Apache Drill Authentication in Windows - apache-drill

I am new to Apache Drill. I am running Drill in embedded mode on the Windows 10 operating system.
My question is how to authenticate Drill. I want Drill to ask for a user name and password whenever anyone starts it.
I know that Drill uses PAM authentication, but I don't know how to use PAM on the Windows 8.1 operating system, or where and how to store the username and password.
Please suggest something or, if possible, give me an example of how to restrict user access to Drill on the Windows 8.1 operating system.
Is Windows security supported, and if not: what would be the recommended route for adding Windows security?

You should be able to use custom authentication and configure it in override.conf; an example class is specified in the documentation:
https://drill.apache.org/docs/configuring-user-authentication/
If you are trying to give access to a few folders on your machine, remove dfs.root from the storage plugin and give access to the folders you would like to share.

Related

Why doesn't my Gmail user/password work when deploying ASP.NET to Compute Engine inside Visual Studio?

I created a Compute Engine VM using the ASP.NET Cloud Launcher, and now I want to deploy to it from Visual Studio.
I've created a publish settings file using the Visual Studio extension then tried to deploy using the regular Visual Studio "Publish" command. The settings didn't contain a user name and password, so I used my Gmail/Google credentials - this is a Compute Engine instance that my account has access to, after all:
This failed with the following error:
Web deployment task failed. (Connected to the remote computer
("(redacted)") using the Web Management Service, but could not
authorize. Make sure that you are using the correct user name and
password, that the site you are connecting to exists, and that the
credentials represent a user who has permissions to access the site.
Learn more at:
http://go.microsoft.com/fwlink/?LinkId=221672#ERROR_USER_UNAUTHORIZED.)
If that's not the user name and password to use, what is?
The Compute Engine instance doesn't know about your Google user at all - it only knows about regular Windows accounts, and you don't have a Windows account on it. So, you need to create a Windows account on the instance, and then put that into the publish settings.
In the Google Cloud Explorer, select the instance and choose "Create or Reset Password":
You can then choose whatever username you like - I'd suggest "aspnet" for simplicity, for example. Note that this username is a normal Windows account on the machine - it's not specific to your Google user. If you're sharing this machine with others for development, you should agree on a set of account names, either securely sharing credentials for a single account, or creating a separate account per developer. You don't want to reset the password for an account a colleague is using!
This account can also be used to open a Terminal Server session with the Compute Engine instance.
Wait until the user has been created with a password, then copy the password:
You can now put that into your Publish Settings and let Visual Studio save the password - and keep a copy in a separate secure location, should you wish, of course.

Restriction to Web Console in Apache Drill

Is there any way to restrict users from accessing the Web Console, or to require a user name and password?
I am using Drill in embedded mode on the Windows 8.1 operating system.
For example:
Drill is running on a server, but if someone knows my IP address, they can easily access my web console.
So is there any way to stop others from accessing my web console?
Use a firewall. You can also enable authentication and HTTPS for the Drill web console:
https://drill.apache.org/docs/configuring-user-authentication/
https://drill.apache.org/docs/configuring-web-console-and-rest-api-security/#https-support
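The "use a firewall" part of this answer on Windows, as an added example that is not part of the original answer. It assumes Drill's default web console port 8047 and limits the console to the local machine; the rule name is made up for the example.

```powershell
# Added example: run from an elevated prompt (NetSecurity/NetTCPIP modules, Windows 8 and later).
# 8047 is Drill's default web console port; change it if drill.exec.http.port is overridden.
$port     = 8047
$ruleName = 'Drill web console - block remote'   # rule name chosen for this example

# 1. Which addresses is the console listening on? 0.0.0.0 or :: means every interface.
Get-NetTCPConnection -LocalPort $port -State Listen -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, State

# 2. Create the inbound block rule once. A block rule takes precedence over any allow
#    rule, including one created for java.exe from the first-run firewall prompt.
#    Loopback traffic is not filtered, so http://localhost:8047 keeps working locally.
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
        -LocalPort $port -Action Block -Profile Any | Out-Null
}

# 3. Confirm the rule is enabled and covers the expected port.
Get-NetFirewallRule -DisplayName $ruleName |
    Select-Object DisplayName, Enabled, Direction, Action,
        @{ Name = 'LocalPort'; Expression = { ($_ | Get-NetFirewallPortFilter).LocalPort } }
```

If the console must be reachable from other machines, this rule is the wrong tool; use the authentication and HTTPS settings from the links above instead.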

IISExpress AppPool identity verification

I needed to run IISExpress under a specific identity. After going through this post, "how to run iisexpress app pool under a different identity", I changed the processModel's username and password attributes in my \Documents\IISExpress\config\applicationhost.config file.
I would like to verify the change in my web application. Is there a way to verify?
Ultimately, what I'm after is that my security works properly using the PrincipalPermission attribute. I believe the Name property on this attribute matches the user under which IISExpress and my application are running.
Thanks in advance for your help.
IISExpress runs with the current user's identity, and changing the ProcessModel username/password won't help. The only way to run with a particular identity is to launch iisexpress.exe with 'runas'.
I'm probably way too late to help, but have you tried changing your project to run with Local IIS instead of IIS Express?
Here's the way I do it (you could start in Visual Studio, but I find this more straightforward):
Launch IIS Manager with admin privilege (important that you have rights to muck with localhost)
Add a new Application Pool running with the Identity you need for your database (probably your windows account)
Create a new application on iis
point it to your project folder
assign it to the app pool you just created
In Visual Studio open your project's properties (select the project in solution explorer hit Alt-Enter or use context menu). In the Web Section, select Local IIS instead of IIS Express. No need to create virtual directory (you already did).
Now your app can open the database. As an added bonus, your project is always available to run. No need to start it from Visual Studio.

How to enable Windows Authentication for DNN

Sorry, my question might be a duplicate, but I didn't find any correct solution, so I'm posting this question again...
First I deployed a DNN website with SQL Server authentication. The site was working fine.
Later we reinstalled SQL Server 2008, so I'm trying to use Windows authentication to connect the site.
In the web config connection string: I have removed the username and password and set Integrated security="true".
In IIS: Site -> Authentication -> Windows Authentication -> enabled, and all others disabled.
Once I browse the site, it redirects to the DNN install wizard.
Need help.
In SQL Server did you configure the Windows account that the application pool (in IIS) is using to have DBOwner access to the database?
Also make sure to change BOTH connection strings in the database.
Depending on what version of IIS you are on, that account might differ. Older versions likely would use "Network Service", while newer versions might also use "Network Service" or an application pool specific account like "iis apppool\dnndev".
You'll also want to make sure that you aren't trying to assign a DOMAIN account to the database, unless of course that is what IIS is configured to use (as opposed to a local account).

User rights needed for IIS 7.5 application pool user (domain user, not the AppPoolIdentity)

We have an active directory domain (let's call it foodomain) and a domain user account (foodomain\fooAppPoolUser) used for the IIS application pool identity.
We want to run the app pool under this user account and not under Network Service or the new AppPoolIdentity as we have to access SQL server and have multiple applications on IIS (with own app pools) accessing different databases.
The problem is that I can't find a clear HOW-TO explaining, which user rights have to be set for this user account and how IIS has to be setup so that this will work.
First I got errors (unfortunately I can't remember which ones), then I added fooAppPoolUser to the local admin group (Administrators, I know, was only to test), then it worked. Now I removed the user again, restarted IIS and it still works.
So I'm confused a bit and would like to know, how the configuration/setup has to be to have it working.
Somewhere I read that the account needs to have the "Impersonate a client after authentication" user right. That's the reason I added the account to the Admin group (the user rights assignment is blocked via group policy, but this can for sure be changed if really needed).
I hope I was clear enough what the question is and hope somebody has an answer.
It's frustrating that this information is so hard to find, since some security admins seem to enjoy the cruel and unusual punishment of changing default policy settings to thwart installing apps within IIS.
Here's what I believe you should do to enable an account to work as an ApplicationPool identity:
Run aspnet_regiis -ga DOMAIN\USER to add permissions to access the IIS Metabase. (Exactly what that means, who knows?) aspnet_regiis reference
Add the user to the IIS_IUSRS group. This may be done automatically depending on the IIS configuration setting processmodel.manualGroupMembership but easiest to add it yourself.
If security policy is using windows defaults that's about it. If the security policy is locked down you may need to enable specific user rights for the account. The ones you have by default for ApplicationPoolIdentities (which seems a good place to start but not necessarily all required):
Access this computer from the network
Adjust memory quotas for a process
Allow log on locally
Bypass traverse checking
Generate security audit details
Impersonate a client after authentication - (Often not available by default on locked-down environments)
Log on as a batch job - (Often not available by default on locked-down environments)
Log on as a service - (I'm not sure this is needed)
Replace a process level token
If you're using windows auth and Kerberos (provider=Negotiate) then depending on the URL and if kernel-mode auth is on you might need to set up an SPN. I suggest switching to NTLM if possible. Otherwise, see articles below about SPNs and find a friendly domain admin to add them for you.
Fun reading:
Default permissions and user rights for IIS 7.0, 7.5, 8.0. This is the best reference, see the user rights at the bottom.
User Rights (on Windows Server 2008, but still interesting and helpful as it's a long article you can CTRL+F to find IIS-related comments)
User Rights Assignment on Server 2008 R2+. You have to drill into each right to see what it mentions about IIS.
How To: Create a Service Account for an ASP.NET 2.0 Application - pity there's no more recent version of this article.
SPN Checklist for Kerberos on IIS7/7.5
How to use SPNs - applies to IIS6 or to 7/8 if Kernel-mode authentication is turned off.
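A read-only check of the user rights listed in this answer, added here as an example (not part of the original answer). It assumes an elevated PowerShell prompt on the IIS server, defaults to the question's sample account name, and only recognises grants made directly to the account, IIS_IUSRS, Everyone or Authenticated Users.

```powershell
# Added example: read-only audit, run from an elevated prompt on the IIS server.
# $Account defaults to the sample name used in the question above.
param([string]$Account = 'foodomain\fooAppPoolUser')

# Rights from the list above, paired with the constants secedit writes.
$rights = @(
    @('SeNetworkLogonRight',           'Access this computer from the network'),
    @('SeIncreaseQuotaPrivilege',      'Adjust memory quotas for a process'),
    @('SeInteractiveLogonRight',       'Allow log on locally'),
    @('SeChangeNotifyPrivilege',       'Bypass traverse checking'),
    @('SeAuditPrivilege',              'Generate security audit details'),
    @('SeImpersonatePrivilege',        'Impersonate a client after authentication'),
    @('SeBatchLogonRight',             'Log on as a batch job'),
    @('SeServiceLogonRight',           'Log on as a service'),
    @('SeAssignPrimaryTokenPrivilege', 'Replace a process level token')
)

# Principals this check recognises: the account itself (by SID or name), IIS_IUSRS
# (S-1-5-32-568), Everyone (S-1-1-0) and Authenticated Users (S-1-5-11).
$nt  = New-Object System.Security.Principal.NTAccount($Account)
$sid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
$principals = @{ $sid = $Account; $Account = $Account; 'S-1-5-32-568' = 'IIS_IUSRS'
                 'S-1-1-0' = 'Everyone'; 'S-1-5-11' = 'Authenticated Users' }

# Export the current user rights assignment and parse "SeXxx = *SID,name,..." lines.
$inf = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$granted = @{}
foreach ($line in Get-Content $inf) {
    if ($line -cmatch '^(Se\w+)\s*=\s*(.*)$') {
        $granted[$Matches[1]] = @($Matches[2].Split(',') |
                                  ForEach-Object { $_.Trim().TrimStart('*') })
    }
}
Remove-Item $inf

# One row per right: granted (and through which principal) or MISSING.
foreach ($r in $rights) {
    $via = @($granted[$r[0]] | Where-Object { $_ -and $principals.ContainsKey($_) } |
             ForEach-Object { $principals[$_] })
    New-Object PSObject -Property @{
        Right = $r[1]; Constant = $r[0]
        Status = $(if ($via.Count) { 'granted' } else { 'MISSING' })
        GrantedVia = ($via -join ', ')
    } | Select-Object Right, Constant, Status, GrantedVia
}
```

A MISSING row only means none of the four recognised principals holds the right; the account may still receive it through another group, so check the holders in the Local Security Policy before changing anything.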
The reason why your application worked AFTER removing Administrator rights is that your application was compiled to the Framework temp folder using the administrator rights - Your application worked after removing the administrator rights because the application was compiled. If you update your application and it requires recompilation, the app pool account will need trusts again.
First I got errors (unfortunately I can't remember which ones), then
I added fooAppPoolUser to the local admin group (Administrators, I
know, was only to test), then it worked. Now I removed the user again,
restarted IIS and it still works.
I found the following link answered a similar question I had: http://www.iis.net/learn/manage/configuring-security/application-pool-identities
Basically, ApplicationPoolIdentity is a virtual user account that still behaves like NETWORK SERVICE, but without some of the down-sides; each app pool has its very own ApplicationPoolIdentity account created with it.
More detailed information can also be found that is also specific to IIS 7.5 Application Pool Identities.