I'm new to loopback. I have created ACL for Deny permission for all users($everyone).But I could access all API through swagger.Can anyone explain this?
Following is My ACL. Thanks.
"acls": [
{
"accessType": "*",
"principalType": "ROLE",
"principalId": "$everyone",
"permission": "DENY"
}
]
Possible reason:
To enable access control, you must call enableAuth(). For example, in a boot script server/boot/authentication.js:
module.exports = function enableAuthentication(server) {
server.enableAuth();
};
Also check your server/model-config.json file to see if your ACL, RoleMapping and Role models are linked correctly to your datasource.
Your ACL is correct, so a problem is somewhere else. In case my answer doesn't help you, you might want to clone loopback-example-access-control repository, try if it works for you and eventually try to figure out, how it differs from your solution.
You can also try to debug it by specyfing a DEBUG environment variable with value loopback:security:* for the console to log the lookups and checks the server makes as requests come in.
Try removing the accessType like this:
{
"principalType": "ROLE",
"principalId": "$everyone",
"permission": "DENY"
}
Otherwise, the best thing to do is to clone the LoopBack-sandbox and reproduce the issue in that repository and post an issue on GitHub.
Try changing the accessType field value to EXECUTE from *.
It also depending on your base model, as it might get overwritten by the base model's ACL.
For example, if your model is a User base model, the "create" method will still work even if you put DENY to $everyone, unless you specify "property": ["create"].
"acls": [
{
"principalType": "ROLE",
"principalId": "$everyone",
"permission": "DENY",
"property": [
"create"
]
}
]
Reference (List of User base ACLs): https://github.com/strongloop/loopback/blob/master/common/models/user.json
Related
EDIT:
Confirmed by SMILE support to be a bug. Is currently being worked on and will presumably be fixed in a future update.
I am trying to test a $validate operation on an update for an existing resource as described here but I keep getting an error message saying that the resource doesn't have an Id, even though it does. Am I missing a separate ID field or something?
Endpoint is ...fhir/Patient/21b4d29b-223c-473e-8f29-9c36e838dc60/$validate
{
"resourceType": "Parameters",
"parameter": [
{
"name": "mode",
"valueString": "update"
},
{
"name": "resource",
"resource":
{
"resourceType": "Patient",
"id": "21b4d29b-223c-473e-8f29-9c36e838dc60"
}
}
]
}
The error message I get is
{
"resourceType": "OperationOutcome",
"issue": [
{
"severity": "error",
"code": "processing",
"diagnostics": "HAPI-0998: Resource has no ID - ID must be populated for a FHIR update"
}
]
}
Let me know if any other info would be helpful, thanks!
Note I'm using Smile CDR 6.0.4 if that matters.
You have to put the resource (Patient) into the body of the POST message. If you are validating against a different profile other than the base specification then you need to provide the canonical URL for that profile.
Confirmed by SMILE support to be a bug. Is currently being worked on and will presumably be fixed in a future update.
I'm attempting to understand how the Condition Element in Resource Policies for AWS API-Gateway triggers.
I've tried using SourceIP to block all traffic by allowing only 128.0.0.0/1 and 0.0.0.0/1 but I was able to hit my API from the same IP both times. I've also tried blocking my API with CurrentTime. But nothing I add to my condition seems to stop my ability to call my API. What am I misunderstanding?
My current attempt to block my API from all calls is this:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<AccountID>:root"
},
"Action": "execute-api:Invoke",
"Resource": "arn:aws:execute-api:us-west-2:<AccountID>:<API>/*/*",
"Condition": {
"DateGreaterThan": {
"aws:CurrentTime": "2019-12-15T12:00:00Z"
}
}
}
]
}
From my understanding, by stating "DateGreaterThan" "CurrentTime" to December 2019 when it is currently September 2019, this API should not be callable for another three months.
Can someone show me where I'm going off track?
Thank you in advance!
PS: I have correct authorization in the body using AWS PublicKey/SecretKey. I'm just looking to block my call with the condition currently.
PPS: I forgot to mention that I've confirmed my API deployment is utilizing this Resource Policy as my API was rejecting calls before I added my AWS PublicKey/SecreyKey. (I enabled AWS_IAM Authorization)
As Joey Kilpatrick requested, here is my updated (still ineffectual) Resource Policy.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<AccountID>:user/Service_Account"
},
"Action": "execute-api:Invoke",
"Resource": "arn:aws:execute-api:us-west-2:<AccountID>:<API>/*/*",
"Condition": {
"IpAddress": {
"aws:SourceIp": "0.0.0.0/1"
}
}
}
]
}
In this case, i'm hitting the API with a 147.x.x.x IP so I would expect this API to return a 403. I have also tested with the previously stated "CurrentTime" Condition.
