Kylo security implementation in HDP KYLO sandbox? - security

I am trying to apply security in Kylo, such as the feed and category created by one user if it is not visible to other users.
Is it possible in Kylo HDP Sandbox?
If yes, what changes do I need to make?

Yes, you can do this via Kylo's entity-level access control mechanism. Below is an illustration to enable entity access for categories in Kylo sandbox.
Step 1: Enable entity access control
Update kylo-services/conf/application.properties
security.entity.access.controlled=true
security.auth.file.users=file:///opt/kylo/users.properties
security.auth.file.groups=file:///opt/kylo/groups.properties
Step 2: Define users
Create a file called users.properties, populate it and give proper permissions. The structure of each entry is username=password.
$ vi /opt/kylo/users.properties
#entries in file
dladmin=thinkbig
analyst=analyst
designer=designer
operator=operator
$ chown kylo:users /opt/kylo/users.properties
$ chmod 600 /opt/kylo/users.properties
Step 3: Define groups
Create a file called groups.properties, populate it and give proper permissions. The structure of each entry is user=group memberships.
$ vi /opt/kylo/groups.properties
#entries in file
dladmin=admin,user
analyst=analyst,user
designer=designer,user
operator=operations,user
$ chown kylo:users /opt/kylo/groups.properties
$ chmod 600 /opt/kylo/groups.properties
Step 4: Restart Kylo
$ /opt/kylo/stop-kylo-apps.sh
$ /opt/kylo/start-kylo-apps.sh
Step 5: Log in as dladmin user (password: thinkbig)
Create a category (say sample_category). Do not give any entity level permissions.
Step 6: Log in as operator user (password: operator)
Look at the list of categories. sample_category is not visible since no permissions were given by the dladmin user.
Step 7: Log back in as dladmin user and give permissions
Give Editor role to Operations group. The operator user is a member of Operations group.
Step 8: Log back in as operator user
Look at the list of categories. sample_category is now visible.

Related

How to reload a batch file with .qwv containing section access in QlikView Desktop?

I execute "C:\Program Files\QlikView\qv.exe" /R "D:\QlikViewAdm\qlik_file.qvw" to launch the loader. It works when there is no section access. However, when I run a file with section access QV asks me for login and password. I can link the access to Windows user credentials, but it only works on my terminal.
Is there a way to point QV to a local file with credentials?
You can do it by using NTNAME in the section Access like so:
Section Access;
LOAD * INLINE [
ACCESS, USERID, PASSWORD,NTNAME
ADMIN, ADMIN, ADMIN , *
ADMIN, , , yourWindowsUserID
];
You can get yourWindowsUserID by using the OsUser() function (in QlikView).
Hope this will help.
First thing to notice is that the user churning is following the exponential function like the nuclear decay. Hence, t-test is useless (it assumes normal distribution).
Second, it is time to look at counts of users with 0,1,2.. events.
Third, just use Wilcoxon test if you compare the same cohort of users before and after. Otherwise, use Mann–Whitney U test. It is less stable than the tests on normally distributed values. However, it does the job whenever you cannot promise normality.
Spoiler: yes, it worked out. Cohort 1 and 2 were nearly indistinguishable, but cohort 3 and 1 yielded a difference at p < 0.001.

Inconsistency between "/etc/passwd" and "/etc/group"

Scenario 1:
I have 2 users, each has a different primary group.
For user1, the primary group is group1 with GID 501.
For user2, the primary group is group2 with GID 502.
I edited /etc/passwd so that user1 now has GID 600.
However, I forgot to create a new group with GID 600 (and I did not edit /etc/group either).
What's surprising me is that even though I never created a group with GID 600 (and thus there's no such group in /etc/group)- everything works as if such a group exists:
Examples:
1) After user1 creates a new file, test.txt, user2 can't r/w that file.
2) When running ls -l I can see that test.txt belongs to GID 600.
What am I missing? Why does it work even though there's inconsistency between /etc/passwd and /etc/group?
Scenario 2:
Say I have a group with GID 1000.
When running useradd -c "name" test2 -g 1000, and then groups test2, I can see that test2's primary group is 1000.
However, in /etc/group all I see is test_group:x:1000:, meaning test2 isn't a member of test_group.
Moreover, after running useradd -c "name" test3, I do have test3:x:8093: in /etc/group.
Can you explain why it's happening?
Thanks.
Non-programming question, expect downvotes... you should ask on Super User or unix.se.
That said, there is no mapping of UID numbers to GID numbers that require them to have the same values. Think about what happens when you add a few users, then create a group or two for them to share, then add a few more users. The "next available" GID/UID pair don't match in value, but that doesn't matter.
When you are looking at a user's primary group, they aren't listed in the groups file as being a member because their primary group info is in the passwd file.
Remember to find files/directories that have no owning user or group if you manually change a UID number or GID number, and fix as appropriate.
Also, when it comes to UID numbers and GID numbers there is 0 (root) and everything else - no special meaning to them. By consensus, "system user" type accounts are low, and most distributions start creating "normal" users with a UID/GID of 1000.
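The two scenarios above come down to where each piece of group information lives: the primary GID is recorded only in the passwd entry, supplementary membership only in the group entry, and nothing forces a GID named in passwd to exist in group. The following added example (not from the original question or answer) parses constructed passwd- and group-format data that mirrors the scenarios, computes a user's effective group set, and flags primary GIDs that no group entry defines, which is the audit check the answer recommends running after hand-editing either file. The helper and sample data names are assumptions made for the example.

```python
# Added example: resolve effective groups from passwd/group-format data and
# flag GIDs referenced by passwd that group never defines. Input is
# constructed inline so it runs offline.

PASSWD = """\
root:x:0:0:root:/root:/bin/bash
user1:x:501:600::/home/user1:/bin/bash
user2:x:502:502::/home/user2:/bin/bash
test2:x:8092:1000::/home/test2:/bin/bash
test3:x:8093:8093::/home/test3:/bin/bash
"""

GROUP = """\
root:x:0:
group1:x:501:
group2:x:502:
test_group:x:1000:
test3:x:8093:
wheel:x:10:user1,user2
"""


def parse_passwd(text):
    """Map username -> (uid, primary gid) from passwd-format lines."""
    users = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, uid, gid, _gecos, _home, _shell = line.split(":")
        users[name] = (int(uid), int(gid))
    return users


def parse_group(text):
    """Map gid -> (groupname, set of supplementary members)."""
    groups = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, gid, members = line.split(":")
        groups[int(gid)] = (name, {m for m in members.split(",") if m})
    return groups


def effective_groups(username, users, groups):
    """GIDs a process started by `username` carries: the primary GID from
    passwd (whether or not group defines it) plus every group that lists
    the user as a supplementary member."""
    _uid, primary_gid = users[username]
    gids = {primary_gid}
    for gid, (_name, members) in groups.items():
        if username in members:
            gids.add(gid)
    return gids


def dangling_primary_gids(users, groups):
    """GIDs used as a primary group in passwd but absent from group. The
    kernel still enforces them on files (scenario 1), but `ls -l` shows a
    bare number and nothing can name them: worth catching in an audit."""
    return {name: gid for name, (_uid, gid) in users.items() if gid not in groups}


def primary_group_members(gid, users):
    """Users whose primary group is `gid`. They never appear in the member
    list of the group entry (scenario 2); that link lives only in passwd."""
    return sorted(name for name, (_uid, g) in users.items() if g == gid)


if __name__ == "__main__":
    users, groups = parse_passwd(PASSWD), parse_group(GROUP)
    print("user1 groups:", sorted(effective_groups("user1", users, groups)))
    print("dangling primary GIDs:", dangling_primary_gids(users, groups))
    print("primary members of gid 1000:", primary_group_members(1000, users))
```

On a real host the same checks can be run against the live databases by feeding in the output of `getent passwd` and `getent group` instead of the constructed strings, which also covers users and groups served from sources other than the local files.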

Maximo automation script get user securityGroup

I would like to get the security group of the user in a Maximo automation script so I can compare it. I need to know if the user is in the MaxAdmin or UserUser group to execute the rest of my script. My scripts are in Python.
How could I get that info?
There are some implicit variables available to you in an automation script (check the IBM Automation Script guide), one of which is the current user's username. There is also the :&USERNAME& special bind variable that gets replaced with the current username. You can use one of those as part of the query to fetch a GroupUser MBO and then check the count of it afterward.
I'm going off of memory here so the exact names and syntax probably differ, but something like:
from psdi.server import MXServer

groupUserSet = MXServer.getMXServer().getMboSet("GROUPUSER", MXServer.getMXServer().getSystemUserInfo())
groupUserSet.setWhere("userid = :&USERNAME& and groupname in ('MAXADMIN', 'USERUSER')")
# Not really needed.
groupUserSet.reset()
if groupUserSet.count() > 0:
    # The current user is in one of the relevant groups.
    pass
else:
    # The current user is not in one of the relevant groups.
    pass
groupUserSet.close()
It's worth noting that the kinds of things tied to logic like this usually don't need an automation script. Usually conditional expressions, normal security permissions or reports can do what you need here instead. Even when an automation script like this is needed, you still should not do it based on group alone, but based on whether the user has a certain permission or not.
EDIT
To do this with permissions, you would add a new sigoption to the app with an id along the lines of "CANCOMPPERM" (with a more verbose description) and grant it to those two groups. Make sure everyone in those groups logs out at the same time (so nobody in those two groups is logged into the system at a given point) or else the permission cache will not update. Your code would then look something like this:
from psdi.server import MXServer

permissionsSet = MXServer.getMXServer().getMboSet("APPLICATIONAUTH", MXServer.getMXServer().getSystemUserInfo())
permissionsSet.setWhere("optionname = 'CANCOMPPERM' and groupname in (select groupname from groupuser where userid = :&USERNAME& )")
# Not really needed.
permissionsSet.reset()
if permissionsSet.count() > 0:
    # The current user has the necessary permission.
    pass
else:
    # The current user does not have the necessary permission.
    pass
permissionsSet.close()
I think there are even some helper methods in Maximo's code base that you can call to do the above for you and just return a true/false on if the permission is granted or not.

Linux command "getent" not returning all-numeric usernames (e.g. 10798) in Linux file system

I am using the "getent" command to fetch user information in my Linux file system.
I have a user with the username "10798" and another user with the username "user" and user ID "10798". I am using the getent command to fetch the user info of the user with the name "10798",
but the command is not giving any output.
I think the "getent" command will only look for the user ID number if you give an all-numeric value as input to the command.
Here is the scenario:
# cat /etc/passwd
10798:x:10799:10799::/home/10798:/bin/bash
user:x:10798:10798::/home/user:/bin/bash
# getent passwd 10798
user:x:10798:10798::/home/user:/bin/bash
How do I get the user with the username 10798 using the getent command?
passwd When no key is provided, use setpwent(3), getpwent(3),
and endpwent(3) to enumerate the passwd database. When
one or more key arguments are provided, pass each
numeric key to getpwuid(3) and each nonnumeric key to
getpwnam(3) and display the result.
I got this from the Linux man page. Is there a way to redirect numeric keys to getpwnam?
ls already performs that lookup. You can perform a user information lookup from the command line with getent passwd.
If ls shows a user ID instead of a user name, it's because there's no user by that name. Filesystems store user IDs, not user names. If you mount a filesystem from another system, or if a file belongs to a now-deleted user, or if you passed a numerical user ID to chown, you can have a file that belongs to a user ID that doesn't have a name.
On a shared host, you may have access to some files that are shared between several virtual machines, each with their user database. This is a bit weird (why share files but not the users that own them?), but it's technically possible.
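The man page excerpt quoted in the question is the whole explanation: getent decides between getpwuid(3) and getpwnam(3) purely on whether the key is numeric, so an all-digit username can never be reached through `getent passwd KEY`. The following added example (not from the original question or answer) models that dispatch over constructed passwd lines matching the scenario, with a user named "10798" and a different user whose UID is 10798, so the two lookup paths can be compared side by side. The function and sample names are assumptions made for the example.

```python
# Added example: model getent's numeric-vs-name dispatch over constructed
# passwd lines (not real system data).

PASSWD = """\
10798:x:10799:10799::/home/10798:/bin/bash
user:x:10798:10798::/home/user:/bin/bash
"""


def parse_passwd(text):
    """Return (name, uid, raw_line) tuples for each non-comment entry."""
    entries = []
    for line in text.splitlines():
        if line and not line.startswith("#"):
            fields = line.split(":")
            entries.append((fields[0], int(fields[2]), line))
    return entries


def getpwnam(name, entries):
    """Lookup by user name, as getpwnam(3) does."""
    for n, _uid, line in entries:
        if n == name:
            return line
    return None


def getpwuid(uid, entries):
    """Lookup by numeric UID, as getpwuid(3) does."""
    for _n, u, line in entries:
        if u == uid:
            return line
    return None


def getent_passwd(key, entries):
    """Mirror the man page: an all-digit key goes to getpwuid, anything
    else to getpwnam. This is why `getent passwd 10798` returns `user`
    and never the account whose *name* is 10798."""
    if key.isdigit():
        return getpwuid(int(key), entries)
    return getpwnam(key, entries)


if __name__ == "__main__":
    entries = parse_passwd(PASSWD)
    print("getent passwd 10798 ->", getent_passwd("10798", entries))
    print("getpwnam('10798')   ->", getpwnam("10798", entries))
```

To reach the account by name on a real system, call the name-based lookup directly rather than going through getent; for instance Python's `pwd.getpwnam("10798")` always takes the name path regardless of whether the string looks numeric. Accounts with all-digit names are also worth avoiding for exactly this reason: any tool that dispatches on "numeric means UID" will silently resolve them to a different user.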

Where does "getent group A" get the information on group A?

I have some questions about getent group.
Where does getent group A get the information on group A?
Does it only get it from /etc/group?
Is it possible that I can find a user (belonging to group A) by getent group A while I can not find the user from group A in /etc/group? If yes, how could this happen?
The third one is actually the problem I met.
Example:
1st. [root#*** test]# getent group A | grep A
2nd. [root#*** test]# cat $INSTALLROOT/etc/group | grep A
I can find a user a from the first command while I cannot find the user a from the second command.
Where does "getent group A" get the information on group A?
It is configured in /etc/nsswitch.conf. man getent tells this.
Does it only get from /etc/group?
It depends on your config files. On my machine it does not get this information only from /etc/group since it is configured in this way:
group: files ldap
Is it possible that I can find a user (belonging to group A) by "getent group A" while I cannot find the user from group A in /etc/group?
Yes it is possible if there are at least two sources of data for groups.
By the way, take a look at how getent group works - run it under strace.
strace -s 256 -o getent.strace.txt -v getent group
And see what system calls it does. In my case it first reads from /etc/group and loads an ldap module and starts reading from a socket.
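The `group: files ldap` line is what ties the two observations together: getent walks the listed sources in order, and a group (or a membership) that only the directory knows about will show up in `getent group A` while `grep` on /etc/group finds nothing. The following added example (not from the original question or answer) is a toy model of that source walk over a constructed nsswitch.conf and two constructed sources, a local "files" map and an "ldap" map standing in for the directory. It uses first-match semantics, which is glibc's default, and adds an optional merge of member lists to show what changes when a local entry shadows the directory one; the real action specifiers in nsswitch.conf(5) are richer than this, and the default source used for a database missing from the file is a simplification here.

```python
# Added example: model NSS source order for the group database using
# constructed data (not a real nsswitch.conf, /etc/group or LDAP server).

NSSWITCH = """\
# constructed nsswitch.conf
passwd: files ldap
group:  files ldap
hosts:  files dns
"""

# Local /etc/group as `cat` would show it: no group A at all.
FILES_GROUP = {"staff": ("staff", 50, {"bob"})}
# The directory defines A and lists user `a` as a member.
LDAP_GROUP = {"A": ("A", 5000, {"a"}), "dev": ("dev", 6000, {"a", "bob"})}

SOURCES = {"files": FILES_GROUP, "ldap": LDAP_GROUP}


def nss_sources(nsswitch_text, database):
    """Sources listed for `database`, in lookup order. Falls back to
    ["files"] when the database is not mentioned (a simplification)."""
    for line in nsswitch_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        db, _sep, srcs = line.partition(":")
        if db.strip() == database:
            return srcs.split()
    return ["files"]


def getent_group(name, nsswitch_text, sources=SOURCES, merge=False):
    """Return (groupname, gid, members) for `name`, or None.

    Default: the first source that knows the group wins, so a local entry
    shadows the directory entry completely. With merge=True, member lists
    from every source that has the group are unioned, approximating the
    `merge` action available in newer glibc."""
    found = None
    for src in nss_sources(nsswitch_text, "group"):
        entry = sources.get(src, {}).get(name)
        if entry is None:
            continue
        if not merge:
            return entry
        if found is None:
            found = (entry[0], entry[1], set(entry[2]))
        else:
            found[2].update(entry[2])
    return found


if __name__ == "__main__":
    print("sources:", nss_sources(NSSWITCH, "group"))
    print("getent group A ->", getent_group("A", NSSWITCH))
    # Local shadowing: files also defines A, with no members.
    shadow = {"files": {"A": ("A", 5000, set())}, "ldap": LDAP_GROUP}
    print("shadowed        ->", getent_group("A", NSSWITCH, shadow))
    print("merged          ->", getent_group("A", NSSWITCH, shadow, merge=True))
```

The shadowing case is the one to watch when auditing access: if a local /etc/group entry and a directory group share a name, the default first-match rule means the directory's member list is ignored, so `getent group` (and therefore every `initgroups` call at login) reflects only the local file. Comparing the output of `getent group` against the individual sources is a quick way to spot that.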