I wrote a blog article about how RBAC for OSGi services in Karaf can
be used: 
http://coderthoughts.blogspot.com/2013/10/role-based-access-control-for-karaf.html

Currently all the roles are specified using Config Admin, i.e. via
.cfg files in the etc directory.
On the annotation support, I know that some really like that idea, but
personally I'm not a big fan of specifying roles via annotations. Let
me explain why.
As a system administrator you might want to do one or both of the following:
 1. You want to get a complete picture of all the available roles in
the system and what they are allowed to do.
 2. You may want to change roles associated with certain operations,
because the Karaf defaults don't work for you.
Currently you can do 1. relatively easily as all the information is
kept in the relevant .cfg files in the etc directory. If this
information was also specifiable as an annotation it becomes much
harder to get the complete picture of all the roles available and what
roles services need. You will need to either look at the source code
for the services or maybe even the bytecode. Additionally, this
information would become very much spread out. It would become hard to
know when you have all the information on all the services.
With the pure .cfg file based ACLs you can also easily do 2. Sysadmins
can completely change the roles and ACLs to suit their needs. With
annotation-based role definitions you would have to change the source
code of the annotations...

Maybe it's all just a matter of taste, but I just wanted to share why
I didn't support this in my initial version.

Cheers,

David
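To illustrate point 1 above (getting the complete picture of all roles from the .cfg files), here is an added example script, not part of the original mail or of Karaf itself. It assumes the ACL files use Config Admin's `operation = role1, role2` line format with a `service.guard` key naming the guarded service; the file contents are constructed samples.

```python
import re
from collections import defaultdict

# Constructed sample contents of Karaf-style ACL .cfg files (assumed format:
# "operation = role1, role2"; a "service.guard" key names the guarded service
# and is not itself an ACL entry). Not copied from any real installation.
SAMPLE_CFG_FILES = {
    "etc/org.apache.karaf.command.acl.feature.cfg": """
# comment lines and blanks are ignored
install = admin
uninstall = admin
list = manager, viewer
""",
    "etc/org.apache.karaf.service.acl.example.cfg": """
service.guard = (objectClass=com.example.ReportService)
generate = manager
purge = admin
""",
}

LINE_RE = re.compile(r"^\s*([^#=\s][^=]*?)\s*=\s*(.*?)\s*$")

def parse_acl(text):
    """Return {operation: [roles]} for one .cfg file body, skipping
    comments, blank lines and the service.guard selector."""
    acl = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group(1) == "service.guard":
            continue
        roles = [r.strip() for r in m.group(2).split(",") if r.strip()]
        acl[m.group(1)] = roles
    return acl

def role_overview(cfg_files):
    """Aggregate every file into {role: sorted ['file:operation', ...]} so an
    administrator sees each role and everything it may do in one place."""
    overview = defaultdict(set)
    for path, body in cfg_files.items():
        name = path.rsplit("/", 1)[-1]
        for op, roles in parse_acl(body).items():
            for role in roles:
                overview[role].add(f"{name}:{op}")
    return {role: sorted(ops) for role, ops in overview.items()}

if __name__ == "__main__":
    for role, ops in sorted(role_overview(SAMPLE_CFG_FILES).items()):
        print(role, "->", ", ".join(ops))
```

On a real installation, replace `SAMPLE_CFG_FILES` with the contents of the `*.acl.*.cfg` files read from the etc directory.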

On 12 November 2013 07:58, Jean-Baptiste Onofré <j...@nanthrax.net> wrote:
> It was planned by David. But the purpose, as you said, is to avoid changing
> anything: intercept the current service (the commands are services).
>
> Regards
> JB
>
>
> On 11/12/2013 08:41 AM, Christian Schneider wrote:
>>
>> The role based security currently does not support annotations as far as
>> I know. It should be possible to extend the mechanism in this way.
>> I added an issue to track this:
>> https://issues.apache.org/jira/browse/KARAF-2570
>>
>> Btw. the current implementation has the advantage that you can protect
>> services without changing them.
>>
>> Christian
>>
>> On 12.11.2013 05:28, Mansour Al Akeel wrote:
>>>
>>> I am trying to understand how to get role based security to work. As I
>>> was searching, I found this thread and the implementation
>>>
>>>
>>> http://karaf.922171.n3.nabble.com/Some-thoughts-around-adding-security-for-Karaf-Shell-Commands-td4029474.html
>>>
>>>
>>> https://issues.apache.org/jira/browse/KARAF-2455
>>>
>>> Which (fortunately) has been merged into the trunk.
>>>
>>> Still, I cannot find documentation or a complete example on how to
>>> secure a service using annotations like @RolesAllowed or @RunAs, etc.
>>>
>>>
>>>
>>> Thank you.
>>
>>
>>
>
> --
> Jean-Baptiste Onofré
> jbono...@apache.org
> http://blog.nanthrax.net
> Talend - http://www.talend.com
