1. KARAF-4889 <https://issues.apache.org/jira/browse/KARAF-4889> logged
On 9 December 2016 at 13:20, Jean-Baptiste Onofré <[email protected]> wrote:
> I think it would be an interesting plugin to add.
>
> Do you mind creating a Jira about that?
>
> Regards
> JB
>
> On 12/09/2016 02:16 PM, Paul McCulloch wrote:
>> I think I've come to the same conclusion. It looks like some work on
>> RBAC has been done in HawtIO (https://github.com/hawtio/hawtio/issues/465)
>> so I'll see if that's any use.
>>
>> On 9 December 2016 at 12:57, Achim Nierbeck <[email protected]> wrote:
>>> I fully agree with Milen on this.
>>> The WebConsole is just too "powerful" for an "ordinary" user.
>>> Just think of starting/stopping bundles by accident. This alone is
>>> already malicious enough, and hard to track ;)
>>>
>>> regards, Achim
>>>
>>> 2016-12-09 13:55 GMT+01:00 Milen Dyankov <[email protected]>:
>>>> I know this does not help you at all but IMHO giving random
>>>> users access to webconsole is a terrible idea. I personally
>>>> consider webconsole only useful for developers and eventually
>>>> highly trusted, responsible and knowledgeable administrators.
>>>>
>>>> On Fri, Dec 9, 2016 at 1:48 PM, Paul McCulloch <[email protected]> wrote:
>>>>> Yes. Only admins can use webconsole, so the web console user
>>>>> can modify the roles required for shell:exec to match themselves.
>>>>>
>>>>> I guess what I am really saying is that I want a non-admin
>>>>> user to be able to use web console.
>>>>>
>>>>> Even if I do stop a webconsole user from executing shell:exec,
>>>>> there is nothing to stop them loading a bundle that does whatever
>>>>> they want. So it would just be raising the bar for a malicious
>>>>> admin user.
>>>>>
>>>>> I think I may look at running karaf inside some sort of container
>>>>> (chroot, Docker) to reduce the risk of granting Karaf admin rights
>>>>> where I don't want to give an OS login.
>>>>>
>>>>> Thanks.
>>>>>
>>>>> Paul
>>>>>
>>>>> On 9 December 2016 at 12:36, Jean-Baptiste Onofré <[email protected]> wrote:
>>>>>> By command, you mean shell:exec? The ACL should already
>>>>>> prevent execution if the user doesn't have the expected role.
>>>>>>
>>>>>> Regards
>>>>>> JB
>>>>>>
>>>>>> On 12/09/2016 01:30 PM, Paul McCulloch wrote:
>>>>>>> That would be ideal, but right now I'm looking for any way to
>>>>>>> prevent access to these (very dangerous I think) commands.
>>>>>>>
>>>>>>> On 9 December 2016 at 12:08, Jean-Baptiste Onofré <[email protected]> wrote:
>>>>>>>> Hi Paul,
>>>>>>>>
>>>>>>>> So basically, you want RBAC on the webconsole. Correct?
>>>>>>>>
>>>>>>>> It's not possible today without changing the webconsole.
>>>>>>>> It's a good idea to add such a feature.
>>>>>>>>
>>>>>>>> Regards
>>>>>>>> JB
>>>>>>>>
>>>>>>>> On 12/09/2016 12:52 PM, Paul McCulloch wrote:
>>>>>>>>> Hi,
>>>>>>>>>
>>>>>>>>> I'm trying to prevent access to shell:exec from the console
>>>>>>>>> to try and harden my karaf install.
>>>>>>>>>
>>>>>>>>> I can revoke access from an admin user with
>>>>>>>>> "config:property-set -p org.apache.karaf.command.acl.shell exec uberadmin".
>>>>>>>>> I can also prevent the user from using config:property-set to
>>>>>>>>> restore the permissions.
>>>>>>>>>
>>>>>>>>> What I can't seem to do is prevent an admin user from restoring
>>>>>>>>> permissions via the web console's Configuration GUI.
>>>>>>>>>
>>>>>>>>> I want to permit remote access to the web console, but I don't
>>>>>>>>> want to give users the ability to run arbitrary commands on
>>>>>>>>> the server.
>>>>>>>>>
>>>>>>>>> Thanks,
>>>>>>>>>
>>>>>>>>> Paul
>>>>>>>>
>>>>>>>> --
>>>>>>>> Jean-Baptiste Onofré
>>>>>>>> [email protected]
>>>>>>>> http://blog.nanthrax.net
>>>>>>>> Talend - http://www.talend.com
>>>>
>>>> --
>>>> http://about.me/milen
>>>
>>> --
>>> Apache Member
>>> Apache Karaf <http://karaf.apache.org/> Committer & PMC
>>> OPS4J Pax Web <http://wiki.ops4j.org/display/paxweb/Pax+Web/> Committer & Project Lead
>>> blog <http://notizblog.nierbeck.de/>
>>> Co-Author of Apache Karaf Cookbook <http://bit.ly/1ps9rkS>
>>>
>>> Software Architect / Project Manager / Scrum Master
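The thread's hardening steps (lock `shell:exec` to a dedicated role, then lock `config:property-set` so an admin cannot re-grant it from the shell) and the gap it reports (a config GUI that writes to ConfigAdmin without passing through the command ACL) can be replayed with a small model. The following is an added example and not code from the thread or from Apache Karaf: the `command = role1,role2` line format and the `org.apache.karaf.command.acl.<scope>` PIDs match the real files, but the sample file contents, the role sets `ADMIN_ROLES`/`UBERADMIN_ROLES`, the "unlisted command is open to everyone" rule and the `configadmin_write` path are this example's own assumptions, and Karaf's argument-pattern ACL keys are left out.

```python
"""Simplified model of Karaf command ACL evaluation (example code, not Karaf's own).

Assumptions: one 'command = role1,role2' line per command, scope taken from the PID
org.apache.karaf.command.acl.<scope>, an unlisted command is open to every user,
and a config GUI writes to ConfigAdmin directly, bypassing command ACLs."""

# Constructed sample ACL files; the default-looking values are assumptions.
ACL_FILES = {
    "org.apache.karaf.command.acl.shell": """
        # scope 'shell'
        exec = manager
        edit = manager
    """,
    "org.apache.karaf.command.acl.config": """
        # scope 'config'
        property-set = manager
        update = manager
    """,
}

# Assumed role sets: a member of the usual admin group vs. a dedicated 'uberadmin'.
ADMIN_ROLES = {"admin", "manager", "viewer"}
UBERADMIN_ROLES = {"uberadmin"}


def parse_acl(text):
    """Turn 'command = role1,role2' lines into {command: {roles}}; '#' starts a comment."""
    acl = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        command, _, roles = line.partition("=")
        acl[command.strip()] = {r.strip() for r in roles.split(",") if r.strip()}
    return acl


def load_acls(files=ACL_FILES):
    return {pid: parse_acl(text) for pid, text in files.items()}


def may_execute(acls, scope, command, user_roles):
    """Shell-side check: a listed command needs one of its roles; unlisted is open (assumed)."""
    entry = acls.get(f"org.apache.karaf.command.acl.{scope}", {}).get(command)
    return True if entry is None else bool(entry & set(user_roles))


def configadmin_write(acls, pid, key, roles):
    """Direct ConfigAdmin update of an ACL property. Nothing here consults the command
    ACLs: this models the thread's config-GUI path, not an approved Karaf API."""
    acls.setdefault(pid, {})[key] = {r.strip() for r in roles.split(",") if r.strip()}


def shell_property_set(acls, user_roles, pid, key, roles):
    """Model of 'config:property-set -p <pid> <key> <roles>' typed in the shell:
    the command itself is gated by the 'config' scope ACL before it writes."""
    if not may_execute(acls, "config", "property-set", user_roles):
        raise PermissionError(f"config:property-set denied for roles {sorted(user_roles)}")
    configadmin_write(acls, pid, key, roles)


def who_can(acls, scope, command, principals):
    """Audit helper: names of the {name: roles} principals allowed to run scope:command."""
    return sorted(name for name, roles in principals.items()
                  if may_execute(acls, scope, command, roles))


def hardening_walkthrough():
    """Replay the thread's two steps and the reported gap; return what each step yields."""
    acls = load_acls()
    principals = {"admin-user": ADMIN_ROLES, "uber": UBERADMIN_ROLES}
    result = {"initial": who_can(acls, "shell", "exec", principals)}

    # Step 1 (from the thread): config:property-set -p org.apache.karaf.command.acl.shell exec uberadmin
    shell_property_set(acls, ADMIN_ROLES, "org.apache.karaf.command.acl.shell", "exec", "uberadmin")
    result["after_exec_lock"] = who_can(acls, "shell", "exec", principals)

    # Step 2: keep admins from re-granting through the shell by locking property-set itself.
    shell_property_set(acls, ADMIN_ROLES, "org.apache.karaf.command.acl.config", "property-set", "uberadmin")
    try:
        shell_property_set(acls, ADMIN_ROLES, "org.apache.karaf.command.acl.shell", "exec", "manager")
        result["shell_regrant_denied"] = False
    except PermissionError:
        result["shell_regrant_denied"] = True

    # The gap: a configuration GUI writing to ConfigAdmin never hits may_execute,
    # so the command ACL is restored to its permissive value by the admin user.
    configadmin_write(acls, "org.apache.karaf.command.acl.shell", "exec", "manager")
    result["after_webconsole_regrant"] = who_can(acls, "shell", "exec", principals)
    return result


if __name__ == "__main__":
    print(hardening_walkthrough())
```

The walkthrough makes the layering point concrete: command ACLs are enforced where shell commands are dispatched, so any other write path to the same ConfigAdmin PIDs (here modelled by `configadmin_write`) needs its own authorization, which is what the thread's Jira request is about. The `who_can` helper is the check an operator would run over a real ACL file set after each change.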
