I need to check whether the provided blob is assigned to the organisation represented by tenant ID.
Provided information is:
- storage URI
- SAS token
My solution is to list all the subscription within the organisation, get the subscription of provided blob and find the match.
The problem is, in Azure SDK i can not find any method to get information about subscription.
The only way I can list the properties about my storage account is to use azure CLI by running command
az storage account show
Is there any way to get subscription information having such parameters?
If not, could you suggest me some solution to check blob belongingness?
In your case, you need to have the permissions for all the subscriptions in the tenant(e.g. you are the owners of the subscriptions).
My workaround is to call the REST API Subscriptions - List in java(seems there is no sdk to list subscriptions), to call the rest api in java, you could refer to this link.
Then List resource groups in every subscription, after that you can List all storage accounts in a resource group. Then check the storage account if exists in them.
Could you recommend me some other solution to confirm blob belongingness? Maybe I need more input data? If so, what kind of data?
First, your purpose is a reverse search, so we could not know the subscription, resource group. So we could not know the details about the storage account, like the resource id of the storage account, becasue the resource id includes the subscription id and resource group name. So even if you have other input data, which is not related to the storage account directly, we just could use the workaround above.
Related
I am writing a custom Java webscript that accepts document noderef and an external username (string value) as parameters. I have auditing enabled and the audit log shows access to the document when I call the webscript. Now I wanted to know if it is possible to modify the audit trail so that when it shows the log for that particular document it also shows the name of the external user.
webscript url: http://localhost:8080/alfresco/service/node/{noderef}/user/{user}
On calling this I get the following output in log:
Extracted audit data:
Application: AuditApplication[ name=alfresco-access, id=1, disabledPathsId=2]
Values:
/alfresco-access/transaction/sub-actions=readContent
/alfresco-access/transaction/action=READ
/alfresco-access/transaction/node=workspace://SpacesStore/c21db432-4ad6-4af2-8bcf-78bc89724afe
/alfresco-access/transaction/type=cm:content
/alfresco-access/transaction/path=/app:company_home/app:shared/cm:audit-services-context.xml
/alfresco-access/transaction/user=admin
New Data:
/alfresco-access/transaction/sub-actions=readContent
/alfresco-access/transaction/action=READ
/alfresco-access/transaction/type=cm:content
/alfresco-access/transaction/user=admin
/alfresco-access/transaction/path=/app:company_home/app:shared/cm:audit-services-context.xml
I want to store the {user} also in the audit trail.
You can try to use AuthenticationUtil.setFullyAuthenticatedUser. I think this should help you. But I didn't test this.
You probably do not want to do that, at least not in the way you describe, not without making extra security precautions.
This goes IMHO opinion against security standards, if admin needs to read a document,the operation needs to be logged with his username, if a normal user needs to access a document, he needs to be properly authenticated for that operation.
Judging from the little context I have I would say this is actually an integration with some other app that does not share SSO with Alfresco. So I would recommend a solution of the following :
Use proper SSO between Alfresco and your application, have the concerned user ping the right endpoint in Alfresco and let SSO authenticate the request properly for you.
Use a shared secret (something like a shared passphrase to encode encode the authority name in the request + proper authentication subsystem or request filter to handle that) or a key pair (something like securecomms between solr and alfresco) to be able to securely pass on authority information to the request
Use a system account (preferably not admin, but one that is dedicated to this usecase/application integration) to generate a valid alf_ticket for the user in question, and have your app attach that ticket to the request. (Of course, your "impersonate" webscript would need to check for the right system/integration username, before running the snippet to get the alf_ticket from a runAsSystem block). In this case, I would also recommend not using the admin account for this but rather use a user with no permissions at all except for this usecase.
If you are going to opt for the quick implementation that you have, I would recommend at least the following :
You need to make sure that not any user can ping that webscript and that only admin/system user can actually access that webscript.
You probably should log the whole impersonation operation in the audit trail (either using the same audit entry or a separate one), so that it would be clear that this is actually an operation that was made on behalf of the user and not directly by the user himself
If you use the webscript in question for anything other than reading the content of the node (Can be the case also if you have a onReadContent behaviour that has some nasty AuthenticationUtil.setFullyAuthenticatedUser as well), and you require that operation to be logged as system/originally authenticated user, You will probably have a hard time doing that... and you should switch to a more robust approach!
Is there a way to determine whether a storage account is blob storage or general purpose storage using the Azure storage Java API
According to the Azure Storage REST API Create Storage Account(only version 2016-01-01 and later), you can see a parameter kind which determine what kind of storage account (Storage or BlobStorage) will be created in the request body.
For using Azure Storage Java API, there is an enum class Kind which includes the two kinds of storage account, you can select the one of you want via two interfaces (WithGeneralPurposeAccountKind and WithBlobStorageAccountKind) of StorageAccount.DefinitionStages interface.
Here are the usual usages of them.
