We're seeking a solution to enable us audit our HashiCorp Vault instance to obtain a namespace breakdown of:
For each Vault user, the roles or groups that their entity belongs to.
Having reviewed the Vault API explorer commands, it appears this is not a capability that is available using that utility. There's been a suggestion that the HashiCorp Vault API client (HVAC) for Python might be a possible solution, but my initial research doesn't appear to indicate so either.
Will an API client like Postman for instance be the possible answer? Any recommendations or suggestions on how we can perform this task?
The API does provide that information, but the data is organized with groups containing users. You must gather the data this way and create a map as you go. As #furas commented, you will likely hit the limits of Postman trying to do that.
I see you tagged your question with Python, so here is the list of steps you need to do, with links to the corresponding Vault API documentation and HVAC wrapper:
List groups by id to prime your loop. HVAC list_groups
For each group in the list:
Read the group detail to get the member_entity_ids list. HVAC read_group
For each user in the group:
Read the user details and save the results in a map (so that it can be indexed by user). HVAC read_entity
Add the group that got you there in that user's data. Something like users[entity_id].groups.append(current_group['data']['name']).
Print or export your map of users and their groups.
#ixe013 's response is good but you also asked about roles. Some people do tie usernames / email addresses to auth method roles (especially OIDC) by listing them in the auth/oidc/role/${role_name} endpoint's bound_claims map. I'm not suggesting people should use this method, as it doesn't scale as well as the identity system groups, but for completeness it is worth mentioning, as there are indeed three places policies can be assigned: from identity system entity objects, from identity system groups, or from auth method role definitions. And policies are how you grant effective permissions in Vault, so this is completely relevant in an auditing context.
Related
I was wondering if it's possible to utilize the Instagram API with Python in order to gather info on follower account status to seek trends/activity/etc. for my platform. Basically I want to see what brands, etc. users engage with by using the API to see where the accounts who are part of my network go, what they click like on, where they leave a comment/what type of feedback they give/interact across brands. The accounts will consent to this of course, but is this even possible with the API anyways? I have seen services offer this for a fee, so I assumed it's possible somehow.
I assume that when a user leaves a comment it is stored in some database that you can then use the API to see if it matches with some ID or such -- if not then maybe there is a way to do this indirectly, i.e., some kind of background service that can see if a comment/ID matches a username without having to use the API itself. Basically I'm interested if this is feasible/simple -- I'm not too savvy!
This is meant for business and non-business/personal accounts -- also just for the fun of it too.
I have peeked at the API but it does not mention this, and no amount of searching narrows it down.
I know Facebook made some changes with their graph API which basically makes this a dead end on their platform without some possible hackaround if that is even theoretically possible.
Does facebook allow to use one person's access token to fetch post info of another person (post comments, likes)?
I am thinking of implementing a pool of tokens in my app, so if token is broken I can use other persons token. Wondering if it's allowed and whether facebook have some restrictions on such a use case.
Additionally, I am currently using FQL, is there a difference for Graph API in how tokens work?
Short answer: It is not possible. That would be an incredibly large privacy problem anyway.
Also, for user postings you need the "read_stream" permission and you probably will not get this one approved:
This permission is reserved for apps that replicate the Facebook
client on platforms that don’t have a native client.
(https://developers.facebook.com/docs/facebook-login/permissions/v2.0)
About FQL: There is no difference, although keep in mind that FQL is deprecated and will be removed when support for v2.0 runs out. See this link for more information: https://developers.facebook.com/docs/apps/versions#versioning
(thanx to Tobi for clarification)
I'm doing some research, where I have a facebook app, that asks for some permissions on the users facebook to get some basic information.
I can see that my app has about 600 users, and I'd like to query them, to see some patterns in the users. i.e. how many friends do they have, how long messages do they post in updates etc.
My question is: Do I have to copy the data when the user first visits my app and grants access to his information, or can I query it as long as the user hasn't "removed" my app.
I hope the second option will be true, since I have a lot of considerations about "copying" user data, and storing it in a database - primarily ethical but also related to security issues, compliance, resources so on and so forth.
the programming language is not important, but if anyone needs to exemplify, lets say it's python.
NO. You don't have to copy the data.
