I know this does not help you at all, but IMHO giving random users access to webconsole is a terrible idea. I personally consider webconsole only useful for developers and eventually highly trusted, responsible and knowledgeable administrators.

On Fri, Dec 9, 2016 at 1:48 PM, Paul McCulloch <[email protected]> wrote:

> Yes. Only admins can use webconsole, so the web console user can modify
> the roles required for shell:exec to match themselves.
>
> I guess what I am really saying is that I want a non admin user to be able
> to use web console.
>
> Even if I do stop a webconsole user from executing shell:exec, there is
> nothing to stop them loading a bundle that does whatever they want. So it
> would just be raising the bar for a malicious admin user.
>
> I think I may look at running karaf inside some sort of container (chroot,
> Docker) to reduce the risk of granting Karaf admin rights where I don't
> want to give an OS login.
>
> Thanks.
>
> Paul
>
> On 9 December 2016 at 12:36, Jean-Baptiste Onofré <[email protected]> wrote:
>
>> By command, you mean shell:exec? The acl should already prevent
>> execution if the user doesn't have the expected role.
>>
>> Regards
>> JB
>>
>> On 12/09/2016 01:30 PM, Paul McCulloch wrote:
>>
>>> That would be ideal, but right now I'm looking for any way to prevent
>>> access to these (very dangerous I think) commands.
>>>
>>> On 9 December 2016 at 12:08, Jean-Baptiste Onofré <[email protected]> wrote:
>>>
>>>     Hi Paul,
>>>
>>>     So basically, you want RBAC on the webconsole. Correct?
>>>
>>>     It's not possible today without changing the webconsole. It's a good
>>>     idea to add such feature.
>>>
>>>     Regards
>>>     JB
>>>
>>>
>>>     On 12/09/2016 12:52 PM, Paul McCulloch wrote:
>>>
>>>         Hi,
>>>
>>>         I'm trying to prevent access to shell:exec from the console to
>>>         try and harden my karaf install.
>>>
>>>         I can revoke access from an admin user with
>>>         "config:property-set -p org.apache.karaf.command.acl.shell exec uberadmin".
>>>         I can also prevent the user from using config:property-set from
>>>         restoring the permissions.
>>>
>>>         What I can't seem to do is prevent an admin user from restoring
>>>         permissions via the web console's Configuration gui.
>>>
>>>         I want to permit remote access to the web console, but I don't
>>>         want to give users the ability to run arbitrary commands on the
>>>         server.
>>>
>>>         Thanks,
>>>
>>>         Paul
>>>
>>>
>>>     --
>>>     Jean-Baptiste Onofré
>>>     [email protected]
>>>     http://blog.nanthrax.net
>>>     Talend - http://www.talend.com
>>>
>>
>> --
>> Jean-Baptiste Onofré
>> [email protected]
>> http://blog.nanthrax.net
>> Talend - http://www.talend.com
>

--
http://about.me/milen
