403 Forbidden in airflow DAG Triggering API - python

When I am trying to call the Airflow DAG API from Postman, I am facing a 403 Forbidden error.
I have enabled the headers for basic authentication with the username and password in Postman. In the airflow.cfg file, I have enabled auth_backend = airflow.contrib.auth.backends.password_auth. This error occurs when I attempt to work solely in Postman. When I copy the same URL and try it directly in the browser, I am able to access the link.
I'm having trouble with authorization now that I've enabled authentication.
I attempted to use the curl command but received the same forbidden error.
The Airflow version is 1.10.

The basic auth seems fine, it is base64 encoded already. 403 means you are authorized in the application but this specific action is forbidden. In Airflow there are different roles (admin/dag manager/operator) and not all roles are allowed to do DAG operations. Can you specify the user role and the operations you try to do? Bear in mind that a base64 auth string can be easily decoded to plain text and people can see your username and password.
In the picture you have shared the verb you are using is POST; opening the link in the browser is probably a GET operation, which is different in terms of the permissions required.
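The two points of that answer, that the Basic header is only an encoding and that 401 and 403 mean different things for a POST, can be checked with a small client. The following is an added example, not code from the question or from Airflow; it assumes a local Airflow 1.10 webserver at http://localhost:8080 and uses that release's experimental endpoint POST /api/experimental/dags/<dag_id>/dag_runs, and it reports a 403 as a role/permission problem rather than a credential problem.

```python
import base64
import json
import urllib.error
import urllib.request

# Assumed value (not from the question): a local Airflow 1.10 webserver.
AIRFLOW_BASE = "http://localhost:8080"


def basic_auth_header(user, password):
    """Build the Authorization header value Postman sends for basic auth."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def decode_basic_auth_header(value):
    """The header is base64, not encryption: anyone who sees it on the wire
    or in a log (proxy, Postman history, shell history) gets the credentials back."""
    scheme, _, token = value.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic auth header")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


def build_trigger_request(dag_id, user, password, conf=None, base_url=AIRFLOW_BASE):
    """Build (without sending) the POST that creates a DAG run in the 1.10 experimental API."""
    body = json.dumps({"conf": conf or {}}).encode("utf-8")
    return urllib.request.Request(
        f"{base_url}/api/experimental/dags/{dag_id}/dag_runs",
        data=body,
        method="POST",
        headers={
            "Authorization": basic_auth_header(user, password),
            "Content-Type": "application/json",
        },
    )


def explain_status(status):
    """Separate 'who are you' failures from 'you may not do this' failures."""
    if status == 401:
        return "credentials were rejected (authentication failed)"
    if status == 403:
        return "credentials accepted, but this user's role may not POST to this endpoint"
    return f"HTTP {status}"


def trigger_dag(dag_id, user, password, conf=None, base_url=AIRFLOW_BASE):
    """Send the request; return (status, parsed body) or (status, explanation)."""
    req = build_trigger_request(dag_id, user, password, conf, base_url)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.loads(resp.read().decode("utf-8"))
    except urllib.error.HTTPError as err:
        return err.code, explain_status(err.code)


if __name__ == "__main__":
    # Constructed credentials; replace with the account whose role you are checking.
    print(trigger_dag("example_dag", "admin", "secret"))
```

Because the same user can GET a page in the browser and still get 403 on this POST, compare the role of the account in the Authorization header with the role the endpoint requires before changing anything else.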

Related

Azure active directory SAML SSO configuration issue with Django backend

I am trying to set up SAML Single Sign-On (SSO) with my Django app, but I am getting an error when I try to login to my app.
I go to the app url, Microsoft processes the request (the url displays microsoft.loginonline.com/etc briefly), and then I get redirected to this page:
https://my-app.azurewebsites.net/.auth/login/aad/callback
which displays this error:
{"code":400,"message":"IDX10501: Signature validation failed. Unable to match keys: \nkid: '[PII is hidden]', \ntoken: '[PII is hidden]'."}
The reply url is set to:
https://my-app.azurewebsites.net/.auth/login/aad/callback
I did the set-up following both the Azure docs and following this documentation: https://django-auth-adfs.readthedocs.io, it's ostensibly working on my localhost, just not on the actual azure app service... I am unsure of what I am doing wrong, and the error message is not very informative for me as I am new to back-end programming and cloud.
Any help is appreciated, thanks!
As stated by you, you have configured SAML SSO with the Django app in the backend and are encountering the said error while logging in. As per the error reported, the ‘PII value is hidden’, due to which the signature keys couldn’t be validated by the AAD. So, you will need to add some strings to your ‘settings.py’ file to notify the Django web app of the returned value of the token from AAD. Please find below the strings to be added to the respective file:
Please add the below string to the AUTHENTICATION_BACKENDS section in the ‘settings.py’ file.
    Microsoft.IdentityModel.Logging.IdentityModelEventSource.ShowPII = true;
After adding the above string to the said file, the app should work and so the SSO too.
Also, please find below a link to a similar thread for your reference:
JWT token authentication fails with message "PII is hidden"
Thanks
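The step that IDX10501 reports as failing is the key lookup: the validator reads the kid from the token header and looks for that kid in the JSON Web Key Set it loaded for the issuer. The following is an added diagnostic, not code from the thread or from any Microsoft or Django library; it uses a constructed JWKS and a constructed token header, reads the header without verifying anything, and reports whether the kid is present in the key set, which is what you would compare against the tenant's published keys once ShowPII lets you see the real kid.

```python
import base64
import json

# Constructed sample data (not from the thread): a JWKS shaped like an issuer's
# published key set. "n" values are placeholders; only "kid" matters for lookup.
SAMPLE_JWKS = {
    "keys": [
        {"kty": "RSA", "use": "sig", "kid": "key-1", "n": "placeholder", "e": "AQAB"},
        {"kty": "RSA", "use": "sig", "kid": "key-2", "n": "placeholder", "e": "AQAB"},
    ]
}


def b64url_encode(obj):
    """JWT segments are base64url-encoded JSON without '=' padding."""
    raw = json.dumps(obj, separators=(",", ":")).encode("utf-8")
    return base64.urlsafe_b64encode(raw).decode("ascii").rstrip("=")


def b64url_decode(segment):
    """Restore the padding base64url strips before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_sample_token(kid):
    """Constructed token with a real header and placeholder payload/signature."""
    header = b64url_encode({"alg": "RS256", "typ": "JWT", "kid": kid})
    payload = b64url_encode({"sub": "constructed-subject"})
    return f"{header}.{payload}.placeholder-signature"


def token_header(token):
    """Read the (unprotected) header. This does NOT verify the token."""
    return json.loads(b64url_decode(token.split(".")[0]))


def find_signing_key(token, jwks):
    """Return the JWK whose kid matches the token's kid, or None when a
    validator would report 'Unable to match keys'."""
    kid = token_header(token).get("kid")
    if kid is None:
        return None
    for key in jwks.get("keys", []):
        if key.get("kid") == kid and key.get("use", "sig") == "sig":
            return key
    return None


def diagnose(token, jwks):
    """One-line explanation of the lookup result for a support ticket or log."""
    kid = token_header(token).get("kid")
    if find_signing_key(token, jwks) is None:
        return (f"kid {kid!r} not in key set: check that the validator loads the "
                f"JWKS of the tenant/issuer that actually issued this token")
    return f"kid {kid!r} found; signature verification can proceed"
```

Run diagnose() against the JWKS the app's configured issuer publishes; a token whose kid is absent from that set usually means the reply URL, tenant or issuer configured on the app service is not the one the token came from.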

Getting 401 Client Error when using firebase

I'm new to firebase and I'm trying to update some data in an existing project but I'm getting the following error: 401 Client Error: Unauthorized for url. So how to fix this problem and thank you! I just want to mention also that I have been added to the project, so I'm not the owner.
This is my code:
    from firebase import firebase

    # no auth token is passed (None) because we are only testing
    firebase = firebase.FirebaseApplication("the http path", None)
    firebase.put("/esco-lebanon/device-configs/atest-dev", "brightness", 50)
    print("Updated")
According to the documentation, a 401 error means one of the following:
The auth token has expired.
The auth token used in the request is invalid.
Authenticating with an access_token failed.
The request violates your Firebase Realtime Database Rules.
The understanding here is that your client code needs to correctly identify a Firebase Authentication user with a token in access_token, and that user account must have access to read the data in the database according to its security rules. Since you haven't provided a token, your access is coming in anonymously, so you could only query data where security rules allow universal access.
If you haven't investigated using authentication in your request, you should read the documentation about that.

Todoist Integration with gnome-todo

I am trying to integrate Todoist into Gnome-Todo. I was implementing OAuth, but I'm stuck at the second step: after the user grants access, the redirected URL doesn't seem to contain the code which needs to be exchanged for an access token.
On this page I grant the access:
http://imgur.com/a/76Qgd
After this I am redirected to this page, but the URL doesn't contain any parameter named code which I need to exchange to get the access token. I also don't know what this ei is. Any ideas?
The URL doesn't contain code because the browser is not at your configured redirect_url. The browser will be redirected to your configured redirect_url after the user logs into your app and grants the permission.
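The code only appears once the browser has landed on the redirect_uri registered for the app, so a client should check where it is before looking for the parameter. The following is an added example of both steps of the authorization-code flow, not code from the thread or from gnome-todo; it assumes Todoist's authorize endpoint at https://todoist.com/oauth/authorize and a registered redirect URI of http://localhost:8000/oauth/callback, and it rejects a callback whose state does not match the one this client generated.

```python
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed values (not from the thread): the provider's authorize endpoint and
# the redirect URI registered for this app.
AUTHORIZE_ENDPOINT = "https://todoist.com/oauth/authorize"
REDIRECT_URI = "http://localhost:8000/oauth/callback"


def new_state():
    """Unguessable per-request value; the callback must echo it back."""
    return secrets.token_urlsafe(16)


def build_authorize_url(client_id, scope, state, redirect_uri=REDIRECT_URI,
                        authorize_endpoint=AUTHORIZE_ENDPOINT):
    """Step 1: the URL the user is sent to in the browser to grant access."""
    query = urlencode({
        "client_id": client_id,
        "scope": scope,
        "state": state,
        "redirect_uri": redirect_uri,
    })
    return f"{authorize_endpoint}?{query}"


def parse_callback(callback_url, expected_state, redirect_uri=REDIRECT_URI):
    """Step 2: read the code from the URL the browser lands on after consent.

    The provider delivers the code only to the registered redirect_uri; if the
    browser is still on one of the provider's own pages there is no code yet."""
    parsed = urlparse(callback_url)
    landed = f"{parsed.scheme}://{parsed.netloc}{parsed.path}"
    if landed != redirect_uri:
        raise ValueError(f"browser is at {landed}, not at the registered redirect_uri")
    params = {key: values[0] for key, values in parse_qs(parsed.query).items()}
    if "error" in params:
        raise ValueError(f"authorization refused: {params['error']}")
    if params.get("state") != expected_state:
        raise ValueError("state mismatch: this callback does not belong to a request we started")
    code = params.get("code")
    if not code:
        raise ValueError("callback has no 'code' parameter")
    return code


if __name__ == "__main__":
    state = new_state()
    print(build_authorize_url("my-client-id", "data:read", state))
    # Constructed callback URL, as the browser would show it after consent:
    print(parse_callback(f"{REDIRECT_URI}?code=constructed-code&state={state}", state))
```

The state check is what stops a code from someone else's authorization being handed to your client; generate it with new_state() per login and keep it until the callback arrives.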

How to authenticate in Jenkins while remotely accessing its JSON API?

I need to access the Jenkins JSON API from a Python script. The problem is that our Jenkins installation is secured, so to log in users have to select a certificate. Sadly, in the Jenkins Remote Access Documentation they don't mention a thing about certificates, and I tried using the API Token without success.
How can I authenticate from a Python script to use its JSON API?
Thanks in advance!
You have to authenticate to the JSON API using HTTP Basic Auth.
To make scripted clients (such as wget) invoke operations that require authorization (such as scheduling a build), use HTTP BASIC authentication to specify the user name and the API token. This is often more convenient than emulating the form-based authentication.
https://wiki.jenkins-ci.org/display/JENKINS/Authenticating+scripted+clients
Here is a sample of using Basic Auth with Python.
http://docs.python-requests.org/en/master/user/authentication/
Keep in mind that if you are using a self-signed certificate on an internal Jenkins server you'll need to turn off certificate validation OR get the certificate from the server and add it to the HTTP request.
http://docs.python-requests.org/en/master/user/advanced/
I finally found out how to authenticate to Jenkins using certs and wget. I had to convert my pfx certificates into pem ones with cert and key in separate files. For more info about that, see here. In the end this is the command I used.
    wget --certificate=/home/B/cert.pem --private-key=/home/B/key.pem --no-check-certificate --output-document=jenkins.json https:<URL>
I'm not completely sure it covers your certificate use case, but since it took me some time to find out, I still want to share this snippet that retrieves the email address for a given user name in Python without special Jenkins libraries. It uses an API token and "supports" (actually ignores) https:
    import base64
    import json
    import ssl
    import urllib.request

    def _get_email_address(user):
        request = urllib.request.Request("https://jenkins_server/user/" + user + "/api/json")
        # according to https://stackoverflow.com/a/28052583/4609258 the following is ugly:
        # it turns off certificate verification for this request
        context = ssl._create_unverified_context()
        base64string = base64.b64encode(bytes('%s:%s' % ('my user name', 'my API token'), 'ascii'))
        request.add_header("Authorization", "Basic %s" % base64string.decode('utf-8'))
        with urllib.request.urlopen(request, context=context) as url:
            user_data = json.loads(url.read().decode())
        # the address is stored in the Mailer user property
        for property in user_data['property']:
            if property["_class"] == "hudson.tasks.Mailer$UserProperty":
                return property["address"]
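The snippet above works but discards the TLS check that is the reason a certificate-secured Jenkins exists. The following is an added, hardened version of the same call, not code from the thread or from Jenkins; it assumes a server at https://jenkins_server, an optional CA bundle for the internal CA, and the PEM client certificate and key produced by the pfx conversion described above, and it keeps the verifying context while still using the user name plus API token for Basic auth. The user JSON it parses is constructed to match the shape of /user/<name>/api/json.

```python
import base64
import json
import ssl
import urllib.request

# Assumed value (not from the thread): the Jenkins base URL.
JENKINS_URL = "https://jenkins_server"


def make_context(ca_bundle=None, client_cert=None, client_key=None):
    """A verifying TLS context, optionally presenting a client certificate.

    Unlike ssl._create_unverified_context() this keeps chain and hostname checks;
    pass the internal CA's bundle instead of disabling them."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    if client_cert:
        ctx.load_cert_chain(certfile=client_cert, keyfile=client_key)
    return ctx


def context_summary(ctx):
    """(verify mode name, hostname check) so callers can confirm nothing was disabled."""
    return ctx.verify_mode.name, ctx.check_hostname


def build_user_request(user, api_user, api_token, base_url=JENKINS_URL):
    """GET /user/<name>/api/json with Basic auth built from user name + API token."""
    token = base64.b64encode(f"{api_user}:{api_token}".encode("utf-8")).decode("ascii")
    request = urllib.request.Request(f"{base_url}/user/{user}/api/json")
    request.add_header("Authorization", f"Basic {token}")
    return request


def email_from_user_json(user_data):
    """Pick the address out of the Mailer user property; None when absent."""
    for prop in user_data.get("property", []):
        if prop.get("_class") == "hudson.tasks.Mailer$UserProperty":
            return prop.get("address")
    return None


def get_email_address(user, api_user, api_token, context, base_url=JENKINS_URL):
    request = build_user_request(user, api_user, api_token, base_url)
    with urllib.request.urlopen(request, context=context, timeout=10) as resp:
        return email_from_user_json(json.loads(resp.read().decode("utf-8")))


# Constructed sample (not a real response), shaped like Jenkins' user JSON.
SAMPLE_USER_JSON = {
    "_class": "hudson.model.User",
    "id": "alice",
    "property": [
        {"_class": "hudson.model.PaneStatusProperties"},
        {"_class": "hudson.tasks.Mailer$UserProperty", "address": "alice@example.com"},
    ],
}


if __name__ == "__main__":
    print(email_from_user_json(SAMPLE_USER_JSON))
    ctx = make_context(ca_bundle="/path/to/internal-ca.pem",  # placeholder paths
                       client_cert="/home/B/cert.pem", client_key="/home/B/key.pem")
    print(context_summary(ctx))
```

With the CA bundle loaded, the --no-check-certificate equivalent is no longer needed for either wget or Python; the client certificate covers the login-by-certificate requirement and the API token covers the Basic auth the Jenkins wiki page describes.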

How to create python test script to access services hosted in GAE which require login

buddies
One of my GAE RESTful services needs login with an admin account, and I'm writing an automation script in Python for testing this service. The script simply does an HTTP POST and then checks the returned response. The difficult part for me is how to authenticate the test script as an admin user.
I created an admin account for testing purposes, but I'm not sure how to use that account in my test script. Is there a way that my test script can use OAuth2 or another approach to authenticate itself as a test admin account?
OK, I think this might be what you are looking for: client libraries to authenticate. And yeah, I believe App Engine now recommends using OAuth2 for any kind of authentication:
https://developers.google.com/accounts/docs/OAuth2#libraries
Then you get an auth token which you pass in the headers of your RESTful request like:
    # Your authenticated request
    Authorization: Bearer TokenHere
Then in your handler you get it like:
    from google.appengine.api import oauth

    # the scope the bearer token must have been issued for
    SCOPE = 'https://www.googleapis.com/auth/userinfo'

    try:
        user = oauth.get_current_user(SCOPE)
    except oauth.NotAllowedError:
        user = None
    # then, from the first link, you should be able to check whether the caller is an admin
    is_admin = user is not None and oauth.is_current_user_admin(SCOPE)
This is how I authenticate on Android, but I only do this once, store it in the session and just enable the cookie jar on the httpclient.
