Wildfly-swarm 8.5.0 creates a system property instead of a root element - wildfly-swarm

I have the following block in my yml config file:
access-control:
  provider: rbac
  role-mapping:
    role:
      "guest":
        include:
          user:
            "buddy"
When I build my project, the entries below are added to the generated standalone-full.xml
<system-properties>
  <property name="swarm.management.access-control.role-mapping.role.guest.include.user" value="buddy"/>
  <property name="swarm.management.access-control.provider" value="rbac"/>
</system-properties>
The problem is that I expected the following node to be generated:
<access-control provider="rbac">
  <role-mapping>
    <role name="guest">
      <include>
        <user name="buddy"/>
      </include>
    </role>
  </role-mapping>
</access-control>
Any ideas?

Looks like you are trying to configure role-based access control to the management interface. This is not for the application itself. Is that what you really want? I wouldn't expect mgmt RBAC to be used with WildFly Swarm.
If that's what you really want, here's the JBoss EAP documentation that explains all the concepts: https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.1/html-single/how_to_configure_server_security/#role_based_access_control
To translate it to the WildFly Swarm YAML, based on http://docs.wildfly-swarm.io/2018.5.0/#_management, I believe what you need is something like this (note that I didn't try it :-) ):
swarm:
  management:
    security-realms:
      ManagementRealm:
        in-memory-authentication:
          users:
            albert: # creating a user in the mgmt realm
              password: einstein
    authorization-access:
      provider: rbac
      role-mappings:
        Operator: # one of the pre-defined roles, can't create new ones
          includes:
            user-albert: # by convention, should always be user-xxx or group-xxx
              name: albert
              type: user
But I'll repeat, I don't think you actually want this. If you could describe your usecase, I might be able to help better.

Related

How to set presto.s3.xxx properties when running flink from an IDE?

I'm able to successfully run my flink job which saves to S3 using ./bin/flink run ....
For this to work, I had to copy the flink-s3-fs-presto jar to my $FLINK_HOME/lib folder and I also had to configure my S3 connection details in my flink-conf.yaml:
You need to configure both s3.access-key and s3.secret-key in Flink’s
flink-conf.yaml:
s3.access-key: your-access-key
s3.secret-key: your-secret-key
Source: flink aws docs
I also had to set a property s3.endpoint because I'm using S3 from IBM Cloud.
This all works fine when I run using ./bin/flink run.
However, when I try to run my job from my IDE (IntelliJ), I get the following error:
org.apache.flink.runtime.client.JobExecutionException: Cannot initialize task 'DataSink (TextOutputFormat (s3://xxxx/folder) - UTF-8)': Unable to load credentials from service endpoint
I've set an environment variable in the IDE run job, FLINK_CONF_DIR to point to my flink-conf.yaml and I can see that my configuration properties are picked up:
11:04:39,487 INFO org.apache.flink.configuration.GlobalConfiguration - Loading configuration property: s3.access-key, ****
11:04:39,487 INFO org.apache.flink.configuration.GlobalConfiguration - Loading configuration property: s3.secret-key, ****
11:04:39,487 INFO org.apache.flink.configuration.GlobalConfiguration - Loading configuration property: s3.endpoint, s3-api.us-geo.objectstorage.softlayer.net
However, I'm getting an error that suggests these properties are not getting passed to the presto library when I run from my IDE:
Caused by: org.apache.flink.fs.s3presto.shaded.com.amazonaws.SdkClientException: Unable to load credentials from service endpoint
Also, to validate this theory, if I step through the code when running from the IDE, I can see that my endpoint property is not applied:
... and drilling into the Hadoop configuration, I can see that the flink configuration is an empty map:
Digging a bit deeper, I can see that the org.apache.flink.core.fs.FileSystem#getUnguardedFileSystem() is creating a new empty Configuration:
// this "default" initialization makes sure that the FileSystem class works
// even when not configured with an explicit Flink configuration, like on
// JobManager or TaskManager setup
if (FS_FACTORIES.isEmpty()) {
    initialize(new Configuration());
}
How can I configure the s3.access-key, s3.secret-key and s3.endpoint properties when running from an IDE?
Simply calling
FileSystem.initialize(GlobalConfiguration.loadConfiguration(System.getenv("FLINK_CONF_DIR")));
before
env.execute()
will solve the issue.
Remember you still have to put your secret key and access key in flink-conf.yaml.
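The same fix as a complete, runnable driver, added here as an example (it is not the answer's code and not part of the Flink project): it loads flink-conf.yaml from FLINK_CONF_DIR, refuses to start if the directory or the two S3 keys are missing (naming only the key, never its value, in the error), and calls FileSystem.initialize before the first filesystem use so the presto S3 factory sees the keys. The class name, the bucket path and the tiny data set are placeholders.

```java
import org.apache.flink.api.java.ExecutionEnvironment;
import org.apache.flink.configuration.Configuration;
import org.apache.flink.configuration.GlobalConfiguration;
import org.apache.flink.core.fs.FileSystem;

public class S3JobFromIde {

    /** Load flink-conf.yaml from FLINK_CONF_DIR and fail fast if the S3 keys are absent. */
    static Configuration loadFlinkConf() {
        String confDir = System.getenv("FLINK_CONF_DIR");
        if (confDir == null || confDir.isEmpty()) {
            throw new IllegalStateException(
                "FLINK_CONF_DIR is not set; point it at the directory holding flink-conf.yaml");
        }
        Configuration conf = GlobalConfiguration.loadConfiguration(confDir);
        for (String key : new String[] {"s3.access-key", "s3.secret-key"}) {
            if (conf.getString(key, null) == null) {
                // Report the missing key name only; never echo a secret value into logs.
                throw new IllegalStateException("flink-conf.yaml in " + confDir + " lacks " + key);
            }
        }
        return conf;
    }

    public static void main(String[] args) throws Exception {
        Configuration conf = loadFlinkConf();

        // Without this call the FileSystem registry is initialised lazily with an
        // empty Configuration on first use, which is the behaviour seen in the IDE.
        FileSystem.initialize(conf);

        ExecutionEnvironment env = ExecutionEnvironment.getExecutionEnvironment();
        env.fromElements("a", "b", "c")
           .writeAsText("s3://example-bucket/folder"); // placeholder bucket and prefix
        env.execute("s3-from-ide");
    }
}
```

Run it from the IDE with FLINK_CONF_DIR set in the run configuration, exactly as in the question; the keys stay in flink-conf.yaml (keep that file out of version control) and are never copied into the source.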
create core-site.xml
<configuration>
  <property>
    <name>fs.s3.impl</name>
    <value>org.apache.hadoop.fs.s3a.S3AFileSystem</value>
  </property>
  <property>
    <name>fs.s3a.access.key</name>
    <value>xxxx</value>
  </property>
  <property>
    <name>fs.s3a.secret.key</name>
    <value>xxxxx</value>
  </property>
</configuration>
and add
import java.util.HashMap;
import java.util.Map;
import org.apache.flink.api.java.utils.ParameterTool;

Map<String, String> par = new HashMap<>();
// fs.hdfs.hadoopconf names the Hadoop configuration directory that holds core-site.xml
par.put("fs.hdfs.hadoopconf", "path to core-site.xml");
ParameterTool pt = ParameterTool.fromMap(par);
env.getConfig().setGlobalJobParameters(pt);

Tomcat 6.0.35 - how to bypass new CSRF protection on the manager application?

I have a command line script (actually a git post-checkout hook) that reloads my Solr application by doing a cURL to:
http://localhost:8080/manager/html/reload?path=/solr
Since I upgraded to Ubuntu 13.04, it now fails, where it used to work before the upgrade.
The cause of the problem is that my newer version of Tomcat (6.0.35), has some new CSRF protection and it now returns 403 Access Denied.
How can I solve the issue and bypass the CSRF protection?
More info:
My /etc/tomcat6/tomcat-users.xml file:
<?xml version='1.0' encoding='utf-8'?>
<tomcat-users>
  <role rolename="manager"/>
  <user username="tomcat" password="secret" roles="manager"/>
</tomcat-users>
The documentation for Configuring Manager Application access in tomcat mentions some new manager roles, however my error specifically mentions that the single "manager" role still exists for the moment (and I tried the other roles anyway without success).
(As I was writing the question, I found the answer.) Instead of cURLing to the HTML application, I needed to cURL to the "plain text interface".
i.e. instead of
http://localhost:8080/manager/html/reload?path=/solr
Use:
http://localhost:8080/manager/reload?path=/solr
It turns out:
The HTML interface is protected against CSRF but the text and JMX interfaces are not.
This fits with the new role called "manager-script". To ensure my app will work in the future I changed my /etc/tomcat6/tomcat-users.xml file:
<?xml version='1.0' encoding='utf-8'?>
<tomcat-users>
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <user username="tomcat" password="secret" roles="manager-gui,manager-script"/>
</tomcat-users>
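The text interface has no CSRF token because it is meant for scripts, not browsers; what guards it is HTTP Basic auth against a user holding manager-script, so the hook's credentials are the secret. The script below is an added example (not the poster's hook and not shipped with Tomcat) that reloads a context through the text interface with the credentials taken from the environment rather than written into the hook, and checks the reply: Tomcat answers the text commands with HTTP 200 and a single "OK - ..." or "FAIL - ..." line, so an unchecked curl would report success on a failed reload. The variable names TOMCAT_MANAGER_USER and TOMCAT_MANAGER_PASS and the function names are assumptions. Tomcat 6 serves the commands directly under /manager/, as in the answer; Tomcat 7 and later moved them to /manager/text/.

```sh
#!/bin/sh
# Added example: reload a Tomcat webapp through the manager text interface.
# TOMCAT_MANAGER_USER / TOMCAT_MANAGER_PASS are assumed environment variables.

# Classify the first line of a manager text reply.
# Returns 0 for "OK - ...", 1 for "FAIL - ...", 2 for anything else
# (an HTML login page or 403 body means the wrong interface or role).
manager_status() {
    case "$1" in
        "OK - "*)   return 0 ;;
        "FAIL - "*) return 1 ;;
        *)          return 2 ;;
    esac
}

# manager_reload CONTEXT_PATH [BASE_URL]
# Tomcat 6 exposes the text commands under /manager/; Tomcat 7+ under /manager/text/.
manager_reload() {
    ctx=$1
    base=${2:-http://localhost:8080}
    : "${TOMCAT_MANAGER_USER:?TOMCAT_MANAGER_USER not set}"
    : "${TOMCAT_MANAGER_PASS:?TOMCAT_MANAGER_PASS not set}"
    # --fail turns a 401/403 into a non-zero exit instead of an HTML body to parse;
    # --get with --data-urlencode builds the ?path=... query without hand-escaping.
    reply=$(curl -sS --fail --get \
        --user "$TOMCAT_MANAGER_USER:$TOMCAT_MANAGER_PASS" \
        --data-urlencode "path=$ctx" \
        "$base/manager/reload") || return 3
    first=$(printf '%s\n' "$reply" | head -n 1)
    manager_status "$first"
}

# Usage from the post-checkout hook (credentials come from the environment):
#   TOMCAT_MANAGER_USER=tomcat TOMCAT_MANAGER_PASS=... manager_reload /solr
```

Exit status 3 means the HTTP request itself was refused (wrong password, missing manager-script role, or the HTML interface's 403), while 1 means Tomcat accepted the command but the reload failed; both are distinguishable from a hook that just fires curl and moves on.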

To share a local host for go gae?

We are two people and I want my friend to be able to use my local host, but it is giving an error:
Runtime Error
Description: An application error occurred on the server. The current custom error settings for this application prevent the details of the application error from being viewed remotely (for security reasons). It could, however, be viewed by browsers running on the local server machine.
Details: To enable the details of this specific error message to be viewable on remote machines, please create a tag within a "web.config" configuration file located in the root directory of the current web application. This tag should then have its "mode" attribute set to "Off".
<configuration>
  <system.web>
    <customErrors mode="Off"/>
  </system.web>
</configuration>
Notes: The current error page you are seeing can be replaced by a custom error page by modifying the "defaultRedirect" attribute of the application's configuration tag to point to a custom error page URL.
<!-- Web.Config Configuration File -->
<configuration>
  <system.web>
    <customErrors mode="RemoteOnly" defaultRedirect="mycustompage.htm"/>
  </system.web>
</configuration>
Needless to say, we are using Python 2.7 and the appcfg.py command to run the app.
In order to access your site using the local address, either use Remote Desktop or remote desktop sharing via Chrome.
If your friend is on the same network, he can browse your application using your local IP address:
http://192.168.10.20/YourApplication.aspx
If your local IP is not accessible from other computers on the same network, change your network to Home Network and allow your IIS in the Firewall.

Arquillian and Tomcat6 issue

I have two questions regarding Arquillian and Tomcat:
-My arquillian tests fail with the following error message:
org.jboss.jsfunit.example.hellojsf.HelloJSFTest Time elapsed: 0 sec
<<< ERROR! org.jboss.arquillian.container.spi.ConfigurationException:
Unable to connect to Tomcat manager. The server command
(/deploy?path=%2Ftest) failed with responseCode (401) and
responseMessage (Non-Autorisé). Please make sure that you provided
correct credentials to an user which is able to access Tomcat manager
application. These credentials can be specified in the Arquillian
container configuration as "user" and "pass" properties. The user must
have appripriate role specified in tomcat-users.xml file.
FYI my arquillian.xml file is as follows:
<arquillian xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
            xsi:schemaLocation="http://jboss.org/schema/arquillian
            http://jboss.org/schema/arquillian/arquillian-1.0.xsd">
  <engine>
    <property name="deploymentExportPath">target/</property>
    <property name="jmxPort">8099</property>
    <property name="user">admin</property>
    <property name="pass">admin75</property>
  </engine>
  <defaultProtocol type="Servlet 2.5" />
  <container qualifier="tomcat-remote">
    <configuration>
      <property name="jmxPort">8099</property>
      <property name="user">admin</property>
      <property name="pass">admin75</property>
    </configuration>
  </container>
</arquillian>
I am trying to adapt the sample app for tomcat 6. Can anyone please help?
-When will Arquillian support tomcat 7?
Regards,
J.
tomcat-users.xml:
<tomcat-users>
  <role rolename="manager"/>
  <role rolename="tomcat"/>
  <role rolename="admin"/>
  <role rolename="role1"/>
  <user username="tomcat" password="tomcat" roles="tomcat"/>
  <user username="both" password="tomcat" roles="tomcat,role1"/>
  <user username="admin" password="admin75" roles="manager,admin"/>
</tomcat-users>
This message
Unable to connect to Tomcat manager. The server command (/deploy?path=%2Ftest) failed with responseCode (401) and responseMessage (Non-Autorisé).
indicates that one of the following is true:
the tomcat-users.xml file used by your Tomcat installation does not have the admin user (that you've specified in arquillian.xml),
or the admin user is not mapped to the manager role in Tomcat 6, or the manager-script role in Tomcat 7.
When will Arquillian support tomcat 7?
Arquillian supports Tomcat 7, as an embedded or a managed container. The documentation is not up to date (as of now), but the configuration parameters are more or less the same as the embedded and managed equivalents in Tomcat 6. The artifact Id to use for
a managed Tomcat 7 instance is org.jboss.arquillian.container:arquillian-tomcat-managed-7.
an embedded Tomcat 7 instance is org.jboss.arquillian.container:arquillian-tomcat-embedded-7.
As of today, 1.0.0.CR2 is the latest stable release. You can use 1.0.0.Final-SNAPSHOT, if you want to work against the development build.
Also, you can omit several redundant properties from your arquillian.xml file. A cleaner configuration would look like:
<arquillian xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
            xsi:schemaLocation="http://jboss.org/schema/arquillian
            http://jboss.org/schema/arquillian/arquillian-1.0.xsd">
  <engine>
    <property name="deploymentExportPath">target/</property>
  </engine>
  <container qualifier="tomcat-remote">
    <configuration>
      <property name="jmxPort">8099</property>
      <property name="user">admin</property>
      <property name="pass">admin75</property>
    </configuration>
  </container>
</arquillian>

Prevent access to certain webapps in Tomcat6

I asked this on Server Fault but really haven't had much luck, hoping that someone here would be able to offer some advice...
I have a Tomcat 6 server running just fine. I have external access working. I wanted to know how to prevent someone from seeing specific webapps; for example, I don't want external access to the ROOT Tomcat page. How would I go about preventing some webapps while leaving other webapps visible to external users?
Here's what I've tried:
This denies everything even 127.0.0.1 requests
<Host name="localhost" appBase="webapps"
      unpackWARs="true" autoDeploy="true"
      xmlValidation="false" xmlNamespaceAware="false">
  <Context path="/examples" docBase="" >
    <Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="127.0.0.1"/>
  </Context>
</Host>
This denies everything as well.
<Host name="localhost" appBase="webapps"
      unpackWARs="true" autoDeploy="true"
      xmlValidation="false" xmlNamespaceAware="false">
  <Context path="/examples" docBase="" >
    <Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="*"/>
  </Context>
</Host>
Basically I am trying to prevent access to the ROOT default tomcat page and the example apps....
Any ideas?
You can't use a wild card for the allow attribute...on the other hand you can use one for the deny attribute.
<Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="*"/>
This is why I was getting a 403 with the above code.
Also another way I handled this was I created a jsp that redirected traffic to wherever I wanted.
take a look at the documentation.
http://tomcat.apache.org/tomcat-6.0-doc/config/valve.html
What you have seems to be correct. It says "If this attribute is specified, the remote address MUST match for this request to be accepted."
One thing you might look at is to see whether 127.0.0.1 is really the correct IP. You might be actually using the actual IP of the box. try adding that IP address after the localhost one.
The value of the "allow" property must be defined using backslashes to escape the dots of the allowed IP address:
<Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="127\.0\.0\.1"/>
This could be an IPv6 issue. This is what my tomcat6/Catalina/myApp.xml looks like:
<!--<?xml version="1.0" encoding="UTF-8"?> -->
<Context path="/myApp" privileged="true">
  <Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="127\.0\.0\.1,0:0:0:0:0:0:0:1"/>
</Context>
This can be tested by the following which would yield 403 if you're denied access
wget --inet4-only http://localhost:8080/myApp
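The three answers above share one root cause: RemoteAddrValve's allow and deny attributes are comma-separated regular expressions that must match the whole address, and the loopback address a Java client actually presents may be the IPv6 form 0:0:0:0:0:0:0:1. The script below is an added example, not Tomcat code, that reimplements the Tomcat 6 RequestFilterValve decision in Python so a policy can be checked offline before a 403 on the live server: deny patterns first, then allow patterns, full match each time; an allow list with no match denies; a deny list alone lets unmatched addresses through; neither list refuses everything. It also shows why a bare * fails (it is a quantifier with nothing to repeat, in java.util.regex as in Python's re) and what an unescaped dot matches. The sample Context is constructed after the myApp.xml in the last answer; the function names are this example's own.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample, modelled on the myApp.xml shown in the answer above.
SAMPLE_CONTEXT = r"""<Context path="/myApp" privileged="true">
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.0\.0\.1,0:0:0:0:0:0:0:1"/>
</Context>"""

VALVE_CLASS = "org.apache.catalina.valves.RemoteAddrValve"


def pattern_is_valid(pattern):
    """True if the entry compiles as a regex. A bare '*' does not: it is a
    quantifier with nothing to repeat, in java.util.regex as in Python."""
    try:
        re.compile(pattern)
        return True
    except re.error:
        return False


def compile_list(attr):
    """Split a comma-separated allow/deny attribute the way RequestFilterValve
    does and compile each entry as a regular expression."""
    if not attr:
        return []
    entries = [p.strip() for p in attr.split(",") if p.strip()]
    bad = [p for p in entries if not pattern_is_valid(p)]
    if bad:
        raise ValueError("invalid regex in valve attribute: %s" % ", ".join(bad))
    return [re.compile(p) for p in entries]


def load_valve_filters(context_xml):
    """Return (allows, denies) from the first RemoteAddrValve in a Context."""
    root = ET.fromstring(context_xml)
    for valve in root.iter("Valve"):
        if valve.get("className") == VALVE_CLASS:
            return compile_list(valve.get("allow")), compile_list(valve.get("deny"))
    return [], []


def is_allowed(remote_addr, allows, denies):
    """Tomcat 6 RequestFilterValve.process(): deny patterns are checked first,
    then allow patterns; each must match the WHOLE address. An allow list with
    no match means 403; a deny list alone lets unmatched addresses through;
    with neither list every request is refused."""
    if any(d.fullmatch(remote_addr) for d in denies):
        return False
    if any(a.fullmatch(remote_addr) for a in allows):
        return True
    return bool(denies) and not allows


if __name__ == "__main__":
    allows, denies = load_valve_filters(SAMPLE_CONTEXT)
    for addr in ("127.0.0.1", "0:0:0:0:0:0:0:1", "::1", "192.168.1.10"):
        verdict = "allowed" if is_allowed(addr, allows, denies) else "403"
        print("%-16s %s" % (addr, verdict))
```

Two things the run makes visible: ::1 is refused even though it is the same address as 0:0:0:0:0:0:0:1, because the match is textual against whatever string the connector reports (which is why the last answer lists the expanded form and why wget --inet4-only is a useful control), and an unescaped 127.0.0.1 still happens to work in practice only because a full match of nine characters leaves little room for the dots to match anything else.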
