David,
1) I see JB will file a bug for this issue.
2) The workaround is working for me.

Paul Spencer

On Jan 16, 2014, at 3:43 AM, David Bosschaert <[email protected]> wrote:

> Hi Paul,
>
> This could be an omission on my part. When I worked on the command
> security I didn't really focus on the client command, but mainly
> worked with the bin/karaf command and SSH access.
>
> I can look into this. Would you like to file a bug for it?
>
> In the meantime, if you need the bin/client command to access Karaf,
> you can use it with the shell commands RBAC disabled. You can disable
> it by commenting out the following line in etc/system.properties:
> karaf.secured.services = (&(osgi.command.scope=*)(osgi.command.function=*))
>
> Cheers,
>
> David
>
> On 15 January 2014 12:54, Paul Spencer <[email protected]> wrote:
>> JB,
>> I have seen the error with other commands while developing a bundle,
>> although I focused on the bundle:uninstall.
>>
>> In addition to connecting to Karaf with ssh, the use case succeeds when
>> connecting with bin/karaf.
>>
>> Paul Spencer
>> On Jan 15, 2014, at 7:15 AM, Jean-Baptiste Onofré <[email protected]> wrote:
>>
>>> Let me try to reproduce the issue using bin/client. It's weird as
>>> bin/client is an ssh client, so it's basically the same as ssh.
>>>
>>> Did you see the issue with other commands?
>>>
>>> I think that the ACL can be enhanced: instead of checking the -f option, it
>>> should check the bundle level. It's not so easy as bundle:uninstall accepts
>>> bundle ID, bundle name, etc.
>>>
>>> Regards
>>> JB
>>>
>>> On 01/15/2014 12:45 PM, Paul Spencer wrote:
>>>> JB,
>>>> If I connect to Karaf via SSH, the use case works, but if I connect via
>>>> bin/client the use case fails.
>>>>
>>>> Why does the command uninstall without -f generate the log message
>>>> “Current user does not have required roles ([manager]) for service” when
>>>> connected to Karaf via bin/client?
>>>>
>>>> ***
>>>> * Role definition in etc/system.properties
>>>> ***
>>>> sparrow-2:apache-karaf-3.0.0 paul$ grep local etc/system.properties
>>>> # Roles to use when logging into a local Karaf console.
>>>> karaf.local.roles = admin,manager,viewer
>>>> sparrow-2:apache-karaf-3.0.0 paul$
>>>>
>>>> ***
>>>> * Log of connecting to Karaf via SSH then bin/client
>>>> ***
>>>> sparrow-2:apache-karaf-3.0.0 paul$ ssh [email protected] -p 8101
>>>> Authenticated with partial success.
>>>> Authenticated with partial success.
>>>> Password authentication
>>>> Password:
>>>>         __ __                  ____
>>>>        / //_/____ __________ _/ __/
>>>>       / ,<  / __ `/ ___/ __ `/ /_
>>>>      / /| |/ /_/ / /  / /_/ / __/
>>>>     /_/ |_|\__,_/_/   \__,_/_/
>>>>
>>>>   Apache Karaf (3.0.0)
>>>>
>>>> Hit '<tab>' for a list of available commands
>>>> and '[cmd] --help' for help on a specific command.
>>>> Hit 'system:shutdown' to shutdown Karaf.
>>>> Hit '<ctrl-d>' or type 'logout' to disconnect shell from current session.
>>>>
>>>> karaf@root()> list
>>>> START LEVEL 100 , List Threshold: 50
>>>> ID | State | Lvl | Version | Name
>>>> ----------------------------------------------------------------------
>>>> 80 | Installed | 100 | 1.0.0.SNAPSHOT | APMS/EWM SAP File Distribution
>>>> karaf@root()> uninstall 80
>>>> karaf@root()> install mvn:com.intekon.customer.kc.ewm.web-service/ewm-sap-dist/1.0-SNAPSHOT
>>>> Bundle ID: 81
>>>> karaf@root()> uninstall 81
>>>> karaf@root()> logout
>>>> Connection to 127.0.0.1 closed.
>>>> sparrow-2:apache-karaf-3.0.0 paul$ bin/client
>>>> Logging in as karaf
>>>> 566 [pool-2-thread-2] WARN org.apache.sshd.client.keyverifier.AcceptAllServerKeyVerifier - Server at /0.0.0.0:8101 presented unverified key:
>>>>         __ __                  ____
>>>>        / //_/____ __________ _/ __/
>>>>       / ,<  / __ `/ ___/ __ `/ /_
>>>>      / /| |/ /_/ / /  / /_/ / __/
>>>>     /_/ |_|\__,_/_/   \__,_/_/
>>>>
>>>>   Apache Karaf (3.0.0)
>>>>
>>>> Hit '<tab>' for a list of available commands
>>>> and '[cmd] --help' for help on a specific command.
