Posted to user@karaf.apache.org by Paul Spencer <pa...@apache.org> on 2014/01/14 19:14:20 UTC
Getting a "java.lang.SecurityException: Insufficient credentials." error when executing various commands in Karaf 3.0.0
Karaf 3.0.0 running on Apple OSX Maverick (10.9.1)
I am getting a "java.lang.SecurityException: Insufficient credentials." error when executing various commands on a newly installed Karaf 3.0.0. The use case below is for uninstalling a bundle.
Is there a configuration change I need to make?
***
* Use case
***
1) unzipped the distribution
2) Start the Karaf server with bin/start
3) Tail the log file until the JMX OSGi Agent is finished registering objects (about 30 seconds)
4) Start the Karaf client with bin/client
5) Install a bundle
6) Uninstall the newly installed bundle
***
* Command output
***
karaf@root()> install mvn:com.intekon.customer.kc.ewm.web-service/ewm-sap-dist/1.0-SNAPSHOT
Bundle ID: 79
karaf@root()> uninstall 79
Error executing command: Insufficient credentials.
karaf@root()>
***
* From karaf.log (I can post the full 28K log if necessary)
***
2014-01-14 12:50:07,960 | INFO | e ssh user karaf | GuardProxyCatalog | 42 - org.apache.karaf.service.guard - 3.0.0 | Current user does not have required roles ([manager]) for service [org.apache.karaf.shell.console.CompletableFunction, org.apache.karaf.shell.console.commands.BlueprintCommand, org.apache.karaf.shell.commands.CommandWithAction, org.apache.felix.service.command.Function, org.apache.karaf.shell.commands.basic.AbstractCommand] method public java.lang.Object org.apache.karaf.shell.commands.basic.AbstractCommand.execute(org.apache.felix.service.command.CommandSession,java.util.List) throws java.lang.Exception and/or arguments
2014-01-14 12:50:07,960 | ERROR | e ssh user karaf | ShellUtil | 47 - org.apache.karaf.shell.console - 3.0.0 | Exception caught while executing command
java.lang.SecurityException: Insufficient credentials.
at org.apache.karaf.service.guard.impl.GuardProxyCatalog$ProxyInvocationListener.preInvoke(GuardProxyCatalog.java:527)
at org.apache.aries.proxy.impl.ProxyHandler$1.invoke(ProxyHandler.java:52)
at org.apache.aries.proxy.impl.ProxyHandler.invoke(ProxyHandler.java:119)
at org.apache.karaf.shell.console.commands.$BlueprintCommand474733692.execute(Unknown Source)[47:org.apache.karaf.shell.console:3.0.0]
at org.apache.felix.gogo.runtime.CommandProxy.execute(CommandProxy.java:78)[47:org.apache.karaf.shell.console:3.0.0]
at org.apache.felix.gogo.runtime.Closure.executeCmd(Closure.java:477)[47:org.apache.karaf.shell.console:3.0.0]
at org.apache.felix.gogo.runtime.Closure.executeStatement(Closure.java:403)[47:org.apache.karaf.shell.console:3.0.0]
at org.apache.felix.gogo.runtime.Pipe.run(Pipe.java:108)[47:org.apache.karaf.shell.console:3.0.0]
at org.apache.felix.gogo.runtime.Closure.execute(Closure.java:183)[47:org.apache.karaf.shell.console:3.0.0]
at org.apache.felix.gogo.runtime.Closure.execute(Closure.java:120)[47:org.apache.karaf.shell.console:3.0.0]
at org.apache.felix.gogo.runtime.CommandSessionImpl.execute(CommandSessionImpl.java:89)
at org.apache.karaf.shell.console.impl.jline.ConsoleImpl$DelegateSession.execute(ConsoleImpl.java:497)
at org.apache.karaf.shell.console.impl.jline.ConsoleImpl.run(ConsoleImpl.java:198)
at java.lang.Thread.run(Thread.java:724)[:1.7.0_25]
at org.apache.karaf.shell.console.impl.jline.ConsoleFactoryService$3.doRun(ConsoleFactoryService.java:118)[47:org.apache.karaf.shell.console:3.0.0]
at org.apache.karaf.shell.console.impl.jline.ConsoleFactoryService$3$1.run(ConsoleFactoryService.java:109)
at java.security.AccessController.doPrivileged(Native Method)[:1.7.0_25]
at org.apache.karaf.jaas.modules.JaasHelper.doAs(JaasHelper.java:47)[48:org.apache.karaf.jaas.modules:3.0.0]
at org.apache.karaf.shell.console.impl.jline.ConsoleFactoryService$3.run(ConsoleFactoryService.java:107)[47:org.apache.karaf.shell.console:3.0.0]
Paul Spencer
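An added example, not part of the original post: a small Python parser that pulls the GuardProxyCatalog role denials out of karaf.log lines in the format shown above and checks whether each one is followed by the SecurityException on the same thread. The sample lines are abridged from the excerpts in this thread (service list shortened, one constructed unrelated entry added); the function names are illustrative.

```python
import re
from collections import Counter

# Abridged from the karaf.log excerpts in this thread (service list shortened).
# The 12:55:00 entry is constructed to show that unrelated lines are ignored.
SAMPLE_LOG = """\
2014-01-14 12:50:07,960 | INFO | e ssh user karaf | GuardProxyCatalog | 42 - org.apache.karaf.service.guard - 3.0.0 | Current user does not have required roles ([manager]) for service [org.apache.felix.service.command.Function, org.apache.karaf.shell.commands.basic.AbstractCommand] method public java.lang.Object org.apache.karaf.shell.commands.basic.AbstractCommand.execute(org.apache.felix.service.command.CommandSession,java.util.List) throws java.lang.Exception and/or arguments
2014-01-14 12:50:07,960 | ERROR | e ssh user karaf | ShellUtil | 47 - org.apache.karaf.shell.console - 3.0.0 | Exception caught while executing command
java.lang.SecurityException: Insufficient credentials.
at org.apache.karaf.service.guard.impl.GuardProxyCatalog$ProxyInvocationListener.preInvoke(GuardProxyCatalog.java:527)
2014-01-14 12:55:00,000 | INFO | e ssh user karaf | ExampleLogger | 99 - example.bundle - 1.0.0 | Constructed unrelated entry
2014-01-15 06:34:25,902 | INFO | e ssh user karaf | GuardProxyCatalog | 42 - org.apache.karaf.service.guard - 3.0.0 | Current user does not have required roles ([manager]) for service [org.apache.felix.service.command.Function, org.apache.karaf.shell.commands.basic.AbstractCommand] method public java.lang.Object org.apache.karaf.shell.commands.basic.AbstractCommand.execute(org.apache.felix.service.command.CommandSession,java.util.List) throws java.lang.Exception and/or arguments
2014-01-15 06:34:25,902 | ERROR | e ssh user karaf | ShellUtil | 47 - org.apache.karaf.shell.console - 3.0.0 | Exception caught while executing command
java.lang.SecurityException: Insufficient credentials.
"""

# A record starts with a timestamp; anything else (stack trace) continues the previous record.
RECORD_START = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}\s*\|")
DENIAL = re.compile(
    r"Current user does not have required roles \(\[(?P<roles>[^\]]*)\]\) "
    r"for service \[(?P<services>[^\]]*)\] method (?P<method>.+?) and/or arguments"
)


def parse_records(text):
    """Split pipe-delimited log text into records, attaching continuation lines."""
    records = []
    for line in text.splitlines():
        parts = line.split("|", 5) if RECORD_START.match(line) else None
        if parts and len(parts) == 6:
            ts, level, thread, logger, bundle, message = (p.strip() for p in parts)
            records.append({"timestamp": ts, "level": level, "thread": thread,
                            "logger": logger, "bundle": bundle,
                            "message": message, "extra": []})
        elif records and line.strip():
            records[-1]["extra"].append(line.strip())
    return records


def find_denials(text):
    """Return one dict per GuardProxyCatalog role denial found in the log text."""
    records = parse_records(text)
    denials = []
    for i, rec in enumerate(records):
        match = DENIAL.search(rec["message"])
        if rec["logger"] != "GuardProxyCatalog" or not match:
            continue
        # The denial counts as enforced when the next record on the same thread
        # is an ERROR whose continuation lines carry the SecurityException.
        enforced = False
        for nxt in records[i + 1:]:
            if nxt["thread"] == rec["thread"]:
                enforced = nxt["level"] == "ERROR" and any(
                    "java.lang.SecurityException" in x for x in nxt["extra"])
                break
        denials.append({
            "timestamp": rec["timestamp"],
            "thread": rec["thread"],
            "required_roles": [r.strip() for r in match.group("roles").split(",") if r.strip()],
            "services": [s.strip() for s in match.group("services").split(",")],
            "method": match.group("method"),
            "enforced": enforced,
        })
    return denials


def summarize(denials):
    """Count denials per (thread name, required roles) pair."""
    return Counter((d["thread"], tuple(d["required_roles"])) for d in denials)


if __name__ == "__main__":
    for d in find_denials(SAMPLE_LOG):
        print(d["timestamp"], d["thread"], d["required_roles"], "enforced:", d["enforced"])
```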
Re: Getting a "java.lang.SecurityException: Insufficient credentials." error when executing various commands in Karaf 3.0.0
Posted by Jean-Baptiste Onofré <jb...@nanthrax.net>.
Hi Paul,
I will create the Jira (thanks for the reminder).
Regards
JB
On 02/24/2014 05:13 PM, Paul Spencer wrote:
> I do not see a JIRA entry for this bug.
> 1) Has this bug been resolved?
> 2) What is the JIRA Entry?
>
> Paul Spencer
>
> On Jan 16, 2014, at 8:34 PM, Paul Spencer <pa...@apache.org> wrote:
>
>> David,
>>
>> 1) I see JB will file a bug for this issue.
>>
>> 2) The workaround is working for me.
>>
>> Paul Spencer
>>
>> On Jan 16, 2014, at 3:43 AM, David Bosschaert <da...@gmail.com> wrote:
>>
>>> Hi Paul,
>>>
>>> This could be an omission on my part. When I worked on the command
>>> security I didn't really focus on the client command, but mainly
>>> worked with the bin/karaf command and SSH access.
>>>
>>> I can look into this. Would you like to file a bug for it?
>>>
>>> In the meantime, if you need the bin/client command to access Karaf,
>>> you can use it with the shell commands RBAC disabled. You can disable
>>> it by commenting out the following line in etc/system.properties:
>>> karaf.secured.services = (&(osgi.command.scope=*)(osgi.command.function=*))
>>>
>>> Cheers,
>>>
>>> David
>>>
>>> On 15 January 2014 12:54, Paul Spencer <pa...@apache.org> wrote:
>>>> JB,
>>>> I have seen the error with other commands while developing a bundle, although I focused on the bundle:uninstall.
>>>>
>>>> In addition to connecting to Karaf with ssh, the use case succeeds when connecting with bin/karaf.
>>>>
>>>> Paul Spencer
>>>> On Jan 15, 2014, at 7:15 AM, Jean-Baptiste Onofré <jb...@nanthrax.net> wrote:
>>>>
>>>>> Let me try to reproduce the issue using bin/client. It's weird as bin/client is an ssh client, so it's basically the same as ssh.
>>>>>
>>>>> Did you see the issue with other commands?
>>>>>
>>>>> I think that the ACL can be enhanced: instead of checking the -f option, it should check the bundle level. It's not so easy as bundle:uninstall accepts bundle ID, bundle name, etc.
>>>>>
>>>>> Regards
>>>>> JB
>>>>>
>>>>> On 01/15/2014 12:45 PM, Paul Spencer wrote:
>>>>>> JB,
>>>>>> If I connect to Karaf via SSH, the use case works, but if I connect via bin/client the use case fails.
>>>>>>
>>>>>> Why does the command uninstall without -f generate the log message “Current user does not have required roles ([manager]) for service” when connected to Karaf via bin/client?
>>>>>>
>>>>>>
>>>>>> ***
>>>>>> * Role definition in etc/system.properties
>>>>>> ***
>>>>>> sparrow-2:apache-karaf-3.0.0 paul$ grep local etc/system.properties
>>>>>> # Roles to use when logging into a local Karaf console.
>>>>>> karaf.local.roles = admin,manager,viewer
>>>>>> sparrow-2:apache-karaf-3.0.0 paul$
>>>>>>
>>>>>> ***
>>>>>> * Log of connecting to Karaf via SSH then bin/client
>>>>>> ***
>>>>>> sparrow-2:apache-karaf-3.0.0 paul$ ssh karaf@127.0.0.1 -p 8101
>>>>>> Authenticated with partial success.
>>>>>> Authenticated with partial success.
>>>>>> Password authentication
>>>>>> Password:
>>>>>> __ __ ____
>>>>>> / //_/____ __________ _/ __/
>>>>>> / ,< / __ `/ ___/ __ `/ /_
>>>>>> / /| |/ /_/ / / / /_/ / __/
>>>>>> /_/ |_|\__,_/_/ \__,_/_/
>>>>>>
>>>>>> Apache Karaf (3.0.0)
>>>>>>
>>>>>> Hit '<tab>' for a list of available commands
>>>>>> and '[cmd] --help' for help on a specific command.
>>>>>> Hit 'system:shutdown' to shutdown Karaf.
>>>>>> Hit '<ctrl-d>' or type 'logout' to disconnect shell from current session.
>>>>>>
>>>>>> karaf@root()> list
>>>>>> START LEVEL 100 , List Threshold: 50
>>>>>> ID | State | Lvl | Version | Name
>>>>>> ----------------------------------------------------------------------
>>>>>> 80 | Installed | 100 | 1.0.0.SNAPSHOT | APMS/EWM SAP File Distribution
>>>>>> karaf@root()> uninstall 80
>>>>>> karaf@root()> install mvn:com.intekon.customer.kc.ewm.web-service/ewm-sap-dist/1.0-SNAPSHOT
>>>>>> Bundle ID: 81
>>>>>> karaf@root()> uninstall 81
>>>>>> karaf@root()> logout
>>>>>> Connection to 127.0.0.1 closed.
>>>>>> sparrow-2:apache-karaf-3.0.0 paul$ bin/client
>>>>>> Logging in as karaf
>>>>>> 566 [pool-2-thread-2] WARN org.apache.sshd.client.keyverifier.AcceptAllServerKeyVerifier - Server at /0.0.0.0:8101 presented unverified key:
>>>>>> __ __ ____
>>>>>> / //_/____ __________ _/ __/
>>>>>> / ,< / __ `/ ___/ __ `/ /_
>>>>>> / /| |/ /_/ / / / /_/ / __/
>>>>>> /_/ |_|\__,_/_/ \__,_/_/
>>>>>>
>>>>>> Apache Karaf (3.0.0)
>>>>>>
>>>>>> Hit '<tab>' for a list of available commands
>>>>>> and '[cmd] --help' for help on a specific command.
>>>>>> Hit 'system:shutdown' to shutdown Karaf.
>>>>>> Hit '<ctrl-d>' or type 'logout' to disconnect shell from current session.
>>>>>>
>>>>>> karaf@root()> install mvn:com.intekon.customer.kc.ewm.web-service/ewm-sap-dist/1.0-SNAPSHOT
>>>>>> Bundle ID: 82
>>>>>> karaf@root()> uninstall 82
>>>>>> Error executing command: Insufficient credentials.
>>>>>> karaf@root()> list
>>>>>> START LEVEL 100 , List Threshold: 50
>>>>>> ID | State | Lvl | Version | Name
>>>>>> ----------------------------------------------------------------------
>>>>>> 82 | Installed | 80 | 1.0.0.SNAPSHOT | APMS/EWM SAP File Distribution
>>>>>> karaf@root()> logout
>>>>>> sparrow-2:apache-karaf-3.0.0 paul$
>>>>>>
>>>>>> ***
>>>>>> * From data/log/karaf.log
>>>>>> ***
>>>>>> 2014-01-15 06:34:25,902 | INFO | e ssh user karaf | GuardProxyCatalog | 42 - org.apache.karaf.service.guard - 3.0.0 | Current user does not have required roles ([manager]) for service [org.apache.karaf.shell.console.CompletableFunction, org.apache.karaf.shell.console.commands.BlueprintCommand, org.apache.karaf.shell.commands.CommandWithAction, org.apache.felix.service.command.Function, org.apache.karaf.shell.commands.basic.AbstractCommand] method public java.lang.Object org.apache.karaf.shell.commands.basic.AbstractCommand.execute(org.apache.felix.service.command.CommandSession,java.util.List) throws java.lang.Exception and/or arguments
>>>>>> 2014-01-15 06:34:25,902 | ERROR | e ssh user karaf | ShellUtil | 47 - org.apache.karaf.shell.console - 3.0.0 | Exception caught while executing command
>>>>>> java.lang.SecurityException: Insufficient credentials.
>>>>>> at org.apache.karaf.service.guard.impl.GuardProxyCatalog$ProxyInvocationListener.preInvoke(GuardProxyCatalog.java:527)
>>>>>> at org.apache.aries.proxy.impl.ProxyHandler$1.invoke(ProxyHandler.java:52)
>>>>>> at org.apache.aries.proxy.impl.ProxyHandler.invoke(ProxyHandler.java:119)
>>>>>> at org.apache.karaf.shell.console.commands.$BlueprintCommand1069614474.execute(Unknown Source)[47:org.apache.karaf.shell.console:3.0.0]
>>>>>> at org.apache.felix.gogo.runtime.CommandProxy.execute(CommandProxy.java:78)[47:org.apache.karaf.shell.console:3.0.0]
>>>>>> at org.apache.felix.gogo.runtime.Closure.executeCmd(Closure.java:477)[47:org.apache.karaf.shell.console:3.0.0]
>>>>>> at org.apache.felix.gogo.runtime.Closure.executeStatement(Closure.java:403)[47:org.apache.karaf.shell.console:3.0.0]
>>>>>> at org.apache.felix.gogo.runtime.Pipe.run(Pipe.java:108)[47:org.apache.karaf.shell.console:3.0.0]
>>>>>> at org.apache.felix.gogo.runtime.Closure.execute(Closure.java:183)[47:org.apache.karaf.shell.console:3.0.0]
>>>>>> at org.apache.felix.gogo.runtime.Closure.execute(Closure.java:120)[47:org.apache.karaf.shell.console:3.0.0]
>>>>>> at org.apache.felix.gogo.runtime.CommandSessionImpl.execute(CommandSessionImpl.java:89)
>>>>>> at org.apache.karaf.shell.console.impl.jline.ConsoleImpl$DelegateSession.execute(ConsoleImpl.java:497)
>>>>>> at org.apache.karaf.shell.console.impl.jline.ConsoleImpl.run(ConsoleImpl.java:198)
>>>>>> at java.lang.Thread.run(Thread.java:724)[:1.7.0_25]
>>>>>> at org.apache.karaf.shell.console.impl.jline.ConsoleFactoryService$3.doRun(ConsoleFactoryService.java:118)[47:org.apache.karaf.shell.console:3.0.0]
>>>>>> at org.apache.karaf.shell.console.impl.jline.ConsoleFactoryService$3$1.run(ConsoleFactoryService.java:109)
>>>>>> at java.security.AccessController.doPrivileged(Native Method)[:1.7.0_25]
>>>>>> at org.apache.karaf.jaas.modules.JaasHelper.doAs(JaasHelper.java:47)[48:org.apache.karaf.jaas.modules:3.0.0]
>>>>>> at org.apache.karaf.shell.console.impl.jline.ConsoleFactoryService$3.run(ConsoleFactoryService.java:107)[47:org.apache.karaf.shell.console:3.0.0]
>>>>>>
>>>>>>
>>>>>> On Jan 15, 2014, at 12:37 AM, Jean-Baptiste Onofré <jb...@nanthrax.net> wrote:
>>>>>>
>>>>>>> Hi Paul,
>>>>>>>
>>>>>>> it's not a regression: command, services, and JMX security don't exist at all in 2.3.x, it's a new feature from 3.0.0.
>>>>>>>
>>>>>>> The local roles are defined in etc/system.properties:
>>>>>>>
>>>>>>> karaf.local.roles = admin,manager,viewer
>>>>>>>
>>>>>>> It's the roles used by the "local" console. When you use remote console (via ssh), Karaf uses the role of the user.
>>>>>>>
>>>>>>> If you take a look at etc/org.apache.karaf.command.acl.bundle.cfg, you can see:
>>>>>>>
>>>>>>> uninstall[/.*[-][f].*/] = admin
>>>>>>> uninstall = manager
>>>>>>>
>>>>>>> If you are manager, you can use uninstall for a non-system bundle (with start level greater than 80, so without requiring the -f option). To uninstall a system bundle, you have to be admin (who can use the -f option for system bundles).
>>>>>>>
>>>>>>> Regards
>>>>>>> JB
>>>>>>>
>>>>>>> On 01/14/2014 10:34 PM, Paul Spencer wrote:
>>>>>>>> JB,
>>>>>>>> - The use case is successful in 2.3.x, so this sounds like a regression issue.
>>>>>>>>
>>>>>>>> - Per etc/system.properties, the local user has admin and manager roles.
>>>>>>>>
>>>>>>>> karaf@root()> jaas:realm-manage --index 1
>>>>>>>> karaf@root()> jaas:user-list
>>>>>>>> User Name | Group | Role
>>>>>>>> --------------------------------
>>>>>>>> karaf | admingroup | admin
>>>>>>>> karaf | admingroup | manager
>>>>>>>> karaf | admingroup | viewer
>>>>>>>> karaf@root()>
>>>>>>>>
>>>>>>>>
>>>>>>>> - The way I am reading etc/org.apache.karaf.command.acl.bundle.cfg, a user in the admin group can “install” a bundle and needs to be in the manager group to “uninstall” without the “-f” option.
>>>>>>>>
>>>>>>>> karaf@root()> bundle:uninstall 79
>>>>>>>> Error executing command: Insufficient credentials.
>>>>>>>> karaf@root()> bundle:uninstall -f 79
>>>>>>>> karaf@root()>
>>>>>>>>
>>>>>>>> So why is the “bundle:uninstall” command failing when the local user has the manager role?
>>>>>>>>
>>>>>>>> Paul Spencer
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> On Jan 14, 2014, at 2:29 PM, Jean-Baptiste Onofré <jb...@nanthrax.net> wrote:
>>>>>>>>
>>>>>>>>> Hi Paul,
>>>>>>>>>
>>>>>>>>> take a look in the documentation:
>>>>>>>>>
>>>>>>>>> http://karaf.apache.org/manual/latest/users-guide/security.html
>>>>>>>>>
>>>>>>>>> in the console section.
>>>>>>>>>
>>>>>>>>> You will find the explanations about etc/org.apache.karaf.command.acl.<scope>.cfg files.
>>>>>>>>>
>>>>>>>>> Regards
>>>>>>>>> JB
>>>>>>>>>
>>>>>>>>> On 01/14/2014 07:14 PM, Paul Spencer wrote:
>>>>>>>>>> Karaf 3.0.0 running on Apple OSX Maverick (10.9.1)
>>>>>>>>>>
>>>>>>>>>> I am getting a "java.lang.SecurityException: Insufficient credentials." error when executing various commands on a newly installed Karaf 3.0.0. The use case below is for uninstalling a bundle.
>>>>>>>>>>
>>>>>>>>>> Is there a configuration change I need to make?
>>>>>>>>>>
>>>>>>>>>> ***
>>>>>>>>>> * Use case
>>>>>>>>>> ***
>>>>>>>>>> 1) unzipped the distribution
>>>>>>>>>> 2) Start the Karaf server with bin/start
>>>>>>>>>> 3) Tail the log file until the JMX OSGi Agent is finished registering objects (about 30 seconds)
>>>>>>>>>> 4) Start the Karaf client with bin/client
>>>>>>>>>> 5) Install a bundle
>>>>>>>>>> 6) Uninstall the newly installed bundle
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> ***
>>>>>>>>>> * Command output
>>>>>>>>>> ***
>>>>>>>>>> karaf@root()> install mvn:com.intekon.customer.kc.ewm.web-service/ewm-sap-dist/1.0-SNAPSHOT
>>>>>>>>>> Bundle ID: 79
>>>>>>>>>> karaf@root()> uninstall 79
>>>>>>>>>> Error executing command: Insufficient credentials.
>>>>>>>>>> karaf@root()>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> ***
>>>>>>>>>> * From karaf.log (I can post the full 28K log if necessary)
>>>>>>>>>> ***
>>>>>>>>>> 2014-01-14 12:50:07,960 | INFO | e ssh user karaf | GuardProxyCatalog | 42 - org.apache.karaf.service.guard - 3.0.0 | Current user does not have required roles ([manager]) for service [org.apache.karaf.shell.console.CompletableFunction, org.apache.karaf.shell.console.commands.BlueprintCommand, org.apache.karaf.shell.commands.CommandWithAction, org.apache.felix.service.command.Function, org.apache.karaf.shell.commands.basic.AbstractCommand] method public java.lang.Object org.apache.karaf.shell.commands.basic.AbstractCommand.execute(org.apache.felix.service.command.CommandSession,java.util.List) throws java.lang.Exception and/or arguments
>>>>>>>>>> 2014-01-14 12:50:07,960 | ERROR | e ssh user karaf | ShellUtil | 47 - org.apache.karaf.shell.console - 3.0.0 | Exception caught while executing command
>>>>>>>>>> java.lang.SecurityException: Insufficient credentials.
>>>>>>>>>> at org.apache.karaf.service.guard.impl.GuardProxyCatalog$ProxyInvocationListener.preInvoke(GuardProxyCatalog.java:527)
>>>>>>>>>> at org.apache.aries.proxy.impl.ProxyHandler$1.invoke(ProxyHandler.java:52)
>>>>>>>>>> at org.apache.aries.proxy.impl.ProxyHandler.invoke(ProxyHandler.java:119)
>>>>>>>>>> at org.apache.karaf.shell.console.commands.$BlueprintCommand474733692.execute(Unknown Source)[47:org.apache.karaf.shell.console:3.0.0]
>>>>>>>>>> at org.apache.felix.gogo.runtime.CommandProxy.execute(CommandProxy.java:78)[47:org.apache.karaf.shell.console:3.0.0]
>>>>>>>>>> at org.apache.felix.gogo.runtime.Closure.executeCmd(Closure.java:477)[47:org.apache.karaf.shell.console:3.0.0]
>>>>>>>>>> at org.apache.felix.gogo.runtime.Closure.executeStatement(Closure.java:403)[47:org.apache.karaf.shell.console:3.0.0]
>>>>>>>>>> at org.apache.felix.gogo.runtime.Pipe.run(Pipe.java:108)[47:org.apache.karaf.shell.console:3.0.0]
>>>>>>>>>> at org.apache.felix.gogo.runtime.Closure.execute(Closure.java:183)[47:org.apache.karaf.shell.console:3.0.0]
>>>>>>>>>> at org.apache.felix.gogo.runtime.Closure.execute(Closure.java:120)[47:org.apache.karaf.shell.console:3.0.0]
>>>>>>>>>> at org.apache.felix.gogo.runtime.CommandSessionImpl.execute(CommandSessionImpl.java:89)
>>>>>>>>>> at org.apache.karaf.shell.console.impl.jline.ConsoleImpl$DelegateSession.execute(ConsoleImpl.java:497)
>>>>>>>>>> at org.apache.karaf.shell.console.impl.jline.ConsoleImpl.run(ConsoleImpl.java:198)
>>>>>>>>>> at java.lang.Thread.run(Thread.java:724)[:1.7.0_25]
>>>>>>>>>> at org.apache.karaf.shell.console.impl.jline.ConsoleFactoryService$3.doRun(ConsoleFactoryService.java:118)[47:org.apache.karaf.shell.console:3.0.0]
>>>>>>>>>> at org.apache.karaf.shell.console.impl.jline.ConsoleFactoryService$3$1.run(ConsoleFactoryService.java:109)
>>>>>>>>>> at java.security.AccessController.doPrivileged(Native Method)[:1.7.0_25]
>>>>>>>>>> at org.apache.karaf.jaas.modules.JaasHelper.doAs(JaasHelper.java:47)[48:org.apache.karaf.jaas.modules:3.0.0]
>>>>>>>>>> at org.apache.karaf.shell.console.impl.jline.ConsoleFactoryService$3.run(ConsoleFactoryService.java:107)[47:org.apache.karaf.shell.console:3.0.0]
>>>>>>>>>>
>>>>>>>>>> Paul Spencer
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> Jean-Baptiste Onofré
>>>>>>>>> jbonofre@apache.org
>>>>>>>>> http://blog.nanthrax.net
>>>>>>>>> Talend - http://www.talend.com
>>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> Jean-Baptiste Onofré
>>>>>>> jbonofre@apache.org
>>>>>>> http://blog.nanthrax.net
>>>>>>> Talend - http://www.talend.com
>>>>>>
>>>>>
>>>>> --
>>>>> Jean-Baptiste Onofré
>>>>> jbonofre@apache.org
>>>>> http://blog.nanthrax.net
>>>>> Talend - http://www.talend.com
>>>>
>>
>
--
Jean-Baptiste Onofré
jbonofre@apache.org
http://blog.nanthrax.net
Talend - http://www.talend.com
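An added example, not Karaf's own code: a simplified model of how the two ACL lines quoted in this thread map a command invocation to required roles. It assumes the regex is matched in full against the space-joined arguments and that holding any one listed role is enough; the function names and the bundle name `my-feature` are hypothetical.

```python
import re

# The two rules quoted in the thread from etc/org.apache.karaf.command.acl.bundle.cfg.
BUNDLE_ACL = """\
uninstall[/.*[-][f].*/] = admin
uninstall = manager
"""

# name, optional [/regex/] argument matcher, then a comma-separated role list.
RULE = re.compile(r"^(?P<fn>[\w:-]+)(?:\[/(?P<rx>.*)/\])?\s*=\s*(?P<roles>.+)$")


def parse_acl(text):
    """Parse ACL lines into (function, compiled regex or None, roles) tuples."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE.match(line)
        if not m:
            raise ValueError("unparseable ACL line: %r" % line)
        rx = re.compile(m.group("rx")) if m.group("rx") is not None else None
        roles = frozenset(r.strip() for r in m.group("roles").split(",") if r.strip())
        rules.append((m.group("fn"), rx, roles))
    return rules


def required_roles(rules, fn, args):
    """Roles demanded for fn(args); an argument-specific rule beats the bare rule.

    Returns None when no rule names the function (this model takes no position
    on what happens in that case).
    """
    arg_string = " ".join(args)  # assumption: regex sees the joined arguments
    bare = None
    for name, rx, roles in rules:
        if name != fn:
            continue
        if rx is None:
            bare = roles
        elif rx.fullmatch(arg_string):
            return roles
    return bare


def check(rules, session_roles, fn, args):
    """Return 'allow', 'deny' or 'no-rule' for a session holding session_roles."""
    needed = required_roles(rules, fn, args)
    if needed is None:
        return "no-rule"
    # Roles are compared by name only: admin does not imply manager.
    return "allow" if needed & set(session_roles) else "deny"


if __name__ == "__main__":
    rules = parse_acl(BUNDLE_ACL)
    for roles in ({"admin", "manager", "viewer"}, {"admin"}, {"manager"}):
        for args in (["82"], ["-f", "82"], ["my-feature"]):
            print(sorted(roles), "uninstall", args, "->",
                  check(rules, roles, "uninstall", args))
```

In this model a session holding only admin is denied plain `uninstall` but allowed `uninstall -f`, the same pattern as the bin/client output quoted in the thread; the thread itself does not establish which roles that session held. The `-f` regex also matches any argument that merely contains `-f`, such as a bundle name, which then requires admin.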
Re: Getting a "java.lang.SecurityException: Insufficient credentials." error when executing various commands in Karaf 3.0.0
Posted by Paul Spencer <pa...@apache.org>.
I do not see a JIRA entry for this bug.
1) Has this bug been resolved?
2) What is the JIRA Entry?
Paul Spencer
On Jan 16, 2014, at 8:34 PM, Paul Spencer <pa...@apache.org> wrote:
> David,
>
> 1) I see JB will file a bug for this issue.
>
> 2) The workaround is working for me.
>
> Paul Spencer
>
> On Jan 16, 2014, at 3:43 AM, David Bosschaert <da...@gmail.com> wrote:
>
>> Hi Paul,
>>
>> This could be an omission on my part. When I worked on the command
>> security I didn't really focus on the client command, but mainly
>> worked with the bin/karaf command and SSH access.
>>
>> I can look into this. Would you like to file a bug for it?
>>
>> In the meantime, if you need the bin/client command to access Karaf,
>> you can use it with the shell commands RBAC disabled. You can disable
>> it by commenting out the following line in etc/system.properties:
>> karaf.secured.services = (&(osgi.command.scope=*)(osgi.command.function=*))
>>
>> Cheers,
>>
>> David
>>
>> On 15 January 2014 12:54, Paul Spencer <pa...@apache.org> wrote:
>>> JB,
>>> I have seen the error with other commands while developing a bundle, although I focused on the bundle:uninstall.
>>>
>>> In addition to connecting to Karaf with ssh, the use case succeeds when connecting with bin/karaf.
>>>
>>> Paul Spencer
>>> On Jan 15, 2014, at 7:15 AM, Jean-Baptiste Onofré <jb...@nanthrax.net> wrote:
>>>
>>>> Let me try to reproduce the issue using bin/client. It's weird as bin/client is an ssh client, so it's basically the same as ssh.
>>>>
>>>> Did you see the issue with other commands?
>>>>
>>>> I think that the ACL can be enhanced: instead of checking the -f option, it should check the bundle level. It's not so easy as bundle:uninstall accepts bundle ID, bundle name, etc.
>>>>
>>>> Regards
>>>> JB
>>>>
>>>> On 01/15/2014 12:45 PM, Paul Spencer wrote:
>>>>> JB,
>>>>> If I connect to Karaf via SSH, the use case works, but if I connect via bin/client the use case fails.
>>>>>
>>>>> Why does the command uninstall without -f generate the log message “Current user does not have required roles ([manager]) for service” when connected to Karaf via bin/client?
>>>>>
>>>>>
>>>>> ***
>>>>> * Role definition in etc/system.properties
>>>>> ***
>>>>> sparrow-2:apache-karaf-3.0.0 paul$ grep local etc/system.properties
>>>>> # Roles to use when logging into a local Karaf console.
>>>>> karaf.local.roles = admin,manager,viewer
>>>>> sparrow-2:apache-karaf-3.0.0 paul$
>>>>>
>>>>> ***
>>>>> * Log of connecting to Karaf via SSH then bin/client
>>>>> ***
>>>>> sparrow-2:apache-karaf-3.0.0 paul$ ssh karaf@127.0.0.1 -p 8101
>>>>> Authenticated with partial success.
>>>>> Authenticated with partial success.
>>>>> Password authentication
>>>>> Password:
>>>>> __ __ ____
>>>>> / //_/____ __________ _/ __/
>>>>> / ,< / __ `/ ___/ __ `/ /_
>>>>> / /| |/ /_/ / / / /_/ / __/
>>>>> /_/ |_|\__,_/_/ \__,_/_/
>>>>>
>>>>> Apache Karaf (3.0.0)
>>>>>
>>>>> Hit '<tab>' for a list of available commands
>>>>> and '[cmd] --help' for help on a specific command.
>>>>> Hit 'system:shutdown' to shutdown Karaf.
>>>>> Hit '<ctrl-d>' or type 'logout' to disconnect shell from current session.
>>>>>
>>>>> karaf@root()> list
>>>>> START LEVEL 100 , List Threshold: 50
>>>>> ID | State | Lvl | Version | Name
>>>>> ----------------------------------------------------------------------
>>>>> 80 | Installed | 100 | 1.0.0.SNAPSHOT | APMS/EWM SAP File Distribution
>>>>> karaf@root()> uninstall 80
>>>>> karaf@root()> install mvn:com.intekon.customer.kc.ewm.web-service/ewm-sap-dist/1.0-SNAPSHOT
>>>>> Bundle ID: 81
>>>>> karaf@root()> uninstall 81
>>>>> karaf@root()> logout
>>>>> Connection to 127.0.0.1 closed.
>>>>> sparrow-2:apache-karaf-3.0.0 paul$ bin/client
>>>>> Logging in as karaf
>>>>> 566 [pool-2-thread-2] WARN org.apache.sshd.client.keyverifier.AcceptAllServerKeyVerifier - Server at /0.0.0.0:8101 presented unverified key:
>>>>> __ __ ____
>>>>> / //_/____ __________ _/ __/
>>>>> / ,< / __ `/ ___/ __ `/ /_
>>>>> / /| |/ /_/ / / / /_/ / __/
>>>>> /_/ |_|\__,_/_/ \__,_/_/
>>>>>
>>>>> Apache Karaf (3.0.0)
>>>>>
>>>>> Hit '<tab>' for a list of available commands
>>>>> and '[cmd] --help' for help on a specific command.
>>>>> Hit 'system:shutdown' to shutdown Karaf.
>>>>> Hit '<ctrl-d>' or type 'logout' to disconnect shell from current session.
>>>>>
>>>>> karaf@root()> install mvn:com.intekon.customer.kc.ewm.web-service/ewm-sap-dist/1.0-SNAPSHOT
>>>>> Bundle ID: 82
>>>>> karaf@root()> uninstall 82
>>>>> Error executing command: Insufficient credentials.
>>>>> karaf@root()> list
>>>>> START LEVEL 100 , List Threshold: 50
>>>>> ID | State | Lvl | Version | Name
>>>>> ----------------------------------------------------------------------
>>>>> 82 | Installed | 80 | 1.0.0.SNAPSHOT | APMS/EWM SAP File Distribution
>>>>> karaf@root()> logout
>>>>> sparrow-2:apache-karaf-3.0.0 paul$
>>>>>
>>>>> ***
>>>>> * From data/log/karaf.log
>>>>> ***
>>>>> 2014-01-15 06:34:25,902 | INFO | e ssh user karaf | GuardProxyCatalog | 42 - org.apache.karaf.service.guard - 3.0.0 | Current user does not have required roles ([manager]) for service [org.apache.karaf.shell.console.CompletableFunction, org.apache.karaf.shell.console.commands.BlueprintCommand, org.apache.karaf.shell.commands.CommandWithAction, org.apache.felix.service.command.Function, org.apache.karaf.shell.commands.basic.AbstractCommand] method public java.lang.Object org.apache.karaf.shell.commands.basic.AbstractCommand.execute(org.apache.felix.service.command.CommandSession,java.util.List) throws java.lang.Exception and/or arguments
>>>>> 2014-01-15 06:34:25,902 | ERROR | e ssh user karaf | ShellUtil | 47 - org.apache.karaf.shell.console - 3.0.0 | Exception caught while executing command
>>>>> java.lang.SecurityException: Insufficient credentials.
>>>>> at org.apache.karaf.service.guard.impl.GuardProxyCatalog$ProxyInvocationListener.preInvoke(GuardProxyCatalog.java:527)
>>>>> at org.apache.aries.proxy.impl.ProxyHandler$1.invoke(ProxyHandler.java:52)
>>>>> at org.apache.aries.proxy.impl.ProxyHandler.invoke(ProxyHandler.java:119)
>>>>> at org.apache.karaf.shell.console.commands.$BlueprintCommand1069614474.execute(Unknown Source)[47:org.apache.karaf.shell.console:3.0.0]
>>>>> at org.apache.felix.gogo.runtime.CommandProxy.execute(CommandProxy.java:78)[47:org.apache.karaf.shell.console:3.0.0]
>>>>> at org.apache.felix.gogo.runtime.Closure.executeCmd(Closure.java:477)[47:org.apache.karaf.shell.console:3.0.0]
>>>>> at org.apache.felix.gogo.runtime.Closure.executeStatement(Closure.java:403)[47:org.apache.karaf.shell.console:3.0.0]
>>>>> at org.apache.felix.gogo.runtime.Pipe.run(Pipe.java:108)[47:org.apache.karaf.shell.console:3.0.0]
>>>>> at org.apache.felix.gogo.runtime.Closure.execute(Closure.java:183)[47:org.apache.karaf.shell.console:3.0.0]
>>>>> at org.apache.felix.gogo.runtime.Closure.execute(Closure.java:120)[47:org.apache.karaf.shell.console:3.0.0]
>>>>> at org.apache.felix.gogo.runtime.CommandSessionImpl.execute(CommandSessionImpl.java:89)
>>>>> at org.apache.karaf.shell.console.impl.jline.ConsoleImpl$DelegateSession.execute(ConsoleImpl.java:497)
>>>>> at org.apache.karaf.shell.console.impl.jline.ConsoleImpl.run(ConsoleImpl.java:198)
>>>>> at java.lang.Thread.run(Thread.java:724)[:1.7.0_25]
>>>>> at org.apache.karaf.shell.console.impl.jline.ConsoleFactoryService$3.doRun(ConsoleFactoryService.java:118)[47:org.apache.karaf.shell.console:3.0.0]
>>>>> at org.apache.karaf.shell.console.impl.jline.ConsoleFactoryService$3$1.run(ConsoleFactoryService.java:109)
>>>>> at java.security.AccessController.doPrivileged(Native Method)[:1.7.0_25]
>>>>> at org.apache.karaf.jaas.modules.JaasHelper.doAs(JaasHelper.java:47)[48:org.apache.karaf.jaas.modules:3.0.0]
>>>>> at org.apache.karaf.shell.console.impl.jline.ConsoleFactoryService$3.run(ConsoleFactoryService.java:107)[47:org.apache.karaf.shell.console:3.0.0]
>>>>>
>>>>>
>>>>> On Jan 15, 2014, at 12:37 AM, Jean-Baptiste Onofré <jb...@nanthrax.net> wrote:
>>>>>
>>>>>> Hi Paul,
>>>>>>
>>>>>> it's not a regression: command, services, and JMX security don't exist at all in 2.3.x, it's a new feature from 3.0.0.
>>>>>>
>>>>>> The local roles are defined in etc/system.properties:
>>>>>>
>>>>>> karaf.local.roles = admin,manager,viewer
>>>>>>
>>>>>> It's the roles used by the "local" console. When you use remote console (via ssh), Karaf uses the role of the user.
>>>>>>
>>>>>> If you take a look at etc/org.apache.karaf.command.acl.bundle.cfg, you can see:
>>>>>>
>>>>>> uninstall[/.*[-][f].*/] = admin
>>>>>> uninstall = manager
>>>>>>
>>>>>> If you are manager, you can use uninstall for a non-system bundle (with start level greater than 80, so without requiring the -f option). To uninstall a system bundle, you have to be admin (who can use the -f option for system bundles).
>>>>>>
>>>>>> Regards
>>>>>> JB
>>>>>>
>>>>>> On 01/14/2014 10:34 PM, Paul Spencer wrote:
>>>>>>> JB,
>>>>>>> - The use case is successful in 2.3.x, so this sounds like a regression issue.
>>>>>>>
>>>>>>> - Per etc/system.properties, the local user has admin and manager roles.
>>>>>>>
>>>>>>> karaf@root()> jaas:realm-manage --index 1
>>>>>>> karaf@root()> jaas:user-list
>>>>>>> User Name | Group | Role
>>>>>>> --------------------------------
>>>>>>> karaf | admingroup | admin
>>>>>>> karaf | admingroup | manager
>>>>>>> karaf | admingroup | viewer
>>>>>>> karaf@root()>
>>>>>>>
>>>>>>>
>>>>>>> - The way I am reading etc/org.apache.karaf.command.acl.bundle.cfg, a user in the admin group can “install” a bundle and needs to be in the manager group to “uninstall” without the “-f” option.
>>>>>>>
>>>>>>> karaf@root()> bundle:uninstall 79
>>>>>>> Error executing command: Insufficient credentials.
>>>>>>> karaf@root()> bundle:uninstall -f 79
>>>>>>> karaf@root()>
>>>>>>>
>>>>>>> So why is the “bundle:uninstall” command failing when the local user has the manager role?
>>>>>>>
>>>>>>> Paul Spencer
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On Jan 14, 2014, at 2:29 PM, Jean-Baptiste Onofré <jb...@nanthrax.net> wrote:
>>>>>>>
>>>>>>>> Hi Paul,
>>>>>>>>
>>>>>>>> take a look in the documentation:
>>>>>>>>
>>>>>>>> http://karaf.apache.org/manual/latest/users-guide/security.html
>>>>>>>>
>>>>>>>> in the console section.
>>>>>>>>
>>>>>>>> You will find the explanations about etc/org.apache.karaf.command.acl.<scope>.cfg files.
>>>>>>>>
>>>>>>>> Regards
>>>>>>>> JB
>>>>>>>>
>>>>>>>> On 01/14/2014 07:14 PM, Paul Spencer wrote:
>>>>>>>>> Karaf 3.0.0 running on Apple OSX Maverick (10.9.1)
>>>>>>>>>
>>>>>>>>> I am getting a "java.lang.SecurityException: Insufficient credentials." error when executing various commands on a newly installed Karaf 3.0.0. The use case below is for uninstalling a bundle.
>>>>>>>>>
>>>>>>>>> Is there a configuration change I need to make?
>>>>>>>>>
>>>>>>>>> ***
>>>>>>>>> * Use case
>>>>>>>>> ***
>>>>>>>>> 1) unzipped the distribution
>>>>>>>>> 2) Start the Karaf server with bin/start
>>>>>>>>> 3) Tail the log file until the JMX OSGi Agent is finished registering objects (about 30 seconds)
>>>>>>>>> 4) Start the Karaf client with bin/client
>>>>>>>>> 5) Install a bundle
>>>>>>>>> 6) Uninstall the newly installed bundle
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> ***
>>>>>>>>> * Command output
>>>>>>>>> ***
>>>>>>>>> karaf@root()> install mvn:com.intekon.customer.kc.ewm.web-service/ewm-sap-dist/1.0-SNAPSHOT
>>>>>>>>> Bundle ID: 79
>>>>>>>>> karaf@root()> uninstall 79
>>>>>>>>> Error executing command: Insufficient credentials.
>>>>>>>>> karaf@root()>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> ***
>>>>>>>>> * From karaf.log (I can post the full 28K log if necessary)
>>>>>>>>> ***
>>>>>>>>> 2014-01-14 12:50:07,960 | INFO | e ssh user karaf | GuardProxyCatalog | 42 - org.apache.karaf.service.guard - 3.0.0 | Current user does not have required roles ([manager]) for service [org.apache.karaf.shell.console.CompletableFunction, org.apache.karaf.shell.console.commands.BlueprintCommand, org.apache.karaf.shell.commands.CommandWithAction, org.apache.felix.service.command.Function, org.apache.karaf.shell.commands.basic.AbstractCommand] method public java.lang.Object org.apache.karaf.shell.commands.basic.AbstractCommand.execute(org.apache.felix.service.command.CommandSession,java.util.List) throws java.lang.Exception and/or arguments
>>>>>>>>> 2014-01-14 12:50:07,960 | ERROR | e ssh user karaf | ShellUtil | 47 - org.apache.karaf.shell.console - 3.0.0 | Exception caught while executing command
>>>>>>>>> java.lang.SecurityException: Insufficient credentials.
>>>>>>>>> at org.apache.karaf.service.guard.impl.GuardProxyCatalog$ProxyInvocationListener.preInvoke(GuardProxyCatalog.java:527)
>>>>>>>>> at org.apache.aries.proxy.impl.ProxyHandler$1.invoke(ProxyHandler.java:52)
>>>>>>>>> at org.apache.aries.proxy.impl.ProxyHandler.invoke(ProxyHandler.java:119)
>>>>>>>>> at org.apache.karaf.shell.console.commands.$BlueprintCommand474733692.execute(Unknown Source)[47:org.apache.karaf.shell.console:3.0.0]
>>>>>>>>> at org.apache.felix.gogo.runtime.CommandProxy.execute(CommandProxy.java:78)[47:org.apache.karaf.shell.console:3.0.0]
>>>>>>>>> at org.apache.felix.gogo.runtime.Closure.executeCmd(Closure.java:477)[47:org.apache.karaf.shell.console:3.0.0]
>>>>>>>>> at org.apache.felix.gogo.runtime.Closure.executeStatement(Closure.java:403)[47:org.apache.karaf.shell.console:3.0.0]
>>>>>>>>> at org.apache.felix.gogo.runtime.Pipe.run(Pipe.java:108)[47:org.apache.karaf.shell.console:3.0.0]
>>>>>>>>> at org.apache.felix.gogo.runtime.Closure.execute(Closure.java:183)[47:org.apache.karaf.shell.console:3.0.0]
>>>>>>>>> at org.apache.felix.gogo.runtime.Closure.execute(Closure.java:120)[47:org.apache.karaf.shell.console:3.0.0]
>>>>>>>>> at org.apache.felix.gogo.runtime.CommandSessionImpl.execute(CommandSessionImpl.java:89)
>>>>>>>>> at org.apache.karaf.shell.console.impl.jline.ConsoleImpl$DelegateSession.execute(ConsoleImpl.java:497)
>>>>>>>>> at org.apache.karaf.shell.console.impl.jline.ConsoleImpl.run(ConsoleImpl.java:198)
>>>>>>>>> at java.lang.Thread.run(Thread.java:724)[:1.7.0_25]
>>>>>>>>> at org.apache.karaf.shell.console.impl.jline.ConsoleFactoryService$3.doRun(ConsoleFactoryService.java:118)[47:org.apache.karaf.shell.console:3.0.0]
>>>>>>>>> at org.apache.karaf.shell.console.impl.jline.ConsoleFactoryService$3$1.run(ConsoleFactoryService.java:109)
>>>>>>>>> at java.security.AccessController.doPrivileged(Native Method)[:1.7.0_25]
>>>>>>>>> at org.apache.karaf.jaas.modules.JaasHelper.doAs(JaasHelper.java:47)[48:org.apache.karaf.jaas.modules:3.0.0]
>>>>>>>>> at org.apache.karaf.shell.console.impl.jline.ConsoleFactoryService$3.run(ConsoleFactoryService.java:107)[47:org.apache.karaf.shell.console:3.0.0]
>>>>>>>>>
>>>>>>>>> Paul Spencer
>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>> --
>>>>>>>> Jean-Baptiste Onofré
>>>>>>>> jbonofre@apache.org
>>>>>>>> http://blog.nanthrax.net
>>>>>>>> Talend - http://www.talend.com
>>>>>>>
>>>>>>
>>>>>> --
>>>>>> Jean-Baptiste Onofré
>>>>>> jbonofre@apache.org
>>>>>> http://blog.nanthrax.net
>>>>>> Talend - http://www.talend.com
>>>>>
>>>>
>>>> --
>>>> Jean-Baptiste Onofré
>>>> jbonofre@apache.org
>>>> http://blog.nanthrax.net
>>>> Talend - http://www.talend.com
>>>
>
Re: Getting a "java.lang.SecurityException: Insufficient credentials.” error when executing various commands in Karaf 3.0.0
Posted by Paul Spencer <pa...@apache.org>.
David,
1) I see JB will file a bug for this issue.
2) The workaround is working for me.
Paul Spencer
On Jan 16, 2014, at 3:43 AM, David Bosschaert <da...@gmail.com> wrote:
> Hi Paul,
>
> This could be an omission on my part. When I worked on the command
> security I didn't really focus on the client command, but mainly
> worked with the bin/karaf command and SSH access.
>
> I can look into this. Would you like to file a bug for it?
>
> In the meantime, if you need the bin/client command to access Karaf,
> you can use it with the shell commands RBAC disabled. You can disable
> it by commenting out the following line in etc/system.properties:
> karaf.secured.services = (&(osgi.command.scope=*)(osgi.command.function=*))
>
> Cheers,
>
> David
>
> On 15 January 2014 12:54, Paul Spencer <pa...@apache.org> wrote:
>> JB,
>> I have seen the error with other commands while developing a bundle, although I focused on the bundle:uninstall.
>>
>> In addition to connecting to Karaf with ssh, the use case succeeds when connecting with bin/karaf.
>>
>> Paul Spencer
>> On Jan 15, 2014, at 7:15 AM, Jean-Baptiste Onofré <jb...@nanthrax.net> wrote:
>>
>>> Let me try to reproduce the issue using bin/client. It's weird as bin/client is a ssh client, so it's basically the same as ssh.
>>>
>>> Did you see the issue with other commands ?
>>>
>>> I think that the ACL can be enhanced: instead of checking the -f option, it should check the bundle level. It's not so easy as bundle:uninstall accepts bundle ID, bundle name, etc.
>>>
>>> Regards
>>> JB
>>>
>>> On 01/15/2014 12:45 PM, Paul Spencer wrote:
>>>> JB,
>>>> If I connect to Karaf via SSH, the use case works, but if I connect via bin/client the use case fails.
>>>>
>>>> Why does the command uninstall without -f generate the log message “Current user does not have required roles ([manager]) for service” when connected to Karaf via bin/client?
>>>>
>>>>
>>>> ***
>>>> * Role definition in etc/system.properties
>>>> ***
>>>> sparrow-2:apache-karaf-3.0.0 paul$ grep local etc/system.properties
>>>> # Roles to use when logging into a local Karaf console.
>>>> karaf.local.roles = admin,manager,viewer
>>>> sparrow-2:apache-karaf-3.0.0 paul$
>>>>
>>>> ***
>>>> * Log of connecting to Karaf via SSH then bin/client
>>>> ***
>>>> sparrow-2:apache-karaf-3.0.0 paul$ ssh karaf@127.0.0.1 -p 8101
>>>> Authenticated with partial success.
>>>> Authenticated with partial success.
>>>> Password authentication
>>>> Password:
>>>> __ __ ____
>>>> / //_/____ __________ _/ __/
>>>> / ,< / __ `/ ___/ __ `/ /_
>>>> / /| |/ /_/ / / / /_/ / __/
>>>> /_/ |_|\__,_/_/ \__,_/_/
>>>>
>>>> Apache Karaf (3.0.0)
>>>>
>>>> Hit '<tab>' for a list of available commands
>>>> and '[cmd] --help' for help on a specific command.
>>>> Hit 'system:shutdown' to shutdown Karaf.
>>>> Hit '<ctrl-d>' or type 'logout' to disconnect shell from current session.
>>>>
>>>> karaf@root()> list
>>>> START LEVEL 100 , List Threshold: 50
>>>> ID | State | Lvl | Version | Name
>>>> ----------------------------------------------------------------------
>>>> 80 | Installed | 100 | 1.0.0.SNAPSHOT | APMS/EWM SAP File Distribution
>>>> karaf@root()> uninstall 80
>>>> karaf@root()> install mvn:com.intekon.customer.kc.ewm.web-service/ewm-sap-dist/1.0-SNAPSHOT
>>>> Bundle ID: 81
>>>> karaf@root()> uninstall 81
>>>> karaf@root()> logout
>>>> Connection to 127.0.0.1 closed.
>>>> sparrow-2:apache-karaf-3.0.0 paul$ bin/client
>>>> Logging in as karaf
>>>> 566 [pool-2-thread-2] WARN org.apache.sshd.client.keyverifier.AcceptAllServerKeyVerifier - Server at /0.0.0.0:8101 presented unverified key:
>>>> __ __ ____
>>>> / //_/____ __________ _/ __/
>>>> / ,< / __ `/ ___/ __ `/ /_
>>>> / /| |/ /_/ / / / /_/ / __/
>>>> /_/ |_|\__,_/_/ \__,_/_/
>>>>
>>>> Apache Karaf (3.0.0)
>>>>
>>>> Hit '<tab>' for a list of available commands
>>>> and '[cmd] --help' for help on a specific command.
>>>> Hit 'system:shutdown' to shutdown Karaf.
>>>> Hit '<ctrl-d>' or type 'logout' to disconnect shell from current session.
>>>>
>>>> karaf@root()> install mvn:com.intekon.customer.kc.ewm.web-service/ewm-sap-dist/1.0-SNAPSHOT
>>>> Bundle ID: 82
>>>> karaf@root()> uninstall 82
>>>> Error executing command: Insufficient credentials.
>>>> karaf@root()> list
>>>> START LEVEL 100 , List Threshold: 50
>>>> ID | State | Lvl | Version | Name
>>>> ----------------------------------------------------------------------
>>>> 82 | Installed | 80 | 1.0.0.SNAPSHOT | APMS/EWM SAP File Distribution
>>>> karaf@root()> logout
>>>> sparrow-2:apache-karaf-3.0.0 paul$
>>>>
>>>> ***
>>>> * From data/log/karaf.log
>>>> ***
>>>> 2014-01-15 06:34:25,902 | INFO | e ssh user karaf | GuardProxyCatalog | 42 - org.apache.karaf.service.guard - 3.0.0 | Current user does not have required roles ([manager]) for service [org.apache.karaf.shell.console.CompletableFunction, org.apache.karaf.shell.console.commands.BlueprintCommand, org.apache.karaf.shell.commands.CommandWithAction, org.apache.felix.service.command.Function, org.apache.karaf.shell.commands.basic.AbstractCommand] method public java.lang.Object org.apache.karaf.shell.commands.basic.AbstractCommand.execute(org.apache.felix.service.command.CommandSession,java.util.List) throws java.lang.Exception and/or arguments
>>>> 2014-01-15 06:34:25,902 | ERROR | e ssh user karaf | ShellUtil | 47 - org.apache.karaf.shell.console - 3.0.0 | Exception caught while executing command
>>>> java.lang.SecurityException: Insufficient credentials.
>>>> at org.apache.karaf.service.guard.impl.GuardProxyCatalog$ProxyInvocationListener.preInvoke(GuardProxyCatalog.java:527)
>>>> at org.apache.aries.proxy.impl.ProxyHandler$1.invoke(ProxyHandler.java:52)
>>>> at org.apache.aries.proxy.impl.ProxyHandler.invoke(ProxyHandler.java:119)
>>>> at org.apache.karaf.shell.console.commands.$BlueprintCommand1069614474.execute(Unknown Source)[47:org.apache.karaf.shell.console:3.0.0]
>>>> at org.apache.felix.gogo.runtime.CommandProxy.execute(CommandProxy.java:78)[47:org.apache.karaf.shell.console:3.0.0]
>>>> at org.apache.felix.gogo.runtime.Closure.executeCmd(Closure.java:477)[47:org.apache.karaf.shell.console:3.0.0]
>>>> at org.apache.felix.gogo.runtime.Closure.executeStatement(Closure.java:403)[47:org.apache.karaf.shell.console:3.0.0]
>>>> at org.apache.felix.gogo.runtime.Pipe.run(Pipe.java:108)[47:org.apache.karaf.shell.console:3.0.0]
>>>> at org.apache.felix.gogo.runtime.Closure.execute(Closure.java:183)[47:org.apache.karaf.shell.console:3.0.0]
>>>> at org.apache.felix.gogo.runtime.Closure.execute(Closure.java:120)[47:org.apache.karaf.shell.console:3.0.0]
>>>> at org.apache.felix.gogo.runtime.CommandSessionImpl.execute(CommandSessionImpl.java:89)
>>>> at org.apache.karaf.shell.console.impl.jline.ConsoleImpl$DelegateSession.execute(ConsoleImpl.java:497)
>>>> at org.apache.karaf.shell.console.impl.jline.ConsoleImpl.run(ConsoleImpl.java:198)
>>>> at java.lang.Thread.run(Thread.java:724)[:1.7.0_25]
>>>> at org.apache.karaf.shell.console.impl.jline.ConsoleFactoryService$3.doRun(ConsoleFactoryService.java:118)[47:org.apache.karaf.shell.console:3.0.0]
>>>> at org.apache.karaf.shell.console.impl.jline.ConsoleFactoryService$3$1.run(ConsoleFactoryService.java:109)
>>>> at java.security.AccessController.doPrivileged(Native Method)[:1.7.0_25]
>>>> at org.apache.karaf.jaas.modules.JaasHelper.doAs(JaasHelper.java:47)[48:org.apache.karaf.jaas.modules:3.0.0]
>>>> at org.apache.karaf.shell.console.impl.jline.ConsoleFactoryService$3.run(ConsoleFactoryService.java:107)[47:org.apache.karaf.shell.console:3.0.0]
>>>>
>>>>
>>>> On Jan 15, 2014, at 12:37 AM, Jean-Baptiste Onofré <jb...@nanthrax.net> wrote:
>>>>
>>>>> Hi Paul,
>>>>>
>>>>> it's not a regression: command, services, and JMX security don't exist at all in 2.3.x, it's a new feature from 3.0.0.
>>>>>
>>>>> The local roles are defined in etc/system.properties:
>>>>>
>>>>> karaf.local.roles = admin,manager,viewer
>>>>>
>>>>> It's the roles used by the "local" console. When you use a remote console (via ssh), Karaf uses the role of the user.
>>>>>
>>>>> If you take a look at etc/org.apache.karaf.command.acl.bundle.cfg, you can see:
>>>>>
>>>>> uninstall[/.*[-][f].*/] = admin
>>>>> uninstall = manager
>>>>>
>>>>> If you are manager, you can use uninstall for non-system bundles (with start level greater than 80, so without requiring the -f option). To uninstall a system bundle, you have to be admin (who can use the -f option for system bundles).
>>>>>
>>>>> Regards
>>>>> JB
>>>>>
>>>>> On 01/14/2014 10:34 PM, Paul Spencer wrote:
>>>>>> JB,
>>>>>> - The use case is successful in 2.3.x, so this sounds like a regression issue.
>>>>>>
>>>>>> - Per etc/system.properties, the local user has admin and manage roles.
>>>>>>
>>>>>> karaf@root()> jaas:realm-manage --index 1
>>>>>> karaf@root()> jaas:user-list
>>>>>> User Name | Group | Role
>>>>>> --------------------------------
>>>>>> karaf | admingroup | admin
>>>>>> karaf | admingroup | manager
>>>>>> karaf | admingroup | viewer
>>>>>> karaf@root()>
>>>>>>
>>>>>>
>>>>>> - The way I am reading etc/org.apache.karaf.command.acl.bundle.cfg, a user in the admin group can “install” a bundle and needs to be in the manager group to “uninstall” without the “-f” option.
>>>>>>
>>>>>> karaf@root()> bundle:uninstall 79
>>>>>> Error executing command: Insufficient credentials.
>>>>>> karaf@root()> bundle:uninstall -f 79
>>>>>> karaf@root()>
>>>>>>
>>>>>> So why is the “bundle:uninstall” command failing when the local user has the manager role?
>>>>>>
>>>>>> Paul Spencer
>>>>>>
>>>>>>
>>>>>>
>>>>>> On Jan 14, 2014, at 2:29 PM, Jean-Baptiste Onofré <jb...@nanthrax.net> wrote:
>>>>>>
>>>>>>> Hi Paul,
>>>>>>>
>>>>>>> take a look in the documentation:
>>>>>>>
>>>>>>> http://karaf.apache.org/manual/latest/users-guide/security.html
>>>>>>>
>>>>>>> in the console section.
>>>>>>>
>>>>>>> You will find the explanations about etc/org.apache.karaf.command.acl.<scope>.cfg files.
>>>>>>>
>>>>>>> Regards
>>>>>>> JB
>>>>>>>
>>>>>>> On 01/14/2014 07:14 PM, Paul Spencer wrote:
>>>>>>>> Karaf 3.0.0 running on Apple OSX Maverick (10.9.1)
>>>>>>>>
>>>>>>>> I am getting a "java.lang.SecurityException: Insufficient credentials.” error when executing various commands on a newly installed Karaf 3.0.0. The use case below is for uninstalling a bundle.
>>>>>>>>
>>>>>>>> Is there a configuration change I need to make?
>>>>>>>>
>>>>>>>> ***
>>>>>>>> * Use case
>>>>>>>> ***
>>>>>>>> 1) unzipped the distribution
>>>>>>>> 2) Start the Karaf server with bin/start
>>>>>>>> 3) Tail the log file until the JMX OSGi Agent is finished registering objects (about 30 seconds)
>>>>>>>> 4) Start the Karaf client with bin/client
>>>>>>>> 5) Install a bundle
>>>>>>>> 6) Uninstall the newly installed bundle
>>>>>>>>
>>>>>>>>
>>>>>>>> ***
>>>>>>>> * Command output
>>>>>>>> ***
>>>>>>>> karaf@root()> install mvn:com.intekon.customer.kc.ewm.web-service/ewm-sap-dist/1.0-SNAPSHOT
>>>>>>>> Bundle ID: 79
>>>>>>>> karaf@root()> uninstall 79
>>>>>>>> Error executing command: Insufficient credentials.
>>>>>>>> karaf@root()>
>>>>>>>>
>>>>>>>>
>>>>>>>> ***
>>>>>>>> * From karaf.log (I can post the full 28K log if necessary)
>>>>>>>> ***
>>>>>>>> 2014-01-14 12:50:07,960 | INFO | e ssh user karaf | GuardProxyCatalog | 42 - org.apache.karaf.service.guard - 3.0.0 | Current user does not have required roles ([manager]) for service [org.apache.karaf.shell.console.CompletableFunction, org.apache.karaf.shell.console.commands.BlueprintCommand, org.apache.karaf.shell.commands.CommandWithAction, org.apache.felix.service.command.Function, org.apache.karaf.shell.commands.basic.AbstractCommand] method public java.lang.Object org.apache.karaf.shell.commands.basic.AbstractCommand.execute(org.apache.felix.service.command.CommandSession,java.util.List) throws java.lang.Exception and/or arguments
>>>>>>>> 2014-01-14 12:50:07,960 | ERROR | e ssh user karaf | ShellUtil | 47 - org.apache.karaf.shell.console - 3.0.0 | Exception caught while executing command
>>>>>>>> java.lang.SecurityException: Insufficient credentials.
>>>>>>>> at org.apache.karaf.service.guard.impl.GuardProxyCatalog$ProxyInvocationListener.preInvoke(GuardProxyCatalog.java:527)
>>>>>>>> at org.apache.aries.proxy.impl.ProxyHandler$1.invoke(ProxyHandler.java:52)
>>>>>>>> at org.apache.aries.proxy.impl.ProxyHandler.invoke(ProxyHandler.java:119)
>>>>>>>> at org.apache.karaf.shell.console.commands.$BlueprintCommand474733692.execute(Unknown Source)[47:org.apache.karaf.shell.console:3.0.0]
>>>>>>>> at org.apache.felix.gogo.runtime.CommandProxy.execute(CommandProxy.java:78)[47:org.apache.karaf.shell.console:3.0.0]
>>>>>>>> at org.apache.felix.gogo.runtime.Closure.executeCmd(Closure.java:477)[47:org.apache.karaf.shell.console:3.0.0]
>>>>>>>> at org.apache.felix.gogo.runtime.Closure.executeStatement(Closure.java:403)[47:org.apache.karaf.shell.console:3.0.0]
>>>>>>>> at org.apache.felix.gogo.runtime.Pipe.run(Pipe.java:108)[47:org.apache.karaf.shell.console:3.0.0]
>>>>>>>> at org.apache.felix.gogo.runtime.Closure.execute(Closure.java:183)[47:org.apache.karaf.shell.console:3.0.0]
>>>>>>>> at org.apache.felix.gogo.runtime.Closure.execute(Closure.java:120)[47:org.apache.karaf.shell.console:3.0.0]
>>>>>>>> at org.apache.felix.gogo.runtime.CommandSessionImpl.execute(CommandSessionImpl.java:89)
>>>>>>>> at org.apache.karaf.shell.console.impl.jline.ConsoleImpl$DelegateSession.execute(ConsoleImpl.java:497)
>>>>>>>> at org.apache.karaf.shell.console.impl.jline.ConsoleImpl.run(ConsoleImpl.java:198)
>>>>>>>> at java.lang.Thread.run(Thread.java:724)[:1.7.0_25]
>>>>>>>> at org.apache.karaf.shell.console.impl.jline.ConsoleFactoryService$3.doRun(ConsoleFactoryService.java:118)[47:org.apache.karaf.shell.console:3.0.0]
>>>>>>>> at org.apache.karaf.shell.console.impl.jline.ConsoleFactoryService$3$1.run(ConsoleFactoryService.java:109)
>>>>>>>> at java.security.AccessController.doPrivileged(Native Method)[:1.7.0_25]
>>>>>>>> at org.apache.karaf.jaas.modules.JaasHelper.doAs(JaasHelper.java:47)[48:org.apache.karaf.jaas.modules:3.0.0]
>>>>>>>> at org.apache.karaf.shell.console.impl.jline.ConsoleFactoryService$3.run(ConsoleFactoryService.java:107)[47:org.apache.karaf.shell.console:3.0.0]
>>>>>>>>
>>>>>>>> Paul Spencer
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> Jean-Baptiste Onofré
>>>>>>> jbonofre@apache.org
>>>>>>> http://blog.nanthrax.net
>>>>>>> Talend - http://www.talend.com
>>>>>>
>>>>>
>>>>> --
>>>>> Jean-Baptiste Onofré
>>>>> jbonofre@apache.org
>>>>> http://blog.nanthrax.net
>>>>> Talend - http://www.talend.com
>>>>
>>>
>>> --
>>> Jean-Baptiste Onofré
>>> jbonofre@apache.org
>>> http://blog.nanthrax.net
>>> Talend - http://www.talend.com
>>
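Added example (not part of the thread and not Karaf's own code): a small Python model of the two settings discussed above, the karaf.secured.services line whose removal is the workaround and the two uninstall rules from etc/org.apache.karaf.command.acl.bundle.cfg, useful for auditing an instance where the workaround was left in place. Assumptions: the argument regex is matched against the whole space-joined argument string, a rule with an argument regex takes precedence over the bare rule, and the "admin only" session is constructed (the thread does not state which roles the bin/client session carried).

```python
import re

# Constructed inputs: the property and ACL lines are the ones quoted in the thread.
SYSTEM_PROPERTIES = """\
# Roles to use when logging into a local Karaf console.
karaf.local.roles = admin,manager,viewer
karaf.secured.services = (&(osgi.command.scope=*)(osgi.command.function=*))
"""
# Same file with the workaround from the thread applied (line commented out).
SYSTEM_PROPERTIES_WORKAROUND = SYSTEM_PROPERTIES.replace(
    "karaf.secured.services", "#karaf.secured.services")

# etc/org.apache.karaf.command.acl.bundle.cfg, reduced to the two quoted rules.
BUNDLE_ACL = """\
uninstall[/.*[-][f].*/] = admin
uninstall = manager
"""

# command name, optionally followed by [/regex/] for the arguments
RULE_KEY = re.compile(r"^(?P<cmd>[^\[\s]+)(?:\[/(?P<rx>.*)/\])?$")


def active_lines(text):
    """Yield non-blank lines that are not '#' or '!' comments."""
    for raw in text.splitlines():
        line = raw.strip()
        if line and line[0] not in "#!":
            yield line


def parse_properties(text):
    """key = value pairs; split on the first '=' because values may contain '='."""
    props = {}
    for line in active_lines(text):
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def command_rbac_enabled(system_properties):
    """True when an uncommented karaf.secured.services filter covers shell commands."""
    value = parse_properties(system_properties).get("karaf.secured.services", "")
    return "osgi.command.scope" in value


def parse_acl(text):
    """Return [(command, argument_regex_or_None, roles)] in file order."""
    rules = []
    for line in active_lines(text):
        key, sep, roles = line.rpartition("=")  # role names never contain '='
        m = RULE_KEY.match(key.strip())
        if sep and m:
            role_set = {r.strip() for r in roles.split(",") if r.strip()}
            rules.append((m.group("cmd"), m.group("rx"), role_set))
    return rules


def required_roles(acl_text, command, args):
    """Roles demanded for one invocation, or None when the file has no rule.

    Assumption: the regex must match the whole space-joined argument string,
    and a matching regex rule wins over the bare command rule.
    """
    joined = " ".join(args)
    rules = [r for r in parse_acl(acl_text) if r[0] == command]
    for _, rx, roles in rules:
        if rx is not None and re.fullmatch(rx, joined):
            return roles
    for _, rx, roles in rules:
        if rx is None:
            return roles
    return None


def evaluate(system_properties, acl_text, session_roles, command, args):
    """Return 'unguarded', 'allowed', 'denied' or 'no-rule' for an invocation."""
    if not command_rbac_enabled(system_properties):
        return "unguarded"  # workaround applied: no role check on shell commands
    needed = required_roles(acl_text, command, args)
    if needed is None:
        return "no-rule"
    return "allowed" if needed & set(session_roles) else "denied"


if __name__ == "__main__":
    local = parse_properties(SYSTEM_PROPERTIES)["karaf.local.roles"].split(",")
    partial = ["admin"]  # constructed: a session that lacks 'manager'
    for roles in (local, partial):
        for args in (["79"], ["-f", "79"]):
            print(roles, "uninstall", args, "->",
                  evaluate(SYSTEM_PROPERTIES, BUNDLE_ACL, roles, "uninstall", args))
    print("workaround ->", evaluate(SYSTEM_PROPERTIES_WORKAROUND, BUNDLE_ACL,
                                    partial, "uninstall", ["79"]))
```

In this model a session without the manager role is denied "uninstall 79" but allowed "uninstall -f 79", the same pattern as in the console output quoted above, and with the workaround applied every command reports "unguarded".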
Re: Getting a "java.lang.SecurityException: Insufficient credentials.” error when executing various commands in Karaf 3.0.0
Posted by Jean-Baptiste Onofré <jb...@nanthrax.net>.
Hi David,
I started to fix the client (it's not a big deal as it's likely a SSH
client).
I'm going to create the Jira and attach my current patch.
Regards
JB
On 01/16/2014 09:43 AM, David Bosschaert wrote:
> Hi Paul,
>
> This could be an omission on my part. When I worked on the command
> security I didn't really focus on the client command, but mainly
> worked with the bin/karaf command and SSH access.
>
> I can look into this. Would you like to file a bug for it?
>
> In the meantime, if you need the bin/client command to access Karaf,
> you can use it with the shell commands RBAC disabled. You can disable
> it by commenting out the following line in etc/system.properties:
> karaf.secured.services = (&(osgi.command.scope=*)(osgi.command.function=*))
>
> Cheers,
>
> David
>
> On 15 January 2014 12:54, Paul Spencer <pa...@apache.org> wrote:
>> JB,
>> I have seen the error with other commands while developing a bundle, although I focused on the bundle:uninstall.
>>
>> In addition to connecting to Karaf with ssh, the use case succeeds when connecting with bin/karaf.
>>
>> Paul Spencer
>> On Jan 15, 2014, at 7:15 AM, Jean-Baptiste Onofré <jb...@nanthrax.net> wrote:
>>
>>> Let me try to reproduce the issue using bin/client. It's weird as bin/client is a ssh client, so it's basically the same as ssh.
>>>
>>> Did you see the issue with other commands ?
>>>
>>> I think that the ACL can be enhanced: instead of checking the -f option, it should check the bundle level. It's not so easy as bundle:uninstall accepts bundle ID, bundle name, etc.
>>>
>>> Regards
>>> JB
>>>
>>> On 01/15/2014 12:45 PM, Paul Spencer wrote:
>>>> JB,
>>>> If I connect to Karaf via SSH, the use case works, but if I connect via bin/client the use case fails.
>>>>
>>>> Why does the command uninstall without -f generate the log message “Current user does not have required roles ([manager]) for service” when connected to Karaf via bin/client?
>>>>
>>>>
>>>> ***
>>>> * Role definition in etc/system.properties
>>>> ***
>>>> sparrow-2:apache-karaf-3.0.0 paul$ grep local etc/system.properties
>>>> # Roles to use when logging into a local Karaf console.
>>>> karaf.local.roles = admin,manager,viewer
>>>> sparrow-2:apache-karaf-3.0.0 paul$
>>>>
>>>> ***
>>>> * Log of connecting to Karaf via SSH then bin/client
>>>> ***
>>>> sparrow-2:apache-karaf-3.0.0 paul$ ssh karaf@127.0.0.1 -p 8101
>>>> Authenticated with partial success.
>>>> Authenticated with partial success.
>>>> Password authentication
>>>> Password:
>>>> __ __ ____
>>>> / //_/____ __________ _/ __/
>>>> / ,< / __ `/ ___/ __ `/ /_
>>>> / /| |/ /_/ / / / /_/ / __/
>>>> /_/ |_|\__,_/_/ \__,_/_/
>>>>
>>>> Apache Karaf (3.0.0)
>>>>
>>>> Hit '<tab>' for a list of available commands
>>>> and '[cmd] --help' for help on a specific command.
>>>> Hit 'system:shutdown' to shutdown Karaf.
>>>> Hit '<ctrl-d>' or type 'logout' to disconnect shell from current session.
>>>>
>>>> karaf@root()> list
>>>> START LEVEL 100 , List Threshold: 50
>>>> ID | State | Lvl | Version | Name
>>>> ----------------------------------------------------------------------
>>>> 80 | Installed | 100 | 1.0.0.SNAPSHOT | APMS/EWM SAP File Distribution
>>>> karaf@root()> uninstall 80
>>>> karaf@root()> install mvn:com.intekon.customer.kc.ewm.web-service/ewm-sap-dist/1.0-SNAPSHOT
>>>> Bundle ID: 81
>>>> karaf@root()> uninstall 81
>>>> karaf@root()> logout
>>>> Connection to 127.0.0.1 closed.
>>>> sparrow-2:apache-karaf-3.0.0 paul$ bin/client
>>>> Logging in as karaf
>>>> 566 [pool-2-thread-2] WARN org.apache.sshd.client.keyverifier.AcceptAllServerKeyVerifier - Server at /0.0.0.0:8101 presented unverified key:
>>>> __ __ ____
>>>> / //_/____ __________ _/ __/
>>>> / ,< / __ `/ ___/ __ `/ /_
>>>> / /| |/ /_/ / / / /_/ / __/
>>>> /_/ |_|\__,_/_/ \__,_/_/
>>>>
>>>> Apache Karaf (3.0.0)
>>>>
>>>> Hit '<tab>' for a list of available commands
>>>> and '[cmd] --help' for help on a specific command.
>>>> Hit 'system:shutdown' to shutdown Karaf.
>>>> Hit '<ctrl-d>' or type 'logout' to disconnect shell from current session.
>>>>
>>>> karaf@root()> install mvn:com.intekon.customer.kc.ewm.web-service/ewm-sap-dist/1.0-SNAPSHOT
>>>> Bundle ID: 82
>>>> karaf@root()> uninstall 82
>>>> Error executing command: Insufficient credentials.
>>>> karaf@root()> list
>>>> START LEVEL 100 , List Threshold: 50
>>>> ID | State | Lvl | Version | Name
>>>> ----------------------------------------------------------------------
>>>> 82 | Installed | 80 | 1.0.0.SNAPSHOT | APMS/EWM SAP File Distribution
>>>> karaf@root()> logout
>>>> sparrow-2:apache-karaf-3.0.0 paul$
>>>>
>>>> ***
>>>> * From data/log/karaf.log
>>>> ***
>>>> 2014-01-15 06:34:25,902 | INFO | e ssh user karaf | GuardProxyCatalog | 42 - org.apache.karaf.service.guard - 3.0.0 | Current user does not have required roles ([manager]) for service [org.apache.karaf.shell.console.CompletableFunction, org.apache.karaf.shell.console.commands.BlueprintCommand, org.apache.karaf.shell.commands.CommandWithAction, org.apache.felix.service.command.Function, org.apache.karaf.shell.commands.basic.AbstractCommand] method public java.lang.Object org.apache.karaf.shell.commands.basic.AbstractCommand.execute(org.apache.felix.service.command.CommandSession,java.util.List) throws java.lang.Exception and/or arguments
>>>> 2014-01-15 06:34:25,902 | ERROR | e ssh user karaf | ShellUtil | 47 - org.apache.karaf.shell.console - 3.0.0 | Exception caught while executing command
>>>> java.lang.SecurityException: Insufficient credentials.
>>>> at org.apache.karaf.service.guard.impl.GuardProxyCatalog$ProxyInvocationListener.preInvoke(GuardProxyCatalog.java:527)
>>>> at org.apache.aries.proxy.impl.ProxyHandler$1.invoke(ProxyHandler.java:52)
>>>> at org.apache.aries.proxy.impl.ProxyHandler.invoke(ProxyHandler.java:119)
>>>> at org.apache.karaf.shell.console.commands.$BlueprintCommand1069614474.execute(Unknown Source)[47:org.apache.karaf.shell.console:3.0.0]
>>>> at org.apache.felix.gogo.runtime.CommandProxy.execute(CommandProxy.java:78)[47:org.apache.karaf.shell.console:3.0.0]
>>>> at org.apache.felix.gogo.runtime.Closure.executeCmd(Closure.java:477)[47:org.apache.karaf.shell.console:3.0.0]
>>>> at org.apache.felix.gogo.runtime.Closure.executeStatement(Closure.java:403)[47:org.apache.karaf.shell.console:3.0.0]
>>>> at org.apache.felix.gogo.runtime.Pipe.run(Pipe.java:108)[47:org.apache.karaf.shell.console:3.0.0]
>>>> at org.apache.felix.gogo.runtime.Closure.execute(Closure.java:183)[47:org.apache.karaf.shell.console:3.0.0]
>>>> at org.apache.felix.gogo.runtime.Closure.execute(Closure.java:120)[47:org.apache.karaf.shell.console:3.0.0]
>>>> at org.apache.felix.gogo.runtime.CommandSessionImpl.execute(CommandSessionImpl.java:89)
>>>> at org.apache.karaf.shell.console.impl.jline.ConsoleImpl$DelegateSession.execute(ConsoleImpl.java:497)
>>>> at org.apache.karaf.shell.console.impl.jline.ConsoleImpl.run(ConsoleImpl.java:198)
>>>> at java.lang.Thread.run(Thread.java:724)[:1.7.0_25]
>>>> at org.apache.karaf.shell.console.impl.jline.ConsoleFactoryService$3.doRun(ConsoleFactoryService.java:118)[47:org.apache.karaf.shell.console:3.0.0]
>>>> at org.apache.karaf.shell.console.impl.jline.ConsoleFactoryService$3$1.run(ConsoleFactoryService.java:109)
>>>> at java.security.AccessController.doPrivileged(Native Method)[:1.7.0_25]
>>>> at org.apache.karaf.jaas.modules.JaasHelper.doAs(JaasHelper.java:47)[48:org.apache.karaf.jaas.modules:3.0.0]
>>>> at org.apache.karaf.shell.console.impl.jline.ConsoleFactoryService$3.run(ConsoleFactoryService.java:107)[47:org.apache.karaf.shell.console:3.0.0]
>>>>
>>>>
>>>> On Jan 15, 2014, at 12:37 AM, Jean-Baptiste Onofré <jb...@nanthrax.net> wrote:
>>>>
>>>>> Hi Paul,
>>>>>
>>>>> it's not a regression: command, services, and JMX security don't exist at all in 2.3.x, it's a new feature from 3.0.0.
>>>>>
>>>>> The local roles are defined in etc/system.properties:
>>>>>
>>>>> karaf.local.roles = admin,manager,viewer
>>>>>
>>>>> It's the roles used by the "local" console. When you use a remote console (via ssh), Karaf uses the role of the user.
>>>>>
>>>>> If you take a look at etc/org.apache.karaf.command.acl.bundle.cfg, you can see:
>>>>>
>>>>> uninstall[/.*[-][f].*/] = admin
>>>>> uninstall = manager
>>>>>
>>>>> If you are manager, you can use uninstall for non-system bundles (with start level greater than 80, so without requiring the -f option). To uninstall a system bundle, you have to be admin (who can use the -f option for system bundles).
>>>>>
>>>>> Regards
>>>>> JB
>>>>>
>>>>> On 01/14/2014 10:34 PM, Paul Spencer wrote:
>>>>>> JB,
>>>>>> - The use case is successful in 2.3.x, so this sounds like a regression issue.
>>>>>>
>>>>>> - Per etc/system.properties, the local user has admin and manage roles.
>>>>>>
>>>>>> karaf@root()> jaas:realm-manage --index 1
>>>>>> karaf@root()> jaas:user-list
>>>>>> User Name | Group | Role
>>>>>> --------------------------------
>>>>>> karaf | admingroup | admin
>>>>>> karaf | admingroup | manager
>>>>>> karaf | admingroup | viewer
>>>>>> karaf@root()>
>>>>>>
>>>>>>
>>>>>> - The way I am reading etc/org.apache.karaf.command.acl.bundle.cfg, a user in the admin group can “install” a bundle and needs to be in the manager group to “uninstall” without the “-f” option.
>>>>>>
>>>>>> karaf@root()> bundle:uninstall 79
>>>>>> Error executing command: Insufficient credentials.
>>>>>> karaf@root()> bundle:uninstall -f 79
>>>>>> karaf@root()>
>>>>>>
>>>>>> So why is the “bundle:uninstall” command failing when the local user has the manager role?
>>>>>>
>>>>>> Paul Spencer
>>>>>>
>>>>>>
>>>>>>
>>>>>> On Jan 14, 2014, at 2:29 PM, Jean-Baptiste Onofré <jb...@nanthrax.net> wrote:
>>>>>>
>>>>>>> Hi Paul,
>>>>>>>
>>>>>>> take a look in the documentation:
>>>>>>>
>>>>>>> http://karaf.apache.org/manual/latest/users-guide/security.html
>>>>>>>
>>>>>>> in the console section.
>>>>>>>
>>>>>>> You will find the explanations about etc/org.apache.karaf.command.acl.<scope>.cfg files.
>>>>>>>
>>>>>>> Regards
>>>>>>> JB
>>>>>>>
>>>>>>> On 01/14/2014 07:14 PM, Paul Spencer wrote:
>>>>>>>> Karaf 3.0.0 running on Apple OSX Maverick (10.9.1)
>>>>>>>>
>>>>>>>> I am getting a "java.lang.SecurityException: Insufficient credentials.” error when executing various commands on a newly installed Karaf 3.0.0. The use case below is for uninstalling a bundle.
>>>>>>>>
>>>>>>>> Is there a configuration change I need to make?
>>>>>>>>
>>>>>>>> ***
>>>>>>>> * Use case
>>>>>>>> ***
>>>>>>>> 1) unzipped the distribution
>>>>>>>> 2) Start the Karaf server with bin/start
>>>>>>>> 3) Tail the log file until the JMX OSGi Agent is finished registering objects (about 30 seconds)
>>>>>>>> 4) Start the Karaf client with bin/client
>>>>>>>> 5) Install a bundle
>>>>>>>> 6) Uninstall the newly installed bundle
>>>>>>>>
>>>>>>>>
>>>>>>>> ***
>>>>>>>> * Command output
>>>>>>>> ***
>>>>>>>> karaf@root()> install mvn:com.intekon.customer.kc.ewm.web-service/ewm-sap-dist/1.0-SNAPSHOT
>>>>>>>> Bundle ID: 79
>>>>>>>> karaf@root()> uninstall 79
>>>>>>>> Error executing command: Insufficient credentials.
>>>>>>>> karaf@root()>
>>>>>>>>
>>>>>>>>
>>>>>>>> ***
>>>>>>>> * From karaf.log (I can post the full 28K log if necessary)
>>>>>>>> ***
>>>>>>>> 2014-01-14 12:50:07,960 | INFO | e ssh user karaf | GuardProxyCatalog | 42 - org.apache.karaf.service.guard - 3.0.0 | Current user does not have required roles ([manager]) for service [org.apache.karaf.shell.console.CompletableFunction, org.apache.karaf.shell.console.commands.BlueprintCommand, org.apache.karaf.shell.commands.CommandWithAction, org.apache.felix.service.command.Function, org.apache.karaf.shell.commands.basic.AbstractCommand] method public java.lang.Object org.apache.karaf.shell.commands.basic.AbstractCommand.execute(org.apache.felix.service.command.CommandSession,java.util.List) throws java.lang.Exception and/or arguments
>>>>>>>> 2014-01-14 12:50:07,960 | ERROR | e ssh user karaf | ShellUtil | 47 - org.apache.karaf.shell.console - 3.0.0 | Exception caught while executing command
>>>>>>>> java.lang.SecurityException: Insufficient credentials.
>>>>>>>> at org.apache.karaf.service.guard.impl.GuardProxyCatalog$ProxyInvocationListener.preInvoke(GuardProxyCatalog.java:527)
>>>>>>>> at org.apache.aries.proxy.impl.ProxyHandler$1.invoke(ProxyHandler.java:52)
>>>>>>>> at org.apache.aries.proxy.impl.ProxyHandler.invoke(ProxyHandler.java:119)
>>>>>>>> at org.apache.karaf.shell.console.commands.$BlueprintCommand474733692.execute(Unknown Source)[47:org.apache.karaf.shell.console:3.0.0]
>>>>>>>> at org.apache.felix.gogo.runtime.CommandProxy.execute(CommandProxy.java:78)[47:org.apache.karaf.shell.console:3.0.0]
>>>>>>>> at org.apache.felix.gogo.runtime.Closure.executeCmd(Closure.java:477)[47:org.apache.karaf.shell.console:3.0.0]
>>>>>>>> at org.apache.felix.gogo.runtime.Closure.executeStatement(Closure.java:403)[47:org.apache.karaf.shell.console:3.0.0]
>>>>>>>> at org.apache.felix.gogo.runtime.Pipe.run(Pipe.java:108)[47:org.apache.karaf.shell.console:3.0.0]
>>>>>>>> at org.apache.felix.gogo.runtime.Closure.execute(Closure.java:183)[47:org.apache.karaf.shell.console:3.0.0]
>>>>>>>> at org.apache.felix.gogo.runtime.Closure.execute(Closure.java:120)[47:org.apache.karaf.shell.console:3.0.0]
>>>>>>>> at org.apache.felix.gogo.runtime.CommandSessionImpl.execute(CommandSessionImpl.java:89)
>>>>>>>> at org.apache.karaf.shell.console.impl.jline.ConsoleImpl$DelegateSession.execute(ConsoleImpl.java:497)
>>>>>>>> at org.apache.karaf.shell.console.impl.jline.ConsoleImpl.run(ConsoleImpl.java:198)
>>>>>>>> at java.lang.Thread.run(Thread.java:724)[:1.7.0_25]
>>>>>>>> at org.apache.karaf.shell.console.impl.jline.ConsoleFactoryService$3.doRun(ConsoleFactoryService.java:118)[47:org.apache.karaf.shell.console:3.0.0]
>>>>>>>> at org.apache.karaf.shell.console.impl.jline.ConsoleFactoryService$3$1.run(ConsoleFactoryService.java:109)
>>>>>>>> at java.security.AccessController.doPrivileged(Native Method)[:1.7.0_25]
>>>>>>>> at org.apache.karaf.jaas.modules.JaasHelper.doAs(JaasHelper.java:47)[48:org.apache.karaf.jaas.modules:3.0.0]
>>>>>>>> at org.apache.karaf.shell.console.impl.jline.ConsoleFactoryService$3.run(ConsoleFactoryService.java:107)[47:org.apache.karaf.shell.console:3.0.0]
>>>>>>>>
>>>>>>>> Paul Spencer
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> Jean-Baptiste Onofré
>>>>>>> jbonofre@apache.org
>>>>>>> http://blog.nanthrax.net
>>>>>>> Talend - http://www.talend.com
>>>>>>
>>>>>
>>>>> --
>>>>> Jean-Baptiste Onofré
>>>>> jbonofre@apache.org
>>>>> http://blog.nanthrax.net
>>>>> Talend - http://www.talend.com
>>>>
>>>
>>> --
>>> Jean-Baptiste Onofré
>>> jbonofre@apache.org
>>> http://blog.nanthrax.net
>>> Talend - http://www.talend.com
>>
--
Jean-Baptiste Onofré
jbonofre@apache.org
http://blog.nanthrax.net
Talend - http://www.talend.com
Re: Getting a "java.lang.SecurityException: Insufficient credentials.” error when executing various commands in Karaf 3.0.0
Posted by David Bosschaert <da...@gmail.com>.
Hi Paul,
This could be an omission on my part. When I worked on the command
security I didn't really focus on the client command, but mainly
worked with the bin/karaf command and SSH access.
I can look into this. Would you like to file a bug for it?
In the meantime, if you need the bin/client command to access Karaf,
you can use it with the shell commands RBAC disabled. You can disable
it by commenting out the following line in etc/system.properties:
karaf.secured.services = (&(osgi.command.scope=*)(osgi.command.function=*))
Cheers,
David
On 15 January 2014 12:54, Paul Spencer <pa...@apache.org> wrote:
> JB,
> I have seen the error with other commands while developing a bundle, although I focused on the bundle:uninstall.
>
> In addition to connecting to Karaf with ssh, the use case succeeds when connecting with bin/karaf.
>
> Paul Spencer
> On Jan 15, 2014, at 7:15 AM, Jean-Baptiste Onofré <jb...@nanthrax.net> wrote:
>
>> Let me try to reproduce the issue using bin/client. It's weird as bin/client is an ssh client, so it's basically the same as ssh.
>>
>> Did you see the issue with other commands?
>>
>> I think that the ACL can be enhanced: instead of checking the -f option, it should check the bundle level. It's not so easy as bundle:uninstall accepts bundle ID, bundle name, etc.
>>
>> Regards
>> JB
>>
>> On 01/15/2014 12:45 PM, Paul Spencer wrote:
>>> JB,
>>> If I connect to Karaf via SSH, the use case works, but if I connect via bin/client the use case fails.
>>>
>>> Why does the command uninstall without -f generate the log message “Current user does not have required roles ([manager]) for service” when connected to Karaf via bin/client?
>>>
>>>
>>> ***
>>> * Role definition in etc/system.properties
>>> ***
>>> sparrow-2:apache-karaf-3.0.0 paul$ grep local etc/system.properties
>>> # Roles to use when logging into a local Karaf console.
>>> karaf.local.roles = admin,manager,viewer
>>> sparrow-2:apache-karaf-3.0.0 paul$
>>>
>>> ***
>>> * Log of connecting to Karaf via SSH then bin/client
>>> ***
>>> sparrow-2:apache-karaf-3.0.0 paul$ ssh karaf@127.0.0.1 -p 8101
>>> Authenticated with partial success.
>>> Authenticated with partial success.
>>> Password authentication
>>> Password:
>>> __ __ ____
>>> / //_/____ __________ _/ __/
>>> / ,< / __ `/ ___/ __ `/ /_
>>> / /| |/ /_/ / / / /_/ / __/
>>> /_/ |_|\__,_/_/ \__,_/_/
>>>
>>> Apache Karaf (3.0.0)
>>>
>>> Hit '<tab>' for a list of available commands
>>> and '[cmd] --help' for help on a specific command.
>>> Hit 'system:shutdown' to shutdown Karaf.
>>> Hit '<ctrl-d>' or type 'logout' to disconnect shell from current session.
>>>
>>> karaf@root()> list
>>> START LEVEL 100 , List Threshold: 50
>>> ID | State | Lvl | Version | Name
>>> ----------------------------------------------------------------------
>>> 80 | Installed | 100 | 1.0.0.SNAPSHOT | APMS/EWM SAP File Distribution
>>> karaf@root()> uninstall 80
>>> karaf@root()> install mvn:com.intekon.customer.kc.ewm.web-service/ewm-sap-dist/1.0-SNAPSHOT
>>> Bundle ID: 81
>>> karaf@root()> uninstall 81
>>> karaf@root()> logout
>>> Connection to 127.0.0.1 closed.
>>> sparrow-2:apache-karaf-3.0.0 paul$ bin/client
>>> Logging in as karaf
>>> 566 [pool-2-thread-2] WARN org.apache.sshd.client.keyverifier.AcceptAllServerKeyVerifier - Server at /0.0.0.0:8101 presented unverified key:
>>> __ __ ____
>>> / //_/____ __________ _/ __/
>>> / ,< / __ `/ ___/ __ `/ /_
>>> / /| |/ /_/ / / / /_/ / __/
>>> /_/ |_|\__,_/_/ \__,_/_/
>>>
>>> Apache Karaf (3.0.0)
>>>
>>> Hit '<tab>' for a list of available commands
>>> and '[cmd] --help' for help on a specific command.
>>> Hit 'system:shutdown' to shutdown Karaf.
>>> Hit '<ctrl-d>' or type 'logout' to disconnect shell from current session.
>>>
>>> karaf@root()> install mvn:com.intekon.customer.kc.ewm.web-service/ewm-sap-dist/1.0-SNAPSHOT
>>> Bundle ID: 82
>>> karaf@root()> uninstall 82
>>> Error executing command: Insufficient credentials.
>>> karaf@root()> list
>>> START LEVEL 100 , List Threshold: 50
>>> ID | State | Lvl | Version | Name
>>> ----------------------------------------------------------------------
>>> 82 | Installed | 80 | 1.0.0.SNAPSHOT | APMS/EWM SAP File Distribution
>>> karaf@root()> logout
>>> sparrow-2:apache-karaf-3.0.0 paul$
>>>
>>> ***
>>> * From data/log/karaf.log
>>> ***
>>> 2014-01-15 06:34:25,902 | INFO | e ssh user karaf | GuardProxyCatalog | 42 - org.apache.karaf.service.guard - 3.0.0 | Current user does not have required roles ([manager]) for service [org.apache.karaf.shell.console.CompletableFunction, org.apache.karaf.shell.console.commands.BlueprintCommand, org.apache.karaf.shell.commands.CommandWithAction, org.apache.felix.service.command.Function, org.apache.karaf.shell.commands.basic.AbstractCommand] method public java.lang.Object org.apache.karaf.shell.commands.basic.AbstractCommand.execute(org.apache.felix.service.command.CommandSession,java.util.List) throws java.lang.Exception and/or arguments
>>> 2014-01-15 06:34:25,902 | ERROR | e ssh user karaf | ShellUtil | 47 - org.apache.karaf.shell.console - 3.0.0 | Exception caught while executing command
>>> java.lang.SecurityException: Insufficient credentials.
>>> at org.apache.karaf.service.guard.impl.GuardProxyCatalog$ProxyInvocationListener.preInvoke(GuardProxyCatalog.java:527)
>>> at org.apache.aries.proxy.impl.ProxyHandler$1.invoke(ProxyHandler.java:52)
>>> at org.apache.aries.proxy.impl.ProxyHandler.invoke(ProxyHandler.java:119)
>>> at org.apache.karaf.shell.console.commands.$BlueprintCommand1069614474.execute(Unknown Source)[47:org.apache.karaf.shell.console:3.0.0]
>>> at org.apache.felix.gogo.runtime.CommandProxy.execute(CommandProxy.java:78)[47:org.apache.karaf.shell.console:3.0.0]
>>> at org.apache.felix.gogo.runtime.Closure.executeCmd(Closure.java:477)[47:org.apache.karaf.shell.console:3.0.0]
>>> at org.apache.felix.gogo.runtime.Closure.executeStatement(Closure.java:403)[47:org.apache.karaf.shell.console:3.0.0]
>>> at org.apache.felix.gogo.runtime.Pipe.run(Pipe.java:108)[47:org.apache.karaf.shell.console:3.0.0]
>>> at org.apache.felix.gogo.runtime.Closure.execute(Closure.java:183)[47:org.apache.karaf.shell.console:3.0.0]
>>> at org.apache.felix.gogo.runtime.Closure.execute(Closure.java:120)[47:org.apache.karaf.shell.console:3.0.0]
>>> at org.apache.felix.gogo.runtime.CommandSessionImpl.execute(CommandSessionImpl.java:89)
>>> at org.apache.karaf.shell.console.impl.jline.ConsoleImpl$DelegateSession.execute(ConsoleImpl.java:497)
>>> at org.apache.karaf.shell.console.impl.jline.ConsoleImpl.run(ConsoleImpl.java:198)
>>> at java.lang.Thread.run(Thread.java:724)[:1.7.0_25]
>>> at org.apache.karaf.shell.console.impl.jline.ConsoleFactoryService$3.doRun(ConsoleFactoryService.java:118)[47:org.apache.karaf.shell.console:3.0.0]
>>> at org.apache.karaf.shell.console.impl.jline.ConsoleFactoryService$3$1.run(ConsoleFactoryService.java:109)
>>> at java.security.AccessController.doPrivileged(Native Method)[:1.7.0_25]
>>> at org.apache.karaf.jaas.modules.JaasHelper.doAs(JaasHelper.java:47)[48:org.apache.karaf.jaas.modules:3.0.0]
>>> at org.apache.karaf.shell.console.impl.jline.ConsoleFactoryService$3.run(ConsoleFactoryService.java:107)[47:org.apache.karaf.shell.console:3.0.0]
>>>
>>>
>>> On Jan 15, 2014, at 12:37 AM, Jean-Baptiste Onofré <jb...@nanthrax.net> wrote:
>>>
>>>> Hi Paul,
>>>>
>>>> it's not a regression: command, services, and JMX security don't exist at all in 2.3.x, it's a new feature from 3.0.0.
>>>>
>>>> The local roles are defined in etc/system.properties:
>>>>
>>>> karaf.local.roles = admin,manager,viewer
>>>>
>>>> It's the roles used by the "local" console. When you use remote console (via ssh), Karaf uses the role of the user.
>>>>
>>>> If you take a look at etc/org.apache.karaf.command.acl.bundle.cfg, you can see:
>>>>
>>>> uninstall[/.*[-][f].*/] = admin
>>>> uninstall = manager
>>>>
>>>> If you are manager, you can use uninstall for a non-system bundle (with start level greater than 80, so without requiring the -f option). To uninstall a system bundle, you have to be admin (who can use the -f option for a system bundle).
>>>>
>>>> Regards
>>>> JB
>>>>
>>>> On 01/14/2014 10:34 PM, Paul Spencer wrote:
>>>>> JB,
>>>>> - The use case is successful in 2.3.x, so this sounds like a regression issue.
>>>>>
>>>>> - Per etc/system.properties, the local user has admin and manager roles.
>>>>>
>>>>> karaf@root()> jaas:realm-manage --index 1
>>>>> karaf@root()> jaas:user-list
>>>>> User Name | Group | Role
>>>>> --------------------------------
>>>>> karaf | admingroup | admin
>>>>> karaf | admingroup | manager
>>>>> karaf | admingroup | viewer
>>>>> karaf@root()>
>>>>>
>>>>>
>>>>> - The way I am reading etc/org.apache.karaf.command.acl.bundle.cfg, a user in the admin group can “install” a bundle and needs to be in the manager group to “uninstall” without the “-f” option.
>>>>>
>>>>> karaf@root()> bundle:uninstall 79
>>>>> Error executing command: Insufficient credentials.
>>>>> karaf@root()> bundle:uninstall -f 79
>>>>> karaf@root()>
>>>>>
>>>>> So why is the “bundle:uninstall” command failing when the local user has the manager role?
>>>>>
>>>>> Paul Spencer
>>>>>
>>>>>
>>>>>
>>>>> On Jan 14, 2014, at 2:29 PM, Jean-Baptiste Onofré <jb...@nanthrax.net> wrote:
>>>>>
>>>>>> Hi Paul,
>>>>>>
>>>>>> take a look in the documentation:
>>>>>>
>>>>>> http://karaf.apache.org/manual/latest/users-guide/security.html
>>>>>>
>>>>>> in the console section.
>>>>>>
>>>>>> You will find the explanations about etc/org.apache.karaf.command.acl.<scope>.cfg files.
>>>>>>
>>>>>> Regards
>>>>>> JB
>>>>>>
>>>>>> On 01/14/2014 07:14 PM, Paul Spencer wrote:
>>>>>>> Karaf 3.0.0 running on Apple OSX Maverick (10.9.1)
>>>>>>>
>>>>>>> I am getting a "java.lang.SecurityException: Insufficient credentials.” error when executing various commands on a newly installed Karaf 3.0.0. The use case below is for uninstalling a bundle.
>>>>>>>
>>>>>>> Is there a configuration change I need to make?
>>>>>>>
>>>>>>> ***
>>>>>>> * Use case
>>>>>>> ***
>>>>>>> 1) unzipped the distribution
>>>>>>> 2) Start the Karaf server with bin/start
>>>>>>> 3) Tail the log file until the JMX OSGi Agent is finished registering objects (about 30 seconds)
>>>>>>> 4) Start the Karaf client with bin/client
>>>>>>> 5) Install a bundle
>>>>>>> 6) Uninstall the newly installed bundle
>>>>>>>
>>>>>>>
>>>>>>> ***
>>>>>>> * Command output
>>>>>>> ***
>>>>>>> karaf@root()> install mvn:com.intekon.customer.kc.ewm.web-service/ewm-sap-dist/1.0-SNAPSHOT
>>>>>>> Bundle ID: 79
>>>>>>> karaf@root()> uninstall 79
>>>>>>> Error executing command: Insufficient credentials.
>>>>>>> karaf@root()>
>>>>>>>
>>>>>>>
>>>>>>> ***
>>>>>>> * From karaf.log (I can post the full 28K log if necessary)
>>>>>>> ***
>>>>>>> 2014-01-14 12:50:07,960 | INFO | e ssh user karaf | GuardProxyCatalog | 42 - org.apache.karaf.service.guard - 3.0.0 | Current user does not have required roles ([manager]) for service [org.apache.karaf.shell.console.CompletableFunction, org.apache.karaf.shell.console.commands.BlueprintCommand, org.apache.karaf.shell.commands.CommandWithAction, org.apache.felix.service.command.Function, org.apache.karaf.shell.commands.basic.AbstractCommand] method public java.lang.Object org.apache.karaf.shell.commands.basic.AbstractCommand.execute(org.apache.felix.service.command.CommandSession,java.util.List) throws java.lang.Exception and/or arguments
>>>>>>> 2014-01-14 12:50:07,960 | ERROR | e ssh user karaf | ShellUtil | 47 - org.apache.karaf.shell.console - 3.0.0 | Exception caught while executing command
>>>>>>> java.lang.SecurityException: Insufficient credentials.
>>>>>>> at org.apache.karaf.service.guard.impl.GuardProxyCatalog$ProxyInvocationListener.preInvoke(GuardProxyCatalog.java:527)
>>>>>>> at org.apache.aries.proxy.impl.ProxyHandler$1.invoke(ProxyHandler.java:52)
>>>>>>> at org.apache.aries.proxy.impl.ProxyHandler.invoke(ProxyHandler.java:119)
>>>>>>> at org.apache.karaf.shell.console.commands.$BlueprintCommand474733692.execute(Unknown Source)[47:org.apache.karaf.shell.console:3.0.0]
>>>>>>> at org.apache.felix.gogo.runtime.CommandProxy.execute(CommandProxy.java:78)[47:org.apache.karaf.shell.console:3.0.0]
>>>>>>> at org.apache.felix.gogo.runtime.Closure.executeCmd(Closure.java:477)[47:org.apache.karaf.shell.console:3.0.0]
>>>>>>> at org.apache.felix.gogo.runtime.Closure.executeStatement(Closure.java:403)[47:org.apache.karaf.shell.console:3.0.0]
>>>>>>> at org.apache.felix.gogo.runtime.Pipe.run(Pipe.java:108)[47:org.apache.karaf.shell.console:3.0.0]
>>>>>>> at org.apache.felix.gogo.runtime.Closure.execute(Closure.java:183)[47:org.apache.karaf.shell.console:3.0.0]
>>>>>>> at org.apache.felix.gogo.runtime.Closure.execute(Closure.java:120)[47:org.apache.karaf.shell.console:3.0.0]
>>>>>>> at org.apache.felix.gogo.runtime.CommandSessionImpl.execute(CommandSessionImpl.java:89)
>>>>>>> at org.apache.karaf.shell.console.impl.jline.ConsoleImpl$DelegateSession.execute(ConsoleImpl.java:497)
>>>>>>> at org.apache.karaf.shell.console.impl.jline.ConsoleImpl.run(ConsoleImpl.java:198)
>>>>>>> at java.lang.Thread.run(Thread.java:724)[:1.7.0_25]
>>>>>>> at org.apache.karaf.shell.console.impl.jline.ConsoleFactoryService$3.doRun(ConsoleFactoryService.java:118)[47:org.apache.karaf.shell.console:3.0.0]
>>>>>>> at org.apache.karaf.shell.console.impl.jline.ConsoleFactoryService$3$1.run(ConsoleFactoryService.java:109)
>>>>>>> at java.security.AccessController.doPrivileged(Native Method)[:1.7.0_25]
>>>>>>> at org.apache.karaf.jaas.modules.JaasHelper.doAs(JaasHelper.java:47)[48:org.apache.karaf.jaas.modules:3.0.0]
>>>>>>> at org.apache.karaf.shell.console.impl.jline.ConsoleFactoryService$3.run(ConsoleFactoryService.java:107)[47:org.apache.karaf.shell.console:3.0.0]
>>>>>>>
>>>>>>> Paul Spencer
>>>>>>>
>>>>>>>
>>>>>>
>>>>>> --
>>>>>> Jean-Baptiste Onofré
>>>>>> jbonofre@apache.org
>>>>>> http://blog.nanthrax.net
>>>>>> Talend - http://www.talend.com
>>>>>
>>>>
>>>> --
>>>> Jean-Baptiste Onofré
>>>> jbonofre@apache.org
>>>> http://blog.nanthrax.net
>>>> Talend - http://www.talend.com
>>>
>>
>> --
>> Jean-Baptiste Onofré
>> jbonofre@apache.org
>> http://blog.nanthrax.net
>> Talend - http://www.talend.com
>
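The two ACL rules quoted from etc/org.apache.karaf.command.acl.bundle.cfg, the denial line in karaf.log and the outcomes Paul observed can be checked against each other offline. This is an added example, not code from the thread or from Karaf: it is a simplified model that assumes a `[/regex/]` rule is matched against the space-joined arguments and takes precedence over the bare rule, and that roles are flat sets; the thread does not state which roles the bin/client session actually held, so the script only lists the role sets that would reproduce the transcript under that model.

```python
import re
from itertools import combinations

# The two rules quoted in the thread from etc/org.apache.karaf.command.acl.bundle.cfg.
ACL_TEXT = r"""
uninstall[/.*[-][f].*/] = admin
uninstall = manager
"""

# Denial line from the thread's karaf.log, abridged: the service list is cut to "[...]".
LOG_LINE = ("2014-01-15 06:34:25,902 | INFO | e ssh user karaf | GuardProxyCatalog | "
            "42 - org.apache.karaf.service.guard - 3.0.0 | Current user does not have "
            "required roles ([manager]) for service [...]")

# Outcomes reported in the thread for the bin/client session: (command, args, allowed).
OBSERVED = [("uninstall", ["79"], False), ("uninstall", ["-f", "79"], True)]

RULE_RE = re.compile(r"^(?P<cmd>[\w:-]+)(?:\[/(?P<rx>.*)/\])?\s*=\s*(?P<roles>.+)$")
DENY_RE = re.compile(r"Current user does not have required roles \(\[(?P<roles>[^\]]*)\]\)")


def split_roles(text):
    return frozenset(r.strip() for r in text.split(",") if r.strip())


def parse_acl(text):
    """Parse 'command[/regex/] = role,...' lines into (command, regex-or-None, roles)."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError("unrecognised ACL line: %r" % line)
        rx = re.compile(m.group("rx")) if m.group("rx") is not None else None
        rules.append((m.group("cmd"), rx, split_roles(m.group("roles"))))
    return rules


def required_roles(rules, command, args):
    """Roles demanded for this invocation (model assumption: a matching regex rule wins)."""
    arg_string = " ".join(args)
    bare = None
    for cmd, rx, roles in rules:
        if cmd != command:
            continue
        if rx is None:
            bare = roles
        elif rx.fullmatch(arg_string):
            return roles
    if bare is None:
        raise LookupError("no ACL rule for %r in this model" % command)
    return bare


def check(rules, session_roles, command, args):
    """Return (allowed, needed): allowed when the session holds any of the needed roles."""
    needed = required_roles(rules, command, args)
    return bool(needed & frozenset(session_roles)), needed


def denied_roles(log_line):
    """Extract the role list from a GuardProxyCatalog denial line, or None if not one."""
    m = DENY_RE.search(log_line)
    return split_roles(m.group("roles")) if m else None


def consistent_role_sets(rules, observations, known_roles):
    """Every subset of known_roles that reproduces all observed allow/deny outcomes."""
    hits = []
    names = sorted(known_roles)
    for n in range(len(names) + 1):
        for combo in combinations(names, n):
            if all(check(rules, combo, cmd, args)[0] == seen
                   for cmd, args, seen in observations):
                hits.append(frozenset(combo))
    return hits


if __name__ == "__main__":
    rules = parse_acl(ACL_TEXT)
    print("log says missing:", sorted(denied_roles(LOG_LINE)))
    for cmd, args, _ in OBSERVED:
        print(cmd, args, "needs", sorted(required_roles(rules, cmd, args)))
    # Roles listed by karaf.local.roles and jaas:user-list in the thread.
    for roles in consistent_role_sets(rules, OBSERVED, {"admin", "manager", "viewer"}):
        print("transcript reproduced by session roles:", sorted(roles))
```
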
Re: Getting a "java.lang.SecurityException: Insufficient credentials.” error when executing various commands in Karaf 3.0.0
Posted by Paul Spencer <pa...@apache.org>.
JB,
I have seen the error with other commands while developing a bundle, although I focused on the bundle:uninstall.
In addition to connecting to Karaf with ssh, the use case succeeds when connecting with bin/karaf.
Paul Spencer
On Jan 15, 2014, at 7:15 AM, Jean-Baptiste Onofré <jb...@nanthrax.net> wrote:
> Let me try to reproduce the issue using bin/client. It's weird as bin/client is an ssh client, so it's basically the same as ssh.
>
> Did you see the issue with other commands?
>
> I think that the ACL can be enhanced: instead of checking the -f option, it should check the bundle level. It's not so easy as bundle:uninstall accepts bundle ID, bundle name, etc.
>
> Regards
> JB
>
> On 01/15/2014 12:45 PM, Paul Spencer wrote:
>> JB,
>> If I connect to Karaf via SSH, the use case works, but if I connect via bin/client the use case fails.
>>
>> Why does the command uninstall without -f generate the log message “Current user does not have required roles ([manager]) for service” when connected to Karaf via bin/client?
>>
>>
>> ***
>> * Role definition in etc/system.properties
>> ***
>> sparrow-2:apache-karaf-3.0.0 paul$ grep local etc/system.properties
>> # Roles to use when logging into a local Karaf console.
>> karaf.local.roles = admin,manager,viewer
>> sparrow-2:apache-karaf-3.0.0 paul$
>>
>> ***
>> * Log of connecting to Karaf via SSH then bin/client
>> ***
>> sparrow-2:apache-karaf-3.0.0 paul$ ssh karaf@127.0.0.1 -p 8101
>> Authenticated with partial success.
>> Authenticated with partial success.
>> Password authentication
>> Password:
>> __ __ ____
>> / //_/____ __________ _/ __/
>> / ,< / __ `/ ___/ __ `/ /_
>> / /| |/ /_/ / / / /_/ / __/
>> /_/ |_|\__,_/_/ \__,_/_/
>>
>> Apache Karaf (3.0.0)
>>
>> Hit '<tab>' for a list of available commands
>> and '[cmd] --help' for help on a specific command.
>> Hit 'system:shutdown' to shutdown Karaf.
>> Hit '<ctrl-d>' or type 'logout' to disconnect shell from current session.
>>
>> karaf@root()> list
>> START LEVEL 100 , List Threshold: 50
>> ID | State | Lvl | Version | Name
>> ----------------------------------------------------------------------
>> 80 | Installed | 100 | 1.0.0.SNAPSHOT | APMS/EWM SAP File Distribution
>> karaf@root()> uninstall 80
>> karaf@root()> install mvn:com.intekon.customer.kc.ewm.web-service/ewm-sap-dist/1.0-SNAPSHOT
>> Bundle ID: 81
>> karaf@root()> uninstall 81
>> karaf@root()> logout
>> Connection to 127.0.0.1 closed.
>> sparrow-2:apache-karaf-3.0.0 paul$ bin/client
>> Logging in as karaf
>> 566 [pool-2-thread-2] WARN org.apache.sshd.client.keyverifier.AcceptAllServerKeyVerifier - Server at /0.0.0.0:8101 presented unverified key:
>> __ __ ____
>> / //_/____ __________ _/ __/
>> / ,< / __ `/ ___/ __ `/ /_
>> / /| |/ /_/ / / / /_/ / __/
>> /_/ |_|\__,_/_/ \__,_/_/
>>
>> Apache Karaf (3.0.0)
>>
>> Hit '<tab>' for a list of available commands
>> and '[cmd] --help' for help on a specific command.
>> Hit 'system:shutdown' to shutdown Karaf.
>> Hit '<ctrl-d>' or type 'logout' to disconnect shell from current session.
>>
>> karaf@root()> install mvn:com.intekon.customer.kc.ewm.web-service/ewm-sap-dist/1.0-SNAPSHOT
>> Bundle ID: 82
>> karaf@root()> uninstall 82
>> Error executing command: Insufficient credentials.
>> karaf@root()> list
>> START LEVEL 100 , List Threshold: 50
>> ID | State | Lvl | Version | Name
>> ----------------------------------------------------------------------
>> 82 | Installed | 80 | 1.0.0.SNAPSHOT | APMS/EWM SAP File Distribution
>> karaf@root()> logout
>> sparrow-2:apache-karaf-3.0.0 paul$
>>
>> ***
>> * From data/log/karaf.log
>> ***
>> 2014-01-15 06:34:25,902 | INFO | e ssh user karaf | GuardProxyCatalog | 42 - org.apache.karaf.service.guard - 3.0.0 | Current user does not have required roles ([manager]) for service [org.apache.karaf.shell.console.CompletableFunction, org.apache.karaf.shell.console.commands.BlueprintCommand, org.apache.karaf.shell.commands.CommandWithAction, org.apache.felix.service.command.Function, org.apache.karaf.shell.commands.basic.AbstractCommand] method public java.lang.Object org.apache.karaf.shell.commands.basic.AbstractCommand.execute(org.apache.felix.service.command.CommandSession,java.util.List) throws java.lang.Exception and/or arguments
>> 2014-01-15 06:34:25,902 | ERROR | e ssh user karaf | ShellUtil | 47 - org.apache.karaf.shell.console - 3.0.0 | Exception caught while executing command
>> java.lang.SecurityException: Insufficient credentials.
>> at org.apache.karaf.service.guard.impl.GuardProxyCatalog$ProxyInvocationListener.preInvoke(GuardProxyCatalog.java:527)
>> at org.apache.aries.proxy.impl.ProxyHandler$1.invoke(ProxyHandler.java:52)
>> at org.apache.aries.proxy.impl.ProxyHandler.invoke(ProxyHandler.java:119)
>> at org.apache.karaf.shell.console.commands.$BlueprintCommand1069614474.execute(Unknown Source)[47:org.apache.karaf.shell.console:3.0.0]
>> at org.apache.felix.gogo.runtime.CommandProxy.execute(CommandProxy.java:78)[47:org.apache.karaf.shell.console:3.0.0]
>> at org.apache.felix.gogo.runtime.Closure.executeCmd(Closure.java:477)[47:org.apache.karaf.shell.console:3.0.0]
>> at org.apache.felix.gogo.runtime.Closure.executeStatement(Closure.java:403)[47:org.apache.karaf.shell.console:3.0.0]
>> at org.apache.felix.gogo.runtime.Pipe.run(Pipe.java:108)[47:org.apache.karaf.shell.console:3.0.0]
>> at org.apache.felix.gogo.runtime.Closure.execute(Closure.java:183)[47:org.apache.karaf.shell.console:3.0.0]
>> at org.apache.felix.gogo.runtime.Closure.execute(Closure.java:120)[47:org.apache.karaf.shell.console:3.0.0]
>> at org.apache.felix.gogo.runtime.CommandSessionImpl.execute(CommandSessionImpl.java:89)
>> at org.apache.karaf.shell.console.impl.jline.ConsoleImpl$DelegateSession.execute(ConsoleImpl.java:497)
>> at org.apache.karaf.shell.console.impl.jline.ConsoleImpl.run(ConsoleImpl.java:198)
>> at java.lang.Thread.run(Thread.java:724)[:1.7.0_25]
>> at org.apache.karaf.shell.console.impl.jline.ConsoleFactoryService$3.doRun(ConsoleFactoryService.java:118)[47:org.apache.karaf.shell.console:3.0.0]
>> at org.apache.karaf.shell.console.impl.jline.ConsoleFactoryService$3$1.run(ConsoleFactoryService.java:109)
>> at java.security.AccessController.doPrivileged(Native Method)[:1.7.0_25]
>> at org.apache.karaf.jaas.modules.JaasHelper.doAs(JaasHelper.java:47)[48:org.apache.karaf.jaas.modules:3.0.0]
>> at org.apache.karaf.shell.console.impl.jline.ConsoleFactoryService$3.run(ConsoleFactoryService.java:107)[47:org.apache.karaf.shell.console:3.0.0]
>>
>>
>> On Jan 15, 2014, at 12:37 AM, Jean-Baptiste Onofré <jb...@nanthrax.net> wrote:
>>
>>> Hi Paul,
>>>
>>> it's not a regression: command, services, and JMX security don't exist at all in 2.3.x, it's a new feature from 3.0.0.
>>>
>>> The local roles are defined in etc/system.properties:
>>>
>>> karaf.local.roles = admin,manager,viewer
>>>
>>> It's the roles used by the "local" console. When you use remote console (via ssh), Karaf uses the role of the user.
>>>
>>> If you take a look at etc/org.apache.karaf.command.acl.bundle.cfg, you can see:
>>>
>>> uninstall[/.*[-][f].*/] = admin
>>> uninstall = manager
>>>
>>> If you are manager, you can use uninstall for a non-system bundle (with start level greater than 80, so without requiring the -f option). To uninstall a system bundle, you have to be admin (who can use the -f option for a system bundle).
>>>
>>> Regards
>>> JB
>>>
>>> On 01/14/2014 10:34 PM, Paul Spencer wrote:
>>>> JB,
>>>> - The use case is successful in 2.3.x, so this sounds like a regression issue.
>>>>
>>>> - Per etc/system.properties, the local user has admin and manager roles.
>>>>
>>>> karaf@root()> jaas:realm-manage --index 1
>>>> karaf@root()> jaas:user-list
>>>> User Name | Group | Role
>>>> --------------------------------
>>>> karaf | admingroup | admin
>>>> karaf | admingroup | manager
>>>> karaf | admingroup | viewer
>>>> karaf@root()>
>>>>
>>>>
>>>> - The way I am reading etc/org.apache.karaf.command.acl.bundle.cfg, a user in the admin group can “install” a bundle and needs to be in the manager group to “uninstall” without the “-f” option.
>>>>
>>>> karaf@root()> bundle:uninstall 79
>>>> Error executing command: Insufficient credentials.
>>>> karaf@root()> bundle:uninstall -f 79
>>>> karaf@root()>
>>>>
>>>> So why is the “bundle:uninstall” command failing when the local user has the manager role?
>>>>
>>>> Paul Spencer
>>>>
>>>>
>>>>
>>>> On Jan 14, 2014, at 2:29 PM, Jean-Baptiste Onofré <jb...@nanthrax.net> wrote:
>>>>
>>>>> Hi Paul,
>>>>>
>>>>> take a look in the documentation:
>>>>>
>>>>> http://karaf.apache.org/manual/latest/users-guide/security.html
>>>>>
>>>>> in the console section.
>>>>>
>>>>> You will find the explanations about etc/org.apache.karaf.command.acl.<scope>.cfg files.
>>>>>
>>>>> Regards
>>>>> JB
>>>>>
>>>>> On 01/14/2014 07:14 PM, Paul Spencer wrote:
>>>>>> Karaf 3.0.0 running on Apple OSX Maverick (10.9.1)
>>>>>>
>>>>>> I am getting a "java.lang.SecurityException: Insufficient credentials.” error when executing various commands on a newly installed Karaf 3.0.0. The use case below is for uninstalling a bundle.
>>>>>>
>>>>>> Is there a configuration change I need to make?
>>>>>>
>>>>>> ***
>>>>>> * Use case
>>>>>> ***
>>>>>> 1) unzipped the distribution
>>>>>> 2) Start the Karaf server with bin/start
>>>>>> 3) Tail the log file until the JMX OSGi Agent is finished registering objects (about 30 seconds)
>>>>>> 4) Start the Karaf client with bin/client
>>>>>> 5) Install a bundle
>>>>>> 6) Uninstall the newly installed bundle
>>>>>>
>>>>>>
>>>>>> ***
>>>>>> * Command output
>>>>>> ***
>>>>>> karaf@root()> install mvn:com.intekon.customer.kc.ewm.web-service/ewm-sap-dist/1.0-SNAPSHOT
>>>>>> Bundle ID: 79
>>>>>> karaf@root()> uninstall 79
>>>>>> Error executing command: Insufficient credentials.
>>>>>> karaf@root()>
>>>>>>
>>>>>>
>>>>>> ***
>>>>>> * From karaf.log (I can post the full 28K log if necessary)
>>>>>> ***
>>>>>> 2014-01-14 12:50:07,960 | INFO | e ssh user karaf | GuardProxyCatalog | 42 - org.apache.karaf.service.guard - 3.0.0 | Current user does not have required roles ([manager]) for service [org.apache.karaf.shell.console.CompletableFunction, org.apache.karaf.shell.console.commands.BlueprintCommand, org.apache.karaf.shell.commands.CommandWithAction, org.apache.felix.service.command.Function, org.apache.karaf.shell.commands.basic.AbstractCommand] method public java.lang.Object org.apache.karaf.shell.commands.basic.AbstractCommand.execute(org.apache.felix.service.command.CommandSession,java.util.List) throws java.lang.Exception and/or arguments
>>>>>> 2014-01-14 12:50:07,960 | ERROR | e ssh user karaf | ShellUtil | 47 - org.apache.karaf.shell.console - 3.0.0 | Exception caught while executing command
>>>>>> java.lang.SecurityException: Insufficient credentials.
>>>>>> at org.apache.karaf.service.guard.impl.GuardProxyCatalog$ProxyInvocationListener.preInvoke(GuardProxyCatalog.java:527)
>>>>>> at org.apache.aries.proxy.impl.ProxyHandler$1.invoke(ProxyHandler.java:52)
>>>>>> at org.apache.aries.proxy.impl.ProxyHandler.invoke(ProxyHandler.java:119)
>>>>>> at org.apache.karaf.shell.console.commands.$BlueprintCommand474733692.execute(Unknown Source)[47:org.apache.karaf.shell.console:3.0.0]
>>>>>> at org.apache.felix.gogo.runtime.CommandProxy.execute(CommandProxy.java:78)[47:org.apache.karaf.shell.console:3.0.0]
>>>>>> at org.apache.felix.gogo.runtime.Closure.executeCmd(Closure.java:477)[47:org.apache.karaf.shell.console:3.0.0]
>>>>>> at org.apache.felix.gogo.runtime.Closure.executeStatement(Closure.java:403)[47:org.apache.karaf.shell.console:3.0.0]
>>>>>> at org.apache.felix.gogo.runtime.Pipe.run(Pipe.java:108)[47:org.apache.karaf.shell.console:3.0.0]
>>>>>> at org.apache.felix.gogo.runtime.Closure.execute(Closure.java:183)[47:org.apache.karaf.shell.console:3.0.0]
>>>>>> at org.apache.felix.gogo.runtime.Closure.execute(Closure.java:120)[47:org.apache.karaf.shell.console:3.0.0]
>>>>>> at org.apache.felix.gogo.runtime.CommandSessionImpl.execute(CommandSessionImpl.java:89)
>>>>>> at org.apache.karaf.shell.console.impl.jline.ConsoleImpl$DelegateSession.execute(ConsoleImpl.java:497)
>>>>>> at org.apache.karaf.shell.console.impl.jline.ConsoleImpl.run(ConsoleImpl.java:198)
>>>>>> at java.lang.Thread.run(Thread.java:724)[:1.7.0_25]
>>>>>> at org.apache.karaf.shell.console.impl.jline.ConsoleFactoryService$3.doRun(ConsoleFactoryService.java:118)[47:org.apache.karaf.shell.console:3.0.0]
>>>>>> at org.apache.karaf.shell.console.impl.jline.ConsoleFactoryService$3$1.run(ConsoleFactoryService.java:109)
>>>>>> at java.security.AccessController.doPrivileged(Native Method)[:1.7.0_25]
>>>>>> at org.apache.karaf.jaas.modules.JaasHelper.doAs(JaasHelper.java:47)[48:org.apache.karaf.jaas.modules:3.0.0]
>>>>>> at org.apache.karaf.shell.console.impl.jline.ConsoleFactoryService$3.run(ConsoleFactoryService.java:107)[47:org.apache.karaf.shell.console:3.0.0]
>>>>>>
>>>>>> Paul Spencer
>>>>>>
>>>>>>
>>>>>
>>>>> --
>>>>> Jean-Baptiste Onofré
>>>>> jbonofre@apache.org
>>>>> http://blog.nanthrax.net
>>>>> Talend - http://www.talend.com
>>>>
>>>
>>> --
>>> Jean-Baptiste Onofré
>>> jbonofre@apache.org
>>> http://blog.nanthrax.net
>>> Talend - http://www.talend.com
>>
>
> --
> Jean-Baptiste Onofré
> jbonofre@apache.org
> http://blog.nanthrax.net
> Talend - http://www.talend.com
Re: Getting a "java.lang.SecurityException: Insufficient credentials.” error when executing various commands in Karaf 3.0.0
Posted by Jean-Baptiste Onofré <jb...@nanthrax.net>.
Let me try to reproduce the issue using bin/client. It's weird as
bin/client is an ssh client, so it's basically the same as ssh.
Did you see the issue with other commands?
I think that the ACL can be enhanced: instead of checking the -f option,
it should check the bundle level. It's not so easy as bundle:uninstall
accepts bundle ID, bundle name, etc.
Regards
JB
On 01/15/2014 12:45 PM, Paul Spencer wrote:
> JB,
> If I connect to Karaf via SSH, the use case works, but if I connect via bin/client the use case fails.
>
> Why does the command uninstall without -f generate the log message “Current user does not have required roles ([manager]) for service” when connected to Karaf via bin/client?
>
>
> ***
> * Role definition in etc/system.properties
> ***
> sparrow-2:apache-karaf-3.0.0 paul$ grep local etc/system.properties
> # Roles to use when logging into a local Karaf console.
> karaf.local.roles = admin,manager,viewer
> sparrow-2:apache-karaf-3.0.0 paul$
>
> ***
> * Log of connecting to Karaf via SSH then bin/client
> ***
> sparrow-2:apache-karaf-3.0.0 paul$ ssh karaf@127.0.0.1 -p 8101
> Authenticated with partial success.
> Authenticated with partial success.
> Password authentication
> Password:
> __ __ ____
> / //_/____ __________ _/ __/
> / ,< / __ `/ ___/ __ `/ /_
> / /| |/ /_/ / / / /_/ / __/
> /_/ |_|\__,_/_/ \__,_/_/
>
> Apache Karaf (3.0.0)
>
> Hit '<tab>' for a list of available commands
> and '[cmd] --help' for help on a specific command.
> Hit 'system:shutdown' to shutdown Karaf.
> Hit '<ctrl-d>' or type 'logout' to disconnect shell from current session.
>
> karaf@root()> list
> START LEVEL 100 , List Threshold: 50
> ID | State | Lvl | Version | Name
> ----------------------------------------------------------------------
> 80 | Installed | 100 | 1.0.0.SNAPSHOT | APMS/EWM SAP File Distribution
> karaf@root()> uninstall 80
> karaf@root()> install mvn:com.intekon.customer.kc.ewm.web-service/ewm-sap-dist/1.0-SNAPSHOT
> Bundle ID: 81
> karaf@root()> uninstall 81
> karaf@root()> logout
> Connection to 127.0.0.1 closed.
> sparrow-2:apache-karaf-3.0.0 paul$ bin/client
> Logging in as karaf
> 566 [pool-2-thread-2] WARN org.apache.sshd.client.keyverifier.AcceptAllServerKeyVerifier - Server at /0.0.0.0:8101 presented unverified key:
> __ __ ____
> / //_/____ __________ _/ __/
> / ,< / __ `/ ___/ __ `/ /_
> / /| |/ /_/ / / / /_/ / __/
> /_/ |_|\__,_/_/ \__,_/_/
>
> Apache Karaf (3.0.0)
>
> Hit '<tab>' for a list of available commands
> and '[cmd] --help' for help on a specific command.
> Hit 'system:shutdown' to shutdown Karaf.
> Hit '<ctrl-d>' or type 'logout' to disconnect shell from current session.
>
> karaf@root()> install mvn:com.intekon.customer.kc.ewm.web-service/ewm-sap-dist/1.0-SNAPSHOT
> Bundle ID: 82
> karaf@root()> uninstall 82
> Error executing command: Insufficient credentials.
> karaf@root()> list
> START LEVEL 100 , List Threshold: 50
> ID | State | Lvl | Version | Name
> ----------------------------------------------------------------------
> 82 | Installed | 80 | 1.0.0.SNAPSHOT | APMS/EWM SAP File Distribution
> karaf@root()> logout
> sparrow-2:apache-karaf-3.0.0 paul$
>
> ***
> * From data/log/karaf.log
> ***
> 2014-01-15 06:34:25,902 | INFO | e ssh user karaf | GuardProxyCatalog | 42 - org.apache.karaf.service.guard - 3.0.0 | Current user does not have required roles ([manager]) for service [org.apache.karaf.shell.console.CompletableFunction, org.apache.karaf.shell.console.commands.BlueprintCommand, org.apache.karaf.shell.commands.CommandWithAction, org.apache.felix.service.command.Function, org.apache.karaf.shell.commands.basic.AbstractCommand] method public java.lang.Object org.apache.karaf.shell.commands.basic.AbstractCommand.execute(org.apache.felix.service.command.CommandSession,java.util.List) throws java.lang.Exception and/or arguments
> 2014-01-15 06:34:25,902 | ERROR | e ssh user karaf | ShellUtil | 47 - org.apache.karaf.shell.console - 3.0.0 | Exception caught while executing command
> java.lang.SecurityException: Insufficient credentials.
> at org.apache.karaf.service.guard.impl.GuardProxyCatalog$ProxyInvocationListener.preInvoke(GuardProxyCatalog.java:527)
> at org.apache.aries.proxy.impl.ProxyHandler$1.invoke(ProxyHandler.java:52)
> at org.apache.aries.proxy.impl.ProxyHandler.invoke(ProxyHandler.java:119)
> at org.apache.karaf.shell.console.commands.$BlueprintCommand1069614474.execute(Unknown Source)[47:org.apache.karaf.shell.console:3.0.0]
> at org.apache.felix.gogo.runtime.CommandProxy.execute(CommandProxy.java:78)[47:org.apache.karaf.shell.console:3.0.0]
> at org.apache.felix.gogo.runtime.Closure.executeCmd(Closure.java:477)[47:org.apache.karaf.shell.console:3.0.0]
> at org.apache.felix.gogo.runtime.Closure.executeStatement(Closure.java:403)[47:org.apache.karaf.shell.console:3.0.0]
> at org.apache.felix.gogo.runtime.Pipe.run(Pipe.java:108)[47:org.apache.karaf.shell.console:3.0.0]
> at org.apache.felix.gogo.runtime.Closure.execute(Closure.java:183)[47:org.apache.karaf.shell.console:3.0.0]
> at org.apache.felix.gogo.runtime.Closure.execute(Closure.java:120)[47:org.apache.karaf.shell.console:3.0.0]
> at org.apache.felix.gogo.runtime.CommandSessionImpl.execute(CommandSessionImpl.java:89)
> at org.apache.karaf.shell.console.impl.jline.ConsoleImpl$DelegateSession.execute(ConsoleImpl.java:497)
> at org.apache.karaf.shell.console.impl.jline.ConsoleImpl.run(ConsoleImpl.java:198)
> at java.lang.Thread.run(Thread.java:724)[:1.7.0_25]
> at org.apache.karaf.shell.console.impl.jline.ConsoleFactoryService$3.doRun(ConsoleFactoryService.java:118)[47:org.apache.karaf.shell.console:3.0.0]
> at org.apache.karaf.shell.console.impl.jline.ConsoleFactoryService$3$1.run(ConsoleFactoryService.java:109)
> at java.security.AccessController.doPrivileged(Native Method)[:1.7.0_25]
> at org.apache.karaf.jaas.modules.JaasHelper.doAs(JaasHelper.java:47)[48:org.apache.karaf.jaas.modules:3.0.0]
> at org.apache.karaf.shell.console.impl.jline.ConsoleFactoryService$3.run(ConsoleFactoryService.java:107)[47:org.apache.karaf.shell.console:3.0.0]
>
>
> On Jan 15, 2014, at 12:37 AM, Jean-Baptiste Onofré <jb...@nanthrax.net> wrote:
>
>> Hi Paul,
>>
>> it's not a regression: command, services, and JMX security don't exist at all in 2.3.x, it's a new feature from 3.0.0.
>>
>> The local roles are defined in etc/system.properties:
>>
>> karaf.local.roles = admin,manager,viewer
>>
>> It's the roles used by the "local" console. When you use remote console (via ssh), Karaf uses the role of the user.
>>
>> If you take a look at etc/org.apache.karaf.command.acl.bundle.cfg, you can see:
>>
>> uninstall[/.*[-][f].*/] = admin
>> uninstall = manager
>>
>> If you are manager, you can use uninstall for non system bundle (with start level greater than 80, so without requiring the -f option). To uninstall system bundle, you have to be admin (who can use the -f option for system bundle).
>>
>> Regards
>> JB
>>
>> On 01/14/2014 10:34 PM, Paul Spencer wrote:
>>> JB,
>>> - The use case is successful in 2.3.x, so this sounds like a regression issue.
>>>
>>> - Per etc/system.properties, the local user has admin and manager roles.
>>>
>>> karaf@root()> jaas:realm-manage --index 1
>>> karaf@root()> jaas:user-list
>>> User Name | Group | Role
>>> --------------------------------
>>> karaf | admingroup | admin
>>> karaf | admingroup | manager
>>> karaf | admingroup | viewer
>>> karaf@root()>
>>>
>>>
>>> - The way I am reading etc/org.apache.karaf.command.acl.bundle.cfg, a user in the admin group can “install” a bundle and needs to be in the manager group to “uninstall” without the “-f” option.
>>>
>>> karaf@root()> bundle:uninstall 79
>>> Error executing command: Insufficient credentials.
>>> karaf@root()> bundle:uninstall -f 79
>>> karaf@root()>
>>>
>>> So why is the “bundle:uninstall” command failing when the local user has the manager role?
>>>
>>> Paul Spencer
>>>
>>>
>>>
>>> On Jan 14, 2014, at 2:29 PM, Jean-Baptiste Onofré <jb...@nanthrax.net> wrote:
>>>
>>>> Hi Paul,
>>>>
>>>> take a look in the documentation:
>>>>
>>>> http://karaf.apache.org/manual/latest/users-guide/security.html
>>>>
>>>> in the console section.
>>>>
>>>> You will find the explanations about etc/org.apache.karaf.command.acl.<scope>.cfg files.
>>>>
>>>> Regards
>>>> JB
>>>>
>>>> On 01/14/2014 07:14 PM, Paul Spencer wrote:
>>>>> Karaf 3.0.0 running on Apple OSX Maverick (10.9.1)
>>>>>
>>>>> I am getting a "java.lang.SecurityException: Insufficient credentials.” error when executing various commands on a newly installed Karaf 3.0.0. The use case below is for uninstalling a bundle.
>>>>>
>>>>> Is there a configuration change I need to make?
>>>>>
>>>>> ***
>>>>> * Use case
>>>>> ***
>>>>> 1) unzipped the distribution
>>>>> 2) Start the Karaf server with bin/start
>>>>> 3) Tail the log file until the JMX OSGi Agent is finished registering objects (about 30 seconds)
>>>>> 4) Start the Karaf client with bin/client
>>>>> 5) Install a bundle
>>>>> 6) Uninstall the newly installed bundle
>>>>>
>>>>>
>>>>> ***
>>>>> * Command output
>>>>> ***
>>>>> karaf@root()> install mvn:com.intekon.customer.kc.ewm.web-service/ewm-sap-dist/1.0-SNAPSHOT
>>>>> Bundle ID: 79
>>>>> karaf@root()> uninstall 79
>>>>> Error executing command: Insufficient credentials.
>>>>> karaf@root()>
>>>>>
>>>>>
>>>>> ***
>>>>> * From karaf.log (I can post the full 28K log if necessary)
>>>>> ***
>>>>> 2014-01-14 12:50:07,960 | INFO | e ssh user karaf | GuardProxyCatalog | 42 - org.apache.karaf.service.guard - 3.0.0 | Current user does not have required roles ([manager]) for service [org.apache.karaf.shell.console.CompletableFunction, org.apache.karaf.shell.console.commands.BlueprintCommand, org.apache.karaf.shell.commands.CommandWithAction, org.apache.felix.service.command.Function, org.apache.karaf.shell.commands.basic.AbstractCommand] method public java.lang.Object org.apache.karaf.shell.commands.basic.AbstractCommand.execute(org.apache.felix.service.command.CommandSession,java.util.List) throws java.lang.Exception and/or arguments
>>>>> 2014-01-14 12:50:07,960 | ERROR | e ssh user karaf | ShellUtil | 47 - org.apache.karaf.shell.console - 3.0.0 | Exception caught while executing command
>>>>> java.lang.SecurityException: Insufficient credentials.
>>>>> at org.apache.karaf.service.guard.impl.GuardProxyCatalog$ProxyInvocationListener.preInvoke(GuardProxyCatalog.java:527)
>>>>> at org.apache.aries.proxy.impl.ProxyHandler$1.invoke(ProxyHandler.java:52)
>>>>> at org.apache.aries.proxy.impl.ProxyHandler.invoke(ProxyHandler.java:119)
>>>>> at org.apache.karaf.shell.console.commands.$BlueprintCommand474733692.execute(Unknown Source)[47:org.apache.karaf.shell.console:3.0.0]
>>>>> at org.apache.felix.gogo.runtime.CommandProxy.execute(CommandProxy.java:78)[47:org.apache.karaf.shell.console:3.0.0]
>>>>> at org.apache.felix.gogo.runtime.Closure.executeCmd(Closure.java:477)[47:org.apache.karaf.shell.console:3.0.0]
>>>>> at org.apache.felix.gogo.runtime.Closure.executeStatement(Closure.java:403)[47:org.apache.karaf.shell.console:3.0.0]
>>>>> at org.apache.felix.gogo.runtime.Pipe.run(Pipe.java:108)[47:org.apache.karaf.shell.console:3.0.0]
>>>>> at org.apache.felix.gogo.runtime.Closure.execute(Closure.java:183)[47:org.apache.karaf.shell.console:3.0.0]
>>>>> at org.apache.felix.gogo.runtime.Closure.execute(Closure.java:120)[47:org.apache.karaf.shell.console:3.0.0]
>>>>> at org.apache.felix.gogo.runtime.CommandSessionImpl.execute(CommandSessionImpl.java:89)
>>>>> at org.apache.karaf.shell.console.impl.jline.ConsoleImpl$DelegateSession.execute(ConsoleImpl.java:497)
>>>>> at org.apache.karaf.shell.console.impl.jline.ConsoleImpl.run(ConsoleImpl.java:198)
>>>>> at java.lang.Thread.run(Thread.java:724)[:1.7.0_25]
>>>>> at org.apache.karaf.shell.console.impl.jline.ConsoleFactoryService$3.doRun(ConsoleFactoryService.java:118)[47:org.apache.karaf.shell.console:3.0.0]
>>>>> at org.apache.karaf.shell.console.impl.jline.ConsoleFactoryService$3$1.run(ConsoleFactoryService.java:109)
>>>>> at java.security.AccessController.doPrivileged(Native Method)[:1.7.0_25]
>>>>> at org.apache.karaf.jaas.modules.JaasHelper.doAs(JaasHelper.java:47)[48:org.apache.karaf.jaas.modules:3.0.0]
>>>>> at org.apache.karaf.shell.console.impl.jline.ConsoleFactoryService$3.run(ConsoleFactoryService.java:107)[47:org.apache.karaf.shell.console:3.0.0]
>>>>>
>>>>> Paul Spencer
>>>>>
>>>>>
>>>>
>>>> --
>>>> Jean-Baptiste Onofré
>>>> jbonofre@apache.org
>>>> http://blog.nanthrax.net
>>>> Talend - http://www.talend.com
>>>
>>
>> --
>> Jean-Baptiste Onofré
>> jbonofre@apache.org
>> http://blog.nanthrax.net
>> Talend - http://www.talend.com
>
--
Jean-Baptiste Onofré
jbonofre@apache.org
http://blog.nanthrax.net
Talend - http://www.talend.com
Re: Getting a "java.lang.SecurityException: Insufficient credentials.” error when executing various commands in Karaf 3.0.0
Posted by Paul Spencer <pa...@apache.org>.
JB,
If I connect to Karaf via SSH, the use case works, but if I connect via bin/client the use case fails.
Why does the command uninstall without -f generate the log message “Current user does not have required roles ([manager]) for service” when connected to Karaf via bin/client?
***
* Role definition in etc/system.properties
***
sparrow-2:apache-karaf-3.0.0 paul$ grep local etc/system.properties
# Roles to use when logging into a local Karaf console.
karaf.local.roles = admin,manager,viewer
sparrow-2:apache-karaf-3.0.0 paul$
***
* Log of connecting to Karaf via SSH then bin/client
***
sparrow-2:apache-karaf-3.0.0 paul$ ssh karaf@127.0.0.1 -p 8101
Authenticated with partial success.
Authenticated with partial success.
Password authentication
Password:
__ __ ____
/ //_/____ __________ _/ __/
/ ,< / __ `/ ___/ __ `/ /_
/ /| |/ /_/ / / / /_/ / __/
/_/ |_|\__,_/_/ \__,_/_/
Apache Karaf (3.0.0)
Hit '<tab>' for a list of available commands
and '[cmd] --help' for help on a specific command.
Hit 'system:shutdown' to shutdown Karaf.
Hit '<ctrl-d>' or type 'logout' to disconnect shell from current session.
karaf@root()> list
START LEVEL 100 , List Threshold: 50
ID | State | Lvl | Version | Name
----------------------------------------------------------------------
80 | Installed | 100 | 1.0.0.SNAPSHOT | APMS/EWM SAP File Distribution
karaf@root()> uninstall 80
karaf@root()> install mvn:com.intekon.customer.kc.ewm.web-service/ewm-sap-dist/1.0-SNAPSHOT
Bundle ID: 81
karaf@root()> uninstall 81
karaf@root()> logout
Connection to 127.0.0.1 closed.
sparrow-2:apache-karaf-3.0.0 paul$ bin/client
Logging in as karaf
566 [pool-2-thread-2] WARN org.apache.sshd.client.keyverifier.AcceptAllServerKeyVerifier - Server at /0.0.0.0:8101 presented unverified key:
__ __ ____
/ //_/____ __________ _/ __/
/ ,< / __ `/ ___/ __ `/ /_
/ /| |/ /_/ / / / /_/ / __/
/_/ |_|\__,_/_/ \__,_/_/
Apache Karaf (3.0.0)
Hit '<tab>' for a list of available commands
and '[cmd] --help' for help on a specific command.
Hit 'system:shutdown' to shutdown Karaf.
Hit '<ctrl-d>' or type 'logout' to disconnect shell from current session.
karaf@root()> install mvn:com.intekon.customer.kc.ewm.web-service/ewm-sap-dist/1.0-SNAPSHOT
Bundle ID: 82
karaf@root()> uninstall 82
Error executing command: Insufficient credentials.
karaf@root()> list
START LEVEL 100 , List Threshold: 50
ID | State | Lvl | Version | Name
----------------------------------------------------------------------
82 | Installed | 80 | 1.0.0.SNAPSHOT | APMS/EWM SAP File Distribution
karaf@root()> logout
sparrow-2:apache-karaf-3.0.0 paul$
***
* From data/log/karaf.log
***
2014-01-15 06:34:25,902 | INFO | e ssh user karaf | GuardProxyCatalog | 42 - org.apache.karaf.service.guard - 3.0.0 | Current user does not have required roles ([manager]) for service [org.apache.karaf.shell.console.CompletableFunction, org.apache.karaf.shell.console.commands.BlueprintCommand, org.apache.karaf.shell.commands.CommandWithAction, org.apache.felix.service.command.Function, org.apache.karaf.shell.commands.basic.AbstractCommand] method public java.lang.Object org.apache.karaf.shell.commands.basic.AbstractCommand.execute(org.apache.felix.service.command.CommandSession,java.util.List) throws java.lang.Exception and/or arguments
2014-01-15 06:34:25,902 | ERROR | e ssh user karaf | ShellUtil | 47 - org.apache.karaf.shell.console - 3.0.0 | Exception caught while executing command
java.lang.SecurityException: Insufficient credentials.
at org.apache.karaf.service.guard.impl.GuardProxyCatalog$ProxyInvocationListener.preInvoke(GuardProxyCatalog.java:527)
at org.apache.aries.proxy.impl.ProxyHandler$1.invoke(ProxyHandler.java:52)
at org.apache.aries.proxy.impl.ProxyHandler.invoke(ProxyHandler.java:119)
at org.apache.karaf.shell.console.commands.$BlueprintCommand1069614474.execute(Unknown Source)[47:org.apache.karaf.shell.console:3.0.0]
at org.apache.felix.gogo.runtime.CommandProxy.execute(CommandProxy.java:78)[47:org.apache.karaf.shell.console:3.0.0]
at org.apache.felix.gogo.runtime.Closure.executeCmd(Closure.java:477)[47:org.apache.karaf.shell.console:3.0.0]
at org.apache.felix.gogo.runtime.Closure.executeStatement(Closure.java:403)[47:org.apache.karaf.shell.console:3.0.0]
at org.apache.felix.gogo.runtime.Pipe.run(Pipe.java:108)[47:org.apache.karaf.shell.console:3.0.0]
at org.apache.felix.gogo.runtime.Closure.execute(Closure.java:183)[47:org.apache.karaf.shell.console:3.0.0]
at org.apache.felix.gogo.runtime.Closure.execute(Closure.java:120)[47:org.apache.karaf.shell.console:3.0.0]
at org.apache.felix.gogo.runtime.CommandSessionImpl.execute(CommandSessionImpl.java:89)
at org.apache.karaf.shell.console.impl.jline.ConsoleImpl$DelegateSession.execute(ConsoleImpl.java:497)
at org.apache.karaf.shell.console.impl.jline.ConsoleImpl.run(ConsoleImpl.java:198)
at java.lang.Thread.run(Thread.java:724)[:1.7.0_25]
at org.apache.karaf.shell.console.impl.jline.ConsoleFactoryService$3.doRun(ConsoleFactoryService.java:118)[47:org.apache.karaf.shell.console:3.0.0]
at org.apache.karaf.shell.console.impl.jline.ConsoleFactoryService$3$1.run(ConsoleFactoryService.java:109)
at java.security.AccessController.doPrivileged(Native Method)[:1.7.0_25]
at org.apache.karaf.jaas.modules.JaasHelper.doAs(JaasHelper.java:47)[48:org.apache.karaf.jaas.modules:3.0.0]
at org.apache.karaf.shell.console.impl.jline.ConsoleFactoryService$3.run(ConsoleFactoryService.java:107)[47:org.apache.karaf.shell.console:3.0.0]
On Jan 15, 2014, at 12:37 AM, Jean-Baptiste Onofré <jb...@nanthrax.net> wrote:
> Hi Paul,
>
> it's not a regression: command, services, and JMX security don't exist at all in 2.3.x, it's a new feature from 3.0.0.
>
> The local roles are defined in etc/system.properties:
>
> karaf.local.roles = admin,manager,viewer
>
> It's the roles used by the "local" console. When you use remote console (via ssh), Karaf uses the role of the user.
>
> If you take a look at etc/org.apache.karaf.command.acl.bundle.cfg, you can see:
>
> uninstall[/.*[-][f].*/] = admin
> uninstall = manager
>
> If you are manager, you can use uninstall for non system bundle (with start level greater than 80, so without requiring the -f option). To uninstall system bundle, you have to be admin (who can use the -f option for system bundle).
>
> Regards
> JB
>
> On 01/14/2014 10:34 PM, Paul Spencer wrote:
>> JB,
>> - The use case is successful in 2.3.x, so this sounds like a regression issue.
>>
>> - Per etc/system.properties, the local user has admin and manager roles.
>>
>> karaf@root()> jaas:realm-manage --index 1
>> karaf@root()> jaas:user-list
>> User Name | Group | Role
>> --------------------------------
>> karaf | admingroup | admin
>> karaf | admingroup | manager
>> karaf | admingroup | viewer
>> karaf@root()>
>>
>>
>> - The way I am reading etc/org.apache.karaf.command.acl.bundle.cfg, a user in the admin group can “install” a bundle and needs to be in the manager group to “uninstall” without the “-f” option.
>>
>> karaf@root()> bundle:uninstall 79
>> Error executing command: Insufficient credentials.
>> karaf@root()> bundle:uninstall -f 79
>> karaf@root()>
>>
>> So why is the “bundle:uninstall” command failing when the local user has the manager role?
>>
>> Paul Spencer
>>
>>
>>
>> On Jan 14, 2014, at 2:29 PM, Jean-Baptiste Onofré <jb...@nanthrax.net> wrote:
>>
>>> Hi Paul,
>>>
>>> take a look in the documentation:
>>>
>>> http://karaf.apache.org/manual/latest/users-guide/security.html
>>>
>>> in the console section.
>>>
>>> You will find the explanations about etc/org.apache.karaf.command.acl.<scope>.cfg files.
>>>
>>> Regards
>>> JB
>>>
>>> On 01/14/2014 07:14 PM, Paul Spencer wrote:
>>>> Karaf 3.0.0 running on Apple OSX Maverick (10.9.1)
>>>>
>>>> I am getting a "java.lang.SecurityException: Insufficient credentials.” error when executing various commands on a newly installed Karaf 3.0.0. The use case below is for uninstalling a bundle.
>>>>
>>>> Is there a configuration change I need to make?
>>>>
>>>> ***
>>>> * Use case
>>>> ***
>>>> 1) unzipped the distribution
>>>> 2) Start the Karaf server with bin/start
>>>> 3) Tail the log file until the JMX OSGi Agent is finished registering objects (about 30 seconds)
>>>> 4) Start the Karaf client with bin/client
>>>> 5) Install a bundle
>>>> 6) Uninstall the newly installed bundle
>>>>
>>>>
>>>> ***
>>>> * Command output
>>>> ***
>>>> karaf@root()> install mvn:com.intekon.customer.kc.ewm.web-service/ewm-sap-dist/1.0-SNAPSHOT
>>>> Bundle ID: 79
>>>> karaf@root()> uninstall 79
>>>> Error executing command: Insufficient credentials.
>>>> karaf@root()>
>>>>
>>>>
>>>> ***
>>>> * From karaf.log (I can post the full 28K log if necessary)
>>>> ***
>>>> 2014-01-14 12:50:07,960 | INFO | e ssh user karaf | GuardProxyCatalog | 42 - org.apache.karaf.service.guard - 3.0.0 | Current user does not have required roles ([manager]) for service [org.apache.karaf.shell.console.CompletableFunction, org.apache.karaf.shell.console.commands.BlueprintCommand, org.apache.karaf.shell.commands.CommandWithAction, org.apache.felix.service.command.Function, org.apache.karaf.shell.commands.basic.AbstractCommand] method public java.lang.Object org.apache.karaf.shell.commands.basic.AbstractCommand.execute(org.apache.felix.service.command.CommandSession,java.util.List) throws java.lang.Exception and/or arguments
>>>> 2014-01-14 12:50:07,960 | ERROR | e ssh user karaf | ShellUtil | 47 - org.apache.karaf.shell.console - 3.0.0 | Exception caught while executing command
>>>> java.lang.SecurityException: Insufficient credentials.
>>>> at org.apache.karaf.service.guard.impl.GuardProxyCatalog$ProxyInvocationListener.preInvoke(GuardProxyCatalog.java:527)
>>>> at org.apache.aries.proxy.impl.ProxyHandler$1.invoke(ProxyHandler.java:52)
>>>> at org.apache.aries.proxy.impl.ProxyHandler.invoke(ProxyHandler.java:119)
>>>> at org.apache.karaf.shell.console.commands.$BlueprintCommand474733692.execute(Unknown Source)[47:org.apache.karaf.shell.console:3.0.0]
>>>> at org.apache.felix.gogo.runtime.CommandProxy.execute(CommandProxy.java:78)[47:org.apache.karaf.shell.console:3.0.0]
>>>> at org.apache.felix.gogo.runtime.Closure.executeCmd(Closure.java:477)[47:org.apache.karaf.shell.console:3.0.0]
>>>> at org.apache.felix.gogo.runtime.Closure.executeStatement(Closure.java:403)[47:org.apache.karaf.shell.console:3.0.0]
>>>> at org.apache.felix.gogo.runtime.Pipe.run(Pipe.java:108)[47:org.apache.karaf.shell.console:3.0.0]
>>>> at org.apache.felix.gogo.runtime.Closure.execute(Closure.java:183)[47:org.apache.karaf.shell.console:3.0.0]
>>>> at org.apache.felix.gogo.runtime.Closure.execute(Closure.java:120)[47:org.apache.karaf.shell.console:3.0.0]
>>>> at org.apache.felix.gogo.runtime.CommandSessionImpl.execute(CommandSessionImpl.java:89)
>>>> at org.apache.karaf.shell.console.impl.jline.ConsoleImpl$DelegateSession.execute(ConsoleImpl.java:497)
>>>> at org.apache.karaf.shell.console.impl.jline.ConsoleImpl.run(ConsoleImpl.java:198)
>>>> at java.lang.Thread.run(Thread.java:724)[:1.7.0_25]
>>>> at org.apache.karaf.shell.console.impl.jline.ConsoleFactoryService$3.doRun(ConsoleFactoryService.java:118)[47:org.apache.karaf.shell.console:3.0.0]
>>>> at org.apache.karaf.shell.console.impl.jline.ConsoleFactoryService$3$1.run(ConsoleFactoryService.java:109)
>>>> at java.security.AccessController.doPrivileged(Native Method)[:1.7.0_25]
>>>> at org.apache.karaf.jaas.modules.JaasHelper.doAs(JaasHelper.java:47)[48:org.apache.karaf.jaas.modules:3.0.0]
>>>> at org.apache.karaf.shell.console.impl.jline.ConsoleFactoryService$3.run(ConsoleFactoryService.java:107)[47:org.apache.karaf.shell.console:3.0.0]
>>>>
>>>> Paul Spencer
>>>>
>>>>
>>>
>>> --
>>> Jean-Baptiste Onofré
>>> jbonofre@apache.org
>>> http://blog.nanthrax.net
>>> Talend - http://www.talend.com
>>
>
> --
> Jean-Baptiste Onofré
> jbonofre@apache.org
> http://blog.nanthrax.net
> Talend - http://www.talend.com
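Denials like the one logged above can be pulled out of data/log/karaf.log mechanically. The following is an added example, not part of the original message or Karaf's own code; the sample lines are constructed in the format of the log quoted in the thread (service list shortened, first line invented), and `parse_records` and `find_denials` are hypothetical names.

```python
import re
from typing import List, NamedTuple, Tuple

# Constructed sample in the pipe-delimited layout shown in the thread.
SAMPLE_LOG = """\
2014-01-15 06:34:20,115 | INFO | e ssh user karaf | ExampleLogger | 1 - example.bundle - 1.0.0 | constructed unrelated line
2014-01-15 06:34:25,902 | INFO | e ssh user karaf | GuardProxyCatalog | 42 - org.apache.karaf.service.guard - 3.0.0 | Current user does not have required roles ([manager]) for service [org.apache.felix.service.command.Function, org.apache.karaf.shell.commands.basic.AbstractCommand] method public java.lang.Object org.apache.karaf.shell.commands.basic.AbstractCommand.execute(org.apache.felix.service.command.CommandSession,java.util.List) throws java.lang.Exception and/or arguments
2014-01-15 06:34:25,902 | ERROR | e ssh user karaf | ShellUtil | 47 - org.apache.karaf.shell.console - 3.0.0 | Exception caught while executing command
java.lang.SecurityException: Insufficient credentials.
 at org.apache.karaf.service.guard.impl.GuardProxyCatalog$ProxyInvocationListener.preInvoke(GuardProxyCatalog.java:527)
"""

# A new record starts with a timestamp; anything else is a continuation line.
RECORD_START = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3} \| ")
DENIAL = re.compile(
    r"Current user does not have required roles \(\[(?P<roles>[^\]]*)\]\) "
    r"for service \[(?P<services>[^\]]*)\] method (?P<method>.+?) and/or arguments$"
)


class Record(NamedTuple):
    timestamp: str
    level: str
    thread: str
    logger: str
    bundle: str
    message: str
    extra: Tuple[str, ...]  # continuation lines, e.g. a stack trace


class Denial(NamedTuple):
    timestamp: str
    thread: str
    required_roles: Tuple[str, ...]
    method: str
    surfaced_as_exception: bool


def parse_records(text: str) -> List[Record]:
    """Split the log into records, attaching stack-trace lines to their record."""
    raw: list = []
    for line in text.splitlines():
        if RECORD_START.match(line):
            fields = [f.strip() for f in line.split(" | ", 5)]
            if len(fields) == 6:
                raw.append(fields + [[]])
                continue
        if raw and line.strip():
            raw[-1][6].append(line.strip())
    return [Record(*r[:6], tuple(r[6])) for r in raw]


def find_denials(text: str) -> List[Denial]:
    """Return every GuardProxyCatalog role denial, noting whether the next
    record on the same thread is an ERROR carrying a SecurityException."""
    records = parse_records(text)
    denials = []
    for i, rec in enumerate(records):
        if rec.logger != "GuardProxyCatalog":
            continue
        m = DENIAL.search(rec.message)
        if m is None:
            continue
        roles = tuple(r.strip() for r in m["roles"].split(",") if r.strip())
        nxt = records[i + 1] if i + 1 < len(records) else None
        surfaced = bool(
            nxt
            and nxt.level == "ERROR"
            and nxt.thread == rec.thread
            and any("java.lang.SecurityException" in l for l in nxt.extra)
        )
        denials.append(Denial(rec.timestamp, rec.thread, roles, m["method"], surfaced))
    return denials


if __name__ == "__main__":
    for d in find_denials(SAMPLE_LOG):
        print(d.timestamp, d.thread, "needs one of", d.required_roles,
              "-> exception" if d.surfaced_as_exception else "")
```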
Re: Getting a "java.lang.SecurityException: Insufficient credentials.” error when executing various commands in Karaf 3.0.0
Posted by Jean-Baptiste Onofré <jb...@nanthrax.net>.
Hi Paul,
it's not a regression: command, services, and JMX security don't exist
at all in 2.3.x, it's a new feature from 3.0.0.
The local roles are defined in etc/system.properties:
karaf.local.roles = admin,manager,viewer
It's the roles used by the "local" console. When you use remote console
(via ssh), Karaf uses the role of the user.
If you take a look at etc/org.apache.karaf.command.acl.bundle.cfg, you
can see:
uninstall[/.*[-][f].*/] = admin
uninstall = manager
If you are manager, you can use uninstall for non system bundle (with
start level greater than 80, so without requiring the -f option). To
uninstall system bundle, you have to be admin (who can use the -f option
for system bundle).
Regards
JB
On 01/14/2014 10:34 PM, Paul Spencer wrote:
> JB,
> - The use case is successful in 2.3.x, so this sounds like a regression issue.
>
> - Per etc/system.properties, the local user has admin and manager roles.
>
> karaf@root()> jaas:realm-manage --index 1
> karaf@root()> jaas:user-list
> User Name | Group | Role
> --------------------------------
> karaf | admingroup | admin
> karaf | admingroup | manager
> karaf | admingroup | viewer
> karaf@root()>
>
>
> - The way I am reading etc/org.apache.karaf.command.acl.bundle.cfg, a user in the admin group can “install” a bundle and needs to be in the manager group to “uninstall” without the “-f” option.
>
> karaf@root()> bundle:uninstall 79
> Error executing command: Insufficient credentials.
> karaf@root()> bundle:uninstall -f 79
> karaf@root()>
>
> So why is the “bundle:uninstall” command failing when the local user has the manager role?
>
> Paul Spencer
>
>
>
> On Jan 14, 2014, at 2:29 PM, Jean-Baptiste Onofré <jb...@nanthrax.net> wrote:
>
>> Hi Paul,
>>
>> take a look in the documentation:
>>
>> http://karaf.apache.org/manual/latest/users-guide/security.html
>>
>> in the console section.
>>
>> You will find the explanations about etc/org.apache.karaf.command.acl.<scope>.cfg files.
>>
>> Regards
>> JB
>>
>> On 01/14/2014 07:14 PM, Paul Spencer wrote:
>>> Karaf 3.0.0 running on Apple OSX Maverick (10.9.1)
>>>
>>> I am getting a "java.lang.SecurityException: Insufficient credentials.” error when executing various commands on a newly installed Karaf 3.0.0. The use case below is for uninstalling a bundle.
>>>
>>> Is there a configuration change I need to make?
>>>
>>> ***
>>> * Use case
>>> ***
>>> 1) unzipped the distribution
>>> 2) Start the Karaf server with bin/start
>>> 3) Tail the log file until the JMX OSGi Agent is finished registering objects (about 30 seconds)
>>> 4) Start the Karaf client with bin/client
>>> 5) Install a bundle
>>> 6) Uninstall the newly installed bundle
>>>
>>>
>>> ***
>>> * Command output
>>> ***
>>> karaf@root()> install mvn:com.intekon.customer.kc.ewm.web-service/ewm-sap-dist/1.0-SNAPSHOT
>>> Bundle ID: 79
>>> karaf@root()> uninstall 79
>>> Error executing command: Insufficient credentials.
>>> karaf@root()>
>>>
>>>
>>> ***
>>> * From karaf.log (I can post the full 28K log if necessary)
>>> ***
>>> 2014-01-14 12:50:07,960 | INFO | e ssh user karaf | GuardProxyCatalog | 42 - org.apache.karaf.service.guard - 3.0.0 | Current user does not have required roles ([manager]) for service [org.apache.karaf.shell.console.CompletableFunction, org.apache.karaf.shell.console.commands.BlueprintCommand, org.apache.karaf.shell.commands.CommandWithAction, org.apache.felix.service.command.Function, org.apache.karaf.shell.commands.basic.AbstractCommand] method public java.lang.Object org.apache.karaf.shell.commands.basic.AbstractCommand.execute(org.apache.felix.service.command.CommandSession,java.util.List) throws java.lang.Exception and/or arguments
>>> 2014-01-14 12:50:07,960 | ERROR | e ssh user karaf | ShellUtil | 47 - org.apache.karaf.shell.console - 3.0.0 | Exception caught while executing command
>>> java.lang.SecurityException: Insufficient credentials.
>>> at org.apache.karaf.service.guard.impl.GuardProxyCatalog$ProxyInvocationListener.preInvoke(GuardProxyCatalog.java:527)
>>> at org.apache.aries.proxy.impl.ProxyHandler$1.invoke(ProxyHandler.java:52)
>>> at org.apache.aries.proxy.impl.ProxyHandler.invoke(ProxyHandler.java:119)
>>> at org.apache.karaf.shell.console.commands.$BlueprintCommand474733692.execute(Unknown Source)[47:org.apache.karaf.shell.console:3.0.0]
>>> at org.apache.felix.gogo.runtime.CommandProxy.execute(CommandProxy.java:78)[47:org.apache.karaf.shell.console:3.0.0]
>>> at org.apache.felix.gogo.runtime.Closure.executeCmd(Closure.java:477)[47:org.apache.karaf.shell.console:3.0.0]
>>> at org.apache.felix.gogo.runtime.Closure.executeStatement(Closure.java:403)[47:org.apache.karaf.shell.console:3.0.0]
>>> at org.apache.felix.gogo.runtime.Pipe.run(Pipe.java:108)[47:org.apache.karaf.shell.console:3.0.0]
>>> at org.apache.felix.gogo.runtime.Closure.execute(Closure.java:183)[47:org.apache.karaf.shell.console:3.0.0]
>>> at org.apache.felix.gogo.runtime.Closure.execute(Closure.java:120)[47:org.apache.karaf.shell.console:3.0.0]
>>> at org.apache.felix.gogo.runtime.CommandSessionImpl.execute(CommandSessionImpl.java:89)
>>> at org.apache.karaf.shell.console.impl.jline.ConsoleImpl$DelegateSession.execute(ConsoleImpl.java:497)
>>> at org.apache.karaf.shell.console.impl.jline.ConsoleImpl.run(ConsoleImpl.java:198)
>>> at java.lang.Thread.run(Thread.java:724)[:1.7.0_25]
>>> at org.apache.karaf.shell.console.impl.jline.ConsoleFactoryService$3.doRun(ConsoleFactoryService.java:118)[47:org.apache.karaf.shell.console:3.0.0]
>>> at org.apache.karaf.shell.console.impl.jline.ConsoleFactoryService$3$1.run(ConsoleFactoryService.java:109)
>>> at java.security.AccessController.doPrivileged(Native Method)[:1.7.0_25]
>>> at org.apache.karaf.jaas.modules.JaasHelper.doAs(JaasHelper.java:47)[48:org.apache.karaf.jaas.modules:3.0.0]
>>> at org.apache.karaf.shell.console.impl.jline.ConsoleFactoryService$3.run(ConsoleFactoryService.java:107)[47:org.apache.karaf.shell.console:3.0.0]
>>>
>>> Paul Spencer
>>>
>>>
>>
>> --
>> Jean-Baptiste Onofré
>> jbonofre@apache.org
>> http://blog.nanthrax.net
>> Talend - http://www.talend.com
>
--
Jean-Baptiste Onofré
jbonofre@apache.org
http://blog.nanthrax.net
Talend - http://www.talend.com
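The two ACL rules quoted in this reply, run through a simplified evaluator together with the outcomes reported elsewhere in the thread (an added example, not Karaf's own code and not part of the original messages). It assumes the bracketed regex is matched against the space-joined arguments, that an argument-specific rule overrides the plain one, that holding any listed role is enough, and that a command with no rule is unrestricted; all function names are hypothetical.

```python
import re
from itertools import combinations
from typing import List, NamedTuple, Optional, Sequence

# Rules quoted in the thread from etc/org.apache.karaf.command.acl.bundle.cfg
ACL_TEXT = """\
uninstall[/.*[-][f].*/] = admin
uninstall = manager
"""

# karaf.local.roles as shown in etc/system.properties
LOCAL_ROLES = frozenset("admin,manager,viewer".split(","))

# Outcomes reported in the thread: plain uninstall denied, uninstall -f accepted.
OBSERVED = [
    ("uninstall", ["79"], False),
    ("uninstall", ["-f", "79"], True),
]


class Rule(NamedTuple):
    command: str
    arg_regex: Optional[re.Pattern]  # None: rule applies whatever the arguments
    roles: frozenset


_RULE = re.compile(r"^(?P<cmd>[^\[\s=]+)(?:\[/(?P<rx>.*)/\])?\s*=\s*(?P<roles>.+)$")


def parse_acl(text: str) -> List[Rule]:
    """Parse 'command[/regex/] = role1,role2' lines, skipping blanks and comments."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _RULE.match(line)
        if m is None:
            raise ValueError(f"unparseable ACL line: {raw!r}")
        rx = re.compile(m["rx"]) if m["rx"] is not None else None
        roles = frozenset(r.strip() for r in m["roles"].split(",") if r.strip())
        rules.append(Rule(m["cmd"], rx, roles))
    return rules


def required_roles(rules: Sequence[Rule], command: str,
                   args: Sequence[str]) -> Optional[frozenset]:
    """Roles demanded for this invocation, or None when no rule applies."""
    arg_string = " ".join(args)  # assumption: regex sees the joined arguments
    general = None
    for rule in rules:
        if rule.command != command:
            continue
        if rule.arg_regex is None:
            general = rule.roles
        elif rule.arg_regex.fullmatch(arg_string):
            return rule.roles  # assumption: argument-specific rule wins
    return general


def is_allowed(rules, command, args, user_roles) -> bool:
    needed = required_roles(rules, command, args)
    return needed is None or bool(needed & set(user_roles))


def consistent_role_sets(rules, observations, universe) -> List[set]:
    """Every subset of `universe` that reproduces all observed allow/deny outcomes."""
    names = sorted(universe)
    matches = []
    for n in range(len(names) + 1):
        for combo in combinations(names, n):
            if all(is_allowed(rules, c, a, combo) == ok for c, a, ok in observations):
                matches.append(set(combo))
    return matches


if __name__ == "__main__":
    rules = parse_acl(ACL_TEXT)
    print("configured local roles allow plain uninstall:",
          is_allowed(rules, "uninstall", ["79"], LOCAL_ROLES))
    print("role sets matching the observed session:",
          consistent_role_sets(rules, OBSERVED, LOCAL_ROLES))
```

Under these assumptions the configured role set would permit both invocations, while the observed pair of outcomes only fits a session that holds admin but not manager, which agrees with the `required roles ([manager])` log line.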
Re: Getting a "java.lang.SecurityException: Insufficient credentials.” error when executing various commands in Karaf 3.0.0
Posted by Paul Spencer <pa...@apache.org>.
JB,
- The use case is successful in 2.3.x, so this sounds like a regression issue.
- Per etc/system.properties, the local user has admin and manager roles.
karaf@root()> jaas:realm-manage --index 1
karaf@root()> jaas:user-list
User Name | Group | Role
--------------------------------
karaf | admingroup | admin
karaf | admingroup | manager
karaf | admingroup | viewer
karaf@root()>
- The way I am reading etc/org.apache.karaf.command.acl.bundle.cfg, a user in the admin group can “install” a bundle and needs to be in the manager group to “uninstall” without the “-f” option.
karaf@root()> bundle:uninstall 79
Error executing command: Insufficient credentials.
karaf@root()> bundle:uninstall -f 79
karaf@root()>
So why is the “bundle:uninstall” command failing when the local user has the manager role?
Paul Spencer
On Jan 14, 2014, at 2:29 PM, Jean-Baptiste Onofré <jb...@nanthrax.net> wrote:
> Hi Paul,
>
> take a look in the documentation:
>
> http://karaf.apache.org/manual/latest/users-guide/security.html
>
> in the console section.
>
> You will find the explanations about etc/org.apache.karaf.command.acl.<scope>.cfg files.
>
> Regards
> JB
>
> On 01/14/2014 07:14 PM, Paul Spencer wrote:
>> Karaf 3.0.0 running on Apple OSX Maverick (10.9.1)
>>
>> I am getting a "java.lang.SecurityException: Insufficient credentials.” error when executing various commands on a newly installed Karaf 3.0.0. The use case below is for uninstalling a bundle.
>>
>> Is there a configuration change I need to make?
>>
>> ***
>> * Use case
>> ***
>> 1) unzipped the distribution
>> 2) Start the Karaf server with bin/start
>> 3) Tail the log file until the JMX OSGi Agent is finished registering objects (about 30 seconds)
>> 4) Start the Karaf client with bin/client
>> 5) Install a bundle
>> 6) Uninstall the newly installed bundle
>>
>>
>> ***
>> * Command output
>> ***
>> karaf@root()> install mvn:com.intekon.customer.kc.ewm.web-service/ewm-sap-dist/1.0-SNAPSHOT
>> Bundle ID: 79
>> karaf@root()> uninstall 79
>> Error executing command: Insufficient credentials.
>> karaf@root()>
>>
>>
>> ***
>> * From karaf.log (I can post the full 28K log if necessary)
>> ***
>> 2014-01-14 12:50:07,960 | INFO | e ssh user karaf | GuardProxyCatalog | 42 - org.apache.karaf.service.guard - 3.0.0 | Current user does not have required roles ([manager]) for service [org.apache.karaf.shell.console.CompletableFunction, org.apache.karaf.shell.console.commands.BlueprintCommand, org.apache.karaf.shell.commands.CommandWithAction, org.apache.felix.service.command.Function, org.apache.karaf.shell.commands.basic.AbstractCommand] method public java.lang.Object org.apache.karaf.shell.commands.basic.AbstractCommand.execute(org.apache.felix.service.command.CommandSession,java.util.List) throws java.lang.Exception and/or arguments
>> 2014-01-14 12:50:07,960 | ERROR | e ssh user karaf | ShellUtil | 47 - org.apache.karaf.shell.console - 3.0.0 | Exception caught while executing command
>> java.lang.SecurityException: Insufficient credentials.
>> at org.apache.karaf.service.guard.impl.GuardProxyCatalog$ProxyInvocationListener.preInvoke(GuardProxyCatalog.java:527)
>> at org.apache.aries.proxy.impl.ProxyHandler$1.invoke(ProxyHandler.java:52)
>> at org.apache.aries.proxy.impl.ProxyHandler.invoke(ProxyHandler.java:119)
>> at org.apache.karaf.shell.console.commands.$BlueprintCommand474733692.execute(Unknown Source)[47:org.apache.karaf.shell.console:3.0.0]
>> at org.apache.felix.gogo.runtime.CommandProxy.execute(CommandProxy.java:78)[47:org.apache.karaf.shell.console:3.0.0]
>> at org.apache.felix.gogo.runtime.Closure.executeCmd(Closure.java:477)[47:org.apache.karaf.shell.console:3.0.0]
>> at org.apache.felix.gogo.runtime.Closure.executeStatement(Closure.java:403)[47:org.apache.karaf.shell.console:3.0.0]
>> at org.apache.felix.gogo.runtime.Pipe.run(Pipe.java:108)[47:org.apache.karaf.shell.console:3.0.0]
>> at org.apache.felix.gogo.runtime.Closure.execute(Closure.java:183)[47:org.apache.karaf.shell.console:3.0.0]
>> at org.apache.felix.gogo.runtime.Closure.execute(Closure.java:120)[47:org.apache.karaf.shell.console:3.0.0]
>> at org.apache.felix.gogo.runtime.CommandSessionImpl.execute(CommandSessionImpl.java:89)
>> at org.apache.karaf.shell.console.impl.jline.ConsoleImpl$DelegateSession.execute(ConsoleImpl.java:497)
>> at org.apache.karaf.shell.console.impl.jline.ConsoleImpl.run(ConsoleImpl.java:198)
>> at java.lang.Thread.run(Thread.java:724)[:1.7.0_25]
>> at org.apache.karaf.shell.console.impl.jline.ConsoleFactoryService$3.doRun(ConsoleFactoryService.java:118)[47:org.apache.karaf.shell.console:3.0.0]
>> at org.apache.karaf.shell.console.impl.jline.ConsoleFactoryService$3$1.run(ConsoleFactoryService.java:109)
>> at java.security.AccessController.doPrivileged(Native Method)[:1.7.0_25]
>> at org.apache.karaf.jaas.modules.JaasHelper.doAs(JaasHelper.java:47)[48:org.apache.karaf.jaas.modules:3.0.0]
>> at org.apache.karaf.shell.console.impl.jline.ConsoleFactoryService$3.run(ConsoleFactoryService.java:107)[47:org.apache.karaf.shell.console:3.0.0]
>>
>> Paul Spencer
>>
>>
>
> --
> Jean-Baptiste Onofré
> jbonofre@apache.org
> http://blog.nanthrax.net
> Talend - http://www.talend.com
Re: Getting a "java.lang.SecurityException: Insufficient credentials.” error when executing various commands in Karaf 3.0.0
Posted by Jean-Baptiste Onofré <jb...@nanthrax.net>.
Hi Paul,
take a look in the documentation:
http://karaf.apache.org/manual/latest/users-guide/security.html
in the console section.
You will find the explanations about
etc/org.apache.karaf.command.acl.<scope>.cfg files.
Regards
JB
On 01/14/2014 07:14 PM, Paul Spencer wrote:
> Karaf 3.0.0 running on Apple OSX Maverick (10.9.1)
>
> I am getting a "java.lang.SecurityException: Insufficient credentials.” error when executing various commands on a newly installed Karaf 3.0.0. The use case below is for uninstalling a bundle.
>
> Is there a configuration change I need to make?
>
> ***
> * Use case
> ***
> 1) unzipped the distribution
> 2) Start the Karaf server with bin/start
> 3) Tail the log file until the JMX OSGi Agent is finished registering objects (about 30 seconds)
> 4) Start the Karaf client with bin/client
> 5) Install a bundle
> 6) Uninstall the newly installed bundle
>
>
> ***
> * Command output
> ***
> karaf@root()> install mvn:com.intekon.customer.kc.ewm.web-service/ewm-sap-dist/1.0-SNAPSHOT
> Bundle ID: 79
> karaf@root()> uninstall 79
> Error executing command: Insufficient credentials.
> karaf@root()>
>
>
> ***
> * From karaf.log (I can post the full 28K log if necessary)
> ***
> 2014-01-14 12:50:07,960 | INFO | e ssh user karaf | GuardProxyCatalog | 42 - org.apache.karaf.service.guard - 3.0.0 | Current user does not have required roles ([manager]) for service [org.apache.karaf.shell.console.CompletableFunction, org.apache.karaf.shell.console.commands.BlueprintCommand, org.apache.karaf.shell.commands.CommandWithAction, org.apache.felix.service.command.Function, org.apache.karaf.shell.commands.basic.AbstractCommand] method public java.lang.Object org.apache.karaf.shell.commands.basic.AbstractCommand.execute(org.apache.felix.service.command.CommandSession,java.util.List) throws java.lang.Exception and/or arguments
> 2014-01-14 12:50:07,960 | ERROR | e ssh user karaf | ShellUtil | 47 - org.apache.karaf.shell.console - 3.0.0 | Exception caught while executing command
> java.lang.SecurityException: Insufficient credentials.
> at org.apache.karaf.service.guard.impl.GuardProxyCatalog$ProxyInvocationListener.preInvoke(GuardProxyCatalog.java:527)
> at org.apache.aries.proxy.impl.ProxyHandler$1.invoke(ProxyHandler.java:52)
> at org.apache.aries.proxy.impl.ProxyHandler.invoke(ProxyHandler.java:119)
> at org.apache.karaf.shell.console.commands.$BlueprintCommand474733692.execute(Unknown Source)[47:org.apache.karaf.shell.console:3.0.0]
> at org.apache.felix.gogo.runtime.CommandProxy.execute(CommandProxy.java:78)[47:org.apache.karaf.shell.console:3.0.0]
> at org.apache.felix.gogo.runtime.Closure.executeCmd(Closure.java:477)[47:org.apache.karaf.shell.console:3.0.0]
> at org.apache.felix.gogo.runtime.Closure.executeStatement(Closure.java:403)[47:org.apache.karaf.shell.console:3.0.0]
> at org.apache.felix.gogo.runtime.Pipe.run(Pipe.java:108)[47:org.apache.karaf.shell.console:3.0.0]
> at org.apache.felix.gogo.runtime.Closure.execute(Closure.java:183)[47:org.apache.karaf.shell.console:3.0.0]
> at org.apache.felix.gogo.runtime.Closure.execute(Closure.java:120)[47:org.apache.karaf.shell.console:3.0.0]
> at org.apache.felix.gogo.runtime.CommandSessionImpl.execute(CommandSessionImpl.java:89)
> at org.apache.karaf.shell.console.impl.jline.ConsoleImpl$DelegateSession.execute(ConsoleImpl.java:497)
> at org.apache.karaf.shell.console.impl.jline.ConsoleImpl.run(ConsoleImpl.java:198)
> at java.lang.Thread.run(Thread.java:724)[:1.7.0_25]
> at org.apache.karaf.shell.console.impl.jline.ConsoleFactoryService$3.doRun(ConsoleFactoryService.java:118)[47:org.apache.karaf.shell.console:3.0.0]
> at org.apache.karaf.shell.console.impl.jline.ConsoleFactoryService$3$1.run(ConsoleFactoryService.java:109)
> at java.security.AccessController.doPrivileged(Native Method)[:1.7.0_25]
> at org.apache.karaf.jaas.modules.JaasHelper.doAs(JaasHelper.java:47)[48:org.apache.karaf.jaas.modules:3.0.0]
> at org.apache.karaf.shell.console.impl.jline.ConsoleFactoryService$3.run(ConsoleFactoryService.java:107)[47:org.apache.karaf.shell.console:3.0.0]
>
> Paul Spencer
>
>
--
Jean-Baptiste Onofré
jbonofre@apache.org
http://blog.nanthrax.net
Talend - http://www.talend.com
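
Added example, not part of the original thread and not Karaf code: a small Python check that reads GuardProxyCatalog denial lines like the one quoted above and compares the required roles with what a user holds in etc/users.properties. The function names, the `user = password,role,...` layout with `_g_:` group references, the any-one-role-suffices rule and all sample data are assumptions or constructed for illustration.

```python
import re

# Denial line format as written by GuardProxyCatalog in the thread's karaf.log.
DENIAL = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d [\d:,]+) \| INFO\s*\|.*\| GuardProxyCatalog\s*\|"
    r".*does not have required roles \(\[(?P<roles>[^\]]*)\]\)"
)

def roles_of(users_properties, user):
    """Roles granted to `user`; assumes 'user = password,role,...' entries."""
    entries = {}
    for line in users_properties.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        entries[key.strip().replace("\\:", ":")] = [v.strip() for v in value.split(",")]
    roles = set()
    for field in entries.get(user, [])[1:]:           # field 0 is the password
        if field.startswith("_g_:"):                  # group reference (assumed syntax)
            roles.update(entries.get(field, [])[1:])  # field 0 is the literal "group"
        else:
            roles.add(field)
    return roles

def missing_roles(log_text, users_properties, user):
    """For each logged denial, list the required roles if `user` holds none of them."""
    held = roles_of(users_properties, user)
    report = []
    for line in log_text.splitlines():
        m = DENIAL.search(line)
        if not m:
            continue
        required = {r.strip() for r in m.group("roles").split(",") if r.strip()}
        if not required & held:   # assumed: holding any one listed role is enough
            report.append((m.group("ts"), sorted(required)))
    return report

# Constructed sample: the thread's log line with the service list shortened.
SAMPLE_LOG = (
    "2014-01-14 12:50:07,960 | INFO | e ssh user karaf | GuardProxyCatalog | "
    "42 - org.apache.karaf.service.guard - 3.0.0 | Current user does not have "
    "required roles ([manager]) for service [org.apache.felix.service.command.Function]\n"
)
USERS_BEFORE = "karaf = karaf,admin\n"                 # constructed: admin only
USERS_AFTER = "karaf = karaf,admin,manager,viewer\n"   # constructed: roles added

if __name__ == "__main__":
    print(missing_roles(SAMPLE_LOG, USERS_BEFORE, "karaf"))
    print(missing_roles(SAMPLE_LOG, USERS_AFTER, "karaf"))
```

The role a command requires comes from the matching etc/org.apache.karaf.command.acl.<scope>.cfg entry, so the alternative to granting the user another role is changing the role listed there.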