Posted to dev@karaf.apache.org by da...@apache.org on 2013/10/03 12:42:43 UTC

Re: Role based security for Karaf JMX access

Hi all,

A quick update on this. JB has just merged my patches for KARAF-2434
and KARAF-2435 (thanks JB!) so this stuff is now available on trunk.

I wrote a little blog post about how it works here:
http://coderthoughts.blogspot.com/2013/10/jmx-role-based-access-control-for-karaf.html

Cheers,

David

On 7 August 2013 23:06, Jean-Baptiste Onofré <jb...@nanthrax.net> wrote:
> Hi David,
>
> Thanks for the update, it sounds good to me!!
>
> How can I help on that?
> Maybe we can explore some options to leverage other projects (like Apache
> Syncope for instance).
>
> Regards
> JB
>
>
> On 08/07/2013 05:11 PM, David Bosschaert wrote:
>>
>> Hi JB,
>>
>> On 7 August 2013 15:33, Jean-Baptiste Onofré <jb...@nanthrax.net> wrote:
>>
>>> Hi,
>>>
>>> It sounds good. But currently, with our JAAS implementation, we have users
>>> and roles (not groups, even if roles can look like groups).
>>>
>>> A user can have multiple roles. For instance, in the default
>>> users.properties we have:
>>>
>>> user=password,role1,role2,role3,...
>>>
>>
>> Right, and I'm proposing to extend that to include groups. So a user can
>> have roles directly, or be part of a group. This group can then also have
>> roles. When that user logs in he gets the union of all the roles associated
>> with all of the groups (s)he is in and the roles directly associated with
>> this user.
>>
>> This makes it more manageable to define ACLs in terms of roles and also
>> have high-privilege groups such as an AdminGroup that have many roles.
>>
>> You can see how I propose to add groups to the mix here:
>>
>> https://github.com/bosschaert/karaf/commit/6598f088c53aa5bce217cdc2e066a96f8f3d5d37
>>
>>
>>> We don't use the roles currently (in the shell, etc).
>>>
>>> The first step that I proposed is to "secure" some commands and shell
>>> scope depending on a role, and provide a generic service that other
>>> applications can use.
>>
>>
>>
>> Right - this email trail was to kick off securing the JMX management API.
>> I'm hoping to look at securing the shell commands soon ;)
>>
>> As I think the general feeling on this mailing list is supportive of my
>> proposed contribution, I've created two JIRAs for this:
>>
>> Add support for JAAS groups:
>> https://issues.apache.org/jira/browse/KARAF-2434
>> Add Role-based access to JMX:
>> https://issues.apache.org/jira/browse/KARAF-2435
>>
>> Is there already a JIRA for adding role-based security to the console? If not
>> I can add one...
>>
>> Cheers,
>>
>> David
>>
>
> --
> Jean-Baptiste Onofré
> jbonofre@apache.org
> http://blog.nanthrax.net
> Talend - http://www.talend.com