Hi Paul,

It's not a regression: command, services, and JMX security don't exist at all in 2.3.x, it's a new feature from 3.0.0.

The local roles are defined in etc/system.properties:

karaf.local.roles = admin,manager,viewer

These are the roles used by the "local" console. When you use the remote console (via ssh), Karaf uses the role of the user.

If you take a look at etc/org.apache.karaf.command.acl.bundle.cfg, you can see:

uninstall[/.*[-][f].*/] = admin
uninstall = manager

If you are manager, you can use uninstall for non-system bundles (with start level greater than 80, so without requiring the -f option). To uninstall a system bundle, you have to be admin (who can use the -f option for system bundles).

Regards
JB

On 01/14/2014 10:34 PM, Paul Spencer wrote:
JB,
- The use case is successful in 2.3.x, so this sounds like a regression issue.

- Per etc/system.properties, the local user has admin and manager roles.

karaf@root()> jaas:realm-manage --index 1
karaf@root()> jaas:user-list
User Name | Group      | Role
--------------------------------
karaf     | admingroup | admin
karaf     | admingroup | manager
karaf     | admingroup | viewer
karaf@root()>


- The way I am reading etc/org.apache.karaf.command.acl.bundle.cfg, a user in 
the admin group can “install” a bundle and needs to be in the manager group to 
“uninstall” without the “-f” option.

karaf@root()> bundle:uninstall 79
Error executing command: Insufficient credentials.
karaf@root()> bundle:uninstall -f 79
karaf@root()>

So why is the “bundle:uninstall” command failing when the local user has the 
manager role?

Paul Spencer



On Jan 14, 2014, at 2:29 PM, Jean-Baptiste Onofré <[email protected]> wrote:

Hi Paul,

Take a look at the documentation:

http://karaf.apache.org/manual/latest/users-guide/security.html

in the console section.

You will find the explanations about etc/org.apache.karaf.command.acl.<scope>.cfg 
files.

Regards
JB

On 01/14/2014 07:14 PM, Paul Spencer wrote:
Karaf 3.0.0 running on Apple OSX Maverick (10.9.1)

I am getting a "java.lang.SecurityException: Insufficient credentials." error 
when executing various commands on a newly installed Karaf 3.0.0.  The use case 
below is for uninstalling a bundle.

Is there a configuration change I need to make?

***
* Use case
***
1) unzipped the distribution
2) Start the Karaf server with bin/start
3) Tail the log file until the JMX OSGi Agent is finished registering objects 
(about 30 seconds)
4) Start the Karaf client with bin/client
5) Install a bundle
6) Uninstall the newly installed bundle


***
* Command output
***
karaf@root()> install mvn:com.intekon.customer.kc.ewm.web-service/ewm-sap-dist/1.0-SNAPSHOT
Bundle ID: 79
karaf@root()> uninstall 79
Error executing command: Insufficient credentials.
karaf@root()>


***
* From karaf.log (I can post the full 28K log if necessary)
***
2014-01-14 12:50:07,960 | INFO  | e ssh user karaf | GuardProxyCatalog                | 42 - org.apache.karaf.service.guard - 3.0.0 | Current user does not have required roles ([manager]) for service [org.apache.karaf.shell.console.CompletableFunction, org.apache.karaf.shell.console.commands.BlueprintCommand, org.apache.karaf.shell.commands.CommandWithAction, org.apache.felix.service.command.Function, org.apache.karaf.shell.commands.basic.AbstractCommand] method public java.lang.Object org.apache.karaf.shell.commands.basic.AbstractCommand.execute(org.apache.felix.service.command.CommandSession,java.util.List) throws java.lang.Exception and/or arguments
2014-01-14 12:50:07,960 | ERROR | e ssh user karaf | ShellUtil                        | 47 - org.apache.karaf.shell.console - 3.0.0 | Exception caught while executing command
java.lang.SecurityException: Insufficient credentials.
        at org.apache.karaf.service.guard.impl.GuardProxyCatalog$ProxyInvocationListener.preInvoke(GuardProxyCatalog.java:527)
        at org.apache.aries.proxy.impl.ProxyHandler$1.invoke(ProxyHandler.java:52)
        at org.apache.aries.proxy.impl.ProxyHandler.invoke(ProxyHandler.java:119)
        at org.apache.karaf.shell.console.commands.$BlueprintCommand474733692.execute(Unknown Source)[47:org.apache.karaf.shell.console:3.0.0]
        at org.apache.felix.gogo.runtime.CommandProxy.execute(CommandProxy.java:78)[47:org.apache.karaf.shell.console:3.0.0]
        at org.apache.felix.gogo.runtime.Closure.executeCmd(Closure.java:477)[47:org.apache.karaf.shell.console:3.0.0]
        at org.apache.felix.gogo.runtime.Closure.executeStatement(Closure.java:403)[47:org.apache.karaf.shell.console:3.0.0]
        at org.apache.felix.gogo.runtime.Pipe.run(Pipe.java:108)[47:org.apache.karaf.shell.console:3.0.0]
        at org.apache.felix.gogo.runtime.Closure.execute(Closure.java:183)[47:org.apache.karaf.shell.console:3.0.0]
        at org.apache.felix.gogo.runtime.Closure.execute(Closure.java:120)[47:org.apache.karaf.shell.console:3.0.0]
        at org.apache.felix.gogo.runtime.CommandSessionImpl.execute(CommandSessionImpl.java:89)
        at org.apache.karaf.shell.console.impl.jline.ConsoleImpl$DelegateSession.execute(ConsoleImpl.java:497)
        at org.apache.karaf.shell.console.impl.jline.ConsoleImpl.run(ConsoleImpl.java:198)
        at java.lang.Thread.run(Thread.java:724)[:1.7.0_25]
        at org.apache.karaf.shell.console.impl.jline.ConsoleFactoryService$3.doRun(ConsoleFactoryService.java:118)[47:org.apache.karaf.shell.console:3.0.0]
        at org.apache.karaf.shell.console.impl.jline.ConsoleFactoryService$3$1.run(ConsoleFactoryService.java:109)
        at java.security.AccessController.doPrivileged(Native Method)[:1.7.0_25]
        at org.apache.karaf.jaas.modules.JaasHelper.doAs(JaasHelper.java:47)[48:org.apache.karaf.jaas.modules:3.0.0]
        at org.apache.karaf.shell.console.impl.jline.ConsoleFactoryService$3.run(ConsoleFactoryService.java:107)[47:org.apache.karaf.shell.console:3.0.0]

Paul Spencer



--
Jean-Baptiste Onofré
[email protected]
http://blog.nanthrax.net
Talend - http://www.talend.com

