Posted to commits@karaf.apache.org by jb...@apache.org on 2015/11/03 14:13:54 UTC

karaf git commit: [KARAF-4065] Provide default ACL files in distributions

Repository: karaf
Updated Branches:
  refs/heads/master 025b6fb44 -> 09d47ba57


[KARAF-4065] Provide default ACL files in distributions


Project: http://git-wip-us.apache.org/repos/asf/karaf/repo
Commit: http://git-wip-us.apache.org/repos/asf/karaf/commit/09d47ba5
Tree: http://git-wip-us.apache.org/repos/asf/karaf/tree/09d47ba5
Diff: http://git-wip-us.apache.org/repos/asf/karaf/diff/09d47ba5

Branch: refs/heads/master
Commit: 09d47ba575fcf033c476b0f5c5ca1b1575642210
Parents: 025b6fb
Author: Jean-Baptiste Onofré <jb...@apache.org>
Authored: Tue Nov 3 14:13:01 2015 +0100
Committer: Jean-Baptiste Onofré <jb...@apache.org>
Committed: Tue Nov 3 14:13:01 2015 +0100

----------------------------------------------------------------------
 .../resources/etc/jmx.acl.java.lang.Memory.cfg  | 25 +++++++++
 .../etc/jmx.acl.org.apache.karaf.bundle.cfg     | 40 +++++++++++++++
 .../etc/jmx.acl.org.apache.karaf.config.cfg     | 52 +++++++++++++++++++
 .../jmx.acl.org.apache.karaf.security.jmx.cfg   | 27 ++++++++++
 .../etc/jmx.acl.osgi.compendium.cm.cfg          | 53 ++++++++++++++++++++
 .../etc/org.apache.karaf.command.acl.bundle.cfg | 44 ++++++++++++++++
 .../etc/org.apache.karaf.command.acl.config.cfg | 45 +++++++++++++++++
 .../org.apache.karaf.command.acl.feature.cfg    | 27 ++++++++++
 .../etc/org.apache.karaf.command.acl.jaas.cfg   | 27 ++++++++++
 .../etc/org.apache.karaf.command.acl.kar.cfg    | 27 ++++++++++
 ...rg.apache.karaf.command.acl.scope_bundle.cfg | 31 ++++++++++++
 .../etc/org.apache.karaf.command.acl.shell.cfg  | 29 +++++++++++
 .../etc/org.apache.karaf.command.acl.system.cfg | 53 ++++++++++++++++++++
 13 files changed, 480 insertions(+)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/karaf/blob/09d47ba5/assemblies/features/base/src/main/resources/resources/etc/jmx.acl.java.lang.Memory.cfg
----------------------------------------------------------------------
diff --git a/assemblies/features/base/src/main/resources/resources/etc/jmx.acl.java.lang.Memory.cfg b/assemblies/features/base/src/main/resources/resources/etc/jmx.acl.java.lang.Memory.cfg
new file mode 100644
index 0000000..a58bcf5
--- /dev/null
+++ b/assemblies/features/base/src/main/resources/resources/etc/jmx.acl.java.lang.Memory.cfg
@@ -0,0 +1,25 @@
+################################################################################
+#
+#    Licensed to the Apache Software Foundation (ASF) under one or more
+#    contributor license agreements.  See the NOTICE file distributed with
+#    this work for additional information regarding copyright ownership.
+#    The ASF licenses this file to You under the Apache License, Version 2.0
+#    (the "License"); you may not use this file except in compliance with
+#    the License.  You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS,
+#    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#    See the License for the specific language governing permissions and
+#    limitations under the License.
+#
+################################################################################
+
+#
+# JMX ACL specific to the java.lang.Memory MBean
+#
+# For a description of the format of this file, see jmx.acl.cfg
+#
+gc = manager

http://git-wip-us.apache.org/repos/asf/karaf/blob/09d47ba5/assemblies/features/base/src/main/resources/resources/etc/jmx.acl.org.apache.karaf.bundle.cfg
----------------------------------------------------------------------
diff --git a/assemblies/features/base/src/main/resources/resources/etc/jmx.acl.org.apache.karaf.bundle.cfg b/assemblies/features/base/src/main/resources/resources/etc/jmx.acl.org.apache.karaf.bundle.cfg
new file mode 100644
index 0000000..dd318d8
--- /dev/null
+++ b/assemblies/features/base/src/main/resources/resources/etc/jmx.acl.org.apache.karaf.bundle.cfg
@@ -0,0 +1,40 @@
+################################################################################
+#
+#    Licensed to the Apache Software Foundation (ASF) under one or more
+#    contributor license agreements.  See the NOTICE file distributed with
+#    this work for additional information regarding copyright ownership.
+#    The ASF licenses this file to You under the Apache License, Version 2.0
+#    (the "License"); you may not use this file except in compliance with
+#    the License.  You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS,
+#    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#    See the License for the specific language governing permissions and
+#    limitations under the License.
+#
+################################################################################
+
+#
+# JMX ACL specific to the org.apache.karaf:type=bundle,name=* MBean which maps to the Karaf MBean 
+# to control OSGi bundles.
+#
+# For a description of the format of this file, see jmx.acl.cfg
+#
+install = manager
+refresh = manager
+resolve = manager
+restart = manager
+setStartLevel(java.lang.String, int)[/([1-4])?[0-9]/,/.*/] = admin
+setStartLevel = manager
+start(java.lang.String)[/([1-4])?[0-9]/] = admin
+start = manager
+stop(java.lang.String)[/([1-4])?[0-9]/] = admin
+stop = manager
+uninstall(java.lang.String)["0"] = #this is a comment, no roles can perform this operation
+uninstall = admin
+update(java.lang.String)[/([1-4])?[0-9]/] = admin
+update(java.lang.String,java.lang.String)[/([1-4])?[0-9]/,/.*/] = admin
+update = manager
\ No newline at end of file
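Review bot: `install = manager` lets a manager install bundles over JMX, while the shell ACL added in this same commit (org.apache.karaf.command.acl.bundle.cfg) sets `install = admin`. `uninstall` differs the other way: `admin` here, `manager` in the shell when -f is absent. Installing a bundle brings new code into the container, so both interfaces should agree on the stricter role, e.g. `install = admin` here. The `/([1-4])?[0-9]/` patterns appear to treat bundle IDs 0-49 as protected system bundles; a comment such as `# IDs 0-49 are assumed to be system bundles and need admin` would make that assumption visible to whoever changes the boot set.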

http://git-wip-us.apache.org/repos/asf/karaf/blob/09d47ba5/assemblies/features/base/src/main/resources/resources/etc/jmx.acl.org.apache.karaf.config.cfg
----------------------------------------------------------------------
diff --git a/assemblies/features/base/src/main/resources/resources/etc/jmx.acl.org.apache.karaf.config.cfg b/assemblies/features/base/src/main/resources/resources/etc/jmx.acl.org.apache.karaf.config.cfg
new file mode 100644
index 0000000..a597112
--- /dev/null
+++ b/assemblies/features/base/src/main/resources/resources/etc/jmx.acl.org.apache.karaf.config.cfg
@@ -0,0 +1,52 @@
+################################################################################
+#
+#    Licensed to the Apache Software Foundation (ASF) under one or more
+#    contributor license agreements.  See the NOTICE file distributed with
+#    this work for additional information regarding copyright ownership.
+#    The ASF licenses this file to You under the Apache License, Version 2.0
+#    (the "License"); you may not use this file except in compliance with
+#    the License.  You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS,
+#    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#    See the License for the specific language governing permissions and
+#    limitations under the License.
+#
+################################################################################
+
+#
+# JMX ACL specific to the org.apache.karaf:type=config,name=* MBean which maps to the Karaf MBean to interact with the
+# OSGi Config Admin service.
+# 
+# For a description of the format of this file, see jmx.acl.cfg
+#
+# By default, only an admin can make changes to the JMX ACL and shell command rules, but managers can make
+# changes to other PIDs.
+#
+appendProperty(java.lang.String,java.lang.String,java.lang.String)[/jmx[.]acl.*/,/.*/,/.*/] = admin
+appendProperty(java.lang.String,java.lang.String,java.lang.String)[/org[.]apache[.]karaf[.]command[.]acl.+/,/.*/,/.*/] = admin
+appendProperty(java.lang.String,java.lang.String,java.lang.String)[/org[.]apache[.]karaf[.]service[.]acl.+/,/.*/,/.*/] = admin
+appendProperty(java.lang.String,java.lang.String,java.lang.String) = manager
+create(java.lang.String)[/jmx[.]acl.*/] = admin
+create(java.lang.String)[/org[.]apache[.]karaf[.]command[.]acl.+/] = admin
+create(java.lang.String)[/org[.]apache[.]karaf[.]service[.]acl.+/] = admin
+create(java.lang.String) = manager
+delete(java.lang.String)[/jmx[.]acl.*/] = admin
+delete(java.lang.String)[/org[.]apache[.]karaf[.]command[.]acl.+/] = admin
+delete(java.lang.String)[/org[.]apache[.]karaf[.]service[.]acl.+/] = admin
+delete(java.lang.String) = manager
+deleteProperty(java.lang.String,java.lang.String)[/jmx[.]acl.*/,/.*/] = admin
+deleteProperty(java.lang.String,java.lang.String)[/org[.]apache[.]karaf[.]command[.]acl.+/,/.*/] = admin
+deleteProperty(java.lang.String,java.lang.String)[/org[.]apache[.]karaf[.]service[.]acl.+/,/.*/] = admin
+deleteProperty(java.lang.String,java.lang.String) = manager
+setProperty(java.lang.String,java.lang.String,java.lang.String)[/jmx[.]acl.*/,/.*/,/.*/] = admin
+setProperty(java.lang.String,java.lang.String,java.lang.String)[/org[.]apache[.]karaf[.]command[.]acl.+/,/.*/,/.*/] = admin
+setProperty(java.lang.String,java.lang.String,java.lang.String)[/org[.]apache[.]karaf[.]service[.]acl.+/,/.*/,/.*/] = admin
+setProperty(java.lang.String,java.lang.String,java.lang.String) = manager
+update(java.lang.String,java.util.Map)[/jmx[.]acl.*/,/.*/] = admin
+update(java.lang.String,java.util.Map)[/org[.]apache[.]karaf[.]command[.]acl.+/,/.*/] = admin
+update(java.lang.String,java.util.Map)[/org[.]apache[.]karaf[.]service[.]acl.+/,/.*/] = admin
+update(java.lang.String,java.util.Map) = manager
\ No newline at end of file
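Review bot: `delete(java.lang.String) = manager` allows a manager to delete any non-ACL PID over JMX, but the shell ACL in this commit (org.apache.karaf.command.acl.config.cfg) has `delete = admin`, so the same operation needs different roles depending on the interface. One of the two should be aligned, preferably on the stricter role. The PID patterns here use `command[.]acl.+` and `service[.]acl.+`, whereas jmx.acl.osgi.compendium.cm.cfg and the shell config ACL use `acl[.].+`; using one form everywhere would make the three files easier to audit together. The header comment should also mention the service ACL PIDs, which the rules protect but the text omits.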

http://git-wip-us.apache.org/repos/asf/karaf/blob/09d47ba5/assemblies/features/base/src/main/resources/resources/etc/jmx.acl.org.apache.karaf.security.jmx.cfg
----------------------------------------------------------------------
diff --git a/assemblies/features/base/src/main/resources/resources/etc/jmx.acl.org.apache.karaf.security.jmx.cfg b/assemblies/features/base/src/main/resources/resources/etc/jmx.acl.org.apache.karaf.security.jmx.cfg
new file mode 100644
index 0000000..0af2c96
--- /dev/null
+++ b/assemblies/features/base/src/main/resources/resources/etc/jmx.acl.org.apache.karaf.security.jmx.cfg
@@ -0,0 +1,27 @@
+################################################################################
+#
+#    Licensed to the Apache Software Foundation (ASF) under one or more
+#    contributor license agreements.  See the NOTICE file distributed with
+#    this work for additional information regarding copyright ownership.
+#    The ASF licenses this file to You under the Apache License, Version 2.0
+#    (the "License"); you may not use this file except in compliance with
+#    the License.  You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS,
+#    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#    See the License for the specific language governing permissions and
+#    limitations under the License.
+#
+################################################################################
+
+#
+# JMX ACL specific to the org.apache.karaf:type=security,area=jmx MBean which
+# can be used to find out whether the currently logged in JMX user can invoke
+# the requested JMX operations.
+#
+# For a description of the format of this file, see jmx.acl.cfg
+#
+canInvoke = viewer
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/karaf/blob/09d47ba5/assemblies/features/base/src/main/resources/resources/etc/jmx.acl.osgi.compendium.cm.cfg
----------------------------------------------------------------------
diff --git a/assemblies/features/base/src/main/resources/resources/etc/jmx.acl.osgi.compendium.cm.cfg b/assemblies/features/base/src/main/resources/resources/etc/jmx.acl.osgi.compendium.cm.cfg
new file mode 100644
index 0000000..7de362d
--- /dev/null
+++ b/assemblies/features/base/src/main/resources/resources/etc/jmx.acl.osgi.compendium.cm.cfg
@@ -0,0 +1,53 @@
+################################################################################
+#
+#    Licensed to the Apache Software Foundation (ASF) under one or more
+#    contributor license agreements.  See the NOTICE file distributed with
+#    this work for additional information regarding copyright ownership.
+#    The ASF licenses this file to You under the Apache License, Version 2.0
+#    (the "License"); you may not use this file except in compliance with
+#    the License.  You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS,
+#    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#    See the License for the specific language governing permissions and
+#    limitations under the License.
+#
+################################################################################
+
+#
+# JMX ACL specific to osgi.compendium.cm MBean
+#
+# For a description of the format of this file, see jmx.acl.cfg
+#
+# This configuration file configures the management of ConfigAdmin via the standard ConfigAdmin MBean
+# Such that only an admin can make changes to the JMX ACL rules, but managers can make
+# changes to other PIDs.
+#
+createFactoryConfiguration(java.lang.String)[/jmx[.]acl.*/] = admin
+createFactoryConfiguration(java.lang.String)[/org[.]apache[.]karaf[.]command[.]acl[.].+/] = admin
+createFactoryConfiguration(java.lang.String)[/org[.]apache[.]karaf[.]service[.]acl[.].+/] = admin
+createFactoryConfiguration(java.lang.String) = manager
+createFactoryConfigurationForLocation(java.lang.String,java.lang.String)[/jmx[.]acl.*/,/.*/] = admin
+createFactoryConfigurationForLocation(java.lang.String,java.lang.String)[/org[.]apache[.]karaf[.]command[.]acl[.].+/,/.*/] = admin
+createFactoryConfigurationForLocation(java.lang.String,java.lang.String)[/org[.]apache[.]karaf[.]service[.]acl[.].+/,/.*/] = admin
+createFactoryConfigurationForLocation(java.lang.String,java.lang.String) = manager
+delete(java.lang.String)[/jmx[.]acl.*/] = admin
+delete(java.lang.String)[/org[.]apache[.]karaf[.]command[.]acl[.].+/] = admin
+delete(java.lang.String)[/org[.]apache[.]karaf[.]service[.]acl[.].+/] = admin
+delete(java.lang.String) = manager
+deleteConfigurations = admin
+deleteForLocation(java.lang.String,java.lang.String)[/jmx[.]acl.*/,/.*/] = admin
+deleteForLocation(java.lang.String,java.lang.String)[/org[.]apache[.]karaf[.]command[.]acl[.].+/,/.*/] = admin
+deleteForLocation(java.lang.String,java.lang.String)[/org[.]apache[.]karaf[.]service[.]acl[.].+/,/.*/] = admin
+deleteForLocation(java.lang.String,java.lang.String) = manager
+update(java.lang.String,javax.management.openmbean.TabularData)[/jmx[.]acl.*/,/.*/] = admin
+update(java.lang.String,javax.management.openmbean.TabularData)[/org[.]apache[.]karaf[.]command[.]acl[.].+/,/.*/] = admin
+update(java.lang.String,javax.management.openmbean.TabularData)[/org[.]apache[.]karaf[.]service[.]acl[.].+/,/.*/] = admin
+update(java.lang.String,javax.management.openmbean.TabularData) = manager
+updateForLocation(java.lang.String,java.lang.String,javax.management.openmbean.TabularData)[/jmx[.]acl.*/,/.*/,/.*/] = admin
+updateForLocation(java.lang.String,java.lang.String,javax.management.openmbean.TabularData)[/org[.]apache[.]karaf[.]command[.]acl[.].+/,/.*/,/.*/] = admin
+updateForLocation(java.lang.String,java.lang.String,javax.management.openmbean.TabularData)[/org[.]apache[.]karaf[.]service[.]acl[.].+/,/.*/,/.*/] = admin
+updateForLocation(java.lang.String,java.lang.String,javax.management.openmbean.TabularData) = manager
\ No newline at end of file
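Review bot: The header comment says only the JMX ACL rules are reserved for admin, but the entries below also restrict the `org.apache.karaf.command.acl.*` and `org.apache.karaf.service.acl.*` PIDs. The comment should describe what the rules actually enforce, for example `# Only an admin can change the JMX, shell command and service ACL PIDs; managers can change other PIDs.` A reader checking whether shell ACLs can be edited over this MBean would otherwise have to read every pattern to find out.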

http://git-wip-us.apache.org/repos/asf/karaf/blob/09d47ba5/assemblies/features/base/src/main/resources/resources/etc/org.apache.karaf.command.acl.bundle.cfg
----------------------------------------------------------------------
diff --git a/assemblies/features/base/src/main/resources/resources/etc/org.apache.karaf.command.acl.bundle.cfg b/assemblies/features/base/src/main/resources/resources/etc/org.apache.karaf.command.acl.bundle.cfg
new file mode 100644
index 0000000..d50320e
--- /dev/null
+++ b/assemblies/features/base/src/main/resources/resources/etc/org.apache.karaf.command.acl.bundle.cfg
@@ -0,0 +1,44 @@
+################################################################################
+#
+#    Licensed to the Apache Software Foundation (ASF) under one or more
+#    contributor license agreements.  See the NOTICE file distributed with
+#    this work for additional information regarding copyright ownership.
+#    The ASF licenses this file to You under the Apache License, Version 2.0
+#    (the "License"); you may not use this file except in compliance with
+#    the License.  You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS,
+#    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#    See the License for the specific language governing permissions and
+#    limitations under the License.
+#
+################################################################################
+
+#
+# This configuration file defines the ACLs for commands in the bundle subshell
+# 
+# For an explanation of the syntax of this file, see the file:
+#   org.apache.karaf.command.acl.system.cfg
+#
+# This configuration relies on the fact that 'system' bundles need to be managed
+# with the 
+#   -f (--force) 
+# flag. Operations with -f need admin permission. Most of these operations without
+# the 'force' option can be done by a manager.
+install = admin
+refresh[/.*[-][f].*/] = admin
+refresh = manager
+restart[/.*[-][f].*/] = admin
+restart = manager
+start[/.*[-][f].*/] = admin
+start = manager
+stop[/.*[-][f].*/] = admin
+stop = manager
+uninstall[/.*[-][f].*/] = admin
+uninstall = manager
+update[/.*[-][f].*/] = admin
+update = manager
+watch = admin
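Review bot: The pattern `/.*[-][f].*/` matches the two characters "-f" anywhere in the stringified argument list, not only the force flag, so a bundle name or URL that happens to contain "-f" also requires admin. That fails closed, which is the safe direction, but it is surprising when a manager is refused. A comment such as `# Matches "-f" anywhere in the arguments (covers -f and --force); names containing "-f" therefore also need admin` would document it. The header already states that the protection of system bundles depends on the commands themselves demanding -f; that dependency deserves a check whenever a bundle command is added.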

http://git-wip-us.apache.org/repos/asf/karaf/blob/09d47ba5/assemblies/features/base/src/main/resources/resources/etc/org.apache.karaf.command.acl.config.cfg
----------------------------------------------------------------------
diff --git a/assemblies/features/base/src/main/resources/resources/etc/org.apache.karaf.command.acl.config.cfg b/assemblies/features/base/src/main/resources/resources/etc/org.apache.karaf.command.acl.config.cfg
new file mode 100644
index 0000000..e9a5be2
--- /dev/null
+++ b/assemblies/features/base/src/main/resources/resources/etc/org.apache.karaf.command.acl.config.cfg
@@ -0,0 +1,45 @@
+################################################################################
+#
+#    Licensed to the Apache Software Foundation (ASF) under one or more
+#    contributor license agreements.  See the NOTICE file distributed with
+#    this work for additional information regarding copyright ownership.
+#    The ASF licenses this file to You under the Apache License, Version 2.0
+#    (the "License"); you may not use this file except in compliance with
+#    the License.  You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS,
+#    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#    See the License for the specific language governing permissions and
+#    limitations under the License.
+#
+################################################################################
+
+#
+# This configuration file defines the ACLs for various commands in the config subshell
+# 
+# For an explanation of the syntax of this file, see the file:
+#   org.apache.karaf.command.acl.system.cfg
+#
+
+cancel = manager
+delete = admin
+edit = manager
+edit[/.*jmx[.]acl.*/] = admin
+edit[/.*org[.]apache[.]karaf[.]command[.]acl[.].+/] = admin
+edit[/.*org[.]apache[.]karaf[.]service[.]acl[.].+/] = admin
+property-append = manager
+property-append[/.*jmx[.]acl.*/] = admin
+property-append[/.*org[.]apache[.]karaf[.]command[.]acl[.].+/] = admin
+property-append[/.*org[.]apache[.]karaf[.]service[.]acl[.].+/] = admin
+property-delete = manager
+property-delete[/.*jmx[.]acl.*/] = admin
+property-delete[/.*org[.]apache[.]karaf[.]command[.]acl[.].+/] = admin
+property-delete[/.*org[.]apache[.]karaf[.]service[.]acl[.].+/] = admin
+property-set = manager
+property-set[/.*jmx[.]acl.*/] = admin
+property-set[/.*org[.]apache[.]karaf[.]command[.]acl[.].+/] = admin
+property-set[/.*org[.]apache[.]karaf[.]service[.]acl[.].+/] = admin
+update = manager
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/karaf/blob/09d47ba5/assemblies/features/base/src/main/resources/resources/etc/org.apache.karaf.command.acl.feature.cfg
----------------------------------------------------------------------
diff --git a/assemblies/features/base/src/main/resources/resources/etc/org.apache.karaf.command.acl.feature.cfg b/assemblies/features/base/src/main/resources/resources/etc/org.apache.karaf.command.acl.feature.cfg
new file mode 100644
index 0000000..fd41ab9
--- /dev/null
+++ b/assemblies/features/base/src/main/resources/resources/etc/org.apache.karaf.command.acl.feature.cfg
@@ -0,0 +1,27 @@
+################################################################################
+#
+#    Licensed to the Apache Software Foundation (ASF) under one or more
+#    contributor license agreements.  See the NOTICE file distributed with
+#    this work for additional information regarding copyright ownership.
+#    The ASF licenses this file to You under the Apache License, Version 2.0
+#    (the "License"); you may not use this file except in compliance with
+#    the License.  You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS,
+#    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#    See the License for the specific language governing permissions and
+#    limitations under the License.
+#
+################################################################################
+
+#
+# This configuration file defines the ACLs for commands in the kar subshell
+# 
+# For an explanation of the syntax of this file, see the file:
+#   org.apache.karaf.command.acl.system.cfg
+#
+install = admin
+uninstall = admin
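Review bot: The header comment says this file defines ACLs "for commands in the kar subshell", but the file is org.apache.karaf.command.acl.feature.cfg. Its blob id (fd41ab9) is the same as the kar file's, so it looks like an unmodified copy. The comment should read `# This configuration file defines the ACLs for commands in the feature subshell`. It is also worth confirming that `install` and `uninstall` are the only feature commands that need a role, rather than simply the two inherited from the kar file.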

http://git-wip-us.apache.org/repos/asf/karaf/blob/09d47ba5/assemblies/features/base/src/main/resources/resources/etc/org.apache.karaf.command.acl.jaas.cfg
----------------------------------------------------------------------
diff --git a/assemblies/features/base/src/main/resources/resources/etc/org.apache.karaf.command.acl.jaas.cfg b/assemblies/features/base/src/main/resources/resources/etc/org.apache.karaf.command.acl.jaas.cfg
new file mode 100644
index 0000000..0c0644b
--- /dev/null
+++ b/assemblies/features/base/src/main/resources/resources/etc/org.apache.karaf.command.acl.jaas.cfg
@@ -0,0 +1,27 @@
+################################################################################
+#
+#    Licensed to the Apache Software Foundation (ASF) under one or more
+#    contributor license agreements.  See the NOTICE file distributed with
+#    this work for additional information regarding copyright ownership.
+#    The ASF licenses this file to You under the Apache License, Version 2.0
+#    (the "License"); you may not use this file except in compliance with
+#    the License.  You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS,
+#    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#    See the License for the specific language governing permissions and
+#    limitations under the License.
+#
+################################################################################
+
+#
+# This configuration file defines the ACLs for commands in the jaas subshell
+# 
+# For an explanation of the syntax of this file, see the file:
+#   org.apache.karaf.command.acl.system.cfg
+#
+# Jaas commands commands have no effect until update is called.
+update = admin
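Review bot: Restricting only `update` rests entirely on the statement in the comment that other jaas commands have no effect until update is called, and the comment does not say which commands that covers. Naming them would let a reviewer verify the claim when a new jaas command is added. Any read-only command in this subshell that lists realms, users or roles would stay available to every user, so confirm that this is intended. The comment also has a doubled word; it should read `# Jaas commands have no effect until update is called.`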

http://git-wip-us.apache.org/repos/asf/karaf/blob/09d47ba5/assemblies/features/base/src/main/resources/resources/etc/org.apache.karaf.command.acl.kar.cfg
----------------------------------------------------------------------
diff --git a/assemblies/features/base/src/main/resources/resources/etc/org.apache.karaf.command.acl.kar.cfg b/assemblies/features/base/src/main/resources/resources/etc/org.apache.karaf.command.acl.kar.cfg
new file mode 100644
index 0000000..fd41ab9
--- /dev/null
+++ b/assemblies/features/base/src/main/resources/resources/etc/org.apache.karaf.command.acl.kar.cfg
@@ -0,0 +1,27 @@
+################################################################################
+#
+#    Licensed to the Apache Software Foundation (ASF) under one or more
+#    contributor license agreements.  See the NOTICE file distributed with
+#    this work for additional information regarding copyright ownership.
+#    The ASF licenses this file to You under the Apache License, Version 2.0
+#    (the "License"); you may not use this file except in compliance with
+#    the License.  You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS,
+#    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#    See the License for the specific language governing permissions and
+#    limitations under the License.
+#
+################################################################################
+
+#
+# This configuration file defines the ACLs for commands in the kar subshell
+# 
+# For an explanation of the syntax of this file, see the file:
+#   org.apache.karaf.command.acl.system.cfg
+#
+install = admin
+uninstall = admin

http://git-wip-us.apache.org/repos/asf/karaf/blob/09d47ba5/assemblies/features/base/src/main/resources/resources/etc/org.apache.karaf.command.acl.scope_bundle.cfg
----------------------------------------------------------------------
diff --git a/assemblies/features/base/src/main/resources/resources/etc/org.apache.karaf.command.acl.scope_bundle.cfg b/assemblies/features/base/src/main/resources/resources/etc/org.apache.karaf.command.acl.scope_bundle.cfg
new file mode 100644
index 0000000..5e909e5
--- /dev/null
+++ b/assemblies/features/base/src/main/resources/resources/etc/org.apache.karaf.command.acl.scope_bundle.cfg
@@ -0,0 +1,31 @@
+################################################################################
+#
+#    Licensed to the Apache Software Foundation (ASF) under one or more
+#    contributor license agreements.  See the NOTICE file distributed with
+#    this work for additional information regarding copyright ownership.
+#    The ASF licenses this file to You under the Apache License, Version 2.0
+#    (the "License"); you may not use this file except in compliance with
+#    the License.  You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS,
+#    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#    See the License for the specific language governing permissions and
+#    limitations under the License.
+#
+################################################################################
+
+#
+# This configuration file defines the ACLs for scope bundles
+# 
+features=org.apache.karaf.features.command
+jaas=org.apache.karaf.jaas.command
+admin=org.apache.karaf.admin.command
+osgi=org.apache.karaf.shell.osgi
+log=org.apache.karaf.shell.log
+packages=org.apache.karaf.shell.packages
+config=org.apache.karaf.shell.config
+ssh=org.apache.karaf.shell.ssh
+shell=org.apache.karaf.shell.commands
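Review bot: The scope names listed here (`features`, `admin`, `osgi`, `packages`) do not correspond to the scopes of the ACL files added in this commit (`bundle`, `feature`, `kar`, `system`), and they look like the naming of an older release line. If the mapping is used to tie a command scope to the bundle that provides it, stale entries would presumably leave the new scopes unmapped; please verify each key and bundle symbolic name against the commands shipped on this branch. The header gives no description of the format, so a line such as `# Format: <command scope> = <symbolic name of the bundle providing it>` would help, once the semantics are confirmed.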

http://git-wip-us.apache.org/repos/asf/karaf/blob/09d47ba5/assemblies/features/base/src/main/resources/resources/etc/org.apache.karaf.command.acl.shell.cfg
----------------------------------------------------------------------
diff --git a/assemblies/features/base/src/main/resources/resources/etc/org.apache.karaf.command.acl.shell.cfg b/assemblies/features/base/src/main/resources/resources/etc/org.apache.karaf.command.acl.shell.cfg
new file mode 100644
index 0000000..28880b6
--- /dev/null
+++ b/assemblies/features/base/src/main/resources/resources/etc/org.apache.karaf.command.acl.shell.cfg
@@ -0,0 +1,29 @@
+################################################################################
+#
+#    Licensed to the Apache Software Foundation (ASF) under one or more
+#    contributor license agreements.  See the NOTICE file distributed with
+#    this work for additional information regarding copyright ownership.
+#    The ASF licenses this file to You under the Apache License, Version 2.0
+#    (the "License"); you may not use this file except in compliance with
+#    the License.  You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS,
+#    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#    See the License for the specific language governing permissions and
+#    limitations under the License.
+#
+################################################################################
+
+#
+# This configuration file defines the ACLs for commands in the shell subshell
+# 
+# For an explanation of the syntax of this file, see the file:
+#   org.apache.karaf.command.acl.system.cfg
+#
+edit = admin
+exec = admin
+new = admin
+java = admin

http://git-wip-us.apache.org/repos/asf/karaf/blob/09d47ba5/assemblies/features/base/src/main/resources/resources/etc/org.apache.karaf.command.acl.system.cfg
----------------------------------------------------------------------
diff --git a/assemblies/features/base/src/main/resources/resources/etc/org.apache.karaf.command.acl.system.cfg b/assemblies/features/base/src/main/resources/resources/etc/org.apache.karaf.command.acl.system.cfg
new file mode 100644
index 0000000..7927798
--- /dev/null
+++ b/assemblies/features/base/src/main/resources/resources/etc/org.apache.karaf.command.acl.system.cfg
@@ -0,0 +1,53 @@
+################################################################################
+#
+#    Licensed to the Apache Software Foundation (ASF) under one or more
+#    contributor license agreements.  See the NOTICE file distributed with
+#    this work for additional information regarding copyright ownership.
+#    The ASF licenses this file to You under the Apache License, Version 2.0
+#    (the "License"); you may not use this file except in compliance with
+#    the License.  You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS,
+#    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#    See the License for the specific language governing permissions and
+#    limitations under the License.
+#
+################################################################################
+
+#
+# This configuration file defines the ACLs for commands in the system subshell
+#
+# The format of this file is as follows:
+# The name of the file corresponds to a Configuration Admin PID. This file is for PID:
+#    org.apache.karaf.command.acl.system
+# The prefix org.apache.karaf.command.acl. determines that this file defines ACLs for karaf
+# commands. The last word on the PID declares the scope that it applies to, i.e. this file
+# is for the 'system' scope.
+# Entries in this file map to commands within the defined scope. The simplest role definition
+# has the form:
+#   command = role1, role2, role3
+# Specific roles can also be declared for certain arguments to the command. This is done using
+# regular expression matching. 
+# All the arguments to the command are represented as a list using the following syntax:
+#   [arg1,arg2,arg3]
+# The matching is done after converting this list into a string. So the line
+#   start-level[/.*[0-9][0-9][0-9]+.*/] = manager
+# declares that a manager role is needed to set a start level with 3 digits or more. The .* 
+# wildcards at the beginning and end are used to match the '[' and ']' characters surrounding.
+# When looking for a match the regular-expression based ACLs are always checked first. If any
+# of them match the associated roles are used.
+#
+# If no match can be found based on reg-exp ACLs, a match is looked for based purely on the 
+# command name. 
+#
+# If no command-name match can be found it is assumed that the command does not need a specific 
+# role and can therefore be invoked by any user.
+
+property = admin
+shutdown = admin
+start-level[/.*[0-9][0-9][0-9]+.*/] = manager # manager can set startlevels above 100
+start-level[/[^0-9]*/] = viewer               # viewer can obtain the current start level
+start-level = admin                           # admin can set any start level, including < 100
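Review bot: The documented fall-through rule (a command with no matching entry "can therefore be invoked by any user") makes every command ACL file in this commit a denylist, so a command added to a scope later is open to all users until someone remembers to add a line. This applies equally to the shell, jaas, feature and kar files, which list only a few commands each. Consider listing every command of the scope explicitly, or at least stating the consequence in the header, e.g. `# NOTE: commands not listed here are unrestricted; add an entry for every new command in this scope.` Separately, the inline comment on the first `start-level` rule says "above 100", but `[0-9][0-9][0-9]+` also matches 100 itself, so "100 or above" would be accurate.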