OpenLDAP Access Control Issue - linux

I need guidance in the situation below:
I am migrating RHDS to OpenLDAP. I managed to convert the DIT, its attributes and the schemas. However, I am stuck at access control.
In RHDS, currently, the access control is as below:
dn: dc=example,dc=com
changetype: modify
add: aci
aci: (target = ldap:///uid=*,ou=household,dc=example,dc=com) (targetattr="*") (version 3.0; acl "Household Itms Consumer subtree read - aci"; allow (read, compare, search) (userdn = "ldap:///*,ou=applications,dc=example,dc=com") ;);
Could someone please guide me in creating the OLC LDIF format?

Access control is not part of the LDAPv3 standard, and thus the attribute aci is specific to RHDS and similar implementations.
You have to define new ACLs for your OpenLDAP setup.
I'd recommend reading the following docs:
OpenLDAP Admin Guide -- Access control
slapd.access(5)
FAQ-O-MATIC: Access Control
FAQ-O-MATIC: Sets in Access Control
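As an added example (not from this thread and not OpenLDAP's own tooling), the Python script below translates the read-class ACI from the question into an OpenLDAP access clause and wraps it in a cn=config LDIF; the database DN olcDatabase={1}mdb,cn=config and the index {0} are assumptions, and only the one-wildcard-RDN pattern used in the question is mapped automatically.

```python
import re

# Constructed sample: the RHDS ACI from the question, as one string.
RHDS_ACI = (
    '(target = ldap:///uid=*,ou=household,dc=example,dc=com) (targetattr="*") '
    '(version 3.0; acl "Household Itms Consumer subtree read - aci"; '
    'allow (read, compare, search) '
    '(userdn = "ldap:///*,ou=applications,dc=example,dc=com") ;)'
)

# RHDS read-class rights, ascending. OpenLDAP access levels are cumulative, so
# 'read' already implies 'search' and 'compare'.
READ_CLASS = {"compare": 1, "search": 2, "read": 3}
# RHDS bind-rule keywords that OpenLDAP spells differently.
SPECIAL_WHO = {"ldap:///anyone": "*", "ldap:///all": "users", "ldap:///self": "self"}

def dn_selector(ldap_url):
    """Map 'ldap:///<pattern>' to an OpenLDAP dn selector.

    'uid=*,<parent>' or '*,<parent>' (one wildcard RDN) becomes dn.onelevel;
    anything else is taken as an exact DN. A wildcard meant to span several
    levels needs dn.subtree, which is not auto-detected here.
    """
    dn = ldap_url[len("ldap:///"):]
    m = re.fullmatch(r"(?:[A-Za-z]+=)?\*,(.+)", dn)
    return f'dn.onelevel="{m.group(1)}"' if m else f'dn.exact="{dn}"'

def aci_to_olcaccess(aci):
    """Translate one read-class RHDS ACI into an OpenLDAP access clause."""
    target = re.search(r'\(target\s*=\s*"?(ldap:///[^")]+)"?\)', aci).group(1)
    attrs = re.search(r'\(targetattr\s*=\s*"([^"]+)"\)', aci).group(1)
    rights = {r.strip() for r in re.search(r"allow\s*\(([^)]+)\)", aci).group(1).split(",")}
    who = re.search(r'\(userdn\s*=\s*"(ldap:///[^"]+)"\)', aci).group(1)
    unsupported = rights - set(READ_CLASS)
    if unsupported:  # write/add/delete also involve the 'children' pseudo-attribute
        raise ValueError(f"write-class rights need manual mapping: {sorted(unsupported)}")
    what = dn_selector(target)
    if attrs != "*":  # a named list also needs 'entry' so the entry itself is visible
        what += " attrs=" + ",".join(a.strip() for a in attrs.split("||")) + ",entry"
    by = SPECIAL_WHO.get(who) or dn_selector(who)
    # RHDS ACIs are additive; OpenLDAP stops at the first 'to' clause matching the
    # entry, so rules for the same entries must be merged into one clause (or end
    # with 'by * break'). This clause ends with an explicit deny instead.
    return f"to {what} by {by} {max(rights, key=READ_CLASS.__getitem__)} by * none"

def olc_ldif(aci, db_dn="olcDatabase={1}mdb,cn=config", index=0):
    """LDIF adding the clause to the database's olcAccess list (db_dn is assumed)."""
    return "\n".join([f"dn: {db_dn}", "changetype: modify", "add: olcAccess",
                      f"olcAccess: {{{index}}}{aci_to_olcaccess(aci)}"])
```

Apply the generated LDIF with ldapmodify -Y EXTERNAL -H ldapi:/// and check the resulting olcAccess order, since slapd uses the first matching clause.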

Related

Apache Pulsar Unauthorized to validateTopicPolicyOperation for operation [WRITE] on topic

We've been trying to add JWT auth on our 2.8.1 Apache Pulsar cluster and it seems to be working properly, except for permissions. So basically, the state we are in right now is:
Without a token, the client gets a 401
With a token, it can access but has trouble producing or consuming, so we added this:
./bin/pulsar-admin --admin-url https://pulsar-xxx-broker.pulsar-xx.svc.cluster.local:8443 --auth-plugin org.apache.pulsar.client.impl.auth.AuthenticationToken --auth-params file:///pulsar/tokens/broker/token namespaces grant-permission "xxx-dev-FR/lol" --role pulsar-token- --actions produce,consume
And it was better; permissions seem to be pretty straightforward on namespaces, and only consume and produce are allowed, judging from the code. But then we hit that error:
org.apache.pulsar.client.admin.PulsarAdminException$NotAuthorizedException: Unauthorized to validateTopicPolicyOperation for operation [WRITE] on topic [persistent://xxx-dev-FR/ns-common-0.8.0/workflow-tag-new: com.xxx.xxx.commons.engine.workflow.xxxEngine] on policy [PARTITION]
So apparently we need some more permissions, so we looked into adding an admin role when creating the tenant, and this is what we've done, but unfortunately it's not better.
Pulsar permissions schema
Am I missing something here?
Thanks a lot.
Kin
#Kin, from your example it seems you are granting permission on one namespace, xxx-dev-FR/lol, but then trying to use a topic in a different namespace, xxx-dev-FR/ns-common-0.8.0.
Yes, it's true, but this was just an example, sorry. I did launch the grant-permission command on the right namespace afterwards.
I feel like the grant-permission command is missing some permissions as only those two are available:
consume
produce
But apparently it doesn't work for changing a topic or namespace policy. Is there a way to make this work without being full admin?
Edit: just in case it's not clear in my first post, while creating the tenants in pulsar-manager, we used the equivalent of this command:
./bin/pulsar-admin tenants create test --admin-roles <my_app_role>
You can validate that the params below are configured in broker.conf for all brokers; these are used when a broker connects to other brokers.
authenticationProviders=org.apache.pulsar.broker.authentication.AuthenticationProviderToken
(for the configs below, the subject of the token and superUser should match)
brokerClientAuthenticationPlugin=org.apache.pulsar.client.impl.auth.AuthenticationToken
brokerClientAuthenticationParameters={token}
superUserRoles={super-user}
Configure one of the below, based on the key (symmetric or asymmetric) you used to generate the token; this will be used to decode the token.
tokenSecretKey=
tokenPublicKey=
I managed to fix the issue, which was caused by the token subject not being the same as the role entered in the tenant admin permissions. For instance, in the CLI it meant:
pulsarctl token create -a HS256 --secret-key-file SECRETKEY --subject xxx-admin 2> pulsar-token-xxx-admin
kubectl exec -it pulsar-xxxx-broker-0 -- bash
./bin/pulsar-admin --tls-allow-insecure --admin-url https://pulsar-xxx-broker.pulsar-xxxx.svc.cluster.local:8443 --auth-plugin org.apache.pulsar.client.impl.auth.AuthenticationToken --auth-params file:///pulsar/tokens/broker/token tenants create <my_tenant> --admin-roles xxx-admin
We also had to add the following in the broker's configuration:
"topicLevelPoliciesEnabled": "true"
"systemTopicEnabled": "true"
Bye and thanks for your help.
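The fix in this thread hinges on the token's subject claim matching the role named in the tenant's admin roles (or superUserRoles). As an added example (not from the thread or the Pulsar project), this stdlib-only Python script mints an HS256 JWT for a given subject, verifies it the way a broker configured with tokenSecretKey would, and checks the verified subject against the configured roles; the secret and the role names are constructed.

```python
import base64
import hashlib
import hmac
import json

# Constructed values for the demo; the real secret lives in the key file used by pulsarctl.
SECRET = b"constructed-demo-secret"
TENANT_ADMIN_ROLES = ["xxx-admin"]    # tenants create ... --admin-roles xxx-admin
SUPER_USER_ROLES = ["broker-admin"]   # superUserRoles in broker.conf (constructed name)

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_hs256_token(subject, secret):
    """Build an HS256 JWT; Pulsar reads its 'sub' claim as the client's role."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps({"sub": subject}, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def token_subject(token, secret):
    """Return the 'sub' claim if the HS256 signature verifies, otherwise None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None  # refuse 'none' and any algorithm the broker is not configured for
        expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:  # bad base64 or JSON (binascii.Error is a ValueError)
        return None
    return claims.get("sub") if isinstance(claims, dict) else None

def is_tenant_admin(token, secret, admin_roles, super_user_roles=()):
    """True only when the verified subject names a tenant admin role or a super user."""
    subject = token_subject(token, secret)
    return subject is not None and (subject in admin_roles or subject in super_user_roles)

if __name__ == "__main__":
    good = make_hs256_token("xxx-admin", SECRET)      # subject equals the admin role
    bad = make_hs256_token("pulsar-token-", SECRET)   # the role used in the first grant
    print(is_tenant_admin(good, SECRET, TENANT_ADMIN_ROLES, SUPER_USER_ROLES))  # True
    print(is_tenant_admin(bad, SECRET, TENANT_ADMIN_ROLES, SUPER_USER_ROLES))   # False
```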

export liferay user group to OpenLDAP

I configured liferay-portal-6.2-ce-ga4 with OpenLDAP. Users are imported into OpenLDAP from Liferay, but the user groups of Liferay are not exported into OpenLDAP. Here is my portal-ext.properties:
ldap.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
ldap.server.name=ldapadmin
ldap.auth.enabled=true
ldap.import.enabled=true
ldap.export.enabled=true
ldap.import.on.startup=true
ldap.export.on.startup=true
ldap.export.method.0=group
ldap.export.method.0=user
ldap.password.policy.enabled=true
ldap.base.provider.url.0=ldap://localhost:389
ldap.base.dn.0=dc=test,dc=com
ldap.security.principal.0=cn=admin,dc=test,dc=com
ldap.security.credentials.0=secret
ldap.auth.search.filter.0=(mail=#email_address#)
ldap.import.user.search.filter.0=(objectClass=inetOrgPerson)
ldap.user.mappings.0=userId=uid\nscreenName=cn\nemailAddress=mail\npassword=userPassword\nfirstName=givenName\nlastName=sn
ldap.import.group.search.filter.0=(objectClass=posixGroup)
ldap.group.mappings.0=groupName=cn\ndescription=description\nuser=memberUid
ldap.users.dn.0=ou=people,dc=test,dc=com
ldap.groups.dn.0=ou=groups,dc=test,dc=com
ldap.user.default.object.classes.0=inetOrgPerson, top
ldap.group.default.object.classes.0=posixGroup, top, groupOfUniqueNames,organizationalUnit
I have checked by clicking on the 'Test LDAP Groups' button: I can see around 5 groups which were created in OpenLDAP using the OpenLDAP GUI, but I can't see any group which I created in Liferay. It's not exporting user groups, it's only exporting users. Please give some solution for this.
I think the keys you use in your portal-ext.properties file are wrong.
In the documentation we can read:
#
# Settings for exporting users from the portal to LDAP. This allows a user
# to modify his first name, last name, etc. in the portal and have that
# change pushed to the LDAP server. This setting is not used unless the
# property "ldap.auth.enabled" is set to true.
#
ldap.export.enabled=false
#
# Set this to true if groups and their associations should be exported from
# the portal to LDAP. This setting is not used unless the property
# "ldap.auth.enabled" is set to true.
#
ldap.export.group.enabled=true
So you should use:
ldap.export.enabled=true
ldap.export.group.enabled=true

Symfony 2 - Sonata Admin Role based security

With Sonata, I'm trying to use the role-based security.
I want to give a group rights for listing, editing and creating users, so I created a role with
ROLE_MANAGE_USERS:
    - ROLE_SONATA_USER_ADMIN_USER_EDIT
    - ROLE_SONATA_USER_ADMIN_USER_LIST
    - ROLE_SONATA_USER_ADMIN_USER_CREATE
This works fine, but according to the docs, I understand that a user granted
ROLE_SONATA_USER_STAFF
should already inherit rights for [EDIT, LIST, CREATE], but that does not seem to be the case.
I also tried with
ROLE_SONATA_USER_ADMIN_USER_STAFF
Is there something I misunderstood?
I guess that's not the case. First of all, the names of the main roles for editing depend on the service names. For example, if the service of the admin is sonata.user.admin, then the roles will be:
ROLE_SONATA_USER_ADMIN_LIST
ROLE_SONATA_USER_ADMIN_VIEW
As you can see, the prefix is always ROLE (a Symfony 2 requirement), followed by the service name (but with the dots replaced by underscores, and all in capital letters), and ended with the prefix for the specific permission:
LIST: view the list of objects
VIEW: view the detail of one object
CREATE: create a new object
EDIT: update an existing object
DELETE: delete an existing object
EXPORT: (for the native Sonata export links)
As far as I understand, there is no ROLE_SONATA_USER_STAFF predefined for edit, list and create. However, you can define it in the hierarchy, in the security.yml file:
security:
    role_hierarchy:
        # Setting up
        ROLE_SONATA_USER_STAFF:
            - ROLE_SONATA_USER_ADMIN_EDIT
            - ROLE_SONATA_USER_ADMIN_LIST
            - ROLE_SONATA_USER_ADMIN_CREATE
        # using the staff role to create new roles
        ROLE_MANAGE_USERS: [ROLE_SONATA_USER_STAFF]

How to add a new LDAP'ed user to subversion

Our SVN administrator is on holidays, and I need to add a new user to subversion.
We're using Collabnet Subversion on a RedHat box.
I've found the CollabNet_Subversion/conf/ directory with all the configuration files, including an auth file that I can see contains all our users and the groups that they belong to.
All our users need to log in with their LDAP credentials, so I don't need to change any of that.
It looks something like this:
company_auth_production
[groups]
it-leads = jsmith, hsimpson, pgriffin
it-all = ajolie, rwitherspoon, #it-leads
[/]
* =
[prod:/]
#it-all = rw
So I added the new user and restarted subversion. But that doesn't seem to have done the trick. Am I missing something else? Thanks
a. You have mentioned that there is a "company_auth_production" file. Please check if there is some other authorization file, probably "authz". Can you please provide more information on this?
As per the structure in your file
[prod:/]
#it-all = rw
should have given read/write access to all the users of "it-all" for the path "prod".
b. If this is not working then please try using "VisualSVN Server". It has a very nice GUI to add users and give them privileges as well.
Hope this helps.
In your Apache configuration there is usually a require directive (e.g. "require group" or "require user"). Often there is a specific group which a user has to belong to in order to access SVN (e.g. svnusers, etc.).
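Before restarting, it helps to check what the authz file actually grants the new user. This is an added Python evaluator (not from the thread or from Subversion); it uses Subversion's real authz syntax, in which a group is referenced as @name and a line starting with # is a comment, and the file, user names and repository name are constructed after the one in the question.

```python
import configparser
import posixpath

# Constructed authz file modelled on the question, with '@group' references.
AUTHZ_TEXT = """[groups]
it-leads = jsmith, hsimpson, pgriffin
it-all = ajolie, rwitherspoon, @it-leads

[/]
* =

[prod:/]
@it-all = rw
"""

def load_authz(text):
    cp = configparser.ConfigParser(delimiters=("=",), allow_no_value=True, interpolation=None)
    cp.optionxform = str  # keep user names, '@group' and '*' exactly as written
    cp.read_string(text)
    return cp

def expand_group(cp, name, seen=None):
    """Members of group 'name', following nested @group references without looping."""
    seen = seen if seen is not None else {name}
    members = set()
    for m in (x.strip() for x in cp["groups"].get(name, "").split(",")):
        if m.startswith("@"):
            if m[1:] not in seen:
                seen.add(m[1:])
                members |= expand_group(cp, m[1:], seen)
        elif m:
            members.add(m)
    return members

def matches(cp, principal, user):
    """Does an authz rule for 'principal' ('*', '@group' or a user name) cover user?"""
    if principal.startswith("@"):
        return user in expand_group(cp, principal[1:])
    return principal in ("*", user)

def access(cp, user, repo, path):
    """Rights ('', 'r' or 'rw') of user on path: walk from path up to '/', trying the
    repository-specific section before the generic one, and stop at the first section
    with a matching rule. Several matches in one section: most restrictive wins here."""
    while True:
        for section in (f"{repo}:{path}", path):
            if section in cp:
                hits = [cp[section][p] or "" for p in cp[section] if matches(cp, p, user)]
                if hits:
                    return min(hits, key=len)
        if path == "/":
            return ""
        path = posixpath.dirname(path)
```

A user who is added to the file but not to a group referenced in a path rule falls through to the "* =" rule at the root and gets nothing.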

Grails + Securing Application

I'm working on a legacy Grails application.
I have a couple of tables like this:
User (id, name, enterprise_id)
Enterprise (id, name)
Asset (id, description, enterprise_id)
I want to validate that when a certain user wants to access an asset, it has the right enterprise_id (i.e. that the user belongs to the same enterprise as the asset).
For example, consider
John, a user from Microsoft, and Charles (from Oracle): only Charles should be able to access the Java Virtual Machine.
Enterprise
id  name
--  ---------
1   Oracle
2   Microsoft

Asset
id  description  enterprise_id
--  -----------  -------------
1   Java VM      1
2   .NET         2

User
id  name     enterprise_id
--  -------  -------------
1   John     2
2   Charles  1
I've been reading on Spring Security, but it doesn't look like it can help me. All I see is user authentication, passwords, roles, etc. (of course, I could be wrong). These things are already secured and working OK. For the moment I'm considering filters, but can't make them work, and rolling my own security (see this question), which doesn't seem right.
Any thoughts? Is Spring Security the way to go? Shiro?
Thanks in advance
You could implement this with spring-security-acl (which depends on spring-security-core)
Otherwise you could implement a 2 phase approach (Authentication + Authorization) with a set of Object-level authorization filters.
I'm using the Hibernate Filter plugin for this. There is also the MultiTenant plugin and its companion the Falcone plugin.
What these do is basically add constraints to all DB queries, which does just what I think you are aiming for. A typical solution for you (with Hibernate Filter) would be to add this to the Asset domain (change the filter name for each new domain)...
static hibernateFilters = {
    // ':enterpriseId' is bound per request by the filter class below
    assetEnterpriseFilter(condition: ':enterpriseId=enterprise_id', types: 'integer', default: true)
}
...and extract the HibernateFilterFilters from the plugin to override like this (setting the session variable as a parameter)...
class HibernateFilterFilters {
    def grailsApplication   // injected by Spring; gives access to the session factory

    def filters = {
        all(controller: '*', action: '*') {
            before = {
                def hibernateSession = grailsApplication.mainContext.sessionFactory.currentSession
                // enable every default filter with the current user's enterprise id
                DefaultHibernateFiltersHolder.defaultFilters.each { name ->
                    hibernateSession.enableFilter(name).setParameter('enterpriseId',
                        session?.enterpriseId ? session.enterpriseId.toInteger() : new Integer(0))
                }
            }
            after = { }
            afterView = { }
        }
    }
}
...and make sure not to use enterprise_id = 0 in the DB.
Apache Shiro has access control built-in, and there is a grails plugin for it as well.
Authentication is the act of proving that someone is who they say they are - i.e. logging in to an application. Authorization is the process of controlling access to certain data or application features (controlling 'who' can do 'what').
Shiro has both of these concepts built in to its API and does them quite well - you can even control access to individual instances (for example, 'view' the 'user' with id 12345, etc). I highly recommend looking at the Grails plugin for Shiro as well as Shiro's distribution - it includes a few sample web applications (with and without Spring), and you can see how to use its access control - either with servlet filters for URL-based resource control or via annotations to protect individual methods.
HTH,
Les
