karaf-dev mailing list archives
From David Bosschaert <david.bosscha...@gmail.com>
Subject Re: Role based security for Karaf JMX access
Date Wed, 07 Aug 2013 15:11:54 GMT
Hi JB,

On 7 August 2013 15:33, Jean-Baptiste Onofré <jb@nanthrax.net> wrote:

> Hi,
>
> It sounds good. But currently, with our JAAS implementation, we have users
> and roles (not groups, even if roles can look like groups).



> A user can have multiple roles. For instance, in the default
> users.properties we have:
>
> user=password,role1,role2,role3,...
>

Right, and I'm proposing to extend that to include groups. So a user can
have roles directly, or be part of a group. This group can then also have
roles. When that user logs in he gets the union of all the roles associated
with all of the groups (s)he is in and the roles directly associated with
this user.

This makes it more manageable to define ACLs in terms of roles and also
have high-privilege groups such as an AdminGroup that have many roles.

You can see how I propose to add groups to the mix here:
https://github.com/bosschaert/karaf/commit/6598f088c53aa5bce217cdc2e066a96f8f3d5d37


> We don't use the roles currently (in the shell, etc).
>
> The first step that I proposed is to "secure" some commands and shell
> scope depending on a role, and provide a generic service that other
> applications can use.


Right - this email trail was to kick off securing the JMX management API.
I'm hoping to look at securing the shell commands soon ;)

As I think the general feeling on this mailing list is supportive of my
proposed contribution, I've created two JIRAs for this:

Add support for JAAS groups:
https://issues.apache.org/jira/browse/KARAF-2434
Add Role-based access to JMX:
https://issues.apache.org/jira/browse/KARAF-2435

Is there already a JIRA for adding role-based security to the console? If not
I can add one...

Cheers,

David
