I have a scenario where i hope someone somewhere might have tried implementing it.
Apache Nifi integrated with LDAP.
I get logged in using userid created in LDAP.
my hdfs is integrated with LDAP.
how do you think can i impersonate my nifi logged in user to access HDFS data.
Reason for implementing this approach is.
1. I am trying to avoid using kerberos which i know is supported by apache nifi.
2. I want to keep centralized logging system so that i dont need to worry and maintain multiple such repo.
3. Why LDAP, as i am using LDAP client to manage users and roles.
4. I am already using LDAP to autheticate users to access hdfs data for someother apache application thus sticking to LDAP will let me avoiding making changes to those applications.
Your ideas and inputs are much appreciated.
Thank You.
The short answer is that you can't do this.
The longer answer... Processors don't execute as the web users that are logged in to NiFi. When a user is in the UI they change the state of a processor to "running", the processor then runs according to its run schedule. At the time it is executing there is no knowledge of the user that was in the UI that set it to "running". The only identity it runs as is the kerberos identity specified in the processor, or if that is not being used then it will end up being the operating system user that launched the NiFi process.
Related
i have a django webapp running at work. we have some REST APIs available which get accessed by our flow in unix. currently to avoid asking the users to enter their credentials, we store a service account name and credentials in a "secret" location on disk. my python code reads credentials from there to login and access the REST API running on our django app.
i am sure there is a better way to do this. is there a way to leverage that the user is logged into unix somehow to get authentication to work with the REST API? i heard kerberos might be useful here?
thanks for the help!
We have an application with a script that create a conceptual model and a login role in a PostgreSQL database.
This login role will be used by the application for everything, independent of the logged application user.
How can we protect this login role password inside the application code?
Consider using a yaml file to store your credentials or alternatively place them in a .pgpass file.
The main three authentication mechanisms you could use, roughly in order of popularity, are:
Password. Here you somehow load a password in your application, and use it whenever you connect to the database. One easy way to store the password is in a text file protected by filesystem permissions (similar to how you protect SSH private keys).
LDAP. This requires an LDAP server on your network, but that is commonplace in corporate environments. It also requires loading a password in your application. The difference from the regular password mechanism is that the database server doesn't store the credentials or verify the password directly--it delegates these to the LDAP server.
Kerberos. This requires a Kerberos server on your network. Here, the application does not need to load a password; instead the user (or service account) which will run the application must first authenticate using Kerberos (either by typing in a password to kinit, or loading a credential file).
Of these, my personal preference would be Kerberos if that service is supported on the network in question. Second best would be LDAP, because it allows centralized control over things like password changes and revocation. And third would be the regular password mechanism, which works in any environment.
Details on all of the available mechanisms are here: https://www.postgresql.org/docs/10/static/auth-methods.html
You cannot.
If the user has a direct access to the application (they can directly launch it) everything that is hardcoded in the application should be seen as accessible to the user. Whatever obfuscation you can use, a determinated attacker will be able to find it (through decompilers an debuggers).
If a break point exist, all is different:
front end application back end application
launched by user --/--> launched with a sytem user
local machine local or remote machine
This is typically the use case for web applications: the user has no access to the application code, and does not launch it, so the database password can lie in a configuration file - it will always be accessible to administrators. Even when all runs on the same machine, decent OS allows for access protection to prevent unprivileged users any access to the backend program. For that latter case, the front end and backend can communicate through sockets, named pipes, messages or almost any other IPC mechanism.
TL/DR: only secure way:
split the application into a front end running under user account with no knowledge of the database server, and a back end running under a system (non admin) user
ensure that normal users have no access to the backend application files
store the database password in a configuration file of the backend (never in a source file)
We have two WFE servers and Application server for the SharePoint. User profile service is configured and we want use it. But User Profile Synchronization Service stays on starting state and after a while stops, then it makes the forefront identity manager services disabled too.
I just checked the farm user account access and also configure the service again and again to fix this issue.
The stuck on starting issue can be a real pain to deal with. Spencer Harbar wrote an article a few years ago that I, unfortunately, have to refer to from time to time. It's very comprehensive and there are several things that could cause the problem but it usually comes down to incorrect permissions on either a windows service, a SharePoint service, a DB, or issues in forefront. Bookmark this one... it will be your friend :)
http://www.harbar.net/articles/sp2010ups2.aspx
Make sure that the farm account is added to the local administrator group during starting and provisioning User Profile Sync Service service.
For more details check
User Profile Synchronization Service Stuck on Starting
User Profile Synchronization Service Starting then Stopped in SharePoint
We have some security requirements from customer, so we need to configure/develop detailed audit logging which will log user actions done in Carbon Management console - i.e. datasource modification, service modification in WSO2 ESB.
Is there any way do this using included log4j?
We are using WSO2 Enterprise Service Bus 4.8.1 and WSO2 Application Server 5.2.1
WSO2 products has an audit log which can be found in the repository/logs folder. But the problem is, this audit log has very little audit information. Reason is as follows.
WSO2 products are built using a collection of reusable osgi componentns. For example, for data sources related operations we have one component and for proxy related operations we have another.
Now, the problem here is, these individual components has not put enough audit logs to cover the user operations. Therefore, your requirement seems to be difficult to achieve.
There are some extension points in WSO2 products where you can use to do your own tasks upon certain actions such as user login, user creation. For example, you can implement a certain interface and print whatever log you want upon a successful user login or a failed login attempt. But, those extension points are limited mostly to user management related operations.
All the HTTP communication done with the server is already logged in HTTP access logs in CARBON_HOME/repository/logs. You can use a log analyzer tool or even grep to capture any desired user action.
Ex: To get the log ins to datasources page use
cat http_access_2016-06-02.log | grep "GET /carbon/ndatasource/index.jsp"
My question may be too broad or vague, but I cannot best describe it in any other way than I am doing it.
I have multiple Django applications. I have implemented SSO successfully for the same. All this things work. Now, I have been given a new task and its like this.
I have to integrate Microsoft ADFS authentication into my suite of applications and broaden the scope of current SSO.
My understanding of it is as, when I log into my laptop which is on corporate network (I assume this is how I have to put it) I also get logged into my django applications
I seriously have no idea of how this work as I have no experience with ADFS. Can anyone with experience of this explain it with a scenario of how it works so that I can understand it and think of a solution to it.
PS: If there is any more information needed I will provide. Also, if downvoting the question do put a reason so that I can edit the question and post it as it should be.
if Django supports SAML based login, then you set it up to trust ADFS. ADFS will automatically take care of logging in using your logged in credentials to a domain joined machine inside the corporate network. If the user accessed externally, it would prompt for password or a certificate based auth (e.g. smartcard) to login the user.