I have a Kubernetes cluster with kube-prometheus-stack (which includes Grafana) deployed via Helm. I am trying to set up single sign on (SSO) to Grafana using AzureAD. I've found the Grafana configuration pages (https://grafana.com/docs/grafana/v9.0/setup-grafana/configure-grafana and https://grafana.com/docs/grafana/v9.0/setup-grafana/configure-security/configure-authentication/azuread/) and I think I have an initial idea of what I need to add to my Helm chart's values.yaml file.
There are some details, however, that I am not sure about. If I had access to the "schema" for this configuration, that might help me figure this out. Unfortunately, I have been unable to find anything that defines this. There are examples, but I cannot find anything that describes what the fields mean. Also, keep in mind that everything I have found shows examples for the grafana.ini file. I need to "translate" this to YAML for the values.yaml file used by the Helm chart.
Here is an example:
...
[auth.azuread]
name = Azure AD
enabled = true
allow_sign_up = true
client_id = APPLICATION_ID
client_secret = CLIENT_SECRET
scopes = openid email profile
auth_url = https://login.microsoftonline.com/TENANT_ID/oauth2/v2.0/authorize
token_url = https://login.microsoftonline.com/TENANT_ID/oauth2/v2.0/token
allowed_domains =
allowed_groups =
role_attribute_strict = false
I have translated this into the following YAML:
auth.azuread:
name: Azure AD
enabled: true
allow_sign_up: true
client_id: APPLICATION_ID
client_secret: CLIENT_SECRET
scopes: openid email profile
auth_url: https://login.microsoftonline.com/TENANT_ID/oauth2/v2.0/authorize
token_url: https://login.microsoftonline.com/TENANT_ID/oauth2/v2.0/token
allowed_domains:
allowed_groups:
role_attribute_strict: false
I suspect that scopes expects a list based on its plurality, but how can I be sure? Also, what are the valid values? Apparently openid, email and profile are valid, but what do these values represent and are there others? On a similar note, what do allowed_domains and allowed_groups expect?
I've tried to find a reference for the Grafana configuration data structure and definition, but have not had any luck. Does anyone have an idea where (if) this can be found?
Related
I successfully installed and ran a couple of circuits on a backend the other day (essex).
Everything was ok, results came up, but the next day, once I wanted more QC, I could not manage to get a provider.
I have looked into my account (active), looked into the package (up-to-date), and a new file in the project. I also already disabled and enabled the account without problems, but I keep having this error.
Code
from qiskit import IBMQ
IBMQ.active_account()
IBMQ.providers()
provider = IBMQ.get_provider(hub='ibm-q', group='open', project='main')
and I get:
>~/my_environment_name/lib/python3.7/site-packages/qiskit/providers/ibmq/ibmqfactory.py in get_provider(self, hub, group, project)
425 raise IBMQProviderError('No provider matches the specified criteria: '
426 'hub = {}, group = {}, project = {}'
--> 427 .format(hub, group, project))
428 if len(providers) > 1:
429 raise IBMQProviderError('More than one provider matches the specified criteria.'
IBMQProviderError: 'No provider matches the specified criteria: hub = ibm-q, group = open, project = main'
I would like to know where I am wrong, I look forward to keep learning thru the backends efficiently.
Thank you in advance
This means that there is no provider that matches all the criteria you specified, so in that hub, group and project. This could be because your account hasn't loaded correctly, so check to see if anything is returned from IBMQ.providers(). If there isn't anything load your account using IBMQ.load_account(). The other issue could be that there are genuinely no backends that meet those criteria, so try running IBMQ.get_provider() instead.
Try to use API token to enable your IBMQ account.
from qiskit import IBMQ
provider = IBMQ.enable_account("your-api-key") # We load our account
provider.backends() # We retrieve the backends to check their status
for b in provider.backends():
print(b.status().to_dict())
Create IBM Quantum account if you don't have one, then use the API token that available in the dashboard as enable_account() method argument to resolve this issue.
