Is there an oc command (or other method) to list all service accounts that have been granted the privileged scc?
If I suspect oc adm policy add-scc-to-user privileged -z SA_NAME has been run against a number of service accounts, how can I check? I know the call to undo this using oc adm policy remove-scc-from-user ..., but haven't found a command to list which accounts have been given an scc.
Seems I eventually stumbled on the answer to my own question.
Inspecting an scc shows the list of users that have the scc.
oc edit scc privileged
...
kind: SecurityContextConstraints
metadata:
  ...
  name: privileged
...
users:
- system:admin
- system:serviceaccount:SA_NAME1
- system:serviceaccount:SA_NAME2
- ...
When adding privileged to an account (user or sa), it appears the opposite is really what happens: the user/sa is added to the scc.
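An added example (not from the original question or answer) that turns the inspection above into an audit: it reads the JSON form of `oc get scc -o json`, lists the service accounts named in a given SCC, and inverts the data so you can ask which SCCs one service account can use. It also folds in the group entries that grant an SCC to every service account in a namespace (`system:serviceaccounts:<namespace>`) or to everyone (`system:authenticated`), which a glance at `users:` alone misses. The cluster data embedded below is constructed.

```python
import json
from collections import defaultdict

# Constructed sample in the shape of `oc get scc -o json` (not real cluster data).
SAMPLE_SCC_JSON = json.dumps({
    "items": [
        {"metadata": {"name": "privileged"},
         "users": ["system:admin",
                   "system:serviceaccount:openshift-infra:build-controller",
                   "system:serviceaccount:myapp:deployer"],
         "groups": ["system:cluster-admins", "system:nodes"]},
        {"metadata": {"name": "anyuid"},
         "users": [],
         "groups": ["system:cluster-admins", "system:serviceaccounts:legacy"]},
        {"metadata": {"name": "restricted"},
         "users": [],
         "groups": ["system:authenticated"]},
    ]
})

SA_PREFIX = "system:serviceaccount:"           # one service account: ns:name
SA_NS_GROUP_PREFIX = "system:serviceaccounts:"  # every service account in a namespace


def parse_scc_grants(scc_json):
    """Return {scc_name: {"users": [...], "groups": [...]}} from `oc get scc -o json`."""
    grants = {}
    for item in json.loads(scc_json).get("items", []):
        grants[item["metadata"]["name"]] = {
            "users": list(item.get("users") or []),    # field is absent when empty
            "groups": list(item.get("groups") or []),
        }
    return grants


def service_accounts_with_scc(grants, scc_name):
    """Service accounts named directly in the users: list of one SCC."""
    users = grants.get(scc_name, {}).get("users", [])
    return sorted(u for u in users if u.startswith(SA_PREFIX))


def sccs_for_service_account(grants, namespace, name):
    """Every SCC one service account can use, with the reason for each grant."""
    direct = f"{SA_PREFIX}{namespace}:{name}"
    ns_group = f"{SA_NS_GROUP_PREFIX}{namespace}"
    result = {}
    for scc, g in grants.items():
        reasons = []
        if direct in g["users"]:
            reasons.append("user entry")
        for group in (ns_group, "system:serviceaccounts", "system:authenticated"):
            if group in g["groups"]:
                reasons.append(f"group {group}")
        if reasons:
            result[scc] = reasons
    return result


def all_service_accounts_by_scc(grants):
    """Invert the data: {(namespace, sa): {scc: [reasons]}} for every service
    account that appears by name in any SCC, with namespace-wide grants folded in."""
    seen = defaultdict(dict)
    for g in grants.values():
        for u in g["users"]:
            if u.startswith(SA_PREFIX):
                ns, _, sa = u[len(SA_PREFIX):].partition(":")
                seen[(ns, sa)] = sccs_for_service_account(grants, ns, sa)
    return dict(seen)


if __name__ == "__main__":
    grants = parse_scc_grants(SAMPLE_SCC_JSON)
    print("privileged:", service_accounts_with_scc(grants, "privileged"))
    for (ns, sa), sccs in all_service_accounts_by_scc(grants).items():
        print(f"{ns}/{sa}: {sccs}")
```

To run it against a real cluster, replace SAMPLE_SCC_JSON with the output of `oc get scc -o json`. One caveat: OpenShift 4 also lets an SCC be granted through RBAC (a Role or ClusterRole with the `use` verb on `securitycontextconstraints` in the `security.openshift.io` API group), and such grants never show up in the `users:` or `groups:` lists, so pair this with `oc adm policy who-can use scc privileged` for a complete picture.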
Is there a way to disable impersonation in Kubernetes for all admin/non Admin users?
kubectl get pod --as user1
The above command should not provide an answer, due to security concerns.
Thank you in advance.
Unless all your users are already admins they should not be able to impersonate users. As cluster-admin you can do "anything" and pre-installed roles/rb should not be edited under normal circumstances.
The necessary Role to enable impersonation is:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: impersonator
rules:
- apiGroups: [""]
  resources: ["users", "groups", "serviceaccounts"]
  verbs: ["impersonate"]
As long as normal users don't have those permissions, they should not be allowed to perform --as.
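An added example (not part of the answer) for checking the answer's claim on your own cluster: it scans ClusterRoles for any rule that grants `impersonate` on users, groups or serviceaccounts, honouring the `*` wildcards that make cluster-admin an impersonator too, and then walks the ClusterRoleBindings to list which subjects hold such a role. It covers cluster-scoped bindings only. The role and binding documents below are constructed in the shape of `kubectl get clusterroles -o json` and `kubectl get clusterrolebindings -o json`.

```python
import json

# Constructed sample documents (not real cluster data).
SAMPLE_ROLES = json.dumps({"items": [
    {"metadata": {"name": "cluster-admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]},
               {"nonResourceURLs": ["*"], "verbs": ["*"]}]},
    {"metadata": {"name": "impersonator"},
     "rules": [{"apiGroups": [""],
                "resources": ["users", "groups", "serviceaccounts"],
                "verbs": ["impersonate"]}]},
    {"metadata": {"name": "view"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}]},
]})
SAMPLE_BINDINGS = json.dumps({"items": [
    {"metadata": {"name": "cluster-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "system:masters"}]},
    {"metadata": {"name": "helpdesk-impersonate"},
     "roleRef": {"kind": "ClusterRole", "name": "impersonator"},
     "subjects": [{"kind": "User", "name": "alice"},
                  {"kind": "ServiceAccount", "name": "ci", "namespace": "tools"}]},
    {"metadata": {"name": "everyone-view"},
     "roleRef": {"kind": "ClusterRole", "name": "view"},
     "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
]})

# The core-group resources the impersonate verb applies to.
IMPERSONATION_RESOURCES = ("users", "groups", "serviceaccounts")


def rule_grants(rule, verb, resource):
    """True if one RBAC rule grants `verb` on a core-group `resource`.
    A '*' in verbs, apiGroups or resources matches everything, which is why
    cluster-admin can impersonate without naming the verb."""
    verbs = rule.get("verbs", [])
    groups = rule.get("apiGroups", [])      # absent on nonResourceURLs rules
    resources = rule.get("resources", [])
    if not ("*" in verbs or verb in verbs):
        return False
    if not ("*" in groups or "" in groups):
        return False
    return "*" in resources or resource in resources


def roles_granting_impersonate(roles_json):
    """{clusterrole_name: [resources it can impersonate]}."""
    found = {}
    for role in json.loads(roles_json)["items"]:
        hits = sorted({r for rule in role.get("rules", [])
                       for r in IMPERSONATION_RESOURCES
                       if rule_grants(rule, "impersonate", r)})
        if hits:
            found[role["metadata"]["name"]] = hits
    return found


def subjects_with_impersonate(roles_json, bindings_json):
    """Every subject bound (cluster-wide) to a role that can impersonate."""
    roles = roles_granting_impersonate(roles_json)
    out = []
    for b in json.loads(bindings_json)["items"]:
        ref = b["roleRef"]
        if ref["kind"] != "ClusterRole" or ref["name"] not in roles:
            continue
        for s in b.get("subjects", []):
            ident = s["name"]
            if s["kind"] == "ServiceAccount":
                ident = f"{s['namespace']}/{s['name']}"
            out.append({"subject": f"{s['kind']} {ident}",
                        "via": b["metadata"]["name"],
                        "role": ref["name"],
                        "resources": roles[ref["name"]]})
    return out


if __name__ == "__main__":
    for hit in subjects_with_impersonate(SAMPLE_ROLES, SAMPLE_BINDINGS):
        print(hit)
```

In the sample, `system:masters` shows up through cluster-admin's wildcard rule and `alice` and `tools/ci` through the explicit impersonator role, while `system:authenticated` is correctly left out. A per-user spot check is `kubectl auth can-i impersonate users --as <name>`.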
I am trying to configure my Airflow (version 2.10) LDAP authentication with RBAC.
UI access is restricted by the AD groups (multiple groups for Python Developer, ML Developer, etc.)
Members belonging to a particular group only should be able to view the DAGs created by fellow group members while the other group members shouldn't be.
I am able to provide access to users via AD groups, but all the users are able to see all the DAGs created. I want to restrict this access based on the defined set of owners (this can be achieved by switching off LDAP and creating users directly in Airflow, but I want it with AD groups).
I added filter_by_owner=True in the airflow.cfg file; nothing seems to be affected.
Any thoughts on this.
EDIT1:
From FAB,
we can configure roles & then map it to AD groups as below:
FAB_ROLES = {
    "ReadOnly_Altered": [
        [".*", "can_list"],
        [".*", "can_show"],
        [".*", "menu_access"],
        [".*", "can_get"],
        [".*", "can_info"]
    ]
}
FAB_ROLES_MAPPING = {
    1: "ReadOnly_Altered"
}
And to use this, I assume we need to have the endpoints created from the application end, similar to can_list, can_show.
In the case of Airflow, I am unable to find the endpoints that provide access based on owner (or based on tags). I believe if we have them, I can map them to roles and then to AD groups accordingly.
With newer versions of Airflow you can map LDAP groups to Airflow groups.
Owner is an old and currently defunct feature which is deprecated.
You can see some examples about FAB configuration (Flask Application Builder implements all authentication features):
https://flask-appbuilder.readthedocs.io/en/latest/security.html
See the part which starts with:
You can give FlaskAppBuilder roles based on LDAP roles (note, this requires AUTH_LDAP_SEARCH to be set):
From the docs:
# a mapping from LDAP DN to a list of FAB roles
AUTH_ROLES_MAPPING = {
    "cn=fab_users,ou=groups,dc=example,dc=com": ["User"],
    "cn=fab_admins,ou=groups,dc=example,dc=com": ["Admin"],
}
# the LDAP user attribute which has their role DNs
AUTH_LDAP_GROUP_FIELD = "memberOf"
# if we should replace ALL the user's roles each login, or only on registration
AUTH_ROLES_SYNC_AT_LOGIN = True
# force users to re-auth after 30min of inactivity (to keep roles in sync)
PERMANENT_SESSION_LIFETIME = 1800
See here about roles (including custom roles) https://airflow.apache.org/docs/apache-airflow/stable/security/access-control.html
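An added example, not from the answer and not Airflow's or FAB's own code, that models the two pieces which together give the per-group DAG visibility the question asks for: the AUTH_ROLES_MAPPING lookup FAB performs at login (the registration role is always added on top of the mapped roles when user registration is on, so it should be a minimal role such as Public), and the DAG-level `access_control` mapping Airflow accepts on a DAG object so that only the owning group's role gets can_read/can_edit on that DAG. The group DNs, role names and DAG ids are constructed.

```python
# Constructed: in a real deployment these two settings live in webserver_config.py
# alongside AUTH_TYPE = AUTH_LDAP, AUTH_LDAP_SEARCH and AUTH_LDAP_GROUP_FIELD = "memberOf".
AUTH_ROLES_MAPPING = {
    "cn=airflow-python-dev,ou=groups,dc=example,dc=com": ["Python_Developer"],
    "cn=airflow-ml-dev,ou=groups,dc=example,dc=com": ["ML_Developer"],
    "cn=airflow-admins,ou=groups,dc=example,dc=com": ["Admin"],
}
# Added to every registered user in addition to the mapped roles; keep it minimal.
AUTH_USER_REGISTRATION_ROLE = "Public"

# Constructed DAG inventory: which custom role owns which DAG.
DAG_OWNERS = {
    "etl_orders": "Python_Developer",
    "train_model": "ML_Developer",
}


def resolve_roles(member_of, mapping=AUTH_ROLES_MAPPING,
                  registration_role=AUTH_USER_REGISTRATION_ROLE):
    """Mirror FAB's AUTH_ROLES_MAPPING lookup: the user's memberOf DNs are
    matched exactly against the mapping keys, and the registration role is
    appended regardless of whether any group matched."""
    roles = []
    for dn in member_of:
        for role in mapping.get(dn, []):
            if role not in roles:
                roles.append(role)
    if registration_role and registration_role not in roles:
        roles.append(registration_role)
    return roles


def dag_access_control(owner_role, can_edit=True):
    """Build the dict passed as DAG(..., access_control=...): only the owning
    role is named, so every other non-Admin role has no permission on the DAG."""
    perms = {"can_read", "can_edit"} if can_edit else {"can_read"}
    return {owner_role: perms}


def visible_dags(member_of, dag_owners=DAG_OWNERS):
    """DAG ids a user would see given their LDAP groups; Admin sees everything."""
    roles = set(resolve_roles(member_of))
    if "Admin" in roles:
        return sorted(dag_owners)
    return sorted(dag_id for dag_id, owner in dag_owners.items() if owner in roles)


if __name__ == "__main__":
    ml_dev = ["cn=airflow-ml-dev,ou=groups,dc=example,dc=com"]
    print(resolve_roles(ml_dev), visible_dags(ml_dev))
    for dag_id, owner in DAG_OWNERS.items():
        print(dag_id, dag_access_control(owner))
```

In a DAG file the owning role's permissions are declared as `DAG("train_model", access_control=dag_access_control("ML_Developer"), ...)`; the custom roles themselves (Python_Developer, ML_Developer) must exist in Airflow before the mapping can assign them, and a user whose groups match nothing ends up with only Public.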
I'm writing a cloud function in Nodejs (10), and trying to access a secret like so:
const [secret] = await new SecretManagerServiceClient().accessSecretVersion({
  name: `projects/PROJECT_NUMBER/secrets/SECRET_NAME/versions/latest`
})
I created the secret in the web console and the name used in code matches that of the existing secret. On the page for the cloud function details, it states that the service account is PROJECT_ID@appspot.gserviceaccount.com, so I added the secretmanager.secretAccessor role to it. However, I'm still getting the same error every time:
Error: 7 PERMISSION_DENIED: Permission 'secretmanager.versions.access' denied for resource 'projects/PROJECT_NUMBER/secrets/SECRET_NAME/versions/latest' (or it may not exist).
It makes no difference if I specify a concrete version or just use latest.
HTTP cloud function code:
const { SecretManagerServiceClient } = require('@google-cloud/secret-manager');
const secretManagerServiceClient = new SecretManagerServiceClient();
const name = 'projects/shadowsocks-218808/secrets/workflow/versions/latest';
exports.testSecretManager = async (req, res) => {
  const [version] = await secretManagerServiceClient.accessSecretVersion({ name });
  const payload = version.payload.data.toString();
  console.debug(`Payload: ${payload}`);
  res.sendStatus(200);
};
Deploy:
gcloud functions deploy testSecretManager --runtime nodejs10 --trigger-http --allow-unauthenticated
Deploying function (may take a while - up to 2 minutes)...done.
availableMemoryMb: 256
entryPoint: testSecretManager
httpsTrigger:
  url: https://us-central1-shadowsocks-218808.cloudfunctions.net/testSecretManager
ingressSettings: ALLOW_ALL
labels:
  deployment-tool: cli-gcloud
name: projects/shadowsocks-218808/locations/us-central1/functions/testSecretManager
runtime: nodejs10
serviceAccountEmail: shadowsocks-218808@appspot.gserviceaccount.com
sourceUploadUrl: https://storage.googleapis.com/gcf-upload-us-central1-43476143-b555-4cb2-8f6f-1b2d1952a2d7/42c4cda4-98a8-4994-a3be-d2203b9e646a.zip?GoogleAccessId=service-16536262744@gcf-admin-robot.iam.gserviceaccount.com&Expires=1596513795&Signature=kbLw5teN8EoYmj4fEweKKiIaakxcrhlUg2GGHV4jWJjvmeEfXePpRNOn9yz2zLn%2Fba0UqM9qdJMXujs5afBk%2BVBmywPEiptAZe2qgmldpr%2BsYejFu0woNgsPHVqtJ0NoWDo6W2dq4CuNNwO%2BaQ89mnhahUUQTInkJ55Y3wCIe9smk%2BqWtcvta3zICiToA7RQvPKY5MS6NViyj5mLxuJtDlTY9IKPL%2BqG6JAaQJSFYKYVgLyb6JfirXk8Q7%2FMvnHPpXPlhvsBLQksbF6jDPeefp2HyW4%2FSIQYprfpwKV3hlEIQyRQllz5J9yF83%2FxDPh%2BQPc5QmswKP5XAvYaszJPEw%3D%3D
status: ACTIVE
timeout: 60s
updateTime: '2020-08-04T03:34:32.665Z'
versionId: '2'
Test:
gcloud functions call testSecretManager --data '{}'
Got the same error as you:
error: |-
  Error: function terminated. Recommended action: inspect logs for termination reason. Details:
  7 PERMISSION_DENIED: Permission 'secretmanager.versions.access' denied for resource 'projects/shadowsocks-218808/secrets/workflow/versions/latest' (or it may not exist).
solution:
You can find the serviceAccountEmail (shadowsocks-218808@appspot.gserviceaccount.com) in the deployment information details of the cloud function.
Go to the IAM & Admin web UI, click the ADD ANOTHER ROLE button, and add the Secret Manager Secret Accessor role to this service account.
Test again:
> gcloud functions call testSecretManager --data '{}'
executionId: 1tsatxl6fndw
result: OK
Read the logs for testSecretManager cloud function:
gcloud functions logs read testSecretManager
You will see the logs for the secret payload string.
I had the same issue and to solve it, I just had to:
Find the Service Account under General of my Google Cloud Function.
It looked like <project-name>@appspot.gserviceaccount.com
In IAM Admin, Add Secret Manager Secret Accessor Role to this Service Account.
After this, everything worked!
I have had similar issues working with secretmanager and the python google-cloud-secretmanager library (2.4). Specifically, after creating a secret and giving my service account the secretmanager.secretAccessor role on this secret (and nothing else, following the principle of least privilege), I was getting the following error when trying to access it:
details = "Permission 'secretmanager.versions.access' denied for resource 'projects/projectid/secrets/keyname/versions/latest' (or it may not exist)."
I could only make it work by also adding the secretmanager.viewer role at the project level, which as far as I can tell is not described in the documentation.
I had a similar problem using Terraform under GitLab.
I had to add two authorizations to the service account which runs the pipeline:
resource "google_project_iam_policy" "gitlab" {
  project     = "secret_owner_project_id"
  policy_data = data.google_iam_policy.iam.policy_data
}

data "google_iam_policy" "iam" {
  binding {
    role = "roles/secretmanager.secretAccessor"
    members = [
      "serviceAccount:project_accessing_secret@XYZ.iam.gserviceaccount.com",
    ]
  }
  binding {
    role = "roles/viewer"
    members = [
      "serviceAccount:project_accessing_secret@XYZ.iam.gserviceaccount.com",
    ]
  }
}
A bit late, but maybe this answer could be useful for future users. I encountered the same behavior, only with Python. I tried lots of things, but the only thing that worked was creating a new service account with zero roles (if I granted it the secretmanager.secretAccessor role immediately, I got the same error). Then, when the empty service account is created, in the IAM tab I press +Add, copy my empty service account's address and ONLY then add the secretmanager.secretAccessor role to it. Then I use this account as the account that will execute the particular function. You of course may need to add other roles depending on what your function is intended to accomplish.
OAuth scope plays an important role here and please make sure the scope is defined correctly.
To use Secret Manager with workloads running on Compute Engine or GKE, the underlying instance or node must have the cloud-platform OAuth scope. If you receive an error with the following message, it means the instance or node was not provisioned with the correct OAuth scopes.
Request had insufficient authentication scopes
The required OAuth scope to use Secret Manager is:
https://www.googleapis.com/auth/cloud-platform
Example gcloud command to create a Dataproc cluster with the scope:
gcloud dataproc clusters create xyz-pqr --region asia-south1 --subnet projects/xyz-pqr/regions/asia-south1/subnetworks/abc-serverless-vpc --zone asia-south1-b --master-machine-type n1-standard-4 --master-boot-disk-size 100 --num-workers 2 --worker-machine-type n1-standard-4 --worker-boot-disk-size 100 --image-version 2.0-debian10 --project xyz-development --scopes https://www.googleapis.com/auth/cloud-platform
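An added example, not from any of the answers above, for confirming what the answers do by hand in the console: given the IAM policy of the secret and of the project (the JSON that `gcloud secrets get-iam-policy SECRET --format json` and `gcloud projects get-iam-policy PROJECT --format json` print), it reports whether a service account holds a role that carries secretmanager.versions.access, at which level, whether any grant is conditional, and whether the project policy gives it a basic role (viewer/editor/owner) that is far broader than secret access needs. The set of roles treated as granting access is an assumption of the example; the policies and service account names are constructed.

```python
import json

# Roles this check treats as carrying secretmanager.versions.access (assumption for
# the example; add custom roles you use). roles/viewer is deliberately not here.
ACCESS_ROLES = {"roles/secretmanager.secretAccessor",
                "roles/secretmanager.admin", "roles/owner"}
# Project-wide basic roles: far broader than what reading one secret requires.
BROAD_ROLES = {"roles/viewer", "roles/editor", "roles/owner"}

# Constructed policy documents (not from a real project).
SECRET_POLICY = json.dumps({"bindings": [
    {"role": "roles/secretmanager.secretAccessor",
     "members": ["serviceAccount:example-project@appspot.gserviceaccount.com"]},
], "etag": "constructed"})
PROJECT_POLICY = json.dumps({"bindings": [
    {"role": "roles/viewer",
     "members": ["serviceAccount:example-project@appspot.gserviceaccount.com"]},
    {"role": "roles/secretmanager.secretAccessor",
     "members": ["serviceAccount:ci-runner@example-project.iam.gserviceaccount.com"],
     "condition": {"title": "only-until-2099",
                   "expression": "request.time < timestamp('2099-01-01T00:00:00Z')"}},
], "etag": "constructed"})


def roles_for_member(policy_json, member):
    """[(role, is_conditional)] for one member in an IAM policy document."""
    out = []
    for binding in json.loads(policy_json).get("bindings", []):
        if member in binding.get("members", []):
            out.append((binding["role"], "condition" in binding))
    return out


def explain_secret_access(secret_policy_json, project_policy_json, member):
    """Summarise how (and whether) `member` can call accessSecretVersion."""
    secret_roles = roles_for_member(secret_policy_json, member)
    project_roles = roles_for_member(project_policy_json, member)
    granted_at = []
    if any(role in ACCESS_ROLES for role, _ in secret_roles):
        granted_at.append("secret")
    if any(role in ACCESS_ROLES for role, _ in project_roles):
        granted_at.append("project")
    return {
        "member": member,
        "can_access_versions": bool(granted_at),
        "granted_at": granted_at,
        "conditional_grants": [r for r, cond in secret_roles + project_roles if cond],
        "broad_project_roles": sorted(r for r, _ in project_roles if r in BROAD_ROLES),
    }


if __name__ == "__main__":
    for sa in ("serviceAccount:example-project@appspot.gserviceaccount.com",
               "serviceAccount:ci-runner@example-project.iam.gserviceaccount.com"):
        print(explain_secret_access(SECRET_POLICY, PROJECT_POLICY, sa))
```

The secret-level binding is the least-privilege option: `gcloud secrets add-iam-policy-binding SECRET --member serviceAccount:... --role roles/secretmanager.secretAccessor` grants access to that one secret only, without a project-wide role. Two caveats for the Terraform variant posted above: `google_project_iam_policy` is authoritative and replaces every binding on the project that is not listed in the policy data, so `google_secret_manager_secret_iam_member` on the secret is the safer resource, and roles/viewer at project level is not needed for versions.access. IAM changes can also take a few minutes to propagate, which is the usual explanation for a grant that only "works" after a retry.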
I am trying to configure the latest Airflow 1.10.10 with the new RBAC UI, and wanted it to be single sign-on.
I tried the DB/LDAP options, but these required a user id/password to log in.
I am trying to set up REMOTE_USER but am not able to find good documentation or examples on how to get it working.
I enabled the setting below in the airflow_webserver.cnfg file:
AUTH_TYPE= AUTH_REMOTE_USER
and enabled kerberos in the core section of the airflow.cnfg file; when I restarted the webserver it gave the error below:
{decorators.py:113} WARNING - Access is Denied for: can_index on: Airflow
I need help to resolve this.
When I first tried to access the UI without logging in (i.e. as a Public user), I got the {decorators.py:113} WARNING - Access is Denied for: can_index on: Airflow. Adding can_index to Public role should allow the UI to load so you can then log in. I'm unfamiliar with using a REMOTE_USER, but I imagine adding similar permissions to a role and assigning it to the REMOTE_USER would help.
I'm using azure active directory to control access to my web app using group membership. I have 2 groups (user & admin). In my app I've setup application permissions for Microsoft graph to read users profiles and read all groups.
I'm then using the Graph API in my app to get a list of all groups available. This works ok in my local dev environment, and when I deploy the app up in Azure, the process works ok there too. The problem arises when I upload and test in my 2 'slots' in the App Service environment. I have two that I'm using, a dev version and a QA version. As soon as I try to access the Graph API from either of those I get this error:
Code: Authorization_RequestDenied
Message: Insufficient privileges to complete the operation.
I was getting this when I initially started developing, but setting up and granting app permissions solved it. So why am I getting this in my other 2 'apps'? I need these to test (me as the developer and our testing team in QA).
Are there any other steps I need to take for my dev & QA slots to work in the same way?
** this is how I access the graph api, it works ok in my main app, but not in the slots
GraphServiceClient graphClient = new GraphServiceClient(new AzureAuthenticationProvider());
Group group = await graphClient.Groups[admin].Request().GetAsync();
**Update
The issue is with the apps running in my slots. Both my Dev & QA slots don't have any group information in the ClaimsIdentity object after a user logs in. I've checked this by logging the info in the ClaimsIdentity object: when I run it locally and in the main app up in Azure, the group info is present; when I run it in the Azure QA & dev environments, the groups aren't present in the ClaimsIdentity object. Why would this be? Do the slots inherit the Active Directory settings, or should they be set up separately? I'm pretty new to Azure and the security model, so any help would be greatly appreciated.
I have redirect urls setup in azure and also in my web.config, I use different transforms for each environment using the appropriate redirect for each environment.
I'm using OpenID.
**update 2
When I created the slots, I based them (copied) on my main app. Should each slot have its own ClientID and secret in its web.config file ? Also do I need to register each slot as an application in active directory ? At the moment just my main app is registered
Here are the claims from each of my apps; you can see the QA app has no groups.
my QA slot in azure
Claim type - ver
Claim type - http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Claim type - http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn
Claim type - http://schemas.microsoft.com/identity/claims/tenantid
Claim type - http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
Claim type - onprem_sid
Claim type - nonce
Claim type - http://schemas.microsoft.com/identity/claims/objectidentifier
Claim type - name
Claim type - http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
Claim type - ipaddr
Claim type - http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
Claim type - http://schemas.microsoft.com/claims/authnmethodsreferences
Claim type - c_hash
Claim type - aio
Claim type - exp
Claim type - nbf
Claim type - iss
Claim type - iat
Claim type - aud
authentication type ; Cookies
My Main App in Azure
Claim type - ver
Claim type - http://schemas.microsoft.com/identity/claims/tenantid
Claim type - http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Claim type - http://schemas.microsoft.com/identity/claims/objectidentifier
Claim type - http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
Claim type - nonce
Claim type - name
Claim type - ipaddr
Claim type - http://schemas.microsoft.com/identity/claims/identityprovider
Claim type - groups
Claim type - groups
Claim type - http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
Claim type - http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
Claim type - http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
Claim type - c_hash
Claim type - http://schemas.microsoft.com/claims/authnmethodsreferences
Claim type - exp
Claim type - aio
Claim type - nbf
Claim type - iss
Claim type - iat
Claim type - aud
authentication type ; Cookies
** OK, I've tried adding the QA app to Azure Active Directory as a registered app. I've got a clientID and a secret, and I've given it the same permissions for Azure Active Directory and Microsoft Graph as my main app. I've included the clientid & secret in my web.config transform, so basically it's set up in the same way as my main app and STILL no group info in the ClaimsIdentity. How on earth is this meant to work?
***Another update
permissions granted
windows azure active directory
- delegated permissions : read all groups, read all users full profiles
Microsoft Graph
- application permissions : read all users full profiles, read all groups
- delegated permissions : read all groups, read all users full profiles, sign in and read user profile
Just as a test, I've also granted every permission for active directory and Microsoft graph and it made no difference.
This is becoming a serious problem for me now. I can't see that there's anything else I can do; it works perfectly well in my main app, but not in the 'slots'. Is there a major flaw/bug with Azure, or am I doing something fundamentally wrong here?
Can anyone help me out ?
To read groups via Microsoft Graph, one of Group.Read.All, Group.ReadWrite.All, Directory.Read.All or Directory.ReadWrite.All is required.
What's the permission you have granted to the app which has this issue? Also please check the scp claims in the token to ensure that the correct permission has already been granted. You can decode the access token from this link.
For more detail about permissions for the Microsoft Graph REST API, please refer to the link below:
Microsoft Graph permissions reference
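An added example, not from the question or the answer, of the token check the answer recommends: it decodes a JWT payload and reports the audience, the delegated scopes (`scp`), the application permissions (`roles`) and whether an ID token carries a `groups` claim or only the `_claim_names`/`_claim_sources` overage marker that Azure AD substitutes when a user belongs to more groups than fit in the token. It only inspects; it does not verify the signature, so it must never be used to make an authorization decision. The tokens below are constructed inside the block with a fake signature.

```python
import base64
import json

# Any one of these, delegated or application, lets Graph return group objects.
NEEDED_FOR_GROUPS = {"Group.Read.All", "Group.ReadWrite.All",
                     "Directory.Read.All", "Directory.ReadWrite.All"}


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_sample_token(payload):
    """Constructed token for the example: real header/payload encoding, fake signature."""
    header = {"typ": "JWT", "alg": "RS256", "kid": "constructed-key-id"}
    return f"{_b64url_encode(header)}.{_b64url_encode(payload)}.not-a-real-signature"


def inspect_token(token):
    """Decode the payload for debugging. The signature is NOT checked here."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = json.loads(_b64url_decode(parts[1]))
    scp = payload.get("scp", "")           # space-separated string in Azure AD tokens
    return {
        "aud": payload.get("aud"),
        "delegated_scopes": scp.split() if isinstance(scp, str) else list(scp),
        "app_roles": list(payload.get("roles", [])),
        "groups": list(payload.get("groups", [])),
        # Present instead of `groups` when the directory hit the groups-claim limit;
        # the app must then query Graph for the user's memberships.
        "groups_overage": "groups" in payload.get("_claim_names", {}),
    }


def can_read_groups(info):
    """True if the token's scopes or app roles include a Graph groups permission."""
    granted = set(info["delegated_scopes"]) | set(info["app_roles"])
    return bool(granted & NEEDED_FOR_GROUPS)


# Constructed tokens (tenant/client ids are placeholders).
GRAPH_TOKEN_OK = make_sample_token({
    "aud": "https://graph.microsoft.com",
    "scp": "User.Read Group.Read.All",
    "tid": "00000000-0000-0000-0000-000000000000"})
GRAPH_TOKEN_DENIED = make_sample_token({
    "aud": "https://graph.microsoft.com",
    "scp": "User.Read"})
ID_TOKEN_OVERAGE = make_sample_token({
    "aud": "CONSTRUCTED-CLIENT-ID",
    "_claim_names": {"groups": "src1"},
    "_claim_sources": {"src1": {"endpoint":
        "https://graph.microsoft.com/v1.0/users/USER-OBJECT-ID/getMemberObjects"}}})

if __name__ == "__main__":
    for label, tok in (("ok", GRAPH_TOKEN_OK), ("denied", GRAPH_TOKEN_DENIED),
                       ("overage", ID_TOKEN_OVERAGE)):
        info = inspect_token(tok)
        print(label, info, "can_read_groups:", can_read_groups(info))
```

An access token whose `scp` shows only User.Read produces exactly the Authorization_RequestDenied error quoted in the question, however many permissions are configured on the app registration; the permission must be consented and must appear in the token the slot actually sends. Tokens are credentials, so inspect them locally rather than pasting production tokens into third-party sites.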