I have a Trino cluster configured to use LDAP and I want to use Superset to connect to it.
The Trino cluster uses HTTPS with a self signed certificate
I managed to configure Superset to use LDAP, that's not the problem.
I also managed to query Trino by having the following configuration:
sqlalchemy URI: trino://myuser:mypassword#trino_server:8443,
security extra config: {"connect_args": {"verify": false}}
Now here's the problem: Under the security tab there's a checkbox that says "Impersonate logged in user (Presto, Trino, Hive and GSheets)"
. I checked the box, and still the queries I execute run with the user "myuser" which is configured in the sqlalchemy URI, instead of the logged in user.
I'm using Superset version 1.3.2
Does anybody know how to solve this?
There are two components to get user impersonation working with Trino and Superset:
A version of Superset that supports user impersonation with Trino.
This was added officially in 1.3.0, and since you're on 1.3.2 that shouldn't be a problem.
A Trino client that supports user impersonation.
AFAIK the only Python client that currently works with Superset to connect to Trino is sqlalchemy-trino. I couldn't find any specific changes made for user impersonation until 0.4.0, but I have gotten this working with the older 0.3.0 version.
There may be some other possibilities that could prevent user impersonation from working, but less likely:
Make sure that all containers have a working version of sqlalchemy-trino installed. This depends on how you add Python requirements, but I believe I've seen cases where Superset containers don't have the same dependencies, i.e. the superset_app container has the correct module, but not the superset_worker container.
Make sure that the HTTP headers in the requests going to Trino are not being modified. User impersonation works by authenticating with basic authentication but impersonating the user added in a HTTP header called 'X-Trino-User'. If the HTTP header is removed or changed, then the user impersonation won't work as expected.
just wanted to let you know that I managed to solve this issue.
The problem was that I put this configuration - {"connect_args": {"verify": false}} in the "SECURE EXTRA" section under the "Security" tab, instead of in the "ENGINE PARAMETERS" section under the "Other" tab.
Related
I am running a Java app with DataStax Java driver version 3.3.0 and I am trying to change Cassandra user and password at runtime. According to this issue by calling setUser and setPassword in this object it should reuse it for future calls to the DB, so I did in my code something like
PlainTextAuthProvider authProvider = (PlainTextAuthProvider) cluster.getConfiguration().getProtocolOptions().getAuthProvider();
authProvider.setUsername(user);
authProvider.setPassword(pwd);
But even after this change I find that it still use the user/pass I set on startup.
This docu indicates that in versions > 4.x you can force a config reload at runtime.
So my question is, Is there a way to force all new calls to Cassandra start using the new User and Pass provided via PlainTextAuthProvider in version 3.x ?
Extra: I am doing this to try to rotate Vault passwords when they expire and update the driver accordingly. Something like what is described in this post for relational DB accessed by Spring Boot but on Cassandra
The question was also asked on https://community.datastax.com/questions/11846/ and I'm reposting my response here:
I'm not familiar with this API but I think the credentials are used just for new connections initiated after the credentials are set. I suspect it doesn't apply to existing connections which continue to use the old credentials.
I'm going to reach out to the Driver devs here at DataStax and will either get them to respond directly or I will update my answer. Cheers!
I am trying to record an internal website for which i need to enter credentials that is not same as the windows credential. Later on the same test needs to be run for more than one user. i know how to use the csv file to pass the parameters - username and password.
For Windows Authentication i have added Authorization manager.
From Fiddler i checked it was NTLM authentication(though i am not sure yet) and i did enter the values for NTLM authentication in Authorization Manager.
Now when i try and record the internal website - i cannot even go to homepage after the windows credentials, it keeps on spinning.
When i check the Authorization Manager, i find an extra line added for kerberos Authentication as shown in Picture:
My query here is:
1)why is it recording it as kerberos
2)where is it saving the username and password
3)why is it not loading the website- always keeps spinning and i have to stop it
4)I have tried Kerberos settings and then record, but its not working either , could it be i am using the wrong values in the kerb5.conf file , how do i debug.
Kind of stuck at the moment.
Thanks for help!
If you're uncertain what authentication is being used under the hood - just ask around, application developers or network administrators should be aware of the external authentication scheme. You can also try using a 3rd-party tool like Kerberos Authentication Tester
I don't think you can record and replay Windows authentication so it makes sense to start recording some time after the login screen as long as you can login using JMeter
Looking into JMeter source
// if HEADER_AUTHORIZATION contains "Basic"
// then set Mechanism.BASIC_DIGEST, otherwise Mechanism.KERBEROS
In case of Kerberos credentials are saved directly in the HTTP Authorization Manager in form of ${AUTH_LOGIN} and ${AUTH_PASSWORD}, real credentials are not stored anywhere
Most probably your application doesn't receive valid authentication context therefore it cannot proceed
Add sun.security.krb5.debug=true line to system.properties file (lives in "bin" folder of your JMeter installation), JMeter restart will be required to pick the property up.
