Having trouble to get user that belongs to group "user" having access (at least read) to projects. I've read and tried several examples I found on the internet, none seems to work.
What I need for now is: allow any users who belong to group "user" to read project named MYPROJECT. I have this, saved in a file named user.aclpolicy under /etc/rundeck. I have waited for 60+ seconds. I've also tried restarting RunDeck. No luck.
I keep getting:
You have no authorized access to projects.
Contact your administrator. (User roles: raka, user)
description: application access to a project
application: 'rundeck'
for:
resource:
- equals:
kind: project
deny: [create] # deny create of projects
- equals:
kind: system
allow: [read] # allow read of system info
- equals:
kind: user
deny: [admin] # allow modify user profiles
project:
- equals:
name: 'MYPROJECT'
allow: [read] # allow access
deny: [import,export,configure,delete] # deny admin actions
storage:
- deny: [read,create,update,delete] # allow access for /keys/* storage content
by:
group: user
What's wrong with YAML above? I've also checked the web.xml under /var/lib/rundeck/exp/webapp/WEB-INF to make sure role-name "user" is registered there.
My realm.properties contains this line:
raka:greentooth60,user
I've also tried this. Basically copying whatever was there for the "admin" group. And for that I also tried it putting it direcly in the admin.aclpolicy instead of separate file. Still no luck.
description: User, all access.
context:
project: '.*' # all projects
for:
resource:
- allow: '*' # allow read/create all kinds
adhoc:
- allow: '*' # allow read/running/killing adhoc jobs
job:
- allow: '*' # allow read/write/delete/run/kill of all jobs
node:
- allow: '*' # allow read/run for all nodes
by:
group: user
RunDeck version: Rundeck 2.6.9-1 cafe bonbon indigo tower 2016-08-03
This is a debian installation of RunDeck (.deb). Which log file(s) can I look at to analyze situations like this?
Thanks,
Raka
RunDeck ACLs can be counter-intuitive and take some time to get used to. For visibility, especially when you are starting out writing RunDeck ACL policies, it is better to only set what users are allowed to do, instead of denying access. By default, nothing is allowed, so you only really need to add allow statements to give users access to resources.
RunDeck needs ACL policies for both the "application" context, and the "project" context. You are specifying read access to the project in the application context, and access to all jobs by name (in your case .*) in the project context, but there you also need to give access to read the resource type job in order for jobs to be visible. See the example below.
Useful logs
For troubleshooting RunDeck I have found the following logs useful:
tail -f /var/log/rundeck/{rundeck.log,service.log}
Testing ACL policies
If you want to test specific user actions against your ACL files, you can use the tool rd-acl which is installed together with RunDeck. For example, to test that a member of group user can read the job restart some server in the project MYPROJECT, you can do:
rd-acl test -p 'MYPROJECT' -g user -c project -j 'restart some server' -a read
For more details, see the rd-acl manual.
Read-only ACL example
Here is an example (tested on Rundeck 2.6.9-1) that should give anyone in the group "user" access to read everything on your RunDeck server:
context:
application: rundeck
description: "normal users will only have read permissions"
for:
project:
- match:
name: '.*'
allow: [read]
system:
- match:
name: '.*'
allow: [read]
by:
group: user
---
context:
project: '.*'
description: "normal users will only have read permissions"
for:
resource:
- equals:
kind: 'node'
allow: [read,refresh]
- equals:
kind: 'job'
allow: [read]
- equals:
kind: 'event'
allow: [read]
job:
- match:
name: '.*'
allow: [read]
node:
- match:
nodename: '.*'
allow: [read,refresh]
by:
group: user
Another thing you can stumble upon when dealing with the "You have no authorized access to projects" are the permissions.
If for whatever reason you have created the aclpolicy file with a simple copy using the root user, you will need to change the owner and group to 'rundeck' (unless you changed the user rundeck runs under, of course).
That made me loose 30 minutes today, hope this helps someone.
Related
I tried openshift redhat k8s distro and now there are 2 projects that i need to delete. I can only login as user 'erjcan', this is my primary acc and it seems not to be allowed to do admin actions.
The 'delete button' is inactive in gui console, i tried to create a role for myself but can't.
I tried to create admin-like role and assume it as a user, but it is not allowed either.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: all-stuff
namespace: erjcan-stage
rules:
- apiGroups:
- ''
resources:
- '*'
verbs:
- '*'
This code above gives me RBAC not allowed error:
An error occurred
roles.rbac.authorization.k8s.io "all-stuff" is forbidden: user "erjcan"
(groups=["system:authenticated:oauth" "system:authenticated"]) is
attempting to grant RBAC permissions
not currently held: {APIGroups:[""], Resources:["*"],
Verbs:["*"]}
I tried to delete via cli, but i can only login as erjcan user.
