Routing checking user role Symfony2 - symfony

I have two bundles and I want the routes from one of the bundles to be accessible only if the user has a defined role.
The logic of the router matcher should be:
If the user has the role:
| name | path | success |
|------------------|-------|---------|
| bundle_1_route_1 | / | false |
| bundle_1_route_2 | /test | true |
If the user doesn't have the role:
| name | path | success |
|------------------|-------|---------|
| bundle_1_route_1 | / | false |
| bundle_1_route_2 | /test | false |
| bundle_2_route_1 | /aaa | false |
| bundle_2_route_2 | /test | true |
The problem is that I can't do that using security because the paths are the same.
I tried with the @Security annotation: http://symfony.com/doc/current/bundles/SensioFrameworkExtraBundle/annotations/security.html
But I get an access denied on bundle_1_route_2 when the user has no role, and the other URLs are not checked.
I want to continue checking all the available URLs if the role does not match.
I found another solution, but it is not very clean, and it will create an error if the session does not exist:
```yaml
bundle_1:
    resource: "@Bundle1/Controller/"
    type: annotation
    prefix: /
    condition: "'ROLE_FILTER' in request.getSession().get('bundle1.user').getRoles()"
```
Is there a way to create completely custom conditions on routing?

Can't validate keystone endpoint when trying to define an OpenStack cloud for juju

I am trying to define an OpenStack cloud for juju. To do this, I have first deployed Devstack using the following configuration in the local.conf file:
```shell
$ cat local.conf | grep -v "#" | grep -v "^$"
[[local|localrc]]
ADMIN_PASSWORD=admin
DATABASE_PASSWORD=$ADMIN_PASSWORD
RABBIT_PASSWORD=$ADMIN_PASSWORD
SERVICE_PASSWORD=$ADMIN_PASSWORD
HOST_IP=172.29.21.181
FLOATING_RANGE=172.29.20.1/22
Q_FLOATING_ALLOCATION_POOL=start=172.29.21.182,end=172.29.21.184
PUBLIC_NETWORK_GATEWAY=172.29.21.181
ENABLED_SERVICES+=,tls-proxy
ENABLED_SERVICES+=,g-api,g-reg
LOGFILE=$DEST/logs/stack.sh.log
LOGDAYS=2
SWIFT_HASH=66a3d6b56c1f479c8b4e70ab5c2000f5
SWIFT_REPLICAS=1
SWIFT_DATA_DIR=$DEST/data
```
After a successful deployment, these are the endpoints:
```text
$ openstack endpoint list
+----------------------------------+-----------+--------------+----------------+---------+-----------+-------------------------------------------------+
| ID                               | Region    | Service Name | Service Type   | Enabled | Interface | URL                                             |
+----------------------------------+-----------+--------------+----------------+---------+-----------+-------------------------------------------------+
| 0b489b8a683d4be489448230437e39ca | RegionOne | cinder       | block-storage  | True    | public    | https://172.29.21.181/volume/v3/$(project_id)s  |
| 0b9e96cfe0b440b781171ac0b082de3a | RegionOne | keystone     | identity       | True    | admin     | https://172.29.21.181/identity                  |
| 29ce5b2061dd474492f3aebda164acd0 | RegionOne | cinderv2     | volumev2       | True    | public    | https://172.29.21.181/volume/v2/$(project_id)s  |
| 45e10e75eb6848f5a934674373962e11 | RegionOne | glance       | image          | True    | public    | https://172.29.21.181/image                     |
| 8c35460b8c0d4c21ac9b7dd27bc92c48 | RegionOne | keystone     | identity       | True    | public    | https://172.29.21.181/identity                  |
| af451150c3094497936fd6877380d877 | RegionOne | placement    | placement      | True    | public    | https://172.29.21.181/placement                 |
| b3907f627f684ada8526b89c2c9683f9 | RegionOne | neutron      | network        | True    | public    | https://172.29.21.181:9696/                     |
| c642b07700b54be39e1dd537e8c0f8be | RegionOne | nova         | compute        | True    | public    | https://172.29.21.181/compute/v2.1              |
| dbb94215bc89457383a390a0490a89f6 | RegionOne | nova_legacy  | compute_legacy | True    | public    | https://172.29.21.181/compute/v2/$(project_id)s |
| e1037ed336d541b080e365caa0020e78 | RegionOne | cinderv3     | volumev3       | True    | public    | https://172.29.21.181/volume/v3/$(project_id)s  |
+----------------------------------+-----------+--------------+----------------+---------+-----------+-------------------------------------------------+
```
But when I try to add the cloud to juju using the "juju add-cloud" command (I am following the indications of this link: https://juju.is/docs/olm/openstack) I get the following error:
```text
$ juju add-cloud openstack
This operation can be applied to both a copy on this client and to the one on a controller.
No current controller was detected and there are no registered controllers on this client: either bootstrap one or register one.
Cloud Types
  lxd
  maas
  manual
  openstack
  vsphere
Select cloud type: openstack
Enter the API endpoint url for the cloud [https://172.29.21.181/identity]: https://172.29.21.181/identity
Can't validate endpoint: No Openstack server running at https://172.29.21.181/identity
Enter the API endpoint url for the cloud [https://172.29.21.181/identity]: https://172.29.21.181/identity/v3
Can't validate endpoint: No Openstack server running at https://172.29.21.181/identity/v3
Enter the API endpoint url for the cloud [https://172.29.21.181/identity]: http://172.29.21.181/identity
Can't validate endpoint: No Openstack server running at http://172.29.21.181/identity
Enter the API endpoint url for the cloud [https://172.29.21.181/identity]: https://172.29.21.181:5000/v3
Can't validate endpoint: No Openstack server running at https://172.29.21.181:5000/v3
```
I can curl the URL:
```text
$ curl https://172.29.21.181/identity
{"versions": {"values": [{"id": "v3.14", "status": "stable", "updated": "2020-04-07T00:00:00Z", "links": [{"rel": "self", "href": "https://172.29.21.181/identity/v3/"}], "media-types": [{"base": "application/json", "type": "application/vnd.openstack.identity-v3+json"}]}]}}
```
And I can connect to the port where Keystone is listening:
```text
$ nc -vz 172.29.21.181 5000
Connection to 172.29.21.181 5000 port [tcp/*] succeeded!
```
I set no_proxy=127.0.0.1,localhost,172.29.21.181 and NO_PROXY=127.0.0.1,localhost,172.29.21.181 as environment variables, because while searching for solutions on the Internet I understood that this might solve my problem. But it didn't work.
Apart from this cloud I have another one deployed through OpenStack-Ansible. In that cloud I have not encountered this error; the only difference I see is that the URL is https://{HOST_IP}:5000/v3.
If anyone has any ideas it would be very helpful, thank you.
I have found a way to bypass this error, but I don't know exactly why it works. I have modified the OS_AUTH_URL environment variable to end in "/v3":
```shell
$ unset OS_AUTH_URL
$ export OS_AUTH_URL=https://172.29.21.181/identity/v3
```
Now, after using it as the suggested value when running "juju add-cloud", I don't get the error when running "juju bootstrap". I guess that when you enter the URL manually, juju checks its validity and fails for some reason in the code. Having skipped that check, I guess the "juju bootstrap" command directly uses the URL ending in "/v3", which is correct and works.
Now I get the following error:
```text
$ juju bootstrap openstack --verbose
Adding contents of "/opt/stack/.local/share/juju/ssh/juju_id_rsa.pub" to authorized-keys
Creating Juju controller "openstack-regionone" on openstack/RegionOne
Loading image metadata
ERROR failed to bootstrap model: no image metadata found
```
But I guess I just have to add Swift to my deployment and follow the instructions in this link: https://juju.is/docs/olm/cloud-image-metadata

docker - multiple projects on one Dockerfile and docker-compose.yml

I'm starting with Docker and in my opinion it is great! Now I'm looking for a solution for this organization.
Currently I have this structure:
```text
Applications
| +--app1
| | +--node_modules
| | +--package.json
| | +--...
| +--app2
| | +--node_modules
| | +--package.json
| | +--...
| ....
| docker-compose.app1.yml
| docker-compose.app2.yml
| ....
| Dockerfile                // my personalized image for all projects
```
But I want to reach this:
```text
Applications
| +--app1
| | +--node_modules          // empty in host
| | +--package.json
| | +--docker-compose.app1.yml  // override compose
| | +--...
| +--app2
| | +--node_modules          // empty in host
| | +--package.json
| | +--...
| ....
| +--node_modules            // global node_modules folder (linked to projects)
| docker-compose.yml         // principal compose
| Dockerfile                 // my personalized image for all projects
```
I'm also thinking about creating one global "server" and linking all projects on VHosts, but how would I get access to each project?
You are looking for docker-compose extends. That permits you to override previous configurations.
```yaml
web:
  extends:
    file: common-services.yml
    service: webapp
```
See the full documentation at: https://docs.docker.com/compose/extends/#extending-services

glance doesn't work due to authentication failure

I'm setting up OpenStack on some machines. I was following this guide http://docs.openstack.org/liberty/install-guide-ubuntu/ until I ran into this problem:
When verifying the Image service (Glance), I get the following error:
```shell
$ cat admin-openrc.sh
export OS_PROJECT_DOMAIN_ID=default
export OS_USER_DOMAIN_ID=default
export OS_PROJECT_NAME=admin
export OS_TENANT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=passw0rd
export OS_AUTH_URL=http://Renaissance:35357/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
$ source admin-openrc.sh
$ glance --debug image-create --name "cirros" \
> --file cirros-0.3.4-x86_64-disk.img \
> --disk-format qcow2 --container-format bare \
> --visibility public --progress
curl -g -i -X GET -H 'Accept-Encoding: gzip, deflate' -H 'Accept: */*' -H 'User-Agent: python-glanceclient' -H 'Connection: keep-alive' -H 'X-Auth-Token: {SHA1}7ce8d893ef6cdaca2ed5a876c8211a841455ba65' -H 'Content-Type: application/octet-stream' http://Renaissance:9292/v2/schemas/image
Request returned failure status 401.
Invalid OpenStack Identity credentials.
```
I get the same error using any other glance function (e.g. glance image-list).
I think my configuration is correct since I followed the guide.
Here are my OpenStack services, projects, users, roles and endpoints:
```text
+----------------------------------+----------+----------+
| ID                               | Name     | Type     |
+----------------------------------+----------+----------+
| bf585630a5cb475b9e883493de3813fa | glance   | image    |
| fc29e468dae849e6afb97ecc3bf487f6 | keystone | identity |
+----------------------------------+----------+----------+
+----------------------------------+----------+
| ID                               | Name     |
+----------------------------------+----------+
| 0bc473b2e77a4a9bb7871ed2afacb995 | admin    |
| dcaf480621164c409b6704c3f42e0869 | service  |
| e9f709d860fe46e2819b6bf1c78ccd0f | nonadmin |
+----------------------------------+----------+
+----------------------------------+----------+
| ID                               | Name     |
+----------------------------------+----------+
| 485374adcbe54ce5b9ef465b84aa2c9f | admin    |
| 7447f4cd56f64ccfb111cba74f9a4b92 | nonadmin |
| d9ffc32240d24328b10af8b2550ec414 | glance   |
+----------------------------------+----------+
+----------------------------------+-------+
| ID                               | Name  |
+----------------------------------+-------+
| 466fea231ef54d3ca4564fb42f51bb5c | admin |
| a36c726d27f04ebf92d336c3acfcd945 | user  |
+----------------------------------+-------+
+----------------------------------+-----------+--------------+--------------+---------+-----------+-------------------------------+
| ID                               | Region    | Service Name | Service Type | Enabled | Interface | URL                           |
+----------------------------------+-----------+--------------+--------------+---------+-----------+-------------------------------+
| 01f62a7b9f7f4fa782e8bc695e74afc1 | RegionOne | glance       | image        | True    | internal  | http://Renaissance:9292       |
| abb7e5052d8646428e82ef58ca21b376 | RegionOne | keystone     | identity     | True    | public    | http://Renaissance:5000/v2.0  |
| d5b3180255b44a0eafe0810a20e104bc | RegionOne | glance       | image        | True    | public    | http://Renaissance:9292       |
| e0392842c6f64ac389a5688bc2581192 | RegionOne | keystone     | identity     | True    | internal  | http://Renaissance:5000/v2.0  |
| e0eb3dd0ed774669bce9a74dd3831c05 | RegionOne | keystone     | identity     | True    | admin     | http://Renaissance:35357/v2.0 |
| ec855dca8f87454e997fd55c47f17703 | RegionOne | glance       | image        | True    | admin     | http://Renaissance:9292       |
+----------------------------------+-----------+--------------+--------------+---------+-----------+-------------------------------+
```
My auth configuration for glance (in glance-api.conf and glance-registry.conf) is listed below:
```ini
...
[keystone_authtoken]
# Complete public Identity API endpoint. (string value)
auth_uri = http://Renaissance:5000
auth_uri = http://Renaissance:35357
auth_plugin = password
project_domain_id = default
user_domain_id = default
project_name = service
username = glance
password = passw0rd
...
```
And I can get a token using the openstack client:
```text
$ openstack token issue
+------------+----------------------------------+
| Field      | Value                            |
+------------+----------------------------------+
| expires    | 2016-10-01T01:16:48.482839Z      |
| id         | 2a4e052a2c4140a28f550158d95ecd3b |
| project_id | 0bc473b2e77a4a9bb7871ed2afacb995 |
| user_id    | 485374adcbe54ce5b9ef465b84aa2c9f |
+------------+----------------------------------+
```
I'm guessing it's an API version problem, but I've been changing the version number in the URI and it didn't work. Any help is appreciated. Thanks!
In your glance configuration, the project name is service, but your env var project name is admin.
Solutions:
- ensure passw0rd is the real password for the glance:service account
- change the glance conf to use the admin project instead

Firebase security rules with external id

For some applications my team creates authenticated users with a password/email combination. This gets the user a Firebase user uid. The problem with this is that the keys in Firebase itself are external ids, and they do not match auth.uid. How would I go about creating security rules then?
Sample auth.uid:
```text
9dkad6c7-s649-9623-99e2-5a0dbgf5dfdz
```
Then a sample of the structure:
```text
database
|
+-- conversations
|   |
|   +-- {external id 1}
|       |
|       +-- {external id 2}
|           |
|           {data here}
|
+-- messages
|   |
|   +-- {externalid1|externalid2}
|       |
|       +-- {-KFasdahsduids}
|           |
|           {data here}
|
+-- users
    |
    +-- {externalId}
    |   |
    |   {first name}
    |   {last name}
    |   {firebaseUID}
    |   {more data here}
    |
    +-- {externalId2}
        |
        {first name}
        {lastname}
        {firebaseUID}
        {more data here}
```
The problem really is that auth.uid is not the same as the external ids, and we really need those external ids. Can I do something with the UID that is stored under /users/? Any suggestions?
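An added example of Realtime Database rules for the structure above; it is not from the original post and not a proposed answer from its participants. It assumes one extra node, /uidIndex/{firebaseUID} -> externalId, written by the backend when it creates the user, because rules cannot search /users for a matching firebaseUID; the /users and /conversations checks below need only the firebaseUID already stored under /users/{externalId}.

```json
{
  "rules": {
    // Assumed reverse index (not in the original post): /uidIndex/{firebaseUID} = externalId.
    // Only the owner may read their own entry; clients may never write it.
    "uidIndex": {
      "$uid": {
        ".read": "auth != null && auth.uid === $uid",
        ".write": "false"
      }
    },
    "users": {
      "$externalId": {
        // Authorise on the firebaseUID stored in the profile, not on the external key.
        // data.child(...) is the existing value, so a client cannot re-point the profile at itself.
        ".read": "auth != null && data.child('firebaseUID').val() === auth.uid",
        ".write": "auth != null && data.child('firebaseUID').val() === auth.uid",
        "firebaseUID": {
          // The link to the auth identity is fixed once written.
          ".validate": "!data.exists() || newData.val() === data.val()"
        }
      }
    },
    "conversations": {
      "$externalId": {
        // Look up the profile that owns this external id and compare its firebaseUID.
        ".read": "auth != null && root.child('users').child($externalId).child('firebaseUID').val() === auth.uid",
        ".write": "auth != null && root.child('users').child($externalId).child('firebaseUID').val() === auth.uid"
      }
    },
    "messages": {
      "$pair": {
        // The key is 'externalId1|externalId2'; the caller's own external id (from the
        // reverse index) must be exactly the first or the last component of the key.
        ".read": "auth != null && root.child('uidIndex').child(auth.uid).exists() && ($pair.beginsWith(root.child('uidIndex').child(auth.uid).val() + '|') || $pair.endsWith('|' + root.child('uidIndex').child(auth.uid).val()))",
        ".write": "auth != null && root.child('uidIndex').child(auth.uid).exists() && ($pair.beginsWith(root.child('uidIndex').child(auth.uid).val() + '|') || $pair.endsWith('|' + root.child('uidIndex').child(auth.uid).val()))"
      }
    }
  }
}
```

Creating a brand-new /users/{externalId} profile is deliberately not allowed from the client under these rules (data.child('firebaseUID') does not exist yet); the backend that issues the external id should write the profile and the /uidIndex entry with admin credentials.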

How do I get a list of bundles in symfony2/symfony3?

I've just started using Symfony and I'd like to get a list of bundles from a particular vendor, iterate through them and call a $bundle->renderSomething() function on each default controller.
Firstly, I need to get the list of bundles to iterate, or iterate through each object. Any ideas on the best way to do that?
The easiest way to do it in the console, and one that outputs the bundle names correctly, is:
Symfony 2:
```shell
php app/console config:dump-reference
```
Symfony 3:
```shell
php bin/console config:dump-reference
```
The key here is not to provide any options or arguments. In this case, the command simply outputs all available bundles:
```text
Available registered bundles with their extension alias if available:
+------------------------------------+-----------------------------------+
| Bundle name                        | Extension alias                   |
+------------------------------------+-----------------------------------+
| FrameworkBundle                    | framework                         |
| SecurityBundle                     | security                          |
| TwigBundle                         | twig                              |
| MonologBundle                      | monolog                           |
| SwiftmailerBundle                  | swiftmailer                       |
| DoctrineBundle                     | doctrine                          |
| AsseticBundle                      | assetic                           |
| GearmanBundle                      | gearman                           |
| SMMemcacheBundle                   | sm_memcache                       |
| PrestaSitemapBundle                | presta_sitemap                    |
| DoctrineCacheBundle                | doctrine_cache                    |
| CybernoxAmazonWebServicesBundle    | cybernox_amazon_web_services      |
| FOSFacebookBundle                  | fos_facebook                      |
| HWIOAuthBundle                     | hwi_oauth                         |
| FkrSimplePieBundle                 | fkr_simple_pie                    |
| RMSPushNotificationsBundle         | rms_push_notifications            |
| RobertoTruToInlineStyleEmailBundle | roberto_tru_to_inline_style_email |
| InsomniaMaxMindGeoIpBundle         | insomnia_max_mind_geo_ip          |
| EWZRecaptchaBundle                 | ewz_recaptcha                     |
| MopaBootstrapBundle                | mopa_bootstrap                    |
| JanThomas89MailSafeBundle          | jan_thomas89_mail_safe            |
| WebProfilerBundle                  | web_profiler                      |
| SensioDistributionBundle           | sensio_distribution               |
| SensioGeneratorBundle              |                                   |
+------------------------------------+-----------------------------------+
```
If you have the container object available, you can get an array of the enabled bundles with $this->container->getParameter('kernel.bundles');
You can define a static function in each bundle, e.g. YourBundle::yourStaticFunction();
Use $this->container->getParameter('kernel.bundles') to get the list of bundles. This only returns the bundle class names, not the Bundle objects. Go through each bundle and check whether the bundle has the function yourStaticFunction() (hint: use method_exists()). If the method exists, call ::yourStaticFunction();
In the console you can use php app/console container:debug --parameter=kernel.bundles
If you want to call a non-static method of a registered bundle object (not class), you can do the following:
```php
$kernel = $this->container->get('kernel');
$bundles = $kernel->getBundles();
$bundles['YourBundleName']->someMethod();
```
Where 'YourBundleName' is the name of your bundle, which you can get by calling from the console:
```shell
php app/console config:dump-reference
```