>>>> Hit 'system:shutdown' to shutdown Karaf.
>>>> Hit '<ctrl-d>' or type 'logout' to disconnect shell from current session.
>>>>
>>>> karaf@root()> install mvn:com.intekon.customer.kc.ewm.web-service/ewm-sap-dist/1.0-SNAPSHOT
>>>> Bundle ID: 82
>>>> karaf@root()> uninstall 82
>>>> Error executing command: Insufficient credentials.
>>>> karaf@root()> list
>>>> START LEVEL 100 , List Threshold: 50
>>>> ID | State | Lvl | Version | Name
>>>> ----------------------------------------------------------------------
>>>> 82 | Installed | 80 | 1.0.0.SNAPSHOT | APMS/EWM SAP File Distribution
>>>> karaf@root()> logout
>>>> sparrow-2:apache-karaf-3.0.0 paul$
>>>>
>>>> ***
>>>> * From data/log/karaf.log
>>>> ***
>>>> 2014-01-15 06:34:25,902 | INFO | e ssh user karaf | GuardProxyCatalog | 42 - org.apache.karaf.service.guard - 3.0.0 | Current user does not have required roles ([manager]) for service [org.apache.karaf.shell.console.CompletableFunction, org.apache.karaf.shell.console.commands.BlueprintCommand, org.apache.karaf.shell.commands.CommandWithAction, org.apache.felix.service.command.Function, org.apache.karaf.shell.commands.basic.AbstractCommand] method public java.lang.Object org.apache.karaf.shell.commands.basic.AbstractCommand.execute(org.apache.felix.service.command.CommandSession,java.util.List) throws java.lang.Exception and/or arguments
>>>> 2014-01-15 06:34:25,902 | ERROR | e ssh user karaf | ShellUtil | 47 - org.apache.karaf.shell.console - 3.0.0 | Exception caught while executing command
>>>> java.lang.SecurityException: Insufficient credentials.
>>>>     at org.apache.karaf.service.guard.impl.GuardProxyCatalog$ProxyInvocationListener.preInvoke(GuardProxyCatalog.java:527)
>>>>     at org.apache.aries.proxy.impl.ProxyHandler$1.invoke(ProxyHandler.java:52)
>>>>     at org.apache.aries.proxy.impl.ProxyHandler.invoke(ProxyHandler.java:119)
>>>>     at org.apache.karaf.shell.console.commands.$BlueprintCommand1069614474.execute(Unknown Source)[47:org.apache.karaf.shell.console:3.0.0]
>>>>     at org.apache.felix.gogo.runtime.CommandProxy.execute(CommandProxy.java:78)[47:org.apache.karaf.shell.console:3.0.0]
>>>>     at org.apache.felix.gogo.runtime.Closure.executeCmd(Closure.java:477)[47:org.apache.karaf.shell.console:3.0.0]
>>>>     at org.apache.felix.gogo.runtime.Closure.executeStatement(Closure.java:403)[47:org.apache.karaf.shell.console:3.0.0]
>>>>     at org.apache.felix.gogo.runtime.Pipe.run(Pipe.java:108)[47:org.apache.karaf.shell.console:3.0.0]
>>>>     at org.apache.felix.gogo.runtime.Closure.execute(Closure.java:183)[47:org.apache.karaf.shell.console:3.0.0]
>>>>     at org.apache.felix.gogo.runtime.Closure.execute(Closure.java:120)[47:org.apache.karaf.shell.console:3.0.0]
>>>>     at org.apache.felix.gogo.runtime.CommandSessionImpl.execute(CommandSessionImpl.java:89)
>>>>     at org.apache.karaf.shell.console.impl.jline.ConsoleImpl$DelegateSession.execute(ConsoleImpl.java:497)
>>>>     at org.apache.karaf.shell.console.impl.jline.ConsoleImpl.run(ConsoleImpl.java:198)
>>>>     at java.lang.Thread.run(Thread.java:724)[:1.7.0_25]
>>>>     at org.apache.karaf.shell.console.impl.jline.ConsoleFactoryService$3.doRun(ConsoleFactoryService.java:118)[47:org.apache.karaf.shell.console:3.0.0]
>>>>     at org.apache.karaf.shell.console.impl.jline.ConsoleFactoryService$3$1.run(ConsoleFactoryService.java:109)
>>>>     at java.security.AccessController.doPrivileged(Native Method)[:1.7.0_25]
>>>>     at org.apache.karaf.jaas.modules.JaasHelper.doAs(JaasHelper.java:47)[48:org.apache.karaf.jaas.modules:3.0.0]
>>>>     at org.apache.karaf.shell.console.impl.jline.ConsoleFactoryService$3.run(ConsoleFactoryService.java:107)[47:org.apache.karaf.shell.console:3.0.0]
>>>>
>>>>
>>>> On Jan 15, 2014, at 12:37 AM, Jean-Baptiste Onofré <[email protected]> wrote:
>>>>
>>>>> Hi Paul,
>>>>>
>>>>> it's not a regression: command, services, and JMX security don't exist at
>>>>> all in 2.3.x, it's a new feature from 3.0.0.
