I create 2 db, and one user per db, but user 2 can insert in db1?
use shop
db.createUser({user: "appdev",pwd:"appdev", roles:["readWrite"]})
db.auth("appdev","appdev")
show collections
db.products.insertOne({name: "A book for appdev"})
db.logout()
use shop2
db.createUser({user: "appdev2",pwd:"appdev2", roles:["readWrite"]})
db.auth("appdev2","appdev2")
show collections
db.products.insertOne({name: "A book for appdev2"})
Here, I still logged as appdev2 and can insert on db shop.
use shop
db.products.insertOne({name:"i-am-appdev2"})
{
"acknowledged" : true,
"insertedId" : ObjectId("5d8fdba878f7555a2060f1ec")
}
If your transcript is accurate, it looks like like either:
You haven't enabled access control by setting security.authorization to true in your mongod config or starting mongod with --auth.
You are logged in as a more privileged user (since you are able to run db.createUser() in the same session).
To investigate these possibilities in the mongo shell:
Make sure authorization is enabled via the output of db.serverCmdLineOpts(). If access control is enabled, the output of the parsed server configuration options should include a section like:
"security" : {
"authorization" : "enabled"
},
Check users & roles for the current session via db.runCommand({connectionStatus:1}). As noted in Authenticate a User:
Authenticating multiple times as different users does not drop the credentials of previously-authenticated users. This may lead to a connection having more permissions than intended by the user, and causes operations within a logical session to raise an error.
Access control is a separate option from configuring Role-Based Access Control (RBAC) to allow for scenarios like resetting admin access. Multiple concurrent logins provide additive permissions, but are mostly a legacy carryover from more simplistic versions of access control in earlier versions of MongoDB.
For more information on available security measures, see the Security Checklist in the MongoDB manual.
From the documentation I couldn't find anything related to privilege settings and configurations required for SQLServer Producer.
What should be the grants and privileges given to SQL user in order to have CodeFluent Entities to generate all the objets (table, procedures and so on)?
Thanks for your answer.
To generate the model, the SQL user needs to have the serveradmin server role (or above: sysadmin). This server role is needed to run the project_runtime.sql script (sp_addmessage).
The rest of the scripts are DELETE, ALTER, UPDATE, INSERT, SELECT. You can view the SQL roles here:
http://msdn.microsoft.com/en-us/library/ms189121.aspx
http://msdn.microsoft.com/en-us/library/ms189612.aspx
If you need to setup specific restrictions, you could run the project_runtime.sql manually (with a high server role), and let the user do the rest.
Also, you can configure the SQL Producer to not generate the sp_addmessage, because it's not mandatory to run the application. Set Add Runtime Messages=False
Regards,
I try to run some tasks with different users on 1 server.
The possible solution was to create additional roles like
role :root, %w{root#ip}
It works but if I run
cap stage deploy
it fails, as some default tasks are run on root role too , though I need this role for my tasks only.
It there a way to define a role so that default deploy task won't run on this role?
I know this question is old but I found it while Googling the problem so I'll answer for anyone else who finds this question.
To keep something out of release add no_release: true as an option. So in your example define the root role like this:
role :root, %w{root#ip}, no_release: true
I'm using the github oauth plugin for our logins but for all of our users in the Organisation I get an error:
Access Denied
<user> is missing the Overall/Read permission
I have tried everything I can possibly think of to try to make this work and I'm probably going to fallback to making everyone an admin user, which i would prefer not to do.
Any advise would be appreciated.
This is how I resolved the authentication problem:
Edit config.xml file, e.g.
sudo vi /var/lib/jenkins/config.xml
Change useSecurity element's value to false, e.g.
<useSecurity>false</useSecurity>
Remove authorizationStrategy block
Restart Jenkins: /etc/init.d/jenkins restart.
Access Jenkins through URL as usual and reconfigure security again.
I had the same problem with "... is missing the Overall/Read permission" on Jenkins (1.651.2) with activated Credentials Plugin.
But it was my own failure: I only configured the user on project side (by credential plugin) but missed to configure the global security.
So I fixed it by selecting:
Jenkins -> Manage Jenkins -> Configure Global Security
And did setup missing global settings (or project matrix based one)
Have you followed this step, from the plugin page?
Control user authorization (i.e. who is allowed to see the jobs and build them) using the Github Commiter Authorization Strategy
Also, make sure you actually allow authenticated users to access Jenkins
Under Jenkins global configuration, under Authorization, add user/group called authenticated
Give that group Overall Read permission
The group should show up with a "group" icon (two users), as opposed to single user icon.
reset from <useSecurity>true</useSecurity> to <useSecurity>false</useSecurity> in config.xml and set the permission again.
Edit file /var/lib/jenkins/config.xml and add the following lines :
<authorizationStrategy class="hudson.security.ProjectMatrixAuthorizationStrategy">
<permission>hudson.model.Hudson.Read:john.smith</permission>
</authorizationStrategy>
Restart Jenkins
What I did when I got this error is to edit config.xml as mentionned by other users and correctly re-add my username in LOWERCASE in "configureSecurity" Jenkins' page. I was using "KrustyHack" when adding permissions but it didn't work. I had to add "krustyhack" instead, and it worked.
I hope it helps.
I had the same problem here, but it affected only some users, not all of them. Anyway, you should check public organization membership : documentation of the plugin states that "You have to be a public member of the organization for the authorization to work correctly." (https://wiki.jenkins-ci.org/display/JENKINS/Github+OAuth+Plugin).
Follow instructions from GitHub (https://help.github.com/articles/publicizing-or-hiding-organization-membership/) in order to make organization membership public, and this might fix your issue.
Also check the case user names in the authorizationStrategy element. I made my new user's name lower case and restarted the service and it the error went away.