Logged into "https://api.sandbox-m2.ll9k.p1.openshiftapps.com:6443" as "erjcan" using the token provided.
You have access to the following projects and can switch between them with 'oc project <projectname>':
erjcan-dev
* erjcan-stage
Using project "erjcan-stage".
bash-4.4 ~ $
bash-4.4 ~ $ oc delete project erjan-dev
Error from server (Forbidden): projects.project.openshift.io "erjan-dev" is forbidden: User "erjcan" cannot delete resource "projects" in API group "project.openshift.io" in the namespace "erjan-dev"
bash-4.4 ~ $ oc delete project erjcan-dev
Error from server (Forbidden): projects.project.openshift.io "erjcan-dev" is forbidden: User "erjcan" cannot delete resource "projects" in API group "project.openshift.io" in the namespace "erjcan-dev"
How to delete a project in redhat openshift gui console?
You appear to be talking about using Red Hat's developer sandbox. Which, indeed, does not allow you to delete projects. There's no way around that: RBAC is specifically set up to not allow you to create or delete projects.
You don't say why you need to delete the projects. They will go away eventually do to inactivity. But, if you just want a clean slate, or just need to remove what you have inside that project you do have permission to delete everything in the project (just not the project itself).
oc delete all --all will remove everything inside the current project. Obviously use that command with strict care: there is no confirmation or warning. (BTW, the first "all" is saying all types of objects: pods/deployments/routes/etc, the second --all is saying "yes, I'm deliberately not providing a filter or any other subset, I really mean delete all of the objects I'm specifying".
Similarly, the following two commands should clean up both of your projects. (Although they will still exist.)
oc delete all --all -n erjcan-stage
oc delete all --all -n erjcan-dev
In ejabberd 18.01-2, installed in lxc container Ubuntu 18.04 Bionic LTS using apt, I'm trying to setup mod_http_upload.
In the section listen, I have
listen:
-
port: 5444
module: ejabberd_http
tls: true
request_handlers:
"/upload": mod_http_upload
In the configuration file, commented port was 5444, however, in the current documentation, it is 5443, so I am not sure which one is right.
In the modules section, I have
modules:
mod_http_upload:
host: "upload.ejabberd.forumanalogue.fr"
max_size: infinity
thumbnail: true
put_url: "https://ejabberd.forumanalogue.fr:5444/upload"
docroot: "/ejabberd/upload"
When I start the service, I can see an odd message in the logs
2019-11-11 21:02:35.287 [warning] <0.367.0>#ejabberd_pkix:handle_call:255 No certificate found matching 'upload.ejabberd.forumanalogue.fr': strictly configured clients or servers will reject connections with this host; obtain a certificate for this (sub)domain from any trusted CA such as Let's Encrypt (www.letsencrypt.org)
It is strange because I have a signed wildcard certificate.
certfiles:
- "/etc/letsencrypt/live/forumanalogue.fr/*.pem"
I can see the service with my client (Gajim) but when I try to send a file to another local account, I receive an error Access denied by service policy, see the complete log:
<iq xml:lang='en' to='foo#forumanalogue.fr/gajim.HCLJ4BZI' from='upload.ejabberd.forumanalogue.fr' type='error' id='1dd35274-90e9-4b3b-9608-0fab59afe34e'>
<request xmlns='urn:xmpp:http:upload'>
<filename>a.out</filename>
<size>27232</size>
<content-type>application/octet-stream</content-type>
</request>
<error code='403' type='auth'>
<forbidden xmlns='urn:ietf:params:xml:ns:xmpp-stanzas'/>
<text xml:lang='en' xmlns='urn:ietf:params:xml:ns:xmpp-stanzas'>Access denied by service policy</text>
</error>
</iq>
I had to enable debug logging in order to see something. It is quite verbose, but I think that the relevant part, which is non redundant with the client message, is
2019-11-11 20:53:08.329 [debug] <0.501.0>#mod_http_upload:process_slot_request:544 Denying HTTP upload slot request from foo#forumanalogue.fr/gajim.HCLJ4BZI
Thank you for your help.
I tried with ejabberd 18.01, a configuration similar to yours, and it works for me.
Looking at the source code, that "process_slot_request:544 " error means that the account attempting to use the upload feature is not allowed by the "local" Access rule in the vhost it sended it to. Probably it's a remote account. Remote to that upload service. In other words, the service upload.whatever can only be used by accounts like user12#whatever.
In your case, you are attempting to use upload.ejabberd.forumanalogue.fr from account foo#forumanalogue.fr, which is not local to that upload service.
