I need to add new user in Wso2 CEP (3.1.0) and I know that is possible by "clicking" few steps in console (example from documentation). I wonder if it possible to add new user without login into console, but connect to H2 database and insert user there?
I know that new user is save into "UM_USER" table.
Maybe someone knows what class write user into H2, how passowrd is enrcypted and what is "UM_SALT_VALUE" and why I need it?
If all you want is to manage users programmatically, a better way rather than trying to modify H2 DB is to do it through the relevant admin service. This way you don't have to bother about the underlying user-store or the salt values used for hashing passwords etc.
In Carbon-based products, most of the configurations done through the web console can be done programmatically by calling the relevant admin web service, such as user management, adding/managing deployment artifacts etc.
So for you use case, you can use the User Management admin service at:
https://localhost:9443/services/UserAdmin?wsdl
Note that in order to access this wsdl, you should make these admin service wsdl's visible by editing <CEP>/repository/conf/carbon.xml and restart the server.
<HideAdminServiceWSDLs>false</HideAdminServiceWSDLs>
Related
I am creating a flask app to be used internally in my company. I would like to restrict what a user can do it based on its login ID. I read a lot about using LDAP3 but I don't think I can do what want which send the login ID to the server. There I would have a table which will register which part of the system has the permition to edit. If it try to change somenthing not permited the app will retrieve a warning message.
I won't to do that to avoid having to create a separate login functionality just for this app. I read that I should use AD authentication but I am not very familiarized with that and I would also like to avoid having to ask our IT department to create user groups there for each part of my system.
I know that I can do that using ASP .NET (at least I did once).
Any guidance will be apreciated.
I think you are looking for Role-based Authorization.
In order to use this functionality you will need to implement roles on your model file per the Data-models documentation.
This will allow you to assign users a role when they are created, and you can use a decorator on your routes to 'require' the user to have the role you want them to have before they access the endpoint.
I am trying to create a centralized authentication server for multiple Django apps (APIs). I've seen posts/recommendations but none fit exactly what I am looking for.
Overview:
Users can be associated to one or multiple projects
Users have same credentials to all projects they are associated to
Use JSON Web Tokens - use payload to add user data, sub-domain (project) to route to, role, etc
Sub-domain will not be used for login. All users will login to same site and will be routed to project they are associated to (or given list if there are multiple). SSO is optional.
Questions/uncertainties:
Q: Should the authentication tokens be created on the authentication server or on each project? ie) Each user having one auth token for all projects or have one auth token for each project?
Q: Roles will be stored in each app. I would like to send the roles along with the authentication token in the JWT. Should this data be redundantly stored on the authentication server? Another other way would be for the authentication server to access the project databases. What is the best way to handle this? Users will have different roles for each project.
Q: Auth server will have basic user information (email/username, password, first/last name, etc). Since foreign keys can't be used between databases I can use a user proxy based on usernames to create the user on each project. Do the app servers need to have access to which authentication tokens are valid?
Taking advantage of pre-existing software:
Another approach I had in mind was to use django-tenant-schemas which takes advantage of Postgres schemas where each one of my projects would be a schema (currently using MYSQL databases). Does it make sense to take advantage of this?
Can I take advantage of an IdP service to offload some of the authentication? Does this easily tie into the Django auth layer?
Your question seems to be multiple so I would split the answer too:
ABOUT THE USERS
Since your users are not part of your "mutitencancy model" you have two options here:
Replicate your user data among the different tenant databases (via triggers and what not).
Write your own authentication middleware that verifies users in the right database (lets call it root database since now on). You can use user ids to from the root database and verify manually that they match, which is a bad idea.
That means your database schema will be something like this:
root database (all common data here)
project 1 database (with it's own user data or referencing root)
project 2 database (with it's own user data or referencing root)
Now for authentication tokens
You have the same options as above:
Keep them in the root database and write your own middleware.
Replicate them.
How to implement the whole thing
Since your use case is pretty particular, you may encounter some resistance from existing software. But creating your own multitenant solution is not that hard
I am a 30+ year programmer, but almost all of it was in the semi-conductor world and none of that was with web sites. I have been given the task of getting wso2is to work with 1 new app and eventually add the already existing apps. Most of the terminology is foreign to me. I have read much of the documentation, it is beginning to make sense. I can get it to run and create some of the items needed, user, role, permissions and claims. But there are some concepts that I don't get from the manual.
Ok I know that what I need to get out of it is simple authorization.
Person->web_app->wso2is->authorization->web_app
We will eventually have several apps that our internal users wish to forgo multiple logins.
So if I have AppA and AppB and I want to use both Apps. I login to AppA, it sends authorization request to IS and it sends back true/false that all is good for AppA, but now I need to get into AppB from the same browser, new tab. It is my understanding that wso2is is single sign-on (SSO). So it looks like I would have to sign also to AppB completely independent to AppA. Our developers are looking to use curl to communicate with IS. So how does IS tie all this together?
I'm very confused.
I understand users, roles, permissions and claims, at least I think I do.
I've managed to add users with REST and SCIM. I've had no luck in getting ANY of the samples to work.
Hope it is not too late to answer this question. I will try to expalin the steps as simple as possible.
Add App A, as service provider in WSO2 IS.
Add App B as service provider in WSO2 IS.
Note: Both apps can be ( and should be) fully independent to each other. By that I mean, App A can be java, App B can be a .net application. They can have different certificates for encryption etc.
When you try to log in to App A in new browser session, it will redirect you to WSO2 login page and there you can authenticate yourself with user id and password.
Now when you try to open App B in same browser in new tab, WSO2 will not ask you again for user id and password, rather it will allow you to access App B. All this happens because of SSO.
This is SSO in the simplest way.
We would like to move the users from a one Identity system to WSO2 IS. Both userstores reside on a SQL DB. We would use SELECT INTO (INSERT INTO SELECT) at the database level to move the users from the old Identity Store to WSO2 IS. Will this cause any issues with the data integrity? Or should we just use the WSO2 IS APIs instead?
You have your users in separate user DB (say foo user store) and you need to move all users in to WSO2IS user store schema..? It mostly depends on the how user's password has been stored in the foo user store.
If password is stored as plain text (or encrypted as it can be decrypted), you can WSO2IS APIs to add users which is mostly the best option. You can write some tool to read from foo DB and call the API of WSO2IS. User Mgt API can be used for it. More details from here
If password is stored as hashed, then we can not use the APIs and we need to use some database level migration. You can move to username and user's password in to UM_USER table and user's attributes in UM_ATTRIBUTE tables.
But, please note, if your foo DB has used some different password hashing schema which is not supported by WSO2IS, above migration also would not be success out of the box. By default WSO2IS supports for SHA-1, SHA-2 hashing methods only. If it is not, you may need to do some customization.
However, why you are trying migrate it to WSO2IS schema? Can't you write a custom user store manager implementation for your foo DB and connect WSO2IS in to your existing user store ? I guess, it is more convenient than migrating.
When I go to "My Identity -> My Profiles", it does not give me the option to Add New Profile (as seen on the documentation for User Profile Management), but I can only edit the default profile.
I am using an external MySQL server as the JDBC user store, and creation and editing of users works fine.
I did not find any parameter in the xml files to enable this multiple profile feature. How should I proceed?
Thanks.
Yes. I also find the same. Adding multiple profile for user has been removed from UI. But with JDBC user store, I guess, we can add this using the web service API. Following is the API
https://{ip}:{port}/services/UserProfileMgtService?wsdl