Hi everyone, I am facing some issues on Solaris 11.4 implementing RBAC. I created a user and a role and gave profiles to the role, but I can execute the command. I drop my RBAC configuration below.
$ useradd -m test
$ passwd test
$ roleadd -c "User Administrator role,User Management role local" -m -K profiles="User Security,User Management" sec1
$ passwd sec1
$ usermod -R +sec1 test
I log in with my new test user and my role sec1 successfully. I can create a user, set a password, and delete a user and password. The role cannot add a new role.
sec1#:~$ usermod -R +sec1 test
/usr/lib/passmgmt: Permission denied. Cannot set roles to sec1, requires sec1 role.
UX: usermod: ERROR: Permission denied.
UX: usermod: ERROR: Cannot update system - login cannot be modified.
How can I use usermod and rolemod for the user? Can anyone help me? Which Solaris profiles have access to roles related to the user?
It seems that there is some bug in the usermod command when it is run from a role (not a user). I succeeded in delegating this privilege user-to-user (without a role).
As the root user, give the privilege to the test user directly:
/usr/sbin/usermod -K profiles="User Security,User Management" test
Also create another user for testing:
useradd -m testuseradm
Then log in as test and use this privilege:
pfexec /usr/sbin/usermod -K profiles="User Security,User Management" testuseradm
Optionally you could add -K auth_profiles="User Security,User Management" to ask testuseradm to enter his password again.
The main difference between a user and a role: the role cannot log in directly. So you may create some shared user account and introduce it as a role to your colleagues as a workaround.
Related
I have a local test installation of Keycloak 12 and unfortunately I've lost the admin password. Any idea on how to reset it or reset the Keycloak configuration without losing the realms?
I already used the add-user CLI command to add a user, but even with that one I can't get access.
The Keycloak admin user is created only during the first initialization of the container image. Once it's created, the environment variable KEYCLOAK_PASSWORD has no effect. When restarting the pod you can see in the initialization logs:
16:16:35,881 WARN [org.keycloak.services] (ServerService Thread Pool -- 62) KC-SERVICES0104: Not creating user admin. It already exists.
To create a new admin user you should delete the current one in the database. Or just change the admin username to admin_bkp if you prefer. After this, just restart the container and the admin user is created again.
Connect to the database
$ kubectl exec -it keycloak-database-bd94f668c-rvmbt -- bash
bash-5.1$ psql keycloak -U postgre -W
Delete or update the current admin user:
psql (12.10)
Type "help" for help.
keycloak=# update user_entity set "username"='admin_bkp' where "username"='admin';
UPDATE 1
Delete the application pod
$ kubectl delete pod keycloak-database-bd94f668c-rvmbt
Now you should be able to log in using the admin user passed through the environment variables KEYCLOAK_USER and KEYCLOAK_PASSWORD
If you are using the Keycloak Docker image, you can get the admin credentials using docker inspect:
docker inspect <keycloak_container_id>
then search for Config > Env, you will find KEYCLOAK_USER and KEYCLOAK_PASSWORD.
For me, I had to find the user in the user_entity table. Then delete rows in related tables. After this, I restarted the pod, and the admin user login became the one passed through the environment variables KEYCLOAK_USER and KEYCLOAK_PASSWORD.
Find the user id
select * from user_entity;
Delete rows
delete from credential where user_id = '<user-id>';
delete from user_role_mapping where user_id = '<user-id>';
delete from user_entity where id = '<user-id>';
Hello everyone, I tried to activate Tableau Server but it said
tsm command not found
I tried to activate it using the command
tsm licenses activate -k myproductkey
Before that I tried to run this command
sudo ./initialize-tsm --accepteula
and got this 'warning'. I don't really get the meaning of the 'warning', maybe because of my lack of English(?)
User 'root' has been selected as the user to add to the TSM authorized group, but
TSM does not allow root as a TSM-authorized user. You must either re-run this
script using 'sudo' while logged in as a normal user instead of root (most common
case), rerun this script with the '-a username' option to select a user other than
root to add to the group, or the '-g' flag to disable group addition completely
and add appropriate users to the group yourself. Canceling.
Why do I get this error and how do I resolve it?
Use the -a flag to specify a user to be added to the tsmadmin and tableau groups instead of the user running this script. If you are installing with the root account, then you must specify the -a flag.
I have lost the Sonarqube Server admin password and want to recover it; any support will be appreciated.
Environment docker images:
sonarqube:7.9.5-community
postgres:12.5-alpine
I have gone through the previously answered block but unfortunately nothing worked out.
Best
The idea is the same as mentioned in the Sonarqube Security Docs under the title "Reinstating Admin Access".
My Solution:
I had to spin up a fresh Docker container in order to get the default crypted_password value. If you already know/have the crypted password value then there is no need to spin up fresh containers; just follow the steps below, replacing the crypted_password accordingly.
The crypted_password value below belongs to admin.
Exec into the Postgres Docker container:
docker exec -it POSTGRES-CONTAINER-NAME bash
Inside the Postgres container, log in with the credentials and follow the on-screen instructions:
psql -U sonar -W
Confirm the database and users:
select * from users;
The output must show the Sonarqube users table.
Then update the password to the default, i.e. admin:
update users set crypted_password = '$2a$12$2NA1PhmvfPVwdwq5WeQj.Opb0z4OGYP8s2yPMRRum18bGV5nJK86W', salt=null where login = 'admin';
Try to log in to the Sonarqube server with the default credentials:
ID: admin
Password: admin
To learn more, see the Sonarqube Security Docs.
I am using admin-cli to add some pre-configurations to a Keycloak 3.4.3 Docker container.
One of the things that I want to do is add a certain realm role to the list of Default Realm Roles, so that this role is applied automatically when a new user is registered (using the web user registration form).
I couldn’t find anything about this in the documentation.
Any ideas on how this could be achieved using admin-cli commands?
Thanks.
I faced the same question today. Here is my solution:
echo Creating realm TEST
kcadm.sh create realms -s realm=test -s enabled=true
echo Creating Test_Default role
kcadm.sh create roles -r test -s name=test_default
echo Adding Test_Default role to the TEST realm default roles
kcadm.sh update realms/test -f - << EOF
{ "realm": "test", "enabled": true, "defaultRoles" : [ "offline_access", "uma_authorization", "test_default" ] }
EOF
As of Keycloak 18.0.0 changing the Realm Default Roles using kcadm.sh doesn't work via updating the realm's JSON, but does via composite rules.
When we create a realm (e.g. named realm-test1), Keycloak automatically creates a corresponding composite rule default-roles-realm-test1 and populates it with built-in roles offline_access and uma_authorization:
Here is how we add our own role to (and remove a role from) Realm Default Roles.
$ docker exec -ti keycloak_keycloak_1 bash
bash-4.4$ /opt/keycloak/bin/kcadm.sh create realms -s realm=realm-test1 -s enabled=true
Created new realm with id 'realm-test1'
bash-4.4$ /opt/keycloak/bin/kcadm.sh create roles -r realm-test1 -s name=role-test1
Created new role with id 'role-test1'
bash-4.4$ /opt/keycloak/bin/kcadm.sh add-roles --rname default-roles-realm-test1 --rolename role-test1 -r realm-test1
bash-4.4$ /opt/keycloak/bin/kcadm.sh remove-roles --rname default-roles-realm-test1 --rolename offline_access -r realm-test1
Hitting F5 in the browser we see that it works:
Documentation
https://www.keycloak.org/docs/latest/server_admin/#adding-realm-roles-to-a-composite-role
We use Mattermost using the 'Production Docker' setup as described in Mattermost documentation. For authentication, we federate using GitHub:Enterprise.
To set up our Mattermost team, I imported the whole Slack history. This led to the problem that everyone who had not yet logged into Mattermost via GitHub:Enterprise was not able to log in. Mattermost helpfully returned the error message
"An existing user is already attached to your gitlab account"
How can I fix this issue without having to set up a new Mattermost instance and force everyone to log in once before importing the Slack data?
Prerequisites
In order for this to work, you need
GitHub:Enterprise Administrator permissions
On the Mattermost machine, either root permissions or an account that is allowed to control docker, and, if psql is not installed, a way to install the psql command-line tool.
Steps
ssh into the Mattermost VM/machine (where the Mattermost Docker containers are running).
Change to an account with docker permissions (root; or the account you set up during Mattermost installation; or ... )
Use docker ps and note the hash of the container mattermostdocker_db. We will assume it starts with 5c23.
Run docker inspect 5c23 | grep IPAddress. Note the IP address of the container. We will assume it is 172.17.0.2.
Ensure that the psql commandline tool is installed on the machine where mattermost/docker is running.
On debian: apt-get install postgresql-client
Connect to the mattermost db of postgresql running inside the docker container:
psql -h 172.17.0.2 -p 5432 -d mattermost -U postgres -W
The (default?) password seems to be postgres.
Verify that a user account with the correct email exists. Assume the email of the account that has the problem is 'john#example.com'.
mattermost-# select email, authdata from users where email = 'john#example.com';
Connect to GitHub:Enterprise and open the admin console. We will assume the local github enterprise instance is at https://github.example.com.
Click on the rocket symbol, or
https://github.example.com/stafftools
Click on all users and find the user that cannot login. We assume the github username is john, which would correspond to https://github.example.com/john
Visit the stafftools user security page for that user.
https://github.example.com/stafftools/users/john/security
Click on the 'Search logs' link under the 'Audit logs' header. This will open a page with a query field. On this page, you will find the internal github user number for that user. Note this number. We will assume the number is 37.
Back in the psql console, update the user entry with the correct number:
update users set authservice = 'gitlab', authdata = '37' where email = 'john#example.com' ;
Exit the psql console with \q:
mattermost-# \q
Done. The user can now log into Mattermost with GitHub:Enterprise user authentication.
Notes
Don't forget to complete each statement in psql with a ;
It's gitlab, not github, even if you use GitHub:Enterprise
Tested with Mattermost 3.0, GitHub:Enterprise 2.6.2
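The update step above changes a row by hand, so it is worth guarding against a mistyped email or a user number that is already linked to another account. The following is an added example, not part of the original answer: an in-memory SQLite table stands in for the PostgreSQL `users` table (only the columns named in the post), and the function name `link_account` and the collision check are assumptions.

```python
import re
import sqlite3


def link_account(conn, email, github_id):
    """Set authservice/authdata for exactly one user, or change nothing."""
    github_id = str(github_id)
    if not re.fullmatch(r"[0-9]+", github_id):
        raise ValueError("GitHub user number must be numeric")
    with conn:  # commits on success, rolls back if an exception is raised
        rows = conn.execute(
            "SELECT authdata FROM users WHERE email = ?", (email,)).fetchall()
        if len(rows) != 1:
            raise LookupError(f"expected 1 user for {email}, found {len(rows)}")
        taken = conn.execute(
            "SELECT email FROM users WHERE authservice = 'gitlab' "
            "AND authdata = ? AND email <> ?", (github_id, email)).fetchone()
        if taken:
            raise LookupError(f"number {github_id} already linked to {taken[0]}")
        # Values are bound as parameters, never pasted into the SQL text.
        conn.execute(
            "UPDATE users SET authservice = 'gitlab', authdata = ? "
            "WHERE email = ?", (github_id, email))
    return conn.execute(
        "SELECT authservice, authdata FROM users WHERE email = ?",
        (email,)).fetchone()


def sample_db():
    """Constructed stand-in for the Mattermost users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (email TEXT, authservice TEXT, authdata TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("john#example.com", "", ""),          # imported, never logged in
        ("jane#example.com", "gitlab", "12"),  # already linked
    ])
    conn.commit()
    return conn


if __name__ == "__main__":
    print(link_account(sample_db(), "john#example.com", 37))
```

Against the real database the same checks apply with a PostgreSQL driver and its own placeholder syntax.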