How can I automate applying permissions for a JCR node? - jackrabbit

For the CQ5 environment I work on we have a farm of publisher servers. Some of the content on these servers is restricted so only users who belong to certain groups can see the content. I'd like to script the setting of permissions for the folders (nodes) that are to be secured so I don't have to manually repeat the steps of applying security using the Access Control Editor of Content Explorer (This Adobe documentation has instructions for doing it manually via Access Control Editor). The scenario is that sometimes new folders are to be created to hold secure pages, and we want to apply permissions to the folders prior to activating any content into those folders.
Since the environment has several publishers, it is repetitive, manual, and error-prone work to open Content Explorer and set the permissions on each one. I'd like to be able to automate this so I could roll out permissions to all the servers via a script--perhaps via a curl command or some other mechanism (perhaps a package?) that can be automated.
I found the Sling jackrabbit-accessmanager bundle that seems like it will facilitate automation of this, but it seems like it opens a security hole. If I put this bundle on my publishers, it seems like I would be providing a REST interface to let anyone modify the permissions and grant access to folders/nodes that should be secured or to add security restrictions on nodes that should have none.
How can I automate the creation/modification of node permissions via a script--and do so in a way that only allows an administrator to apply the permissions changes?

This tool lets you manage permissions in a centralised way; they can also be installed automatically at deploy time:
https://github.com/Netcentric/accesscontroltool
Regarding permissions applied to new folders, the solution is setting permissions properly on their parent folder. CQ/AEM will automatically apply the same permissions to all children unless another rule breaks the inheritance.

I found one alternative I hadn't considered before: using the Day CQ ACL Setup Service. It is mentioned at http://dev.day.com/docs/en/cq/5-5/developing/security_model_changes.html.
AclSetupService allows one to add a permission to a single path or a given user/group. This will be applied on each restart of CQ to guarantee a certain permission state within CQ. For example, "allow;inherit;everyone;/" prevents everyone from accessing CQ (i.e. it forces all users to log in first). As noted in the description of AclSetupService, you will need the following pattern per entry:
( "allow" | "deny" ) ";" ( privileges | "inherit" ) ";" principal ";" path
Choose either "allow" or "deny" for the first part.
Next enter one of the privileges below or set it to inherit permissions from the ancestor.
Then enter a single user/group.
Finally enter a single path to apply the permission to.
Using this will replace permissions set within the repository when you restart CQ. These could be scripted by using the process outlined here and here.
Privileges can be:
jcr:read
rep:write
jcr:all
crx:replicate
imp:setComplete
jcr:addChildNodes
jcr:lifecycleManagement
jcr:lockManagement
jcr:modifyAccessControl
jcr:modifyProperties
jcr:namespaceManagement
jcr:nodeTypeDefinitionManagement
jcr:nodeTypeManagement
jcr:readAccessControl
jcr:removeChildNodes
jcr:removeNode
jcr:retentionManagement
jcr:versionManagement
jcr:workspaceManagement
jcr:write
rep:privilegeManagement
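Since the AclSetupService entries are plain strings that are only checked at restart, a rollout script should validate them before pushing to several publishers. The following is an added example (not code from the answer or from CQ) that parses entries against the grammar given above, checks privilege names against the list above, and generates entries for new secure folders; it assumes that multiple privileges in one entry are comma-separated, which the answer does not state.

```python
# Added example: validate and generate Day CQ AclSetupService entries of the form
#   ( "allow" | "deny" ) ";" ( privileges | "inherit" ) ";" principal ";" path
# Assumption (not stated on the page): several privileges are comma-separated.
KNOWN_PRIVILEGES = {  # privilege names listed in the answer above
    "jcr:read", "rep:write", "jcr:all", "crx:replicate", "imp:setComplete",
    "jcr:addChildNodes", "jcr:lifecycleManagement", "jcr:lockManagement",
    "jcr:modifyAccessControl", "jcr:modifyProperties", "jcr:namespaceManagement",
    "jcr:nodeTypeDefinitionManagement", "jcr:nodeTypeManagement",
    "jcr:readAccessControl", "jcr:removeChildNodes", "jcr:removeNode",
    "jcr:retentionManagement", "jcr:versionManagement", "jcr:workspaceManagement",
    "jcr:write", "rep:privilegeManagement",
}

def parse_entry(entry):
    """Parse one entry into a dict; raise ValueError naming the defect."""
    parts = [p.strip() for p in entry.strip().split(";")]
    if len(parts) != 4:
        raise ValueError(f"expected 4 ';'-separated fields, got {len(parts)}")
    action, privs, principal, path = parts
    if action not in ("allow", "deny"):
        raise ValueError(f"action must be allow or deny, got {action!r}")
    privileges = None  # "inherit": take the permission from the ancestor
    if privs != "inherit":
        privileges = [p.strip() for p in privs.split(",") if p.strip()]
        unknown = [p for p in privileges if p not in KNOWN_PRIVILEGES]
        if not privileges or unknown:
            raise ValueError(f"unknown or empty privileges: {unknown or privs!r}")
    if not principal:
        raise ValueError("principal must not be empty")
    if not path.startswith("/"):
        raise ValueError(f"path must be absolute, got {path!r}")
    return {"action": action, "privileges": privileges,
            "principal": principal, "path": path}

def validate_entries(entries):
    """Return (parsed, errors); a rollout script should stop if errors is non-empty."""
    parsed, errors = [], []
    for n, entry in enumerate(entries, 1):
        try:
            parsed.append(parse_entry(entry))
        except ValueError as exc:
            errors.append(f"entry {n}: {exc}")
    return parsed, errors

def build_entries(action, privileges, principals, paths):
    """One entry per (path, principal) pair, e.g. when a new secure folder is added."""
    privs = "inherit" if privileges is None else ",".join(privileges)
    return [f"{action};{privs};{principal};{path}"
            for path in paths for principal in principals]
```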

If you would like to use the Sling jackrabbit-accessmanager bundle on a publish instance it is possible. You would want to make sure your dispatcher which sits in front of the publish instance does not allow the permission requests (/.modifyAce., .deleteAce., etc) and the publish instances can only be accessed directly from inside your network. It's standard practice to deny all requests in the dispatcher and specify what is allowed.
Is there a reason you are not just replicating the permissions when the folder is activated? There should be a rep:policy node underneath the secure folder which gets replicated.

Related

Why can I see an AD container from ADExplorer and not from other browsers?

Ok, so I need a really Active Directory expert for this one.
I am encountering a problem where I view different things from different LDAP browsers.
I want to view the deleted objects container.
When I access Active Directory through ADExplorer I can see this container. When I access the same Active Directory, with the same user from JXplorer I cannot see the deleted objects container.
The same happens from Softerra LDAP Browser as from JXplorer.
Do you have any idea why this is happening?
Do you maybe have any other LDAP browser you can recommend?
Thanks
The ability to enumerate the deleted objects container in Active Directory will depend on the software in use (as you found out). To be able to view the deleted objects container (and any deleted objects in general), the software needs to use the LDAP control called LDAP_SERVER_SHOW_DELETED_OID. From the MSDN page:
LDAP_SERVER_SHOW_DELETED_OID control code
The LDAP_SERVER_SHOW_DELETED_OID control is used with an extended LDAP
search function to specify that the search results include any deleted
objects that match the search filter.
Unless the software lets you use a custom LDAP control when connecting to AD (or has built-in support for viewing deleted objects in AD), it won't be able to see them at all.

How to prevent the clients from debugging the code in JavaScript using developer tools

We have an AngularJS application where we have different roles associated with the users. For example, the two roles are Admin and Local. Based on the role, we show some menu items for the Admin and add more features/screens for the Admin.
The userInfo with the Admin property is returned from the login response, and based on that we decide which menus and screens are to be rendered.
But if we use the developer tools, set a breakpoint where the admin property is used, and set the admin property to true, then the user, even if he is a local user, would be able to access admin privileges.
In short, anyone who has some idea about the JavaScript code can get the admin privileges. Is there any idea other than minification of the code to prevent this kind of security threat?
Thanks
As the front-end of your application will run on the client machine there is actually no way to stop a user from debugging or modifying the code. Thus it's impossible to prevent someone from tricking their local instance of the application to think it's signed in as an administrator.
If you simply want to hide the admin interface, one possibility is to have separate (or additional) templates for administrators and restrict access to these based on the user's privilege. Whether there is anything to be gained from this is up to you. You will still need to validate the rights to execute any privileged action on the server anyway. Obtaining administrative privileges on the client must never be the same as obtaining them on the server side.

TeamCity LDAP Synchronization not working for VCS properties

I have configured TeamCity (8.1.4) for LDAP logins and it works as advertised including synchronization of displayname and email. But I have a problem with synchronization of VCS properties.
New users are being created (when they first log in) without their display name or email address being populated. This is remedied when the sync happens, so I know the sync works for those properties.
I need the "Default for all of VCS roots" property filled out properly as well though. This is required so that people can be matched to their check-ins (it's not happening at the moment) so they can be emailed when they break the tests.
The "Default for all of VCS roots" property is simply being populated as username, but I need it to be DOMAIN\username.
My settings:
java.naming.provider.url=ldap://my.domaincontroller.com:389/DC=mydomain,DC=local
java.naming.security.principal=monkey
java.naming.security.credentials=bubbles
teamcity.users.base=OU=group2,OU=Users
teamcity.users.login.filter=(sAMAccountName=$capturedLogin$)
teamcity.users.username=sAMAccountName
teamcity.auth.loginFilter=.*
teamcity.options.users.synchronize=true
teamcity.users.filter=(objectClass=user)
teamcity.options.groups.synchronize=false
teamcity.options.createUsers=false
teamcity.options.deleteUsers=false
teamcity.options.syncTimeout = 3600000
teamcity.groups.property.member=member
teamcity.users.property.displayName=displayName
teamcity.users.property.email=mail
teamcity.users.property.plugin\:vcs\:anyVcs:anyVcsRoot=mydomain\\$sAMAccountName$
You can play around with the settings for LDAP to achieve this, but we ran into some issues when we set this up on our projects. We had more than one type of VCS repo, and when we started to move to Git, our repository just did not store usernames in DOMAIN//username syntax.
A better way would be to update the user tables in the TeamCity database to set the default user id for all TFS-based roots to DOMAIN/username. This is the syntax:
insert into user_property
values(<user_id>,'plugin:vcs:jetbrains.tfs:anyVcsRoot','DOMAIN//username')

SSRS Revert to parent security

I have 50+ report parts which have specific AD Groups assigned to them as Browser.
This is so only certain people have access to the data.
To accomplish this, on the security settings I changed it by clicking 'Edit Item Security'
This resulted in SSRS not inheriting the security anymore (i.e. if I put an individual's AD name on the project folder they would be given access to everything).
So all my report parts have individual groups as it stands; the problem is I now need to give one individual access to everything.
With the current set-up this would mean adding them one by one to all the report parts; however, there is a button called 'Revert to parent security'.
My question is, if I click this will it remove all the individual group security settings I have applied, or will it allow me to add one person to all whilst leaving all the others the same?
According to Books Online ( http://msdn.microsoft.com/en-us/library/ms180265.aspx )
Revert to Parent Security will remove all the individual group security settings
Click to reset the security settings to that of the immediate parent
folder. If inheritance is unbroken throughout the report server folder
hierarchy, the security settings of the top-level folder, Home, are
used.
In your scenario, it seems that you have to add the user individually to every secured item. You could do it programmatically using the Reporting Services scripting host (see http://msftrsprodsamples.codeplex.com/wikipage?title=SS2008%21Script%20Samples%20%28Reporting%20Services%29 for some sample scripts) or PowerShell (see Using Powershell to set user permissions in Reporting Services for a sample).

ALDB authentication request

So I have a setup where clearcase and clearquest are integrated.
I.E. if I check in a file in clearcase clearquest will popup asking for a change request number.
Here's the deal, I don't have to "login" every time I start a new clearexplorer.
I have some other tools I have been writing that I would like to take advantage of that capability but I don't know where to start. Basically I want my tool to check the same place clearcase checks to see that I'm a valid user and create my object based on those credentials.
From the looks of things the ALDB server might have something to do with it but I don't know how to interact with it.
Anyone have any ideas on it?
UPDATE:
I guess what I mean is I don't have to log in to ClearQuest every time I open a new ClearCase and check in files. That's what I'm really looking for: using the existing ClearQuest "authentication" object (if that's what it's even called).
Update 2:
Based on Information I found here:
http://publib.boulder.ibm.com/infocenter/cqhelp/v7r0m0/index.jsp?topic=/com.ibm.rational.clearquest.apiref.doc/c_perf_user_admin.htm
You can use this method to obtain the Session object associated with the current user. See the description of the Session object for more information on how to use this object.
I looked at the Session object and it doesn't seem to mention how to use this object as it states.
Update #3
This has been a long time, but it's come up again. I think what I'm really looking to do is build something that shares the Session object, since logging in takes quite a while. My plan is to log in once using a background process, and then I can query that running process for the object when I try to log in with a second program; if it works, all goes well and continues, and if it doesn't, then it will require a manual login (or could spawn the process that logs in, and wait for a response).
If/When I make this I'll post some details on steps I took.
It is true the albd service (Atria Location Broker Daemon) requires a Windows account to function. But not yours. See Updating the Windows ClearCase ALBD Password.
The last one, the ALBD service, requires a Windows user account with ClearCase privileges to function properly.
In the definition of this service, during ClearCase installation, the ClearCase administrator must specify the name of this privileged account, the password, the Windows domain, and the Windows group for this account.
Any ClearCase-related operation will base the user identification on the
credmap information (if you are with Windows clients and a Unix server)
credmap registryServer
or the creds.exe information.
The ClearCase objects (like a new version created after a checkin) will get those credentials.