You can query Facebook as long as you have a valid access token regardless of whether the user is online or offline.
However, the only thing you need to take care of is handling of expired access token, because in that case the user will need to re-authorize your application for you to get the access_token.
First than all, I don't even know if this is a session related question. But I could not think a better way to describe it in the title.
I'm developing a web application for registered users so they can create and manage trade unions.
A user can create several unions. Each union can store an image, a description and a name.
The index page shows the list of unions created by the currently registered user.
When the user clicks on a union from the list, all the pages of the application must show
in they headers the corresponding name and image stored for that union.
Also, all the options of the application must refer to the currently selected union.
That is the process for every selected union.
How could I do this on App Engine Python? What technique could I use? Is it something
related to sessions? I do the authentication process with the Gmail service.
I hope I explained myself clearly.
Thanks in advance!
You'd use the datastore to create a union as an entity class, with a description and a name. If your image is small you can store it in your entity, if it's large, you may store it in the blobstore and store a link to it inside your entity.
You can use the python User API for authentication. You don't really need any special session work if you're using the User API.
I'm working on an application that lets registered users create or upload content, and allows anonymous users to view that content and browse registered users' pages to find that content - this is very similar to how a site like Flickr, for example, allows people to browse its users' pages.
To do this, I need a way to identify the user in the anonymous HTTP GET request. A user should be able to type http://myapplication.com/browse/<userid>/<contentid> and get to the right page - should be unique, but mustn't be something like the user's email address, for privacy reasons.
Through Google App Engine, I can get the email address associated with the user, but like I said, I don't want to use that. I can have users of my application pick a unique user name when they register, but I would like to make that optional if at all possible, so that the registration process is as short as possible.
Another option is to generate some random cookie (a GUID?) during the registration process, and use that, I don't see an obvious way of guaranteeing uniqueness of such a cookie without a trip to the database.
Is there a way, given an App Engine user object, of getting a unique identifier for that object that can be used in this way?
I'm looking for a Python solution - I forgot that GAE also supports Java now. Still, I expect the techniques to be similar, regardless of the language.
Your timing is impeccable: Just yesterday, a new release of the SDK came out, with support for unique, permanent user IDs. They meet all the criteria you specified.
I think you should distinguish between two types of users:
1) users that have logged in via Google Accounts or that have already registered on your site with a non-google e-mail address
2) users that opened your site for the first time and are not logged in in any way
For the second case, I can see no other way than to generate some random string (e.g. via uuid.uuid4() or from this user's session cookie key), as an anonymous user does not carry any unique information with himself.
For users that are logged in, however, you already have a unique identifier -- their e-mail address. I agree with your privacy concerns -- you shouldn't use it as an identifier. Instead, how about generating a string that seems random, but is in fact generated from the e-mail address? Hashing functions are perfect for this purpose. Example:
>>> import hashlib
>>> email = 'user#host.com'
>>> salt = 'SomeLongStringThatWillBeAppendedToEachEmail'
>>> key = hashlib.sha1('%s$%s' % (email, salt)).hexdigest()
>>> print key
f6cd3459f9a39c97635c652884b3e328f05be0f7
As hashlib.sha1 is not a random function, but for given data returns always the same result, but it is proven to be practically irreversible, you can safely present the hashed key on the website without compromising user's e-mail address. Also, you can safely assume that no two hashes of distinct e-mails will be the same (they can be, but probability of it happening is very, very small). For more information on hashing functions, consult the Wikipedia entry.
Do you mean session cookies?
Try http://code.google.com/p/gaeutilities/
What DzinX said. The only way to create an opaque key that can be authenticated without a database roundtrip is using encryption or a cryptographic hash.
Give the user a random number and hash it or encrypt it with a private key. You still run the (tiny) risk of collisions, but you can avoid this by touching the database on key creation, changing the random number in case of a collision. Make sure the random number is cryptographic, and add a long server-side random number to prevent chosen plaintext attacks.
You'll end up with a token like the Google Docs key, basically a signature proving the user is authenticated, which can be verified without touching the database.
However, given the pricing of GAE and the speed of bigtable, you're probably better off using a session ID if you really can't use Google's own authentication.