Hi Paul,

This could be an omission on my part. When I worked on the command security I didn't really focus on the client command, but mainly worked with the bin/karaf command and SSH access.
I can look into this. Would you like to file a bug for it?

In the meantime, if you need the bin/client command to access Karaf, you can use it with the shell commands RBAC disabled. You can disable it by commenting out the following line in etc/system.properties:

  karaf.secured.services = (&(osgi.command.scope=*)(osgi.command.function=*))

Cheers,

David

On 15 January 2014 12:54, Paul Spencer <pau...@apache.org> wrote:
> JB,
> I have seen the error with other commands while developing a bundle, although
> I focused on the bundle:uninstall.
>
> In addition to connecting to Karaf with ssh, the use case succeeds when
> connecting with bin/karaf.
>
> Paul Spencer
> On Jan 15, 2014, at 7:15 AM, Jean-Baptiste Onofré <j...@nanthrax.net> wrote:
>
>> Let me try to reproduce the issue using bin/client. It's weird as bin/client
>> is a ssh client, so it's basically the same as ssh.
>>
>> Did you see the issue with other commands?
>>
>> I think that the ACL can be enhanced: instead of checking the -f option, it
>> should check the bundle level. It's not so easy as bundle:uninstall accepts
>> bundle ID, bundle name, etc.
>>
>> Regards
>> JB
>>
>> On 01/15/2014 12:45 PM, Paul Spencer wrote:
>>> JB,
>>> If I connect to Karaf via SSH, the use case works, but if I connect via
>>> bin/client the use case fails.
>>>
>>> Why does the command uninstall without -f generate the log message “Current
>>> user does not have required roles ([manager]) for service” when connected
>>> to Karaf via bin/client?
>>>
>>>
>>> ***
>>> * Role definition in etc/system.properties
>>> ***
>>> sparrow-2:apache-karaf-3.0.0 paul$ grep local etc/system.properties
>>> # Roles to use when logging into a local Karaf console.
>>> karaf.local.roles = admin,manager,viewer
>>> sparrow-2:apache-karaf-3.0.0 paul$
>>>
>>> ***
>>> * Log of connecting to Karaf via SSH then bin/client
>>> ***
>>> sparrow-2:apache-karaf-3.0.0 paul$ ssh karaf@127.0.0.1 -p 8101
>>> Authenticated with partial success.
>>> Authenticated with partial success.
>>> Password authentication
>>> Password:
>>> __ __ ____
>>> / //_/____ __________ _/ __/
>>> / ,< / __ `/ ___/ __ `/ /_
>>> / /| |/ /_/ / / / /_/ / __/
>>> /_/ |_|\__,_/_/ \__,_/_/
>>>
>>> Apache Karaf (3.0.0)
>>>
>>> Hit '<tab>' for a list of available commands
>>> and '[cmd] --help' for help on a specific command.
>>> Hit 'system:shutdown' to shutdown Karaf.
>>> Hit '<ctrl-d>' or type 'logout' to disconnect shell from current session.
>>>
>>> karaf@root()> list
>>> START LEVEL 100 , List Threshold: 50
>>> ID | State | Lvl | Version | Name
>>> ----------------------------------------------------------------------
>>> 80 | Installed | 100 | 1.0.0.SNAPSHOT | APMS/EWM SAP File Distribution
>>> karaf@root()> uninstall 80
>>> karaf@root()> install mvn:com.intekon.customer.kc.ewm.web-service/ewm-sap-dist/1.0-SNAPSHOT
>>> Bundle ID: 81
>>> karaf@root()> uninstall 81
>>> karaf@root()> logout
>>> Connection to 127.0.0.1 closed.
>>> sparrow-2:apache-karaf-3.0.0 paul$ bin/client
>>> Logging in as karaf
>>> 566 [pool-2-thread-2] WARN
>>> org.apache.sshd.client.keyverifier.AcceptAllServerKeyVerifier - Server at
>>> /0.0.0.0:8101 presented unverified key:
>>> __ __ ____
>>> / //_/____ __________ _/ __/
>>> / ,< / __ `/ ___/ __ `/ /_
>>> / /| |/ /_/ / / / /_/ / __/
>>> /_/ |_|\__,_/_/ \__,_/_/
>>>
>>> Apache Karaf (3.0.0)
>>>
>>> Hit '<tab>' for a list of available commands
>>> and '[cmd] --help' for help on a specific command.
>>> Hit 'system:shutdown' to shutdown Karaf.
>>> Hit '<ctrl-d>' or type 'logout' to disconnect shell from current session.
