I tried to invite a user to my IBM Cloud account by the REST API.
The user is successfully registered but its status didn't become Active, so that he can't use the account in my IBM CLoud account env.
How can I make the user status Active? When I invited a user by ibmcloud cli, the user is registered and becomes Active immediately without any additional operation.
Has anyone invited a user to IBM Cloud account and succeeded?
I ran the REST API and invited a user to my IBM CLoud account.
I got the response from the REST API.
{"resources":[{"id":"xxxx","email":"myuser#ibm.com","state":"PROCESSING"}]}
I checked the user status many times over 4 hours but its status remains PENDING. it didn't become Active.
"state": "PENDING",
I checked by ibmcloud cli. Then the status remains PENDING.
$ ibmcloud account users
Getting users under account $MYACCOUNT...
OK
User ID State Role
myuser#ibm.com PENDING MEMBER
user1#jp.ibm.com ACTIVE PRIMARY_OWNER
user2#jp.ibm.com ACTIVE MEMBER
Invite a user by the REST API
curl -X POST \
https://user-management.cloud.ibm.com/v2/accounts/&MYACCOUNT/users \
-H 'Authorization: Bearer $TOKEN' \
-H 'Content-Type: application/json' \
-d '{
"users": [
{
"email": "myuser#ibm.com",
"account_role": "Member"
}],
"iam_policy": [
{
"roles": [
{
"id": "crn:v1:bluemix:public:iam::::role:Viewer"
}]
}]
}'
CHecked the user status
{
"id": "xxxx142ad70df5fd5a1f72",
"iam_id": "BSS-xxxxad70df5fd5a1f72",
"realm": "BSS",
"user_id": "myuser#ibm.com",
"firstname": "",
"lastname": "",
"state": "PENDING",
"email": "myuser#ibm.com",
"phonenumber": "",
"altphonenumber": "",
"photo": "",
"account_id": "$MYACCOUNT"
},
When I invited a user via the ibmcloud CLI, a user becomes ACTIVE immediately. How can I do the same operation by the API?
Related
I am working on a colab project with google cloud bucket. At first, I use my own Gmail account A, but I notice that I need a google service account for some operations. So I activate a service account B and I successfully log in with this service account.
But here are still a permission error:
tensorflow.python.framework.errors_impl.PermissionDeniedError: Error executing an HTTP request: HTTP response code 403 with body '{
"error": {
"code": 403,
"message": "gmailaccountA#gmail.com does not have storage.objects.list access to the Google Cloud Storage bucket.",
"errors": [
{
"message": "gmailaccountA#gmail.com does not have storage.objects.list access to the Google Cloud Storage bucket.",
"domain": "global",
"reason": "forbidden"
}
]
}
}
When I double check and run the "gcloud auth list", I get two active accounts, one is my gmail account A and one is my service account B. How could I make sure I am using the service account?
In order to set the account you want to use you can first list them to check the ones available using
gcloud auth list
and to set the chosen one use:
gcloud config set account ACCOUNT
You can read more about the gcloud config set command and its properties here
I have an application written in PHP that exposes a REST endpoint to allow a client to download a document stored in the application. One can also access this PHP system via a web browser and download a document when logged into the system.
When using the REST endpoint provided by this system for downloading documents, I expect a PDF or some other form, e.g. a link in the response. However, below is what it is in the response.
curl -X GET --header 'Accept: application/json' --header 'DOLAPIKEY: XXXXXXXXXX' 'http://dxxx.com.zw/api/index.php/documents/download?modulepart=order_supplier&original_file=000008'
Response
{
"filename": "000008",
"content-type": "application/octet-stream",
"filesize": 4096,
"content": "",
"encoding": "base64"
}
This response is not helpful. Nonetheless, I know for sure that if I am logged into this system, the internal links allows me to download the file. If I am not logged in, the system prompts for a username and password. This system provides a REST login endpoint, which is working and this is what it is returned.
{
"success": {
"code": 200,
"token": "XXXXXXXXXX",
"entity": "0",
"message": "Welcome doketera - This is your token (recorded for your user). You can use it to make any REST API call, or enter it into the DOLAPIKEY field to use the Dolibarr API explorer."