More information:
Windows Authentication with Apache JMeter
JAAS and Java GSS-API Tutorials
I have an Elasticsearch installation (V7.3.2). Is it possible to secure this retrospectively? This link states that a password can only be set "during the initial configuration of the Elasticsearch". Basically, I require consumers of the restful API to provide a password (?) going forward.
The elastic bootstrap password is used to init the internal/reserved users used by the components or features of the elastic stack (kibana, logstash, beats, monitoring, ...).
If you want to secure the API, you need to create users/roles for your scenario on top.
Please use TLS in your cluster when handling with passwords and don't expose the cluster directly for security reasons.
Here are all informations regarding a secure cluster including some tutorials: https://www.elastic.co/guide/en/elasticsearch/reference/7.3/secure-cluster.html
EDIT: Added links as requested. Feel free to raise a new question here at SO if you're facing serious problems!
Here you can find a complete guide to install and secure ElasticSearch.
Basically the bootstrap password is used initially to setup the built-in ElasticSearch users (like "elastic", "kibana"). Once this is done, you won't be able access ElasticSearch anonymously but only with one of the built in users, e.g. "elastic".
Then you can use "elastic" user to create additional users (with their own password) and roles (e.g. to asses specific indexes only in read-only mode).
As #ibexit wrote it's highly recommended to secure your cluster and don't expose it directly (use a proxy server, secured with SSL).
I configured my Jenkins server to only use HTTPS and enabled security.
As well I don't like anybody who's not logged on to see the Dashboard (even if it would be empty). Here for I disabled the 'read' access for 'anonymous'.
So far all this works exactly to my likings :)
But wanting to add some build notification functionality to remote clients by e.g. using something like 'CCtray' I run into trouble. The access to the https://<SERVER>/cc.xml now only works for logged in users.
Where I would have liked to be able to get those notifications for 'anonymous'.
Probably combining these wishes is kind of contradictory - I suppose?
Maybe someone has a better idea which could match my likings?
Possibly any other notification tool which can be used???
For the Mercurial hook triggering the sw-builds I can use a construction like
curl --cacert <CERTIFICATE> https://<USER>:<PASSWORD>#<SERVER>/job/MyPROJECT/build?delay=0sec
But a similar approach for the URL in CCtray doesn't seem to work.
I've just started using the cctray Jenkins transport extension. Early days, but it seems to work as advertised and is connecting to our secure server perfectly happily.
Currently, the only significant limitation seems to be that if your password expires there's no way to re-enter your credentials.
For Jenkins servers without anonymous access, you can use Catlight build notification tool. You can provide access token or username/password to authenticate to your server.
I you have a self-signed ssl certificate, make sure that you add it to trusted by OS. That way, most applications will recognize it and connect to server without warnings.
Adding to #MrBlueSky 's answer, you can avoid the password expiration hassle; simply use a Jenkins-issued API Token instead of your password.
Log into Jenkins
Click your username (in the upper right corner)
Click Configure (in the left navbar)
Click Show API Token
Use this token in place of your password when setting up the Jenkins Transport settings
I've just compiled QTweetLib on my linux host. I've compiled and run pinauthstatusupdate example without any changes. But when I try to get request_token I've get:
Failed to validate oauth signature and token
I synced time on my host:
using sudo ntpdate pool.ntp.org
But no changes...
The I changed consumer keys with keys which Twitter creates for my application. But I got same problem.
I checked the base string using http://quonos.nl/oauthTester/ and it says my base string is OK.
Here is raw header which QTweetLib creates:
OAuth
oauth_consumer_key="YImPrR11sLxv0ZjjKAskA",oauth_signature_method="HMAC-SHA1",oauth_signature="WQnBaTgyuU6HkPT7DqTkNK1MT5c%3D",oauth_timestamp="1325542113",oauth_nonce="J5oUsjoOE34e1iTE",oauth_version="1.0"
So what's the problem?
According to QTweetLib's readme it supports only xAuth. Is your Twitter application xAuth enabled? If not you need to request it to be enabled for your application by sending email to api#twitter.com and stating some valid reasons why you can't just use OAuth.
Have you looked at KQOAuth (http://www.d-pointer.com/solutions/kqoauth/)? It supports 'normal' OAuth by utilizing the web browser of the environment and a temporary local web server. I think I read somewhere that it might get integrated to Qt5 in some form and thus it would probably be a safer bet than QTweetLib.