JB, I have seen the error with other commands while developing a bundle, although I focused on the bundle:uninstall.
In addition to connecting to Karaf with ssh, the use case succeeds when connection with bin/karaf. Paul Spencer On Jan 15, 2014, at 7:15 AM, Jean-Baptiste Onofré <[email protected]> wrote: > Let me try to reproduce the issue using bin/client. It's weird as bin/client > is a ssh client, so it's basically the same as ssh. > > Did you see the issue with other commands ? > > I think that the ACL can be enhanced: instead of checking the -f option, it > should check the bundle level. It's not so easy as bundle:uninstall accept > bundle ID, bundle name, etc. > > Regards > JB > > On 01/15/2014 12:45 PM, Paul Spencer wrote: >> JB, >> If is connect to Karaf vis SSH, the use case works, but if I connect via >> bin/client the use case fails. >> >> Why does the command uninstall without -f generate the log message “Current >> user does not have required roles ([manager]) for service” when connected to >> Karaf via bin/client? >> >> >> *** >> * Role definition in etc/system.properties >> *** >> sparrow-2:apache-karaf-3.0.0 paul$ grep local etc/system.properties >> # Roles to use when logging into a local Karaf console. >> karaf.local.roles = admin,manager,viewer >> sparrow-2:apache-karaf-3.0.0 paul$ >> >> *** >> * Log of connecting to Karaf via SSH then bin/client >> *** >> sparrow-2:apache-karaf-3.0.0 paul$ ssh [email protected] -p 8101 >> Authenticated with partial success. >> Authenticated with partial success. >> Password authentication >> Password: >> __ __ ____ >> / //_/____ __________ _/ __/ >> / ,< / __ `/ ___/ __ `/ /_ >> / /| |/ /_/ / / / /_/ / __/ >> /_/ |_|\__,_/_/ \__,_/_/ >> >> Apache Karaf (3.0.0) >> >> Hit '<tab>' for a list of available commands >> and '[cmd] --help' for help on a specific command. >> Hit 'system:shutdown' to shutdown Karaf. >> Hit '<ctrl-d>' or type 'logout' to disconnect shell from current session. >> >> karaf@root()> list >> START LEVEL 100 , List Threshold: 50 >> ID | State | Lvl | Version | Name >> ---------------------------------------------------------------------- >> 80 | Installed | 100 | 1.0.0.SNAPSHOT | APMS/EWM SAP File Distribution >> karaf@root()> uninstall 80 >> karaf@root()> install >> mvn:com.intekon.customer.kc.ewm.web-service/ewm-sap-dist/1.0-SNAPSHOT >> Bundle ID: 81 >> karaf@root()> uninstall 81 >> karaf@root()> logout >> Connection to 127.0.0.1 closed. >> sparrow-2:apache-karaf-3.0.0 paul$ bin/client >> Logging in as karaf >> 566 [pool-2-thread-2] WARN >> org.apache.sshd.client.keyverifier.AcceptAllServerKeyVerifier - Server at >> /0.0.0.0:8101 presented unverified key: >> __ __ ____ >> / //_/____ __________ _/ __/ >> / ,< / __ `/ ___/ __ `/ /_ >> / /| |/ /_/ / / / /_/ / __/ >> /_/ |_|\__,_/_/ \__,_/_/ >> >> Apache Karaf (3.0.0) >> >> Hit '<tab>' for a list of available commands >> and '[cmd] --help' for help on a specific command. >> Hit 'system:shutdown' to shutdown Karaf. >> Hit '<ctrl-d>' or type 'logout' to disconnect shell from current session. >> >> karaf@root()> install >> mvn:com.intekon.customer.kc.ewm.web-service/ewm-sap-dist/1.0-SNAPSHOT >> Bundle ID: 82 >> karaf@root()> uninstall 82 >> Error executing command: Insufficient credentials. >> karaf@root()> list >> START LEVEL 100 , List Threshold: 50 >> ID | State | Lvl | Version | Name >> ---------------------------------------------------------------------- >> 