How to disable Cognito user signups via CloudFormation? - aws-cloudformation

How can I select the "Only allow administrators to create users" value via CloudFormation on the AWS::Cognito::UserPool resource, or through some other method?

You can set this via AllowAdminCreateUserOnly. Once that is set, under General settings - Policies, "Only allow administrators to create users" should be checked.
```yaml
CognitoPool:
  Type: AWS::Cognito::UserPool
  Properties:
    UserPoolName: TestPool
    AdminCreateUserConfig:
      AllowAdminCreateUserOnly: True
```
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-admincreateuserconfig.html
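As an added check written for this page (not part of the answer above and not AWS tooling), the Python below walks a CloudFormation template in its JSON form and reports every AWS::Cognito::UserPool that does not set AdminCreateUserConfig.AllowAdminCreateUserOnly to true; the template and its resource names are constructed for the example.

```python
import json

# Constructed sample template (JSON form): one pool restricted to
# admin-created users, one pool left at the default (self sign-up allowed).
SAMPLE_TEMPLATE = json.dumps({
    "Resources": {
        "CognitoPool": {
            "Type": "AWS::Cognito::UserPool",
            "Properties": {
                "UserPoolName": "TestPool",
                "AdminCreateUserConfig": {"AllowAdminCreateUserOnly": True},
            },
        },
        "OpenPool": {
            "Type": "AWS::Cognito::UserPool",
            "Properties": {"UserPoolName": "OpenPool"},
        },
        "Bucket": {"Type": "AWS::S3::Bucket"},
    }
})


def is_true(value) -> bool:
    """CloudFormation accepts booleans either as JSON true/false or as the
    strings "true"/"false", so normalise both forms before comparing."""
    return str(value).strip().lower() == "true"


def pools_allowing_self_signup(template_json: str) -> list[str]:
    """Return the logical IDs of AWS::Cognito::UserPool resources whose
    AdminCreateUserConfig.AllowAdminCreateUserOnly is not true. The property
    defaults to false, so a pool with no AdminCreateUserConfig is reported too."""
    template = json.loads(template_json)
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::Cognito::UserPool":
            continue
        config = resource.get("Properties", {}).get("AdminCreateUserConfig", {})
        if not is_true(config.get("AllowAdminCreateUserOnly")):
            findings.append(logical_id)
    return findings


if __name__ == "__main__":
    for pool in pools_allowing_self_signup(SAMPLE_TEMPLATE):
        print(f"{pool}: self sign-up allowed; set "
              "AdminCreateUserConfig.AllowAdminCreateUserOnly to true")
```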

Related

Grafana OAuth with Keycloak

I am using helm charts. During the deploy process, I override values as below:
```yaml
auth.generic_oauth: # for SSO
  groups_attribute_path: contains(groups[*], 'GrafanaAdmins') && 'Admin' || 'Viewer'
  enabled: true
  name: Keycloak
  allow_sign_up: false
  client_id: grafana
  client_secret: CLIENT_SECRET
  scopes: openid,email,profile,groups
  team_ids:
  allowed_organizations:
  auth_url: AUTH_URL
  token_url: TOKEN_URL
  api_url: API_URL
  tls_skip_verify_insecure: true
```
In Keycloak, I create a client, a client scope, a group mapper in the client scope, a group, and assign the GrafanaAdmins group to a user.
What I want to achieve is to be able to login to Grafana with a user defined in Keycloak that is also assigned the GrafanaAdmins group.
What I have is this error:
```
t=2021-12-27T13:32:18+0000 lvl=warn msg="Not allowing oauth_generic_oauth login, user not found in internal user database and allow signup = false"
t=2021-12-27T13:32:18+0000 lvl=eror msg="invalid username or password" logger=context userId=0 orgId=0 uname=
```
I don't want to sign up new users, nor do I want to use an additional database. It should use Keycloak.
Grafana documentation is not very descriptive and it is hard to get around it.
You have a few problems:
Grafana documentation is clear:
Groups mapping: Available in Grafana Enterprise v8.1 and later versions.
You are using Grafana 7.1.5 and I guess also free OSS Grafana (not a paid enterprise version, where a license is required), so group mapping (config groups_attribute_path) is not possible in your case.
You are also mixing Grafana role mapping (role_attribute_path) with Grafana group mapping (groups_attribute_path). Please note role != group. So I guess you wanted:
role_attribute_path: contains(groups[*], 'GrafanaAdmins') && 'Admin' || 'Viewer'
instead of:
groups_attribute_path: contains(groups[*], 'GrafanaAdmins') && 'Admin' || 'Viewer'
Grafana creates internal users, based on the OIDC response, so you want to sign up new users in auth.generic_oauth section:
allow_sign_up: true
I bet your scopes config has the wrong syntax and it should be:
scopes: openid email profile groups
Generally, you are using groups in Keycloak to map roles in Grafana. It is possible, but better logic would be to use roles in Keycloak to map roles in Grafana. Keycloak and Grafana both have the concepts of roles and groups, and it is up to you how you use them for your users. I would start with the basic roles concept first.
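As an added check written for this page (not Grafana's tooling and not the answerer's code), the Python below reads the [auth.generic_oauth] section in grafana.ini form, which is what the Helm values above render to, and flags the points the answer raises. It also flags tls_skip_verify_insecure, which the answer does not mention but which turns off certificate checking toward the identity provider; both ini texts are constructed from the question's values.

```python
import configparser

# Constructed from the question's Helm values, rendered as a grafana.ini
# section so the standard-library ini parser can read it.
SAMPLE_INI = """
[auth.generic_oauth]
enabled = true
allow_sign_up = false
scopes = openid,email,profile,groups
groups_attribute_path = contains(groups[*], 'GrafanaAdmins') && 'Admin' || 'Viewer'
tls_skip_verify_insecure = true
"""

# The same section with the answer's corrections applied (and TLS checking on).
FIXED_INI = """
[auth.generic_oauth]
enabled = true
allow_sign_up = true
scopes = openid email profile groups
role_attribute_path = contains(groups[*], 'GrafanaAdmins') && 'Admin' || 'Viewer'
tls_skip_verify_insecure = false
"""


def lint_generic_oauth(ini_text: str) -> list[str]:
    """Return one finding per problem; an empty list means the section is clean."""
    cfg = configparser.ConfigParser(interpolation=None)  # no % substitution in values
    cfg.read_string(ini_text)
    sec = cfg["auth.generic_oauth"]
    findings = []
    if "," in sec.get("scopes", ""):
        findings.append("scopes: separate scopes with spaces, not commas")
    if sec.get("groups_attribute_path"):
        findings.append("groups_attribute_path: Grafana Enterprise only; "
                        "a JMESPath role mapping belongs in role_attribute_path")
    if not sec.get("role_attribute_path"):
        findings.append("role_attribute_path: unset, so OAuth users fall back "
                        "to the auto_assign_org_role default")
    if not sec.getboolean("allow_sign_up", fallback=False):
        findings.append("allow_sign_up: false rejects first-time OIDC users "
                        "(the 'user not found ... allow signup = false' warning)")
    if sec.getboolean("tls_skip_verify_insecure", fallback=False):
        findings.append("tls_skip_verify_insecure: true disables TLS certificate "
                        "verification towards the identity provider")
    return findings
```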

How can we assign a permission to all users in Keycloak Authorization Services policies?

I would like to create an all-users policy in Keycloak:
How can I specify that this policy is for all users?
Using '*' didn't work.
How can I specify that this policy is for all users? Using '*' didn't work.
Having a policy for all users is kind of unusual, I would say.
Nonetheless, you can try to create a default realm role, so all users will get that role, and then create a policy based on that role.

Is it possible to configure user in realm with rights to read/modify roles and users

Is it possible to configure a Keycloak realm (but not the master realm) to give users access to the admin API?
I want to be able, as a Keycloak user, to configure other users' roles/scopes etc.
It will be done from a frontend service, so it cannot be done using a service account.
Is it possible to configure in keycloak realm (but not in a master realm) to give users access to admin api.
Yes, for that you need to:
(Old Keycloak UI)
Go to the target Realm;
Go to users and click on the user to add the roles;
Switch to the tab Role Mappings
On the Client Roles dropdown menu select realm-management and assign the roles accordingly.
(New Keycloak UI)
Go to the target Realm;
Go to users and click on the user to add the roles;
Click on Assign role
In Search by role name type the desired role
Select the role and assign it

Is it possible to assign a 'Queue Build' permission to a service principal?

...subj.
I mean 'Service Principal' = security identity used by user-created apps, services, and automation tools to access specific Azure resources. = 'User identity' (login and password or certificate) with a specific role, and tightly controlled permissions to access resources.
Thanks!
Is it possible to assign a 'Queue Build' permission to a service principal?
Azure DevOps provides the most common built-in security groups: Readers, Contributors, and Project Administrators.
We could check and set the Default permissions for those groups:
If your service principal requires more granular permissions settings, we could go to the Permissions of the pipeline:
We could add the user to one of the default groups and set the permissions for that group. We could even create a custom group for the service principal: Go to Project settings -> Permissions -> Groups -> New Group:
Hope this helps.

Keycloak authorization services don't deny scopes in resource

I am testing Keycloak authorization services in the admin console and I'm unable to understand why, in the following example, Keycloak is authorizing a user (tested in the Evaluate tab). This is my setup:
Created a realm test
Created a client democlient with Authorization Enabled on
Create the realm role Admin
Create the user adminuser and assign it to the Admin role
In the Authorization tab within the client democlient:
In Settings -> Policy Enforcement Mode is set to Enforcing
Create 2 scopes: list and save
Create a resource Resource A with the 2 previous scopes
In the Policies tab, create a new Role policy called Only admins where (of course) I only permit admins:
In Permissions tab, created a Scoped-based permission called permit only admins Resource A, list Scope:
And that's it. Now I check this policy in the Evaluate tab using the adminuser, role Admin, Resource A, Scope list:
Success! Everything is fine in the world!... except no.
Checking the policy again with the adminuser, role Admin, Resource A, Scope save (a scope where I did not define any permission), Keycloak is again authorizing this request :/
I assumed that a policy enforcement mode set to Enforcing would deny access to the save scope. From the Keycloak documentation:
The policy enforcement mode dictates how policies are enforced when evaluating authorization requests. 'Enforcing' means requests are denied by default even when there is no policy associated with a given resource. 'Permissive' means requests are allowed even when there is no policy associated with a given resource. 'Disabled' completely disables the evaluation of policies and allows access to any resource.
So... what am I doing wrong? How can I make Keycloak deny access to the save scope? (Obviously I can create a permission where I explicitly deny this scope, but I want the default to be deny, as the documentation says.)
Any ideas will be deeply appreciated.
I have found the Jira issue that references this problem. It's clearly a bug:
https://issues.redhat.com/browse/KEYCLOAK-9483
There is a patch that will come with Keycloak version 9.0:
https://issues.redhat.com/browse/KEYCLOAK-12438.
So we just need to wait for this release.
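As an added example written for this page (not Keycloak's code), the Python below models the documented semantics quoted in the question: a scope-based permission backed by a role policy, evaluated under each policy enforcement mode, using the question's democlient setup. Under these semantics the uncovered save scope is denied in Enforcing mode and allowed in Permissive mode; the Keycloak versions discussed above granted it in both, which is the bug the answer points to. Treatment of a scope the resource does not define is the model's own assumption.

```python
from dataclasses import dataclass


@dataclass
class ScopePermission:
    name: str
    resource: str
    scopes: frozenset          # empty = applies to every scope of the resource
    required_roles: frozenset  # role policy: the user must hold one of these


@dataclass
class Realm:
    resources: dict            # resource name -> set of its scopes
    permissions: list
    enforcement_mode: str = "ENFORCING"   # ENFORCING | PERMISSIVE | DISABLED


def evaluate(realm: Realm, user_roles: set, resource: str, scope: str) -> str:
    """Return 'PERMIT' or 'DENY' for one (resource, scope) request."""
    if realm.enforcement_mode == "DISABLED":
        return "PERMIT"                       # policies are not evaluated at all
    if scope not in realm.resources.get(resource, set()):
        return "DENY"                         # model's assumption: undefined scope
    applicable = [p for p in realm.permissions
                  if p.resource == resource and (not p.scopes or scope in p.scopes)]
    if not applicable:
        # No permission covers this scope: the enforcement mode supplies the default.
        return "DENY" if realm.enforcement_mode == "ENFORCING" else "PERMIT"
    # Every applicable permission must grant (Keycloak's default decision
    # strategy for a resource server is Unanimous).
    granted = all(p.required_roles & user_roles for p in applicable)
    return "PERMIT" if granted else "DENY"


# Constructed from the question: Resource A with scopes list and save, and one
# scope-based permission 'permit only admins' on the list scope only.
DEMOCLIENT = Realm(
    resources={"Resource A": {"list", "save"}},
    permissions=[ScopePermission("permit only admins", "Resource A",
                                 frozenset({"list"}), frozenset({"Admin"}))],
)


def decisions(mode: str, roles: set) -> dict:
    """Evaluate both scopes of Resource A under the given enforcement mode."""
    realm = Realm(DEMOCLIENT.resources, DEMOCLIENT.permissions, mode)
    return {s: evaluate(realm, roles, "Resource A", s) for s in ("list", "save")}
```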