Is it possible for ldap users to revoke/renew/copy the root token in Hashicorp Vault? - hashicorp-vault

I have recently started using Vault and am trying to integrate it with one of my applications to hold secrets. I have set up LDAP authentication for my users to access Vault and create/access secrets. BUT after logging in successfully, at the top right there are the options Copy token, Renew token and Revoke token.
Is it right for these users to access the root token? Is there a way to disable that feature?
I just want my users to access/create secrets that's it and nothing else.

If you're logged in with LDAP, then those options don't apply to the root token, they apply to the user-login-session token. All authentication with Vault uses tokens, not just the root one. Whenever someone logs in with LDAP, they will be issued a new token - that's the token that the menu refers to.
You can see this for yourself - assuming you already have a valid root token, log in with LDAP, then select Revoke token from that menu. Now try doing something with that root token (e.g., log in to the web UI or run a CLI command). You'll see that it still works - it has not been revoked.
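The check described in the answer above, as an added example (not code from the answer or from HashiCorp): it logs in through Vault's LDAP auth method over the HTTP API, revokes that session token the same way the UI's Revoke token menu does, and then confirms the root token still answers lookup-self. The Vault address, root token and LDAP credentials are assumed to come from environment variables; the auth method is assumed to be mounted at the default path auth/ldap.

```python
import json
import os
import urllib.error
import urllib.request

def vault_http(addr):
    """Build a transport over Vault's HTTP API: send(method, path, token, body)."""
    def send(method, path, token=None, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(f"{addr}/v1/{path}", data=data, method=method)
        req.add_header("Content-Type", "application/json")
        if token:
            req.add_header("X-Vault-Token", token)  # Vault reads the token from this header
        try:
            with urllib.request.urlopen(req) as resp:
                raw = resp.read()  # revoke-self answers 204 with an empty body
                return resp.status, (json.loads(raw) if raw else {})
        except urllib.error.HTTPError as err:
            return err.code, {}  # 403 = token invalid or revoked
    return send

def ldap_login(send, user, password):
    """POST auth/ldap/login/<user>: Vault mints a fresh session token for this login."""
    status, doc = send("POST", f"auth/ldap/login/{user}", body={"password": password})
    if status != 200:
        raise RuntimeError(f"LDAP login failed: HTTP {status}")
    return doc["auth"]["client_token"]

def token_is_valid(send, token):
    """lookup-self succeeds only while the token exists; it returns 403 once revoked."""
    status, _ = send("GET", "auth/token/lookup-self", token=token)
    return status == 200

def revoke_self(send, token):
    """The same call the UI's 'Revoke token' menu makes for the logged-in session."""
    send("POST", "auth/token/revoke-self", token=token)

def root_survives_session_revoke(send, root_token, user, password):
    """Revoke the LDAP session token and report whether the root token is unaffected."""
    session = ldap_login(send, user, password)
    revoke_self(send, session)
    return token_is_valid(send, root_token) and not token_is_valid(send, session)

if __name__ == "__main__":
    # Assumed environment: VAULT_ADDR, VAULT_TOKEN (root), LDAP_USER, LDAP_PASS.
    send = vault_http(os.environ.get("VAULT_ADDR", "http://127.0.0.1:8200"))
    print("root token unaffected by revoking the LDAP session token:",
          root_survives_session_revoke(send, os.environ["VAULT_TOKEN"],
                                       os.environ["LDAP_USER"], os.environ["LDAP_PASS"]))
```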

Related

PAT Token isn't working on 2019 OnPrem Azure DevOps

I am having an issue getting my OnPrem Azure DevOps 2019 Server to allow things to authenticate to it with Personal Access Tokens (PAT). No matter what I do, I get "Failed to authenticate using the supplied token."
How I am creating my token:
Log into my OnPrem devops site
Go to my user profile icon in the top right, click Security, click Personal access tokens, click New Token
In Create new personal access token, for some reason the organization (collection) I want to use is not listed. I am seeing an old XML based collection but not my new Inheritance based collection; why doesn't the newer format collection show up? My user account is an admin account, you'd think it would be here?
If I create a PAT token for the old XML based collection and give it full access plus a 90 day expiration it creates it fine
Now I have a PAT token based off the old XML based collection, but that still doesn't work. If I run the az CLI I get this:
AZ DEVOPS LOGIN --organization https://tfs.mydomain.com/OldXmlCollection --verbose
Token: {paste in token}
Creating connection with personal access token.
Failed to authenticate using the supplied token.
Command ran in 6.385 seconds (init: 0.167, invoke 6.12)
I also have the same problem if I try to set up a build agent using a PAT token. Fails every time, but if I change to negotiate auth it works immediately.
On the IIS end, on the server the service is running on, the authentication is set up as: Anonymous Authentication: Enabled, ASP.NET Impersonation: Disabled, Basic Authentication: Enabled, Digest and Forms: Disabled, and Windows Authentication: Enabled.
Any ideas what I am doing wrong, what to look at?
You could try to disable IIS Basic Authentication.
That's because when IIS Basic Authentication is enabled on your Windows machine, it prevents you from using personal access tokens (PATs) as an authentication mechanism.
Please check the document "Enabling IIS Basic Authentication invalidates using Personal Access Tokens" for some more details.
What it turned out to be is a missing ACL in the file system. The service account that is running TFS needs to have write permission to the machine keys folder at %ProgramData%\Microsoft\Crypto\RSA\MachineKeys
Why in the world is the installer not setting this permission? PAT will not work until this is set

Where can I manage GitHub's tokens for VSCode?

I connected to GitHub from VS Code. From what I saw, it generated an OAuth2 token with vscode-auth.github.com
Now, I would like to know:
How can I disable this token from github.com (it doesn't show up in https://github.com/settings/developers)?
How can I delete this token from my VS Code installation?
How does it work on remote sessions? It looks like magic, but I would also need to clean the keys from my remote server.
The applications which are authorized by OAuth are listed at https://github.com/settings/applications under the Authorized OAuth Apps tab, and from there one can revoke the authorization.

Why Azure DevOps PAT is expiring so quickly?

I built a project that uses a PAT (Personal Access Token) generated by a user to connect to the Azure DevOps REST API and get some data about a project and its commits, etc.
It happened to me twice now that the request returns with:
Access Denied: The Personal Access Token used has expired
Even though the token has not expired yet; it was created two days ago.
Is there any limitation on using this REST API which, if exceeded, will expire my token automatically?
First, you need to check with the user if the PAT has expired, because Expiration can be customized.
If the PAT confirms that it has not expired, you can try to re-create a new PAT, select All accessible organizations and Full access scope, revoke the previous PAT, and see if the new PAT is available.
In this case with the similar issue, a contributor provided a solution: the user was able to fix it by signing out and back in. This seemed to refresh the auth token and unblocked them. You can also try it.

How is kubectl authorized?

I have been confused for a long time about how the user of kubectl is authorized. I bootstrapped a k8s cluster from scratch and use 'RBAC' as the authorization mode. The user kubectl uses is authenticated by certificate first, then it should be authorized by RBAC when accessing the api-server. I did nothing about granting permissions to the user; however, it is allowed to access all the APIs (creating a pod or listing pods).
Kubernetes has no built-in user management system. It expects you to implement that part on your own. In this sense, a common way to implement user auth is to create a certificate signing request and have it signed by the cluster certificate authority. By reading that newly generated certificate, the cluster will extract the username and the groups it belongs to. Then, after that, it will apply the RBAC policies you implemented. In this sense, if the user can access everything, then it can be one of the following:
You are still using the admin user account instead of the newly created user account.
The user account you created belongs to an admin group.
You did not enable RBAC correctly
This guide should help you with an easy example of user auth in Kubernetes: https://docs.bitnami.com/kubernetes/how-to/configure-rbac-in-your-kubernetes-cluster/

Using AAD for client auth still requires cert

I've created a new cluster with AAD for client auth using ARM by following the document linked to below. The cluster deployed and my app works fine but my browser is still asking me to select an X.509 certificate when I attempt to use the SF Explorer at: https://mycluster.northcentralus.cloudapp.azure.com:19080/Explorer
I thought when I hooked up Azure AD that the client cert would no longer be needed. Note that I do see that the SF Explorer displays my name in the upper right (with a logout option), indicating to me it's using AAD.
So, what's up with this? Any ideas?
https://azure.microsoft.com/en-us/documentation/articles/service-fabric-cluster-creation-via-arm/
That happens if there's an issue with AAD authentication - the cluster will fall back to certificate authentication.
If SF Explorer isn't redirecting to an AAD login page at all, then double-check that the web application reply URL in the AAD cluster application matches the SF Explorer URL.
If the re-direction is happening and AAD login was successful, then double-check that the AAD cluster application has the expected user roles and that your user has been assigned a role.