I want to add "Resgister" for Openstack. So, I want to create user without keystone authentication. Could someone tell me how to do it ? Thank you so much!
If you backend keystone to LDAP you could use any LDAP management interface. Alternatively you can directly manipulate the mysql database. However in the mysql scenario you'd probably want to setup a binlog and follow what keystone does when you do a user create from keystone client then replicate those queries with dynamic data identified and filled.
Related
I'm trying to test if we could use MaxScale 2.4 to add multiple MySQL servers to an existing application and route the queries to the appropriate server using the schema name.
I have set skip_authentication=true to let the MySQL servers handle authentication.
We use vault to create temporary users. When I add a user to one of the servers using vault, I can connect to MaxScale using the mysql cli; but when I try to run a query, it fails because MaxScale is trying to authenticate the users in all servers and it only exists on one of them.
Is this the expected behaviour?
This is expected behavior in MaxScale 2.4 but was changed in 2.5 to allow authentication on only a subset of servers (MXS-760).
I have an application that runs in a Service Fabric(SF) cluster and I wan't to access Key Vault from it.
The cluster hosts a number of applications and I want to give access to a Key Vault for my application without giving access to the other applications. By default an application runs under the same user as the SF cluster, but each applicatiuon has it's own unique name, mine has the name fabric:/application1.
My question is, is it possible to create an Active Directory application account for fabric:/application1 and grant access to the key vault?
I know it is possible to use the RunAs options in the SF manifest, but that requires me storing an encrypted password in the manifest/source code and I want to try and avoid this if possible.
AFAIK,
The only way to have this flexibility is using ClientID & Secret or Service Principal certificates and each application manage their own credentials.
Service Principal Certificate is already integrated to AD, but does not require the application, the user or the Host to be part of the domain, the only requirement is setup an user on AD to grant the permissions on Keyvault.
There are other solutions using AD integration, like Managed identities for Azure resources(Former: Managed Service Identity) but I am not sure if you are able to restrict access per application like you described, because the MI add this as a service in the node, so technically other applicaitons would have access as well, worth a try to validate if you can restrict this.
If you want to try this approach, you can use with Microsoft.Azure.Services.AppAuthentication for implicit authentication of the services running in your cluster, where the nodes are setup with Managed Identities extension like described here.
Something link this:
When you use the Microsoft.Azure.Services.AppAuthentication, the Step 2 will be handled by the library and you won't have to add much changes to your key vault auth logic.
When you run your code on an Azure App Service or an Azure VM with a
managed identity enabled, the library automatically uses the managed
identity. No code changes are required.
The following docs describe other options you can use for KeyVault Authentication.
PS: I've done other KeyVault integrations using Client Secrets and Certificates and they are secure enough, With Certificates you can store it on the managed store or with the application, I would recommend MI only if is a requirement for your solution.
What is the login name and password for Cassandra cqlsh?
I do not see data in tables ep_profile, ep_user etc. under anonymous access.
Thanks.
In Sandbox there are not additional users created for Cassandra database. There is default user "cassandra".
You can see data using anonymous access.
By default as NoSQL DB in Sandbox used MongoDB. Check your NoSQL database configuration.
Configure if it wasn't set to use Cassandra, restart kaa-node service and connect some client to the Kaa.
I am trying to implement the a .Net Web mechanism that will hold user profile and other activities.
On success the user will be able to chat hence have to be registered under MongooseIM server with JID creation.
This have to be done by the Asp .Net server to generate a JID for the user and execute the action similar to $sudo bin/mongooseimctl register username hostname password.
The similar activity will be done in case the Remove account is called to by user and Asp .Net will talk to MIM to execute the $sudo bin/mongooseimctl unregister username hostname command.
Do we have any way to achieve this by following ways.
1) Curl command we tried but its in PHP , but need more guidance how to do this.
2) Is MongooseIM having any facility to expose outside any web service to execute the mongooseimctl commands.
Appreciate for any leads given.
2) Is MongooseIM having any facility to expose outside any web service to execute the mongooseimctl commands.
Yes, it has. Since version 2.0.0beta2 we provide a REST API for backend services. More info about it can be found in our documentation:
http://mongooseim.readthedocs.io/en/latest/http-api/http-administration-api-documentation/
http://mongooseim.readthedocs.io/en/latest/swagger/index.html
Is it possible to use IAM to manage user accounts for EC2-hosted unix hosts by way of a PAM module similarly to LDAP, NIS, etc...?
My goal is to have a means to centralize host authentication on our EC2 hosts without the overhead of setting up a single sign on solution.
AWS IAM is meant to handle access to AWS resources. You can create new users but the basic authentication which EC2 instances get is via key pairs, which are not the same as IAM users.
You might be able to create a system of your own which manages IAM users and also generates a private and public key for them to be used inside the instances being created (maybe even re-using the keys you get when creating a new user in IAM).
All in all its not really meant to be used that way, as far as I understand.
Since you mentioned LDAP, you can use this project:
https://github.com/denismo/aws-iam-ldap-bridge
to sync an LDAP server with IAM.