Is there a way to specify 'all except' in RunDeck ACLs? - acl

In order to allow users to see a specific job but not actually be able to do anything with it I have the following in place in the relevant .aclpolicy file (edited down for brevity):
context:
  project: '.*'
for:
  job:
    - deny: [run,create,delete,kill,killAs,runAs,scm_create,scm_delete,scm_update,toggle_execution,toggle_schedule,update,read]
      equals:
        uuid: ee70e193-733c-4cb2-bdf0-0d6672da563f
    - allow: '*'
by:
  group: [users]
The deny line here lists all available actions except view. I want my users to have access to all other jobs (in the example above I have '*' for the allowed actions, just by way of example).
What I'm wondering is whether there is a way to shorten the deny line to something like - deny: [!view], basically an "everything except view" shortcut.
While the above works, I'm worried that a future update might add extra actions, and these will then be available for this job as they are not specifically denied.

By default Rundeck ACLs deny all actions (it works like a network firewall: everything is denied and you open things up step by step); in your case, you can use - allow: [view].
EDIT: Right now a rule like the one in the question doesn't exist.
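A small model of the rule the answer relies on (nothing is allowed unless a rule allows it, and a matching deny beats any allow), added here as an example; it is not code from the thread or from Rundeck. The filter keys equals/match and the job attributes uuid/group are real aclpolicy vocabulary; the job group names, the 'ops' scoping of the catch-all rule and the 'archive' action standing in for a future Rundeck action are assumptions made for the demo.

```python
"""Simplified model of how a Rundeck .aclpolicy 'for: job:' section decides one
action (added example, not Rundeck's code). It encodes only the behaviour the
answer relies on: nothing is allowed unless some rule allows it, and a matching
deny beats any allow. Job groups and the 'archive' action are constructed."""
import re
JOB_UUID = "ee70e193-733c-4cb2-bdf0-0d6672da563f"  # the job from the question
DENIED_IN_QUESTION = ["run", "create", "delete", "kill", "killAs", "runAs",
                      "scm_create", "scm_delete", "scm_update", "toggle_execution",
                      "toggle_schedule", "update", "read"]

# Policy 1: the question's approach -- deny every known action but view on one
# job, allow '*' on every job.
QUESTION_RULES = [
    {"deny": DENIED_IN_QUESTION, "equals": {"uuid": JOB_UUID}},
    {"allow": "*"},
]
# Policy 2: the answer's approach -- allow only view on that job, and scope the
# catch-all so it cannot match it (assumption: all other jobs sit under 'ops').
ANSWER_RULES = [
    {"allow": ["view"], "equals": {"uuid": JOB_UUID}},
    {"allow": "*", "match": {"group": r"ops(/.*)?"}},
]

def rule_matches(rule, job):
    """A rule applies when every filter it carries matches the job's attributes."""
    for key, want in rule.get("equals", {}).items():
        if job.get(key) != want:
            return False
    for key, pattern in rule.get("match", {}).items():
        if not re.fullmatch(pattern, job.get(key, "")):
            return False
    return True

def grants(spec, action):
    return spec == "*" or action in spec

def decide(rules, job, action):
    """Deny wins over allow; when no matching rule allows, the default is deny."""
    matched = [r for r in rules if rule_matches(r, job)]
    if any(grants(r["deny"], action) for r in matched if "deny" in r):
        return "denied"
    if any(grants(r["allow"], action) for r in matched if "allow" in r):
        return "allowed"
    return "denied"  # the default-deny 'firewall' behaviour from the answer

if __name__ == "__main__":
    special = {"uuid": JOB_UUID, "group": "restricted"}
    for action in ("view", "run", "archive"):  # 'archive' = a future action
        print(action, decide(QUESTION_RULES, special, action),
              decide(ANSWER_RULES, special, action))
```

Under the question's policy the not-yet-existing 'archive' action is allowed on the restricted job (the asker's worry), while under the allow-only variant it falls through to the default deny.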

CAS X.509 auth with attributes from database

I want to configure Apereo CAS 6.0.x to perform X.509 authentication and then retrieve principal attributes from a database table.
Rudimentary X.509 authentication is working with these lines in application.properties (and an appropriate reverse proxy setup):
cas.authn.x509.extractCert=true
cas.authn.x509.sslHeaderName=SSL_CLIENT_CERT
cas.authn.x509.principalDescriptor=SUBJECT_DN
The default "Log In Successful" page shows that it knows how to get my certificate's subject DN.
But I can't figure out how to tell CAS to then use that subject DN value to query my database for additional attributes.
This page explicitly mentions my need (though with LDAP instead of JDBC), but does not say specifically how to achieve it:
In many cases it is necessary to perform authentication by one means and resolve principals by another. The PrincipalResolver component provides this functionality. A common use case for this mix-and-match strategy arises with X.509 authentication. It is common to store certificates in an LDAP directory and query the directory to resolve the principal ID and attributes from directory attributes. The X509CertificateAuthenticationHandler may be combined with an LDAP-based principal resolver to accommodate this case.
What properties need to be set so that the X509 authentication handler resolves the principal against the database?
The missing ingredient was this line in application.properties:
cas.authn.x509.principalType=SUBJECT_DN
Without it, CAS does not attempt to query any attributeRepository settings that you may have.

How to tag gunicorn metrics with proc_name?

I'm pushing gunicorn metrics from multiple applications into Datadog from the same host; however, I cannot find a way to group the statsd metrics using either a tag or proc_name.
Datadog gunicorn integration
https://app.datadoghq.com/account/settings#integrations/gunicorn
Datadog agent checks are being updated automatically with the app:proc_name tag. I can use this to group and select the data for a specific service.
https://github.com/DataDog/dd-agent/blob/5.2.x/checks.d/gunicorn.py#L53
For the statsd metrics however, I do not see how to assign a tag or proc_name. This is not being done automatically nor do I see a way to specify a tag.
https://github.com/benoitc/gunicorn/blob/19.6.0/gunicorn/instrument/statsd.py#L90
Datadog config:
cat /etc/dd-agent/datadog.conf
[Main]
dd_url: https://app.datadoghq.com
api_key: <KEY>
bind_host: 0.0.0.0
log_level: INFO
statsd_metric_namespace: my_namespace
tags: role:[service, test]
Gunicorn config:
# cat /etc/dd-agent/conf.d/gunicorn.yaml
init_config:

instances:
  - proc_name: service
  - proc_name: another_service
Any ideas on how this might be achieved?
Examples using notebooks:
In this example, I am able to select app:service in either the 'from' or 'avg by' drop downs.
Timeseries - `gunicorn.workers` - from `app:service`
For the metrics with the my_namespace prefix I am unable to reference the same application name. Only host and environment related tags are available.
Timeseries - `my_namespace.gunicorn.workers` - from "Not available"
Timeseries - `my_namespace.gunicorn.requests` - from "Not available"
Spoke with Datadog support. Very helpful, but the short answer is that there is currently no option to add additional tags specifying the proc_name in the individual gunicorn.yaml file.
As a workaround to enable grouping we enabled unique prefixes for each application, but the trade-off is that the metrics no longer share the same namespace.
I've submitted a new feature request on the GitHub project, which will hopefully be considered.
https://github.com/DataDog/integrations-core/issues/1062

EXIM4 configuration directives: .ifdef, ifndef

all!
I'm configuring an exim mail server and I'm a newbie to it. It is not my first mail server configuration, but it is my first with exim.
So far I have read different config docs (e.g. this one) on the Internet and exim's configuration manual as well, and now it is clearer to me. But one issue is still not clear: it concerns the .ifdef and .ifndef directives.
For example,
.ifdef CHECK_MAIL_HELO_ISSUED
  deny
    message   = no HELO given before MAIL command
    condition = ${if def:sender_helo_name {no}{yes}}
.endif
As far as I can see from the manual, this clause means that if the macro CHECK_MAIL_HELO_ISSUED is defined, then the following actions will be applied; but if it is not defined anywhere, the actions will not be applied.
And if I want to apply that ACL (it is part of an ACL), it is better to use it without the .ifdef directive.
So please correct me if I'm wrong.
You could either just delete the .ifdef and .endif directives or define CHECK_MAIL_HELO_ISSUED = yes somewhere logically 'before' that deny statement.
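To make the ordering point concrete, here is a minimal model of the .ifdef/.ifndef/.endif processing, added as an example for this thread (not exim's own code). The ACL fragment is constructed around the snippet quoted in the question; the macro-name regex is an approximation of exim's rule that macro names start with an uppercase letter.

```python
"""Minimal model of exim's .ifdef/.ifndef/.endif preprocessing (added example,
not exim's code). It walks a configuration in order, records 'NAME = value'
macro definitions as it meets them, and keeps or drops the lines inside a
conditional depending on whether the macro is defined at that point."""
import re
# exim macro names start with an uppercase letter; this regex is an approximation
MACRO_DEF = re.compile(r"^([A-Z][A-Za-z0-9_]*)\s*=\s*(.*)$")

# Constructed ACL fragment built around the snippet quoted in the question.
ACL_SNIPPET = """\
.ifdef CHECK_MAIL_HELO_ISSUED
  deny
    message   = no HELO given before MAIL command
    condition = ${if def:sender_helo_name {no}{yes}}
.endif
  accept
"""

def preprocess(text, predefined=()):
    """Return the lines exim would actually read. `predefined` stands for macros
    defined earlier in the file or passed on the command line."""
    defined = set(predefined)
    stack = []   # one bool per open .ifdef/.ifndef: is that branch active?
    out = []
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        emitting = all(stack)  # every enclosing conditional must be true
        if parts and parts[0] in (".ifdef", ".ifndef"):
            if len(parts) < 2:
                raise ValueError(f"{parts[0]} without a macro name")
            cond = parts[1].strip() in defined
            stack.append(cond if parts[0] == ".ifdef" else not cond)
        elif parts == [".endif"]:
            if not stack:
                raise ValueError(".endif outside a conditional")
            stack.pop()
        elif emitting:
            m = MACRO_DEF.match(raw.strip())
            if m:
                defined.add(m.group(1))  # only counts from this line onward
            out.append(raw)
    if stack:
        raise ValueError("unterminated .ifdef/.ifndef")
    return out

def helo_check_active(config, predefined=()):
    """True when the deny statement survives preprocessing."""
    return any(line.strip() == "deny" for line in preprocess(config, predefined))
```

Defining CHECK_MAIL_HELO_ISSUED after the .endif leaves the deny block dropped, which is what "logically before" in the answer means.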

Anonymous users with sitecore domains

I'm checking if this is a sitecore bug, or if I'm missing something obvious.
EDIT FOR CLARIFICATION: The problem I'm having is that I'm trying to set up the configuration settings in the Domains.config file so that Sitecore shouldn't be creating (and/or returning) an anonymous user for a domain set up this way. However, if I use the Domain.GetUsers() function on the domain, I still get the anonymous user returned.
The membership provider is custom built and connects to LDAP in read-only mode.
Details
Using Sitecore 6.4.1 and given the following domain configuration in App_Config/Security/domains.config
<domain name="DOMAINNAME" ensureAnonymousUser="false" anonymousUserName="" everyoneRoleName="" />
and these comments in that domain.config file
anonymousUserName: <snip> Set to blank to disable the anonymous user for the domain. Optional
ensureAnonymousUser: Indicates if the domain should ensure that an anonymous user for the domain exists in the Membership database. Optional - default value: false
everyoneRoleName: <snip> Set to blank to disable the everyone role for the domain. Optional - default value: Everyone
If I use the following code,
List<Sitecore.Security.Accounts.User> users = new List<Sitecore.Security.Accounts.User>();
var domain = Sitecore.Security.Domains.Domain.GetDomain(DOMAINNAME);
users.AddRange(domain.GetUsers().ToArray<Sitecore.Security.Accounts.User>());
I get the anonymous user included in users list. I assumed from the comments in the domain.config file that I shouldn't get the anonymous user if I set up my domain as above.
Is there something obvious that I'm missing?
Just a guess as I have not used 6.4 yet or tweaked any of those types of settings before... but I believe Sitecore always comes pre-packaged with the Anonymous user in the membership. By setting ensureAnonymousUser to false you're just telling it not to ensure it's there, but it's already there by default. Why don't you try this test:
Set ensureAnonymousUser to true then delete [*] the Anonymous user from the user manager.
Log out and back in and see if it's there again. If so then the "ensure" aspect of that worked. So...
Set ensureAnonymousUser to false then do the same thing. Does the user come back?
This is really just a hunch on how it works; I don't have an environment like that set up right now to play with, but it's worth a shot.
[*] - to delete a user from the User Manager, go to Sitecore > Security > User Manager
I think it's more a question for the membership provider you use. Take a look at the Active Directory Module.
Maybe this is something that could help you.

Securing trac from anonymous users?

I have set up trac on my domain for issue tracking. How do I configure it so that when anonymous users visit the domain, ALL they see is a login form? Basically I want 2 security levels:
anonymous - visitors only have access to a login option
users (i.e. everybody else who has logged in) - have access to everything
Thanks!
You can remove all permissions for the anonymous user:
trac-admin /path/to/projenv permission remove anonymous '*'
For details see the Trac permission docs
Trac offers two different permission groups by default:
authenticated
anonymous
The docs describe how to change the group defaults and how you can form new permission sets in the permission groups section.
The solution given by Thomas Zoechling does not work anymore; with trac 1.0.2 one needs to copy the permissions of the anonymous user to authenticated manually:
trac-admin /path/to/projenv permission list anonymous
#gets: BROWSER_VIEW CHANGESET_VIEW FILE_VIEW LOG_VIEW MILESTONE_VIEW REPORT_SQL_VIEW REPORT_VIEW ROADMAP_VIEW SEARCH_VIEW TICKET_VIEW TIMELINE_VIEW WIKI_VIEW
trac-admin /path/to/projenv permission remove anonymous '*'
trac-admin /path/to/projenv permission add authenticated BROWSER_VIEW CHANGESET_VIEW FILE_VIEW LOG_VIEW MILESTONE_VIEW REPORT_SQL_VIEW REPORT_VIEW ROADMAP_VIEW SEARCH_VIEW TICKET_VIEW TIMELINE_VIEW WIKI_VIEW
You'll want to look at the AccountManagerPlugin. It allows form-based authentication. You also want to remove permissions from anonymous as described in the other post.