Repository: karaf Updated Branches: refs/heads/master 47451b0ed -> 952593086
[KARAF-5330] Require a specific role to access the SSH console
Project: http://git-wip-us.apache.org/repos/asf/karaf/repo
Commit: http://git-wip-us.apache.org/repos/asf/karaf/commit/95259308
Tree: http://git-wip-us.apache.org/repos/asf/karaf/tree/95259308
Diff: http://git-wip-us.apache.org/repos/asf/karaf/diff/95259308
Branch: refs/heads/master
Commit: 9525930864b9c21585ce57991854429c48a84c8a
Parents: 47451b0
Author: Guillaume Nodet <[email protected]>
Authored: Wed Sep 6 16:04:44 2017 +0200
Committer: Guillaume Nodet <[email protected]>
Committed: Wed Sep 6 16:04:58 2017 +0200
----------------------------------------------------------------------
.../src/main/resources/resources/etc/users.properties | 2 +-
.../features/standard/src/main/feature/feature.xml | 5 +++++
.../main/java/org/apache/karaf/shell/ssh/Activator.java | 3 ++-
.../apache/karaf/shell/ssh/KarafJaasAuthenticator.java | 11 ++++++++++-
4 files changed, 18 insertions(+), 3 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/karaf/blob/95259308/assemblies/features/base/src/main/resources/resources/etc/users.properties
----------------------------------------------------------------------
diff --git a/assemblies/features/base/src/main/resources/resources/etc/users.properties b/assemblies/features/base/src/main/resources/resources/etc/users.properties
index 0657308..ace2282 100644
--- a/assemblies/features/base/src/main/resources/resources/etc/users.properties
+++ b/assemblies/features/base/src/main/resources/resources/etc/users.properties
@@ -30,4 +30,4 @@
 # with the name "karaf".
 #
 karaf = karaf,_g_:admingroup
-_g_\:admingroup = group,admin,manager,viewer,systembundles
+_g_\:admingroup = group,admin,manager,viewer,systembundles,ssh
http://git-wip-us.apache.org/repos/asf/karaf/blob/95259308/assemblies/features/standard/src/main/feature/feature.xml
----------------------------------------------------------------------
diff --git a/assemblies/features/standard/src/main/feature/feature.xml b/assemblies/features/standard/src/main/feature/feature.xml
index 45df505..f3fde1f 100644
--- a/assemblies/features/standard/src/main/feature/feature.xml
+++ b/assemblies/features/standard/src/main/feature/feature.xml
@@ -165,6 +165,11 @@
 sshRealm = karaf
 
 #
+ # sshRole defines the role required to access the console through ssh
+ #
+ sshRole = ssh
+
+ #
 # The location of the hostKey file defines where the private/public key of the server
 # is located. If no file is at the defined location it will be ignored.
 #
http://git-wip-us.apache.org/repos/asf/karaf/blob/95259308/shell/ssh/src/main/java/org/apache/karaf/shell/ssh/Activator.java
----------------------------------------------------------------------
diff --git a/shell/ssh/src/main/java/org/apache/karaf/shell/ssh/Activator.java b/shell/ssh/src/main/java/org/apache/karaf/shell/ssh/Activator.java
index 0ffbbba..4c7667b 100644
--- a/shell/ssh/src/main/java/org/apache/karaf/shell/ssh/Activator.java
+++ b/shell/ssh/src/main/java/org/apache/karaf/shell/ssh/Activator.java
@@ -146,6 +146,7 @@ public class Activator extends BaseActivator implements ManagedService {
 long sshIdleTimeout = getLong("sshIdleTimeout", 1800000);
 int nioWorkers = getInt("nio-workers", 2);
 String sshRealm = getString("sshRealm", "karaf");
+ String sshRole = getString("sshRole", null);
 String hostKey = getString("hostKey", System.getProperty("karaf.etc") + "/host.key");
 String[] authMethods = getStringArray("authMethods", "keyboard-interactive,password,publickey");
 int keySize = getInt("keySize", 2048);
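Review bot: `getString("sshRole", null)` makes the new requirement opt-in, so an installation whose existing shell configuration predates this commit keeps granting SSH console access to any authenticated user that has at least one role, while only fresh installs pick up `sshRole = ssh` from the feature.xml template. A startup log line when the resolved value is null or empty would make that state visible to operators, e.g. a check `if (sshRole == null || sshRole.isEmpty())` placed right after this line, emitting a warning through whatever logger the activator already has. The enclosing method starts and ends outside the hunk.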
@@ -158,7 +159,7 @@ public class Activator extends BaseActivator implements ManagedService {
 Path serverKeyPath = Paths.get(hostKey);
 KeyPairProvider keyPairProvider = new OpenSSHKeyPairProvider(serverKeyPath.toFile(), algorithm, keySize);
 
- KarafJaasAuthenticator authenticator = new KarafJaasAuthenticator(sshRealm);
+ KarafJaasAuthenticator authenticator = new KarafJaasAuthenticator(sshRealm, sshRole);
 
 UserAuthFactoriesFactory authFactoriesFactory = new UserAuthFactoriesFactory();
 authFactoriesFactory.setAuthMethods(authMethods);
http://git-wip-us.apache.org/repos/asf/karaf/blob/95259308/shell/ssh/src/main/java/org/apache/karaf/shell/ssh/KarafJaasAuthenticator.java
----------------------------------------------------------------------
diff --git a/shell/ssh/src/main/java/org/apache/karaf/shell/ssh/KarafJaasAuthenticator.java b/shell/ssh/src/main/java/org/apache/karaf/shell/ssh/KarafJaasAuthenticator.java
index e1420f4..3ab370d 100644
--- a/shell/ssh/src/main/java/org/apache/karaf/shell/ssh/KarafJaasAuthenticator.java
+++ b/shell/ssh/src/main/java/org/apache/karaf/shell/ssh/KarafJaasAuthenticator.java
@@ -45,9 +45,11 @@ public class KarafJaasAuthenticator implements PasswordAuthenticator, PublickeyA
 private final Logger LOGGER = LoggerFactory.getLogger(KarafJaasAuthenticator.class);
 
 private String realm;
+ private String role;
 
- public KarafJaasAuthenticator(String realm) {
+ public KarafJaasAuthenticator(String realm, String role) {
 this.realm = realm;
+ this.role = role;
 }
 
 public boolean authenticate(final String username, final String password, final ServerSession session) {
@@ -95,15 +97,22 @@ public class KarafJaasAuthenticator implements PasswordAuthenticator, PublickeyA
 }
 
 private void assertRolePresent(Subject subject) throws FailedLoginException {
+ boolean hasCorrectRole = role == null || role.isEmpty();
 int roleCount = 0;
 for (Principal principal : subject.getPrincipals()) {
 if (principal instanceof RolePrincipal) {
+ if (!hasCorrectRole) {
+ hasCorrectRole = role.equals(principal.getName());
+ }
 roleCount++;
 }
 }
 if (roleCount == 0) {
 throw new FailedLoginException("User doesn't have role defined");
 }
+ if (!hasCorrectRole) {
+ throw new FailedLoginException("User doesn't have the required role " + role);
+ }
 }
 
 }
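Review bot: `hasCorrectRole = role == null || role.isEmpty()` disables the check only for an exactly empty value; a whitespace-only `sshRole` (or one carrying a trailing space, if the config reader does not already trim it) is neither null nor empty, and `role.equals(principal.getName())` then never matches, so every user is locked out of the SSH console instead of the requirement being treated as unset. Normalizing once is cheaper and clearer than comparing per principal: in the constructor hunk earlier in this file, `this.role = (role == null || role.trim().isEmpty()) ? null : role.trim();`, after which the first added line here reduces to `boolean hasCorrectRole = role == null;`. The `role` field also deserves a comment such as `// null disables the check: any authenticated user with at least one role may connect`, since that is the backward-compatibility path the Activator's `getString("sshRole", null)` default relies on. assertRolePresent is complete within the hunk, which also closes the class.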