For More: https://quantum-computing.ibm.com/lab/docs/iql/manage/account/ibmq
https://quantum-computing.ibm.com/
https://www.ibm.com/account/reg/us-en/signup?formid=urx-19776&target=https%3A%2F%2Flogin.ibm.com%2Foidc%2Fendpoint%2Fdefault%2Fauthorize%3FqsId%3D70b061b4-7c64-4545-a504-a8871f2d414f%26client_id%3DN2UwMWNkYmMtZjc3YS00
I am using MSAL to validate a user against Microsoft Azure AD and am getting a valid token back.
The MSAL library is handing me back a User object which contains a property called userIdentifier.
This is a string, not a GUID.
The documentation says to use a field called oid to uniquely identify users across the Microsoft Identity platform. I have this property available under User.idToken.oid.
This value is a GUID as the documentation says.
My question is, what is this User.userIdentifier and should I be using this? I need to know what to store on the database side to tie this local user to an Azure AD user.
For clarity's sake it is advised to use the accountIdentifier property as it will always be populated, even in the edge cases where oid might not be available:
const accountIdentifier: string = idToken.objectId || idToken.subject;
More info on GitHub.
Looking at the source code (https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-core/src/Account.ts), there is no userIdentifier, but there is an accountIdentifier.
Could be yours is an older version, in which case this might not be correct for that.
// create accountIdentifier
const accountIdentifier: string = idToken.objectId || idToken.subject;
It is either the oid or sub claim, whichever has a value.
If you want the oid, you should get it from the idTokenClaims property on Account.
I am using the python3.7.2 module simple-salesforce==0.74.2 and I am having trouble trying to establish a connection to my salesforce sandbox. I can login to the salesforce production with the same credentials just fine like so:
from simple_salesforce import Salesforce
sf = Salesforce(username='user#domain.com', password='pswd', security_token='mytoken')
Okay cool. Now I attempt to login to my sandbox with the following:
sf = Salesforce(username='user#domain.com.sandbox_name', password='pswd', security_token='mytoken', sandbox=True)
And I get the error:
simple_salesforce.exceptions.SalesforceAuthenticationFailed:
INVALID_LOGIN: Invalid username, password, security token; or user
locked out.
So I tried logging in with a different method:
sf = Salesforce(username='user#domain.com.sandbox_name', password='pswd', security_token='mytoken', domain='sandbox_name')
And this gave a different error:
requests.exceptions.ConnectionError:
HTTPSConnectionPool(host='sandbox_name.salesforce.com', port=443): Max
retries exceeded with url: /services/Soap/u/38.0 (Caused by
NewConnectionError(': Failed to establish a new connection: [Errno 8]
nodename nor servname provided, or not known'))
I am using a Developer sandbox, named sandbox_name, following salesforce's instructions. Can someone give some advice on what I am doing incorrectly?
Solved. Set domain='test' and generate a new token under your sandbox account
this didn't work for me, but what did was:
`sf = Salesforce(
username='my.email#test.com',
password='sadfd8d8d8',
security_token='d8d8asd8f8d8',
instance_url='https://my-dev-org-instance-dev-ed.my.salesforce.com')`
The advice here may be a bit deprecated. After a bit of tinkering, I was able to get the simple_salesforce library working with the Salesforce sandbox on a custom domain with the following code. Note the domain that I am passing to the api as well the sand_box name that needs to be appended to the username.
from simple_salesforce import Salesforce
USER = "user#domain.com.sandbox_name"
PASS = "pass"
SEC_TOKEN = "token"
DOMAIN = "<domain>--<sandbox_name>.<instance>.my"
sf = Salesforce(username=USER, password=PASS, security_token=SEC_TOKEN, domain=DOMAIN)
I'm facing a difficulty to understand how scopes work.
I found here a small text that describes the scopes of stackexchange api but i need more information on how they work (not specifically this one...). Can someone provide me a concept?