>>>
>>> karaf@root()> install mvn:com.intekon.customer.kc.ewm.web-service/ewm-sap-dist/1.0-SNAPSHOT
>>> Bundle ID: 82
>>> karaf@root()> uninstall 82
>>> Error executing command: Insufficient credentials.
>>> karaf@root()> list
>>> START LEVEL 100 , List Threshold: 50
>>> ID | State | Lvl | Version | Name
>>> ----------------------------------------------------------------------
>>> 82 | Installed | 80 | 1.0.0.SNAPSHOT | APMS/EWM SAP File Distribution
>>> karaf@root()> logout
>>> sparrow-2:apache-karaf-3.0.0 paul$
>>>
>>> ***
>>> * From data/log/karaf.log
>>> ***
>>> 2014-01-15 06:34:25,902 | INFO | e ssh user karaf | GuardProxyCatalog
>>> | 42 - org.apache.karaf.service.guard - 3.0.0 | Current user does
>>> not have required roles ([manager]) for service
>>> [org.apache.karaf.shell.console.CompletableFunction,
>>> org.apache.karaf.shell.console.commands.BlueprintCommand,
>>> org.apache.karaf.shell.commands.CommandWithAction,
>>> org.apache.felix.service.command.Function,
>>> org.apache.karaf.shell.commands.basic.AbstractCommand] method public
>>> java.lang.Object
>>> org.apache.karaf.shell.commands.basic.AbstractCommand.execute(org.apache.felix.service.command.CommandSession,java.util.List)
>>> throws java.lang.Exception and/or arguments
>>> 2014-01-15 06:34:25,902 | ERROR | e ssh user karaf | ShellUtil
>>> | 47 - org.apache.karaf.shell.console - 3.0.0 | Exception caught
>>> while executing command
>>> java.lang.SecurityException: Insufficient credentials.
>>> at org.apache.karaf.service.guard.impl.GuardProxyCatalog$ProxyInvocationListener.preInvoke(GuardProxyCatalog.java:527)
>>> at org.apache.aries.proxy.impl.ProxyHandler$1.invoke(ProxyHandler.java:52)
>>> at org.apache.aries.proxy.impl.ProxyHandler.invoke(ProxyHandler.java:119)
>>> at org.apache.karaf.shell.console.commands.$BlueprintCommand1069614474.execute(Unknown Source)[47:org.apache.karaf.shell.console:3.0.0]
>>> at org.apache.felix.gogo.runtime.CommandProxy.execute(CommandProxy.java:78)[47:org.apache.karaf.shell.console:3.0.0]
>>> at org.apache.felix.gogo.runtime.Closure.executeCmd(Closure.java:477)[47:org.apache.karaf.shell.console:3.0.0]
>>> at org.apache.felix.gogo.runtime.Closure.executeStatement(Closure.java:403)[47:org.apache.karaf.shell.console:3.0.0]
>>> at org.apache.felix.gogo.runtime.Pipe.run(Pipe.java:108)[47:org.apache.karaf.shell.console:3.0.0]
>>> at org.apache.felix.gogo.runtime.Closure.execute(Closure.java:183)[47:org.apache.karaf.shell.console:3.0.0]
>>> at org.apache.felix.gogo.runtime.Closure.execute(Closure.java:120)[47:org.apache.karaf.shell.console:3.0.0]
>>> at org.apache.felix.gogo.runtime.CommandSessionImpl.execute(CommandSessionImpl.java:89)
>>> at org.apache.karaf.shell.console.impl.jline.ConsoleImpl$DelegateSession.execute(ConsoleImpl.java:497)
>>> at org.apache.karaf.shell.console.impl.jline.ConsoleImpl.run(ConsoleImpl.java:198)
>>> at java.lang.Thread.run(Thread.java:724)[:1.7.0_25]
>>> at org.apache.karaf.shell.console.impl.jline.ConsoleFactoryService$3.doRun(ConsoleFactoryService.java:118)[47:org.apache.karaf.shell.console:3.0.0]
>>> at org.apache.karaf.shell.console.impl.jline.ConsoleFactoryService$3$1.run(ConsoleFactoryService.java:109)
>>> at java.security.AccessController.doPrivileged(Native Method)[:1.7.0_25]
>>> at org.apache.karaf.jaas.modules.JaasHelper.doAs(JaasHelper.java:47)[48:org.apache.karaf.jaas.modules:3.0.0]
>>> at org.apache.karaf.shell.console.impl.jline.ConsoleFactoryService$3.run(ConsoleFactoryService.java:107)[47:org.apache.karaf.shell.console:3.0.0]
>>>
>>>
>>> On Jan 15, 2014, at 12:37 AM, Jean-Baptiste Onofré <j...@nanthrax.net>
>>> wrote:
>>>
>>>> Hi Paul,
>>>>
>>>> it's not a regression: command, services, and JMX security don't exist at
>>>> all in 2.3.x, it's a new feature from 3.0.0.
