I have a google storage bucket with Audit Logs enabled. Every one\two days I getting logs about PERMISSION DENIED. The log is specifying what kind of access the requestor is asking for. But, not give me enough information to answer the question - who is requesting?
This is the log message:
{
"insertId": "rr6wsd...",
"logName": "projects/PROJECT_ID/logs/cloudaudit.googleapis.com%2Fdata_access",
"protoPayload": {
"#type": "type.googleapis.com/google.cloud.audit.AuditLog",
"authenticationInfo": {},
"authorizationInfo": [
{
"permission": "storage.buckets.get",
"resource": "projects//buckets/BUCKET_NAME",
"resourceAttributes": {}
}
],
"methodName": "storage.buckets.get",
"requestMetadata": {
"callerSuppliedUserAgent": "Blob/1 (cr/340918833)",
"destinationAttributes": {},
"requestAttributes": {
"auth": {},
"reason": "8uSywAZKWkhOZWVkZWQg...",
"time": "2021-01-20T03:43:38.405230045Z"
}
},
"resourceLocation": {
"currentLocations": [
"us-central1"
]
},
"resourceName": "projects//buckets/BUCKET_NAME",
"serviceName": "storage.googleapis.com",
"status": {
"code": 7,
"message": "PERMISSION_DENIED"
}
},
"receiveTimestamp": "2021-01-20T03:43:38.488787956Z",
"resource": {
"labels": {
"bucket_name": "BUCKET_NAME",
"location": "us-central1",
"project_id": "PROJECT_ID"
},
"type": "gcs_bucket"
},
"severity": "ERROR",
"timestamp": "2021-01-20T03:43:38.399417759Z"
}
As you can see, the only information who talking about "who is trying to access" is
"callerSuppliedUserAgent": "Blob/1 (cr/340918833)",
But what that means? mean nothing to me.
How I can understand who is trying to access this permission?
The callerSuppliedUserAgent can be anything the client application puts in their request headers - Ignore it as this header can be faked. Only legitimate applications put anything meaningful in the header.
This is an unauthenticated request. There is no identity to record. Most likely a troll scanning the Internet looking for open buckets.
Notice that the auth key is empty. No authorization was provided in the request.
"requestAttributes": {
"auth": {},
"reason": "8uSywAZKWkhOZWVkZWQg...",
"time": "2021-01-20T03:43:38.405230045Z"
}
Related
I am testing the Single Product Message API endpoint in Whatsapp-Business Cloud.
It is working for some of the products in the catalogue, but for some other products in the same catalogue giving error as 'product not found for product_retailer_id, XX, in catalog_id, XXXXXXXXX'
I can't see any Issue / Policy violations for those products.
This is the Sample Request Payload
{
"messaging_product": "whatsapp",
"recipient_type": "individual",
"to": "XXXX",
"type": "interactive",
"interactive": {
"type": "product",
"body": {
"text": "Hello 111111"
},
"footer": {
"text": "Hello1 1111111"
},
"action": {
"catalog_id": "XXXX",
"product_retailer_id": "XX"
}
}
}
can you please help me to resolve this issue
I had the same issue. My catalog_id and product_retailer_id is valid, but somehow still do not work. Then I submit a ticket to FB direct support, and after a couple of seconds suddenly it works. I haven't gotten any response from direct support yet. Maybe after registering the catalog and connecting the catalog to a WhatsApp number, we need to wait for some time.
Here is my json payload
{
"messaging_product": "whatsapp",
"recipient_type": "individual",
"to": "6289XXX055XXX",
"type": "interactive",
"interactive": {
"type": "product",
"body": {
"text": "Indomie"
},
"footer": {
"text": "Indomie rasa soto"
},
"action": {
"catalog_id": "553992496785XXX",
"product_retailer_id": "indomie-soto"
}
}
}
I logged to vault with a root token.
I try to
$ vault token lookup
but I keep getting
Error looking up token: Error making API request.
URL: GET https://106.120.137.192:8200/v1/auth/token/lookup-self
Code: 403. Errors:
* permission denied
I have vault logs on Trace level, but there is no related event.
I enabled audit logs to see what's going on but they give me no hint.