}
}
So my question then, is how do I use this information in the login response to emulate the same actions I would do on the web browser using the GET method in POSTMAN for example or within any other REST client . This is the internal link provided in the web browser.
http://dxxx.com.zw/document.php?modulepart=commande_fournisseur&file=000009%2F000009.pdf&entity=1
Is there way to create user-specific (aka. personal) access tokens in Keycloak?
So, our goal would be that a user creates one or more personal access tokens (like in GitHub or GitLab) and he/she uses these tokens for authentication.
Any idea how to achieve this using Keycloak?
Keycloak have no short size of personal API key
But you can use full size of JWT.
It is getting Access Token with password grant type.
This is demo
localhost:8180 – is a host and a port number on which the Keycloak server is running,
test – is a Keycloak Realm,
admin-cli – one of default client,
user: user name
1234: password
password : grand_type
The Grant Type is a way to exchange a user’s credentials for an access token.
$ curl -v -d "client_id=admin-cli" -d "username=user" -d "password=1234" -d "grant_type=password" -X POST "http://localhost:8180/auth/realms/test/protocol/openid-connect/token" | jq '.access_token'
result in terminal
"eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJ6Q0hvYVhPX2hqbXFRTnNYOVlacnhkZmpUdk1sbWozUFNkSXpTWUJjMzRFIn0.eyJleHAiOjE2NjAzMzU4ODIsImlhdCI6MTY2MDMzNTU4MiwianRpIjoiYmFkMmFlNjktMWNiYS00NGMyLWEyZDctYzdhOWQ5YjQ4OGI4IiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo4MTgwL2F1dGgvcmVhbG1zL3Rlc3QiLCJzdWIiOiIzOTRiNjcwOS0zOGEyLTRhYTAtYTg0OS1mZTRjODFlNDA2MjQiLCJ0eXAiOiJCZWFyZXIiLCJhenAiOiJhZG1pbi1jbGkiLCJzZXNzaW9uX3N0YXRlIjoiZGM5YjI1YzEtOTRlMy00MTlhLTliOGQtMjYwZTVkMmY3MzcxIiwiYWNyIjoiMSIsInNjb3BlIjoicHJvZmlsZSBlbWFpbCIsInNpZCI6ImRjOWIyNWMxLTk0ZTMtNDE5YS05YjhkLTI2MGU1ZDJmNzM3MSIsImVtYWlsX3ZlcmlmaWVkIjpmYWxzZSwibmFtZSI6IlRvbSBDdXJpZXMiLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJ1c2VyIiwiZ2l2ZW5fbmFtZSI6IlRvbSIsImZhbWlseV9uYW1lIjoiQ3VyaWVzIiwiZW1haWwiOiJ1c2VyQHRlc3QuY29tIn0.Gnx6WwpsUxQM990H89BBYi_Kiy3BdAQcCYFRknDJ9qpkGAZSYrAAjjEeEBA5ZXKIUzu0O2trly0iWVW1r4Lb5ihiqSva1BaR42v5WWXHL9gpeS-ttsoKP6N1x74msHXssRmjN5vZG_dwXF-gpKhhJmXI0fLW3-_uuH3LZ9Ar-4zNliVLjJGmePtzq74nn7WbwhggiWDQu2_mQFBnf9vJvcxn6jY9TX5oxppn4BNcvXrChAZyDXLt7RW32ud3p1Cs7Jn360Vg6cRo4wq7-Mams8hhnonhDEaakJtcin7gLK6jwFC7f2ND8banDYL3CEsem4HpmxSRX43UBhfyO64Z8A"
API call for getting user information with this access_token
