Adding custom session data to Dreamfactory JWT token

When working with Dreamfactory it might be desired and helpful to have additional claims (key/values) in the user session JWT token.

In my scenario I have custom API services / scripts which make calls to other services (DB, SOAP, external REST API). However, not all calls work with only the email from the user session but rather require certain IDs not related to Dreamfactory at all. So the services would first have to fetch the ID by email, resulting in additional API calls all the time and causing slower response times.

So I was looking for a way to store those key/values. Read on after the jump to see how I solved it.

Orchestrating Dreamfactory with docker-compose and a LoadBalancer

As a follow-up to my introductory article about Dreamfactory + Docker and Dreamfactory's article “Scaling DreamFactory with Docker” about how to manually run Dreamfactory containers in a load-balancer pool, I’m taking the chance to show you how I implemented Dreamfactory Docker containers with docker-compose as an orchestrator. (You could as well use any other like Marathon/Mesos, AWS ECS, Swarm...)

Scripting custom REST APIs with Dreamfactory

So in my last article I talked about how to get Dreamfactory running within a Docker container with immutability and horizontal scalability in mind, and being able to use it with a Docker orchestrator like Mesos, Marathon, AWS ECS etc.

This time I’ll go into some details about extending it with custom logic / API endpoints, as you certainly don't want to let API users access all of the auto-generated API endpoints, either for security reasons or because they simply lack logic.
Dreamfactory has a good role-based ACL which works just fine for several service types (e.g. MySQL DBs) where you can define server-side filters (e.g. by email from their session) on a record level, which allows users to only work on records belonging to them.
However, the roles have their limits. But this is only one reason for adding custom services. You can script your own services as well as “hook” into existing (auto-generated) services pre/post-process.

Using Dreamfactory 2.x as REST API with Docker

For a new project I’m working on as Systems and Platform Architect, we were looking for a comparably easy and fast to implement, yet scalable and reliable way to build a RESTful API for various services we need to expose to mobile device users via iOS/Android apps as well as internal services.

Usually you have several MySQL/NoSQL databases or similar which you need to query. We even have to deal with a 3rd party SOAP service. So wrapping all this into CRUD APIs and having ACLs for user roles etc. would be quite a big story.

Fortunately there exists a great tool/framework which does a lot of work for you nearly automagically. It's called Dreamfactory.

Read on after the jump to see how Dreamfactory works and how we integrated it as BaaS into our docker-based PaaS.

Reviewing auditd logs with Spacewalk

One feature of Spacewalk is the ability to review auditd logs. If you don't know what auditd is, here is a good introduction: http://security.blogoverflow.com/2013/01/a-brief-introduction-to-auditd/
To sum it up, you can monitor/log nearly every change on your system with it, like file access, file attribute changes, logins, service starts, user interaction etc. based on rules.
As you can imagine, this produces a tremendous amount of logs. For effectively reading them, we need some assistance. For instance: Spacewalk.

Spacewalk Errata integration for Slack

We are using Slack at our company and we have an #emergency room for collaboration during critical situations. I thought it would be nice to have Spacewalk Errata information posted there in addition to the emails Spacewalk sends us.

So I made a small Python script which can be run as a cron job and collects all relevant security Errata affecting at least one system. It then posts those to a Slack channel or group.

Spacewalk 2.3 tested to work with Ubuntu / Debian clients

As announced on the Spacewalk mailing list, Spacewalk 2.3 is going to be released soon and is in QA/QE now.

I took this as a reason for testing Ubuntu / Debian integration with Spacewalk 2.3 from the nightly repo. As it turns out, everything is working well, namely:

  • Creation of Debian Channels
  • Pushing / Syncing .deb packages to Spacewalk
  • Registering Ubuntu systems
  • Importing Ubuntu Errata (I updated the errata-import.pl script slightly to make it work)
  • OSAD
  • Package management
  • Remote Command Execution

Refer to my other articles around Spacewalk about how to set all this up.

GPG signing APT repository in Spacewalk

After following my article on how to register Ubuntu and Debian clients with Spacewalk you might have noticed an APT warning:

WARNING: The following packages cannot be authenticated.

This happens because the APT repositories in Spacewalk are not GPG signed. You can still install the packages but have to acknowledge it by entering “yes”.

For various reasons it would be better to have the repository signed. Read on after the jump to see how I got that working.

Testing Chef cookbooks on travis-ci / drone.io with chef-zero

If you are using your own Chef cookbooks you certainly have some sort of tests for them, likely running test-kitchen with the docker or vagrant driver. That setup works perfectly fine locally or on a self-hosted Jenkins server. However, building them on public CI platforms like travis-ci or drone.io is not possible like that. Because of their virtualization technology, we can't use test-kitchen with the docker or vagrant driver there.

What people usually do to solve this: use a cloud driver like EC2, Cloudstack, Rackspace so travis-ci will spin up a VM there. However, I found this very clunky. This requires additional accounts and costs with a cloud provider.

So what I did is mimicking how the chef-zero provisioner for test-kitchen works, as seen here: https://github.com/test-kitchen/test-kitchen/blob/master/lib/kitchen/provisioner/chef_zero.rb
It basically boils down to installing Chef, copying all dependency cookbooks in place along with some configs and then running chef-client with chef-zero.

Spacewalk Remote Command Execution with Ubuntu / Debian clients

In my last article I’ve shown you how to get OSAD working for Ubuntu clients, which comes in handy for my new article about remote command execution. With the help of OSAD the commands will be executed immediately and you don't need to wait for clients to check in and pick them up.

Read on after the jump…