[
{
"time": "2021-10-21T15:34:17.647568529Z",
"type": "request",
"auth": {
"token_type": "default"
},
"request": {
"id": "1d5d7f5f-94ca-e281-c0b2-5ffbceccb0dc",t
"operation": "read",
"mount_type": "token",
"client_token": "hmac-sha256:75f6fc0b19c105af0f2c27fd180742eef282c38d346fc732771bfaa2d1ce2ea6",
"namespace": {
"id": "root"
},
"path": "auth/token/lookup-self",
"remote_address": "172.18.0.1"
},
"error": "permission denied"
},
{
"time": "2021-10-21T15:34:17.647692649Z",
"type": "response",
"auth": {
"token_type": "default"
},
"request": {
"id": "1d5d7f5f-94ca-e281-c0b2-5ffbceccb0dc",
"operation": "read",
"mount_type": "token",
"client_token": "hmac-sha256:75f6fc0b19c105af0f2c27fd180742eef282c38d346fc732771bfaa2d1ce2ea6",
"namespace": {
"id": "root"
},
"path": "auth/token/lookup-self",
"remote_address": "172.18.0.1"
},
"response": {
"mount_type": "token",
"data": {
"error": "hmac-sha256:9493ed1bac12e9a7fae0e03c488dd1d5f46bcc33ea36ee2c1e5ca92acd683c81"
}
},
"error": "1 error occurred:\n\t* permission denied\n\n"
}
]
What else can I do?
I am running Vault 1.7.0
Ok. I found the problem does not happen when I am running same command on localhost, i.e., against local instance of Vault.
I am getting this from Facebook webhook. I am trying to get the sender's name and profile picture.
<pre>
{
"object": "page",
"entry": [
{
"id": "172916740162087",
"time": 1609667491,
"changes": [
{
"value": {
"from": {
"id": "2529118547136023",
"name": "Md Abid Hasan Nayem"
},
"post": {
"status_type": "added_photos",
"is_published": true,
"updated_time": "2021-01-03T09:51:29+0000",
"permalink_url": "https://www.facebook.com/CodeWareLTD/posts/851154192338335",
"promotion_status": "inactive",
"id": "172916740162087_851154192338335"
},
"message": "Happy new year",
"post_id": "172916740162087_851154192338335",
"comment_id": "851154192338335_853191445467943",
"created_time": 1609667489,
"item": "comment",
"parent_id": "172916740162087_851154192338335",
"verb": "add"
},
"field": "feed"
}
]
}
]
}
</pre>
When I am sending request with the user id /{USER_ID}?access_token=token then it's returning this error.
Whereas I have all the required permissions approved.
<pre>
{
"error": {
"message": "(#3) Application does not have the capability to make this API call.",
"type": "OAuthException",
"code": 3,
"fbtrace_id": "ABtpgYvcMuaA_jQcW8Fdi3M"
}
}
</pre>
I opened a bug report, but they told me it's ok as per the current Facebook system design. But
still, I'm unable to get the user's first name, last name, and profile picture.
Bug Report Link: https://developers.facebook.com/support/bugs/887826828623849/.
Please, help me to get the exact API to get the sender's name & profile picture.
my currently successfully reviewed permissions are:
email,
pages_manage_metadata,
pages_read_engagement,
pages_show_list,
pages_messaging,
pages_read_user_content,
public_profile,
pages_manage_engagement,
pages_manage_posts
I am building an action with the new Actions Builder and everything is going pretty smoothly. I just setup account linking and can successfully link my account, however, once I do link my account there is no token included in the subsequent requests for me to use, even though the account linking status is in the request as "LINKED". Can anyone shed any light on why I am not seeing a token?
For reference, here is a version of one of my requests.
