Scenario:
I have a console application that needs to access a network share with read/write permissions.
There is no problems when run it manually.
The problem:
When I add this application as a job in my quartz.net server, it cannot access the share. I do not have access to change permissions on the network share, so basically I need my quartz job or if necessary my quartz server to run jobs as me (or as a user that has the proper permissions).
Any ideas in how to accomplish this?
Thanks
You need to change the user that the service is ran with (so this actually isn't a Quartz.NET issue). Open service properties in services and change the user from SYSTEM or NETWORK SERVICE to some named user account that has proper rights to the network share.
You can also use impersonation to change the user you're running as on the fly.
Related
I am have AWS EC2 Server with my App Backend and Database there.
My new developer needs to upload few things in the Database and update Backend code but I don't want to give him the PEM.
He needs to SSH
Whats the best possible way to do it? I was thinking of creating an IAM User for him - but I only want him to give SSH Access, so permission would that be? I could only find a general full permission EC2 which would also give him permission to edit the Security Group and things like that.
I do trust him well, but I just don't want to give him full access in general.
What can I do?
Why not allow your developer to connect using session manager.
If you use this he can access the environment either in his browser or via the AWS CLI.
He should be able to mimic a regular session but without having the key, then when he's done you remove the permissions of the server. You can also enable logging to check the history of his sessions actions.
If you want to update code you should at some point take a look at using code deploy to have the code automatically rolled out without even accessing the server.
So my goal is to create a Rundeck job that runs on a schedule and isn't run as my personal user, or any "regular" user, but rather a bot user. Ideally this bot user wouldn't have login access and restricted permissions for security reasons, but would be able to run certain jobs. I've tried searching, but the only information I'm finding is about how to create a "regular" user in Rundeck. Even if I go down that route of creating the bot user as a "regular" user, to use it, you need to pass in either the login credentials or an API token. An API token would be fine, if it could be generated and pulled in on the fly. However, that is not the case, the API has an expiration itself. If there is something I'm missing, please let me know. I'd love to get this working.
Rundeck Version: Rundeck 3.2.1-20200113
Rundeck Cli Version: 1.1.7
You can set the following configuration in your rundeck-config.properties file (usually at /etc/rundeck/ directory):
rundeck.api.tokens.duration.max=0
This will disable your maximum period, you can see this in the official documentation here.
With that, your "bot user" can do it through API / RD CLI as you wrote.
Try using webhooks https://docs.rundeck.com/docs/manual/12-webhooks.html
You can trigger a job by making a http-request
The way I've implemented bots is as a user who is a member of a 'bot' user group, with ACLs that lock down that group as required. Any passwords required for the scheduled job are loaded into the key storage of the bot user.
With this approach you still need someone who knows the bot credentials to login as them and set passwords/SSH keys, but that's a one-off. Is that what you're trying to avoid?
The one annoying thing I've found is that a scheduled job always seems to run as the last user to edit the job - so I grant edit access to bot users and make sure to set/reset the schedule after any edit by a normal user. Hoping to address this through https://github.com/rundeck/rundeck/issues/1603, you might want to give it a 👍.
We're trying to get our first containerized build running in Azure Devops Server.
The build runs fine in the container, but, unfortunately, it needs to access resources on another server. As such, I need this to be running as a domain user (GMSA account will work) so that it can authenticate the network share to access those resources.
I can't seem to find any documentation on running a containerized build as a specific user.
Can anyone point me to how to setup the yml for passing credentials, or gmsa account? That would be great.
Thanks in advance
Alright... so I figured it out.
First you have to create a credential spec
In powershell New-CredentialSpec -AccountName GMSAAccountName
Then add this in the yml file beneath the container declaration:
options: --security-opt "credentialspec=file://Domain_GMSAAccountName.json"
That was it... and now it works.
Have you tried using PAT(Personal Access Token) to run in agent build?
When setup asks for your authentication type, choose PAT. Then paste the PAT token you created into the command prompt window.
https://learn.microsoft.com/en-us/azure/devops/pipelines/agents/v2-windows?view=azure-devops#permissions
We currently have a FileMaker Server instanace running, it already has PHP web publishing running.
I'm just wondering is it as simple as ticking enable XML web publishing for it to be up and running or have I got to restart the server??
Thanks
You need to enable it in the server deployment, then you need at least 1 user account in the file with the extended privilege to grant access via php/xml/iwp etc. You will need a user account in EACH file you want to have access to with the appropriate extended privilege.
Then comes the fun of actually working with the FMXML or FMPHP engine hehe.
My build agents are not starting after I change the properties credentials to the domain account from the network service. I done this because the network service account cannot write to my drop folder.
Each time I add the network service to the drop folder share, it appears then disappears.
http://msdn.microsoft.com/en-us/library/bb778394.aspx I followed this but some steps are different, i have xp and it doesn't show the share tab so i go through security tab
So I guess I'm asking two questions here;
Agents are not starting after changing credentials.
Network service not able to write to the drop folder.
Thanks in advance
Yes, Network Service won't have permissions to write to a drop location. That's pretty standard. You need to be using a domain account.
The TFS Build Service will need to run as a domain user so it can write to the drop location.
The domain account for the build agent will need to be in the TFS Project Collection group for build service accounts (internal to TFS). I can't remember what it's actually called but you need to be a collection administrator to update it.
The domain account will also need some login as batch/service permissions but that should be done automatically when you reconfigure the service. Do you use the TFS Admin console to reconfigure the agent or did you just set the credentials on the service? (You should use the TFS Admin console).