$ curl --location --request GET 'http://localhost:8180/auth/realms/test/protocol/openid-connect/userinfo' --header 'Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJ6Q0hvYVhPX2hqbXFRTnNYOVlacnhkZmpUdk1sbWozUFNkSXpTWUJjMzRFIn0.eyJleHAiOjE2NjAzMzU4MjMsImlhdCI6MTY2MDMzNTUyMywianRpIjoiYjc3MjMzY2ItYTI2Zi00ZGNiLWJkZTktNjRiNzhiMmQzZTM2IiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo4MTgwL2F1dGgvcmVhbG1zL3Rlc3QiLCJzdWIiOiIzOTRiNjcwOS0zOGEyLTRhYTAtYTg0OS1mZTRjODFlNDA2MjQiLCJ0eXAiOiJCZWFyZXIiLCJhenAiOiJhZG1pbi1jbGkiLCJzZXNzaW9uX3N0YXRlIjoiNjg2Y2EyNDctMzZjYS00MTNiLWE4M2YtODUyZjJmNWY3YWVmIiwiYWNyIjoiMSIsInNjb3BlIjoicHJvZmlsZSBlbWFpbCIsInNpZCI6IjY4NmNhMjQ3LTM2Y2EtNDEzYi1hODNmLTg1MmYyZjVmN2FlZiIsImVtYWlsX3ZlcmlmaWVkIjpmYWxzZSwibmFtZSI6IlRvbSBDdXJpZXMiLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJ1c2VyIiwiZ2l2ZW5fbmFtZSI6IlRvbSIsImZhbWlseV9uYW1lIjoiQ3VyaWVzIiwiZW1haWwiOiJ1c2VyQHRlc3QuY29tIn0.KNioWAOTl7S5bYi303ZWkYRnTv4BnH9B7Q-Oe6j5nO5g_QD2RrWhMO1bUXA3uHdj5P3Y9Mk3vWYfsOlacVfYGmuYmGYhTD6LhbCILPf1r4qMBHUnAtPmWBUmLPNy1XQc-PPjVU6I0FzwW4-UoHCmrqgpDvSoarxf3PiUgwaYzPGm6IeAaHw-ndSO0vkhue2j2s8eVfiiH6TExkngq3zc8E1Y0WK3EM_LxcoDbfrRTNROYDqjK6Bi6_jIECjuRRC6E4ies1svMd8XGwS8iYuHB62hX7_rEBT4PmCwddjfE-IO6XoPy970gdWFUZfiRxbz1Orh-6SySVaeEPdskTGb2Q' | jq
result in terminal
{
"sub": "394b6709-38a2-4aa0-a849-fe4c81e40624",
"email_verified": false,
"name": "Tom Curies",
"preferred_username": "user",
"given_name": "Tom",
"family_name": "Curies",
"email": "user#test.com"
}
You can get the token end point by curl commend.
It is not necessary the access token.
curl --location --request GET 'http://localhost:8180/auth/realms/test/.well-known/openid-configuration' | jq
It will give a full list of result OIDC Discovery
{
"issuer": "http://localhost:8180/auth/realms/test",
"authorization_endpoint": "http://localhost:8180/auth/realms/test/protocol/openid-connect/auth",
"token_endpoint": "http://localhost:8180/auth/realms/test/protocol/openid-connect/token",
"introspection_endpoint": "http://localhost:8180/auth/realms/test/protocol/openid-connect/token/introspect",
"userinfo_endpoint": "http://localhost:8180/auth/realms/test/protocol/openid-connect/userinfo",
"end_session_endpoint": "http://localhost:8180/auth/realms/test/protocol/openid-connect/logout",
>>> deleted here next lines
I think you can customize the authentication flow using a custom Keycloak authentication SPI in that propagates passed personal token to the same 3-rd service that returns if the user is authenticated or not (see https://wjw465150.gitbooks.io/keycloak-documentation/content/server_development/topics/auth-spi.html for details)
Of course, you also need to create some web UI for token creation that will be then stored and verified with this custom SPI.
i'm getting an error while trying to invite a user to an ibm cloud account by REST API.
The error says that the IMS account is not valid.
