I've just installed apache superset following instructions at https://superset.incubator.apache.org/installation.html. I then login to the web interface as admin. I also loaded sample data with 'superset load_examples'.
If i go to 'Sources > Tables' and click on any of the tables ('wb_health_population', for example) i get an error: 'This endpoint requires the datasource wb_health_population, database or all_datasource_access permission'.
I check permissions set for the admin role and existing permissions: 'all_datasource_access' is not enabled for the admin role, and does not exist in the list of existing permissions.
As i told, i just followed standard instalation instructions from superset's doc website. Any help on this? Thank you.
EDIT: Superset version is 0.20.6, python's 3.6.3.
Try running superset init - this should initialize permissions.
See https://superset.incubator.apache.org/installation.html#superset-installation-and-initialization
(code-wise, init calls security.sync_role_definitions() which itself calls create_custom_permissions() which creates the said permissions)
I would also try all_database_access permission.
Related
i installed superset in aws ec2 follwed this link https://superset.apache.org/docs/installation/installing-superset-from-scratch/ after 2 months the server was down and i restarted the machine but i am getting the error while login as admin it shows me Invalid login. Please try again.
i am using the same credentials and checked for typo also please help.
i need dashboards also and pleSe help with the backup of all those thanks.
i am using default db in .superset/superset.db i didt changed anything but creds was wrong
Reinitiliase the database to recreate the users table.
superset db upgrade
superset fab create-admin . # To create admin user.
superset init # Create default roles and permissions
Use this to resolve the problem
flask fab list-users ## To view all the users
flask fab reset-password ## To reset user password
There are steps provided under section "Initialize a local Superset Instance" in the following link
https://hub.docker.com/r/apache/superset
So here's my situation...I have two React apps that need to talk to the same Cognito User Pool. I've been able to accomplish this by copying the aws-exports.js file from the first app to the second app I created (not sure if this is something I should be doing or not but it is working). The issue I am having however is when I run an Admin Query on the second app (to say list users in the Cognito User Pool) I get a 403 (Forbidden) error. Has anyone ever run into this before? Googling all day has not helped me so I figured I would ask.
You'll need "multi-frontend" solution:
https://docs.amplify.aws/cli/teams/multi-frontend
I'll give you some useful infos for this:
Open the Amplify Console and there the "first" app (wheres the backend was created).
Go to the first app's "backend" section
Select "Backend environments" tab
Search for "Edit backend" box and this text: "To continue working on the backend, install the Amplify CLI and make updates by running the command below from the root of your project folder"
copy that command, and paste/run in second app's root.
Beware!
do not modify (and push) the backend from the second application.
if you use git branch based environment you must always switch the env AND the branch parallel. Do not pull the "master" backend for your "dev" env.
try to avoid modifing on amplify console if you modify things with amplify cli. Those things cannot be syncronized... :(
If you store multiple apps in a git monorepo:
https://docs.amplify.aws/cli/usage/monorepo
I'm trying to build a Dockerized CouchDB to run in AWS that bootstraps authentication for my app. I've got a Dockerfile that installs CouchDB 1.6.1 and sets up the rest of the environment the way I need it. However, before I put it on AWS and potentially expose it to the wild, I want to put some authentication in place. The docs show this:
http://docs.couchdb.org/en/1.6.1/api/server/authn.html
which hardly explains the configuration properly or what is required for basic security. I've spent the afternoon reading SO questions, docs and blogs, all about how to do it, but there's no consistent story and I can't tell if what worked in 2009 will works now, or which parts are obsolete. I see a bunch of possible settings in the current ini files, but they don't match what I'm seeing in my web searches. I'm about to start trying various random suggestions I've gleaned from various readings, but thought I would ask before doing trial and error work.
Since I want it to run in AWS I need it to be able to start up without manual modifications. I need my Dockerfile to do the configuration, so using Futon isn't going to cut it. If I need to I can add a script to run on start to handle what can't be done there.
I believe that I need to set up an admin user, then define a role for users, provide a validation function that checks for the proper role, then create users that have that role. Then I can use the cookie authentication (over SSL) to restrict access to my app that provides the correct login and handles the session/cookie.
It looks like some of it can be done in the Dockerfile. Do I need to configure authentication_handlers, and an admin user in the ini file? And I'm guessing that the operations that modify the database will need to be done by some runtime script. Has anyone done this, or seen some example of it being done?