Fix it by these 2 shell commands on the server (sudo permission is required):
sudo ex +g/useSecurity/d +g/authorizationStrategy/d -scwq /var/lib/jenkins/config.xml
sudo /etc/init.d/jenkins restart
This will remove useSecurity and authorizationStrategy lines from your config file.
See also: Disable security at Jenkins website
We hit this same error when a github organization administrator changed the organization's settings for "Third-party access" to "restrict third-party application access". Reverting to the previous settings within the github organization resolved the problem.
See github oauth-app-access-restrictions for details on how to configure that properly.
The assignment of roles to users is stored in config.xml file. Add the ID of the user directly to the role and then restart Jenkins.
In my case, I have a role named editor and a bunch of users assigned to the role.
<role name="editor" pattern=".*">
<permissions>
<...>
<permission>hudson.model.Item.Create</permission>
<permission>hudson.model.Item.Workspace</permission>
<permission>...</permission>
</permissions>
<assignedSIDs>
<sid>bob</sid>
<sid>alice</sid>
<sid>**newuser**</sid>
</assignedSIDs>
</role>
The matrix security is not terribly clear. I am a member of a specific group in our org that has admin privileges however I am also an authenticated user. I would think that the one group super-cedes the other however I have to have both in order to actually log into the system and be admin. It's screwed up IMO.
go to your-jenkins-host:port/role-strategy/assign-roles and configure roles for the user
I had the same problem before,
your OAuth application need your organization owner's approve,
then the OAuth Plugin can access the private data in it
I am using Crowd 2 plugin and I have the same problem.
I fixed it by downgrading OWASP Markup Formatter Plugin from varsion 1.2 to version 1.1 and then changing Markup Formatter in Configure Global Security value to Raw HTML, before it was Plain text.
I had exactly the same problem and adding the plugin Role Strategy Plugin fixed the problem.
All I had to do was install the plugin, create two groups - admin / developer and then add users to the groups.
A much much better solution than recreating the whole permissions matrix :)
I had a similar problem I was not able access Jenkin account and the system was locked.
I had only an error message. "Access Denied "
When I tried to reinstall Jenkins then it prompted to Repair option.
By clicking Repair option it fixed the problem.
Go to $JENKINS_HOME (linux, jenkins in windows), and find config.xml file.
Open this file in the editor. (take backup of .jenkins home)
Look for the <useSecurity>true</useSecurity> element in this file.
Replace "true" with "false"
Remove the elements authorizationStrategy and securityRealm
Start Jenkins
I found it in
C:\ProgramData\Jenkins\.jenkins
Jenkins Version: 2.319.2
Instead of removing all security (the top answer), Add admin access as root, to the user you want to give admin to. We had the same issue where all admins were no longer with the company. This is how I resolved the authentication problem: I logged into:
jenkins#<jenkins server>:/var/lib/jenkins/
Edit config.xml file, and add a config for
<permission>hudson.model.Hudson.Administer:<username></permission>
Then restart Jenkins:
root#<jenkins server>:/$ /etc/init.d/jenkins restart
Just use Jenkins > Configure Global Security bottom page matrix to provide permissions to the user (start w/ read)
I edited the /var/lib/jenkins/config.xml file and replaced the
<authorizationStrategy>...</authorizationStrategy>
with
<authorizationStrategy class="hudson.security.FullControlOnceLoggedInAuthorizationStrategy">
<denyAnonymousReadAccess>true</denyAnonymousReadAccess>
</authorizationStrategy>
It is the default settings after installation. Then restart the jenkins service.
If I understand correctly the standard git deploy implementation with capistrano v3 deploys the same repository on all roles. I have a more difficult app that has several types of servers and each type has its own code base with its own repository. My database server for example does not need to deploy any code.
How do I tackle such a problem in capistrano v3?
Should I write my own deployment tasks for each of the roles?
How do I tackle such a problem in capistrano v3?
All servers get the code, as in certain environments the code is needed to perform some actions. For example in a typical setup the web server needs your static assets, the app server needs your code to serve the app, and the db server needs your code to run migrations.
If that's not true in your environment and you don't want the code on the servers in some roles, you could easily send a pull request to add the no_release feature back from Cap2 in to Cap3.
You can of course take the .rake files out of the Gem, and load those in your Capfile, which is a perfectly valid way to use the tool, and modify them for your own needs.
The general approach is that if you don't need code on your DB server, for example, why is it listed in your deployment file?
I can confirm you can use no_release: true to disable a server from deploying the repository code.
I needed to do this so I could specifically run a restart task for a different server.
Be sure to give your server a role so that you can target it. There is a handy function called release_roles() you can use to target servers that have your repository code.
Then you can separate any tasks (like my restart) to be independent from the deploy procedure.
For Example:
server '10.10.10.10', port: 22, user: 'deploy', roles: %w{web app db assets}
server '10.10.10.20', port: 22, user: 'deploy', roles: %w{frontend}, no_release: true
namespace :nginx do
desc 'Reloading PHP will clear OpCache. Remove Nginx Cache files to force regeneration.'
task :reload do
on roles(:frontend) do
execute "sudo /usr/sbin/service php7.1-fpm reload"
execute "sudo /usr/bin/find /var/run/nginx-cache -type f -delete"
end
end
end
after 'deploy:finished', 'nginx:reload'
after 'deploy:rollback', 'nginx:reload'
# Example of a task for release_roles() only
desc 'Update composer'
task :update do
on release_roles(:all) do
execute "cd #{release_path} && composer update"
end
end
before 'deploy:publishing', 'composer:update'
I can think of many scenarios where this would come in handy.
FYI, this link has more useful examples:
https://capistranorb.com/documentation/advanced-features/property-filtering/