>>>>
>>>> The local roles are defined in etc/system.properties:
>>>>
>>>> karaf.local.roles = admin,manager,viewer
>>>>
>>>> It's the roles used by the "local" console. When you use remote console
>>>> (via ssh), Karaf uses the role of the user.
>>>>
>>>> If you take a look on etc/org.apache.karaf.command.acl.bundle.cfg, you can
>>>> see:
>>>>
>>>> uninstall[/.*[-][f].*/] = admin
>>>> uninstall = manager
>>>>
>>>> If you are manager, you can use uninstall for non system bundle (with
>>>> start level greater than 80, so without requiring the -f option). To
>>>> uninstall system bundle, you have to be admin (who can use the -f option
>>>> for system bundle).
>>>>
>>>> Regards
>>>> JB
>>>>
>>>> On 01/14/2014 10:34 PM, Paul Spencer wrote:
>>>>> JB,
>>>>> - The use case is successful in 2.3.x, so this sounds like a regression
>>>>> issue.
>>>>>
>>>>> - Per etc/system.properties, the local user has admin and manage roles.
>>>>>
>>>>> karaf@root()> jaas:realm-manage --index 1
>>>>> karaf@root()> jaas:user-list
>>>>> User Name | Group | Role
>>>>> --------------------------------
>>>>> karaf | admingroup | admin
>>>>> karaf | admingroup | manager
>>>>> karaf | admingroup | viewer
>>>>> karaf@root()>
>>>>>
>>>>>
>>>>> - The way I am reading etc/org.apache.karaf.command.acl.bundle.cfg, a
>>>>> user in the admin group can “install” a bundle and needs to be in the
>>>>> manager group to “uninstall” without the “-f” option.
>>>>>
>>>>> karaf@root()> bundle:uninstall 79
>>>>> Error executing command: Insufficient credentials.
>>>>> karaf@root()> bundle:uninstall -f 79
>>>>> karaf@root()>
>>>>>
>>>>> So why is the “bundle:uninstall” command failing when the local user has
>>>>> the manager role?
>>>>>
>>>>> Paul Spencer
>>>>>
>>>>>
>>>>>
>>>>> On Jan 14, 2014, at 2:29 PM, Jean-Baptiste Onofré <j...@nanthrax.net>
>>>>> wrote:
>>>>>
>>>>>> Hi Paul,
>>>>>>
>>>>>> take a look in the documentation:
>>>>>>
>>>>>> http://karaf.apache.org/manual/latest/users-guide/security.html
>>>>>>
>>>>>> in the console section.
>>>>>>
>>>>>> You will find the explanations about
>>>>>> etc/org.apache.karaf.command.acl.<scope>.cfg files.
>>>>>>
>>>>>> Regards
>>>>>> JB
>>>>>>
>>>>>> On 01/14/2014 07:14 PM, Paul Spencer wrote:
>>>>>>> Karaf 3.0.0 running on Apple OSX Maverick (10.9.1)
>>>>>>>
>>>>>>> I am getting a "java.lang.SecurityException: Insufficient credentials.”
>>>>>>> error when executing various commands on a newly installed Karaf 3.0.0.
>>>>>>> The use case below is for uninstalling a bundle.
>>>>>>>
>>>>>>> Is there a configuration change I need to make?
>>>>>>>
>>>>>>> ***
>>>>>>> * Use case
>>>>>>> ***
>>>>>>> 1) Unzip the distribution
>>>>>>> 2) Start the Karaf server with bin/start
>>>>>>> 3) Tail the log file until the JMX OSGi Agent is finished registering
>>>>>>> objects (about 30 seconds)
>>>>>>> 4) Start the Karaf client with bin/client
>>>>>>> 5) Install a bundle
>>>>>>> 6) Uninstall the newly installed bundle
>>>>>>>
>>>>>>>
>>>>>>> ***
>>>>>>> * Command output
>>>>>>> ***
>>>>>>> karaf@root()> install mvn:com.intekon.customer.kc.ewm.web-service/ewm-sap-dist/1.0-SNAPSHOT
>>>>>>> Bundle ID: 79
>>>>>>> karaf@root()> uninstall 79
>>>>>>> Error executing command: Insufficient credentials.
