RestHeart ACL - User access controls for databases

I'm using restheart 6, with mongoAclAuthorizer and mongoRealmAuthenticator.
I have no problem managing users or databases, but I'm not understanding how to restrict a user to access only the databases I allow.
I'm reading the documentation (https://restheart.org/docs/security/authorization/) about ACL, but I didn't find what I need.
By looking at the examples, it looks like a user with the role "users" would be able to access all databases.
I guess the answer is in the predicate.
Let's say I have two users: userA and userB both with the role "user". I want userA to access database1 and userB to access database2.
The way the doc shows it, it looks like something is missing, which I wrote in brackets (I know this syntax doesn't exist; it is only to exemplify): [user=userA] and [user=userB].
role: user
predicate: [user=userA] and path-prefix[path="/database1"] and method[value="GET"]
role: user
predicate: [user=userB] and path-prefix[path="/database2"] and method[value="GET"]
Can anyone help me?

It's easier than it looks.
The roles "admin" and "user" are not mandatory.
You can create your own roles and use them as needed.
In my case above, I created four new roles: role-database1-rw, role-database1-ro, role-database2-rw and role-database2-ro.
And I've attached userA to the roles role-database1-rw and role-database2-ro, and userB to the roles role-database1-ro and role-database2-rw.
Then, I created the ACLs:
roles: role-database1-rw
predicate: "path-prefix[/database1] and (method[GET] or method[POST] or method[PUT] or method[DELETE])"
roles: role-database1-ro
predicate: "path-prefix[/database1] and method[GET]"
roles: role-database2-rw
predicate: "path-prefix[/database2] and (method[GET] or method[POST] or method[PUT] or method[DELETE])"
roles: role-database2-ro
predicate: "path-prefix[/database2] and method[GET]"
This way, userA can read from database1 and database2 and write to database1, and userB can read from database1 and database2 and write to database2.
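To check a role-per-database policy like this one before deploying it, the following added example (not code from RestHeart or from the original answer) evaluates the four ACL predicates above against sample requests. It parses the Undertow-style predicate syntax used on this page (path-prefix[...], method[...], and, or, parentheses) and grants a request when any ACL entry for one of the user's roles matches; the USERS mapping is a constructed stand-in for the real user documents.

```python
import re

# ACL entries as posted in the answer above (role -> Undertow-style predicate) and the
# role assignments it describes for userA and userB (constructed, not real documents).
ACL = [
    ("role-database1-rw", "path-prefix[/database1] and (method[GET] or method[POST] or method[PUT] or method[DELETE])"),
    ("role-database1-ro", "path-prefix[/database1] and method[GET]"),
    ("role-database2-rw", "path-prefix[/database2] and (method[GET] or method[POST] or method[PUT] or method[DELETE])"),
    ("role-database2-ro", "path-prefix[/database2] and method[GET]"),
]
USERS = {"userA": ["role-database1-rw", "role-database2-ro"],
         "userB": ["role-database1-ro", "role-database2-rw"]}
TOKEN = re.compile(r"\(|\)|\band\b|\bor\b|([\w-]+)\[([^\]]*)\]")

def tokenize(pred):
    """Return '(' ')' 'and' 'or' or (name, argument) per token; anything else is rejected."""
    if re.sub(TOKEN, "", pred).strip():
        raise ValueError(f"cannot parse predicate: {pred!r}")
    return [m.groups() if m.group(1) else m.group(0) for m in TOKEN.finditer(pred)]

def evaluate(pred, method, path):
    """Recursive-descent evaluation of one predicate; 'and' binds tighter than 'or'."""
    toks, i = tokenize(pred), 0
    def atom():
        nonlocal i
        tok = toks[i]; i += 1
        if tok == "(":
            v = expr(); i += 1; return v          # the skipped token is the closing ')'
        name, arg = tok
        if name == "method":
            return method == arg
        if name == "path-prefix":                  # segment-boundary match, like Undertow's PathMatcher
            return path == arg or path.startswith(arg.rstrip("/") + "/")
        raise ValueError(f"unsupported predicate {name}")
    def term():
        nonlocal i
        v = atom()
        while i < len(toks) and toks[i] == "and":
            i += 1; v = atom() and v               # no short-circuit: every token must be consumed
        return v
    def expr():
        nonlocal i
        v = term()
        while i < len(toks) and toks[i] == "or":
            i += 1; v = term() or v
        return v
    return expr()

def allowed(user, method, path):
    """Allow when any ACL entry for one of the user's roles matches; no match means deny."""
    return any(evaluate(p, method, path) for r, p in ACL if r in USERS.get(user, ()))
```

A user with no matching entry (including an unknown user) is denied, which is the behaviour you want to see for a path such as /database3 that no role covers.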

Related

Changes to /etc/phpmyadmin/config.inc.php do not have effect

I would like to configure PhpMyAdmin to access only one database through one user.
I tried before to restrict access via .htaccess using this answer from 2013 but it did not work:
phpMyAdmin Block Access to Single Database
I hence tried by adding deny,allow rules as stated in this answer:
How do I restrict access to specific database user accounts in phpMyAdmin?
But that did not work either; I can still access with all users. I have read the documentation and rewrote the lines in config.inc.php as
$cfg['Servers'][$i]['AllowDeny']['order'] = 'deny,allow';
$cfg['Servers'][$i]['AllowDeny']['rules'] = array(
    'deny root from all',
    'deny user1 from all',
    'deny user2 from all',
    'allow user3 from all',
);
where user1 and user2 are the users to deny, and user3 is the user to allow. But I can still access with all users. I hence tried only
$cfg['Servers'][$i]['AllowDeny']['order'] = 'explicit';
which should block access for all users, but I can still access with all users. I hence believe that /etc/phpmyadmin/config.inc.php is being overwritten in some way, since no change has any effect, but I do not understand how.
Any idea on where to check?
It looks like you are allowing access to all users and then trying to restrict some of them, which seems a bit confusing:
$cfg['Servers'][$i]['AllowDeny']['order'] = 'deny,allow';
The correct pattern should be to deny access to all users and then grant explicit access to the specific user:
$cfg['Servers'][$i]['AllowDeny']['order'] = 'explicit';
Please refer to the official documentation:
https://docs.phpmyadmin.net/en/latest/config.html#cfg_Servers_AllowDeny_order
The correct configuration should be something like this:
$cfg['Servers'][$i]['AllowDeny']['order'] = 'explicit';
$cfg['Servers'][$i]['AllowDeny']['rules'] = [
    'allow user3 from all'
];
Hope it works for you!

I need guidance about permissions in Xenforo

How can only the first superAdmin have access to a permission group (for example, signature permissions), while other admins and superAdmins have no access to it?
For example, only the first superAdmin with id = 1 should see and access some permissions and be able to change them,
and the other superAdmins should not be able to see those permissions.
Super admins are defined in the library/config.php file:
$config['superAdmins'] = '1,2,3';
1, 2 and 3 being three different user IDs.

Friend circle by sqlalchemy

Say I have the following Users model:
from sqlalchemy import Boolean, Column, ForeignKey, Integer, UniqueConstraint
from sqlalchemy.orm import declarative_base, relationship

Base = declarative_base()

class Users(Base):
    __tablename__ = 'users'
    id = Column(Integer, primary_key=True)  # the keyword is primary_key, not primary
    friends = relationship(
        'Users',
        secondary='friend_associations',
        primaryjoin='and_(FriendAssociations.user_id==Users.id,'
                    'FriendAssociations.pending==False)',
        secondaryjoin='and_(FriendAssociations.friend_id==Users.id,'
                      'FriendAssociations.pending==False)',
        uselist=True,
    )
And the FriendAssociations model is:
class FriendAssociations(Base):
    __tablename__ = 'friend_associations'
    id = Column(Integer, primary_key=True)
    # ForeignKey takes the table name ('users'), not the class name ('Users')
    user_id = Column(ForeignKey('users.id'), nullable=False)
    friend_id = Column(ForeignKey('users.id'), nullable=False)
    pending = Column(Boolean, default=True)
    __table_args__ = (UniqueConstraint(
        'user_id', 'friend_id', name='uq_user_friend_id_pair'
    ),)
The target was: user A sends a friend request to user B. Until user B accepts the request, the request stays pending. When B accepts the request, pending is set to False and one more friend_associations entry
is created for user B to state that user A is a friend of user B and vice versa. The problem is, I can do these things, but when I want to remove a user entry, the database (I am using PostgreSQL) throws an error saying friend_associations depends on the user (because the association entry isn't deleted). As a result I can't delete any user entry.
So:
Is my solution to the problem correct?
If not, what should I do to correct it?
Please give basic query examples like adding and deleting friends and user entries with such a solution or mine.
Thanks in advance.
OK, I found the solution by reading the docs a little more. Combining cascade, single_parent and passive_deletes, I could achieve 3 relationships:
friends - who have accepted the friend request
sent_friend_requests - who were sent a request by the user and have not yet accepted
awaiting_friend_requests - who have sent a request to the user that has not yet been accepted
Thumbs up for the SQLAlchemy documentation.
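One way to remove the foreign-key error, added here as an example and not the poster's own code: declare both foreign keys with ondelete='CASCADE' so the database deletes the association rows together with the user, keep the friends relationship viewonly so the ORM does not fight the cascade, and enable foreign keys on SQLite, which otherwise ignores ON DELETE CASCADE. The helper functions and the in-memory SQLite engine are mine; PostgreSQL enforces the cascade without the pragma.

```python
from sqlalchemy import Boolean, Column, ForeignKey, Integer, UniqueConstraint, create_engine, event
from sqlalchemy.orm import Session, declarative_base, relationship

Base = declarative_base()

class Users(Base):
    __tablename__ = "users"
    id = Column(Integer, primary_key=True)
    # Accepted friends only; viewonly because the helper functions below manage the rows.
    friends = relationship(
        "Users", secondary="friend_associations", viewonly=True,
        primaryjoin="and_(FriendAssociations.user_id==Users.id, FriendAssociations.pending==False)",
        secondaryjoin="FriendAssociations.friend_id==Users.id")

class FriendAssociations(Base):
    __tablename__ = "friend_associations"
    id = Column(Integer, primary_key=True)
    # ondelete=CASCADE: the database drops association rows when either user is deleted,
    # which is what removes the "depends on" error from the question.
    user_id = Column(ForeignKey("users.id", ondelete="CASCADE"), nullable=False)
    friend_id = Column(ForeignKey("users.id", ondelete="CASCADE"), nullable=False)
    pending = Column(Boolean, default=True, nullable=False)
    __table_args__ = (UniqueConstraint("user_id", "friend_id", name="uq_user_friend_id_pair"),)

def make_engine():
    engine = create_engine("sqlite://")   # constructed in-memory database for the demo
    @event.listens_for(engine, "connect")
    def _enable_fks(dbapi_conn, _record):
        dbapi_conn.execute("PRAGMA foreign_keys=ON")  # SQLite ignores ON DELETE CASCADE otherwise
    Base.metadata.create_all(engine)
    return engine

def send_request(session, sender, receiver):
    session.add(FriendAssociations(user_id=sender.id, friend_id=receiver.id))  # pending=True
    session.commit()

def accept_request(session, sender, receiver):
    req = session.query(FriendAssociations).filter_by(user_id=sender.id, friend_id=receiver.id).one()
    req.pending = False
    session.add(FriendAssociations(user_id=receiver.id, friend_id=sender.id, pending=False))
    session.commit()

def delete_user(session, user):
    session.delete(user)   # association rows in both directions disappear via the FK cascade
    session.commit()

def friend_ids(session, user_id):
    return sorted(f.id for f in session.get(Users, user_id).friends)
```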

Flask-Admin/SQLAchemy: Standard idiom to produce a row-filtered user view

Using SQLAlchemy through Flask-Admin/Flask-Security.
I have 2 roles: "admin" and "user"
Normal users own certain parts of the data (certain rows of the tables) and should only access their own data.
What is the standard idiom for only allowing users to access their own data but not other users' data? I created a special UserView and overrode get_query and get_count_query and included a filter in these methods. Is that the standard way?
I am new to SQLAlchemy, and I am having trouble filtering tables that are "distant" from the User table.
For example: User to Project (many-to-one), Project to X (many-to-many), X to Y (many-to-many), all with backrefs.
How would I filter the Y view for a non-admin user so that it shows only those rows that are reachable from the current user (through Project)?
Thanks!

OpenLDAP : ACL : Allow users to manage their own groups

I need your advice on an LDAP structure and the associated ACL.
Our LDAP will manage 10 (the number may vary) organizations which contain users (250 users in total).
I want 1 user per organization to be allowed to manage all the users of his own organization.
Users will also be attached to custom groups.
What is the best LDAP structure for that?
My first idea is the following:
Groups:
dn: cn=Manager,ou=Roles,ou=Groups
objectClass: posixGroup
objectClass: top
cn: Manager
gidNumber: 10100
memberUid: user1
memberUid: user3
dn: cn=Structure1,ou=Structures,ou=Groups
objectClass: posixGroup
cn: Structure1
gidNumber: 10000
description: Structure1
memberUid: user1
memberUid: user2
dn: cn=Structure2,ou=Structures,ou=Groups
objectClass: posixGroup
cn: Structure2
gidNumber: 10001
description: Structure2
memberUid: user3
memberUid: user4
user1 should be allowed to edit user user2 but not user3 or user4
user3 should be allowed to edit user1 but not user2
I actually get stuck on the ACL because I can't manage to use the groups of an entry with the ACL set method.
I would like to do something like this:
{1}to dn.children="ou=Users" by set="[cn=]+this/groups+[,ou=Structures,ou=Groups]/memberUid & user/uid" write by * read
I can use groupOfNames if it is better than posixGroup.
I've already read:
http://www.openldap.org/doc/admin24/access-control.html
http://www.openldap.org/faq/data/cache/1133.html
http://www.openldap.org/faq/data/cache/1134.html
My contribution is one option to solve this situation. I know it's been a while, but I hope this helps someone out there.
- Change to groupOfNames or organizationalRole (the latter supports empty groups); both require a DN as member.
- Enable the memberof overlay to get the memberof operational attribute on the user (this adds the list of groups the user is a member of as an attribute in the user entry):
olcMemberOfGroupOC: organizationalRole
olcMemberOfMemberAD: roleOccupant
olcMemberOfMemberOfAD: groups ("groups" is the operational attribute added to the user)
Once both actions were performed and you're sure the users have values in the groups operational attribute, according to the original question, here are 2 scenarios:
1st scenario - user1 is allowed to write user3,ou=users as they both belong to cn=Manager,ou=Roles,ou=Groups
2nd scenario - user1 is allowed to write user2,ou=users as they both belong to cn=Structure1,ou=Structures,ou=Groups
by set="this/groups & user/groups" write
This ACL grants write access whenever both users (the modified entry and the modifier) share a group.
user=user1,ou=users
"user/groups" gets the values of the modifier's groups attribute: cn=Manager,ou=Roles,ou=Groups and cn=Structure1,ou=Structures,ou=Groups.
this=user3,ou=users
"this/groups" gets the values of the modified object's groups attribute: cn=Manager,ou=Roles,ou=Groups and cn=Structure2,ou=Structures,ou=Groups.
this=user2,ou=users
"this/groups" gets the values of the modified object's groups attribute: cn=Manager,ou=Roles,ou=Groups and cn=Structure1,ou=Structures,ou=Groups.
I hope this solves the question and is useful to anyone struggling with OpenLDAP ACLs as I did some days ago.
Best regards!
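The set-clause evaluation described in the answer, as an added example that is not part of the original answer: it derives the per-user groups attribute the memberof overlay would populate (here from the question's posixGroup entries, with memberUid values standing in for the DN-valued members the overlay actually needs) and evaluates this/groups & user/groups for every modifier/target pair. The function names and the embedded LDIF are mine.

```python
# Group entries constructed from the question's LDIF; memberUid stands in for the DN-valued
# member attribute (roleOccupant/member) that the memberof overlay actually works on.
GROUPS_LDIF = """\
dn: cn=Manager,ou=Roles,ou=Groups
memberUid: user1
memberUid: user3

dn: cn=Structure1,ou=Structures,ou=Groups
memberUid: user1
memberUid: user2

dn: cn=Structure2,ou=Structures,ou=Groups
memberUid: user3
memberUid: user4
"""

def parse_groups(ldif):
    """Return {group DN: set of member uids} from minimal LDIF text."""
    groups, dn = {}, None
    for line in ldif.splitlines():
        if line.startswith("dn: "):
            dn = line[4:]
            groups[dn] = set()
        elif line.startswith("memberUid: ") and dn:
            groups[dn].add(line[len("memberUid: "):])
    return groups

def member_of(groups):
    """Invert the group map: this is the 'groups' attribute memberof would add to each user entry."""
    users = {}
    for dn, uids in groups.items():
        for uid in uids:
            users.setdefault(uid, set()).add(dn)
    return users

def may_write(users, modifier, target):
    """The clause  by set="this/groups & user/groups" write  grants when the intersection is non-empty."""
    return bool(users.get(modifier, set()) & users.get(target, set()))

def access_matrix(ldif=GROUPS_LDIF):
    """Who may write whose entry (self excluded here, although the clause grants self-writes too)."""
    users = member_of(parse_groups(ldif))
    return {m: sorted(t for t in users if t != m and may_write(users, m, t)) for m in sorted(users)}
```

The resulting matrix shows that the shared cn=Manager membership is what lets user1 and user3 write each other's entries (the answer's first scenario), whereas the question originally asked for user1 not to edit user3; drop the Manager role from the set, or scope the set to ou=Structures, if only same-organization writes are wanted.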