UPDATE:
Based on Kxepal's suggestion I now have it working. My Dockerfile is derived from klaemo's docker-couchdb, as mentioned below. The solution is to force the database to require authentication, but a fresh install starts out as Admin-Party. To stop that you have to create an admin user, which secures the system data but leaves other databases open. First, create an admin user in your Dockerfile:
RUN sed -e '/^\[admins\]$/a admin=openpassword\n' -i /usr/local/etc/couchdb/local.ini
(just following klaemo's sed pattern of using -e) and when CouchDB runs it will salt and hash this password and replace it in the local.ini file. I extract that password and replaced "openpassword" with this so that my Dockerfile didn't have the password in plain text. CouchDB can tell by the form of it not to hash it again.
The normal pattern to now secure the other databases is to create users/roles and use them in a validation function to deny access to the other databases. Since I am only interested in getting a secure system in place for testing I opted to defer this and just use the settings in local.ini to force everyone to be authenticated.
The Dockerfile now needs to set the require_valid_user flag:
RUN sed -e '/^\[couch_httpd_auth\]$/a require_valid_user = true\n' -i /usr/local/etc/couchdb/local.ini
And that requires uncommenting the WWW-Authenticate setting:
RUN sed -e 's/^;WWW-Authenticate/WWW-Authenticate/' -i /usr/local/etc/couchdb/local.ini
Which, since the setting shows Basic realm="administrator" means that the NSURLProtectionSpace in my iOS app needs to use #"administrator" as the realm.
After this I now have a Dockerfile that creates a CouchDB server that does not allow anonymous modification or reading.
This hasn't solved all of my configuration issues since I need to populate a database, but since I use a python script to do that and since I can pass credentials when I run that, I have solved most problems.
To setup auth configuration during image build, you need to check not API, but configuration for server admins. TL;DR just put [admin] section into local.ini file with your username and password in plain text - on start, CouchDB will replace password with it hash and CouchDB wouldn't be in Admin Party state.
P.S. Did you check docker-couchdb project?
NOTE: Sitecore 6.6 Update 6 (rev. 20130529)
Hey folks, I'm trying to allow for certain users in a role to be able to access the admin tool for the Update Installation Wizard so that they can deploy .update packages to an environment.
However, short of giving these users full "is administrator" privileges, I can't seem to figure out which roles will give this access.
I've tried the following roles:
sitecore\Developer
sitecore\Sitecore Local Administrators
These pull in a variety of developing and maintaining roles and give most of the tools (including standard package installation). However, users with this access are still prompted for login when visiting the admin URL (/sitecore/admin/UpdateInstallationWizard.aspx)
Any thoughts?
You could take a look at Sitecore.Ship as an alternative means of deploying Sitecore update packages into an environment.
Essentially the tool exposes an endpoint that allows remote installation of update packages over HTTP. This approach has some advantages over the Update Installation Wizard as it allows Indexing to be disabled whilst the package is installed, leading to faster package deployment.
Unfortunately, as the folder structure would suggest (/sitecore/admin) the users need to be full Administrators.
The CheckSecurity() method of the UpdateInstallationWizard base class specifically checks for this:
private bool CheckSecurity()
{
User user = Context.User;
if ((Account) user != (Account) null && user.IsAdministrator)
return true;
SiteContext site = Context.Site;
string url = (site != null ? site.LoginPage : string.Empty) + "?returnUrl=" + this.Server.UrlEncode(string.Format("{0}.aspx{1}", (object) this.PageUrl, string.IsNullOrEmpty(this.Request.QueryString.ToString()) ? (object) string.Empty : (object) ("?" + this.Request.QueryString.ToString())));
if (url.Length > 0)
this.Response.Redirect(url, true);
return false;
}
You can check this yourself in dotPeek decompiler. It's defined in class Sitecore.Update.UpdateInstallationBase in the Sitecore.Update dll
I want to restrict access to all but a few selected files per a user, but if I type: /media/userdocuments/FILENAME django happily spits back the file for even users who aren't logged in. How can I integrate the permission framework to work around this?
Thanks!
EDIT: I realize that the django development server is insecure, so I guess the question is: How would I do that in a production environment with apache, lighttp, etc.
Use RewriteMap along with a script that connects to Django and verifies permissions, rewriting to a "disallowed" URL on auth failure.