Thanks in advance
To authorize an app you need to call a URL for the OAuth2 authorization process. This URL is "living" in the API's provider documentation. For example Google has this url:
https://accounts.google.com/o/auth2/auth
Also you will need to specify a few query parameters with this link:
cliend_id
redirect_uri
scope: The data your application is requesting access to. This is typically specified as a list of space-delimited string, though Facebook uses comma-delimited strings. Valid values for the scope should be included in the API provider documentation. For Gougle Tasks, the scope is https://www.googleapis.com/auth/tasks. If an application also needed access to Google Docs, it would specify a scope value of https://www.googleapis.com/auth/tasks https://docs.google.com/feeds
response_type: code for the server-side web application flow, indivating that an authorization code will be returned to the application after the user approves the authorization request.
state: A unique value used by your application in order to prevent cross-site request forgery (CSRF) attacks on your implementation. The value should be a random unique string for this particular request, unguessable and kept secret in the client (perhaps in a server-side session)
// Generate random value for use as the 'state'. Mitigates
// risk of CSRF attacks when this value is verified against the
// value returned from the OAuth provider with the authorization
// code.
$_SESSION['state'] = rand(0,999999999);
$authorizationUrlBase = 'https://accounts.google.com/o/oauth2/auth';
$redirectUriPath = '/oauth2callback.php';
// For example only. A valid value for client_id needs to be obtained
// for your environment from the Google APIs Console at
// http://code.google.com/apis/console.
$queryParams = array(
'client_id' => '240195362.apps.googleusercontent.com',
'redirect_uri' => (isset($_SERVER['HTTPS'])?'https://':'http://') .
$_SERVER['HTTP_HOST'] . $redirectUriPath,
'scope' => 'https://www.googleapis.com/auth/tasks',
'response_type' => 'code',
'state' => $_SESSION['state'],
'approval_prompt' => 'force', // always request user consent
'access_type' => 'offline' // obtain a refresh token
);
$goToUrl = $authorizationUrlBase . '?' . http_build_query($queryParams);
// Output a webpage directing users to the $goToUrl after
// they click a "Let's Go" button
include 'access_request_template.php';
The set of query string parameters supported by the Google Authorization Server for web server applications are here:
https://developers.google.com/accounts/docs/OAuth2WebServer?hl=el#formingtheurl
I am using iOS 6 Social framework for accessing user's Facebook data. I am trying to get likes of the current user within my app using ACAccount and SLRequest. I have a valid Facebook account reference of type ACAccount named facebook, and I'm trying to get user's likes this way:
SLRequest *req = [SLRequest requestForServiceType:SLServiceTypeFacebook requestMethod:SLRequestMethodGET URL:url parameters:nil];
req.account = facebook;
[req performRequestWithHandler:^(NSData *responseData, NSHTTPURLResponse *urlResponse, NSError *error) {
//my handler code.
}
where url is #"https://graph.facebook.com/me/likes?fields=name"; In my handler, I'm getting this response:
{
error = {
code = 2500;
message = "An active access token must be used to query information about the current user.";
type = OAuthException;
};
}
Shouldn't access tokens be handled by the framework? I've found a similar post Querying Facebook user data through new iOS6 social framework but it doesn't make sense to hard-code an access token parameter into the URL, as logically the access token/login checking should be handled automatically by the framework. In all examples that I've seen around no one plays with an access token manually:
http://damir.me/posts/facebook-authentication-in-ios-6
iOS 6 Facebook posting procedure ends up with "remote_app_id does not match stored id" error
etc.
I am using the iOS6-only approach with the built in Social framework, and I'm not using the Facebook SDK. Am I missing something?
Thanks,
Can.
You need to keep a strong reference to the ACAccountStore that the account comes from. If the store gets deallocated, it looks like it causes this problem.
Try running on an actual device instead of a simulator. This worked for me.
Ensure that your bundle id is input into your Facebook app's configuration. You might have a different bundle id for your dev/debug build.