Hi David,

Thanks for the update, it sounds good to me!

How can I help on that?
Maybe we can explore some options to leverage other projects (like Apache Syncope for instance).

Regards
JB

On 08/07/2013 05:11 PM, David Bosschaert wrote:
Hi JB,

On 7 August 2013 15:33, Jean-Baptiste Onofré <[email protected]> wrote:

Hi,

It sounds good. But currently, with our JAAS implementation, we have users
and roles (not groups, even if roles can look like groups).



A user can have multiple roles. For instance, in the default
users.properties we have:

user=password,role1,role2,role3,...


Right, and I'm proposing to extend that to include groups. So a user can
have roles directly, or be part of a group. This group can then also have
roles. When that user logs in he gets the union of all the roles associated
with all of the groups (s)he is in and the roles directly associated with
this user.

This makes it more manageable to define ACLs in terms of roles and also
have high-privilege groups such as an AdminGroup that have many roles.

You can see how I propose to add groups to the mix here:
https://github.com/bosschaert/karaf/commit/6598f088c53aa5bce217cdc2e066a96f8f3d5d37


We don't use the roles currently (in the shell, etc).

The first step that I proposed is to "secure" some commands and shell
scope depending on a role, and provide a generic service that other
applications can use.


Right - this email trail was to kick off securing the JMX management API.
I'm hoping to look at securing the shell commands soon ;)

As I think the general feeling on this mailing list is supportive of my
proposed contribution, I've created two JIRAs for this:

Add support for JAAS groups:
https://issues.apache.org/jira/browse/KARAF-2434
Add Role-based access to JMX:
https://issues.apache.org/jira/browse/KARAF-2435

Is there already a JIRA for adding role-based security to the console? If not
I can add one...

Cheers,

David


--
Jean-Baptiste Onofré
[email protected]
http://blog.nanthrax.net
Talend - http://www.talend.com
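The resolution David describes above (a user's effective roles are the union of the roles assigned directly and the roles of every group the user belongs to), as an added example that is neither Karaf's code nor taken from the linked commit. The `group:` prefix in the user entry and the separate group table are assumptions made for this example; the actual syntax in the proposal may differ.

```python
# Added example, not Karaf's implementation. Resolves effective roles when a
# users.properties-style entry may list roles directly or reference groups.

GROUP_PREFIX = "group:"  # assumed marker for group membership in a user entry

# Constructed sample data in the "key=value,value,..." style of users.properties.
USERS_PROPERTIES = """\
# user = password,role-or-group,...
karaf=karaf,role1,role2
alice=secret,group:AdminGroup,viewer
bob=hunter2,group:AdminGroup,group:OpsGroup
"""

# Constructed group table: group = role,role,...
GROUPS_PROPERTIES = """\
AdminGroup=admin,manager,viewer
OpsGroup=operator
"""


def parse_properties(text):
    """Parse 'key=value,value' lines into {key: [values]}, skipping comments and blanks."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        entries[key.strip()] = [v.strip() for v in value.split(",") if v.strip()]
    return entries


def load_users(text):
    """First field is the password, the rest are direct roles or group references."""
    users = {}
    for name, fields in parse_properties(text).items():
        if not fields:
            raise ValueError(f"user {name!r} has no password field")
        password, *memberships = fields
        users[name] = {"password": password, "memberships": memberships}
    return users


def effective_roles(user, users, groups):
    """Union of the user's direct roles and the roles of every group the user is in."""
    roles = set()
    for entry in users[user]["memberships"]:
        if entry.startswith(GROUP_PREFIX):
            group = entry[len(GROUP_PREFIX):]
            if group not in groups:
                # Fail closed: a reference to an undeclared group is a configuration error.
                raise ValueError(f"user {user!r} references unknown group {group!r}")
            roles.update(groups[group])
        else:
            roles.add(entry)
    return roles
```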
