Creating a non-admin user in Rundeck - rundeck

I am having trouble creating a non-admin user.
I have been able to create users and add the desired roles for them in the realm.properties file.
My problem is that every user I create is given the admin role, in addition to the other roles I specify.
My user creation process goes like this:
useradd myuser
passwd myuser
edit realm.properties to add the line myuser:mypassword,user,group2,group3
I have also added a user first in the realm.properties before adding the user to the system to see if it made a difference. It did not.
I know I fundamentally don't understand how Rundeck is authenticating users, but the fact that everything works, except that the user always has the role of admin in addition to the other desired roles, is driving me nuts.
EDIT:
Adding description of other attempt at user creation
Create operationsuser2 user in realm.properties
Restart rundeck (or the machine running rundeck)
Fail to log in as user operationsuser2
Adding my realm.properties
#
# This sets the default user accounts for the Rundeck app
#
admin:admin,user,admin,architect,deploy,build
otheradmin:adminPass,user,admin,architect,deploy,build
operationsuser1:myPass1,user,operations
operationsuser2:myPass2,user,operations
Adding the Access Policy that I have been trying to test this whole time lol
description: Operations manager project access
context:
application: 'rundeck'
by:
group: operations
for:
project:
- equals:
name: 'myProject'
allow: [read]
---
description: Operations manager project specific rules
context:
project: 'myProject'
by:
group: operations
for:
job:
- equals:
uuid: 096852ba-099e-42c1-9373-11621f17398d
allow: [read, run]
node:
- allow: 'read'
adhoc:
- allow: [read, run]
I think I have found out why all the users are admins. After clearing up some miscommunication with my coworker who originally set up Rundeck, he told me that he set up PAM, which led me to investigate the jaas config below.
We are using the JettyPamLoginModule.
➜ ~ sudo cat /etc/rundeck/jaas-loginmodule.conf
RDpropertyfilelogin {
org.rundeck.jaas.jetty.JettyPamLoginModule requisite
debug="true"
service="sshd"
supplementalRoles="admin"
storePass="true";
org.rundeck.jaas.jetty.JettyRolePropertyFileLoginModule required
debug="true"
useFirstPass="true"
file="/etc/rundeck/realm.properties";
};
I now understand why every Unix system user I created would allow me to log into Rundeck, and also be an admin.
I, however, still do not understand why I cannot log in with a user I created in realm.properties.
I thought that the JettyRolePropertyFileLoginModule would allow us to create users in the realm.properties file, and then log into Rundeck with them.

Add the ReloadablePropertyFileLoginModule module inside the RDpropertyfilelogin.
Following this, the JettyRolePropertyFileLoginModule isn't for authentication purposes.
org.rundeck.jaas.jetty.JettyRolePropertyFileLoginModule does not
authenticate and only uses authorization roles from a property file.
Can be combined with previous modules.
So, to get it to work follow this config and restart the Rundeck service:
The jaas-loginmodule.conf file:
RDpropertyfilelogin {
org.rundeck.jaas.jetty.JettyPamLoginModule optional
debug="true"
service="sshd"
supplementalRoles="user,readonly"
storePass="true";
org.rundeck.jaas.jetty.ReloadablePropertyFileLoginModule optional
debug="true"
useFirstPass="true"
file="/etc/rundeck/realm.properties"
storePass="true";
org.rundeck.jaas.jetty.JettyRolePropertyFileLoginModule required
debug="true"
useFirstPass="true"
file="/etc/rundeck/realm.properties";
};
The realm.properties file.
admin:admin,admin
bob: -,admin
The bob user (PAM) entry it's just to define the admin role for him.
Now, with the JettyRolePropertyFileLoginModule module you can add any user on the realm.properties file without restarting Rundeck keeping the PAM auth users too.
Tested on Rundeck 4.3.1 (Debian 9).

Related

Securing NodeRED dashboard from unwanted access

I'm trying to create some kind of user authentication to prevent unwanted access to my NodeRED's User Interface. I've searched online and found 2 solutions, that for some reason didn't worked out. Here they are:
Tried to add the httpNodeAuth{user:"user", pass:"password"} key to the bluemix-settings.js but after that my dashboard kept prompting me to type username and password, even after I typed the password defined at pass:"password" field.
Added the user defined Environtment Variables NODE_RED_USERNAME : username and NODE_RED_PASSWORD : password . But nothing has changed.
Those solutions were sugested here: How could I prohibit anonymous access to my NodeRed UI Dashboard on IBM Cloud(Bluemix)?
Thanks for the help, guys!
Here is a little bit of the 'bluemix-settings.js'
autoInstallModules: true,
// Move the admin UI
httpAdminRoot: '/red',
// Serve up the welcome page
httpStatic: path.join(__dirname,"public"),
//GUI password authentication (ALEX)
httpNodeAuth: {user:"admin",pass:"$2y$12$W2VkVHvBTwRyGCEV0oDw7OkajzG3mdV3vKRDkbXMgIjDHw0mcotLC"},
functionGlobalContext: { },
// Configure the logging output
logging: {
As described in the Node-RED docs here, you need to add a section as follows to the settings.js (or in the case of Bluemix/IBM Cloud the bluemix-settings.js file.
...
httpNodeAuth: {user:"user",pass:"$2a$08$zZWtXTja0fB1pzD4sHCMyOCMYz2Z6dNbM6tl8sJogENOMcxWV9DN."},
...
The pass files is a bcrypt hash of the password. There are 2 ways listed in the docs about how to generate the hash in the correct way.
if you have a local copy of Node-RED installed you can use the following command:
node-red admin hash-pw
As long as you have a local NodeJS install you can use the following:
node -e "console.log(require('bcryptjs').hashSync(process.argv[1], 8));" your-password-here
You may need to install bcryptjs first with npm install bcryptjs first.

