Hi JB,

On 7 August 2013 15:33, Jean-Baptiste Onofré <[email protected]> wrote:

> Hi,
>
> It sounds good. But currently, with our JAAS implementation, we have users
> and roles (not groups, even if roles can look like groups).
> A user can have multiple roles. For instance, in the default
> users.properties we have:
>
> user=password,role1,role2,role3,...
>

Right, and I'm proposing to extend that to include groups. So a user can have roles directly, or be part of a group. This group can then also have roles. When that user logs in he gets the union of all the roles associated with all of the groups (s)he is in and the roles directly associated with this user.

This makes it more manageable to define ACLs in terms of roles and also have high-privilege groups such as an AdminGroup that have many roles.

You can see how I propose to add groups to the mix here:
https://github.com/bosschaert/karaf/commit/6598f088c53aa5bce217cdc2e066a96f8f3d5d37

> We don't use the roles currently (in the shell, etc).
>
> The first step that I proposed is to "secure" some commands and shell
> scope depending on a role, and provide a generic service that other
> applications can use.

Right - this email trail was to kick off securing the JMX management API. I'm hoping to look at securing the shell commands soon ;)

As I think the general feeling on this mailing list is supportive of my proposed contribution, I've created two JIRAs for this:

Add support for JAAS groups: https://issues.apache.org/jira/browse/KARAF-2434
Add Role-based access to JMX: https://issues.apache.org/jira/browse/KARAF-2435

Is there already a JIRA for adding role-based security to the console? If not I can add one...

Cheers,

David
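
The role resolution described in the message above (direct roles plus the roles of every group the user belongs to), as an added example that is not part of the original email or of the Karaf code base. The `_g_:` group marker, the placeholder first value on a group line, and the names in the sample are assumptions of this example; the page does not show the syntax used in the linked commit.

```java
import java.util.*;

public class EffectiveRoles {
    // Assumed marker for group entries; not taken from the page.
    static final String GROUP_PREFIX = "_g_:";

    // Parses "name=first,entry1,entry2,..." lines. The first value is the
    // password on a user line and an ignored placeholder on a group line.
    static Map<String, List<String>> parse(String text) {
        Map<String, List<String>> entries = new LinkedHashMap<>();
        for (String line : text.split("\n")) {
            line = line.trim();
            int eq = line.indexOf('=');
            if (line.isEmpty() || line.startsWith("#") || eq < 0) continue;
            String[] values = line.substring(eq + 1).split(",");
            List<String> rest = new ArrayList<>();
            for (int i = 1; i < values.length; i++) {   // skip values[0]
                String v = values[i].trim();
                if (!v.isEmpty()) rest.add(v);
            }
            entries.put(line.substring(0, eq).trim(), rest);
        }
        return entries;
    }

    // Union of the user's direct roles and the roles of each referenced group.
    static Set<String> rolesFor(String user, Map<String, List<String>> entries) {
        Set<String> roles = new TreeSet<>();
        if (user.startsWith(GROUP_PREFIX)) return roles; // a group is not a login
        for (String entry : entries.getOrDefault(user, List.of())) {
            if (!entry.startsWith(GROUP_PREFIX)) { roles.add(entry); continue; }
            // An undefined group grants nothing. Groups are read one level
            // deep, so a group line cannot pull in further groups.
            for (String r : entries.getOrDefault(entry, List.of()))
                if (!r.startsWith(GROUP_PREFIX)) roles.add(r);
        }
        return roles;
    }

    public static void main(String[] args) {
        String sample = String.join("\n",       // constructed sample data
            "_g_:AdminGroup=group,admin,manager,viewer",
            "alice=secret1,_g_:AdminGroup,deployer",
            "bob=secret2,viewer,_g_:NoSuchGroup");
        Map<String, List<String>> entries = parse(sample);
        for (String user : List.of("alice", "bob", "_g_:AdminGroup"))
            System.out.println(user + " -> " + rolesFor(user, entries));
    }
}
```

Resolving an undefined group to an empty role set, and refusing to treat a group entry as a login, keeps a typo or a crafted name from widening the role set that ACLs are evaluated against.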