I want to first note that restricting SourceIP to 128.0.0.0/1 and 0.0.0.0/1 denies no IP address because every IP is in one of those two CIDR blocks.
But this is not your biggest problem: you cannot restrict any permissions from your root user. This is by design. See why it is a bad idea to use root user here.
I've an AWS Api-Gateway resource that I tried configuring to add a message to AWS-SQS, however when I try sending a request to the api I get a response:
{
"Error": {
"Code": "MissingParameter",
"Message": "Version is missing.",
"Type": "Sender"
},
"RequestId": "the-multicharacter-request-id-blah-blah"
}
I have linked the two services in the integration taband the permissions policy is the below:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"sqs:*"
],
"Effect": "Allow",
"Resource": "*"
}
]
}
I've tried adding in api-gateway permissions to the policy, adding a Version parameter in the header, starting the setup from scratch again.
Is there something I'm missing?
'Version' here specifies which version of 'SQS' service to use and should be specified as a query parameter and not the header e.g.:
?Version='2019-05-09'
'Version' specified in the policy refers to the version of the policy language.
This was a case of RTFM.
I ran into this due to a different root cause: make sure the "Action Type" is set to "Use path override" if you don't intent to use "action override"
I'm working on an S3 bucket policy. The idea is to explicitly deny access to all IAM users within the account, except for those explicitly granted.
I found a blog post that explains how to restrict access to a specific user. It works well. However, I want to extend the syntax to include a second IAM user that will be allowed access. This is, in effect, an OR condition.
But, I've very new to JSON, and I'm not sure how to go about that.
Here is the policy that works for restricting access to a single user:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Principal": "*",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::my-bucket",
"arn:aws:s3:::my-bucket/*"
],
"Condition": {
"StringNotLike": {
"aws:userId": [
"AIDA<obfuscated id>:*",
"AIDA<obfuscated id>",
"111111111111"
]
}
}
}
]
}
Can anyone help me edit the above JSON to allow for an OR condition where I could specify an additional userid that would be allowed access?
AdvThanksance!
Ok, I figured this out.
First, I tried adding a second StringgNotLike clause to the Condition, but that didn't work.
After doing as bit more reading, I realized the Condition clause accepts multiple key/value pairs. In fact, the original policy I showed in my question already did that. I just needed to add more values to the array that was already there.
The policy that works, looks like this:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Principal": "*",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::my-private-bucket",
"arn:aws:s3:::my-private-bucket/*"
],
"Condition": {
"StringNotLike": {
"aws:userId": [
"AIDA<obfuscated-id-1>:*",
"AIDA<obfuscated-id-1>",
"AIDA<obfuscated-id-2>:*",
"AIDA<obfuscated-id-2>",
"111111111111"
]
}
}
}
]
}
When I realized that the key had already specified an array of values, I just added the second user id to the array, and it worked great.
I got big cloudformation json template, and trying to add VPC to it.
When I added VPC I got this error:
Template validation error: Invalid template parameter property 'VPC'
Here the where I use VPC in Resource:
"VPC": {
"Type": "AWS::EC2::VPC",
"Properties": {
"CidrBlock": "String",
"EnableDnsSupport": true,
"EnableDnsHostnames": true,
"Tags": [
{"Key": "Name", "Value": {"Fn::Join": ["", [{"Ref": "Env"}, "-VPC"]]}, "PropagateAtLaunch": true}
]
}
}
And I use "VpcId": {"Ref": "VPC"} in Loadbalancers, SecurityGroups PrivateSubnet, PublicSubnet in properties.
Here is VpcId in Parameters:
"VpcId" : {
"Type" : "String",
"Description" : "VpcId of your existing Virtual Private Cloud (VPC)."
}
I'm not doing something very special here, but still little bit confused about error output of create stack with cloudformation.
Who can told me, what I'm doing wrong here?
Here is whole template link (without important credentials).
Thanks!
Looks like you need to close the "Parameters" block before the "Resources" block so CFN tries to create a parameter called "Resources" with a property "VPC"
Based on the template it looks like everything should be working fine. Are you still getting the same issue?