Repository: karaf Updated Branches: refs/heads/karaf-2.x 25e5df29f -> 1bcd032e8
[KARAF-2934]Role-based security for Shell/Console commands - backport to 2.x branch-more changes for the shell command acl files Project: http://git-wip-us.apache.org/repos/asf/karaf/repo Commit: http://git-wip-us.apache.org/repos/asf/karaf/commit/1bcd032e Tree: http://git-wip-us.apache.org/repos/asf/karaf/tree/1bcd032e Diff: http://git-wip-us.apache.org/repos/asf/karaf/diff/1bcd032e Branch: refs/heads/karaf-2.x Commit: 1bcd032e84c38b94baa36cffa3e1847d849ed0eb Parents: 25e5df2 Author: Freeman Fang <[email protected]> Authored: Wed May 7 12:49:24 2014 +0800 Committer: Freeman Fang <[email protected]> Committed: Wed May 7 12:49:24 2014 +0800 ---------------------------------------------------------------------- .../etc/org.apache.karaf.command.acl.config.cfg | 28 +++++++-------- .../org.apache.karaf.command.acl.features.cfg | 2 +- .../etc/org.apache.karaf.command.acl.jaas.cfg | 2 +- .../etc/org.apache.karaf.command.acl.osgi.cfg | 36 ++++++++++++++++---- .../etc/org.apache.karaf.command.acl.shell.cfg | 2 +- .../apache/karaf/itests/SshCommandTestBase.java | 3 +- 6 files changed, 48 insertions(+), 25 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/karaf/blob/1bcd032e/assemblies/apache-karaf/src/main/distribution/text/etc/org.apache.karaf.command.acl.config.cfg ---------------------------------------------------------------------- diff --git a/assemblies/apache-karaf/src/main/distribution/text/etc/org.apache.karaf.command.acl.config.cfg b/assemblies/apache-karaf/src/main/distribution/text/etc/org.apache.karaf.command.acl.config.cfg index e9a5be2..69a4705 100644 --- a/assemblies/apache-karaf/src/main/distribution/text/etc/org.apache.karaf.command.acl.config.cfg +++ b/assemblies/apache-karaf/src/main/distribution/text/etc/org.apache.karaf.command.acl.config.cfg 
@@ -21,7 +21,7 @@ # This configuration file defines the ACLs for various commands in the config subshell # # For an explanation of the syntax of this file, see the file: -# org.apache.karaf.command.acl.system.cfg +# org.apache.karaf.command.acl.osgi.cfg # cancel = manager @@ -30,16 +30,16 @@ edit = manager edit[/.*jmx[.]acl.*/] = admin edit[/.*org[.]apache[.]karaf[.]command[.]acl[.].+/] = admin edit[/.*org[.]apache[.]karaf[.]service[.]acl[.].+/] = admin -property-append = manager -property-append[/.*jmx[.]acl.*/] = admin -property-append[/.*org[.]apache[.]karaf[.]command[.]acl[.].+/] = admin -property-append[/.*org[.]apache[.]karaf[.]service[.]acl[.].+/] = admin -property-delete = manager -property-delete[/.*jmx[.]acl.*/] = admin -property-delete[/.*org[.]apache[.]karaf[.]command[.]acl[.].+/] = admin -property-delete[/.*org[.]apache[.]karaf[.]service[.]acl[.].+/] = admin -property-set = manager -property-set[/.*jmx[.]acl.*/] = admin -property-set[/.*org[.]apache[.]karaf[.]command[.]acl[.].+/] = admin -property-set[/.*org[.]apache[.]karaf[.]service[.]acl[.].+/] = admin -update = manager \ No newline at end of file +propappend = manager +propappend[/.*jmx[.]acl.*/] = admin +propappend[/.*org[.]apache[.]karaf[.]command[.]acl[.].+/] = admin +propappend[/.*org[.]apache[.]karaf[.]service[.]acl[.].+/] = admin +propdel = manager +propdel[/.*jmx[.]acl.*/] = admin +propdel[/.*org[.]apache[.]karaf[.]command[.]acl[.].+/] = admin +propdel[/.*org[.]apache[.]karaf[.]service[.]acl[.].+/] = admin +propset = manager +propset[/.*jmx[.]acl.*/] = admin +propset[/.*org[.]apache[.]karaf[.]command[.]acl[.].+/] = admin +propset[/.*org[.]apache[.]karaf[.]service[.]acl[.].+/] = admin +update = manager http://git-wip-us.apache.org/repos/asf/karaf/blob/1bcd032e/assemblies/apache-karaf/src/main/distribution/text/etc/org.apache.karaf.command.acl.features.cfg ---------------------------------------------------------------------- 
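Review bot: The renamed keys in the second hunk (`propappend`, `propdel`, `propset`) are only effective if they match the command names of this branch exactly, and nothing in the file says so. The syntax description this commit adds to org.apache.karaf.command.acl.osgi.cfg states that a command with no matching entry can be invoked by any user, so a key that drifts from the real command name fails open rather than closed; the old `property-*` keys presumably had that effect on 2.x. I would add a comment above the entries such as `# Keys must match this Karaf version's command names exactly; a command with no matching key is not restricted to any role`. An integration test asserting that a non-manager user is refused `config:propset` would catch the same drift in future.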
diff --git a/assemblies/apache-karaf/src/main/distribution/text/etc/org.apache.karaf.command.acl.features.cfg b/assemblies/apache-karaf/src/main/distribution/text/etc/org.apache.karaf.command.acl.features.cfg
index fd41ab9..175fdf9 100644
--- a/assemblies/apache-karaf/src/main/distribution/text/etc/org.apache.karaf.command.acl.features.cfg
+++ b/assemblies/apache-karaf/src/main/distribution/text/etc/org.apache.karaf.command.acl.features.cfg
@@ -21,7 +21,7 @@
 # This configuration file defines the ACLs for commands in the kar subshell
 #
 # For an explanation of the syntax of this file, see the file:
-# org.apache.karaf.command.acl.system.cfg
+# org.apache.karaf.command.acl.osgi.cfg
 #
 install = admin
 uninstall = admin
http://git-wip-us.apache.org/repos/asf/karaf/blob/1bcd032e/assemblies/apache-karaf/src/main/distribution/text/etc/org.apache.karaf.command.acl.jaas.cfg
----------------------------------------------------------------------
diff --git a/assemblies/apache-karaf/src/main/distribution/text/etc/org.apache.karaf.command.acl.jaas.cfg b/assemblies/apache-karaf/src/main/distribution/text/etc/org.apache.karaf.command.acl.jaas.cfg
index 0c0644b..5713dea 100644
--- a/assemblies/apache-karaf/src/main/distribution/text/etc/org.apache.karaf.command.acl.jaas.cfg
+++ b/assemblies/apache-karaf/src/main/distribution/text/etc/org.apache.karaf.command.acl.jaas.cfg
@@ -21,7 +21,7 @@
 # This configuration file defines the ACLs for commands in the jaas subshell
 #
 # For an explanation of the syntax of this file, see the file:
-# org.apache.karaf.command.acl.system.cfg
+# org.apache.karaf.command.acl.osgi.cfg
 #
 # Jaas commands commands have no effect until update is called.
 update = admin
http://git-wip-us.apache.org/repos/asf/karaf/blob/1bcd032e/assemblies/apache-karaf/src/main/distribution/text/etc/org.apache.karaf.command.acl.osgi.cfg
----------------------------------------------------------------------
diff --git a/assemblies/apache-karaf/src/main/distribution/text/etc/org.apache.karaf.command.acl.osgi.cfg b/assemblies/apache-karaf/src/main/distribution/text/etc/org.apache.karaf.command.acl.osgi.cfg
index d50320e..0d03627 100644
--- a/assemblies/apache-karaf/src/main/distribution/text/etc/org.apache.karaf.command.acl.osgi.cfg
+++ b/assemblies/apache-karaf/src/main/distribution/text/etc/org.apache.karaf.command.acl.osgi.cfg
@@ -16,18 +16,40 @@ # limitations under the License. # ################################################################################ - # -# This configuration file defines the ACLs for commands in the bundle subshell -# -# For an explanation of the syntax of this file, see the file: -# org.apache.karaf.command.acl.system.cfg +# This configuration file defines the ACLs for commands in the osgi subshell # # This configuration relies on the fact that 'system' bundles need to be managed -# with the -# -f (--force) +# with the +# -f (--force) # flag. Operations with -f need admin permission. Most of these operations without # the 'force' option can be done by a manager. + +# The format of this file is as follows: +# The name of the file corresponds to a Configuration Admin PID. This file is for PID: +# org.apache.karaf.command.acl.osgi +# The prefix org.apache.karaf.command.acl. determines that this file defines ACLs for karaf +# commands. The last word on the PID declares the scope that it applies to, i.e. this file +# is for the 'system' scope. +# Entries in this file map to commands within the defined scope. The simplest role definition +# has the form: +# command = role1, role2, role3 +# Specific roles can also be declared for certain arguments to the command. This is done using +# regular expression matching. +# All the arguments to the command are represented as a list using the following syntax: +# [arg1,arg2,arg3] +# The matching is done after converting this list into a string. So the line +# start-level[/.*[0-9][0-9][0-9]+.*/] = manager +# declares that a manager role is needed to set a start level with 3 digits or more. The .* +# wildcards at the beginning and end are used to match the '[' and ']' characters surrounding. +# When looking for a match the regular-expression based ACLs are always checked first. If any +# of them match the associated roles are used. 
+# +# If no match can be found based on reg-exp ACLs, a match is looked for based purely on the +# command name. +# +# If no command-name match can be found it is assumed that the command does not need a specific +# role and can therefore be invoked by any user. install = admin refresh[/.*[-][f].*/] = admin refresh = manager http://git-wip-us.apache.org/repos/asf/karaf/blob/1bcd032e/assemblies/apache-karaf/src/main/distribution/text/etc/org.apache.karaf.command.acl.shell.cfg ---------------------------------------------------------------------- diff --git a/assemblies/apache-karaf/src/main/distribution/text/etc/org.apache.karaf.command.acl.shell.cfg b/assemblies/apache-karaf/src/main/distribution/text/etc/org.apache.karaf.command.acl.shell.cfg index 28880b6..c47f6f5 100644 --- a/assemblies/apache-karaf/src/main/distribution/text/etc/org.apache.karaf.command.acl.shell.cfg +++ b/assemblies/apache-karaf/src/main/distribution/text/etc/org.apache.karaf.command.acl.shell.cfg @@ -21,7 +21,7 @@ # This configuration file defines the ACLs for commands in the shell subshell # # For an explanation of the syntax of this file, see the file: -# org.apache.karaf.command.acl.system.cfg +# org.apache.karaf.command.acl.osgi.cfg # edit = admin exec = admin http://git-wip-us.apache.org/repos/asf/karaf/blob/1bcd032e/itests/src/test/java/org/apache/karaf/itests/SshCommandTestBase.java ---------------------------------------------------------------------- diff --git a/itests/src/test/java/org/apache/karaf/itests/SshCommandTestBase.java b/itests/src/test/java/org/apache/karaf/itests/SshCommandTestBase.java index b508451..a2004d4 100644 --- a/itests/src/test/java/org/apache/karaf/itests/SshCommandTestBase.java +++ b/itests/src/test/java/org/apache/karaf/itests/SshCommandTestBase.java 
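Review bot: The added syntax description says this file "is for the 'system' scope", but the PID named just above it is org.apache.karaf.command.acl.osgi and the other ACL files now point here for the syntax; the line should read `# is for the 'osgi' scope.`. The final added paragraph documents a default-allow fallback: a command with no regex or name match can be invoked by any user. That is the most security-relevant rule in the file and is easy to miss at the end of the block, so I would state it up front, for example `# NOTE: a command with no entry in this file is not restricted to any role`. An administrator who assumes unlisted commands are denied would otherwise leave them open.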
@@ -94,7 +94,8 @@ public class SshCommandTestBase extends KarafTestSupport {
 //wait for command done;
 closeSshChannel(pipe);
 String output = new String(out.toByteArray());
-
+ System.out.println("the output is ======> " + output + "<========");
+
 switch(result) {
 case OK:
 Assert.assertFalse("Should not contain 'Insufficient credentials' or 'Command not found': " + output,
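Review bot: The added `System.out.println("the output is ======> " + output + "<========");` looks like leftover debugging. It writes the full SSH session output to the build log on every call, although `output` is already appended to the assertion message in the `case OK:` branch visible below. I would drop the line, or route it through a debug-level logger if the test base has one (none is visible in this hunk), so the captured console output of these role-based command tests only appears when a check fails. The enclosing method starts and ends outside the hunk.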
