I'm trying to have my Flutter app log to a specific google cloud project's log bucket instead of the developer console. I'm running into a Permission 'logging.logEntries.create' denied on resource (or it may not exist). when I run the code. How can I fix this? The dart code for posting the log is below.
final logEntry = {
"jsonPayload": {
"message": {
"test": "entry",
"test 2": "entry 2",
},
},
"logName": logName,
"resource": {
"type": "global",
"labels": {
"project_id": projectId,
},
}
};
final url = "https://logging.googleapis.com/v2/entries:write";
http.Response response = await http.post(
Uri.parse(url),
headers: {
HttpHeaders.contentTypeHeader: 'application/json',
"X-goog-api-key": apiKey,
},
body: json.encode(
{
"entries": [logEntry],
},
),
);
The API key I created has no API restrictions, but I did also try restricting it to only use the logging API, but it still has the same error.
You need to give the logging.logEntries.create permission to the Service Account used by your Flutter app.
From the IAM page in Google Cloud console, you will be able to give a role containing the above permission to your Service Account.
If you used a custom role, you can also add directly the logging.logEntries.create permission to this custom role.
As mentioned in the document:
The permission logging.logEntries.create is needed on each project,
organization, billing account, or folder that is receiving new log
entries, whether the resource is specified in logName or in an
individual log entry.
So, you need to give the logging.logEntries.create permission to the Service Account used by your Flutter app.
You can also refer the detailed article on Access control guide.
Related
Strapi Version: 4.1.5
Operating System: Debian GNU/Linux 9
Database: PostgreSQL 13
Node Version: v14.16.0
NPM Version: 6.14.11
Yarn Version: v1.22.5
Hi everyone, I can’t seem to find consistent information on how to use permissions with a custom plugin in Strapi. I want to make an endpoint available to my front-end (Next.JS) application, but only when the front-end application has authenticated as a user and using the JWT that is returned from authenticating with Strapi. I keep getting a 401 returned.
Here’s what I’m doing:
I used this page to set up authentication in Strapi. I have a user created in Strapi, and from the front-end, I can authenticate and it returns a JWT token. When I set up collection types to only be accessible with the “authenticated” role, I can access those collection types in the api using this JWT token. So all of that works. The problem is that I can’t get this to work with my custom plugin, and I’m not sure why. I still get a 401 error instead.
Here’s how I set up the permissions:
Based on this page, I initially tried to leverage the isAuthenticated permission that the Users & Permissions plugin provides:
{
method: "GET",
path: "/progress",
handler: "memberProgress.getProgress",
config: {
policies: ['plugins::users-permissions.isAuthenticated']
},
},
Unfortunately, this did not work. The server raised an error, saying that this could not be found. So back on the document linked above, I decided to take the approach of creating my own gloabl permission. I created src/policies/is-authenticated.js with the following contents:
module.exports = (policyContext, config, { strapi }) => {
if (policyContext.state.user) { // if a session is open
// go to next policy or reach the controller's action
return true;
}
return false; // If you return nothing, Strapi considers you didn't want to block the request and will let it pass
};
Then, I modified my plugin’s route as follows:
{
method: "GET",
path: "/progress",
handler: "memberProgress.getProgress",
config: {
policies: ['global::is-authenticated']
},
},
This is all based on that document I linked to. Unfortunately, this still does not work. It seems to find the permission (server doesn’t raise an error about it), but when I try to access my plugin’s endpoint with the JWT token, I just get a 401 error.
Here is how I’m trying to access the endpoint on the front-end:
// VERIFIED, auth works and I get the expected jwt
const strapiAuth = await strapiApiAuth();
if ( strapiAuth && strapiAuth.hasOwnProperty("jwt") ) {
try {
const response = await axios.get(
`${process.env.STRAPI_BACKEND_URL}/member-progress/progress?year=2022&name=&pageSize=10&page=1`,
{
headers: {
Accept: "application/json",
Authorization: `Bearer ${strapiAuth.jwt}`
},
timeout: 500,
}
);
console.log(response);
} catch (error) {
// This is where I land with the 401 error
console.log(error);
}
}
Strapi check if you have a valid jwt by default with "authenticated" role, but you must mark the permission to your custom endpoint in "Settings→User & Permission Plugin→Roles" of admin panel also.
