JB,

If I connect to Karaf via SSH, the use case works, but if I connect via bin/client the use case fails.

Why does the command uninstall without -f generate the log message “Current user does not have required roles ([manager]) for service” when connected to Karaf via bin/client?

***
* Role definition in etc/system.properties
***
sparrow-2:apache-karaf-3.0.0 paul$ grep local etc/system.properties
# Roles to use when logging into a local Karaf console.
karaf.local.roles = admin,manager,viewer
sparrow-2:apache-karaf-3.0.0 paul$

***
* Log of connecting to Karaf via SSH then bin/client
***
sparrow-2:apache-karaf-3.0.0 paul$ ssh karaf@127.0.0.1 -p 8101
Authenticated with partial success.
Authenticated with partial success.
Password authentication
Password:
        __ __                  ____
       / //_/____ __________ _/ __/
      / ,<  / __ `/ ___/ __ `/ /_
     / /| |/ /_/ / /  / /_/ / __/
    /_/ |_|\__,_/_/   \__,_/_/

  Apache Karaf (3.0.0)

Hit '<tab>' for a list of available commands
and '[cmd] --help' for help on a specific command.
Hit 'system:shutdown' to shutdown Karaf.
Hit '<ctrl-d>' or type 'logout' to disconnect shell from current session.

karaf@root()> list
START LEVEL 100 , List Threshold: 50
ID | State     | Lvl | Version        | Name
----------------------------------------------------------------------
80 | Installed | 100 | 1.0.0.SNAPSHOT | APMS/EWM SAP File Distribution
karaf@root()> uninstall 80
karaf@root()> install mvn:com.intekon.customer.kc.ewm.web-service/ewm-sap-dist/1.0-SNAPSHOT
Bundle ID: 81
karaf@root()> uninstall 81
karaf@root()> logout
Connection to 127.0.0.1 closed.
sparrow-2:apache-karaf-3.0.0 paul$ bin/client
Logging in as karaf
566 [pool-2-thread-2] WARN org.apache.sshd.client.keyverifier.AcceptAllServerKeyVerifier - Server at /0.0.0.0:8101 presented unverified key:
        __ __                  ____
       / //_/____ __________ _/ __/
      / ,<  / __ `/ ___/ __ `/ /_
     / /| |/ /_/ / /  / /_/ / __/
    /_/ |_|\__,_/_/   \__,_/_/

  Apache Karaf (3.0.0)

Hit '<tab>' for a list of available commands
and '[cmd] --help' for help on a specific command.
Hit 'system:shutdown' to shutdown Karaf.
Hit '<ctrl-d>' or type 'logout' to disconnect shell from current session.

karaf@root()> install mvn:com.intekon.customer.kc.ewm.web-service/ewm-sap-dist/1.0-SNAPSHOT
Bundle ID: 82
karaf@root()> uninstall 82
Error executing command: Insufficient credentials.
karaf@root()> list
START LEVEL 100 , List Threshold: 50
ID | State     | Lvl | Version        | Name
----------------------------------------------------------------------
82 | Installed | 80  | 1.0.0.SNAPSHOT | APMS/EWM SAP File Distribution
karaf@root()> logout
sparrow-2:apache-karaf-3.0.0 paul$

