I can not properly configure access rights.
Once the rule does not seem to work. some directory - as it should be and some not.
I have a repository in two folders - one, two.
three users - admin, user, guest.
Rights needed are:
admin - read and write to the /
user, guest - read and write only in one folder
I wrote in svnserve.conf:
anon-access = none
auth-access = write
authz-db = /svn.acl
Added to the file /etc/apache2/conf.d/svn:
AuthzSVNAccessFile /etc/apache2/svn.acl
File svn.acl:
[/]
admin = rw
* =
[/one]
user,quest = rw
[/two]
admin = rw
* =
in the end user still sees the two directory !
what could be wrong?
Just as with UNIX directory permissions, users can see that a directory they don't have permission to access exists, but they cannot see the contents of that directory. No user should be able to see inside /two.
Related
I have 100+ private git repos in Bitbucket and want to allow access to read them for new private user. It is terrible to set this access to each separate repo. Is it possible to select several repos and allow access to them by one operation? May be it is possible to do this by loop and curl in bash using REST api of the Bitbucket?
Thanks for the answer in advance!
This code uses stashy - a python client for Bitbucket Server.
It may needs small modifications per the project's structure of your server.
#!/usr/bin/python
import stashy
import requests
from requests.auth import HTTPBasicAuth
# User to be granted access to
user = ""
bitbucket_url = "https://SERVER_URL"
bitbucket_username= "<bitbucket_username>"
bitbucket_passwd = "<pass>"
header = {'content-type': 'application/json'}
"""
Promote or demote a user's permission level.
Depending on context, you may use one of the following set of permissions:
project permissions:
* PROJECT_READ
* PROJECT_WRITE
* PROJECT_ADMIN
"""
permission = "PROJECT_READ"
stash = stashy.connect(bitbucket_url, bitbucket_username, bitbucket_passwd)
for project in stash.projects.list():
print("granting "+bitbucket_username+" access "+permission+" access to "+project["name"])
print(stash.projects[project["key"]].permissions.users.grant(user,permission))
https://gist.github.com/ibidani/9ae06c690fb32ee09aa6bb5480c18325
I want to change permission of created DL folder in liferay through java class: let us consider foldername id "temp"
You need to get the folder 'temp':
Folder tempFolder = dlAppLocalService.getFolder(groupId, parentFolderId, "temp");
and you have to set the permisssions for the 'tempFolder' resource.
For instance, if you want to set VIEW permission to GUEST role:
Role guestRole = roleLocalService.getRole(companyId, RoleConstants.GUEST);
resourcePermissionLocalService.setResourcePermissions(companyId, DLFolder.class.getName(), ResourceConstants.SCOPE_INDIVIDUAL, String.valueOf(tempFolder.getFolderId()), guestRole.getRoleId(), new String[]{"VIEW"});
You can see the complete API here
https://docs.liferay.com/portal/6.2/javadocs/com/liferay/portal/service/ResourcePermissionLocalServiceUtil.html
Best regards
You can use ResourcePermissionLocalServiceUtil service to give permission to your DlFolder as below :
ResourcePermissionLocalServiceUtil.setResourcePermissions(companyId,DLFolder.
class.getName(),ResourceConstants.SCOPE_INDIVIDUAL,""+
folder.getFolderId(), roleId, permissions);
Fins details on it from here!
Using sssd I have a RHEL6 client configured to login using ldaps. The login works, but if the user logged is assigned to more than 1 group at the ldap level, groups only returns 1 group? Could I be missing a configuration somewhere?
The group shown is the default group assigned to the user. In RHEL5 client, the group command display all the groups that are assigned to the user.
In general the things to check are:
1) Is the LDAP schema the one you want to use? (RFC2307 vs RFC2307bis). The former stores the plain username in the "memberuid" attribute, the latter (used by AD for instance) stores the full DN in the "member" attribute.
2) Are the search bases set correctly?
If you can paste the RHEL6 and RHEL5 config files for comparison, that would be great. Feel free to sanitize/remove info like bind DNs, passwords or URIs.
I was able to spend some time today and was able to fix the issue. RHEL 6 uses sssd. The configuration file /etc/sssd/sssd.conf had to be changed to have the following in the domain/default section
ldap_search_base = dc=domain,dc=something,dc=com
ldap_group_member = uniquemember
Is the missing changes in the default config.
[domain/default]
ldap_tls_reqcert = never
auth_provider = ldap
ldap_schema = rfc2307bis
krb5_realm = EXAMPLE.COM
ldap_search_base = dc=domain,dc=something,dc=com
ldap_group_member = uniquemember
id_provider = ldap
ldap_id_use_start_tls = False
chpass_provider = ldap
ldap_uri = ldaps://yourldap.server.com/
ldap_chpass_uri = ldaps://yourldap.server.com/
krb5_kdcip = kerberos.example.com
cache_credentials = True
ldap_tls_cacertdir = /etc/openldap/cacerts
entry_cache_timeout = 600
ldap_network_timeout = 3
ldap_access_filter = (&(objectclass=shadowaccount)(objectclass=posixaccount))
I need to keep some data/files inside the layouts folder. My SharePoint project is "MyProject"
Hence the directory structure includes
"C:\Program Files\Common Files\microsoft shared\Web Server Extensions\14\TEMPLATE\LAYOUTS\MyProject"
Now I need to programmatically create a new folder called "Data". But I get "Access Denied" error.
SPSecurity.RunWithElevatedPrivileges(delegate
{
String path = SPUtility.GetGenericSetupPath(String.Empty) + "TEMPLATE\\LAYOUTS\\MyProject\\Data";
bool IsExists = System.IO.Directory.Exists(path);
if (!IsExists)
System.IO.Directory.CreateDirectory(path);// Access denied!
});
Can anyone tell me why I am getting the access denied ? even though I have wrapped my code inside RunWithElevatedPrivileges?
I've tried you code and work well.
There should be something with Window Folder security settings. On my folder I have next users with read/write permissions:
Creator owner - special permissions
System - Full control
WSS_ADMIN_WPG - All but full control and special permissions
Current user (farm admin) - Full control
If nothing helps try to add everyone in read/write access temporary! just to check if it is really security issue!
Hope it helps,
Andrew
Our SVN administrator is on holidays, and I need to add a new user to subversion.
We're using Collabnet Subversion on a RedHat box.
I've found the CollabNet_Subversion/conf/ directory with all the configuration files, including an auth file that I can see contains all our users and the groups that they belong to.
All our users need to log in with their LDAP credentials, so I don't need to change any of that.
It looks something like this:
company_auth_production
`[groups]
it-leads = jsmith, hsimpson, pgriffin
it-all = ajolie, rwitherspoon, #it-leads
[/]
* =
[prod:/]
#it-all = rw
`
So I added the new user and restarted subversion. But that doesn't seem to have done the trick. Am I missing something else ? Thanks
a. You have mention that there is "company_auth_production" file. Please check if there is some other authorization file, probably "authz". Can you please provide more information on this.
As per the structure in your file
[prod:/]
#it-all = rw
should have given the read write access to all the users of "it-all" till the path "prod".
b. If this is not working then please try using "VisualSVN Server". It has a very nice gui to add users and give them priviledges also.
Hope this helps.
In your apache Configuration is usually a require directive (eg "require group" or "require user"). Often there is a specific group which user has to belong to access svn (eg svnusers, etc...)