I am trying to create GitHub service connection using azure Devops rest api -
In postman I put following Json Body-
{
"name": "release-1",
"type": "github",
"url": "https://github.com",
"authorization": {
"scheme": "PersonalAccessToken",
"parameters": {
"accessToken": "<Github_Personal_Access_Token>"
}
}
}
This Creates service connection but It gives error when I open service connection in UI and try to verify but if I edit and replace with same Github token In UI then it works. seems like its not taking token I am providing in Json body -
I also see information here on this ongoing issue - https://ljvmiranda921.github.io/notebook/2019/12/28/workaround-azure-github-pat/
I want to automate GitHub service connection creation.
How to create GitHub service connection using Azure Devops rest api ?
How to create GitHub service connection using Azure Devops rest api ?
Are you creating this GitHub service connection?
If so, you should use EndPoints-Create API and your Json Body can follow this format:
{
"authorization": {
"scheme": "Token",
"parameters": {"AccessToken": "YourGitHubPAT"}
},
"data": {},
"description": "",
"name": "YourServiceConnectionName",
"serviceEndpointProjectReferences": [{
"description": "",
"name": "YourServiceConnectionName",
"projectReference": {
"id": "YourProjectID",
"name": "YourProjectName"
}
}],
"type": "github",
"url": "https://github.com",
"isShared": false
}
We should enter the value of YourGitHubPAT, YourServiceConnectionName(twice in two points), YourProjectID and YourProjectName with your own values to make the body work. We can get YourProjectID via Projects-List API.
After running that in PostMan, I can verify it successfully without issues. I guess your issue may have something to do with your parameters. Use
"authorization": {
"scheme": "Token",
"parameters": {"AccessToken": "<Github_Personal_Access_Token>"}
},
Instead of
"authorization": {
"scheme": "PersonalAccessToken",
"parameters": {"accessToken": "<Github_Personal_Access_Token>"}
Update about how to enable grant access to all pipelines:
Dislike other elements like Token, Name and Description, Grant Access Permissions to all pipelines option is managed by another API.
API to enable this option:
https://dev.azure.com/{YourOrganizationName}/{YourProjectName}/_apis/pipelines/pipelinePermissions/endpoint/{YourEndPointID}?api-version=5.1-preview.1
Body:
{
"resource": {
"id": "YourEndPointID",
"type": "endpoint",
"name": ""
},
"pipelines": [],
"allPipelines": {
"authorized": true,
"authorizedBy": null,
"authorizedOn": null
}
}
Note: We need to enter EnterPointID in URL and Body. (Twice!)
In PostMan, you should use PATCH method and application/json type. The YourEndPointID is ServiceConnectionID, you can get this value from EndPoints-Create API's response.
So normally to create a service connection with "Grant Access to All..." enabled, we should run Endpoints-Create first and then run the second API to enable this option.
(And this is the same behavior in Web Portal. When we click Verify and Save button in web browser, it actually also calls these two APIs to complete the process.)
I developed a side-by-side app using Java + SAP Cloud SDK (Neo). The app adds records to a custom business object.
The app was working fine when I concluded development in February. Now, I need to do some additional improvements, but I can add records anymore.
I am getting the error SCBO_AUTHORIZATION/000 - You are not authorized to create XXXXXXX instance.
I assigned CBO to a business role, the custom communication scenario along with communication arrangement is in place. I tested already the service (metadata) and the user is not locked.
Here´s the error sent back from the backend:
2020 05 27 19:36:55#+00#ERROR#com.sap.cloud.extensibility.services.CockpitServiceImp##PHENRIQUE#https-jsse-nio-8041-exec-8#na#fzrl99axqb#csccapplication2#web#fzrl99axqb#na#na#na#na#Error building up cockpit. com.sap.cloud.sdk.s4hana.datamodel.odata.helper.ODataVdmErrorResultHandler$ErpODataException: The endpoint responded with HTTP error code 400.
You're not authorized to create CSCCOCKPIT instance.
