You are viewing a plain text version of this content. The canonical link for it is here.
Posted to user@karaf.apache.org by to...@quarendon.net on 2017/08/31 10:35:48 UTC
Console role based access control and command completion
If I'm logged on to the console as user, the list of commands I can execute is controlled by access control lists.
So, if I'm logged on as a user who has only got the "viewer" role, then I can't shut karaf down, the system:shutdown command requires the "admin" role.
Great.
However, I still appear to be able to get command completion that system:shutdown is a command, but when I try and invoke it I get "Command not found: system:shutdown", which seems confusing.
Is this intentional? I saw a comment in the code somewhere (lost it now) that made me think that the intention was that only commands I can actually invoke are then put in the completion list, and indeed that would seem like reasonable behaviour.
Re: Console role based access control and command completion
Posted by Jean-Baptiste Onofré <jb...@nanthrax.net>.
Yeah, however, I think it could be painful to check the ACL for each completer.
Let me take a look anyway.
Regards
JB
On 08/31/2017 02:25 PM, tom@quarendon.net wrote:
> Hmm, OK.
> There's a comment somewhere that implies that someone had at least at some point tried doing that or thought that was what happened.
>
> It leads to *slightly* odd behaviour, of being told that a command exists, but then being told, "oh wait, not it doesn't".
>
> Thanks anyway.
>
>> On 31 August 2017 at 13:02 Jean-Baptiste Onofré <jb...@nanthrax.net> wrote:
>>
>>
>> Hi Tom,
>>
>> We don't use the ACL in the completers, only on the action step. That's why you
>> can complete but not execute.
>>
>> Regards
>> JB
>>
>> On 08/31/2017 12:35 PM, tom@quarendon.net wrote:
>>> If I'm logged on to the console as user, the list of commands I can execute is controlled by access control lists.
>>> So, if I'm logged on as a user who has only got the "viewer" role, then I can't shut karaf down, the system:shutdown command requires the "admin" role.
>>>
>>> Great.
>>>
>>> However, I still appear to be able to get command completion that system:shutdown is a command, but when I try and invoke it I get "Command not found: system:shutdown", which seems confusing.
>>>
>>> Is this intentional? I saw a comment in the code somewhere (lost it now) that made me think that the intention was that only commands I can actually invoke are then put in the completion list, and indeed that would seem like reasonable behaviour.
>>>
>>
>> --
>> Jean-Baptiste Onofré
>> jbonofre@apache.org
>> http://blog.nanthrax.net
>> Talend - http://www.talend.com
--
Jean-Baptiste Onofré
jbonofre@apache.org
http://blog.nanthrax.net
Talend - http://www.talend.com
Re: Console role based access control and command completion
Posted by to...@quarendon.net.
Hmm, OK.
There's a comment somewhere that implies that someone had at least at some point tried doing that or thought that was what happened.
It leads to *slightly* odd behaviour, of being told that a command exists, but then being told, "oh wait, not it doesn't".
Thanks anyway.
> On 31 August 2017 at 13:02 Jean-Baptiste Onofré <jb...@nanthrax.net> wrote:
>
>
> Hi Tom,
>
> We don't use the ACL in the completers, only on the action step. That's why you
> can complete but not execute.
>
> Regards
> JB
>
> On 08/31/2017 12:35 PM, tom@quarendon.net wrote:
> > If I'm logged on to the console as user, the list of commands I can execute is controlled by access control lists.
> > So, if I'm logged on as a user who has only got the "viewer" role, then I can't shut karaf down, the system:shutdown command requires the "admin" role.
> >
> > Great.
> >
> > However, I still appear to be able to get command completion that system:shutdown is a command, but when I try and invoke it I get "Command not found: system:shutdown", which seems confusing.
> >
> > Is this intentional? I saw a comment in the code somewhere (lost it now) that made me think that the intention was that only commands I can actually invoke are then put in the completion list, and indeed that would seem like reasonable behaviour.
> >
>
> --
> Jean-Baptiste Onofré
> jbonofre@apache.org
> http://blog.nanthrax.net
> Talend - http://www.talend.com
Re: Console role based access control and command completion
Posted by Jean-Baptiste Onofré <jb...@nanthrax.net>.
Hi Tom,
We don't use the ACL in the completers, only on the action step. That's why you
can complete but not execute.
Regards
JB
On 08/31/2017 12:35 PM, tom@quarendon.net wrote:
> If I'm logged on to the console as user, the list of commands I can execute is controlled by access control lists.
> So, if I'm logged on as a user who has only got the "viewer" role, then I can't shut karaf down, the system:shutdown command requires the "admin" role.
>
> Great.
>
> However, I still appear to be able to get command completion that system:shutdown is a command, but when I try and invoke it I get "Command not found: system:shutdown", which seems confusing.
>
> Is this intentional? I saw a comment in the code somewhere (lost it now) that made me think that the intention was that only commands I can actually invoke are then put in the completion list, and indeed that would seem like reasonable behaviour.
>
--
Jean-Baptiste Onofré
jbonofre@apache.org
http://blog.nanthrax.net
Talend - http://www.talend.com