[jira] [Commented] (KARAF-4439) Prevent user authentication (shell & JMX) if he doesn't have role

2017-03-27 Thread JIRA

[ https://issues.apache.org/jira/browse/KARAF-4439?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15943449#comment-15943449 ]

Jean-Baptiste Onofré commented on KARAF-4439:
---------------------------------------------

As a possible improvement, we can imagine defining a minimal set of roles (for
JMX and SSH) to prevent user authentication.

> Prevent user authentication (shell & JMX) if he doesn't have role
> -----------------------------------------------------------------
>
> Key: KARAF-4439
> URL: https://issues.apache.org/jira/browse/KARAF-4439
> Project: Karaf
> Issue Type: Bug
> Components: karaf-management, karaf-security, karaf-shell
> Reporter: Jean-Baptiste Onofré
> Assignee: Jean-Baptiste Onofré
> Priority: Critical
> Fix For: 4.0.9, 4.1.1
>
>
> Right now, if a user doesn't have any role defined, he can log on and perform
> "non" critical operations (the "critical" operation).
> We should define a minimum role required for login and prevent users' access
> if they don't have the minimum role (before the ACL).



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)


[jira] [Commented] (KARAF-4439) Prevent user authentication (shell & JMX) if he doesn't have role

2017-03-27 Thread ASF subversion and git services (JIRA)

[ https://issues.apache.org/jira/browse/KARAF-4439?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15943445#comment-15943445 ]

ASF subversion and git services commented on KARAF-4439:


Commit 0e88e07b4d88e350ea09aa2be6b5a0a2800e9e9b in karaf's branch 
refs/heads/karaf-4.0.x from [~jbonofre]
[ https://git-wip-us.apache.org/repos/asf?p=karaf.git;h=0e88e07 ]

[KARAF-4439] Prevent user authentication if the user doesn't have any role 
defined




[jira] [Commented] (KARAF-4439) Prevent user authentication (shell & JMX) if he doesn't have role

2017-03-27 Thread ASF subversion and git services (JIRA)

[ https://issues.apache.org/jira/browse/KARAF-4439?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15943444#comment-15943444 ]

ASF subversion and git services commented on KARAF-4439:


Commit 60b19f82fe2dbd35a31c6b2c36a7c784651efad0 in karaf's branch 
refs/heads/master from [~jbonofre]
[ https://git-wip-us.apache.org/repos/asf?p=karaf.git;h=60b19f8 ]

[KARAF-4439] Prevent user authentication if the user doesn't have any role 
defined




[jira] [Commented] (KARAF-4439) Prevent user authentication (shell & JMX) if he doesn't have role

2016-12-23 Thread Achim Nierbeck (JIRA)

[ https://issues.apache.org/jira/browse/KARAF-4439?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15773135#comment-15773135 ]

Achim Nierbeck commented on KARAF-4439:
---------------------------------------

Still, I'm not sure how the roles for shell and JMX are supposed to affect any
webconsole :)

> Prevent user authentication (shell & JMX) if he doesn't have role
> -----------------------------------------------------------------
>
> Key: KARAF-4439
> URL: https://issues.apache.org/jira/browse/KARAF-4439
> Project: Karaf
> Issue Type: Bug
> Components: karaf-management, karaf-security, karaf-shell
> Reporter: Jean-Baptiste Onofré
> Assignee: Jean-Baptiste Onofré
> Priority: Critical
> Fix For: 4.1.0, 4.0.9
>
>
> Right now, if a user doesn't have any role defined, he can log on and perform
> "non" critical operations (the "critical" operation).
> We should define a minimum role required for login and prevent users' access
> if they don't have the minimum role (before the ACL).





[jira] [Commented] (KARAF-4439) Prevent user authentication (shell & JMX) if he doesn't have role

2016-12-23 Thread JIRA

[ https://issues.apache.org/jira/browse/KARAF-4439?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15772665#comment-15772665 ]

Jean-Baptiste Onofré commented on KARAF-4439:
---------------------------------------------

It's my top priority for next releases.



[jira] [Commented] (KARAF-4439) Prevent user authentication (shell & JMX) if he doesn't have role

2016-12-23 Thread Oliver Wulff (JIRA)

[ https://issues.apache.org/jira/browse/KARAF-4439?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15772634#comment-15772634 ]

Oliver Wulff commented on KARAF-4439:
-------------------------------------

This issue has been replanned again and again. It is quite important because
usually configuration (viewer can read configuration) can contain
usernames/passwords, and the passwords cannot always be encrypted (e.g. ActiveMQ
Webconsole), or other sensitive information.
