JB,
If I connect to Karaf via SSH, the use case works, but if I connect via 
bin/client the use case fails. 

Why does the command uninstall without -f generate the log message “Current 
user does not have required roles ([manager]) for service” when connected to 
Karaf via bin/client?


***
* Role definition in etc/system.properties
***
sparrow-2:apache-karaf-3.0.0 paul$ grep local etc/system.properties
# Roles to use when logging into a local Karaf console.
karaf.local.roles = admin,manager,viewer
sparrow-2:apache-karaf-3.0.0 paul$ 

***
* Log of connecting to Karaf via SSH then bin/client
***
sparrow-2:apache-karaf-3.0.0 paul$ ssh karaf@127.0.0.1 -p 8101
Authenticated with partial success.
Authenticated with partial success.
Password authentication
Password: 
        __ __                  ____      
       / //_/____ __________ _/ __/      
      / ,<  / __ `/ ___/ __ `/ /_        
     / /| |/ /_/ / /  / /_/ / __/        
    /_/ |_|\__,_/_/   \__,_/_/         

  Apache Karaf (3.0.0)

Hit '<tab>' for a list of available commands
and '[cmd] --help' for help on a specific command.
Hit 'system:shutdown' to shutdown Karaf.
Hit '<ctrl-d>' or type 'logout' to disconnect shell from current session.

karaf@root()> list
START LEVEL 100 , List Threshold: 50
ID | State     | Lvl | Version        | Name                          
----------------------------------------------------------------------
80 | Installed | 100 | 1.0.0.SNAPSHOT | APMS/EWM SAP File Distribution
karaf@root()> uninstall 80
karaf@root()> install 
mvn:com.intekon.customer.kc.ewm.web-service/ewm-sap-dist/1.0-SNAPSHOT
Bundle ID: 81
karaf@root()> uninstall 81
karaf@root()> logout
Connection to 127.0.0.1 closed.
sparrow-2:apache-karaf-3.0.0 paul$ bin/client
Logging in as karaf
566 [pool-2-thread-2] WARN 
org.apache.sshd.client.keyverifier.AcceptAllServerKeyVerifier - Server at 
/0.0.0.0:8101 presented unverified key: 
        __ __                  ____      
       / //_/____ __________ _/ __/      
      / ,<  / __ `/ ___/ __ `/ /_        
     / /| |/ /_/ / /  / /_/ / __/        
    /_/ |_|\__,_/_/   \__,_/_/         

  Apache Karaf (3.0.0)

Hit '<tab>' for a list of available commands
and '[cmd] --help' for help on a specific command.
Hit 'system:shutdown' to shutdown Karaf.
Hit '<ctrl-d>' or type 'logout' to disconnect shell from current session.

karaf@root()> install 
mvn:com.intekon.customer.kc.ewm.web-service/ewm-sap-dist/1.0-SNAPSHOT
Bundle ID: 82
karaf@root()> uninstall 82
Error executing command: Insufficient credentials.
karaf@root()> list
START LEVEL 100 , List Threshold: 50
ID | State     | Lvl | Version        | Name                          
----------------------------------------------------------------------
82 | Installed |  80 | 1.0.0.SNAPSHOT | APMS/EWM SAP File Distribution
karaf@root()> logout
sparrow-2:apache-karaf-3.0.0 paul$ 

***
* From data/log/karaf.log
***
2014-01-15 06:34:25,902 | INFO  | e ssh user karaf | GuardProxyCatalog          
      | 42 - org.apache.karaf.service.guard - 3.0.0 | Current user does not 
have required roles ([manager]) for service 
[org.apache.karaf.shell.console.CompletableFunction, 
org.apache.karaf.shell.console.commands.BlueprintCommand, 
org.apache.karaf.shell.commands.CommandWithAction, 
org.apache.felix.service.command.Function, 
org.apache.karaf.shell.commands.basic.AbstractCommand] method public 
java.lang.Object 
org.apache.karaf.shell.commands.basic.AbstractCommand.execute(org.apache.felix.service.command.CommandSession,java.util.List)
 throws java.lang.Exception and/or arguments
2014-01-15 06:34:25,902 | ERROR | e ssh user karaf | ShellUtil                  
      | 47 - org.apache.karaf.shell.console - 3.0.0 | Exception caught while 
executing command
java.lang.SecurityException: Insufficient credentials.
        at 
org.apache.karaf.service.guard.impl.GuardProxyCatalog$ProxyInvocationListener.preInvoke(GuardProxyCatalog.java:527)
        at 
org.apache.aries.proxy.impl.ProxyHandler$1.invoke(ProxyHandler.java:52)
        at 
org.apache.aries.proxy.impl.ProxyHandler.invoke(ProxyHandler.java:119)
        at 
org.apache.karaf.shell.console.commands.$BlueprintCommand1069614474.execute(Unknown
 Source)[47:org.apache.karaf.shell.console:3.0.0]
        at 
org.apache.felix.gogo.runtime.CommandProxy.execute(CommandProxy.java:78)[47:org.apache.karaf.shell.console:3.0.0]
        at 
org.apache.felix.gogo.runtime.Closure.executeCmd(Closure.java:477)[47:org.apache.karaf.shell.console:3.0.0]
        at 
org.apache.felix.gogo.runtime.Closure.executeStatement(Closure.java:403)[47:org.apache.karaf.shell.console:3.0.0]
        at 
org.apache.felix.gogo.runtime.Pipe.run(Pipe.java:108)[47:org.apache.karaf.shell.console:3.0.0]
        at 
org.apache.felix.gogo.runtime.Closure.execute(Closure.java:183)[47:org.apache.karaf.shell.console:3.0.0]
        at 
org.apache.felix.gogo.runtime.Closure.execute(Closure.java:120)[47:org.apache.karaf.shell.console:3.0.0]
        at 
org.apache.felix.gogo.runtime.CommandSessionImpl.execute(CommandSessionImpl.java:89)
        at 
org.apache.karaf.shell.console.impl.jline.ConsoleImpl$DelegateSession.execute(ConsoleImpl.java:497)
        at 
org.apache.karaf.shell.console.impl.jline.ConsoleImpl.run(ConsoleImpl.java:198)
        at java.lang.Thread.run(Thread.java:724)[:1.7.0_25]
        at 
org.apache.karaf.shell.console.impl.jline.ConsoleFactoryService$3.doRun(ConsoleFactoryService.java:118)[47:org.apache.karaf.shell.console:3.0.0]
        at 
org.apache.karaf.shell.console.impl.jline.ConsoleFactoryService$3$1.run(ConsoleFactoryService.java:109)
        at java.security.AccessController.doPrivileged(Native Method)[:1.7.0_25]
        at 
org.apache.karaf.jaas.modules.JaasHelper.doAs(JaasHelper.java:47)[48:org.apache.karaf.jaas.modules:3.0.0]
        at 
org.apache.karaf.shell.console.impl.jline.ConsoleFactoryService$3.run(ConsoleFactoryService.java:107)[47:org.apache.karaf.shell.console:3.0.0]


On Jan 15, 2014, at 12:37 AM, Jean-Baptiste Onofré <j...@nanthrax.net> wrote:

> Hi Paul,
> 
> it's not a regression: command, services, and JMX security don't exist at all 
> in 2.3.x, it's a new feature from 3.0.0.
> 
> The local roles are defined in etc/system.properties:
> 
> karaf.local.roles = admin,manager,viewer
> 
> It's the roles used by the "local" console. When you use the remote console (via 
> ssh), Karaf uses the role of the user.
> 
> If you take a look on etc/org.apache.karaf.command.acl.bundle.cfg, you can 
> see:
> 
> uninstall[/.*[-][f].*/] = admin
> uninstall = manager
> 
> If you are manager, you can use uninstall for non system bundle (with start 
> level greater than 80, so without requiring the -f option). To uninstall 
> system bundle, you have to be admin (who can use the -f option for system 
> bundle).
> 
> Regards
> JB
> 
> On 01/14/2014 10:34 PM, Paul Spencer wrote:
>> JB,
>> - The use case is successful in 2.3.x, so this sounds like a regression 
>> issue.
>> 
>> - Per etc/system.properties, the local user has admin and manager roles.
>> 
>> karaf@root()> jaas:realm-manage --index 1
>> karaf@root()> jaas:user-list
>> User Name | Group      | Role
>> --------------------------------
>> karaf     | admingroup | admin
>> karaf     | admingroup | manager
>> karaf     | admingroup | viewer
>> karaf@root()>
>> 
>> 
>> - The way I am reading etc/org.apache.karaf.command.acl.bundle.cfg, a user 
>> in the admin group can “install” a bundle and needs to be in the manager 
>> group to “uninstall” without the “-f” option.
>> 
>> karaf@root()> bundle:uninstall 79
>> Error executing command: Insufficient credentials.
>> karaf@root()> bundle:uninstall -f 79
>> karaf@root()>
>> 
>> So why is the “bundle:uninstall” command failing when the local user has the 
>> manager role?
>> 
>> Paul Spencer
>> 
>> 
>> 
>> On Jan 14, 2014, at 2:29 PM, Jean-Baptiste Onofré <j...@nanthrax.net> wrote:
>> 
>>> Hi Paul,
>>> 
>>> take a look in the documentation:
>>> 
>>> http://karaf.apache.org/manual/latest/users-guide/security.html
>>> 
>>> in the console section.
>>> 
>>> You will find the explanations about 
>>> etc/org.apache.karaf.command.acl.<scope>.cfg files.
>>> 
>>> Regards
>>> JB
>>> 
>>> On 01/14/2014 07:14 PM, Paul Spencer wrote:
>>>> Karaf 3.0.0 running on Apple OSX Maverick (10.9.1)
>>>> 
>>>> I am getting a "java.lang.SecurityException: Insufficient credentials.” 
>>>> error when executing various commands on a newly installed Karaf 3.0.0.  
>>>> The use case below is for uninstalling a bundle.
>>>> 
>>>> Is there a configuration change I need to make?
>>>> 
>>>> ***
>>>> * Use case
>>>> ***
>>>> 1) unzipped the distribution
>>>> 2) Start the Karaf server with bin/start
>>>> 3) Tail the log file until the JMX OSGi Agent is finished registering 
>>>> objects (about 30 seconds)
>>>> 4) Start the Karaf client with bin/client
>>>> 5) Install a bundle
>>>> 6) Uninstall the newly installed bundle
>>>> 
>>>> 
>>>> ***
>>>> * Command output
>>>> ***
>>>> karaf@root()> install 
>>>> mvn:com.intekon.customer.kc.ewm.web-service/ewm-sap-dist/1.0-SNAPSHOT
>>>> Bundle ID: 79
>>>> karaf@root()> uninstall 79
>>>> Error executing command: Insufficient credentials.
>>>> karaf@root()>
>>>> 
>>>> 
>>>> ***
>>>> * From karaf.log (I can post the full 28K log if necessary)
>>>> ***
>>>> 2014-01-14 12:50:07,960 | INFO  | e ssh user karaf | GuardProxyCatalog     
>>>>            | 42 - org.apache.karaf.service.guard - 3.0.0 | Current user 
>>>> does not have required roles ([manager]) for service 
>>>> [org.apache.karaf.shell.console.CompletableFunction, 
>>>> org.apache.karaf.shell.console.commands.BlueprintCommand, 
>>>> org.apache.karaf.shell.commands.CommandWithAction, 
>>>> org.apache.felix.service.command.Function, 
>>>> org.apache.karaf.shell.commands.basic.AbstractCommand] method public 
>>>> java.lang.Object 
>>>> org.apache.karaf.shell.commands.basic.AbstractCommand.execute(org.apache.felix.service.command.CommandSession,java.util.List)
>>>>  throws java.lang.Exception and/or arguments
>>>> 2014-01-14 12:50:07,960 | ERROR | e ssh user karaf | ShellUtil             
>>>>            | 47 - org.apache.karaf.shell.console - 3.0.0 | Exception 
>>>> caught while executing command
>>>> java.lang.SecurityException: Insufficient credentials.
>>>>    at 
>>>> org.apache.karaf.service.guard.impl.GuardProxyCatalog$ProxyInvocationListener.preInvoke(GuardProxyCatalog.java:527)
>>>>    at 
>>>> org.apache.aries.proxy.impl.ProxyHandler$1.invoke(ProxyHandler.java:52)
>>>>    at 
>>>> org.apache.aries.proxy.impl.ProxyHandler.invoke(ProxyHandler.java:119)
>>>>    at 
>>>> org.apache.karaf.shell.console.commands.$BlueprintCommand474733692.execute(Unknown
>>>>  Source)[47:org.apache.karaf.shell.console:3.0.0]
>>>>    at 
>>>> org.apache.felix.gogo.runtime.CommandProxy.execute(CommandProxy.java:78)[47:org.apache.karaf.shell.console:3.0.0]
>>>>    at 
>>>> org.apache.felix.gogo.runtime.Closure.executeCmd(Closure.java:477)[47:org.apache.karaf.shell.console:3.0.0]
>>>>    at 
>>>> org.apache.felix.gogo.runtime.Closure.executeStatement(Closure.java:403)[47:org.apache.karaf.shell.console:3.0.0]
>>>>    at 
>>>> org.apache.felix.gogo.runtime.Pipe.run(Pipe.java:108)[47:org.apache.karaf.shell.console:3.0.0]
>>>>    at 
>>>> org.apache.felix.gogo.runtime.Closure.execute(Closure.java:183)[47:org.apache.karaf.shell.console:3.0.0]
>>>>    at 
>>>> org.apache.felix.gogo.runtime.Closure.execute(Closure.java:120)[47:org.apache.karaf.shell.console:3.0.0]
>>>>    at 
>>>> org.apache.felix.gogo.runtime.CommandSessionImpl.execute(CommandSessionImpl.java:89)
>>>>    at 
>>>> org.apache.karaf.shell.console.impl.jline.ConsoleImpl$DelegateSession.execute(ConsoleImpl.java:497)
>>>>    at 
>>>> org.apache.karaf.shell.console.impl.jline.ConsoleImpl.run(ConsoleImpl.java:198)
>>>>    at java.lang.Thread.run(Thread.java:724)[:1.7.0_25]
>>>>    at 
>>>> org.apache.karaf.shell.console.impl.jline.ConsoleFactoryService$3.doRun(ConsoleFactoryService.java:118)[47:org.apache.karaf.shell.console:3.0.0]
>>>>    at 
>>>> org.apache.karaf.shell.console.impl.jline.ConsoleFactoryService$3$1.run(ConsoleFactoryService.java:109)
>>>>    at java.security.AccessController.doPrivileged(Native Method)[:1.7.0_25]
>>>>    at 
>>>> org.apache.karaf.jaas.modules.JaasHelper.doAs(JaasHelper.java:47)[48:org.apache.karaf.jaas.modules:3.0.0]
>>>>    at 
>>>> org.apache.karaf.shell.console.impl.jline.ConsoleFactoryService$3.run(ConsoleFactoryService.java:107)[47:org.apache.karaf.shell.console:3.0.0]
>>>> 
>>>> Paul Spencer
>>>> 
>>>> 
>>> 
>>> --
>>> Jean-Baptiste Onofré
>>> jbono...@apache.org
>>> http://blog.nanthrax.net
>>> Talend - http://www.talend.com
>> 
> 
> -- 
> Jean-Baptiste Onofré
> jbono...@apache.org
> http://blog.nanthrax.net
> Talend - http://www.talend.com
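
The role check discussed in this thread, as an added example that is not part of the original messages and is not Karaf's own code: a simplified Python model of how the two quoted `uninstall` rules select a required role from the command arguments. It assumes the regex is matched against the space-joined arguments, that an argument-specific rule takes precedence over the plain one, and that holding any one listed role is sufficient; the session role sets passed in are constructed inputs.

```python
import re

# The two rules the thread quotes from etc/org.apache.karaf.command.acl.bundle.cfg.
ACL_TEXT = """\
uninstall[/.*[-][f].*/] = admin
uninstall = manager
"""

# <command>[/<regex on arguments>/] = <role>[,<role>...]
RULE = re.compile(r"^(?P<cmd>[\w-]+)(?:\[/(?P<argre>.*)/\])?\s*=\s*(?P<roles>.*)$")


def parse_acl(text):
    """Return a list of (command, argument_regex_or_None, required_roles)."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE.match(line)
        if m is None:
            raise ValueError("unparsable ACL line: %r" % line)
        roles = frozenset(r.strip() for r in m["roles"].split(",") if r.strip())
        rules.append((m["cmd"], m["argre"], roles))
    return rules


def required_roles(rules, command, args):
    """Roles demanded for this invocation; None if no rule covers the command."""
    argline = " ".join(args)  # assumption: the regex sees the arguments as one string
    fallback = None
    for cmd, argre, roles in rules:
        if cmd != command:
            continue
        if argre is None:
            fallback = roles              # plain rule, used when no regex rule matches
        elif re.fullmatch(argre, argline):
            return roles                  # argument-specific rule wins
    return fallback


def authorize(rules, session_roles, command, args):
    """True/False for allow/deny, or None when the fragment has no rule."""
    need = required_roles(rules, command, args)
    if need is None:
        return None
    return bool(need & set(session_roles))  # model: any one listed role suffices


RULES = parse_acl(ACL_TEXT)
```

In this model a session whose role set lacks `manager` is denied `uninstall 82` but allowed `uninstall -f 82`, the same pattern as the `bundle:uninstall` output quoted above, so comparing the roles each connection method actually grants is the useful check.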
