Hi all,

A quick update on this. JB has just merged my patches for KARAF-2434 and KARAF-2435 (thanks JB!) so this stuff is now available on trunk.
I wrote a little blog post about how it works here: http://coderthoughts.blogspot.com/2013/10/jmx-role-based-access-control-for-karaf.html

Cheers,

David

On 7 August 2013 23:06, Jean-Baptiste Onofré <[email protected]> wrote:
> Hi David,
>
> thanks for the update, it sounds good to me !!
>
> How can I help on that ?
> Maybe we can explore some options to leverage other projects (like Apache
> Syncope for instance).
>
> Regards
> JB
>
> On 08/07/2013 05:11 PM, David Bosschaert wrote:
>>
>> Hi JB,
>>
>> On 7 August 2013 15:33, Jean-Baptiste Onofré <[email protected]> wrote:
>>
>>> Hi,
>>>
>>> It sounds good. But currently, with our JAAS implementation, we have
>>> users and roles (not groups, even if roles can look like groups).
>>>
>>> A user can have multiple roles. For instance, in the default
>>> users.properties we have:
>>>
>>> user=password,role1,role2,**role3,...
>>>
>>
>> Right, and I'm proposing to extend that to include groups. So a user can
>> have roles directly, or be part of a group. This group can then also have
>> roles. When that user logs in he gets the union of all the roles
>> associated with all of the groups (s)he is in and the roles directly
>> associated with this user.
>>
>> This makes it more manageable to define ACLs in terms of roles and also
>> have high-privilege groups such as an AdminGroup that have many roles.
>>
>> You can see how I propose to add groups to the mix here:
>>
>> https://github.com/bosschaert/karaf/commit/6598f088c53aa5bce217cdc2e066a96f8f3d5d37
>>
>>> We don't use the roles currently (in the shell, etc).
>>>
>>> The first step that I proposed is to "secure" some commands and shell
>>> scope depending on a role, and provide a generic service that other
>>> applications can use.
>>
>> Right - this email trail was to kick off securing the JMX management API.
>> I'm hoping to look at securing the shell commands soon ;)
>>
>> As I think the general feeling on this mailing list is supportive of my
>> proposed contribution, I've created two JIRAs for this:
>>
>> Add support for JAAS groups:
>> https://issues.apache.org/jira/browse/KARAF-2434
>> Add Role-based access to JMX:
>> https://issues.apache.org/jira/browse/KARAF-2435
>>
>> Is there already a JIRA for adding role-based security to the console? If
>> not I can add one...
>>
>> Cheers,
>>
>> David
>>
>
> --
> Jean-Baptiste Onofré
> [email protected]
> http://blog.nanthrax.net
> Talend - http://www.talend.com
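
The role resolution described in the quoted message (a user's direct roles plus the roles of every group the user is in), as an added example that is not part of this thread or of Karaf's own code. The `_g_:` group marker, the function names and every sample entry are assumptions constructed here; the thread does not show the group syntax. The audit function shows which path grants a given role, which is the review a group-based scheme makes necessary.

```python
GROUP_PREFIX = "_g_:"  # assumed group marker; the thread does not show the syntax

# Constructed sample in the users.properties style quoted above.
SAMPLE = r"""
# name = password,role-or-group,...
alice = secret1,viewer,_g_:admingroup
bob = secret2,viewer
carol = secret3,_g_:opsgroup,_g_:missing
_g_\:admingroup = admin,manager
_g_\:opsgroup = manager,viewer
"""

def parse_users(text):
    """Split the file into {user: [entries]} and {group: [roles]}."""
    users, groups = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip().replace("\\:", ":")  # properties keys escape ':'
        items = [v.strip() for v in value.split(",") if v.strip()]
        if key.startswith(GROUP_PREFIX):
            groups[key[len(GROUP_PREFIX):]] = items   # group line: roles only
        elif items:
            users[key] = items[1:]                    # drop the password field
    return users, groups

def role_sources(user, users, groups):
    """Map each effective role to the paths ('direct' or 'group:<name>') granting it."""
    sources = {}
    for entry in users.get(user, []):
        if entry.startswith(GROUP_PREFIX):
            name = entry[len(GROUP_PREFIX):]
            # An undefined group grants nothing: fail closed instead of guessing.
            for role in groups.get(name, []):
                sources.setdefault(role, []).append("group:" + name)
        else:
            sources.setdefault(entry, []).append("direct")
    return sources

def effective_roles(user, users, groups):
    """Union of direct roles and the roles of all the user's groups."""
    return set(role_sources(user, users, groups))

def audit_role(role, users, groups):
    """Who holds `role`, and through which path? Useful for reviewing broad groups."""
    found = {}
    for user in users:
        paths = role_sources(user, users, groups).get(role)
        if paths:
            found[user] = sorted(paths)
    return found
```
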
