I'm currently trying to find the best process for managing admin privileges throughout my PostgreSQL databases. What I am trying to do is assign permissions that are sufficient enough for in an admin role group where I can GRANT a user (another admin) to inherit the permissions of the role group; however, I'm not sure if this can be done or how to do this. The admin role group's privileges should be the following:
Able to add users
Able to view users and permissions in a database
Able to reset a user's password, dropping a user, or resetting a user's name
Able to show grants of a particular user
Able to add specific permissions for a user to a schema and table. (So have permissions to the database and tables)
For auditing purposes, should I even go with this approach of creating a role group or add a user (admin) with no role group? I remember reading that the role group would show as who did any changes rather than the specific user. Would appreciate clarification on this.
Thanks for reading my post.
Related
I am currently trying to set up keycloak for a production scenario in which I have different contexts, each with users and admins. The admin should only be able to impersonate users from his context.
Giving an admin permission in the form of permissions to impersonate all users is not a problem. but how can I solve the above task? Can one of keycloak built in concepts (groups, roles, realms, scopes etc.) help me?
You have to enable --features=admin-fine-grained-authz and then.
Put your users into a group.
Create another user and grant this user "query-groups" and
"impersonation" roles (from the "realm-management" or "master-realm"
client, depending on the realm).
Go to your group, enable permissions, open "view" permission, and add a
user policy to allow the user to view a group, then repeat for "view-members" permission.
FInd more details here
and here
The MongoDB documentation indicates that a user can be created with any database as its authentication database. Is there any reason I would choose to create my user in the 'admin' database, unless I intended to grant it cluster level privileges?
Should I avoid creating users in the 'admin' database unless the above criteria applies?
Where the user is stored does not influence what privileges are granted to the user.
If you prefer to have all users defined in the same place, it makes sense to keep them in the admin database.
If your users have access to one database each and you prefer to have users defined in the database that they have access to, it could make sense to define them in the database they have access to.
In either case which databases the users have access to, and what operations they are allowed to perform, can be defined per user.
If you store users in admin database, but the client is connecting to another database, the authSource must be explicitly specified when connecting.
I created a group in keycloak and i added users to the group. I want to add one user as the group admin of the group by adding ADMIN role to one user and other users should remain with USER role.
One user can belongs to multiple groups. As an example User_A can be in Group_A, Group_B and Group_C. And also User_A is the admin of Group_A and in Group_B and Group_C, he is a normal user.
Is there any way to achieve this requirement in keycloak?
Please let me know is there any solution.
You could have a sub-group admin with default ADMIN role below Group_A , and put User A in that sub-group.
Or why don't you just assign individual ADMIN role to User_A ?
As I understand groups function in keycloak, it is essentially a way of assigning automatic attributes/roles to user (and...to group them). But roles assigned via groups function are exactly the same as individual roles I think.
I am using yii2 basic and have implemented RBAC using permissions, roles.
I have Employee table and I have assigned Employee model to user application component.
Now the scenario is when admin creates employee he has to assign a role to that employee using auth_assignment CRUD.
Unless and until role has been assigned, the employee should not be able to login. Login page should be displayed to him with error message. (Similar to the scenario when incorrect username or password is entered by user.)
How to accomplish this?
I'm developing a small database for a library but I'm completely ignorant when it comes to roles and privileges.
I've spent quite some time googling but I still don't truly get the mechanisms.
My aim is to create 3 basic roles:
User with no login (not really an user, just someone who wants to see the books the library has in store, but he can't do any action besides just watching)
User with login (He can preorder books and do other actions)
Admin (He can add new books, authors, genres and can give the admin privileges to other users)
At first I thought I could create these 3 roles specifying the various privileges each one has and then, on the related website, every time someone would connect he would have been considered an "User with no login" until the login which would've determinated whether he is an Admin or not; reading the PostgreSQL documentation I understood it's nothing like this, or perhaps I got it wrong.
I really have no clue what to do, any help would be appreciated.
What you want to do is reasonable. Your webapp should log in with its connection pool as a user (say mywebapp) that is marked NOINHERIT and has no rights except to SET ROLE to three other roles. Each of those roles describes one of the categories of users you mention above. You'll also need to GRANT the rights to access any tables used to look up and authenticate users to the mywebapp user.
When servicing a request, if it's acting on behalf of an anonymous user it does SET ROLE anonymous_web_user; or whatever.
If it's acting as a named user, it does SET ROLE authenticated_user;. You'd GRANT the right to read the table you use for authenticating users to the mywebapp role so it can authenticate them in whatever way your app does so.
If it's acting as an admin, it does SET ROLE admin;. Or, if there aren't many admins and they need different rights, you can make them PostgreSQL users, and SET ROLE the_admin_user_name;. Again, your app would pre-authenticate them, and SET ROLE if it was satisfied with the user's authentication.
When a connection is returned to the pool it is vital that the pool run the query DISCARD ALL; to clear the connection's role setting.
So, for example, you might:
CREATE ROLE mywebapp WITH LOGIN NOINHERIT;
CREATE ROLE anonymous_web_user;
CREATE ROLE authenticated_user;
CREATE ROLE admin_user;
-- 'mywebapp' can become anyone, but by default doesn't
-- get the rights of any of them since it's marked NOINHERIT
GRANT admin_user TO mywebapp;
GRANT anonymous_web_user TO mywebapp;
GRANT authenticated_user TO mywebapp;
-- All admins are authenticated users, since authenticated_user
-- is INHERITable
GRANT authenticated_user TO admin_user;
-- All authenticated users have the rights of anon users too
GRANT anonymous_web_user TO authenticated_user;
-- The app must be able to look up users
GRANT SELECT ON some_users_table TO mywebapp;
-- but only admins can change them
GRANT ALL ON some_users_table TO admin_user;
...
See Role membership.