>>>>>
>>>>> The local roles are defined in etc/system.properties:
>>>>>
>>>>> karaf.local.roles = admin,manager,viewer
>>>>>
>>>>> It's the roles used by the "local" console. When you use remote console
>>>>> (via ssh), Karaf uses the role of the user.
>>>>>
>>>>> If you take a look at etc/org.apache.karaf.command.acl.bundle.cfg, you
>>>>> can see:
>>>>>
>>>>> uninstall[/.*[-][f].*/] = admin
>>>>> uninstall = manager
>>>>>
>>>>> If you are manager, you can use uninstall for non system bundle (with
>>>>> start level greater than 80, so without requiring the -f option). To
>>>>> uninstall system bundle, you have to be admin (who can use the -f option
>>>>> for system bundle).
>>>>>
>>>>> Regards
>>>>> JB
>>>>>
>>>>> On 01/14/2014 10:34 PM, Paul Spencer wrote:
>>>>>> JB,
>>>>>> - The use case is successful in 2.3.x, so this sounds like a regression
>>>>>> issue.
>>>>>>
>>>>>> - Per etc/system.properties, the local user has admin and manager roles.
>>>>>>
>>>>>> karaf@root()> jaas:realm-manage --index 1
>>>>>> karaf@root()> jaas:user-list
>>>>>> User Name | Group | Role
>>>>>> --------------------------------
>>>>>> karaf | admingroup | admin
>>>>>> karaf | admingroup | manager
>>>>>> karaf | admingroup | viewer
>>>>>> karaf@root()>
>>>>>>
>>>>>>
>>>>>> - The way I am reading etc/org.apache.karaf.command.acl.bundle.cfg, a
>>>>>> user in the admin group can “install” a bundle and needs to be in the
>>>>>> manager group to “uninstall” without the “-f” option.
>>>>>>
>>>>>> karaf@root()> bundle:uninstall 79
>>>>>> Error executing command: Insufficient credentials.
>>>>>> karaf@root()> bundle:uninstall -f 79
>>>>>> karaf@root()>
>>>>>>
>>>>>> So why is the “bundle:uninstall” command failing when the local user has
>>>>>> the manager role?
>>>>>>
>>>>>> Paul Spencer
>>>>>>
>>>>>>
>>>>>>
>>>>>> On Jan 14, 2014, at 2:29 PM, Jean-Baptiste Onofré <[email protected]> wrote:
>>>>>>
>>>>>>> Hi Paul,
>>>>>>>
>>>>>>> take a look in the documentation:
>>>>>>>
>>>>>>> http://karaf.apache.org/manual/latest/users-guide/security.html
>>>>>>>
>>>>>>> in the console section.
>>>>>>>
>>>>>>> You will find the explanations about
>>>>>>> etc/org.apache.karaf.command.acl.<scope>.cfg files.
>>>>>>>
>>>>>>> Regards
>>>>>>> JB
>>>>>>>
>>>>>>> On 01/14/2014 07:14 PM, Paul Spencer wrote:
>>>>>>>> Karaf 3.0.0 running on Apple OSX Maverick (10.9.1)
>>>>>>>>
>>>>>>>> I am getting a "java.lang.SecurityException: Insufficient
>>>>>>>> credentials.” error when executing various commands on a newly
>>>>>>>> installed Karaf 3.0.0. The use case below is for uninstalling a
>>>>>>>> bundle.
>>>>>>>>
>>>>>>>> Is there a configuration change I need to make?
