I'm trying to access a remote Elasticsearch cluster from a python script. The cluster is configured with SAML using Google Auth, and I can successfully access it through my web browser with my Google id and password. I've looked at the doc for both the requests package and the Elasticsearch package and it's not clear to me that either support this type of authentication. I've tried just passing my username and password using requests but access is denied. I've also looked at the Elasticsearch SAML documentation but am not clear whether I need to be using those API calls. Would appreciate any tips from someone who's successfully done this.
Related
My company uses Okta Authentication for all corporate applications. Is there a way or a workaround to circumvent the OKTA Authentication while connecting to AWS Athena? I'm trying to automate a Python Script that connects to Athena and it requires me to Okta Verify every time after the short-lived token expires. However, Google Suite (Docs, Sheets, Drive) API's doesn't require this type of AUTH verification method and it never requests one when I connect Python to Google Suites although our Google Suite use Okta Authentication for login.
Any help or references would be much appreciated. Thank you!
Hi I want to access an application that is behind OKTA sso. I am using python requests module for accessing the application. Before Okta I was able to access the application with userid and password from my python script. But after okta the script is failing to access the application.
what modification I need in my Python script using requests module
From what I understand, there is a big chance you want to access an application using Okta issued token.
You need to reach out to the application developers to identify how to properly retrieve a token. There are lots of ways to authenticate using Okta and without more information it's gonna be hard to help you out.
Once you have all those information you should be able to use any python module providing requests authentication classes for the authentication flow that you have to use.
Disclaimer: I wrote requests-auth providing Okta authentication classes that can be used with requests (nominated in the Okta developer community award).
I'm currently able to run a local python script that calls the Google vision API using the python client library (specifically, I'm using the google-cloud-vision package). However, I'm curious about how it's authenticating. In the python script that I'm running locally I do not provide any authentication information. From reading the below posts, it seems that a common way to authenticate when running locally is to set an environment variable to the path of a .JSON key file (i.e export GOOGLE_APPLICATION_CREDENTIALS = path/to/JSON/key/file), however, I don't recall doing this and if I run printenv, I do not have an environment variable called GOOGLE_APPLICATION_CREDENTIALS.
The below posts provide great details about different ways to authenticate using the client libraries locally, but how can I see/determine exactly how my program is being authenticated? Is there a way to query for this?
"Authenticating to the Cloud Vision API"...including the "Application Default Credentials" part of the above page
"Authenticating Applications With a Client Library" section of Creating and Enabling Service Accounts for Instances
"Providing Credentials to Your Application" section of "Setting Up Authentication for Server to Server Production Capabilities" page
"Setting the Environment Variable" Section of "Getting Started With Authentication" page:
Python client libraries "Getting Started" page:
"Authenticating to a Cloud API Service"
There's 4 different ways for the request to be authenticated without creating a credentials object.
If the environment variable GOOGLE_APPLICATION_CREDENTIALS is set to the path of a valid service account JSON private key file, then it is used.
If the Google Cloud SDK is installed and has application default credentials set then it is used. Note that if you've done this step once in the past, it will stay valid. (I'm guessing that this is what you're currently using to authenticate.)
If the application is running in the App Engine Standard environment then the credentials and project ID from the App Identity Service are used. (Not applicable here but I'm listing it for completeness' sake.)
If the application is running in Compute Engine or the App Engine flexible environment then the credentials and project ID are obtained from the Metadata Service. (Not applicable here but I'm listing it as well for completeness' sake.)
If no credentials are found using the methods above, DefaultCredentialsError will be raised. Since you're not getting this error, and you don't have the environment variable from #1 set, and options #3 & #4 are not applicable, the only option that remains is number #2.
The above information can be found on the readthedocs.io page for the google-cloud Authentication page, and more specifically in the google.auth package page
You can check if you have the application default credentials set up by running this command:
gcloud auth application-default print-access-token
If this doesn't return an error but an access token, it means that #2 is set up. Don't share this token with anyone of course...
Some related information, you can check the token that was printed out with the command above here, or using the curl command below (paste the token at the end):
curl -i https://www.googleapis.com/oauth2/v1/tokeninfo?access_token=
This doesn't exactly answer your question, but by process of elimination it should be the correct one...
I am writing a Python application to download csv files through an API on an internal server, by sending GET requests. When testing the requests through Postman, I was able to use Basic Auth along with my Windows credentials to generate a token and authenticate on the server.
Now when it comes to the Python application, I obviously don't want to hard-code my Windows credentials into the app, nor do I want to use the Basic Auth token that was generated (maybe I'm wrong, but this still seems like it would not be a very secure thing to do as I believe the token is a direct hash of my credentials, not to mention when I change my credentials I would have to go and update the token as well).
What I want to know is if it is possible to automatically use the windows credentials from wherever the program is run, in order to authenticate against the server. I tried using NTLM, but unless I am misunderstanding this would still require my credentials to be coded into the app, and from my testing it looks like the server only supports basic auth and not NTLM directly.
I am very new to authentication in Python (and in general), any help would be appreciated.
I'm using OpenStack Diablo on RHEL6 with packages from GridDynamics.
Everything seems to work with the EC2 api, but when using python-novaclient, the system just allow access to any api commands regardless of the authentication provided.
See https://github.com/masom/Puck/blob/master/server/plugins/virtualization/nova.py#L42
I am not using Keystone for authentication (Waiting for essex to be released).
Why is nova blindly allowing anyone to issue api commands regardless of the authentication data provided?
Turns out /etc/nova/api-paste.ini had noauth and ec2noauth
Moving to the deprecated auth (not using keystone) by changing noauth to auth did it.