***
* From data/log/karaf.log
***
2014-01-15 06:34:25,902 | INFO | e ssh user karaf | GuardProxyCatalog | 42 - org.apache.karaf.service.guard - 3.0.0 | Current user does not have required roles ([manager]) for service [org.apache.karaf.shell.console.CompletableFunction, org.apache.karaf.shell.console.commands.BlueprintCommand, org.apache.karaf.shell.commands.CommandWithAction, org.apache.felix.service.command.Function, org.apache.karaf.shell.commands.basic.AbstractCommand] method public java.lang.Object org.apache.karaf.shell.commands.basic.AbstractCommand.execute(org.apache.felix.service.command.CommandSession,java.util.List) throws java.lang.Exception and/or arguments
2014-01-15 06:34:25,902 | ERROR | e ssh user karaf | ShellUtil | 47 - org.apache.karaf.shell.console - 3.0.0 | Exception caught while executing command
java.lang.SecurityException: Insufficient credentials.
    at org.apache.karaf.service.guard.impl.GuardProxyCatalog$ProxyInvocationListener.preInvoke(GuardProxyCatalog.java:527)
    at org.apache.aries.proxy.impl.ProxyHandler$1.invoke(ProxyHandler.java:52)
    at org.apache.aries.proxy.impl.ProxyHandler.invoke(ProxyHandler.java:119)
    at org.apache.karaf.shell.console.commands.$BlueprintCommand1069614474.execute(Unknown Source)[47:org.apache.karaf.shell.console:3.0.0]
    at org.apache.felix.gogo.runtime.CommandProxy.execute(CommandProxy.java:78)[47:org.apache.karaf.shell.console:3.0.0]
    at org.apache.felix.gogo.runtime.Closure.executeCmd(Closure.java:477)[47:org.apache.karaf.shell.console:3.0.0]
    at org.apache.felix.gogo.runtime.Closure.executeStatement(Closure.java:403)[47:org.apache.karaf.shell.console:3.0.0]
    at org.apache.felix.gogo.runtime.Pipe.run(Pipe.java:108)[47:org.apache.karaf.shell.console:3.0.0]
    at org.apache.felix.gogo.runtime.Closure.execute(Closure.java:183)[47:org.apache.karaf.shell.console:3.0.0]
    at org.apache.felix.gogo.runtime.Closure.execute(Closure.java:120)[47:org.apache.karaf.shell.console:3.0.0]
    at org.apache.felix.gogo.runtime.CommandSessionImpl.execute(CommandSessionImpl.java:89)
    at org.apache.karaf.shell.console.impl.jline.ConsoleImpl$DelegateSession.execute(ConsoleImpl.java:497)
    at org.apache.karaf.shell.console.impl.jline.ConsoleImpl.run(ConsoleImpl.java:198)
    at java.lang.Thread.run(Thread.java:724)[:1.7.0_25]
    at org.apache.karaf.shell.console.impl.jline.ConsoleFactoryService$3.doRun(ConsoleFactoryService.java:118)[47:org.apache.karaf.shell.console:3.0.0]
    at org.apache.karaf.shell.console.impl.jline.ConsoleFactoryService$3$1.run(ConsoleFactoryService.java:109)
    at java.security.AccessController.doPrivileged(Native Method)[:1.7.0_25]
    at org.apache.karaf.jaas.modules.JaasHelper.doAs(JaasHelper.java:47)[48:org.apache.karaf.jaas.modules:3.0.0]
    at org.apache.karaf.shell.console.impl.jline.ConsoleFactoryService$3.run(ConsoleFactoryService.java:107)[47:org.apache.karaf.shell.console:3.0.0]

On Jan 15, 2014, at 12:37 AM, Jean-Baptiste Onofré <j...@nanthrax.net> wrote:

