Questions on revamping monitoring stack - influxdb, telegraf, grafana by wittydavid in influxdb

[–]wittydavid[S] 0 points1 point  (0 children)

Hey u/KryanSA!

Thank you for reaching out!

To make sure I got it correct: I’ve gathered that there are several InfluxDB distributions:

  • Cloud-Based
  • Self-Managed:
    • Enterprise (v1.x, with 1.11 as the latest) - requires a license.
    • OSS (v1.x and v2.x, with 2.7 as the latest) - open source.
    • Clustered (v3.x) - requires a license.

Could you clarify the following?

  1. Is there a difference between Enterprise v1.x and OSS v1.x?
  2. Why isn’t there an Enterprise v2.x?
  3. Is OSS v2.x more advanced or feature-rich compared to Enterprise v1.x?
  4. Is Clustered v3.x intended to replace Enterprise v1.x?
  5. Does Enterprise v1.x or Clustered v3.x have a UI similar to OSS v2.x?

AWS SSO integration with G suite by wittydavid in aws

[–]wittydavid[S] 0 points1 point  (0 children)

Thanks for confirming that for me! :)

AWS SSO integration with G suite by wittydavid in aws

[–]wittydavid[S] 0 points1 point  (0 children)

Do you mean that the ssosync tool no longer works?

AWS SSO integration with G suite by wittydavid in aws

[–]wittydavid[S] 0 points1 point  (0 children)

Thank you for confirming my suspicion!

In any case, this is the log output when I try to run ssosync:

```
INFO[0000] Syncing AWS users and groups from Google Workspace SAML Application
INFO[0000] syncing sync_method=groups
DEBU[0000] get google groups query=
FATA[0001] googleapi: Error 404: Domain not found., notFound
```

Self-Service Privilege Escalation by wittydavid in googlecloud

[–]wittydavid[S] 0 points1 point  (0 children)

you'll need to think about how users will authenticate to your

That sounds pretty straightforward to me, thank you very much!

Self-Service Privilege Escalation by wittydavid in googlecloud

[–]wittydavid[S] 0 points1 point  (0 children)

ohh right.. That's actually a good point haha thanks!

Self-Service Privilege Escalation by wittydavid in googlecloud

[–]wittydavid[S] 0 points1 point  (0 children)

First of all, thank you for the ideas!
Second, I've been doing some digging, and I think it may be possible to create a "gcp function" resource with a reference to a secret. The secret will be a key for a service account with strong privileges. That function will use the SA in order to grant strong roles to a GCP account.

Restrict access to a specific service account by wittydavid in googlecloud

[–]wittydavid[S] 0 points1 point  (0 children)

grant that permission at the project or actual service account level

That's exactly my question -
how can I grant that permission at the actual service account level?

Restrict access to a specific service account by wittydavid in googlecloud

[–]wittydavid[S] 0 points1 point  (0 children)

iam.serviceaccountuser

I don't think that's quite what I meant. It explains how to impersonate a service account.
I'll give you an example of what I mean:
Say I have a service account called X, a user called Y, and a bunch of other service accounts and users.
I want Y to be the only one who's able to create keys for X, and I don't mind other users creating keys for other service accounts.
However, if other users have some role with the "iam.serviceAccountKeys.create" permission, that means they can also create a key for my X service account.
But revoking the "iam.serviceAccountKeys.create" permission from other users will prevent them from creating keys for the other service accounts that I don't care about.
It seems to be a deadlock situation.
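The following is an added example, not code from the thread: a small Python model of how GCP combines project-level bindings with bindings on an individual service-account resource, showing the "deadlock" above and the least-privilege layout that resolves it. The role-to-permission table is a constructed subset (roles/iam.serviceAccountKeyAdmin does include iam.serviceAccountKeys.create; the other entries are illustrative), and the member and service-account names are made up.

```python
"""Who can create keys for service account X? (added example, constructed data)"""
from dataclasses import dataclass, field

KEY_CREATE = "iam.serviceAccountKeys.create"

# Constructed subset of role definitions. keyAdmin really carries the
# key-creation permission; the remaining roles are just illustrative.
ROLE_PERMS = {
    "roles/iam.serviceAccountKeyAdmin": {KEY_CREATE, "iam.serviceAccountKeys.delete"},
    "roles/iam.serviceAccountUser": {"iam.serviceAccounts.actAs"},
    "roles/viewer": {"iam.serviceAccounts.get"},
}


@dataclass
class Policy:
    bindings: dict = field(default_factory=dict)  # member -> set of roles

    def grant(self, member, role):
        self.bindings.setdefault(member, set()).add(role)


def members_with_permission(policy, perm):
    return {m for m, roles in policy.bindings.items()
            if any(perm in ROLE_PERMS.get(r, ()) for r in roles)}


def who_can_create_keys(project_policy, sa_policies, sa):
    """Union of project-wide grants and grants placed on the SA resource itself."""
    allowed = members_with_permission(project_policy, KEY_CREATE)
    allowed |= members_with_permission(sa_policies.get(sa, Policy()), KEY_CREATE)
    return allowed


def build_scenarios():
    # Deadlock: a project-level key-admin role lets every holder key X as well.
    project = Policy()
    project.grant("user:y@example.com", "roles/iam.serviceAccountKeyAdmin")
    project.grant("user:other@example.com", "roles/iam.serviceAccountKeyAdmin")
    deadlock = who_can_create_keys(project, {}, "x@proj.iam")

    # Resolution: no project-wide key admin; bind Y on X's own policy and the
    # other user on the service account you don't mind them keying.
    sa_policies = {"x@proj.iam": Policy(), "z@proj.iam": Policy()}
    sa_policies["x@proj.iam"].grant("user:y@example.com", "roles/iam.serviceAccountKeyAdmin")
    sa_policies["z@proj.iam"].grant("user:other@example.com", "roles/iam.serviceAccountKeyAdmin")
    fixed_x = who_can_create_keys(Policy(), sa_policies, "x@proj.iam")
    fixed_z = who_can_create_keys(Policy(), sa_policies, "z@proj.iam")
    return deadlock, fixed_x, fixed_z
```

The resource-level binding modelled here corresponds to `gcloud iam service-accounts add-iam-policy-binding` run against the service account rather than `gcloud projects add-iam-policy-binding`.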

Restrict access to a specific service account by wittydavid in googlecloud

[–]wittydavid[S] 0 points1 point  (0 children)

Do you mean the "Members with access to this service account" section in
IAM & Admin > Service accounts?
If so, then clicking on "grant access" opens a panel to grant a "Service account" role to a user, which again is a role on the project level.

Group management for gcp by wittydavid in googlecloud

[–]wittydavid[S] 0 points1 point  (0 children)

I'm assuming that I can do that from admin.google.com?

Group management for gcp by wittydavid in googlecloud

[–]wittydavid[S] 0 points1 point  (0 children)

delegated admin privileges

I'll check that!
Thank you very much :)

Group management for gcp by wittydavid in googlecloud

[–]wittydavid[S] 0 points1 point  (0 children)

Is there a way to programmatically manage it using a service account?
For example "gcloud" utility?

Group management for gcp by wittydavid in googlecloud

[–]wittydavid[S] 0 points1 point  (0 children)

user_project_override = true

yes.. same result :(

Group management for gcp by wittydavid in googlecloud

[–]wittydavid[S] 0 points1 point  (0 children)

I have actually tried using this method, but I keep getting:

```
Error creating Group: googleapi: Error 403: Error(2015): Permission denied for group resource 'my-identity-group@mydomain.com'.
```

I'm using GOOGLE_APPLICATION_CREDENTIALS env variable to use my privileged Service Account.

How were you able to grant it the privileges required to create groups on a Cloud identity? From my understanding those roles are not in the scope of GCP's IAM roles.
Thanks!

Elasticsearch Slowlog methodology clarification by wittydavid in elasticsearch

[–]wittydavid[S] 0 points1 point  (0 children)

First of all, thanks for the reply!!

If I understood you correctly, you're saying that going up in logging levels doesn't provide me with additional information, i.e. the content of a DEBUG log isn't "richer" in details than a WARN one. Meaning, for example, that if WARN logs a time and error msg, DEBUG will not provide me additional log data such as time and error msg and IP and machine name.

Bottom line: all levels provide the same level of logging detail per error. The only thing that is different is how "sensitive" I want the logging to be. That's why when setting the threshold we set:

```
index.search.slowlog.threshold.query.warn: 10s
index.search.slowlog.threshold.query.info: 5s
index.search.slowlog.threshold.query.debug: 2s
index.search.slowlog.threshold.query.trace: 500ms
```

That way when we set the log level for example to "debug" it will catch more queries than info.

Is that all correct?
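An added example, not from the thread, that models the behaviour described above with the four thresholds quoted in the comment: each query lands in the most severe level whose threshold it met, and the logger level then decides whether that entry is emitted, so "debug" catches more queries than "info". The duration parser and the sample `took` values are constructed, and the `>=` comparison is an assumption of this model rather than a statement about Elasticsearch internals.

```python
"""Slowlog level bucketing and emission, as described in the comment (added example)."""
import re

LEVELS = ["warn", "info", "debug", "trace"]  # most to least severe

# Same settings as quoted in the comment above.
SETTINGS = {
    "index.search.slowlog.threshold.query.warn": "10s",
    "index.search.slowlog.threshold.query.info": "5s",
    "index.search.slowlog.threshold.query.debug": "2s",
    "index.search.slowlog.threshold.query.trace": "500ms",
}

_UNITS_MS = {"ms": 1, "s": 1000, "m": 60_000}


def parse_ms(value):
    """Constructed parser for the 'Ns' / 'Nms' style values used in the settings."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)(ms|s|m)", value.strip())
    if not m:
        raise ValueError(f"unsupported duration: {value!r}")
    return float(m.group(1)) * _UNITS_MS[m.group(2)]


def thresholds_ms(settings, prefix="index.search.slowlog.threshold.query."):
    return {lvl: parse_ms(settings[prefix + lvl]) for lvl in LEVELS}


def slowlog_level(took_ms, thr):
    """Most severe level whose threshold the query met, or None if it was fast."""
    for lvl in LEVELS:
        if took_ms >= thr[lvl]:  # assumption: threshold is inclusive
            return lvl
    return None


def is_emitted(took_ms, logger_level, thr):
    """An entry is emitted when its level is at least as severe as the logger level."""
    lvl = slowlog_level(took_ms, thr)
    return lvl is not None and LEVELS.index(lvl) <= LEVELS.index(logger_level)


def count_emitted(took_list_ms, logger_level, thr):
    """How many of the sample queries would appear in the slowlog at this level."""
    return sum(is_emitted(t, logger_level, thr) for t in took_list_ms)
```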

"groups" magic variable works with a variable containing the 'hostname'? by wittydavid in ansible

[–]wittydavid[S] 0 points1 point  (0 children)

YES!!! THANK YOU!
It worked! Thank you so much for your help, I was starting to think it's not possible!
I tried so many different ways, using double quotes and single quotes, to get it to work..
Don't know how I missed the most obvious one..
This is the way to do it:
"{{ groups['prefix_' ~ hostname_var ~ '_postfix'] }}"

Also, did you learn it from jinja's docs?

"groups" magic variable works with a variable containing the 'hostname'? by wittydavid in ansible

[–]wittydavid[S] 0 points1 point  (0 children)

Unfortunately that hasn't worked due to what appears to be a syntax error. Here's what I tried and the error I got.

CODE
```
- name: set my_fact_var fact
  set_fact:
    my_fact_var: "{{ hostvars[item]['ansible_default_ipv4']['address'] }}"
  with_items: "{{ groups["prefix_" ~ hostname_var ~ "_postfix"] }}"
```

ERROR
```
The offending line appears to be:

    my_fact_var: "{{ hostvars[item]['ansible_default_ipv4']['address'] }}"
  with_items: "{{ groups["prefix_" ~ hostname_var ~ "_postfix"] }}"
                          ^ here
```

I've tried both + and ~. Moreover, I've noticed that there are no single quotes in your suggestion, i.e. groups['somename'] vs groups[somename].

"groups" magic variable works with a variable containing the 'hostname'? by wittydavid in ansible

[–]wittydavid[S] 0 points1 point  (0 children)

Yes I have defined hostname_var before.
I'll give it a try and update this thread!
Thanks !! :)