Posted to user@karaf.apache.org by Mansour Al Akeel <ma...@gmail.com> on 2013/11/12 05:28:46 UTC

Role Based Security

I am trying to understand how to get role based security to work. As I
was searching, I found this thread and the implementation

http://karaf.922171.n3.nabble.com/Some-thoughts-around-adding-security-for-Karaf-Shell-Commands-td4029474.html

https://issues.apache.org/jira/browse/KARAF-2455

Which (fortunately) has been merged into the trunk.

Still, I can not find documentation or a complete example on how to
secure a service using annotation like @RolesAllowed or @RunAs .. etc.



Thank you.

Re: Role Based Security

Posted by Mansour Al Akeel <ma...@gmail.com>.
Thank you all for all the support.
David, your work is highly appreciated.

I agree with you to some extent. Having the roles in a central
location, can be convenient in some cases. However, I look at bundles
as a stand alone component with all its configuration contained in it.

I understand that annotations pollute the object model, and here we
may find XML configuration is a better alternative. However, let's
say I am writing an accounting component. This component has a service
"showEmployeeSalary", and this service should not be run by anyone but
a user with "ROLE_ACCOUNTING_MANAGER". Having to reach the *.cfg file
to include this information is not as convenient as doing it inside
the bundle (annotation or XML).

So it might be good to support annotations and xml.

On the other hand, adding annotations and xml duplicates the
functionality offered by OpenEJB (please correct me here if I am
wrong). I am not sure at this point of the better option, supporting
security annotations or using OpenEJB !

Can anyone kindly advise me about the difference if annotation
support was added to Karaf compared to OpenEJB?


Thank you.




On Tue, Nov 12, 2013 at 4:08 AM, David Bosschaert
<da...@gmail.com> wrote:
> I wrote a blog article about how RBAC for OSGi services in Karaf can
> be used: http://coderthoughts.blogspot.com/2013/10/role-based-access-control-for-karaf.html
>
> Currently all the roles are specified using Config Admin, i.e. via
> .cfg files in the etc directory.
> On the annotation support, I know that some really like that idea, but
> personally I'm not a big fan of specifying roles via annotations. Let
> me explain why.
> As a system administrator you might want to do one or both of the following:
>  1. You want to get a complete picture of all the available roles in
> the system and what they are allowed to do.
>  2. You may want to change roles associated with certain operations,
> because the Karaf defaults don't work for you.
> Currently you can do 1. relatively easily as all the information is
> kept in the relevant .cfg files in the etc directory. If this
> information was also specifiable as an annotation it becomes much
> harder to get the complete picture of all the roles available and what
> roles services need. You will need to either look at the source code
> for the services or maybe even the bytecode. Additionally, this
> information would become very much spread out. It would become hard to
> know when you have all the information on all the services.
> With the pure .cfg file based ACLs you can also easily do 2. Sysadmins
> can completely change the roles and ACLs to suit their needs. With
> annotation-based role definitions you would have to change the source
> code of the annotations...
>
> Maybe it's all just a matter of taste, but I just wanted to share why
> I didn't support this in my initial version.
>
> Cheers,
>
> David
>
> On 12 November 2013 07:58, Jean-Baptiste Onofré <jb...@nanthrax.net> wrote:
>> It was planned by David. But the purpose, as you said, is to avoid changing
>> anything: intercept the current service (the commands are services).
>>
>> Regards
>> JB
>>
>>
>> On 11/12/2013 08:41 AM, Christian Schneider wrote:
>>>
>>> The role based security currently does not support annotations as far as
>>> I know. It should be possible to extend the mechanism in this way.
>>> I added an issue to track this:
>>> https://issues.apache.org/jira/browse/KARAF-2570
>>>
>>> Btw. the current implementation has the advantage that you can protect
>>> services without changing them.
>>>
>>> Christian
>>>
>>> Am 12.11.2013 05:28, schrieb Mansour Al Akeel:
>>>>
>>>> I am trying to understand how to get role based security to work. As I
>>>> was searching, I found this thread and the implementation
>>>>
>>>>
>>>> http://karaf.922171.n3.nabble.com/Some-thoughts-around-adding-security-for-Karaf-Shell-Commands-td4029474.html
>>>>
>>>>
>>>> https://issues.apache.org/jira/browse/KARAF-2455
>>>>
>>>> Which (fortunately) has been merged into the trunk.
>>>>
>>>> Still, I can not find documentation or a complete example on how to
>>>> secure a service using annotation like @RolesAllowed or @RunAs .. etc.
>>>>
>>>>
>>>>
>>>> Thank you.
>>>
>>>
>>>
>>
>> --
>> Jean-Baptiste Onofré
>> jbonofre@apache.org
>> http://blog.nanthrax.net
>> Talend - http://www.talend.com
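As an added example (not code from this thread or from Karaf itself), this is the interception approach Christian and JB describe, applied to the showEmployeeSalary case above: a dynamic proxy guards an unmodified service using method-to-role rules read from .cfg-style properties, so the ACL stays in configuration rather than in annotations. The AccountingService interface, the ServiceGuard class, the salary value and the caller roles are hypothetical, and the service.guard key is only assumed to mirror the filter key of a Karaf ACL file.

```java
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.Method;
import java.lang.reflect.Proxy;
import java.util.*;

// Hypothetical service from the thread; its implementation carries no security code.
interface AccountingService { int showEmployeeSalary(String employeeId); }
class AccountingServiceImpl implements AccountingService {
    public int showEmployeeSalary(String employeeId) { return 4200; } // constructed sample value
}

// Wraps a service in a dynamic proxy and checks the caller's roles against
// "method = role, role" rules read from a .cfg-style Properties object, which
// stands in for Config Admin here. The service class itself is never touched.
final class ServiceGuard implements InvocationHandler {
    private final Object target;
    private final Set<String> callerRoles;
    private final Map<String, Set<String>> acl = new HashMap<>();

    ServiceGuard(Object target, Properties cfg, Set<String> callerRoles) {
        this.target = target;
        this.callerRoles = callerRoles;
        for (String method : cfg.stringPropertyNames()) {
            if (method.equals("service.guard")) continue; // service filter, not a method rule
            acl.put(method, new HashSet<>(Arrays.asList(cfg.getProperty(method).split("\\s*,\\s*"))));
        }
    }

    static <T> T protect(Class<T> iface, T target, Properties cfg, Set<String> callerRoles) {
        return iface.cast(Proxy.newProxyInstance(iface.getClassLoader(), new Class<?>[] {iface},
                new ServiceGuard(target, cfg, callerRoles)));
    }

    public Object invoke(Object proxy, Method m, Object[] args) throws Throwable {
        Set<String> allowed = acl.get(m.getName());
        // Default-deny in this example: a method without a rule is not callable through the guard.
        if (allowed == null || Collections.disjoint(allowed, callerRoles)) {
            throw new SecurityException(m.getName() + " requires one of " + allowed);
        }
        return m.invoke(target, args);
    }
}

public class GuardDemo {
    public static void main(String[] args) {
        Properties cfg = new Properties(); // same key/value pairs an etc/*.cfg file would carry
        cfg.setProperty("service.guard", "(objectClass=AccountingService)");
        cfg.setProperty("showEmployeeSalary", "ROLE_ACCOUNTING_MANAGER");
        AccountingService impl = new AccountingServiceImpl();
        AccountingService manager = ServiceGuard.protect(AccountingService.class, impl, cfg, Set.of("ROLE_ACCOUNTING_MANAGER"));
        AccountingService clerk = ServiceGuard.protect(AccountingService.class, impl, cfg, Set.of("ROLE_CLERK"));
        System.out.println(manager.showEmployeeSalary("e42"));
        try { clerk.showEmployeeSalary("e42"); } catch (SecurityException e) { System.out.println("denied: " + e.getMessage()); }
    }
}
```

Changing who may call showEmployeeSalary means editing the properties, not recompiling the bundle, which is the administrator-side argument David makes for keeping roles in etc/*.cfg.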

Re: Role Based Security

Posted by David Bosschaert <da...@gmail.com>.
I wrote a blog article about how RBAC for OSGi services in Karaf can
be used: http://coderthoughts.blogspot.com/2013/10/role-based-access-control-for-karaf.html

Currently all the roles are specified using Config Admin, i.e. via
.cfg files in the etc directory.
On the annotation support, I know that some really like that idea, but
personally I'm not a big fan of specifying roles via annotations. Let
me explain why.
As a system administrator you might want to do one or both of the following:
 1. You want to get a complete picture of all the available roles in
the system and what they are allowed to do.
 2. You may want to change roles associated with certain operations,
because the Karaf defaults don't work for you.
Currently you can do 1. relatively easily as all the information is
kept in the relevant .cfg files in the etc directory. If this
information was also specifiable as an annotation it becomes much
harder to get the complete picture of all the roles available and what
roles services need. You will need to either look at the source code
for the services or maybe even the bytecode. Additionally, this
information would become very much spread out. It would become hard to
know when you have all the information on all the services.
With the pure .cfg file based ACLs you can also easily do 2. Sysadmins
can completely change the roles and ACLs to suit their needs. With
annotation-based role definitions you would have to change the source
code of the annotations...

Maybe it's all just a matter of taste, but I just wanted to share why
I didn't support this in my initial version.

Cheers,

David

On 12 November 2013 07:58, Jean-Baptiste Onofré <jb...@nanthrax.net> wrote:
> It was planned by David. But the purpose, as you said, is to avoid changing
> anything: intercept the current service (the commands are services).
>
> Regards
> JB
>
>
> On 11/12/2013 08:41 AM, Christian Schneider wrote:
>>
>> The role based security currently does not support annotations as far as
>> I know. It should be possible to extend the mechanism in this way.
>> I added an issue to track this:
>> https://issues.apache.org/jira/browse/KARAF-2570
>>
>> Btw. the current implementation has the advantage that you can protect
>> services without changing them.
>>
>> Christian
>>
>> Am 12.11.2013 05:28, schrieb Mansour Al Akeel:
>>>
>>> I am trying to understand how to get role based security to work. As I
>>> was searching, I found this thread and the implementation
>>>
>>>
>>> http://karaf.922171.n3.nabble.com/Some-thoughts-around-adding-security-for-Karaf-Shell-Commands-td4029474.html
>>>
>>>
>>> https://issues.apache.org/jira/browse/KARAF-2455
>>>
>>> Which (fortunately) has been merged into the trunk.
>>>
>>> Still, I can not find documentation or a complete example on how to
>>> secure a service using annotation like @RolesAllowed or @RunAs .. etc.
>>>
>>>
>>>
>>> Thank you.
>>
>>
>>
>
> --
> Jean-Baptiste Onofré
> jbonofre@apache.org
> http://blog.nanthrax.net
> Talend - http://www.talend.com

Re: Role Based Security

Posted by Jean-Baptiste Onofré <jb...@nanthrax.net>.
It was planned by David. But the purpose, as you said, is to avoid
changing anything: intercept the current service (the commands are services).

Regards
JB

On 11/12/2013 08:41 AM, Christian Schneider wrote:
> The role based security currently does not support annotations as far as
> I know. It should be possible to extend the mechanism in this way.
> I added an issue to track this:
> https://issues.apache.org/jira/browse/KARAF-2570
>
> Btw. the current implementation has the advantage that you can protect
> services without changing them.
>
> Christian
>
> Am 12.11.2013 05:28, schrieb Mansour Al Akeel:
>> I am trying to understand how to get role based security to work. As I
>> was searching, I found this thread and the implementation
>>
>> http://karaf.922171.n3.nabble.com/Some-thoughts-around-adding-security-for-Karaf-Shell-Commands-td4029474.html
>>
>>
>> https://issues.apache.org/jira/browse/KARAF-2455
>>
>> Which (fortunately) has been merged into the trunk.
>>
>> Still, I can not find documentation or a complete example on how to
>> secure a service using annotation like @RolesAllowed or @RunAs .. etc.
>>
>>
>>
>> Thank you.
>
>

-- 
Jean-Baptiste Onofré
jbonofre@apache.org
http://blog.nanthrax.net
Talend - http://www.talend.com

Re: Role Based Security

Posted by Christian Schneider <ch...@die-schneider.net>.
The role based security currently does not support annotations as far as 
I know. It should be possible to extend the mechanism in this way.
I added an issue to track this:
https://issues.apache.org/jira/browse/KARAF-2570

Btw. the current implementation has the advantage that you can protect 
services without changing them.

Christian

Am 12.11.2013 05:28, schrieb Mansour Al Akeel:
> I am trying to understand how to get role based security to work. As I
> was searching, I found this thread and the implementation
>
> http://karaf.922171.n3.nabble.com/Some-thoughts-around-adding-security-for-Karaf-Shell-Commands-td4029474.html
>
> https://issues.apache.org/jira/browse/KARAF-2455
>
> Which (fortunately) has been merged into the trunk.
>
> Still, I can not find documentation or a complete example on how to
> secure a service using annotation like @RolesAllowed or @RunAs .. etc.
>
>
>
> Thank you.


-- 
  
Christian Schneider
http://www.liquid-reality.de

Open Source Architect
Talend Application Integration Division http://www.talend.com


Re: Role Based Security

Posted by Jean-Baptiste Onofré <jb...@nanthrax.net>.
Hi Mansour,

I'm working on updating the documentation for Karaf 3.0.0 release.

It should be done by tomorrow.

Regards
JB

On 11/12/2013 05:28 AM, Mansour Al Akeel wrote:
> I am trying to understand how to get role based security to work. As I
> was searching, I found this thread and the implementation
>
> http://karaf.922171.n3.nabble.com/Some-thoughts-around-adding-security-for-Karaf-Shell-Commands-td4029474.html
>
> https://issues.apache.org/jira/browse/KARAF-2455
>
> Which (fortunately) has been merged into the trunk.
>
> Still, I can not find documentation or a complete example on how to
> secure a service using annotation like @RolesAllowed or @RunAs .. etc.
>
>
>
> Thank you.
>

-- 
Jean-Baptiste Onofré
jbonofre@apache.org
http://blog.nanthrax.net
Talend - http://www.talend.com