I have a Security requirement to fetch all Admin Usernames from all HDInsight Clusters in our environment.
I am able to get the Cluster Admin Username using this Rest Api.
However, if the Cluster is configured with SSH username along with Cluster Admin, how t identify and fetch the user name.
Related
I have an AWS RDS Instance that has IAM DB authentication enabled, where people can connect to the database via IAM roles as per the instructions at https://aws.amazon.com/premiumsupport/knowledge-center/rds-postgresql-connect-using-iam/. However, I want users to be able to connect to the RDS instance only via IAM roles, and not via the master username/password that was previously used? Is there a way to disable the master username/password, or enforce that people can only access the database via IAM roles?
Scenario: We have an Azure cloud environment that contains three (Prod,Test,Dev) PaaS database servers (PostgreSQL Flexible Servers). Each server exists in its own VNet. The SQL data tables found in each server contain sensitive information. Let's say we require an external user (eg. a contractor, consultant) to access the data tables in a secure way, with MFA enabled. What would be a secure & simple way of enabling this?
Some options I can think of:
Share database server credentials with external user (high risk of credentials being misplaced. No MFA option?):
Whitelist user IP address against Azure firewalls
Send PaaS server credentials to external user via email or SMS.
They connect using an SQL client on their machine.
External user to use VM via Bastion:
Add external user to Azure AD
Turn on MFA for user in AD
Create VM in Azure, with SQL client software installed (ie. pgAdmin for PostgreSQL)
Configure access to the 3 PaaS servers (Prod, test, dev) from the VM
Set up Bastion server with access to VM
Enable user to access VM via Bastion server
Second option incurrs extaa costs for the VM and Bastion of course. Are there any other methods I should consider?
I am converting a service to run on a Linux Container. Currently, the service runs in IIS in a Windows VM.
It runs as a Lan User that has permissions to the database. Thus the connection string uses Integrated Security.
But Containers cannot join a domain. So, as I understand it, that option is out.
I researched this for Windows Containers and found that it supports running as a Group Managed Service Account (gMSA) on the container host, and that calls made as "Network Service" are swapped to the gMSA. (Allowing use of a domain user via the container host.)
But I cannot seem to find a similar feature for Linux containers.
Do all processes run in Linux containers just put usernames and passwords in to their database connection strings?
Or is there a better way to convey identity in a Linux Container?
To give a few more details on my particular setup:
Running a Linux container
Running .NET Core 2.2
Running in Kubernetes (eventually)
Database is Microsoft SQL Server Running on Windows
Would help to know a bit more of your setup, but with the information at hand there are 3 options as I could see.
Option 1:
Manage the credentials with for docker secrets as per
https://docs.docker.com/engine/swarm/secrets/
docker container exec <CONTAINER_ID> \
bash -c 'mysqladmin --user=wordpress --password="$(< /run/secrets/old_mysql_password)" password "$(< /run/secrets/mysql_password)"'
Option 2:
Depending on what kind of DB you're using you could add the password to the configuration, for example in my.conf for mysql.
[client]
password = 123
Option 3:
Depending on your network stack, you could set the permissions in the database instead. Allowing the IP access to the database. But I would however recommend one of the other options.
So since it is a linux environment and I believe you want to use windows authentication you can use similar Ad authentication.
Check here
his tutorial explains how to configure SQL Server on Linux to support Active Directory (AD) authentication, also known as integrated authentication. For an overview, see Active Directory authentication for SQL Server on Linux.
This tutorial consists of the following tasks:
Join SQL Server host to AD domain
Create AD user for SQL Server and set SPN
Configure SQL Server service keytab
Secure the keytab file
Configure SQL Server to use the keytab file for Kerberos authentication
Create AD-based logins in Transact-SQL
Connect to SQL Server using AD Authentication
update I don't think windows domain integrated authentication can be used.I don't think there can be any integrated authentication then. try dsn so that your code does not have username password. https://www.easysoft.com/products/data_access/odbc-sql-server-driver/getting-started.html
When using a single arangodb instance, I've used the root user and a password to authenticate my pyArango connection in my application.
I tried to do the same thing with my cluster, but i couldn't.
Is there a better way?
Getting firewall errors, don't know y because all ports were open and m able to connect it from other clients as well. Even not able to ping my linux cluster from other machine.
Screenshot shows
... Login failed for user ''
Did you specify the credentails (Arguments: --username and --password)