Unauthorized 401 from `gem` - github

$ gem install bundler:2.2.21
ERROR: While executing gem ... (Gem::RemoteFetcher::FetchError)
bad response Unauthorized 401 (https://bart_simpson:REDACTED@rubygems.pkg.github.com/private_org/api/v1/dependencies?gems=bundler)
and
$ gem update --system
ERROR: While executing gem ... (Gem::RemoteFetcher::FetchError)
bad response Unauthorized 401 (https://bart_simpson:REDACTED@rubygems.pkg.github.com/private_org/specs.4.8.gz)
I've got a good personal token (good = full permissions, and not expired) set in two places:
$ cat ~/.bundle/config
---
BUNDLE_RUBYGEMS__PKG__GITHUB__COM: "bart_simpson:ghp_nJabIP9JjPe7KOwgDrkiJextJggm114MZh7f"
BUNDLE_HTTPS://RUBYGEMS__PKG__GITHUB__COM/PRIVATE_ORG/: "bart_simpson:ghp_nJabIP9JjPe7KOwgDrkiJextJggm114MZh7f"
and
$ cat ~/.gem/credentials
---
:github: Bearer ghp_nJabIP9JjPe7KOwgDrkiJextJggm114MZh7f

Ah! After generating a new personal token and saving it in the two places mentioned in the Question, I forgot about a third place (which did the trick)...
$ cat ~/.gemrc
---
:backtrace: false
:bulk_threshold: 1000
:sources:
- https://rubygems.org/
- https://bart_simpson:ghp_nJabIP9JjPe7KOwgDrkiJextJggm114MZh7f@rubygems.pkg.github.com/private_org/
:update_sources: true
:verbose: true
Docs: https://docs.github.com/en/packages/working-with-a-github-packages-registry/working-with-the-rubygems-registry#authenticating-with-a-personal-access-token
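
The 401 above came from one token being stored in three files, one of which still held the old value. As an added example (not part of the original post, and not code from GitHub, RubyGems or Bundler), this Ruby script fingerprints the GitHub token found in each of those files and reports the file that disagrees, without printing any token; the token pattern, the helper names and the sample contents are assumptions constructed for illustration.

```ruby
require "digest"

# Assumed token shape: classic GitHub PAT, "ghp_" plus 36 alphanumerics
# (fine-grained "github_pat_" tokens are not matched by this pattern).
PAT = /ghp_[A-Za-z0-9]{36}/
# The three per-user files named in this thread, relative to $HOME.
TOKEN_FILES = %w[.bundle/config .gem/credentials .gemrc].freeze

# Constructed sample (not real tokens): .gemrc still holds the old token.
NEW_TOK, OLD_TOK = %w[N O].map { |c| "ghp_" + c * 36 }
SAMPLE = {
  ".bundle/config"   => "BUNDLE_RUBYGEMS__PKG__GITHUB__COM: \"bart_simpson:#{NEW_TOK}\"\n",
  ".gem/credentials" => ":github: Bearer #{NEW_TOK}\n",
  ".gemrc" => ":sources:\n- https://bart_simpson:#{OLD_TOK}@rubygems.pkg.github.com/private_org/\n"
}.freeze

# Short one-way label so tokens can be compared without printing them.
def fingerprint(token)
  Digest::SHA256.hexdigest(token)[0, 12]
end

# contents: { path => file text }. Returns { fingerprint => [paths] }.
def tokens_by_fingerprint(contents)
  groups = Hash.new { |h, k| h[k] = [] }
  contents.each do |path, text|
    text.scan(PAT).uniq.each { |tok| groups[fingerprint(tok)] << path }
  end
  groups
end

# Paths whose token differs from the one most files share (likely stale).
# On a tie, the first token encountered is treated as the reference.
def stale_paths(contents)
  groups = tokens_by_fingerprint(contents)
  return [] if groups.size < 2
  reference = groups.max_by { |_, paths| paths.size }.first
  groups.reject { |fp, _| fp == reference }.values.flatten.uniq.sort
end

# Read whichever of the real files exist and are readable under home.
def read_token_files(home = ENV["HOME"])
  return {} unless home
  TOKEN_FILES.map { |rel| File.join(home, rel) }
             .select { |p| File.file?(p) && File.readable?(p) }
             .to_h { |p| [p, File.read(p)] }
end

if $PROGRAM_NAME == __FILE__
  found = read_token_files
  contents = found.empty? ? SAMPLE : found # fall back to the constructed sample
  tokens_by_fingerprint(contents).each { |fp, ps| puts "#{fp}  #{ps.join(', ')}" }
  stale_paths(contents).each { |p| warn "token differs from the others: #{p}" }
end
```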

Related

Hashicorp Vault - Permission denied in API While Success In CLI

I'm running a PoC with HCP Vault.
I created an admin token. I logged in from my computer. Developed a policy with reading permission to a simple KV secret. I generated a token from the policy.
With the same token in the CLI I manage to get the secret. I try to fetch the data from the REST API but I receive 403.
Note: When I run Vault in dev mode locally both methods work
❯ vault token create -policy=my-spring-boot-app-policy
Key Value
--- -----
token hvs.XXX
token_accessor AAA
token_duration 1h
token_renewable true
token_policies ["default" "my-spring-boot-app-policy"]
identity_policies []
policies ["default" "my-spring-boot-app-policy"]
❯ vault login hvs.XXX
Success! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run "vault login"
again. Future Vault requests will automatically use this token.
Key Value
--- -----
token hvs.XXX
token_accessor AAA
token_duration 59m44s
token_renewable true
token_policies ["default" "my-spring-boot-app-policy"]
identity_policies []
policies ["default" "my-spring-boot-app-policy"]
❯ curl --header "X-Vault-Token: hvs.XXX" --request GET https://vault-cluster-public-vault-XXX.YYY.z1.hashicorp.cloud:8200/v1/secret/data/my-spring-boot-app | jq
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 60 100 60 0 0 125 0 --:--:-- --:--:-- --:--:-- 127
{
"errors": [
"1 error occurred:\n\t* permission denied\n\n"
]
}
CLI
❯ vault kv get secret/my-spring-boot-app
========= Secret Path =========
secret/data/my-spring-boot-app
======= Metadata =======
Key Value
--- -----
created_time 2022-09-15T14:03:22.327127967Z
custom_metadata <nil>
deletion_time n/a
destroyed false
version 5
======= Data =======
Key Value
--- -----
hello.world Bye from Vault
mykey Vault Key
To get a response from HCP Vault you need to add the header X-Vault-Namespace with the value admin.
For example:
❯ curl --header "X-Vault-Token: hvs.XXX" --header "X-Vault-Namespace: admin" --request GET https://vault-cluster-public-vault-AAA.BBB.z1.hashicorp.cloud:8200/v1/secret/data/my-spring-boot-app | jq
I found the reference in https://cloud.spring.io/spring-cloud-vault/reference/html/#vault.config.namespaces

vault templating paths in policies results in permission denied

I'm trying to create a policy that allows for users to access a portion of the secret hierarchy based on their usernames. Rather than having a different policy for each user, I want to have one templated policy. I think this should work, but I keep getting permission denied errors. If I remove the templating and just hard-code the username in the policy path, secret retrieval works just fine, so it doesn't seem like it's any other part of the policy definition.
This is all with Vault 1.3.1, against a dev server, but the problem first came up on a non-dev server, with GCP/GCE authentication and database secrets, so it doesn't seem to be specific to any of those things, either.
Enable username/password authentication, and create a user that points to a new policy (to be defined later).
$ vault auth enable userpass
Success! Enabled userpass auth method at: userpass/
$ vault write auth/userpass/users/duvall policies=default,p2 password=duvall
Success! Data written to: auth/userpass/users/duvall
Login as this user and take a look at the token metadata.
$ vault login -method userpass username=duvall password=duvall
$ vault token lookup
Key Value
--- -----
accessor 9ga3alRqZ6E3aSCEBNFWJY1X
creation_time 1581468214
creation_ttl 768h
display_name userpass-duvall
entity_id 7513dc68-785b-d151-0efb-71315fc026dc
expire_time 2020-03-15T00:43:34.707416501Z
explicit_max_ttl 0s
id s.YZRQ3uclh2rg2H7gh3qH84P3
issue_time 2020-02-12T00:43:34.707423899Z
meta map[username:duvall]
num_uses 0
orphan true
path auth/userpass/login/duvall
policies [default p2]
renewable true
ttl 767h50m35s
type service
Create the aforementioned policy with a path templated based on the metadata key username.
$ export VAULT_TOKEN=root
$ echo 'path "secret/data/role-secrets/{{identity.entity.metadata.username}}/*" {capabilities = ["read"]}' | vault policy write p2 -
Success! Uploaded policy: p2
Create a secret that matches the path in the policy.
$ vault kv put secret/role-secrets/duvall/s1 foo=bar
Key Value
--- -----
created_time 2020-02-12T00:44:36.509412834Z
deletion_time n/a
destroyed false
version 1
As the user, reading the secret results in failure.
$ export VAULT_TOKEN=s.YZRQ3uclh2rg2H7gh3qH84P3
$ vault kv get secret/role-secrets/duvall/s1
Error making API request.
URL: GET http://127.0.0.1:8200/v1/sys/internal/ui/mounts/secret/role-secrets/duvall/s1
Code: 403. Errors:
* preflight capability check returned 403, please ensure client's policies grant access to path "secret/role-secrets/duvall/s1/"
Rewrite the policy to remove the templating.
$ export VAULT_TOKEN=root
$ echo 'path "secret/data/role-secrets/duvall/*" {capabilities = ["read"]}' | vault policy write p2 -
Success! Uploaded policy: p2
This time, reading the secret succeeds.
$ export VAULT_TOKEN=s.YZRQ3uclh2rg2H7gh3qH84P3
$ vault kv get secret/role-secrets/duvall/s1
====== Metadata ======
Key Value
--- -----
created_time 2020-02-12T00:44:36.509412834Z
deletion_time n/a
destroyed false
version 1
=== Data ===
Key Value
--- -----
foo bar
I'm not sure how relevant this is, but ... adding a metadata list capability to the policy changes the read error from a "preflight capability check" to a more normal "permission denied".
$ echo 'path "secret/metadata/*" {capabilities = ["list"]}\npath "secret/data/role-secrets/{{identity.entity.metadata.username}}/*" {capabilities = ["read"]}' | VAULT_TOKEN=root vault policy write p2 -
Success! Uploaded policy: p2
$ vault kv get secret/role-secrets/duvall/s1
Error reading secret/data/role-secrets/duvall/s1: Error making API request.
URL: GET http://127.0.0.1:8200/v1/secret/data/role-secrets/duvall/s1
Code: 403. Errors:
* 1 error occurred:
* permission denied
You are missing the point that if you want to give access to secrets/database/rdb/ then you have to give read and list capabilities for the paths secrets, database, rdb.
Now if you have multiple secrets stored in the secrets/ path that you don't want to share, then you have to give deny for those paths.

wget can't download webmin - 404 error

I have this error
--2018-02-14 13:45:42-- http://www.webmin.com/jcameron-key.asc
Resolving www.webmin.com (www.webmin.com)... 216.105.38.10
Connecting to www.webmin.com (www.webmin.com)|216.105.38.10|:80... connected.
HTTP request sent, awaiting response... 302 Moved Temporarily
Emplacement : https://sourceforge.net/error-404.html [next]
--2018-02-14 13:45:43-- https://sourceforge.net/error-404.html
Resolving sourceforge.net (sourceforge.net)... 216.105.38.10
Connecting to sourceforge.net (sourceforge.net)|216.105.38.10|:443... connected.
HTTP request sent, awaiting response... 404 Not Found
2018-02-14 16:45:44 ERROR 404: Not Found.
When I do this
root@server:/tmp$ wget http://www.webmin.com/jcameron-key.asc
Any solution, please?
404 not found means that the link you provided did not resolve to anything and thus it doesn’t exist anymore. It’s server side and thus you have no control.
I have the solution:
Install via shell command
If you would like to install and update Webmin via APT, do it like this:
$~: sudo nano /etc/apt/sources.list
Add this at the bottom of the file, last line.
deb http://download.webmin.com/download/repository sarge contrib
deb http://webmin.mirror.somersettechsolutions.co.uk/repository sarge contrib
Install Webmin
:~$ sudo -i
:~$ wget https://www.techandme.se/wp-content/uploads/2015/01/jcameron-key.asc
:~$ apt-key add jcameron-key.asc
:~$ apt-get update && apt-get install webmin --force-yes -y && rm jcameron-key.asc
Login
https://your-ip-adress:10000
This happens due to maintenance of Webmin servers moving to the other location. It will be back in a bit.
Sorry about that.
I was trying to download tomcat using wget command and getting below error.
Error-
sudheer@sudheer:~$ wget https://www-eu.apache.org/dist/tomcat/tomcat-9/v9.0.11/bin/apache-tomcat-9.0.11.tar.gz -P /tmp
--2018-12-02 00:49:10-- https://www-eu.apache.org/dist/tomcat/tomcat-9/v9.0.11/bin/apache-tomcat-9.0.11.tar.gz
Resolving www-eu.apache.org (www-eu.apache.org)... 2a01:4f9:2a:185f::2, 95.216.24.32
Connecting to www-eu.apache.org (www-eu.apache.org)|2a01:4f9:2a:185f::2|:443... connected.
HTTP request sent, awaiting response... 404 Not Found
2018-12-02 00:49:12 ERROR 404: Not Found.
Solution-
Check whether the URL "https://www-eu.apache.org/dist/tomcat/tomcat-9/v9.0.11/bin/apache-tomcat-9.0.11.tar.gz" is correct or not.
I found this URL doesn't exist, so I corrected it and it's working fine. The correct URL should be
"https://www-eu.apache.org/dist/tomcat/tomcat-9/v9.0.13/bin/apache-tomcat-9.0.13-deployer.tar.gz"
Output:-
sudheer@sudheer:~$ wget https://www-eu.apache.org/dist/tomcat/tomcat-9/v9.0.13/bin/apache-tomcat-9.0.13-deployer.tar.gz -P /tmp
--2018-12-02 00:53:18-- https://www-eu.apache.org/dist/tomcat/tomcat-9/v9.0.13/bin/apache-tomcat-9.0.13-deployer.tar.gz
Resolving www-eu.apache.org (www-eu.apache.org)... 2a01:4f9:2a:185f::2, 95.216.24.32
Connecting to www-eu.apache.org (www-eu.apache.org)|2a01:4f9:2a:185f::2|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2636635 (2.5M) [application/x-gzip]
Saving to: ‘/tmp/apache-tomcat-9.0.13-deployer.tar.gz’
apache-tomcat-9.0.13-deployer.tar.gz 100%[=======================================================================>] 2.51M 370KB/s in 7.0s
2018-12-02 00:53:27 (370 KB/s) - ‘/tmp/apache-tomcat-9.0.13-deployer.tar.gz’ saved [2636635/2636635]

WGET a Redmine CSV file

I am trying to get a CSV file from Redmine in a shell script. WGET is complaining about an unacceptable. Any ideas what the magical incantation is, or how to find it?
$ wget --no-check-certificate --accept csv https://username:password@company.com/redmine/issues.csv?utf8=%E2%9C%93&columns=all&description=1
Resolving company.com (company.com)... 192.168.1.45
Connecting to company.com (company.com)|192.168.1.45|:443... connected.
WARNING: The certificate of ‘company.com’ is not trusted.
WARNING: The certificate of ‘company.com’ hasn't got a known issuer.
HTTP request sent, awaiting response... 406 Not Acceptable
2017-04-04 10:14:20 ERROR 406: Not Acceptable.
You can try to replace --accept csv with --accept "*.csv". See the wget manual: https://www.gnu.org/software/wget/manual/wget.html#Recursive-Accept_002fReject-Options

Updating Google Storage object metadata without full access

Is there a way to update the metadata of an object in Google Storage when using an OAuth2 authentication token with read/write (but not full) access to the bucket?
My naive attempts (HTTP PUT with x-goog-copy-source set to the same object, and x-goog-metadata-directive: REPLACE) fail with an AccessDenied error. gsutil seems to have the same problem:
$ gsutil config -r -w
[...]
$ echo hello > foo.txt
$ gsutil -h "x-goog-meta-foo: bar" cp foo.txt gs://nikratio-test/
Copying file://foo.txt [Content-Type=text/plain]...
Uploading gs://nikratio-test/foo.txt: 0 B/6 B
$ gsutil stat gs://nikratio-test/foo.txt
gs://nikratio-test/foo.txt:
Creation time: Sun, 09 Nov 2014 22:34:22 GMT
Content-Language: en
Content-Length: 6
Content-Type: text/plain
Metadata:
foo: bar
Hash (crc32c): NT3Yvg==
Hash (md5): sZRqySSS0jR8YjW00mERhA==
ETag: CID8ka7K7sECEAE=
Generation: 1415572462272000
Metageneration: 1
$ gsutil setmeta -h "x-goog-meta-foo: com" gs://nikratio-test/foo.txt
Setting metadata on gs://nikratio-test/foo.txt...
AccessDeniedException: 403 Forbidden
I presume this is because the setmeta operation would also allow me to change the ACL of the object.
However, it seems to me that if I'm able to delete the object and re-upload it with different metadata using the same authorization, then there really ought to be a way to just change the metadata as well.
Setting metadata works with OAuth2. I suggest running this gsutil command and comparing the protocol output it generates with what you're doing:
gsutil -o GSUtil:prefer_api=xml -d setmeta -h x-goog-meta-data-00:gAJ9cQBYBQAAAGFwcGxlcQFYCAAAAHBvdGF0b2VzcQJzLg gs://your-bucket/your-object