Posted to commits@karaf.apache.org by ff...@apache.org on 2014/05/07 06:49:40 UTC
git commit: [KARAF-2934]Role-based security for Shell/Console
commands - backport to 2.x branch-more changes for the shell command acl
files
Repository: karaf
Updated Branches:
refs/heads/karaf-2.x 25e5df29f -> 1bcd032e8
[KARAF-2934]Role-based security for Shell/Console commands - backport to 2.x branch-more changes for the shell command acl files
Project: http://git-wip-us.apache.org/repos/asf/karaf/repo
Commit: http://git-wip-us.apache.org/repos/asf/karaf/commit/1bcd032e
Tree: http://git-wip-us.apache.org/repos/asf/karaf/tree/1bcd032e
Diff: http://git-wip-us.apache.org/repos/asf/karaf/diff/1bcd032e
Branch: refs/heads/karaf-2.x
Commit: 1bcd032e84c38b94baa36cffa3e1847d849ed0eb
Parents: 25e5df2
Author: Freeman Fang <fr...@gmail.com>
Authored: Wed May 7 12:49:24 2014 +0800
Committer: Freeman Fang <fr...@gmail.com>
Committed: Wed May 7 12:49:24 2014 +0800
----------------------------------------------------------------------
.../etc/org.apache.karaf.command.acl.config.cfg | 28 +++++++--------
.../org.apache.karaf.command.acl.features.cfg | 2 +-
.../etc/org.apache.karaf.command.acl.jaas.cfg | 2 +-
.../etc/org.apache.karaf.command.acl.osgi.cfg | 36 ++++++++++++++++----
.../etc/org.apache.karaf.command.acl.shell.cfg | 2 +-
.../apache/karaf/itests/SshCommandTestBase.java | 3 +-
6 files changed, 48 insertions(+), 25 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/karaf/blob/1bcd032e/assemblies/apache-karaf/src/main/distribution/text/etc/org.apache.karaf.command.acl.config.cfg
----------------------------------------------------------------------
diff --git a/assemblies/apache-karaf/src/main/distribution/text/etc/org.apache.karaf.command.acl.config.cfg b/assemblies/apache-karaf/src/main/distribution/text/etc/org.apache.karaf.command.acl.config.cfg
index e9a5be2..69a4705 100644
--- a/assemblies/apache-karaf/src/main/distribution/text/etc/org.apache.karaf.command.acl.config.cfg
+++ b/assemblies/apache-karaf/src/main/distribution/text/etc/org.apache.karaf.command.acl.config.cfg
@@ -21,7 +21,7 @@
# This configuration file defines the ACLs for various commands in the config subshell
#
# For an explanation of the syntax of this file, see the file:
-# org.apache.karaf.command.acl.system.cfg
+# org.apache.karaf.command.acl.osgi.cfg
#
cancel = manager
@@ -30,16 +30,16 @@ edit = manager
edit[/.*jmx[.]acl.*/] = admin
edit[/.*org[.]apache[.]karaf[.]command[.]acl[.].+/] = admin
edit[/.*org[.]apache[.]karaf[.]service[.]acl[.].+/] = admin
-property-append = manager
-property-append[/.*jmx[.]acl.*/] = admin
-property-append[/.*org[.]apache[.]karaf[.]command[.]acl[.].+/] = admin
-property-append[/.*org[.]apache[.]karaf[.]service[.]acl[.].+/] = admin
-property-delete = manager
-property-delete[/.*jmx[.]acl.*/] = admin
-property-delete[/.*org[.]apache[.]karaf[.]command[.]acl[.].+/] = admin
-property-delete[/.*org[.]apache[.]karaf[.]service[.]acl[.].+/] = admin
-property-set = manager
-property-set[/.*jmx[.]acl.*/] = admin
-property-set[/.*org[.]apache[.]karaf[.]command[.]acl[.].+/] = admin
-property-set[/.*org[.]apache[.]karaf[.]service[.]acl[.].+/] = admin
-update = manager
\ No newline at end of file
+propappend = manager
+propappend[/.*jmx[.]acl.*/] = admin
+propappend[/.*org[.]apache[.]karaf[.]command[.]acl[.].+/] = admin
+propappend[/.*org[.]apache[.]karaf[.]service[.]acl[.].+/] = admin
+propdel = manager
+propdel[/.*jmx[.]acl.*/] = admin
+propdel[/.*org[.]apache[.]karaf[.]command[.]acl[.].+/] = admin
+propdel[/.*org[.]apache[.]karaf[.]service[.]acl[.].+/] = admin
+propset = manager
+propset[/.*jmx[.]acl.*/] = admin
+propset[/.*org[.]apache[.]karaf[.]command[.]acl[.].+/] = admin
+propset[/.*org[.]apache[.]karaf[.]service[.]acl[.].+/] = admin
+update = manager
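Review bot: Nothing in this file records that each key must match the command name registered on this branch exactly, and the syntax notes this commit adds to org.apache.karaf.command.acl.osgi.cfg state that a command with no matching entry can be invoked by any user. Read together, that suggests the old `property-append`, `property-delete` and `property-set` keys never guarded the 2.x `propappend`, `propdel` and `propset` commands, and a later rename would reopen them just as silently. I would add a comment above these entries such as `# Keys must match the 2.x command names exactly; a command with no matching key is open to every role.` If the itests do not already cover it, an assertion that a user without the manager role is refused `config:propset` would catch a future mismatch. The file's earlier entries lie outside this hunk, so I cannot tell whether the remaining config commands are listed.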
http://git-wip-us.apache.org/repos/asf/karaf/blob/1bcd032e/assemblies/apache-karaf/src/main/distribution/text/etc/org.apache.karaf.command.acl.features.cfg
----------------------------------------------------------------------
diff --git a/assemblies/apache-karaf/src/main/distribution/text/etc/org.apache.karaf.command.acl.features.cfg b/assemblies/apache-karaf/src/main/distribution/text/etc/org.apache.karaf.command.acl.features.cfg
index fd41ab9..175fdf9 100644
--- a/assemblies/apache-karaf/src/main/distribution/text/etc/org.apache.karaf.command.acl.features.cfg
+++ b/assemblies/apache-karaf/src/main/distribution/text/etc/org.apache.karaf.command.acl.features.cfg
@@ -21,7 +21,7 @@
# This configuration file defines the ACLs for commands in the kar subshell
#
# For an explanation of the syntax of this file, see the file:
-# org.apache.karaf.command.acl.system.cfg
+# org.apache.karaf.command.acl.osgi.cfg
#
install = admin
uninstall = admin
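Review bot: The header comment kept as context at the top of this hunk still says the file defines the ACLs "for commands in the kar subshell", although the file is org.apache.karaf.command.acl.features.cfg and, by the PID rule described in the osgi file, applies to the features scope. Since the commit already corrects the cross-reference two lines below, the header should be fixed too: `# This configuration file defines the ACLs for commands in the features subshell`. A wrong scope name in an ACL file makes it easy to tighten permissions in the wrong place.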
http://git-wip-us.apache.org/repos/asf/karaf/blob/1bcd032e/assemblies/apache-karaf/src/main/distribution/text/etc/org.apache.karaf.command.acl.jaas.cfg
----------------------------------------------------------------------
diff --git a/assemblies/apache-karaf/src/main/distribution/text/etc/org.apache.karaf.command.acl.jaas.cfg b/assemblies/apache-karaf/src/main/distribution/text/etc/org.apache.karaf.command.acl.jaas.cfg
index 0c0644b..5713dea 100644
--- a/assemblies/apache-karaf/src/main/distribution/text/etc/org.apache.karaf.command.acl.jaas.cfg
+++ b/assemblies/apache-karaf/src/main/distribution/text/etc/org.apache.karaf.command.acl.jaas.cfg
@@ -21,7 +21,7 @@
# This configuration file defines the ACLs for commands in the jaas subshell
#
# For an explanation of the syntax of this file, see the file:
-# org.apache.karaf.command.acl.system.cfg
+# org.apache.karaf.command.acl.osgi.cfg
#
# Jaas commands commands have no effect until update is called.
update = admin
http://git-wip-us.apache.org/repos/asf/karaf/blob/1bcd032e/assemblies/apache-karaf/src/main/distribution/text/etc/org.apache.karaf.command.acl.osgi.cfg
----------------------------------------------------------------------
diff --git a/assemblies/apache-karaf/src/main/distribution/text/etc/org.apache.karaf.command.acl.osgi.cfg b/assemblies/apache-karaf/src/main/distribution/text/etc/org.apache.karaf.command.acl.osgi.cfg
index d50320e..0d03627 100644
--- a/assemblies/apache-karaf/src/main/distribution/text/etc/org.apache.karaf.command.acl.osgi.cfg
+++ b/assemblies/apache-karaf/src/main/distribution/text/etc/org.apache.karaf.command.acl.osgi.cfg
@@ -16,18 +16,40 @@
# limitations under the License.
#
################################################################################
-
#
-# This configuration file defines the ACLs for commands in the bundle subshell
-#
-# For an explanation of the syntax of this file, see the file:
-# org.apache.karaf.command.acl.system.cfg
+# This configuration file defines the ACLs for commands in the osgi subshell
#
# This configuration relies on the fact that 'system' bundles need to be managed
-# with the
-# -f (--force)
+# with the
+# -f (--force)
# flag. Operations with -f need admin permission. Most of these operations without
# the 'force' option can be done by a manager.
+
+# The format of this file is as follows:
+# The name of the file corresponds to a Configuration Admin PID. This file is for PID:
+# org.apache.karaf.command.acl.osgi
+# The prefix org.apache.karaf.command.acl. determines that this file defines ACLs for karaf
+# commands. The last word on the PID declares the scope that it applies to, i.e. this file
+# is for the 'system' scope.
+# Entries in this file map to commands within the defined scope. The simplest role definition
+# has the form:
+# command = role1, role2, role3
+# Specific roles can also be declared for certain arguments to the command. This is done using
+# regular expression matching.
+# All the arguments to the command are represented as a list using the following syntax:
+# [arg1,arg2,arg3]
+# The matching is done after converting this list into a string. So the line
+# start-level[/.*[0-9][0-9][0-9]+.*/] = manager
+# declares that a manager role is needed to set a start level with 3 digits or more. The .*
+# wildcards at the beginning and end are used to match the '[' and ']' characters surrounding.
+# When looking for a match the regular-expression based ACLs are always checked first. If any
+# of them match the associated roles are used.
+#
+# If no match can be found based on reg-exp ACLs, a match is looked for based purely on the
+# command name.
+#
+# If no command-name match can be found it is assumed that the command does not need a specific
+# role and can therefore be invoked by any user.
install = admin
refresh[/.*[-][f].*/] = admin
refresh = manager
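Review bot: The added syntax description says "this file is for the 'system' scope", but the PID stated a few lines earlier is org.apache.karaf.command.acl.osgi and the new header calls it the osgi subshell; the paragraph looks carried over from the system ACL file. It should read `# is for the 'osgi' scope.` The other ACL files in this commit now point here for the syntax, so this is where a reader learns the fail-open default in the last paragraph (no matching entry means any user may run the command), and the scope name needs to be right. The ACL entries continue past the end of the hunk.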
http://git-wip-us.apache.org/repos/asf/karaf/blob/1bcd032e/assemblies/apache-karaf/src/main/distribution/text/etc/org.apache.karaf.command.acl.shell.cfg
----------------------------------------------------------------------
diff --git a/assemblies/apache-karaf/src/main/distribution/text/etc/org.apache.karaf.command.acl.shell.cfg b/assemblies/apache-karaf/src/main/distribution/text/etc/org.apache.karaf.command.acl.shell.cfg
index 28880b6..c47f6f5 100644
--- a/assemblies/apache-karaf/src/main/distribution/text/etc/org.apache.karaf.command.acl.shell.cfg
+++ b/assemblies/apache-karaf/src/main/distribution/text/etc/org.apache.karaf.command.acl.shell.cfg
@@ -21,7 +21,7 @@
# This configuration file defines the ACLs for commands in the shell subshell
#
# For an explanation of the syntax of this file, see the file:
-# org.apache.karaf.command.acl.system.cfg
+# org.apache.karaf.command.acl.osgi.cfg
#
edit = admin
exec = admin
http://git-wip-us.apache.org/repos/asf/karaf/blob/1bcd032e/itests/src/test/java/org/apache/karaf/itests/SshCommandTestBase.java
----------------------------------------------------------------------
diff --git a/itests/src/test/java/org/apache/karaf/itests/SshCommandTestBase.java b/itests/src/test/java/org/apache/karaf/itests/SshCommandTestBase.java
index b508451..a2004d4 100644
--- a/itests/src/test/java/org/apache/karaf/itests/SshCommandTestBase.java
+++ b/itests/src/test/java/org/apache/karaf/itests/SshCommandTestBase.java
@@ -94,7 +94,8 @@ public class SshCommandTestBase extends KarafTestSupport {
//wait for command done;
closeSshChannel(pipe);
String output = new String(out.toByteArray());
-
+ System.out.println("the output is ======> " + output + "<========");
+
switch(result) {
case OK:
Assert.assertFalse("Should not contain 'Insufficient credentials' or 'Command not found': " + output,
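Review bot: The added `System.out.println("the output is ======> " + output + "<========");` looks like a debugging leftover: it writes the full output of every SSH command to stdout on every run, pass or fail. The assertion messages below already append `output` when a check fails, so the line can simply be deleted. If the trace is wanted, it should go through the test class's logger at debug level, assuming one exists outside this hunk. Build logs are usually readable by more people than the console under test, and command output from an authenticated session can include configuration values. The enclosing method starts and ends outside the hunk.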