Re: Overriding the default realm for SSH, WebConsole, ...
> Cedric Jonas :
> Hi,
> We currently distribute new versions via tar-ball / ZIPs.
> It is intended to be distributed as a Maven dependency which could then be
> used as a "template" / platform distribution to be customized again via the
> karaf-maven-plugin. But we weren't able to get that done so far.
> Docker could be a topic in future.

Hm... then I don't know if this helps: I have created a debian package for karaf:
https://steinar.bang.priv.no/2018/01/23/installing-apache-karaf-on-debian/

And then I just edit the files I need to in /etc/karaf/ and apt upgrades leaves that config alone and/or tells me if there is a conflict.

Alternatively I've done a, shall we say, non-standard docker image thing... (sort of breaking/subverting the docker ideal of packing everything into containers).

I do all of my karaf apps as "install with maven", meaning that I deploy/release to maven karaf features that can be loaded via maven.

For the applications running on my debian packaged karaf, I have created a master feature to load them all:
https://github.com/steinarb/myapps

(so when I "apt upgrade" the karaf and all installed apps are wiped I can ssh into karaf and install all apps with a single maven-loaded feature)

But anyway: I have leveraged the install-from-maven bit when creating docker images, e.g. like this one:
https://github.com/steinarb/sonar-collector/tree/master/docker/docker

Basically what I do is start with the standard karaf docker image and then replace the org.karaf.features.cfg file with a file that adds the application's feature to the boot set (version LATEST) and add a datasource config file that uses environment variables to set the JDBC URL, the username and the password.

Both config files are dropped into the etc directory of the karaf in the docker image and the end result is the LATEST version of the app, pulled from maven central, running inside the docker container after startup.
Re: Overriding the default realm for SSH, WebConsole, ...
Hi,

We currently distribute new versions via tar-ball / ZIPs.
It is intended to be distributed as a Maven dependency which could then be used as a "template" / platform distribution to be customized again via the karaf-maven-plugin. But we weren't able to get that done so far.
Docker could be a topic in future.

Regards,
Cédric

From: Steinar Bang
Sent: Tuesday, April 30, 2024 6:30 PM
To: user@karaf.apache.org
Subject: Re: Overriding the default realm for SSH, WebConsole, ...

>>>>> Cedric Jonas :

> Our goal was to customize the existing Karaf configuration files so that we
> do not have to spend additional sync efforts each time we update to a new
> version of Karaf (at least, we need to check if the default configuration
> file didn't change).

> Is there any good way to do that?

How do you distribute new versions? As a docker image? As a tar-ball/zip to be unpacked and started? Other?

Cédric Jonas - HydroMet - KISTERS AG - Pascalstraße 8+10 - 52076 Aachen - DE | +49 2408 9385 -453 | cedric.jo...@kisters.de | www.kisters.de | Handelsregister Aachen, HRB-Nr. 7838 | Vorstand: Klaus Kisters, Hanns Kisters | Aufsichtsratsvorsitzender: Dr. Thomas Klevers
Re: Overriding the default realm for SSH, WebConsole, ...
Hi,

We decided to override the karaf realm instead of adding a new one and have to modify all configurations. Works perfectly so far, thanks!

But it would still be nice if we could also replace config key values via e.g. Assembly Property Edits. The following allows only to replace the whole configuration with this or multiple key-value pairs, not to replace one single value:

org.apache.karaf.webconsole.cfg put realm kisters-water

Something similar could perhaps also be supported by the config element in feature.xml, which is currently limited the same way:

test=value

Thanks!

Regards,
Cédric

From: Jean-Baptiste Onofré
Sent: Tuesday, April 30, 2024 2:22 PM
To: user@karaf.apache.org
Subject: Re: Overriding the default realm for SSH, WebConsole, ...

Hi Cédric

You can provide the security schema via blueprint or programmatically, overriding the karaf realm.

Or you can create a new realm and update all services (ssh, etc) with this realm (more changes to do).

I would go more with the overriding karaf realm, probably easier (the overriding bundle would be part of your distribution).

Regards
JB
Re: Overriding the default realm for SSH, WebConsole, ...
> Cedric Jonas :
> Our goal was to customize the existing Karaf configuration files so that we
> do not have to spend additional sync efforts each time we update to a new
> version of Karaf (at least, we need to check if the default configuration
> file didn't change).
> Is there any good way to do that?

How do you distribute new versions? As a docker image? As a tar-ball/zip to be unpacked and started? Other?
Re: Overriding the default realm for SSH, WebConsole, ...
Hi Cédric

You can provide the security schema via blueprint or programmatically, overriding the karaf realm.

Or you can create a new realm and update all services (ssh, etc) with this realm (more changes to do).

I would go more with the overriding karaf realm, probably easier (the overriding bundle would be part of your distribution).

Regards
JB

On Tue, Apr 30, 2024 at 9:35 AM Cedric Jonas wrote:
>
> Hi,
>
> We provide a custom Karaf distribution for other developers within our
> company. As part of that, we also provide a custom authentication realm using
> OpenID Connect.
>
> Now we would like to ensure that this new realm is configured by default for
> SSH, WebConsole, etc. I could not find any nice way to do that - whenever I
> tried to override property values in e.g.
> etc/org.apache.karaf.webconsole.cfg, I end up with a completely new file
> which is not what we want. Either the property replacement abilities of the
> Karaf Maven plugin / features.xml did replace the whole existing
> configuration file with my one customized value ("realm" key) or it created
> the file before the WebConsole feature was installed, and the WebConsole
> feature install obviously doesn't merge both.
>
> Our goal was to customize the existing Karaf configuration files so that we
> do not have to spend additional sync efforts each time we update to a new
> version of Karaf (at least, we need to check if the default configuration
> file didn't change).
>
> Is there any good way to do that?
>
> In the documentation
> (https://karaf.apache.org/manual/latest/#_schema_and_deployer) I found
> there's a way to override the default realm ("karaf") configuration using
> Blueprint and ranks - meaning I would probably replace the existing karaf
> realm with a new configuration but using the same realm name.
> Is that the only way? Isn't it possible to simply configure a new realm name
> for SSH, WebConsole etc. when building a new custom distribution? Without
> being forced to rewrite the whole configuration file and sync the configs
> each time we update?
>
> Thanks!
>
> Regards,
> Cédric
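
The realm override discussed in this thread, sketched as a Blueprint descriptor. This is an added example, not code posted by anyone in the thread or taken from the Karaf project; the login module class `com.example.karaf.oidc.OidcLoginModule`, its option names, and the file name are hypothetical placeholders for the custom OpenID Connect module.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example. Assumed location inside the overriding bundle:
     OSGI-INF/blueprint/oidc-realm.xml (file name is an assumption). -->
<blueprint xmlns="http://www.osgi.org/xmlns/blueprint/v1.0.0"
           xmlns:jaas="http://karaf.apache.org/xmlns/jaas/v1.0.0">

  <!-- Registered under the same name as the stock realm ("karaf"), so
       etc/org.apache.karaf.webconsole.cfg, the SSH config and every other
       consumer keep their shipped realm value and no .cfg file has to be
       rewritten or re-synced on a Karaf upgrade.
       When several realms share a name, the one with the highest rank is
       used, so this rank must be higher than the stock realm's. -->
  <jaas:config name="karaf" rank="1">

    <!-- The override replaces the whole module list of the stock realm.
         Any stock login module that should keep working (for example the
         one backing SSH public-key login) has to be listed here again. -->

    <!-- ASSUMPTION: hypothetical class and option names standing in for
         the custom OpenID Connect login module from the thread. -->
    <jaas:module className="com.example.karaf.oidc.OidcLoginModule"
                 flags="required">
      issuer = https://idp.example.invalid/realms/dev
      client.id = karaf-console
    </jaas:module>
  </jaas:config>

</blueprint>
```

After the bundle starts, `jaas:realm-list` in the Karaf shell lists the registered realms and their login modules, which is a quick way to confirm the custom module is present under the `karaf` name.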