Several ideas, I hope one of them suits your specific setup:
A) don't mess with vhosts. If it's forumanalogue.fr, keep it that everywhere
B) use #HOST# in host and put_url options
C) Or if you really want to mess with hosts, then add Access rights so accounts in that vhost are considered "local" to the upload service.
I am building an OpenShift client that is using OpenShift's REST API to perform various operations on the cluster. I would like to have this client create a persistent volume. The default developer user cannot create persistent volumes but the administrator can. I am trying to find the best way to create a persistent volume in a default OpenShift origin deployment without requiring user input and using only the REST APIs, without any oc usage.
I see two possible solutions:
Create the persistent volume as the user admin. However, I cannot figure out how to use the APIs as an admin since this user account has no token. I have tried to examine oc logs but cannot reverse engineer how it can authenticate as an admin.
Add the permission to create persistent volumes to the user developer. I would like to avoid this but if it comes to that I am willing to take this solution into consideration. Anybody knows what kind of permission the developer user needs to be able to create a persistent volume?
How to create a persistent volume using only the OpenShift API?
You can create a user or service account for persistent volume manipulation.
The roles that would need are cluster roles, and there's already one existing role called "system:persistent-volume-provisioner"
$ oc get clusterrole/system:persistent-volume-provisioner -o yaml --as system:admin
apiVersion: authorization.openshift.io/v1
kind: ClusterRole
metadata:
annotations:
authorization.openshift.io/system-only: "true"
openshift.io/reconcile-protect: "false"
creationTimestamp: 2018-03-16T13:18:45Z
name: system:persistent-volume-provisioner
resourceVersion: "134"
selfLink: /apis/authorization.openshift.io/v1/clusterroles/system%3Apersistent-volume-provisioner
uid: 8e253e28-291c-11e8-b0f7-36c91e93ae8e
rules:
- apiGroups:
- ""
attributeRestrictions: null
resources:
- persistentvolumes
verbs:
- create
- delete
- get
- list
- watch
- apiGroups:
- ""
attributeRestrictions: null
resources:
- persistentvolumeclaims
verbs:
- get
- list
- update
- watch
- apiGroups:
- storage.k8s.io
attributeRestrictions: null
resources:
- storageclasses
verbs:
- get
- list
- watch
- apiGroups:
- ""
attributeRestrictions: null
resources:
- events
verbs:
- create
- list
- patch
- update
- watch
If this cluster role has more than what you need, just create one with less permissions.
I am trying to deploy a global forwarding rule. My yaml file is below
resources:
- name: rule
type: compute.v1.forwardingRule
properties:
portRange: 80-80
IPProtocol: TCP
target: projects/{{ env["project"] }}/global/targetHttpProxies/myproxy
IPAddress: xx.xx.xx.xx
When i run the command :
gcloud deployment-manager deployments create grule --config test.yaml
It is giving error saying resource properties region is required. It is asking for region, but i am trying to create a global forwarding rule for which I need not give region.
Maybe it should be compute.v1.globalForwardingRule?
I am trying to deploy the people in the news sample application and this is the error, Could not find launch configuration manifest nor the top-level project manifest. Please restore it or provide a project manifest.
I am following this one http://peopleinnews.mybluemix.net/deployinfo.html
When I get to number 8 the path has a ' . ' (period) on my UI and I can not remove it to type peopleInNews/
peopleinthenews/manifest.yml (below)
applications:
- services:
- ttn-cloudantNoSQLDB
- re-service
disk_quota: 1024M
host: peopleinnews
name: People In News
command: node app.js
path: .
domain: mybluemix.net
instances: 1
memory: 512M
then I tried changing path manually (below)
applications:
- services:
- ttn-cloudantNoSQLDB
- re-service
disk_quota: 1024M
host: peopleinnews
name: People In News
command: node app.js
path: peopleinnews/
domain: mybluemix.net
instances: 1
memory: 512M
Can anyone tell me more of what this error with the project manifest is?
The manifest.yml file is formatted incorrectly. For the values you've provided, this is how it should be formatted
applications:
- name: People In News
disk_quota: 1024M
host: peopleinnews
command: node app.js
path: peopleinnews/
domain: mybluemix.net
instances: 1
memory: 512M
services:
- ttn-cloudantNoSQLDB
- re-service
Specifically, services is property at the same level as the other properties, and the service names should be properties nested under the services property.
YAML can be a confusing syntax to author; when in doubt, use the awesome CF Manifest Generator at http://cfmanigen.mybluemix.net/ to build your manifest online.
The deployment instruction for the 'People In The News' sample application has been updated in http://peopleinnews.mybluemix.net/deployinfo.html#DeployJazzHub. The important change is in the 'Command' field within the launch configuration panel. Once the correct location of the 'app.js' is specified, the deployment should then go smoothly.