Posted to commits@karaf.apache.org by gn...@apache.org on 2017/09/06 14:05:05 UTC
karaf git commit: [KARAF-5330] Require a specific role to access the
SSH console
Repository: karaf
Updated Branches:
refs/heads/master 47451b0ed -> 952593086
[KARAF-5330] Require a specific role to access the SSH console
Project: http://git-wip-us.apache.org/repos/asf/karaf/repo
Commit: http://git-wip-us.apache.org/repos/asf/karaf/commit/95259308
Tree: http://git-wip-us.apache.org/repos/asf/karaf/tree/95259308
Diff: http://git-wip-us.apache.org/repos/asf/karaf/diff/95259308
Branch: refs/heads/master
Commit: 9525930864b9c21585ce57991854429c48a84c8a
Parents: 47451b0
Author: Guillaume Nodet <gn...@apache.org>
Authored: Wed Sep 6 16:04:44 2017 +0200
Committer: Guillaume Nodet <gn...@apache.org>
Committed: Wed Sep 6 16:04:58 2017 +0200
----------------------------------------------------------------------
.../src/main/resources/resources/etc/users.properties | 2 +-
.../features/standard/src/main/feature/feature.xml | 5 +++++
.../main/java/org/apache/karaf/shell/ssh/Activator.java | 3 ++-
.../apache/karaf/shell/ssh/KarafJaasAuthenticator.java | 11 ++++++++++-
4 files changed, 18 insertions(+), 3 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/karaf/blob/95259308/assemblies/features/base/src/main/resources/resources/etc/users.properties
----------------------------------------------------------------------
diff --git a/assemblies/features/base/src/main/resources/resources/etc/users.properties b/assemblies/features/base/src/main/resources/resources/etc/users.properties
index 0657308..ace2282 100644
--- a/assemblies/features/base/src/main/resources/resources/etc/users.properties
+++ b/assemblies/features/base/src/main/resources/resources/etc/users.properties
@@ -30,4 +30,4 @@
# with the name "karaf".
#
karaf = karaf,_g_:admingroup
-_g_\:admingroup = group,admin,manager,viewer,systembundles
+_g_\:admingroup = group,admin,manager,viewer,systembundles,ssh
http://git-wip-us.apache.org/repos/asf/karaf/blob/95259308/assemblies/features/standard/src/main/feature/feature.xml
----------------------------------------------------------------------
diff --git a/assemblies/features/standard/src/main/feature/feature.xml b/assemblies/features/standard/src/main/feature/feature.xml
index 45df505..f3fde1f 100644
--- a/assemblies/features/standard/src/main/feature/feature.xml
+++ b/assemblies/features/standard/src/main/feature/feature.xml
@@ -165,6 +165,11 @@
sshRealm = karaf
#
+ # sshRole defines the role required to access the console through ssh
+ #
+ sshRole = ssh
+
+ #
# The location of the hostKey file defines where the private/public key of the server
# is located. If no file is at the defined location it will be ignored.
#
http://git-wip-us.apache.org/repos/asf/karaf/blob/95259308/shell/ssh/src/main/java/org/apache/karaf/shell/ssh/Activator.java
----------------------------------------------------------------------
diff --git a/shell/ssh/src/main/java/org/apache/karaf/shell/ssh/Activator.java b/shell/ssh/src/main/java/org/apache/karaf/shell/ssh/Activator.java
index 0ffbbba..4c7667b 100644
--- a/shell/ssh/src/main/java/org/apache/karaf/shell/ssh/Activator.java
+++ b/shell/ssh/src/main/java/org/apache/karaf/shell/ssh/Activator.java
@@ -146,6 +146,7 @@ public class Activator extends BaseActivator implements ManagedService {
long sshIdleTimeout = getLong("sshIdleTimeout", 1800000);
int nioWorkers = getInt("nio-workers", 2);
String sshRealm = getString("sshRealm", "karaf");
+ String sshRole = getString("sshRole", null);
String hostKey = getString("hostKey", System.getProperty("karaf.etc") + "/host.key");
String[] authMethods = getStringArray("authMethods", "keyboard-interactive,password,publickey");
int keySize = getInt("keySize", 2048);
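Review bot: The default of `null` on the new `getString("sshRole", null)` line means any deployment whose `org.apache.karaf.shell` configuration predates this commit, or omits the key, keeps accepting every authenticated user on the SSH console, while only the shipped feature.xml sets `ssh`; that opt-in behaviour is not stated anywhere near the read. A short comment would make the fallback explicit for whoever audits the config later: `// null (key absent) or blank disables the role requirement; see KarafJaasAuthenticator.assertRolePresent`. It is also worth a one-line info log when no role is enforced, so a weakened configuration is visible in the log rather than only by reading etc/. The enclosing method starts and ends outside this hunk.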
@@ -158,7 +159,7 @@ public class Activator extends BaseActivator implements ManagedService {
Path serverKeyPath = Paths.get(hostKey);
KeyPairProvider keyPairProvider = new OpenSSHKeyPairProvider(serverKeyPath.toFile(), algorithm, keySize);
- KarafJaasAuthenticator authenticator = new KarafJaasAuthenticator(sshRealm);
+ KarafJaasAuthenticator authenticator = new KarafJaasAuthenticator(sshRealm, sshRole);
UserAuthFactoriesFactory authFactoriesFactory = new UserAuthFactoriesFactory();
authFactoriesFactory.setAuthMethods(authMethods);
http://git-wip-us.apache.org/repos/asf/karaf/blob/95259308/shell/ssh/src/main/java/org/apache/karaf/shell/ssh/KarafJaasAuthenticator.java
----------------------------------------------------------------------
diff --git a/shell/ssh/src/main/java/org/apache/karaf/shell/ssh/KarafJaasAuthenticator.java b/shell/ssh/src/main/java/org/apache/karaf/shell/ssh/KarafJaasAuthenticator.java
index e1420f4..3ab370d 100644
--- a/shell/ssh/src/main/java/org/apache/karaf/shell/ssh/KarafJaasAuthenticator.java
+++ b/shell/ssh/src/main/java/org/apache/karaf/shell/ssh/KarafJaasAuthenticator.java
@@ -45,9 +45,11 @@ public class KarafJaasAuthenticator implements PasswordAuthenticator, PublickeyA
private final Logger LOGGER = LoggerFactory.getLogger(KarafJaasAuthenticator.class);
private String realm;
+ private String role;
- public KarafJaasAuthenticator(String realm) {
+ public KarafJaasAuthenticator(String realm, String role) {
this.realm = realm;
+ this.role = role;
}
public boolean authenticate(final String username, final String password, final ServerSession session) {
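Review bot: The new `role` field, like the existing `realm`, is assigned only in the constructor yet is declared mutable; since this value now gates console access, it should not be reassignable after construction. Change the two declarations to `private final String realm;` and `private final String role;`, which the compiler then verifies. The constructor is the natural place to note the contract callers rely on, e.g. a Javadoc line `@param role role a user must hold to open a console; null or empty means any role is accepted`. The class continues outside this hunk.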
@@ -95,15 +97,22 @@ public class KarafJaasAuthenticator implements PasswordAuthenticator, PublickeyA
}
private void assertRolePresent(Subject subject) throws FailedLoginException {
+ boolean hasCorrectRole = role == null || role.isEmpty();
int roleCount = 0;
for (Principal principal : subject.getPrincipals()) {
if (principal instanceof RolePrincipal) {
+ if (!hasCorrectRole) {
+ hasCorrectRole = role.equals(principal.getName());
+ }
roleCount++;
}
}
if (roleCount == 0) {
throw new FailedLoginException("User doesn't have role defined");
}
+ if (!hasCorrectRole) {
+ throw new FailedLoginException("User doesn't have the required role " + role);
+ }
}
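Review bot: The initialisation `boolean hasCorrectRole = role == null || role.isEmpty();` silently turns a blank `sshRole` into "no specific role required", which is easy to misread as a bug when revisiting this method, and the pre-existing `roleCount == 0` check is then the only barrier. A comment on that line would pin the intent: `// no configured role: any RolePrincipal suffices (legacy behaviour); otherwise the named role must be present`. The loop itself is correct — once a match sets `hasCorrectRole` the guard keeps it true — but a reader has to trace that; a small clarity gain is to drop the guard and write `hasCorrectRole |= role.equals(principal.getName());`, which reads as the accumulation it is. The class closes at the end of this hunk, but the method's callers are outside it.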
}