82 | Installed | 80 | 1.0.0.SNAPSHOT | APMS/EWM SAP File Distribution >> karaf@root()> logout >> sparrow-2:apache-karaf-3.0.0 paul$ >> >> *** >> * From data/log/karaf.log >> *** >> 2014-01-15 06:34:25,902 | INFO | e ssh user karaf | GuardProxyCatalog >> | 42 - org.apache.karaf.service.guard - 3.0.0 | Current user does >> not have required roles ([manager]) for service >> [org.apache.karaf.shell.console.CompletableFunction, >> org.apache.karaf.shell.console.commands.BlueprintCommand, >> org.apache.karaf.shell.commands.CommandWithAction, >> org.apache.felix.service.command.Function, >> org.apache.karaf.shell.commands.basic.AbstractCommand] method public >> java.lang.Object >> org.apache.karaf.shell.commands.basic.AbstractCommand.execute(org.apache.felix.service.command.CommandSession,java.util.List) >> throws java.lang.Exception and/or arguments >> 2014-01-15 06:34:25,902 | ERROR | e ssh user karaf | ShellUtil >> | 47 - org.apache.karaf.shell.console - 3.0.0 | Exception caught >> while executing command >> java.lang.SecurityException: Insufficient credentials. >> at >> org.apache.karaf.service.guard.impl.GuardProxyCatalog$ProxyInvocationListener.preInvoke(GuardProxyCatalog.java:527) >> at >> org.apache.aries.proxy.impl.ProxyHandler$1.invoke(ProxyHandler.java:52) >> at >> org.apache.aries.proxy.impl.ProxyHandler.invoke(ProxyHandler.java:119) >> at >> org.apache.karaf.shell.console.commands.$BlueprintCommand1069614474.execute(Unknown >> Source)[47:org.apache.karaf.shell.console:3.0.0] >> at >> org.apache.felix.gogo.runtime.CommandProxy.execute(CommandProxy.java:78)[47:org.apache.karaf.shell.console:3.0.0] >> at >> org.apache.felix.gogo.runtime.Closure.executeCmd(Closure.java:477)[47:org.apache.karaf.shell.console:3.0.0] >> at >> org.apache.felix.gogo.runtime.Closure.executeStatement(Closure.java:403)[47:org.apache.karaf.shell.console:3.0.0] >> at >> org.apache.felix.gogo.runtime.Pipe.run(Pipe.java:108)[47:org.apache.karaf.shell.console:3.0.0] >> at >> org.apache.felix.gogo.runtime.Closure.execute(Closure.java:183)[47:org.apache.karaf.shell.console:3.0.0] >> at >> org.apache.felix.gogo.runtime.Closure.execute(Closure.java:120)[47:org.apache.karaf.shell.console:3.0.0] >> at >> org.apache.felix.gogo.runtime.CommandSessionImpl.execute(CommandSessionImpl.java:89) >> at >> org.apache.karaf.shell.console.impl.jline.ConsoleImpl$DelegateSession.execute(ConsoleImpl.java:497) >> at >> org.apache.karaf.shell.console.impl.jline.ConsoleImpl.run(ConsoleImpl.java:198) >> at java.lang.Thread.run(Thread.java:724)[:1.7.0_25] >> at >> org.apache.karaf.shell.console.impl.jline.ConsoleFactoryService$3.doRun(ConsoleFactoryService.java:118)[47:org.apache.karaf.shell.console:3.0.0] >> at >> org.apache.karaf.shell.console.impl.jline.ConsoleFactoryService$3$1.run(ConsoleFactoryService.java:109) >> at java.security.AccessController.doPrivileged(Native >> Method)[:1.7.0_25] >> at >> org.apache.karaf.jaas.modules.JaasHelper.doAs(JaasHelper.java:47)[48:org.apache.karaf.jaas.modules:3.0.0] >> at >> org.apache.karaf.shell.console.impl.jline.ConsoleFactoryService$3.run(ConsoleFactoryService.java:107)[47:org.apache.karaf.shell.console:3.0.0] >> >> >> On Jan 15, 2014, at 12:37 AM, Jean-Baptiste Onofré <[email protected]> wrote: >> >>> Hi Pauln >>> >>> it's not a regression: command, services, and JMX security don't exist at >>> all in 2.3.x, it's a new feature from 3.0.0. >>> >>> The local roles are define in etc/system.properties: >>> >>> karaf.local.roles = admin,manager,viewer >>> >>> It's the roles used by the "local" console. When you use remote console >>> (via ssh), Karaf use the role of the user. >>> >>> If you take a look on etc/org.apache.karaf.command.acl.bundle.cfg, you can >>> see: >>> >>> uninstall[/.