Full error message:
{
"error": {
"code": "SCBO_AUTHORIZATION/000",
"message": {
"lang": "en",
"value": "You\\u0027re not authorized to create CSCCOCKPIT instance."
},
"innererror": {
"application": {
"component_id": "BC-ESI-ESF-GW",
"service_namespace": "/SAP/",
"service_id": "YY1_CSCCOCKPIT_CDS",
"service_version": "0001"
},
"transactionid": "338BDCAE69170270E005EC3E361F2498",
"timestamp": "20200527193655.5607910",
"Error_Resolution": {
"SAP_Transaction": "For backend administrators: use ADT feed reader \\"SAP Gateway Error Log\\" or run transaction /IWFND/ERROR_LOG on SAP Gateway hub system and search for entries with the timestamp above for more details",
"SAP_Note": "See SAP Note 1797736 for error analysis (https://service.sap.com/sap/support/notes/1797736)"
},
"errordetails": [
{
"code": "SCBO_AUTHORIZATION/000",
"message": "You\\u0027re not authorized to create CSCCOCKPIT instance.",
"propertyref": "",
"severity": "error",
"transition": true,
"target": ""
}
]
}
}
}
Could someone give a clue on where could the issue be?
BR,
Pietro
The error happened because all the fields in the custom business object in S/4Hana Cloud were set as "read-only".
I'm looking for help of somebody who knows something about Jira add-ons.
I'm trying to implement Jira add-on with an ability to create issues on behalf of a user.
So, I completed all steps (as I think) leading me to my goal, but I faced a problem with impersonating. When I try to create an issue using Jira REST API, I receive the following error:
{
"error": "Add-on 'com.example.myapp' disallowed to impersonate the user because 'no valid active user exists'"
}
What was done:
Folowing the getting started tutorial I created the add-on descriptor:
{
"name": "Hello World",
"description": "Atlassian Connect app",
"key": "com.example.myapp",
"baseUrl": "https://url.ngrok.io",
"vendor": {
"name": "Example, Inc.",
"url": "http://example.com"
},
"authentication": {
"type": "jwt"
},
"scopes": [
"act_as_user",
"read",
"write",
],
"lifecycle": {
"installed": "/api/created",
},
"apiVersion": 1
}
I also implemented webhook to handle 'installed' callback from add-on like described here. So, when a user installs the add-on the webhook will receive the following object:
{
'key': 'com.example.myapp',
'clientKey': '<client key>',
'oauthClientId': '<OAuth client ID>',
'publicKey': '<public key>',
'sharedSecret': '<shared secret>',
'serverVersion': '100095',
'pluginsVersion': '1.250.0',
'baseUrl': 'https://<user's domain>.atlassian.net',
'productType': 'jira',
'description': 'Description',
'eventType': 'installed'
}
Using this data I generated JWT signed with the shared secret like described in the tutorial. So, my JWT payload includes the following claims:
{
'iss': 'urn:atlassian:connect:clientid:<OAuth client ID>',
'sub': 'urn:atlassian:connect:useraccountid:<client key>',
'tnt': 'https://<user's domain>.atlassian.net',
'iss': '<created at>',
'exp': '<created at + 1 minute>'
}
The next step I performed is access token generation using auth.atlassian.io/oauth2/token endpoint and the following parameters:
grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer&assertion=<my JWT>&scope=ACT_AS_USER READ WRITE
The result of all these actions is an access token witch I can use to perform REST API requests. But the error described above returned every time I try to create Jira issue performing POST [user's domain].atlassian.net/rest/api/2/issue/ with Authorization: Bearer [access_token] header.
What I've noticed is that account ID in installed callback object (clientKey) has 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx' (uuid) format. But when I open my account in Jira (account in witch the add-on is installed) I see that the account ID in URL has 'YYYYYY:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx' format. I prepended the subject in my JWT payload with YYYYYY part:
'sub': 'urn:atlassian:connect:useraccountid:'YYYYYY:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx'
and generated a new access token using this JWT. I've used new access token to create an issue and it was successfully created, the reporter of the issue is a user installed my add-on, just like I wished.
Finally, the question is: where can I find that YYYYYY part for my add-on? How to get it automatically? What I've missed following the tutorials? Any help will be appreciated.
