How to enable password based authentication for AWS Opensearch Domain? - python-3.x

I have elastic-search domain placed inside a VPC. I am able to connect to the domain from VPC with no issues. But for more security, I want authentication to be username:password based. I am using using elasticsearch-dsl to make the connection. Any idea how to setup a username and password based connection to the domain?
I tried updating the domain config, in order to set MasterUser and MasterPassword(Not sure if the right process).
aws es update-elasticsearch-domain-config --domain-name test-domain --advanced-security-options Enabled=true,InternalUserDatabaseEnabled=true
I get this error:
An error occurred (BaseException) when calling the UpdateElasticsearchDomainConfig operation: You don't have permissions to enable Advanced Security options.
Is this the right thing to do? If not, How can we enable password based authentication?

An error occurred (BaseException) when calling the UpdateElasticsearchDomainConfig operation: You don't have permissions to enable Advanced Security options.
The above error you are getting indicates you don't have the permissions to update the advanced security configuration.
You need to use the master user credentials when calling the update api.
Refer to the documentation here to get more info on master user:
https://docs.aws.amazon.com/opensearch-service/latest/developerguide/fgac.html

Related

Do I need to disable 'authorization' to create new users for MongoDB?

I currently got a database that is actively being used on a droplet on Digital Ocean. I have authorization enabled on this mongo droplet.
I would like to create a new user for a new database, however I am getting authorization errors. In this blog on digital ocean it basically says that you are able to create new administrative users when authorization is disabled.
Is is 'safe' to simply disable authorization for a few seconds (even when the database is actively being used), create a new user for a new database en re-enable the authorization and restarting the daemon. Also, is this the 'correct' way?
Is is 'safe' to simply disable authorization for a few seconds
No, in the same way that it isn't safe to leave the house door open while you run to the store.
Connect as an administrative user and create additional users as needed.
When authorization is enabled and no user is created then you can connect without username/password, this is called Localhost Exception
However, once the first admin user is created, you cannot connect anymore without valid credentials.
So, when you get an authorization error then an admin user was created already and you have to use this one.

LDAP auth in presto

I was trying to setup LDAP auth in Presto and was able to configure "user-based" authentication but have some issue with configuring "group-based" auth.
I'm always receiving message that my user is not in LDAP group while ldapsearch utility shows that I'm in.
I did not found any parameter/option in config.properties to use to pass user/password for LDAP search (I suppose that functionality used to find in user is in AD group) while in our infrastructure anonymous searches are restricted. So it might be the case.
It would be nice if someone will tell me:
are there any parameter (maybe undocumented) to provide user/password
to query ldap?
any workaround to implement "group-based" search?
thanks

Is there any way to use IAM as a authentication "method" for PAM?

Specifically, running a chain of postfix, dovecot and nginx to provide a "nice" mail service to (not so many) users. All services share Pluggable authentication module (PAM) as a possible authentication method. Currently, the system's "passwd" database is being used to auth again via PAM.
AWS Identity and Access Management (IAM) is a hard requirement. Therefore, any other service (like duosecurity) is not an option. Before I start to code a PAM module, I'm asking for your experience - how would you do it? Thanks!
This might not be what you are looking for, but certainly qualifies as a way to use IAM as a authentication “method” for PAM:
Denis Mikhalkin's (denismo) aws-iam-ldap-bridge periodically populates the LDAP directory location with the users, groups and roles from AWS IAM, which will in turn allow to use libpam-ldap or libpam-ldapd and thereby implicitly authentication of the Linux users against AWS IAM using their AWS IAM Secret Keys as passwords.
Please note the following rather significant caveats:
At the moment, the plugin requires a custom version of ApacheDS so manual configuration is unlikely - see Configuring an existing ApacheDS LDAP server
The default configuration is INSECURE however you are free to alter it to your requirements - see Security notes
Personal Assessment
While a native IAM PAM integration would be great (and also enable advanced use cases like AWS Multi-Factor Authentication (MFA)), I like the pragmatic approach to just facilitate the widely used LDAP integration instead - still I would definitely prefer a solution that ideally works with any compliant LDAP server, or at least with a stock ApacheDS distribution, in order to ease installation, maintainability and security assessments.

IRCD configuration: authentication using a database table

I set up an RCS server (hybrid ircd). I would like to secure it with authentication. But my user credentials are stored in a database table.
1- I cannot find anywhere documentation on how to configure the "auth" section of httpd.conf.
2- From what I understand I could use an authentication service (identd) but I don't understand how this works, how to set it up, and how to configure this to use a database table for credentials.
Please give me a hand with this.
By using InspIRCd instead, I can use this SQL authentication module:
http://wiki.inspircd.org/Modules/1.2/sqlauth
Problem solved!

configuring kerberose-sso-negotiate in multiple domains

I have mycorp.com, ch1.mycorp.com, mycorp2.com domains (it is all windows)
I am configuring sso-kerberose-negotiate authentication
My server running in mainaaa3.mycorp2.com, I have created spn "http:/mainaaa3.mycorp2.com" for it, and I have set trusts between domains,
but if users from mycorp.com, ch1.mycorp.com domains that browser do not send negotiate-ticket, and then I have created spn in each domains for "http:/mainaaa3.mycorp2.com", and now I have error:
Mechanism level: Integrity check on decrypted field failed (31)
what am I doing wrong?
The SPN shouldn't have a semi colon in it, you should have "http/mainaaa3.mycorp2.com". That may not be your only problem, however.
You should ask this question on Server Fault instead, as it is not directly related to programming.

Resources