MarkLogic CORB - What're permissions to run corb

What're permissions allow developers to run corb for selecting/updating nodes in MarkLogic.
roles: hadoop-user-read
hadoop-user-write
The exact permissions will depend upon your environment.
At a minimum you will need to be able to login to the XDBC server and eval code and/or invoke modules, read URIs, and write documents.
I'd start by giving the user the rest-evaluator role, which will give them rest-reader and rest-writer roles, plus the following execute permissions:
xdbc:eval
xdbc:eval-in
xdbc:invoke
xdbc:invoke-in

How do I access the current host's roles in Capistrano?

I would like to access the current host/remote machines roles in a yml template file when deploying with capistrano.
What I've tried
I've tried experimenting to see if there's a host variable available but that doesn't seem to have any effect.
$CAPISTRANO:HOST$ seems to be for older versions of capistrano.
How could I do something like this pseudocode in a templated yaml file?
production:
app_name: <%= TODO: IF HOST A/b/c -- App 1. If host Z -- app 2 %>
From what I understand, I have handled a similar problem programatically.
As you may know for each environment there is a .rb file in the config/deploy/ directory.
In our problem, we had a YAML file that had host and role information, viz. below:
A:
- web
- db
- mongo
B:
- web
- app
To apply this role specific to each host, we iterated over this YAML file (ruby has easy to follow instructions on that) and added a line of code. Here is the psuedocode:
for host in HOST_LIST_YAML do
for role in ROLE_LIST do
role :role, %w{USER#host}
end
end
Here, all the role mappings are applied to the hosts. Similarly, you can write this code on your environment.rb file.

'User is missing the Overall/Read permission' error with Jenkins GitHub OAuth Plugin