*[-][f].*/] = admin >>> uninstall = manager >>> >>> If you are manager, you can use uninstall for non system bundle (with start >>> level greater than 80, so without requiring the -f option). To uninstall >>> system bundle, you have to be admin (who can use the -f option for system >>> bundle). >>> >>> Regards >>> JB >>> >>> On 01/14/2014 10:34 PM, Paul Spencer wrote: >>>> JB, >>>> - The use case is successful in 2.3.x, to this sounds like a regression >>>> issue. >>>> >>>> - Per etc/system.properties, the local user has admin and manage roles. >>>> >>>> karaf@root()> jaas:realm-manage --index 1 >>>> karaf@root()> jaas:user-list >>>> User Name | Group | Role >>>> -------------------------------- >>>> karaf | admingroup | admin >>>> karaf | admingroup | manager >>>> karaf | admingroup | viewer >>>> karaf@root()> >>>> >>>> >>>> - The way I am reading etc/org.apache.karaf.command.acl.bundle.cfg, a user >>>> in the admin group can “install” a bundle and needs to be in the manager >>>> group to “uninstall” without the “-f” option. >>>> >>>> karaf@root()> bundle:uninstall 79 >>>> Error executing command: Insufficient credentials. >>>> karaf@root()> bundle:uninstall -f 79 >>>> karaf@root()> >>>> >>>> So why is the “bundle:uninstall” command failing when the local user has >>>> the manager role? >>>> >>>> Paul Spencer >>>> >>>> >>>> >>>> On Jan 14, 2014, at 2:29 PM, Jean-Baptiste Onofré <[email protected]> >>>> wrote: >>>> >>>>> Hi Paul, >>>>> >>>>> take a look in the documentation: >>>>> >>>>> http://karaf.apache.org/manual/latest/users-guide/security.html >>>>> >>>>> in the console section. >>>>> >>>>> You will the explanations about >>>>> etc/org.apache.karaf.command.acl.<scope>.cfg files. >>>>> >>>>> Regards >>>>> JB >>>>> >>>>> On 01/14/2014 07:14 PM, Paul Spencer wrote: >>>>>> Karaf 3.0.0 running on Apple OSX Maverick (10.9.1) >>>>>> >>>>>> I am getting a "java.lang.SecurityException: Insufficient credentials.” >>>>>> error when executing various commands on a newly installed Karaf 3.0.0. >>>>>> The use case below is for uninstalling a bundle. >>>>>> >>>>>> Is there a configuration change I need to make? >>>>>> >>>>>> *** >>>>>> * Use case >>>>>> *** >>>>>> 1) unzipped the distribution >>>>>> 2) Start the Karaf server with bin/start >>>>>> 3) Tail the log file until the JMX OSGi Agent is finished registering >>>>>> objects (about 30 seconds) >>>>>> 4) Start the Karaf client with bin/client >>>>>> 5) Install a bundle >>>>>> 6) Uninstall the newly installed bundle >>>>>> >>>>>> >>>>>> *** >>>>>> * Command output >>>>>> *** >>>>>> karaf@root()> install >>>>>> mvn:com.intekon.customer.kc.ewm.web-service/ewm-sap-dist/1.0-SNAPSHOT >>>>>> Bundle ID: 79 >>>>>> karaf@root()> uninstall 79 >>>>>> Error executing command: Insufficient credentials. >>>>>> karaf@root()> >>>>>> >>>>>> >>>>>> *** >>>>>> * From karaf.log (I can post the full 28K log if necessary) >>>>>> *** >>>>>> 2014-01-14 12:50:07,960 | INFO | e ssh user karaf | GuardProxyCatalog >>>>>> | 42 - org.apache.karaf.service.guard - 3.0.0 | Current >>>>>> user does not have required roles ([manager]) for service >>>>>> [org.apache.karaf.shell.console.CompletableFunction, >>>>>> org.apache.karaf.shell.console.commands.BlueprintCommand, >>>>>> org.apache.karaf.shell.commands.CommandWithAction, >>>>>> org.apache.felix.service.command.Function, >>>>>> org.apache.karaf.shell.commands.basic.AbstractCommand] method public >>>>>> java.lang.Object >>>>>> org.apache.karaf.shell.commands.basic.AbstractCommand.execute(org.apache.felix.service.command.CommandSession,java.util.List) >>>>>> throws java.lang.Exception and/or arguments >>>>>> 2014-01-14 12:50:07,960 | ERROR | e ssh user karaf | ShellUtil >>>>>> | 47 - org.apache.karaf.shell.console - 3.0.0 | Exception >>>>>> caught while executing command >>>>>> java.lang.SecurityException: Insufficient credentials. >>>>>> at >>>>>> org.apache.karaf.service.guard.impl.GuardProxyCatalog$ProxyInvocationListener.preInvoke(GuardProxyCatalog.java:527) >>>>>> at >>>>>> org.apache.aries.proxy.impl.ProxyHandler$1.invoke(ProxyHandler.java:52) >>>>>> at >>>>>> org.apache.aries.proxy.impl.ProxyHandler.invoke(ProxyHandler.java:119) >>>>>> at >>>>>> org.apache.karaf.shell.console.commands.$BlueprintCommand474733692.execute(Unknown >>>>>> Source)[47:org.apache.karaf.shell.console:3.0.0] >>>>>> at >>>>>> org.apache.felix.gogo.runtime.CommandProxy.execute(CommandProxy.java:78)[47:org.apache.karaf.shell.console:3.0.0] >>>>>> at >>>>>> org.apache.felix.gogo.runtime.Closure.executeCmd(Closure.java:477)[47:org.apache.karaf.shell.console:3.0.0] >>>>>> at >>>>>> org.apache.felix.gogo.runtime.Closure.executeStatement(Closure.java:403)[47:org.apache.karaf.shell.console:3.0.0] >>>>>> at >>>>>> org.apache.felix.gogo.runtime.Pipe.run(Pipe.java:108)[47:org.apache.karaf.shell.console:3.0.0] >>>>>> at >>>>>> org.apache.felix.gogo.runtime.Closure.execute(Closure.java:183)[47:org.apache.karaf.shell.console:3.0.0] >>>>>> at >>>>>> org.apache.felix.gogo.runtime.Closure.execute(Closure.java:120)[47:org.apache.karaf.shell.console:3.0.0] >>>>>> at >>>>>> org.apache.felix.gogo.runtime.CommandSessionImpl.execute(CommandSessionImpl.java:89) >>>>>> at >>>>>> org.apache.karaf.shell.console.impl.jline.ConsoleImpl$DelegateSession.execute(ConsoleImpl.java:497) >>>>>> at >>>>>> org.apache.karaf.shell.console.impl.jline.ConsoleImpl.run(ConsoleImpl.java:198) >>>>>> at java.lang.Thread.run(Thread.java:724)[:1.7.0_25] >>>>>> at >>>>>> org.apache.karaf.shell.console.impl.jline.ConsoleFactoryService$3.doRun(ConsoleFactoryService.java:118)[47:org.apache.karaf.shell.console:3.0.0] >>>>>> at >>>>>> org.apache.karaf.shell.console.impl.jline.ConsoleFactoryService$3$1.run(ConsoleFactoryService.java:109) >>>>>> at java.security.AccessController.doPrivileged(Native Method)[:1.7.0_25] >>>>>> at >>>>>> org.apache.karaf.jaas.modules.JaasHelper.doAs(JaasHelper.java:47)[48:org.apache.karaf.jaas.modules:3.0.0] >>>>>> at >>>>>> org.apache.karaf.shell.console.impl.jline.ConsoleFactoryService$3.run(ConsoleFactoryService.java:107)[47:org.apache.karaf.shell.console:3.0.0] >>>>>> >>>>>> Paul Spencer >>>>>> >>>>>> >>>>> >>>>> -- >>>>> Jean-Baptiste Onofré >>>>> [email protected] >>>>> http://blog.nanthrax.net >>>>> Talend - http://www.talend.com >>>> >>> >>> -- >>> Jean-Baptiste Onofré >>> [email protected] >>> http://blog.nanthrax.net >>> Talend - http://www.talend.com >> > > -- > Jean-Baptiste Onofré > [email protected] > http://blog.nanthrax.net > Talend - http://www.talend.com
