I have only started to use Caddy and I am trying to figure out how to create an endpoint with a secure basicauth configured.
Given a configuration like this:
test.my-domain.com {
basicauth / testuser testpassword
proxy / http://192.168.1.1:5000
}
I want to know how I can make it so that the password is secured and not stored in plain text.
I have created a Docker secret called TEST_PASSWORD which is imported into a file at the location /run/secrets/TEST_PASSWORD. The content of this file is the password.
According to the documentation, the import directive will read the content of the file and replace the line: https://caddyserver.com/docs/caddyfile#import
test.my-domain.com {
basicauth / testuser import /run/secrets/TEST_PASSWORD
proxy / http://192.168.1.1:5000
}
But this does not work. I have also tried with the lines:
basicauth / testuser {import /run/secrets/TEST_PASSWORD}
basicauth / testuser {%import /run/secrets/TEST_PASSWORD%}
Does anyone know what I am doing wrong here?
The application (bin) loads the (service account) credentials fine when it has "normal" permissions. This is the run script:
#!/bin/bash
export GOOGLE_APPLICATION_CREDENTIALS=/home/user/config/gcloud/key.json
./bin
However, when the permissions of bin are changed:
chown root:root bin
chmod u+s bin
I get this error:
E1003 10:02:07.563899584 60263 credentials_generic.cc:35] Could not get HOME environment variable.
E1003 10:02:10.563621247 60263 google_default_credentials.cc:461] Could not create google default credentials: UNKNOWN:creds_path unset {created_time:"2022-10-03T10:02:07.563943484+09:00"}
Any advice would be appreciated.
Thanks.
As far as I can tell, this is expected behavior for gRPC. gRPC uses secure_getenv() to get all environment variables. In your case, that means gRPC ignores the GOOGLE_APPLICATION_CREDENTIALS you set.
You may need to change your application to use explicit service account credentials. Something like:
#include <google/cloud/credentials.h>
#include <google/cloud/pubsub/publisher.h>
#include <fstream>
#include <iterator>
#include <string>

namespace pubsub = ::google::cloud::pubsub;

// Read the key file yourself instead of relying on the environment variable,
// which secure_getenv() hides from a set-user-ID binary.
auto is = std::ifstream(filename);
auto json_string =
    std::string(std::istreambuf_iterator<char>(is.rdbuf()), {});
auto credentials =
    google::cloud::MakeServiceAccountCredentials(json_string);
auto publisher = pubsub::Publisher(
    pubsub::MakePublisherConnection(
        pubsub::Topic(project_id, topic_id),
        google::cloud::Options{}
            .set<google::cloud::UnifiedCredentialsOption>(credentials)));
I am setting the root password for my Linux image using the following in the local.conf file:
INHERIT += "extrausers"
EXTRA_USERS_PARAMS = "usermod -p '\$6\$...' root;"
This works correctly, as expected.
But now I found that in Linux 5.10, to authenticate a user, I cannot check /etc/shadow; instead I need to use the libpam module. So I did the following to add libpam to my Linux image:
In my initramfs recipe I added libpam to PACKAGE_INSTALL.
Added pam to DISTRO_FEATURES_append.
Now, when I flash this new image, the root user does not have any password. Adding libpam is somehow removing the password set using extrausers...
Is there a way to set the password in the image using libpam? Or is there something I am doing wrong when using extrausers and adding libpam to my image?
Since I couldn't get an answer here or on the GitHub issues of libpam, I gave up trying to make libpam work for me.
I decided to use the /etc/shadow file. I removed extrausers and instead set the password manually in the shadow file using the following:
ROOTFS_POSTINSTALL_COMMAND += "set_root_password;"
set_root_password () {
sed -e "s/root::/root:\$6\$...:/" -i ${IMAGE_ROOTFS}/etc/shadow
}
Now I don't need libpam and can keep authenticating users to my Redfish server using the shadow file.
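An added example, not from the original post, showing the same shadow-file approach as a stand-alone POSIX shell function that can be tried on a constructed file before being wired into ROOTFS_POSTINSTALL_COMMAND. Unlike the root:: pattern above, it replaces whatever is in root's password field (empty, a lock marker such as ! or *, or an old hash) and rewrites the file in place so its ownership and mode are kept; the hash value is a constructed placeholder.

```shell
#!/bin/sh
# Added example (not from the original post): set root's password hash in a
# shadow file. Unlike matching "root::", this replaces whatever is already in
# the password field, so a locked account ("!" or "*") or a stale hash is
# also overwritten. The hash used below is a constructed placeholder.

set_root_password() {
    shadow="$1"
    hash="$2"
    # In a sed replacement only '&', '\' and the delimiter are special, so the
    # '$' in a crypt hash needs no escaping here; escape the other two anyway.
    # Pass the hash in single quotes so the shell never sees $6 as a parameter.
    safe=$(printf '%s' "$hash" | sed 's/[&\\]/\\&/g')
    tmp=$(mktemp) || return 1
    sed "s|^root:[^:]*:|root:${safe}:|" "$shadow" > "$tmp" || { rm -f "$tmp"; return 1; }
    # Copy back over the original so its owner and restrictive mode survive.
    cat "$tmp" > "$shadow"
    rm -f "$tmp"
}

root_field() {
    # Print the password field of root's shadow entry (for checking the result).
    awk -F: '$1 == "root" { print $2 }' "$1"
}

# Demo on a constructed shadow file with a locked root account.
demo=$(mktemp)
printf 'root:!:19000:0:99999:7:::\nuser:*:19000:0:99999:7:::\n' > "$demo"
set_root_password "$demo" '$6$constructedsalt$constructedhash'
root_field "$demo"    # → $6$constructedsalt$constructedhash
rm -f "$demo"
```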
I am trying to find out how to create a new user in OpenShift Enterprise.
According to the documentation (on https://docs.openshift.com/enterprise/3.0/architecture/core_concepts/projects_and_users.html):
Regular users are created automatically in the system upon first login...
This sounds illogical. How does a user log in if they don't have a username and password?
Can someone please clarify this? I'm sure there must be some command for creating a new user, but it is not clear.
Thanks
The OpenShift master-config (/etc/openshift/master/master-config.yaml) describes the configuration about authentication. By default the master-config shows something like this for the authentication-part:
identityProviders:
- challenge: true
  login: true
  name: anypassword
  provider:
    apiVersion: v1
    kind: AllowAllPasswordIdentityProvider
This means that every user with every password can authenticate. By performing oc get users as system:admin you'll see all the users.
This configuration is not recommended. You're able to configure another form of authentication (htpasswd, ldap, github, ...).
I'm using htpasswd. So then you have to create a file (with htpasswd) which will contain your username + encrypted password. After that you'll need to edit your master-config.yaml. You have to tell it to use HTPasswdPasswordIdentityProvider and link to your file.
You can find those steps here. Don't forget to restart your OpenShift master after performing those steps: sudo service openshift-master restart (origin-master for origin).
After creating users you can assign roles to them.
Log in with the default admin (system:admin) and assign roles.
I am creating a script for simply adding a user in OpenShift using HTPasswdPasswordIdentityProvider:
wget https://github.com/stedolan/jq/releases/download/jq-1.5/jq-linux64
mv jq-linux64 jq && chmod 755 jq
# Extract the htpasswd file path from the master config (safe_load: the config is data, not code)
FILE=$(python3 -c 'import sys, yaml, json; y=yaml.safe_load(sys.stdin.read()); print(json.dumps(y, indent=4, sort_keys=True))' < /etc/origin/master/master-config.yaml | ./jq '.oauthConfig.identityProviders[0].provider.file')
FILE=$(sed -e 's/^"//' -e 's/"$//' <<<"$FILE")
htpasswd $FILE user1
ubuntu#ubuntu-14-lts:~$ export OS_USERNAME=admin
ubuntu#ubuntu-14-lts:~$ export OS_TENANT_NAME=admin
ubuntu#ubuntu-14-lts:~$ export OS_PASSWORD=admin
ubuntu#ubuntu-14-lts:~$ export OS_AUTH_URL=http://localhost:35357/v2.0/
Executed the command to create the admin tenant:
ubuntu#ubuntu-14-lts:~$ sudo keystone tenant-create --name admin --description "Admin Tenant"
Got the below error:
Expecting an auth URL via either --os-auth-url or env[OS_AUTH_URL]
Modified the URL:
ubuntu#ubuntu-14-lts:~$ export OS_AUTH_URL="http://localhost:35357/v2.0/"
Re-ran the same command and the same error was thrown:
ubuntu#ubuntu-14-lts:~$ sudo keystone tenant-create --name admin --description "Admin Tenant"
Expecting an auth URL via either --os-auth-url or env[OS_AUTH_URL]
Is there any issue in running the command?
The issue is probably with sudo: sudo may not maintain environment variables. It depends on the configuration.
Why do you need sudo anyway? The keystone command does not require it. Either drop sudo, or add
--os-auth-url http://localhost:35357/v2.0/
to your command. You can also do
sudo -E keystone ...    # -E preserves the caller's environment (if the sudoers policy allows it)
You have failed to create a new user or tenant because you have no access to keystone... just like you need to log in to MySQL to create new tables, the same applies here. The following steps will help you through:
# unset OS_SERVICE_TOKEN OS_SERVICE_ENDPOINT
# keystone --os-username=ADMIN_USERNAME --os-password=ADMIN_PASSWORD --os-auth-url=http://controller:35357/v2.0 token-get
# source admin_creds    # the file where you have saved the admin credentials
# keystone token-get
# source creds          # the other file where you have backed up your admin credentials
Now you can run your keystone commands normally. Please put a tick mark if it helped you! lol
My Piston application works correctly when I run it locally with the python manage.py runserver command but returns
urllib2.HTTPError: HTTP Error 403: FORBIDDEN
under Apache. How can I debug a django-piston application?
I usually debug Piston apps by:
Setting my handlers to use Basic Authentication, even if I'm normally using something else.
Using curl to make requests.
Using pdb (or ipdb) to set a breakpoint in my handler if desired.
You can conditionally change to BasicAuthentication like this:
from django.conf import settings
from piston.resource import Resource

auth = {'authentication': WhateverYouAreUsingForAuthentication(realm="YourSite")}
if getattr(settings, "API_DEBUG", None):
    # Swap in HTTP Basic auth so curl -u can authenticate while debugging
    from piston.authentication import HttpBasicAuthentication
    auth = {'authentication': HttpBasicAuthentication(realm="Spling")}
some_handler = Resource(SomeHandler, **auth)
To pass a username and password using curl, use the -u option:
curl -u username:password http://localhost:8000/api/some/endpoint/
So in your local settings module, just set API_DEBUG=True whenever you want to use basic auth.