I'm using the github oauth plugin for our logins but for all of our users in the Organisation I get an error:
Access Denied
<user> is missing the Overall/Read permission
I have tried everything I can possibly think of to try to make this work and I'm probably going to fallback to making everyone an admin user, which i would prefer not to do.
Any advise would be appreciated.
This is how I resolved the authentication problem:
Edit config.xml file, e.g.
sudo vi /var/lib/jenkins/config.xml
Change useSecurity element's value to false, e.g.
<useSecurity>false</useSecurity>
Remove authorizationStrategy block
Restart Jenkins: /etc/init.d/jenkins restart.
Access Jenkins through URL as usual and reconfigure security again.
I had the same problem with "... is missing the Overall/Read permission" on Jenkins (1.651.2) with activated Credentials Plugin.
But it was my own failure: I only configured the user on project side (by credential plugin) but missed to configure the global security.
So I fixed it by selecting:
Jenkins -> Manage Jenkins -> Configure Global Security
And did setup missing global settings (or project matrix based one)
Have you followed this step, from the plugin page?
Control user authorization (i.e. who is allowed to see the jobs and build them) using the Github Commiter Authorization Strategy
Also, make sure you actually allow authenticated users to access Jenkins
Under Jenkins global configuration, under Authorization, add user/group called authenticated
Give that group Overall Read permission
The group should show up with a "group" icon (two users), as opposed to single user icon.
reset from <useSecurity>true</useSecurity> to <useSecurity>false</useSecurity> in config.xml and set the permission again.
Edit file /var/lib/jenkins/config.xml and add the following lines :
<authorizationStrategy class="hudson.security.ProjectMatrixAuthorizationStrategy">
<permission>hudson.model.Hudson.Read:john.smith</permission>
</authorizationStrategy>
Restart Jenkins
What I did when I got this error is to edit config.xml as mentionned by other users and correctly re-add my username in LOWERCASE in "configureSecurity" Jenkins' page. I was using "KrustyHack" when adding permissions but it didn't work. I had to add "krustyhack" instead, and it worked.
I hope it helps.
I had the same problem here, but it affected only some users, not all of them. Anyway, you should check public organization membership : documentation of the plugin states that "You have to be a public member of the organization for the authorization to work correctly." (https://wiki.jenkins-ci.org/display/JENKINS/Github+OAuth+Plugin).
Follow instructions from GitHub (https://help.github.com/articles/publicizing-or-hiding-organization-membership/) in order to make organization membership public, and this might fix your issue.
Also check the case user names in the authorizationStrategy element. I made my new user's name lower case and restarted the service and it the error went away.
Fix it by these 2 shell commands on the server (sudo permission is required):
sudo ex +g/useSecurity/d +g/authorizationStrategy/d -scwq /var/lib/jenkins/config.xml
sudo /etc/init.d/jenkins restart
This will remove useSecurity and authorizationStrategy lines from your config file.
See also: Disable security at Jenkins website
We hit this same error when a github organization administrator changed the organization's settings for "Third-party access" to "restrict third-party application access". Reverting to the previous settings within the github organization resolved the problem.
See github oauth-app-access-restrictions for details on how to configure that properly.
The assignment of roles to users is stored in config.xml file. Add the ID of the user directly to the role and then restart Jenkins.
In my case, I have a role named editor and a bunch of users assigned to the role.
<role name="editor" pattern=".*">
<permissions>
<...>
<permission>hudson.model.Item.Create</permission>
<permission>hudson.model.Item.Workspace</permission>
<permission>...</permission>
</permissions>
<assignedSIDs>
<sid>bob</sid>
<sid>alice</sid>
<sid>**newuser**</sid>
</assignedSIDs>
</role>
The matrix security is not terribly clear. I am a member of a specific group in our org that has admin privileges however I am also an authenticated user. I would think that the one group super-cedes the other however I have to have both in order to actually log into the system and be admin. It's screwed up IMO.
go to your-jenkins-host:port/role-strategy/assign-roles and configure roles for the user
I had the same problem before,
your OAuth application need your organization owner's approve,
then the OAuth Plugin can access the private data in it
I am using Crowd 2 plugin and I have the same problem.
I fixed it by downgrading OWASP Markup Formatter Plugin from varsion 1.2 to version 1.1 and then changing Markup Formatter in Configure Global Security value to Raw HTML, before it was Plain text.
I had exactly the same problem and adding the plugin Role Strategy Plugin fixed the problem.
All I had to do was install the plugin, create two groups - admin / developer and then add users to the groups.
A much much better solution than recreating the whole permissions matrix :)
I had a similar problem I was not able access Jenkin account and the system was locked.
I had only an error message. "Access Denied "
When I tried to reinstall Jenkins then it prompted to Repair option.
By clicking Repair option it fixed the problem.
Go to $JENKINS_HOME (linux, jenkins in windows), and find config.xml file.
Open this file in the editor. (take backup of .jenkins home)
Look for the <useSecurity>true</useSecurity> element in this file.
Replace "true" with "false"
Remove the elements authorizationStrategy and securityRealm
Start Jenkins
I found it in
C:\ProgramData\Jenkins\.jenkins
Jenkins Version: 2.319.2
Instead of removing all security (the top answer), Add admin access as root, to the user you want to give admin to. We had the same issue where all admins were no longer with the company. This is how I resolved the authentication problem: I logged into:
jenkins#<jenkins server>:/var/lib/jenkins/
Edit config.xml file, and add a config for
<permission>hudson.model.Hudson.Administer:<username></permission>
Then restart Jenkins:
root#<jenkins server>:/$ /etc/init.d/jenkins restart
Just use Jenkins > Configure Global Security bottom page matrix to provide permissions to the user (start w/ read)
I edited the /var/lib/jenkins/config.xml file and replaced the
<authorizationStrategy>...</authorizationStrategy>
with
<authorizationStrategy class="hudson.security.FullControlOnceLoggedInAuthorizationStrategy">
<denyAnonymousReadAccess>true</denyAnonymousReadAccess>
</authorizationStrategy>
It is the default settings after installation. Then restart the jenkins service.

jboss username and password for login

How can, we know the jboss username and password for login
Under your JBoss application server directory, look for a file named:
conf/login-config.xml
There will be a block called:
<application-policy name="jmx-console">
... which will tell where your file-based username=password combinations are stored. I believe the default path is:
conf/props/jmx-console-users.properties
By default credential in Jboss is Given below
login: admin
password: admin
But if you use EAP these credential are turn off by default and there is no active user (security reasons :)). If you want to turn on these user you have to edit file in your current profile: ./deploy/management/console-mgr.sar/web-console.war/WEB-INF/classes/web-console-users.properties. It should be enough to remove # sign form the line with the user.
If you want to create new user don't forget to set up correct groups in
web-console-roles.properties file.
You can easly find information where these information are store. Just open the ./conf/login-config.xml file and find the proper security domain definition. In case of Web Console application it will be web-console policy.
or
in JBoss application server directory you have to look for a file named which is given below:
conf/login-config.xml
Inside this file search for application and go to below tags
<application-policy name="jmx-console">
which will tell where your file-based username=password combinations are stored. I think that default path is:
conf/props/jmx-console-users.properties
User: jboss
Password: passw0rd
If you are referring to JBoss' console user/password.