>>>>>>> karaf@root()>
>>>>>>>
>>>>>>>
>>>>>>> ***
>>>>>>> * From karaf.log (I can post the full 28K log if necessary)
>>>>>>> ***
>>>>>>> 2014-01-14 12:50:07,960 | INFO | e ssh user karaf | GuardProxyCatalog
>>>>>>> | 42 - org.apache.karaf.service.guard - 3.0.0 | Current
>>>>>>> user does not have required roles ([manager]) for service
>>>>>>> [org.apache.karaf.shell.console.CompletableFunction,
>>>>>>> org.apache.karaf.shell.console.commands.BlueprintCommand,
>>>>>>> org.apache.karaf.shell.commands.CommandWithAction,
>>>>>>> org.apache.felix.service.command.Function,
>>>>>>> org.apache.karaf.shell.commands.basic.AbstractCommand] method public
>>>>>>> java.lang.Object
>>>>>>> org.apache.karaf.shell.commands.basic.AbstractCommand.execute(org.apache.felix.service.command.CommandSession,java.util.List)
>>>>>>> throws java.lang.Exception and/or arguments
>>>>>>> 2014-01-14 12:50:07,960 | ERROR | e ssh user karaf | ShellUtil
>>>>>>> | 47 - org.apache.karaf.shell.console - 3.0.0 | Exception
>>>>>>> caught while executing command
>>>>>>> java.lang.SecurityException: Insufficient credentials.
>>>>>>> at org.apache.karaf.service.guard.impl.GuardProxyCatalog$ProxyInvocationListener.preInvoke(GuardProxyCatalog.java:527)
>>>>>>> at org.apache.aries.proxy.impl.ProxyHandler$1.invoke(ProxyHandler.java:52)
>>>>>>> at org.apache.aries.proxy.impl.ProxyHandler.invoke(ProxyHandler.java:119)
>>>>>>> at org.apache.karaf.shell.console.commands.$BlueprintCommand474733692.execute(Unknown Source)[47:org.apache.karaf.shell.console:3.0.0]
>>>>>>> at org.apache.felix.gogo.runtime.CommandProxy.execute(CommandProxy.java:78)[47:org.apache.karaf.shell.console:3.0.0]
>>>>>>> at org.apache.felix.gogo.runtime.Closure.executeCmd(Closure.java:477)[47:org.apache.karaf.shell.console:3.0.0]
>>>>>>> at org.apache.felix.gogo.runtime.Closure.executeStatement(Closure.java:403)[47:org.apache.karaf.shell.console:3.0.0]
>>>>>>> at org.apache.felix.gogo.runtime.Pipe.run(Pipe.java:108)[47:org.apache.karaf.shell.console:3.0.0]
>>>>>>> at org.apache.felix.gogo.runtime.Closure.execute(Closure.java:183)[47:org.apache.karaf.shell.console:3.0.0]
>>>>>>> at org.apache.felix.gogo.runtime.Closure.execute(Closure.java:120)[47:org.apache.karaf.shell.console:3.0.0]
>>>>>>> at org.apache.felix.gogo.runtime.CommandSessionImpl.execute(CommandSessionImpl.java:89)
>>>>>>> at org.apache.karaf.shell.console.impl.jline.ConsoleImpl$DelegateSession.execute(ConsoleImpl.java:497)
>>>>>>> at org.apache.karaf.shell.console.impl.jline.ConsoleImpl.run(ConsoleImpl.java:198)
>>>>>>> at java.lang.Thread.run(Thread.java:724)[:1.7.0_25]
>>>>>>> at org.apache.karaf.shell.console.impl.jline.ConsoleFactoryService$3.doRun(ConsoleFactoryService.java:118)[47:org.apache.karaf.shell.console:3.0.0]
>>>>>>> at org.apache.karaf.shell.console.impl.jline.ConsoleFactoryService$3$1.run(ConsoleFactoryService.java:109)
>>>>>>> at java.security.AccessController.doPrivileged(Native Method)[:1.7.0_25]
>>>>>>> at org.apache.karaf.jaas.modules.JaasHelper.doAs(JaasHelper.java:47)[48:org.apache.karaf.jaas.modules:3.0.0]
>>>>>>> at org.apache.karaf.shell.console.impl.jline.ConsoleFactoryService$3.run(ConsoleFactoryService.java:107)[47:org.apache.karaf.shell.console:3.0.0]
>>>>>>>
>>>>>>> Paul Spencer
>>>>>>>
>>>>>>>
>>>>>>
>>>>>> --
>>>>>> Jean-Baptiste Onofré
>>>>>> jbono...@apache.org
>>>>>> http://blog.nanthrax.net
>>>>>> Talend - http://www.talend.com
>>>>>
>>>>
>>>> --
>>>> Jean-Baptiste Onofré
>>>> jbono...@apache.org
>>>> http://blog.nanthrax.net
>>>> Talend - http://www.talend.com
>>>
>>
>> --
>> Jean-Baptiste Onofré
>> jbono...@apache.org
>> http://blog.nanthrax.net
>> Talend - http://www.talend.com
>