karaf-dev mailing list archives

From Jean-Baptiste Onofré ...@nanthrax.net>
Subject Re: Role based security for Karaf JMX access
Date Wed, 07 Aug 2013 22:06:13 GMT
Hi David,

thanks for the update, it sounds good to me!!

How can I help on that?
Maybe we can explore some options to leverage other projects (like 
Apache Syncope for instance).

Regards
JB

On 08/07/2013 05:11 PM, David Bosschaert wrote:
> Hi JB,
>
> On 7 August 2013 15:33, Jean-Baptiste Onofré <jb@nanthrax.net> wrote:
>
>> Hi,
>>
>> It sounds good. But currently, with our JAAS implementation, we have users
>> and roles (not groups, even if roles can look like groups).
>
>
>
>> A user can have multiple roles. For instance, in the default
>> users.properties we have:
>>
>> user=password,role1,role2,role3,...
>>
>
> Right, and I'm proposing to extend that to include groups. So a user can
> have roles directly, or be part of a group. This group can then also have
> roles. When that user logs in he gets the union of all the roles associated
> with all of the groups (s)he is in and the roles directly associated with
> this user.
>
> This makes it more manageable to define ACLs in terms of roles and also
> have high-privilege groups such as an AdminGroup that have many roles.
>
> You can see how I propose to add groups to the mix here:
> https://github.com/bosschaert/karaf/commit/6598f088c53aa5bce217cdc2e066a96f8f3d5d37
>
>
>> We don't use the roles currently (in the shell, etc).
>>
>> The first step that I proposed is to "secure" some commands and shell
>> scope depending on a role, and provide a generic service that other
>> applications can use.
>
>
> Right - this email trail was to kick off securing the JMX management API.
> I'm hoping to look at securing the shell commands soon ;)
>
> As I think the general feeling on this mailing list is supportive of my
> proposed contribution, I've created two JIRAs for this:
>
> Add support for JAAS groups:
> https://issues.apache.org/jira/browse/KARAF-2434
> Add Role-based access to JMX:
> https://issues.apache.org/jira/browse/KARAF-2435
>
> Is there already a JIRA for adding role-based security to the console? If not
> I can add one...
>
> Cheers,
>
> David
>

-- 
Jean-Baptiste Onofré
jbonofre@apache.org
http://blog.nanthrax.net
Talend - http://www.talend.com
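
The role resolution David describes in the quoted text (a user's effective roles are the union of the roles listed directly on the user and the roles of every group the user is in), as an added example that is not part of the original message or of the Karaf code base. The `_g_:` group marker, the class and method names, and the sample entries are assumptions made for illustration; the thread itself does not specify a syntax for groups.

```java
import java.util.*;

public class GroupRoleResolution {
    // Assumed marker for group references and group entries (not specified in the thread).
    static final String GROUP_PREFIX = "_g_:";

    // Constructed sample in the users.properties style quoted above: name=password,role1,...
    static final Map<String, String> ENTRIES = Map.of(
        "alice", "secret1,viewer," + GROUP_PREFIX + "AdminGroup",
        "bob", "secret2,viewer",
        GROUP_PREFIX + "AdminGroup", "group,admin,manager");

    /** Union of the roles on the user entry and the roles of every group it names. */
    static Set<String> effectiveRoles(String user) {
        String entry = ENTRIES.get(user);
        if (entry == null || user.startsWith(GROUP_PREFIX)) {
            return Set.of(); // unknown principal, or a group entry used as a login name
        }
        Set<String> roles = new TreeSet<>();
        String[] fields = entry.split(",");
        for (int i = 1; i < fields.length; i++) { // field 0 is the password
            String field = fields[i].trim();
            if (field.startsWith(GROUP_PREFIX)) {
                String groupEntry = ENTRIES.get(field);
                if (groupEntry == null) {
                    continue; // a dangling group reference grants nothing
                }
                String[] groupFields = groupEntry.split(",");
                for (int j = 1; j < groupFields.length; j++) { // field 0 is a placeholder
                    String role = groupFields[j].trim();
                    if (!role.isEmpty() && !role.startsWith(GROUP_PREFIX)) {
                        roles.add(role); // nested groups are deliberately not followed
                    }
                }
            } else if (!field.isEmpty()) {
                roles.add(field);
            }
        }
        return roles;
    }

    public static void main(String[] args) {
        System.out.println("alice -> " + effectiveRoles("alice"));
        System.out.println("bob   -> " + effectiveRoles("bob"));
        // An ACL is expressed in terms of a role, never a user or group name.
        System.out.println("bob may call an admin-only operation: "
            + effectiveRoles("bob").contains("admin"));
    }
}
```

Because access decisions look only at the resolved role set, reviewing who can reach an admin-only operation means auditing both the user entries and the membership of every group that carries that role.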