Thank you!
Question:
After adding a new BIM 360 Docs project using the API, how do I activate it for Document Management using the APIs? Following online tutorial does not yield expected results.
Background:
I was trying to follow a tutorial to create a BIM 360 Docs project and activate it for Document Management, as it's listed here. Project creation itself is a breeze, however the step required to activate a service does not work as outlined.
Here are my individual steps:
Create BIM 360 Project with HTTP POST https://{{ForgeURL}}/hq/v1/accounts/{{AccountId}}/projects
Created project information is returned in the response, including new project id and status, which is pending.
Attempt to add project admin and activate a service as outlined here
i. Add Project Admin - Method 1 - Documentation here lists endpoint capable of adding a project admin to a specific BIM 360 project and service type.
HTTP POST https://{{ForgeURL}}/hq/v1/accounts/{{AccountId}}/projects/{{BIM360ProjectId}}/users
{
"role":"project_admin",
"service_type":"doc_manager",
"company_id":"{{BIM360CompanyId}}",
"email":"user#email.com"
}
Response: HTTP 404 Not Found
{
"code": 1004,
"message": "this project doesn't exist."
}
ii. Add Project Admin - Method 2 - Documentation here lists endpoint capable of adding users (project admin and project user) to a project.
HTTP POST https://{{ForgeURL}}/hq/v2/accounts/{{AccountId}}/projects/{{BIM360ProjectId}}/users/import
[
{
"email": "user#email.com",
"services": {
"document_management": {
"access_level": "admin"
},
"project_administration": {
"access_level": "admin"
}
},
"company_id": "{{BIM360CompanyId}}",
"industry_roles": []
}
]
Response: HTTP 200 OK, but... it's a failure
{
"failure": 1,
"success": 0,
"success_items": [],
"failure_items": [
{
"email": "user#email.com",
"services": {
"document_management": {
"access_level": "admin"
},
"project_administration": {
"access_level": "admin"
}
},
"company_id": "716a5472-a69c-4c07-aa0c-9e54e98ff28f",
"industry_roles": [],
"errors": [
{
"message": "Services [\"document_management\"] are not active or pending in project",
"code": 2000
}
],
"project_id": "1b6f2179-8f2f-4fa7-907b-901aee7224be",
"account_id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
}
]
}
One can see that it complains about Services [\"document_management\"] are not active or pending in project. project_administration had to be included, otherwise it would have also complained about service project_administration required if any access_level is set as admin.
However, I can see the project using BIM 360 Docs web app Account Admin though as Inactive.
Attempt to activate a project using HTTP PATCH https://{{ForgeURL}}/hq/v1/accounts/{{AccountId}}/projects/{{BIM360ProjectId}} returns
{
"code": 1001,
"message": "You cannot change the status of a project that has no project admin."
}
iii. Add Project Admin - Method 3 - Documentation here lists endpoint capable of updating a user’s profile for a project, including the user’s access level for the project (admin or user).
HTTP PATCH https://{{ForgeURL}}/hq/v2/accounts/{{AccountId}}/projects/{{BIM360ProjectId}}/users/{{BIM360UserId}}
{
"services": {
"document_management": {
"access_level": "user"
}
},
"company_id": "{{BIM360CompanyId}}"
}
Response: HTTP 200 OK, but it's a failure
{
"account_id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"project_id": "1b6f2179-8f2f-4fa7-907b-901aee7224be",
"error": [
{
"message": "User does not exist in project",
"code": 2000
},
{
"message": "Services [\"document_management\"] are not active or pending in project",
"code": 2000
}
]
}
Long story short, I am unable to add project admin using any of the methods available.
What's more, when I add a Project Administrator there using Project Admin \ Services \ Document Management section the project status turns into Active and I am suddenly able to activate a service as outlined here.
The endpoint documentation has incorrect information pointing to payload containing
"service_types": "field"
creating a BIM 360 project with the project information that is accessible and available for all BIM 360 services, which is not what happens. One has to explicitly specify service type, e.g.
"service_types": "doc_manager"
or according to this documentation
If nothing specified, the project will be created for all the enabled
services in the account.
This allows to add a project admin using a Method 1 outlined in my question.