
Another way is to enable implicit user creation on first login. This isn't my recommendation since you will get trouble later because the user has no email address configured / no user info is synced. (This way is not tested - if this doesn't work you may define a sync query which doesn't return users to enable sync)
synchronization.autoCreatePeopleOnLogin=true
you will get the auto-creation of people who were successfully authenticated but weren't brought in by the sync
you need to add/change this line also on ldap-authentication.properties :
ldap.authentication.active=true
ldap.synchronization.active=false
ldap.synchronization.autoCreatePeopleOnLogin=false
synchronization.syncOnStartup=false
synchronization.syncWhenMissingPeopleLogIn=false
and add on alfresco-global.properties :
create.missing.people=false

Switching to root user in unix

To switch to an admin user(root) in unix I use :
sudo su -
so now I'm an admin user with admin privilages. To achieve same in windows I would need to login with an admin password before becomming an admin.
Why is this different in unix ? I'm a unix newbie so maybe there is something more going on that I am not aware of ?
I will use admin and root interchangeable for explaining the following:
When you use sudo su, you are basically saying "use my permission in the sudoers file and log me in to the root user."
When you use sudo, you are basically saying "use my permission for current user (who is in sudoers file) and execute the following command which comes after sudo."
Sudoers file is a file that defines the permission for various users in UNIX and Linux and whether or not they can run commands as sudo (super user do).
When you use su, you are saying "start a new session and log me in as root directly, without checking sudoers files, and I will provide the credentials (password)."
The difference in UNIX is the management of the admin account. Root exists for the entire system. All users are allowed to log into root if they provide the correct credentials. For all accounts, any user can run things as though the user is root (su) by adding the particular user account to the sudoers file. This means that any user account can execute sudo commands as if it was an admin account by only providing the user's password. And the user does not have to know the root password. It basically says: "I know what I am doing, let me do it." And it means that a user can execute as both a regular user and admin in one session, without having to log in and log out of accounts.
While in Windows, the admin management is handled differently. A sudoer file does not exist in Windows. A user is either administrator or not. However, if the user is administrator, he can still run things as a normal user without going to OS permissions right-clicking an doing Run as administrator. Also, there is no overall root account for Windows unless it was set by whoever set up the system.
The way admin privileges are managed is different, nothing else.
Hmm... I'm not sure I'm understanding your question, but here is my answer:
When you write sudo su - (or sudo -s), you'll be asked your current user password. If that user doesn't have the privileges to perform sudo tasks, you won't be able to do that.
You're saying:
...I would need to login with an admin password before becomming an admin.
As I said, your user is kind of an admin one, because someone gave you that privilege (either by adding you to the sudoers file, adding you to the adm group, etc).
if you want to be root on unix and have the root password you can do
su - which is the same as su - root.
Back in the day you had the option to login as root aka admin but that has gone away due to security reasons. Now you are required to login as yourself and then become root.
In the windows world this is the same as logging in as a non-privledged user and running a program as administrator. When you do this in windows you will also be prompted for the admin password. Basicly the same thing in unix.
The reason for the sudo is because most places dont want a user to have the root password.
sudo su - will prompt you for your personal unix password not root's. And then check the sudoconfig to make sure you are allowed to run that command.
sudo also has the abilty to give a user very restricted access. It can be set up so only certain users or groups can run specfic commands as root or other users.
In addtional to making sure you are allowed to run the command it will also keep a log as to who ran what. Or if someone is trying to become root who is not allowed.

Swift user's authorization

everyone. I installed Swift 1.7.4 , and I want to add a new user to Swift, How could I do it? I find that in 1.4.8 version, somebody had said that I should install the swauth first and I notice that the Swift api also said that choose one authrize way, so I must install a authorization service first? I also find that there is a tempauth middleware in the proxy-server.conf file, could I use this to add user and how?
Yes. You can choose from swauth or tempauth. The most difference of these two auth systems is where they store user information.
Swauth stores user/password information in swift cluster itself. It uses a special container and store every user's information in it. Swauth provides a set of commands for user management such as swauth-add-user, swauth-prep, etc.
In tempauth, it stores user information in proxy-server.conf, so it is very easy to use.
In your proxy-server.conf, enable tempauth in pipeline and put user information in tempauth section. For example,
[pipeline:main]
pipeline = healthcheck cache tempauth proxy-server
[filter:tempauth]
use = egg:swift#tempauth
user_admin_admin = admin .admin
user_hi_hihi = testing
Then you will have two users. One is admin:admin whose password is admin. The other is hi:hihi whose password is testing.

Resources