Re: Overriding the default realm for SSH, WebConsole, ...

2024-05-05 Thread Steinar Bang
> Cedric Jonas :

> Hi,
> We currently distribute new versions via tar-ball / ZIPs.
> It is intended to be distributed as a Maven dependency which could then be 
> used as a "template" / platform distribution to be customized again via the 
> karaf-maven-plugin. But we weren't able to get that done so far.
> Docker could be a topic in future.

Hm... then I don't know if this helps:

I have created a debian package for karaf:
 https://steinar.bang.priv.no/2018/01/23/installing-apache-karaf-on-debian/

And then I just edit the files I need to in /etc/karaf/ and apt upgrades
leaves that config alone and/or tells me if there is a conflict.

Alternatively I've done a, shall we say, non-standard docker image
thing... (sort of breaking/subverting the docker ideal of packing
everything into containers).

I do all of my karaf apps as "install with maven", meaning that I
deploy/release to maven karaf features that can be loaded via maven.

For the applications running on my debian packaged karaf, I have created
a master feature to load them all:
 https://github.com/steinarb/myapps
(so when I "apt upgrade" the karaf and all installed apps are wiped I
can ssh into karaf and install all apps with a single maven-loaded
feature)

But anyway: I have leveraged the install-from-maven bit when creating
docker images, e.g. like this one:
 https://github.com/steinarb/sonar-collector/tree/master/docker/docker

Basically what I do is start with the standard karaf docker image and
then replace the org.karaf.features.cfg file with a file that adds the
application's feature to the boot set (version LATEST) and add a
datasource config file that uses environment variables to set the JDBC
URL, the username and the password.

Both config files are dropped into the etc directory of the karaf in the
docker image and the end result is the LATEST version of the app, pulled
from maven central, running inside the docker container after startup.



Re: Overriding the default realm for SSH, WebConsole, ...

2024-05-02 Thread Cedric Jonas
Hi,

We currently distribute new versions via tar-ball / ZIPs.
It is intended to be distributed as a Maven dependency which could then be used 
as a "template" / platform distribution to be customized again via the 
karaf-maven-plugin. But we weren't able to get that done so far.
Docker could be a topic in future.

Regards,
Cédric

From: Steinar Bang 
Sent: Tuesday, April 30, 2024 6:30 PM
To: user@karaf.apache.org 
Subject: Re: Overriding the default realm for SSH, WebConsole, ...



>>>>> Cedric Jonas :

> Our goal was to customize the existing Karaf configuration files so that we 
> do not have to spend additional sync efforts each time we update to a new 
> version of Karaf (at least, we need to check if the default configuration 
> file didn't change).

> Is there any good way to do that?

How do you distribute new versions?  As a docker image? As a
tar-ball/zip to be unpacked and started?  Other?


Cédric Jonas - HydroMet - KISTERS AG - Pascalstraße 8+10 - 52076 Aachen - DE | 
+49 2408 9385 -453 | cedric.jo...@kisters.de | www.kisters.de | Handelsregister 
Aachen, HRB-Nr. 7838 | Vorstand: Klaus Kisters, Hanns Kisters | 
Aufsichtsratsvorsitzender: Dr. Thomas Klevers
This e-mail may contain confidential and/or privileged information. If you are 
not the intended recipient (or have received this e-mail in error) please 
notify the sender immediately and destroy this e-mail. Any unauthorised 
copying, disclosure or distribution of the material in this e-mail is strictly 
forbidden.


Re: Overriding the default realm for SSH, WebConsole, ...

2024-05-02 Thread Cedric Jonas
Hi,

We decided to override the karaf realm instead of adding a new one and have to 
modify all configurations. Works perfectly so far, thanks!

But it would still be nice if we could also replace config key values via e.g. 
Assembly Property Edits. The following allows only to replace the whole 
configuration with this or multiple key-value pairs, not to replace one single 
value:
 
   
 
   org.apache.karaf.webconsole.cfg
   
 put
   
   realm
   kisters-water
 
   
 

Something similar could perhaps also be supported by the config element in 
feature.xml, which is currently limited the same way:
   
 test=value
   

Thanks!

Regards,
Cédric

From: Jean-Baptiste Onofré 
Sent: Tuesday, April 30, 2024 2:22 PM
To: user@karaf.apache.org 
Subject: Re: Overriding the default realm for SSH, WebConsole, ...


Hi Cédric

You can provide the security schema via blueprint or programmatically,
overriding the karaf realm.
Or you can create a new realm and update all services (ssh, etc) with
this realm (more changes to do).

I would go more with the overriding karaf realm, probably easier (the
overriding bundle would be part of your distribution).

Regards
JB

On Tue, Apr 30, 2024 at 9:35 AM Cedric Jonas  wrote:
>
> Hi,
>
> We provide a custom Karaf distribution for other developers within our 
> company. As part of that, we also provide a custom authentication realm using 
> OpenID Connect.
>
> Now we would like to ensure that this new realm is configured by default for 
> SSH, WebConsole, etc. I could not find any nice way to do that - whenever I 
> tried to override property values in e.g. 
> etc/org.apache.karaf.webconsole.cfg, I end up with a completely new file 
> which is not what we want. Either the property replacement abilities of the 
> Karaf Maven plugin / features.xml did replace the whole existing 
> configuration file with my one customized value ("realm" key) or it created 
> the file before the WebConsole feature was installed, and the WebConsole 
> feature install obviously doesn't merge both.
>
> Our goal was to customize the existing Karaf configuration files so that we 
> do not have to spend additional sync efforts each time we update to a new 
> version of Karaf (at least, we need to check if the default configuration 
> file didn't change).
>
> Is there any good way to do that?
>
> In the documentation 
> (https://karaf.apache.org/manual/latest/#_schema_and_deployer)
>  I found there's a way to override the default realm ("karaf") configuration 
> using Blueprint and ranks - meaning I would probably replace the existing 
> karaf realm with a new configuration but using the same realm name.
> Is that the only way? Isn't it possible to simply configure a new realm name 
> for SSH, WebConsole etc. when building a new custom distribution? Without 
> being forced to rewrite the whole configuration file and sync the configs 
> each time we update?
>
> Thanks!
>
> Regards,
> Cédric
> 


Re: Overriding the default realm for SSH, WebConsole, ...

2024-04-30 Thread Steinar Bang
> Cedric Jonas :

> Our goal was to customize the existing Karaf configuration files so that we 
> do not have to spend additional sync efforts each time we update to a new 
> version of Karaf (at least, we need to check if the default configuration 
> file didn't change).

> Is there any good way to do that?

How do you distribute new versions?  As a docker image? As a
tar-ball/zip to be unpacked and started?  Other?



Re: Overriding the default realm for SSH, WebConsole, ...

2024-04-30 Thread Jean-Baptiste Onofré
Hi Cédric

You can provide the security schema via blueprint or programmatically,
overriding the karaf realm.
Or you can create a new realm and update all services (ssh, etc) with
this realm (more changes to do).

I would go more with the overriding karaf realm, probably easier (the
overriding bundle would be part of your distribution).

Regards
JB

On Tue, Apr 30, 2024 at 9:35 AM Cedric Jonas  wrote:
>
> Hi,
>
> We provide a custom Karaf distribution for other developers within our 
> company. As part of that, we also provide a custom authentication realm using 
> OpenID Connect.
>
> Now we would like to ensure that this new realm is configured by default for 
> SSH, WebConsole, etc. I could not find any nice way to do that - whenever I 
> tried to override property values in e.g. 
> etc/org.apache.karaf.webconsole.cfg, I end up with a completely new file 
> which is not what we want. Either the property replacement abilities of the 
> Karaf Maven plugin / features.xml did replace the whole existing 
> configuration file with my one customized value ("realm" key) or it created 
> the file before the WebConsole feature was installed, and the WebConsole 
> feature install obviously doesn't merge both.
>
> Our goal was to customize the existing Karaf configuration files so that we 
> do not have to spend additional sync efforts each time we update to a new 
> version of Karaf (at least, we need to check if the default configuration 
> file didn't change).
>
> Is there any good way to do that?
>
> In the documentation 
> (https://karaf.apache.org/manual/latest/#_schema_and_deployer) I found 
> there's a way to override the default realm ("karaf") configuration using 
> Blueprint and ranks - meaning I would probably replace the existing karaf 
> realm with a new configuration but using the same realm name.
> Is that the only way? Isn't it possible to simply configure a new realm name 
> for SSH, WebConsole etc. when building a new custom distribution? Without 
> being forced to rewrite the whole configuration file and sync the configs 
> each time we update?
>
> Thanks!
>
> Regards,
> Cédric
> 


Overriding the default realm for SSH, WebConsole, ...

2024-04-30 Thread Cedric Jonas
Hi,

We provide a custom Karaf distribution for other developers within our company. 
As part of that, we also provide a custom authentication realm using OpenID 
Connect.

Now we would like to ensure that this new realm is configured by default for 
SSH, WebConsole, etc. I could not find any nice way to do that - whenever I 
tried to override property values in e.g. etc/org.apache.karaf.webconsole.cfg, 
I end up with a completely new file which is not what we want. Either the 
property replacement abilities of the Karaf Maven plugin / features.xml did 
replace the whole existing configuration file with my one customized value 
("realm" key) or it created the file before the WebConsole feature was 
installed, and the WebConsole feature install obviously doesn't merge both.

Our goal was to customize the existing Karaf configuration files so that we do 
not have to spend additional sync efforts each time we update to a new version 
of Karaf (at least, we need to check if the default configuration file didn't 
change).

Is there any good way to do that?

In the documentation 
(https://karaf.apache.org/manual/latest/#_schema_and_deployer) I found there's 
a way to override the default realm ("karaf") configuration using Blueprint and 
ranks - meaning I would probably replace the existing karaf realm with a new 
configuration but using the same realm name.
Is that the only way? Isn't it possible to simply configure a new realm name 
for SSH, WebConsole etc. when building a new custom distribution? Without being 
forced to rewrite the whole configuration file and sync the configs each time 
we update?

Thanks!

Regards,
Cédric
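
Added example, not part of the original post and not Karaf or karaf-maven-plugin code: a post-assembly step that replaces one key in an existing `etc/*.cfg` file and leaves every other line untouched, which is the behaviour asked for above. The helper names `set_key` and `apply_edits` and the sample file content are assumptions made for this example; the file name, the `realm` key and the `kisters-water` value are taken from the thread.

```python
import re
import tempfile
from pathlib import Path

# "key=value" or "key: value"; lines starting with # or ! are comments.
_KEY_RE = re.compile(r"^(\s*)([^#!\s=:][^=:\s]*)(\s*[=:]\s*)(.*)$")

# Constructed sample, NOT the real Karaf default file.
SAMPLE_DEFAULT = (
    "# web console settings (constructed sample)\n"
    "realm=karaf\n"
    "other.setting = keep-me\n"
)

def set_key(text, key, value):
    """Rewrite only the line that holds `key`; return (new_text, old_value).

    Raises KeyError when the key is absent, so a renamed or dropped key in a
    new Karaf default file fails the build instead of leaving the service on
    its default realm. Line continuations (trailing backslash) are not handled.
    """
    out, old = [], None
    for line in text.splitlines(keepends=True):
        body = line.rstrip("\r\n")
        m = _KEY_RE.match(body)
        if m and m.group(2) == key:
            if old is not None:
                raise ValueError(f"duplicate key {key!r}")
            old = m.group(4)
            line = f"{m.group(1)}{key}{m.group(3)}{value}{line[len(body):]}"
        out.append(line)
    if old is None:
        raise KeyError(key)
    return "".join(out), old

def apply_edits(etc_dir, edits):
    """edits: {file name: {key: value}} -> {(file, key): (old, new)}.

    A file is written only after all of its edits succeeded.
    """
    report = {}
    for name, pairs in edits.items():
        path = Path(etc_dir) / name
        text = path.read_bytes().decode("latin-1")  # lossless round trip
        for key, value in pairs.items():
            text, old = set_key(text, key, value)
            report[(name, key)] = (old, value)
        path.write_bytes(text.encode("latin-1"))
    return report

def demo():
    """Run the single-key edit against the constructed sample file."""
    with tempfile.TemporaryDirectory() as etc:
        cfg = Path(etc) / "org.apache.karaf.webconsole.cfg"
        cfg.write_bytes(SAMPLE_DEFAULT.encode("latin-1"))
        report = apply_edits(etc, {cfg.name: {"realm": "kisters-water"}})
        return report, cfg.read_bytes().decode("latin-1")
```

The returned report records the previous value of each key, so a build can log or assert which realm every edited service was moved away from.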