Does anyone know whats an IMS Account?
here is my request:
curl -X POST \
https://user-management.cloud.ibm.com/v2/accounts/&MYACCOUNT/users \
-H 'Authorization: Bearer $TOKEN' \
-H 'Content-Type: application/json' \
-d '{
"users": [
{
"email": "myuser#ibm.com",
"account_role": "Member"
}],
"iam_policy": [
{
"roles": [
{
"id": "crn:v1:bluemix:public:iam::::role:Viewer"
}]
}]
}'
And the respsonse:
{
"trace": "558156745",
"errors": [
{
"code": 9999,
"message": "Not Authenticated.",
"more_info": "IMS account id from token is incorrect."
}
]
}
Any ideas how to handle this ?
API keys on IBM Cloud are tied to either a user or can be for a service ID, a specific service and more. The API keys for user IDs and service IDs can be used to generate an IAM (authentication) token.
When you call into a REST API and use a token, it is checked that the token is not expired, belongs to a valid user and if the required privileges are held to execute that desired function.
If you want to invite a user to an account and want to grant privileges as part of that invitation process, you would need to use a user ID with the privilege to invite to that specific account. It can be different for any account in an enterprise hierarchy, including the enterprise account. On top of that, the privileges to grant the desired roles or resource access is needed. If one is missing, it gives an error message (not always the best).
I'm trying to get all users from JIRA REST API. I need to save all users to my Database from my own java client. Is it possible to do that ?
If so how we going to do that?
At present time:
for Jira Cloud:
to get all (active + inactive) users:
GET /rest/api/2/users/search?query
to get all active users:
GET /rest/api/2/user/search?query
for Jira Server:
to get all (active + inactive) users:
GET /rest/api/2/user/search?username=.&includeInactive=true
to get all active users:
GET /rest/api/2/user/search?username=.
There seems to be an undocumented way:
Use the "Find user" api
https://docs.atlassian.com/jira/REST/latest/#api/2/user-findUsers
For the username query use %
EG:
/rest/api/2/user/search?username=%
You can get all users that are assignable to a specific project. If everyone is assignable you will get all users.
/rest/api/2/user/assignable/search?project=PROJECT
Curl:
curl -D -u USERNAME:PASSWORD -X GET -H "Content-Type: application/json" https://company.atlassian.net/rest/api/2/user/assignable/search?project=PROJECT
This worked for me:
https://company_name.altassian.net/rest/api/3/users/search?
It will return something like this:
[
{
"accountId": "id",
"accountType": "app",
"avatarUrls": {},
"displayName": "Slack",
"active": true
},
{
"self": "profile_link of ther user",
"accountId": "id",
"accountType": "atlassian",
"avatarUrls": {},
"displayName": "**Real user**",
"active": true,
"locale": "en_US"
}
]
Before saving to DB you'll have to check the accountType:
if (accountType == 'altassian') {
then do push; // or whatever
}
I know it's an old thread but if anyone is searching for this now, this works for me at the moment:
GET /rest/api/latest/user/search?query=+&maxResults=1000
Thanks ;)
One possible way to get all of the users in your JIRA instance is to use the Crowd API's /rest/usermanagement/1/search endpoint:
curl -X GET \
'https://jira.url/rest/usermanagement/1/search?entity-type=user&start-index=0&max-results=1000&expand=user' \
-H 'Accept: application/json' -u username:password
Do note that you'll need to create a new JIRA User Server entry to create Crowd credentials (the username:password parameter above) for your application to use in its REST API calls:
Go to User Management.
Select JIRA User Server.
Add an application.
Enter the application name and password that the application will use when accessing your JIRA server application.
Enter the IP address, addresses, or IP CIDR block of the application, and click Save.
There is no direct method to get all users in Jira Rest API. You might have to use Search function(Which requires passing in atleast one letter to search) or Groups functions, if you have users readily grouped in Jira application.
Go through their documentation for better reference.
https://docs.atlassian.com/jira/REST/latest/#d2e2
https://docs.atlassian.com/jira/REST/latest/#d2e808
You can use simple JDBC scripts to some advanced ones for writing users list to database, through your java client.
Hope this helps!
I also suffered with this problem for a long time. I had a task search by project completed tasks by user. Answer:
https://developer.atlassian.com/rest/api/2/search?jql = project = yourProject + AND + status = done + AND + assignee= yourUser