Configure MongoDB 3 user roles in SaltStack SLS - salt-stack

Is there a way to configure user roles with SaltStack for MongoDB 3? I see that the mongodb module has relevant role management functions, but the mongodb_user state does not refer to roles anywhere.

Yes, there certainly is!
You'll want to use the Mongodb module, and execute it from a state using module.run.
So, for example, if you want to manage the roles of a user 'TestUser', you'd create 'manage_mongo_roles.sls', and it will contain states like the following:
manage_mongo_roles:
  module.run:
    - name: mongodb.user_grant_roles
    - m_name: TestUser
    - roles: ["admin"]
    - database: admin
    - user: admin
    - password: ''
    - host: localhost
    - port: 27017
The 'name' parameter for the module MUST be prefaced with m_, so that the state knows to pass this to the module and not use it as the name of the module to be executed.
Also note that the role MUST be of the format
["role"]
The documentation indicates that, if run from the salt CLI it should be contained in single quotes, like so:
'["role"]'
but doing so in the module.run state WILL cause it to fail, and return with a less than descriptive error message.
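The same module.run mechanism with the admin credentials taken from pillar instead of being written into the state file, as an added example (this is not the answer's own SLS). The pillar keys mongodb:admin_user and mongodb:admin_password, the target database appdb, and the authdb argument (present in the mongodb execution module of recent Salt releases) are assumptions of this example.

```yaml
# manage_mongo_roles.sls (added example, not from the original answer)
# Assumed pillar data, constructed for this example:
#   mongodb:
#     admin_user: admin
#     admin_password: <secret>
mongo_testuser_roles:
  module.run:
    - name: mongodb.user_grant_roles
    # m_name is forwarded to the module as its own "name" argument
    - m_name: TestUser
    # roles must be a YAML list, not a quoted string
    - roles: ["readWrite", "dbAdmin"]
    # database the roles are granted on (assumed name)
    - database: appdb
    # admin credentials come from pillar, so the SLS holds no password
    - user: {{ salt['pillar.get']('mongodb:admin_user', 'admin') }}
    - password: '{{ salt['pillar.get']('mongodb:admin_password') }}'
    - host: localhost
    - port: 27017
    # database the admin user authenticates against (authdb argument assumed
    # to exist in your Salt version of the mongodb module)
    - authdb: admin
```

Keep the pillar file that holds mongodb:admin_password restricted to the minions that need it; module.run re-executes on every highstate, so grantRolesToUser is simply re-applied each run.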

Related

Monolog Elasticsearch configuration in Symfony

I tried to configure Elasticsearch for monolog as mentioned here but the problem is that I don't find any way to pass my username and password for Elasticsearch since the ElasticsearchLogstashHandler service only takes an endpoint as input.
Here's the service that I created:
elasticsearch_logstash_handler:
    class: Symfony\Bridge\Monolog\Handler\ElasticsearchLogstashHandler
    arguments: [ '%ELASTIC_SEARCH_ENDPOINT%' ]
I tried to put username and password in the URL (username:password@url) but since the password contains special characters it doesn't work this way.
Thank you for sharing your ideas.
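One way to keep the credentials out of the endpoint URL, given here as an added example rather than something from the original question: define a scoped Symfony HttpClient that carries HTTP basic authentication and pass it to the handler, so the password is never URL-encoded or printed as part of the endpoint string in logs or exceptions. This assumes a Symfony version whose ElasticsearchLogstashHandler constructor accepts an HttpClientInterface as its third ($client) argument; the environment variable names ELASTIC_USER and ELASTIC_PASSWORD are my own.

```yaml
# config/packages/framework.yaml (added example, not from the question)
framework:
    http_client:
        scoped_clients:
            # auth_basic takes "user:password" verbatim, so special characters
            # in the password need no URL encoding
            elasticsearch.client:
                base_uri: '%env(ELASTIC_SEARCH_ENDPOINT)%'
                auth_basic: '%env(ELASTIC_USER)%:%env(ELASTIC_PASSWORD)%'

# config/services.yaml (added example)
services:
    elasticsearch_logstash_handler:
        class: Symfony\Bridge\Monolog\Handler\ElasticsearchLogstashHandler
        arguments:
            $endpoint: '%env(ELASTIC_SEARCH_ENDPOINT)%'
            $index: 'monolog'
            # the pre-authenticated scoped client from above
            $client: '@elasticsearch.client'
```

The credentials then live only in the environment (or in Symfony's secrets vault) and the endpoint parameter stays a plain URL.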

Basic Auth with Remote URL option

I am using Remote URL option which reaches out to remote web server to retrieve needed data. Simply using this,
https://rundeck:test@myserver.com works. However, I would like to pass the password in secure way so...
Option 1 uses 'Secure pass input' and pass is retrieved from key storage, however the password is then not added to the remote URL in
Option 2, which uses Remote URL, https://rundeck:${option.password.value}@myserver.com. My remote server receives the password as ${option.password.value} and not the actual password value retrieved in Option 1. I understand that Secure Remote Authentication can't be used in Options, however I don't believe I have seen restrictions on what I want to do with Secure Password input in Rundeck's docs.
Lastly, typing in the password in the Secure Password input option does add the password to the mentioned URL above. I have tested and verified that the ${option.password.value} value can be passed in a job's step, that part works. However, it does not appear to work in cascading options.
Currently, secure options values are not expanded as a part of remote options, you can suggest it here (similar to this). Alternatively, you can create a specific custom plugin for that.
Another approach is to design a workflow that uses the HTTP Workflow Step Plugin (passing your secure password as a part of the authentication in the URL) to access the web service + JQ Filter to generate the desired data, then in another step you can get that data using data variables.
Like this:
- defaultTab: nodes
  description: ''
  executionEnabled: true
  id: 7f34f7ff-c4a3-4616-a2aa-0df491450366
  loglevel: INFO
  name: HTTP
  nodeFilterEditable: false
  options:
  - name: mypass
    secure: true
    storagePath: keys/password
    valueExposed: true
  plugins:
    ExecutionLifecycle: null
  scheduleEnabled: true
  sequence:
    commands:
    - configuration:
        authentication: None
        checkResponseCode: 'false'
        method: GET
        printResponse: 'true'
        printResponseToFile: 'false'
        proxySettings: 'false'
        remoteUrl: https://user:${option.mypass}@myserver.com
        sslVerify: 'true'
        timeout: '30000'
      nodeStep: false
      plugins:
        LogFilter:
        - config:
            filter: .
            logData: 'true'
            prefix: result
          type: json-mapper
      type: edu.ohio.ais.rundeck.HttpWorkflowStepPlugin
    - exec: echo "name 2 is ${data.Name2}"
    keepgoing: false
    strategy: node-first
  uuid: 7f34f7ff-c4a3-4616-a2aa-0df491450366

DynamoDB, can't save encrypted data, "not authorized to perform: kms:GenerateDataKey on resource"

I'm trying to save encrypted data to DynamoDB with the help of the "Amazon DynamoDB Encryption Client for Java".
I also use the Serverless framework to deploy my application (some Lambda functions using DynamoDB). The AWS Lambda functions are written in Kotlin.
I have this in my serverless.yml in the iamRoleStatements section (under the provider section):
- Effect: "Allow"
  Action:
    - "kms:GenerateDataKey"
  Resource: "*"
I thought that it should be enough but I'm getting this error when I'm trying to save encrypted data to DynamoDB:
com.amazonaws.services.kms.model.AWSKMSException: User: arn:aws:sts::120102300450:assumed-role/appname-username-eu-west-1-lambdaRole/appname-username-functionname is not authorized to perform: kms:GenerateDataKey on resource: arn:aws:kms:eu-west-1:120102300450:key/12d3f45c-6fff-0007-b123-5bfe5678e012 (Service: AWSKMS; Status Code: 400; Error Code: AccessDeniedException; Request ID: ...)
(the alphanumeric IDs are obfuscated here to not disclose real data)
I also tried to add several other KMS permissions but it didn't help:
- Effect: "Allow"
  Action:
    - "kms:GenerateDataKey"
    - "kms:GenerateDataKeyWithoutPlaintext"
    - "kms:CreateAlias"
    - "kms:CreateKey"
    - "kms:Decrypt"
    - "kms:Encrypt"
    - "kms:EnableKey"
    - "kms:UpdateAlias"
  Resource: "*"
So, the whole purpose of the "Amazon DynamoDB Encryption Client for Java" cannot be achieved in this case.
What is missing here?
I've found what the problem was. I used the default KMS key, and I had to use a custom key. Then it worked.
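A serverless.yml fragment that creates the customer-managed key alongside the functions and grants the Lambda role access to that one key only, rather than to Resource "*", as an added example (not the asker's file). The resource name DynamoDbEncryptionKey, the environment variable DDB_ENCRYPTION_KEY_ARN and the runtime value are assumptions of this example.

```yaml
# serverless.yml (added example, not the question's own file)
provider:
  name: aws
  runtime: java11            # assumed; use the runtime your Kotlin build targets
  iamRoleStatements:
    # Least privilege: only the actions the encryption client needs, and only
    # on the key defined below (not "*")
    - Effect: Allow
      Action:
        - kms:GenerateDataKey
        - kms:Decrypt
      Resource:
        - Fn::GetAtt: [DynamoDbEncryptionKey, Arn]
  environment:
    # The function reads this to select the key (variable name is my own)
    DDB_ENCRYPTION_KEY_ARN:
      Fn::GetAtt: [DynamoDbEncryptionKey, Arn]

resources:
  Resources:
    DynamoDbEncryptionKey:
      Type: AWS::KMS::Key
      Properties:
        Description: Customer-managed key for the DynamoDB Encryption Client
        EnableKeyRotation: true
        KeyPolicy:
          Version: '2012-10-17'
          Statement:
            # This root statement is what lets IAM policies in the account
            # (such as the Lambda role above) be granted access to the key;
            # the AWS-managed default key's policy is not under your control,
            # which is why the role policy alone was not enough
            - Sid: EnableIamPoliciesForThisAccount
              Effect: Allow
              Principal:
                AWS:
                  Fn::Join:
                    - ''
                    - - 'arn:aws:iam::'
                      - Ref: AWS::AccountId
                      - ':root'
              Action: kms:*
              Resource: '*'
```

In the Kotlin code the key ARN from DDB_ENCRYPTION_KEY_ARN is what you hand to the encryption client's DirectKmsMaterialProvider; the GenerateDataKey call then targets a key whose policy you own.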

RESTFul OAuth with FOSOAuthServer / FOSRest & FOSUser

I'm having difficulty fully understanding the concept of the client creation explained here.
I followed the post to set up the OAuthBundle, and tried to make the changes needed to comply with FOSUser. Though I'm not sure it's perfect.
My situation
My website is a RESTful API, which returns JSON or XML only. My frontend will be in AngularJS.
I combined FOSUser, FOSRest and FOSOAuth, it's possible I'm having errors in the configuration.
The Problem
I finished setting up the first part of the article up to the doctrine:schema:update command. Now I'm supposed to create a client.
How can I set the security for parts of ^/api for different ROLES?
example:
Anonymous users can access POST /api/users but not GET /api/users.
Only users with ROLE_ADMIN can access DELETE /api/users/{id}
For testing I'm using Postman (that support OAuth1 & 2, along with other means of auth).
Using expressions in security.yml
In order to secure certain routes by a conditional combination of (request)-method AND (user)-role ...
... you can make use of Expressions in your security.yml.
More information can be found in the documentation chapter Securing by an Expression.
Example
Only users with role ROLE_ADMIN shall be allowed to access /api/users/{id} using a DELETE request:
# app/config/security.yml
security:
    # ...
    access_control:
        - path: '^/api/users/\d+$'
          allow_if: "'DELETE' == request.getMethod() and has_role('ROLE_ADMIN')"
Regex explanation
^ begins with
\d+ one or more digits (= user id)
$ string end
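To cover all three of the cases from the question (anonymous POST allowed, anonymous GET refused, DELETE for admins only), the single rule above can be extended as follows. This is an added example, not part of the answer; it assumes the api firewall has anonymous access enabled (otherwise the firewall challenges the request before access_control is consulted) and that OAuth-authenticated API users satisfy IS_AUTHENTICATED_FULLY.

```yaml
# app/config/security.yml (added example, not from the original answer)
security:
    # ...
    access_control:
        # Rules are checked top to bottom and the first match wins, so the
        # most specific rules must come first.
        # Only ROLE_ADMIN may delete a single user.
        - { path: ^/api/users/\d+$, methods: [DELETE], roles: ROLE_ADMIN }
        # Anyone, including anonymous clients, may register.
        - { path: ^/api/users$, methods: [POST], roles: IS_AUTHENTICATED_ANONYMOUSLY }
        # Listing users requires an authenticated user.
        - { path: ^/api/users$, methods: [GET], roles: IS_AUTHENTICATED_FULLY }
        # Anything else under /api also requires authentication.
        - { path: ^/api, roles: IS_AUTHENTICATED_FULLY }
```

If the POST rule were placed after the GET rule, it would still work because the rules differ by method, but a catch-all such as ^/api placed first would shadow every rule below it, so keep the broad rule last.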

Can I define a new connection / Entity manager within a Bundle configuration?

I am trying to define a Bundle that helps to index some data (from an Entity) within a sqlite fts table, in order to do some full-text search.
I know I can define alternate connection and Entity Manager using the app config file (like shown in the cookbook), but I was wondering if it was possible to do so within the bundle configuration - by defining, for example, a service with the doctrine service injected, so that it can instantiate a new connection.
Sqlite is not mandatory, it can be any database type (supported by doctrine).
Thanks in advance for your help.
I would suggest looking at FOSUserBundle for how they handle multiple persistence layers (ORM, Couch, MongoDB). You would essentially be doing the same thing. It's just a matter of loading different configurations depending on the driver specified in app/config/config.yml.
As far as I know it is not possible. Also, database connections should be managed centrally in app/config.yml.
I would suggest defining the connection there and adding a configuration option to your bundle where you can specify which connection to use for the indexing stuff.
# app/config.yml
doctrine:
    dbal:
        default_connection: default
        connections:
            default:
                dbname: database
                host: localhost
                user: user
                password: secret
                driver: pdo_mysql
            my_data_index:
                dbname: database
                driver: pdo_sqlite

# configuration option of your bundle
acme_indexer:
    connection: my_data_index
Then in your bundle you can read this config option and obtain the connection/entity manager and inject it into your indexing service.
Edit:
You can for sure create a custom connection programmatically in your bundle:
$params = array(
    'driver' => 'pdo_sqlite',
    ....
);
$factory = $container->get('doctrine.dbal.connection_factory');
$connection = $factory->createConnection($params);
But as I said before, it is bad practice because you would evade the Symfony standard way of defining database connections.