{
"requestJson": {
"handler": {
"name": "main"
},
"intent": {
"name": "actions.intent.MAIN",
"params": {},
"query": "Talk to my new app"
},
"scene": {
"name": "actions.scene.START_CONVERSATION",
"slotFillingStatus": "UNSPECIFIED",
"slots": {},
"next": {
"name": "ListPrompt"
}
},
"session": {
"id": "ABwppHE7M6NS8KdyjljEptrtZZ5GkE3qDdaiwjYbL9ehrA-t_c-ZsCrZ_WhN0ZTG5lXXXXXXhU6Im5vgeSwow",
"params": {},
"typeOverrides": [],
"languageCode": ""
},
"user": {
"locale": "en-US",
"params": {},
"accountLinkingStatus": "LINKED",
"verificationStatus": "VERIFIED",
"packageEntitlements": [],
"lastSeenTime": "2020-07-13T12:02:42Z"
},
"home": {
"params": {}
},
"device": {
"capabilities": [
"SPEECH",
"RICH_RESPONSE",
"LONG_FORM_AUDIO"
]
}
}
}
The Google docs for the Account Linking with the new Actions Builder have now been updated with additional information. The token is now provided within the headers of the incoming request. Details of how to find and decode this can be found at https://developers.google.com/assistant/identity/google-sign-in#handle_data_access_requests
I am trying to hit my custom resource definition endpoint in Kubernetes but cannot find an exact example for how Kubernetes exposes my custom resource definition in the Kubernetes API. If I hit the custom services API with this:
https://localhost:6443/apis/apiextensions.k8s.io/v1beta1/customresourcedefinitions
I get back this response
"items": [
{
"metadata": {
"name": "accounts.stable.ibm.com",
"selfLink": "/apis/apiextensions.k8s.io/v1beta1/customresourcedefinitions/accounts.stable.ibm.com",
"uid": "eda9d695-d3d4-11e9-900f-025000000001",
"resourceVersion": "167252",
"generation": 1,
"creationTimestamp": "2019-09-10T14:11:48Z",
"deletionTimestamp": "2019-09-12T22:26:20Z",
"finalizers": [
"customresourcecleanup.apiextensions.k8s.io"
]
},
"spec": {
"group": "stable.ibm.com",
"version": "v1",
"names": {
"plural": "accounts",
"singular": "account",
"shortNames": [
"acc"
],
"kind": "Account",
"listKind": "AccountList"
},
"scope": "Namespaced",
"versions": [
{
"name": "v1",
"served": true,
"storage": true
}
],
"conversion": {
"strategy": "None"
}
},
"status": {
"conditions": [
{
"type": "NamesAccepted",
"status": "True",
"lastTransitionTime": "2019-09-10T14:11:48Z",
"reason": "NoConflicts",
"message": "no conflicts found"
},
{
"type": "Established",
"status": "True",
"lastTransitionTime": null,
"reason": "InitialNamesAccepted",
"message": "the initial names have been accepted"
},
{
"type": "Terminating",
"status": "True",
"lastTransitionTime": "2019-09-12T22:26:20Z",
"reason": "InstanceDeletionCheck",
"message": "could not confirm zero CustomResources remaining: timed out waiting for the condition"
}
],
"acceptedNames": {
"plural": "accounts",
"singular": "account",
"shortNames": [
"acc"
],
"kind": "Account",
"listKind": "AccountList"
},
"storedVersions": [
"v1"
]
}
}
]
}
This leads me to believe I have correctly created the custom resource accounts. There are a number of examples that don't seem to be quite right and I cannot find my resource in the Kubernetes REST api. I can use with my custom resource from kubectl but I need to expose it with RESTful APIs.
https://localhost:6443/apis/stable.example.com/v1/namespaces/default/accounts
returns
404 page not found
Where as:
https://localhost:6443/apis/apiextensions.k8s.io/v1beta1/apis/stable.ibm.com/namespaces/default/accounts
returns
{
"kind": "Status",
"apiVersion": "v1",
"metadata": {},
"status": "Failure",
"message": "the server could not find the requested resource",
"reason": "NotFound",
"details": {},
"code": 404
}
I have looked at https://docs.okd.io/latest/admin_guide/custom_resource_definitions.html and https://kubernetes.io/docs/tasks/access-kubernetes-api/custom-resources/custom-resource-definitions/
The exact URL would be appreciated.
This is a quite decent way retrieving K8s REST API resource executing kubectl get command on some top debugging levels, like #Suresh Vishnoi mentioned in the comment:
kubectl get <api-resource> -v=8
Apparently, eventually checked by #Amit Kumar Gupta, the correct URL accessing custom resource as per your CRD json output is the following:
https://<API_server>:port/apis/stable.ibm.com/v1/namespaces/default/accounts
Depending on the authentication method you may choose: X509 Client Certs, Static Token File, Bearer Token or HTTP API proxy in order to authenticate user requests against Kubernetes API.