> Hi Paul,
>
> it's not a regression: command, services, and JMX security don't exist at all
> in 2.3.x, it's a new feature from 3.0.0.
>
> The local roles are defined in etc/system.properties:
>
> karaf.local.roles = admin,manager,viewer
>
> It's the roles used by the "local" console. When you use remote console (via
> ssh), Karaf uses the role of the user.
>
> If you take a look at etc/org.apache.karaf.command.acl.bundle.cfg, you can
> see:
>
> uninstall[/.*[-][f].*/] = admin
> uninstall = manager
>
> If you are manager, you can use uninstall for non system bundle (with start
> level greater than 80, so without requiring the -f option). To uninstall
> system bundle, you have to be admin (who can use the -f option for system
> bundle).
>
> Regards
> JB
>
> On 01/14/2014 10:34 PM, Paul Spencer wrote:
>> JB,
>> - The use case is successful in 2.3.x, so this sounds like a regression
>> issue.
>>
>> - Per etc/system.properties, the local user has admin and manage roles.
>>
>> karaf@root()> jaas:realm-manage --index 1
>> karaf@root()> jaas:user-list
>> User Name | Group      | Role
>> --------------------------------
>> karaf     | admingroup | admin
>> karaf     | admingroup | manager
>> karaf     | admingroup | viewer
>> karaf@root()>
>>
>>
>> - The way I am reading etc/org.apache.karaf.command.acl.bundle.cfg, a user
>> in the admin group can “install” a bundle and needs to be in the manager
>> group to “uninstall” without the “-f” option.
>>
>> karaf@root()> bundle:uninstall 79
>> Error executing command: Insufficient credentials.
>> karaf@root()> bundle:uninstall -f 79
>> karaf@root()>
>>
>> So why is the “bundle:uninstall” command failing when the local user has the
>> manager role?
>>
>> Paul Spencer
>>
>>
>>
>> On Jan 14, 2014, at 2:29 PM, Jean-Baptiste Onofré <j...@nanthrax.net> wrote:
>>
>>> Hi Paul,
>>>
>>> take a look in the documentation:
>>>
>>> http://karaf.apache.org/manual/latest/users-guide/security.html
>>>
>>> in the console section.
>>>
>>> You will find the explanations about
>>> etc/org.apache.karaf.command.acl.<scope>.cfg files.
>>>
>>> Regards
>>> JB
>>>
>>> On 01/14/2014 07:14 PM, Paul Spencer wrote:
>>>> Karaf 3.0.0 running on Apple OSX Maverick (10.9.1)
>>>>
>>>> I am getting a "java.lang.SecurityException: Insufficient credentials."
>>>> error when executing various commands on a newly installed Karaf 3.0.0.
>>>> The use case below is for uninstalling a bundle.
>>>>
>>>> Is there a configuration change I need to make?
>>>>
>>>> ***
>>>> * Use case
>>>> ***
>>>> 1) unzipped the distribution
>>>> 2) Start the Karaf server with bin/start
>>>> 3) Tail the log file until the JMX OSGi Agent is finished registering
>>>> objects (about 30 seconds)
>>>> 4) Start the Karaf client with bin/client
>>>> 5) Install a bundle
>>>> 6) Uninstall the newly installed bundle
>>>>
>>>>
>>>> ***
>>>> * Command output
>>>> ***
>>>> karaf@root()> install mvn:com.intekon.customer.kc.ewm.web-service/ewm-sap-dist/1.0-SNAPSHOT
>>>> Bundle ID: 79
>>>> karaf@root()> uninstall 79
>>>> Error executing command: Insufficient credentials.
>>>> karaf@root()>
>>>>
>>>>
>>>> ***
>>>> * From karaf.log (I can post the full 28K log if necessary)
>>>> ***
>>>> 2014-01-14 12:50:07,960 | INFO | e ssh user karaf | GuardProxyCatalog | 42 - org.apache.karaf.service.guard - 3.0.0 | Current user does not have required roles ([manager]) for service [org.apache.karaf.shell.console.CompletableFunction, org.apache.karaf.shell.console.commands.BlueprintCommand, org.apache.karaf.shell.commands.CommandWithAction, org.apache.felix.service.command.Function, org.apache.karaf.shell.commands.basic.AbstractCommand] method public java.lang.Object org.apache.karaf.shell.commands.basic.AbstractCommand.execute(org.apache.felix.service.command.CommandSession,java.util.List) throws java.lang.Exception and/or arguments
>>>> 2014-01-14 12:50:07,960 | ERROR | e ssh user karaf | ShellUtil | 47 - org.apache.karaf.shell.console - 3.0.0 | Exception caught while executing command
>>>> java.lang.SecurityException: Insufficient credentials.
>>>>     at org.apache.karaf.service.guard.impl.GuardProxyCatalog$ProxyInvocationListener.preInvoke(GuardProxyCatalog.java:527)
>>>>     at org.apache.aries.proxy.impl.ProxyHandler$1.invoke(ProxyHandler.java:52)
>>>>     at org.apache.aries.proxy.impl.ProxyHandler.invoke(ProxyHandler.java:119)
>>>>     at org.apache.karaf.shell.console.commands.$BlueprintCommand474733692.execute(Unknown Source)[47:org.apache.karaf.shell.console:3.0.0]
>>>>     at org.apache.felix.gogo.runtime.CommandProxy.execute(CommandProxy.java:78)[47:org.apache.karaf.shell.console:3.0.0]
>>>>     at org.apache.felix.gogo.runtime.Closure.executeCmd(Closure.java:477)[47:org.apache.karaf.shell.console:3.0.0]
>>>>     at org.apache.felix.gogo.runtime.Closure.executeStatement(Closure.java:403)[47:org.apache.karaf.shell.console:3.0.0]
>>>>     at org.apache.felix.gogo.runtime.Pipe.run(Pipe.java:108)[47:org.apache.karaf.shell.console:3.0.0]
>>>>     at org.apache.felix.gogo.runtime.Closure.execute(Closure.java:183)[47:org.apache.karaf.shell.console:3.0.0]
>>>>     at org.apache.felix.gogo.runtime.Closure.execute(Closure.java:120)[47:org.apache.karaf.shell.console:3.0.0]
>>>>     at org.apache.felix.gogo.runtime.CommandSessionImpl.execute(CommandSessionImpl.java:89)
>>>>     at org.apache.karaf.shell.console.impl.jline.ConsoleImpl$DelegateSession.execute(ConsoleImpl.java:497)
>>>>     at org.apache.karaf.shell.console.impl.jline.ConsoleImpl.run(ConsoleImpl.java:198)
>>>>     at java.lang.Thread.run(Thread.java:724)[:1.7.0_25]
>>>>     at org.apache.karaf.shell.console.impl.jline.ConsoleFactoryService$3.doRun(ConsoleFactoryService.java:118)[47:org.apache.karaf.shell.console:3.0.0]
>>>>     at org.apache.karaf.shell.console.impl.jline.ConsoleFactoryService$3$1.run(ConsoleFactoryService.java:109)
>>>>     at java.security.AccessController.doPrivileged(Native Method)[:1.7.0_25]
>>>>     at org.apache.karaf.jaas.modules.JaasHelper.doAs(JaasHelper.java:47)[48:org.apache.karaf.jaas.modules:3.0.0]
>>>>     at org.apache.karaf.shell.console.impl.jline.ConsoleFactoryService$3.run(ConsoleFactoryService.java:107)[47:org.apache.karaf.shell.console:3.0.0]
>>>>
>>>> Paul Spencer
>>>>
>>>>
>>>
>>> --
>>> Jean-Baptiste Onofré
>>> jbono...@apache.org
>>> http://blog.nanthrax.net
>>> Talend - http://www.talend.com
>>
>
> --
> Jean-Baptiste Onofré
> jbono...@apache.org
> http://blog.nanthrax.net
> Talend - http://www.talend.com