On Payara v5.184
Is it possible to create a non-admin user in Payara that can manage apps? i.e. a non-admin user foo would be able to run just the below commands:
asadmin undeploy <app>
asadmin deploy <app>
asadmin list-applications
What would be the commands to create foo user and enable the above on this user?
This is currently not possible but there is a request for this feature:
https://github.com/payara/Payara/issues/1600
A possible workaround would be to wrap your adminconsole calls into a bash-script and create a user with the corresponding permission.
Related
TL;DR
How can I delegate my user permissions to a service principal in Azure Ad when the usual interactive way (e.g. web app with consent screen popup) is not feasible? This is because I cannot configure the MSI in the Azure Portal properly to work that way.
More detail
I want to grant an application permission to access the Graph API on behalf of a user. Usually, this is a well-documented scenario in which you create an app registration, acquire delegated user permissions by asking permission for the needed scopes, and then use these permissions in the app.
The app that needs Graph access is a background service that is to work on its own without user intervention/activity. For this use case, the common approach is to use application permissions. In my case this is not feasible, because application permissions require admin-consent and are all-or-nothing kind of permissions. There is no way this will be granted for me. Rightfully so, because its overkill.
But on the other hand that's really a pity. A pity, because I've found an example on how to assign Graph API application permissions directly to a Managed Service Identity rather than to a self-registered app. And my service (as an Azure Functions app) already has a MSI assigned to it. So this would be the perfect fit, b then again, there is no way I'll get those application permissions.
So what is the workaround? We have this one user principal which has all the required permissions we need for our background service. What I want to do is to delegate this user's permissions to the Function App/MSI. In order to do this, I used this SPA-template by the MSAL team to have something that will prompt me the permissions popup.
This however failed because the implicit oauth flow was not enabled. To remedy this, you usually need to update the app manifest in the portal. However, since this is a MANAGED service identity, and not a self-registered one, the MSI is not listed in the portal under app registrations. So I cannot set this property to true.
Doing the same via Azure CLI also failed because apparently the MSI is not identified as an app.
az ad app update --oauth2-allow-implicit-flow true --id <appId_of_MSI>
This yields the following error:
ResourceNotFoundError: Resource '<appId_of_MSI>' does not exist or one of its queried reference-property objects are not present.
It shows fine when doing this
az ad sp show --id <appId_of_MSI>
So in summary: I cannot complete the process of delegating that user's permissions interactively. Is there any other way? Maybe via CLI?
The fallback the solution is to create a separate unmanaged/self-registered app identity. But I want to really avoid this because then I would need to manage and rotate client (app) credentials again, which the MSI took care of for me.
Why o why can't I just assign fine-scoped application permissions 😒
Any help on this is greatly appreciated. Cheers.
In my experience Managed Identities don't support the scenario you are suggesting.
They do not have an app registration and in that way cannot authenticate users interactively.
I would go with your fallback solution; a normal app registration and use that to access Graph API on behalf of the user.
This is what we do in our projects at least.
App permissions -> Managed Identity if possible. Delegated permissions -> normal app registration + secret/certificate in Key Vault, retrieved with Managed Identity.
I have an Episerver Application. But I am unable to access any page of it. As this is redirecting me to /util/login.aspx page all time and I do not have the Login credentials with me this time.
Is there any way to skip that authentication or fake login using any other technique.
thanks.
Unless if you have an SQL provider for authentication the username and password will come from the domain or local computer.
If you are running an epi site locally you typically configure it to use the login credentials (i.e. windows role and membership) from your local computer.
Read more at https://world.episerver.com/documentation/developer-guides/CMS/security/Authentication-and-authorization/
Does the "Everyone" user group have Read permission for the pages?
If you're running the site locally, you can skip authentication altogether by modifying the applicable <location /> element(s) in web.config, allowing you into admin mode to validate permissions.
I am able to connect to my instance using gcloud compute ssh instance-1 --zone us-east1-b.
Once I log-in, I see this: wendy#instance-1. And when I ls, I don't see my files.
If I ssh using the online webpage
I seethe following:
randy#instance-1. And when I ls, I do see my files.
Ok. Both are under the same google email account, and has the same Internal IP: 10.142.0.2
My question is, how do I log-in using gcloud command, into randy#instance-1?
You can also specify a user when using the gcloud compute ssh command:
gcloud compute ssh [USER#]INSTANCE
If you omit a user, the default one will be used, which is from the environment.
Open a command prompt / shell. The execute the following command to list the users that are configured for the CLI:
gcloud auth list
The account that is the current account has the asterisk in the left column. If that is the wrong account, or to just make sure, re-authenticate:
gcloud auth login.
Use the correct credentials to login to Google Accounts.
Now you will be able to gcloud compute ssh and be logged in with the correct user credentials.
I wrote an article on Google account configurations that goes deeper into how multiple credentials are managed by the CLI and SDK.
Understanding Gcloud Configurations
My understanding is that Google automatically creates and adds a user to the newly created VMs using your Gmail name & surname as username in the name_surname format. You can see this in google cloud console -> compute engine -> metadata -> ssh keys
Google manages the private key for this account so I'm not aware of any way of connecting to this account other than the cloud console.
However you can still access to your files after you login with gcloud command. Just do sudo su and you will become root user. Then you can copy files from /home/wendy to /home/randy.
you do have two option
Fisrt is to authenticate with the right user account by running the gcloud command
gcloud auth login
And use the "randy" user account in this case, then use the gcloud command normally to ssh.
gcloud compute ssh instance-1 --zone us-east1-b
Second option is to SSH directly with the appropriate username from this documentation by running the gcloud command below.
gcloud compute ssh [USER#]INSTANCE [--zone=ZONE]
One thing, you could easily recover or copy your files by switching to the root user (you need just to run the command line "sudo su -" or "sudo -i")
If you're already logged in, and maybe don't have the option to choose a username during login (e.g. when using the iOS app), you can also use
sudo su [username]
to switch the username from an existing session.
I'm facing some permission problems with the google cloud. Whenever I try to setup a new app engine, I receive the following message:
You don't have permission to create an App Engine application in this project.
According to our administrator, all available app engine roles are assigned to my account.
Any ideas?
Greetings,
Sebastian
You need this permission:
appengine.applications.create
If you try to create an appit within the console:
~ $ gcloud app create
you will get exactly the this permission role missing but incredibly this permission is not assigned by default to the administrator.
Thus, either create a new Role with this permission or just add this permissions to any role you already have
You probably have an IAM role on the project that doesn't include access to App Engine.
https://cloud.google.com/iam/docs/understanding-roles
You can ask the project owner what role you have on the project (unless you are a project Owner, Editor or Viewer, in which case you can see your role on the Permissions page).
I also got this error. It seems you need to be Project Owner to be able to create App Engine applications.
You need to have the App Engine API enabled.You need to have the app engine deployer or admin role. And you need to be the project Owner, not just the project editor.
See: https://cloud.google.com/appengine/docs/admin-api/access-control
apps.create appengine.applications.create on the requested Application resource. Requires Owner role permissions on GCP project.
Is it possible to deploy an app to google appengine without it asking everytime for email/password, with a schema like the used by ssh trusted connection (using stored secure keys)?
This is kind of what I was looking for:
https://developers.google.com/appengine/docs/python/tools/uploadinganapp#oauth
basically, you add this parameter to the command line:
appcfg.py --oauth2 update myapp/
and it redirects to a browser, you authenticate there and it stores a token so you don't need to login each time