I think I've come to the same conclusion. It looks like some work on RBAC has been done in HawtIO (https://github.com/hawtio/hawtio/issues/465) so I'll see if that's any use.
On 9 December 2016 at 12:57, Achim Nierbeck <[email protected]> wrote: > I fully agree with Milen on this. > The WebConsole is just to "powerful" for an "ordinary" user. > Just think of starting/stoping bundles by accident. This alone is already > malicious enough, and hard to track ;) > > regards, Achim > > 2016-12-09 13:55 GMT+01:00 Milen Dyankov <[email protected]>: > >> I know this does not help you at all but IMHO giving random users access >> to webconsole is terrible idea. I personally consider webconsole only >> useful for developers and eventually highly trusted, responsible and >> knowledgeable administrators. >> >> On Fri, Dec 9, 2016 at 1:48 PM, Paul McCulloch <[email protected]> >> wrote: >> >>> Yes. Only admins can use webconsole, so the web console user can modify >>> the roles required for shell:exec to match themselves. >>> >>> I guess what I am really saying is that I want a non admin user to be >>> able to use web console. >>> >>> Even if I do stop a webconsole user from executing shell:exec, there is >>> nothing to stop them loading a bundle that does whatever they want. So it >>> would just be raising the bar for a malicious admin user. >>> >>> I think I may look at running karaf inside some sort of container >>> (chroot, Docker) to reduce the rick of granting Karaf adamin rights where I >>> don't want to give an OS login. >>> >>> Thanks. >>> >>> Paul >>> >>> On 9 December 2016 at 12:36, Jean-Baptiste Onofré <[email protected]> >>> wrote: >>> >>>> By command, you mean shell:exec ? The acl should already prevent >>>> execution if the user doesn't have in the expected role. >>>> >>>> Regards >>>> JB >>>> >>>> On 12/09/2016 01:30 PM, Paul McCulloch wrote: >>>> >>>>> That would be ideal, but right now I'm looking for any way to prevent >>>>> access to these (very dangerous I think) commands. >>>>> >>>>> On 9 December 2016 at 12:08, Jean-Baptiste Onofré <[email protected] >>>>> <mailto:[email protected]>> wrote: >>>>> >>>>> Hi Paul, >>>>> >>>>> So basically, you want RBAC on the webconsole. Correct ? >>>>> >>>>> It's not possible today without changing the webconsole. It's a >>>>> good >>>>> idea to add such feature. >>>>> >>>>> Regards >>>>> JB >>>>> >>>>> >>>>> On 12/09/2016 12:52 PM, Paul McCulloch wrote: >>>>> >>>>> Hi, >>>>> >>>>> I'm trying to prevent access to shell:exec from the console to >>>>> try and >>>>> harden my karaf install. >>>>> >>>>> I can revoke access from an admin user with >>>>> "config:property-set -p >>>>> org.apache.karaf.command.acl.shell exec uberadmin". I can also >>>>> prevent >>>>> the user from using config:property-set from restoring the >>>>> permissions. >>>>> >>>>> What I can't seem to do is prevent an admin user from restoring >>>>> permissions via the web console's Configuration gui. >>>>> >>>>> I want to permit remote access to the web console, but I don't >>>>> want to >>>>> give users the ability to run arbitrary commands on the server. >>>>> >>>>> Thanks, >>>>> >>>>> Paul >>>>> >>>>> >>>>> -- >>>>> Jean-Baptiste Onofré >>>>> [email protected] <mailto:[email protected]> >>>>> http://blog.nanthrax.net >>>>> Talend - http://www.talend.com >>>>> >>>>> >>>>> >>>> -- >>>> Jean-Baptiste Onofré >>>> [email protected] >>>> http://blog.nanthrax.net >>>> Talend - http://www.talend.com >>>> >>> >>> >> >> >> -- >> http://about.me/milen >> > > > > -- > > Apache Member > Apache Karaf <http://karaf.apache.org/> Committer & PMC > OPS4J Pax Web <http://wiki.ops4j.org/display/paxweb/Pax+Web/> Committer & > Project Lead > blog <http://notizblog.nierbeck.de/> > Co-Author of Apache Karaf Cookbook <http://bit.ly/1ps9rkS> > > Software Architect / Project Manager / Scrum Master > >
