Posted to commits@karaf.apache.org by ff...@apache.org on 2014/05/07 06:49:40 UTC

git commit: [KARAF-2934]Role-based security for Shell/Console commands - backport to 2.x branch-more changes for the shell command acl files

Repository: karaf
Updated Branches:
  refs/heads/karaf-2.x 25e5df29f -> 1bcd032e8


[KARAF-2934]Role-based security for Shell/Console commands - backport to 2.x branch-more changes for the shell command acl files


Project: http://git-wip-us.apache.org/repos/asf/karaf/repo
Commit: http://git-wip-us.apache.org/repos/asf/karaf/commit/1bcd032e
Tree: http://git-wip-us.apache.org/repos/asf/karaf/tree/1bcd032e
Diff: http://git-wip-us.apache.org/repos/asf/karaf/diff/1bcd032e

Branch: refs/heads/karaf-2.x
Commit: 1bcd032e84c38b94baa36cffa3e1847d849ed0eb
Parents: 25e5df2
Author: Freeman Fang <fr...@gmail.com>
Authored: Wed May 7 12:49:24 2014 +0800
Committer: Freeman Fang <fr...@gmail.com>
Committed: Wed May 7 12:49:24 2014 +0800

----------------------------------------------------------------------
 .../etc/org.apache.karaf.command.acl.config.cfg | 28 +++++++--------
 .../org.apache.karaf.command.acl.features.cfg   |  2 +-
 .../etc/org.apache.karaf.command.acl.jaas.cfg   |  2 +-
 .../etc/org.apache.karaf.command.acl.osgi.cfg   | 36 ++++++++++++++++----
 .../etc/org.apache.karaf.command.acl.shell.cfg  |  2 +-
 .../apache/karaf/itests/SshCommandTestBase.java |  3 +-
 6 files changed, 48 insertions(+), 25 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/karaf/blob/1bcd032e/assemblies/apache-karaf/src/main/distribution/text/etc/org.apache.karaf.command.acl.config.cfg
----------------------------------------------------------------------
diff --git a/assemblies/apache-karaf/src/main/distribution/text/etc/org.apache.karaf.command.acl.config.cfg b/assemblies/apache-karaf/src/main/distribution/text/etc/org.apache.karaf.command.acl.config.cfg
index e9a5be2..69a4705 100644
--- a/assemblies/apache-karaf/src/main/distribution/text/etc/org.apache.karaf.command.acl.config.cfg
+++ b/assemblies/apache-karaf/src/main/distribution/text/etc/org.apache.karaf.command.acl.config.cfg
@@ -21,7 +21,7 @@
 # This configuration file defines the ACLs for various commands in the config subshell
 # 
 # For an explanation of the syntax of this file, see the file:
-#   org.apache.karaf.command.acl.system.cfg
+#   org.apache.karaf.command.acl.osgi.cfg
 #
 
 cancel = manager
@@ -30,16 +30,16 @@ edit = manager
 edit[/.*jmx[.]acl.*/] = admin
 edit[/.*org[.]apache[.]karaf[.]command[.]acl[.].+/] = admin
 edit[/.*org[.]apache[.]karaf[.]service[.]acl[.].+/] = admin
-property-append = manager
-property-append[/.*jmx[.]acl.*/] = admin
-property-append[/.*org[.]apache[.]karaf[.]command[.]acl[.].+/] = admin
-property-append[/.*org[.]apache[.]karaf[.]service[.]acl[.].+/] = admin
-property-delete = manager
-property-delete[/.*jmx[.]acl.*/] = admin
-property-delete[/.*org[.]apache[.]karaf[.]command[.]acl[.].+/] = admin
-property-delete[/.*org[.]apache[.]karaf[.]service[.]acl[.].+/] = admin
-property-set = manager
-property-set[/.*jmx[.]acl.*/] = admin
-property-set[/.*org[.]apache[.]karaf[.]command[.]acl[.].+/] = admin
-property-set[/.*org[.]apache[.]karaf[.]service[.]acl[.].+/] = admin
-update = manager
\ No newline at end of file
+propappend = manager
+propappend[/.*jmx[.]acl.*/] = admin
+propappend[/.*org[.]apache[.]karaf[.]command[.]acl[.].+/] = admin
+propappend[/.*org[.]apache[.]karaf[.]service[.]acl[.].+/] = admin
+propdel = manager
+propdel[/.*jmx[.]acl.*/] = admin
+propdel[/.*org[.]apache[.]karaf[.]command[.]acl[.].+/] = admin
+propdel[/.*org[.]apache[.]karaf[.]service[.]acl[.].+/] = admin
+propset = manager
+propset[/.*jmx[.]acl.*/] = admin
+propset[/.*org[.]apache[.]karaf[.]command[.]acl[.].+/] = admin
+propset[/.*org[.]apache[.]karaf[.]service[.]acl[.].+/] = admin
+update = manager
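Review bot: Nothing in this commit exercises the renamed `propappend`, `propdel` and `propset` keys, so a key that does not match a registered command name would go unnoticed. According to the syntax notes this commit adds to org.apache.karaf.command.acl.osgi.cfg, a command with no matching entry can be invoked by any user, which is presumably the state the old `property-*` keys left these commands in on the 2.x branch. I would add an itest that runs `config:propset`, `config:propappend` and `config:propdel` as a user without the manager role and expects "Insufficient credentials". A second case should target a PID matching `org.apache.karaf.command.acl.*` as a manager and expect the same refusal.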

http://git-wip-us.apache.org/repos/asf/karaf/blob/1bcd032e/assemblies/apache-karaf/src/main/distribution/text/etc/org.apache.karaf.command.acl.features.cfg
----------------------------------------------------------------------
diff --git a/assemblies/apache-karaf/src/main/distribution/text/etc/org.apache.karaf.command.acl.features.cfg b/assemblies/apache-karaf/src/main/distribution/text/etc/org.apache.karaf.command.acl.features.cfg
index fd41ab9..175fdf9 100644
--- a/assemblies/apache-karaf/src/main/distribution/text/etc/org.apache.karaf.command.acl.features.cfg
+++ b/assemblies/apache-karaf/src/main/distribution/text/etc/org.apache.karaf.command.acl.features.cfg
@@ -21,7 +21,7 @@
 # This configuration file defines the ACLs for commands in the kar subshell
 # 
 # For an explanation of the syntax of this file, see the file:
-#   org.apache.karaf.command.acl.system.cfg
+#   org.apache.karaf.command.acl.osgi.cfg
 #
 install = admin
 uninstall = admin

http://git-wip-us.apache.org/repos/asf/karaf/blob/1bcd032e/assemblies/apache-karaf/src/main/distribution/text/etc/org.apache.karaf.command.acl.jaas.cfg
----------------------------------------------------------------------
diff --git a/assemblies/apache-karaf/src/main/distribution/text/etc/org.apache.karaf.command.acl.jaas.cfg b/assemblies/apache-karaf/src/main/distribution/text/etc/org.apache.karaf.command.acl.jaas.cfg
index 0c0644b..5713dea 100644
--- a/assemblies/apache-karaf/src/main/distribution/text/etc/org.apache.karaf.command.acl.jaas.cfg
+++ b/assemblies/apache-karaf/src/main/distribution/text/etc/org.apache.karaf.command.acl.jaas.cfg
@@ -21,7 +21,7 @@
 # This configuration file defines the ACLs for commands in the jaas subshell
 # 
 # For an explanation of the syntax of this file, see the file:
-#   org.apache.karaf.command.acl.system.cfg
+#   org.apache.karaf.command.acl.osgi.cfg
 #
 # Jaas commands commands have no effect until update is called.
 update = admin

http://git-wip-us.apache.org/repos/asf/karaf/blob/1bcd032e/assemblies/apache-karaf/src/main/distribution/text/etc/org.apache.karaf.command.acl.osgi.cfg
----------------------------------------------------------------------
diff --git a/assemblies/apache-karaf/src/main/distribution/text/etc/org.apache.karaf.command.acl.osgi.cfg b/assemblies/apache-karaf/src/main/distribution/text/etc/org.apache.karaf.command.acl.osgi.cfg
index d50320e..0d03627 100644
--- a/assemblies/apache-karaf/src/main/distribution/text/etc/org.apache.karaf.command.acl.osgi.cfg
+++ b/assemblies/apache-karaf/src/main/distribution/text/etc/org.apache.karaf.command.acl.osgi.cfg
@@ -16,18 +16,40 @@
 #    limitations under the License.
 #
 ################################################################################
-
 #
-# This configuration file defines the ACLs for commands in the bundle subshell
-# 
-# For an explanation of the syntax of this file, see the file:
-#   org.apache.karaf.command.acl.system.cfg
+# This configuration file defines the ACLs for commands in the osgi subshell
 #
 # This configuration relies on the fact that 'system' bundles need to be managed
-# with the 
-#   -f (--force) 
+# with the
+#   -f (--force)
 # flag. Operations with -f need admin permission. Most of these operations without
 # the 'force' option can be done by a manager.
+
+# The format of this file is as follows:
+# The name of the file corresponds to a Configuration Admin PID. This file is for PID:
+#    org.apache.karaf.command.acl.osgi
+# The prefix org.apache.karaf.command.acl. determines that this file defines ACLs for karaf
+# commands. The last word on the PID declares the scope that it applies to, i.e. this file
+# is for the 'system' scope.
+# Entries in this file map to commands within the defined scope. The simplest role definition
+# has the form:
+#   command = role1, role2, role3
+# Specific roles can also be declared for certain arguments to the command. This is done using
+# regular expression matching.
+# All the arguments to the command are represented as a list using the following syntax:
+#   [arg1,arg2,arg3]
+# The matching is done after converting this list into a string. So the line
+#   start-level[/.*[0-9][0-9][0-9]+.*/] = manager
+# declares that a manager role is needed to set a start level with 3 digits or more. The .*
+# wildcards at the beginning and end are used to match the '[' and ']' characters surrounding.
+# When looking for a match the regular-expression based ACLs are always checked first. If any
+# of them match the associated roles are used.
+#
+# If no match can be found based on reg-exp ACLs, a match is looked for based purely on the
+# command name.
+#
+# If no command-name match can be found it is assumed that the command does not need a specific
+# role and can therefore be invoked by any user.
 install = admin
 refresh[/.*[-][f].*/] = admin
 refresh = manager
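Review bot: The added syntax description ends with "this file is for the 'system' scope", but the PID it names a few lines earlier is org.apache.karaf.command.acl.osgi, so the sentence should read `# is for the 'osgi' scope.`; the wording looks carried over from the system.cfg text it replaces. The slip matters more than usual because the four other ACL files in this commit now point here for the syntax explanation. The closing paragraph states that a command with no entry can be invoked by any user. I would add one line telling operators that any command later added to this scope needs an explicit entry if it is meant to be restricted.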

http://git-wip-us.apache.org/repos/asf/karaf/blob/1bcd032e/assemblies/apache-karaf/src/main/distribution/text/etc/org.apache.karaf.command.acl.shell.cfg
----------------------------------------------------------------------
diff --git a/assemblies/apache-karaf/src/main/distribution/text/etc/org.apache.karaf.command.acl.shell.cfg b/assemblies/apache-karaf/src/main/distribution/text/etc/org.apache.karaf.command.acl.shell.cfg
index 28880b6..c47f6f5 100644
--- a/assemblies/apache-karaf/src/main/distribution/text/etc/org.apache.karaf.command.acl.shell.cfg
+++ b/assemblies/apache-karaf/src/main/distribution/text/etc/org.apache.karaf.command.acl.shell.cfg
@@ -21,7 +21,7 @@
 # This configuration file defines the ACLs for commands in the shell subshell
 # 
 # For an explanation of the syntax of this file, see the file:
-#   org.apache.karaf.command.acl.system.cfg
+#   org.apache.karaf.command.acl.osgi.cfg
 #
 edit = admin
 exec = admin

http://git-wip-us.apache.org/repos/asf/karaf/blob/1bcd032e/itests/src/test/java/org/apache/karaf/itests/SshCommandTestBase.java
----------------------------------------------------------------------
diff --git a/itests/src/test/java/org/apache/karaf/itests/SshCommandTestBase.java b/itests/src/test/java/org/apache/karaf/itests/SshCommandTestBase.java
index b508451..a2004d4 100644
--- a/itests/src/test/java/org/apache/karaf/itests/SshCommandTestBase.java
+++ b/itests/src/test/java/org/apache/karaf/itests/SshCommandTestBase.java
@@ -94,7 +94,8 @@ public class SshCommandTestBase extends KarafTestSupport {
         //wait for command done;
         closeSshChannel(pipe);
         String output = new String(out.toByteArray());
-            
+        System.out.println("the output is ======> " + output + "<========");
+
         switch(result) {
         case OK:
             Assert.assertFalse("Should not contain 'Insufficient credentials' or 'Command not found': " + output,
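Review bot: The added `System.out.println("the output is ======> " + output + "<========");` is an unconditional debug dump in the shared test base, so every SSH command run by every subclass writes its full output to the build log. The assertion messages in the `switch` below already append `output` on failure, so the line can be dropped. If the trace is still wanted, it should go through the test logger at debug level rather than stdout. The enclosing method starts and ends outside this hunk, so I cannot tell whether a logger is already in scope.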