I need to implement a VM creation workflow in which an admin creates a VM for a user after verifying the user's request.
Currently, if the admin creates the VM, the admin is marked as the owner of this instance.
Can we either change the owner or add another owner to the instance?
Can the admin impersonate another user to create a VM?
An admin cannot impersonate another user. However, in practice this is not the problem you might think, because access to resources in OpenStack is controlled by projects (basically, groups) rather than by individual users.
You can add the admin user to other tenants, and then set OS_PROJECT_NAME (and/or OS_PROJECT_ID) in your environment to the appropriate project when creating resources (such as servers, networks, etc).
When you create a resource as a particular project, any member of that project will have access to that resource.
Note that in earlier versions of OpenStack, projects were referred to as tenants and the corresponding variables were OS_TENANT_NAME and OS_TENANT_ID.
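The workflow described in this answer, written out as an added example (this is not code from the original answer). It assumes the `openstack` CLI is installed with admin credentials already loaded, and that the project, flavor, image and network names are placeholders. Two details matter in practice: clear any stale OS_PROJECT_ID or legacy OS_TENANT_* variables before exporting OS_PROJECT_NAME, because a leftover value would otherwise scope the request to the wrong project, and after creation compare the server's project_id with the requester's project so the admin's own project never ends up owning the instance.

```shell
#!/bin/sh
# Added example, not part of the original answer. Assumes an admin-scoped
# openrc/clouds.yaml is already loaded; names below are placeholders.
set -eu

# Scope the CLI to the requester's project. Unsetting the ID and legacy
# tenant variables is deliberate: if one of them is still set it takes
# effect and the server silently lands in the wrong project.
scope_to_project() {
  local project="$1"
  unset OS_PROJECT_ID OS_TENANT_NAME OS_TENANT_ID || true
  export OS_PROJECT_NAME="$project"
}

# Post-creation check: the server's project_id must equal the project the
# request was approved for. Non-zero return lets the caller abort.
verify_owner() {
  local server_project_id="$1" expected_project_id="$2"
  [ -n "$server_project_id" ] && [ "$server_project_id" = "$expected_project_id" ]
}

main() {
  local project="$1" server="$2" expected actual
  # 1. Make the admin user a member of the requester's project. The default
  #    member role is "member" on current releases ("_member_" on old ones).
  openstack role add --project "$project" --user admin member
  # 2. Create the server while scoped to that project; every project member
  #    can then see and manage it.
  scope_to_project "$project"
  openstack server create --flavor m1.small --image cirros \
    --network private --wait "$server"
  # 3. Confirm the ownership actually landed on the requester's project.
  expected=$(openstack project show "$project" -f value -c id)
  actual=$(openstack server show "$server" -f value -c project_id)
  verify_owner "$actual" "$expected" || {
    echo "server $server is owned by $actual, expected $expected" >&2
    exit 1
  }
}

# Usage: ./create-for-user.sh <project-name> <server-name>
if [ $# -eq 2 ]; then
  main "$@"
fi
```

Run it once per approved request; the admin's own credentials stay in use, only the project scope changes, so no impersonation is needed.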
Should we create one user-assigned identity for all the services that a resource accesses, or one for each service the resource accesses?
Example: my web app needs access to an Event Hub, a Service Bus, a storage container, etc. Should I create three identities (user_assigned_eventhub, user_assigned_servicebus, user_Assigned_storage), one for each service, or create one (user_assigned_webApp) and access all services using this identity?
create one (user_assigned_webApp) and access all services using this identity
This is correct; you just need to create one user-assigned identity. Then, in your case, navigate to the web app in the portal -> Identity -> User assigned -> add it to your web app, and you can use this MSI (managed identity) to access the other resources. When using an MSI to access other resources, the MSI represents the client; the resource side does not need one, so you don't need to create an MSI for each of them.
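The same setup done with the Azure CLI, as an added example (not code from the original answer). It assumes a logged-in `az` session; the resource group, identity, app, namespace and storage names are placeholders. The point it adds to the answer is the least-privilege side of "one identity": a single identity still gets one narrowly scoped data-plane role per target resource (Event Hubs Data Sender on the namespace, Service Bus Data Sender on the namespace, Storage Blob Data Contributor on the container) rather than one broad role such as Contributor on the resource group. Setting DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not part of the original answer. Assumes a logged-in Azure
# CLI; all names and scopes below are placeholders.
set -eu

# Execute an az command, or print it when DRY_RUN=1.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then echo "$*"; else "$@"; fi
}

# One user-assigned identity for the web app.
create_identity() {
  local rg="$1" name="$2"
  run az identity create -g "$rg" -n "$name" -o none
}

# Attach that identity (by resource ID) to the web app; the app then obtains
# tokens for it from the IMDS endpoint without any stored secret.
attach_identity() {
  local rg="$1" app="$2" identity_resource_id="$3"
  run az webapp identity assign -g "$rg" -n "$app" \
    --identities "$identity_resource_id" -o none
}

# One role assignment per target resource, read as "role|scope" lines from
# stdin. --assignee-principal-type avoids the directory lookup that fails
# when the identity was created seconds earlier and has not replicated yet.
grant_least_privilege() {
  local principal_id="$1" role scope
  while IFS='|' read -r role scope; do
    [ -n "$role" ] || continue
    run az role assignment create --assignee-object-id "$principal_id" \
      --assignee-principal-type ServicePrincipal \
      --role "$role" --scope "$scope" -o none
  done
}

# Usage: ./one-identity.sh <resource-group> <webapp> <identity-name> <subscription-id>
if [ $# -eq 4 ]; then
  RG="$1"; APP="$2"; IDENTITY="$3"; SUB="$4"
  create_identity "$RG" "$IDENTITY"
  ID_RES=$(az identity show -g "$RG" -n "$IDENTITY" --query id -o tsv)
  PRINCIPAL=$(az identity show -g "$RG" -n "$IDENTITY" --query principalId -o tsv)
  attach_identity "$RG" "$APP" "$ID_RES"
  grant_least_privilege "$PRINCIPAL" <<EOF
Azure Event Hubs Data Sender|/subscriptions/$SUB/resourceGroups/$RG/providers/Microsoft.EventHub/namespaces/myhubns
Azure Service Bus Data Sender|/subscriptions/$SUB/resourceGroups/$RG/providers/Microsoft.ServiceBus/namespaces/mysbns
Storage Blob Data Contributor|/subscriptions/$SUB/resourceGroups/$RG/providers/Microsoft.Storage/storageAccounts/mystacct/blobServices/default/containers/mycontainer
EOF
fi
```

If a service later needs a different blast radius (for example, a role that can also delete blobs), change that one assignment; the identity and the app binding stay as they are.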
Background:
In my company, we have one Firebase project which is linked to our iOS application and an internal tool (purely for our own use, not for consumers). Since the database is shared by the website and the iOS app, all users who create an account in the iOS application automatically have access to our internal tool. I wish to allow only a handful of people, or one person, to have access to the internal tool.
Question:
Is there a way for me to give only certain users access to the internal tool (even if it involves manually giving them access from the Firebase console)?
Is there a way to make the user authentication check different for the internal tool?
Firebase Custom Claims let you specify custom access to database or tools.
You can assign an admin role to those users who should have access to the admin tool, and make sure they have this role in your app's routes (or route guard).
Is it possible to use IAM to manage user accounts for EC2-hosted Unix hosts by way of a PAM module, similarly to LDAP, NIS, etc.?
My goal is to have a means to centralize host authentication on our EC2 hosts without the overhead of setting up a single sign on solution.
AWS IAM is meant to handle access to AWS resources. You can create new users, but the basic authentication that EC2 instances get is via key pairs, which are not the same as IAM users.
You might be able to create a system of your own which manages IAM users and also generates a private and public key for them to be used inside the instances being created (maybe even re-using the keys you get when creating a new user in IAM).
All in all, it's not really meant to be used that way, as far as I understand.
Since you mentioned LDAP, you can use this project to sync an LDAP server with IAM: https://github.com/denismo/aws-iam-ldap-bridge
I am working on an intranet website using ASP.NET and was wondering what exactly I can gain by enabling roles when Windows authentication is enabled for my website. I can check whether users belong to groups with the User object, so why would I need to enable roles given that Windows authentication is enabled?
It is often the case that someone in the "Administrators" group in Active Directory is not an administrator of a specific system. The "Administrators" group on your Windows network will point to the network administrators, but what you really want is a different administrators group specific to your application. If you had a system that handled some numbers for the Finance department, you wouldn't want the network administrators to also be the administrators of the Finance system.
That's where the role manager comes in. The role manager allows you to continue to use Windows Authentication, but create your own roles, separate from your network, and assign a different set of users to that role. On your intranet for example, you might want managers to be able to edit pages, so you assign them to the "Page Editor" role.
My ASP.NET MVC 2 application runs under the built-in local NETWORK SERVICE account. I want to set up access permissions for a folder that resides on another computer in the same domain. I located the folder, right-clicked to open its Properties dialog, clicked the Security tab and pressed the Add button, which displayed the Add user form with the correct domain name in the location field. I referred to the account with the following syntax:
<domain name>\<server name>$
because I learned that the NETWORK SERVICE account uses the machine account when connecting to other computers in the domain.
However, the system couldn't find the account, so it refuses to add it. Without the domain name it adds a user, but that user seems to be a local user, not the web server's NETWORK SERVICE account. What am I doing wrong?
By the way, the above syntax worked when I created a login on the SQL Server, which is a different computer from the web server.
OK, I will answer my own question. The above syntax <domain name>\<server name>$ was correct. Just make sure to select the Computers checkbox under object types when adding user permissions.
I have been in this same situation before. I don't think I got it to work with the server's Network Service account, but this might be worth a try.
Figure out the account network service is using to access the network resource.
Configure windows auditing (on the server the folder is located) to log the failed security events of the folder.
or monitor the folder with something like filemon.exe
.. from here you can try to add the account to the security settings of the folder. (IIRC I didn't ever get this to work.)
Alternatively, you can ensure the action is performed under the context of a domain user, either by:
Impersonating the user in code and performing the action (my preference)
Setting the impersonation settings in web.config to a named user
Setting the application pool to run as a domain user.