Create a default kind storage account via define method, see the completed sample code here.
StorageAccount storageAccount = azure.storageAccounts().define(storageAccountName)
.withRegion(Region.US_EAST)
.withNewResourceGroup(rgName)
.create();
According to the source code of define method, the default kind of storage account is Storage via WithGeneralPurposeAccountKind.
Create a storage account of BlobStorage kind.
StorageAccount storageAccount = azure.storageAccounts().define(storageAccountName)
.withBlobStorageAccountKind() // Set the kind as `BlobStorage`
.withRegion(Region.US_EAST)
.withNewResourceGroup(rgName)
.create();
Im creating an application to login in Google+ and get friends emails.
Im authenticating succesfully and get token back , but when i fetch friends list , the user class of any single friends has emails=null...
here is the code (After already signed in and get authenticator class):
// Generated libraries for Google APIs
using Google.Apis.Authentication.OAuth2;
using Google.Apis.Authentication.OAuth2.DotNetOpenAuth;
using Google.Apis.Services;
using Google.Apis.Util;
using Google.Apis.Plus.v1;
using Google.Apis.Plus.v1.Data;
// For OAuth2
using DotNetOpenAuth.Messaging;
using DotNetOpenAuth.OAuth2;
//....code for authentication skipped ....
//...callback from json (authentication success)
PlusService ps = new PlusService(new BaseClientService.Initializer()
{
Authenticator = authenticator
});
PeopleFeed peopleFeed = ps.People.List("me", PeopleResource.CollectionEnum.Visible).Fetch();
//After that when i inspect peopleFeed[0].Emails <--- this is null..
any help?
The Google+ API only returns public information. So even if you are permitted to see a person's email address, it does not necessarily mean that the information is public and that it will be returned.
Furthermore, the documentation at https://developers.google.com/+/api/latest/people/list only guarantees that the list of people returned will contain the person's
id
displayName
image
url
and that to get other information about the person, you will need to do a people.get against that ID. But, again, note that you may still not get their email if that information isn't public.
You could also use the Contacts v3 API to get friend's email addresses. You can cross map this to Google+ contacts by looking at the gContact:website element for the contact that comes back in the XML response:
<gContact:website href='http://www.google.com/profiles/1234567890' rel='profile'/>
In that element's href attribute, 1234567890 is the person identifier that would match the id field of the relevant person resource from people.list of the Google+ API.
Note that the profile link is not guaranteed to come back for a contact entry. This occurs when the contact has not been linked to a Google+ profile.
My first guess would be that it's a rights management issue. I remember when I asked for my Google API key, I had to mention what information I want to get.
Could you check your API key settings in the Google Developer network and see if you need to enable it there?
I have an application which syncs user data from source to destination.
Current Use case: Sync Facebook photo to dropbox.
I have implemented following steps to retrieve user photos:
Take user access token; then exchange it with extended access token.
Save the extended access token to DB.
Poll to Facebook on Timeline Photo album with the help of extended access token and using lastSync check to check if new photo is present.
If there are any new photos available, then get those photos and upload them to user's Dropbox account folder (assuming that we have Oauth permissions for user's Dropbox account). Finally update lastsync in DB as currect timestamp.
My new use case is to get Facebook posts/photos with criteria like if n number of comments are posted to a photo/post; then retrieve it and sync it to Dropbox. In this case; it can be a old post or photo too.
I tried it with Real-Time update subscription but it didn't helped me much.
Any help on the above use case will be very helpful.
BTW, I am using Restfb.
is it possible to retrieve the username of a google account that i have succesfully authenticated using OAuth?
i have retrieved the users Access tokens but i am wondering if their is a API call i can make such has https://google.api/getUserName and pass the access tokens to that call and succesfully retrieve the users email/username?
In a normal OAuth web service, all you need is the secret and id access tokens to make calls to the web service but in google you also need the username too.
Any ideas?
Take a look at http://sites.google.com/site/oauthgoog/Home/emaildisplayscope . That should work for you.
The only way I figured so far is using the Spreadsheet API.
If you request the feed, that lists all documents
https://spreadsheets.google.com/feeds/spreadsheets/private/full?alt=json
There is a field with the username as well:
response.data.feed.title.$t
Unfortunately, this means prompting the user to grant access to his GDocs account, which may be confusing..
But I don't know of any API by Google to directly get the username.
Best way, the following feed was retrieved from the Contacts Data API:
https://www.google.com/m8/feeds/contacts/default/full?alt=json&max-results=0
and get next fields from the feed:
response.data.feed.id
or
response.data.feed.author.name.$t
response.data.feed.author.email.$t
http://code.google.com/intl/ja/apis/accounts/docs/AuthForInstalledApps.html#Errors
This one is PHP, i think a slight modification in JAVA could make this workout
http://www.electrictoolbox.com/google-analytics-login-php-curl-username-password/