>>>>>>>>
>>>>>>>> ***
>>>>>>>> * Use case
>>>>>>>> ***
>>>>>>>> 1) unzipped the distribution
>>>>>>>> 2) Start the Karaf server with bin/start
>>>>>>>> 3) Tail the log file until the JMX OSGi Agent is finished registering
>>>>>>>> objects (about 30 seconds)
>>>>>>>> 4) Start the Karaf client with bin/client
>>>>>>>> 5) Install a bundle
>>>>>>>> 6) Uninstall the newly installed bundle
>>>>>>>>
>>>>>>>>
>>>>>>>> ***
>>>>>>>> * Command output
>>>>>>>> ***
>>>>>>>> karaf@root()> install mvn:com.intekon.customer.kc.ewm.web-service/ewm-sap-dist/1.0-SNAPSHOT
>>>>>>>> Bundle ID: 79
>>>>>>>> karaf@root()> uninstall 79
>>>>>>>> Error executing command: Insufficient credentials.
>>>>>>>> karaf@root()>
>>>>>>>>
>>>>>>>>
>>>>>>>> ***
>>>>>>>> * From karaf.log (I can post the full 28K log if necessary)
>>>>>>>> ***
>>>>>>>> 2014-01-14 12:50:07,960 | INFO | e ssh user karaf | GuardProxyCatalog | 42 - org.apache.karaf.service.guard - 3.0.0 | Current user does not have required roles ([manager]) for service [org.apache.karaf.shell.console.CompletableFunction, org.apache.karaf.shell.console.commands.BlueprintCommand, org.apache.karaf.shell.commands.CommandWithAction, org.apache.felix.service.command.Function, org.apache.karaf.shell.commands.basic.AbstractCommand] method public java.lang.Object org.apache.karaf.shell.commands.basic.AbstractCommand.execute(org.apache.felix.service.command.CommandSession,java.util.List) throws java.lang.Exception and/or arguments
>>>>>>>> 2014-01-14 12:50:07,960 | ERROR | e ssh user karaf | ShellUtil | 47 - org.apache.karaf.shell.console - 3.0.0 | Exception caught while executing command
>>>>>>>> java.lang.SecurityException: Insufficient credentials.
>>>>>>>>     at org.apache.karaf.service.guard.impl.GuardProxyCatalog$ProxyInvocationListener.preInvoke(GuardProxyCatalog.java:527)
>>>>>>>>     at org.apache.aries.proxy.impl.ProxyHandler$1.invoke(ProxyHandler.java:52)
>>>>>>>>     at org.apache.aries.proxy.impl.ProxyHandler.invoke(ProxyHandler.java:119)
>>>>>>>>     at org.apache.karaf.shell.console.commands.$BlueprintCommand474733692.execute(Unknown Source)[47:org.apache.karaf.shell.console:3.0.0]
>>>>>>>>     at org.apache.felix.gogo.runtime.CommandProxy.execute(CommandProxy.java:78)[47:org.apache.karaf.shell.console:3.0.0]
>>>>>>>>     at org.apache.felix.gogo.runtime.Closure.executeCmd(Closure.java:477)[47:org.apache.karaf.shell.console:3.0.0]
>>>>>>>>     at org.apache.felix.gogo.runtime.Closure.executeStatement(Closure.java:403)[47:org.apache.karaf.shell.console:3.0.0]
>>>>>>>>     at org.apache.felix.gogo.runtime.Pipe.run(Pipe.java:108)[47:org.apache.karaf.shell.console:3.0.0]
>>>>>>>>     at org.apache.felix.gogo.runtime.Closure.execute(Closure.java:183)[47:org.apache.karaf.shell.console:3.0.0]
>>>>>>>>     at org.apache.felix.gogo.runtime.Closure.execute(Closure.java:120)[47:org.apache.karaf.shell.console:3.0.0]
>>>>>>>>     at org.apache.felix.gogo.runtime.CommandSessionImpl.execute(CommandSessionImpl.java:89)
>>>>>>>>     at org.apache.karaf.shell.console.impl.jline.ConsoleImpl$DelegateSession.execute(ConsoleImpl.java:497)
>>>>>>>>     at org.apache.karaf.shell.console.impl.jline.ConsoleImpl.run(ConsoleImpl.java:198)
>>>>>>>>     at java.lang.Thread.run(Thread.java:724)[:1.7.0_25]
>>>>>>>>     at org.apache.karaf.shell.console.impl.jline.ConsoleFactoryService$3.doRun(ConsoleFactoryService.java:118)[47:org.apache.karaf.shell.console:3.0.0]
>>>>>>>>     at org.apache.karaf.shell.console.impl.jline.ConsoleFactoryService$3$1.run(ConsoleFactoryService.java:109)
>>>>>>>>     at java.security.AccessController.doPrivileged(Native Method)[:1.7.0_25]
>>>>>>>>     at org.apache.karaf.jaas.modules.JaasHelper.doAs(JaasHelper.java:47)[48:org.apache.karaf.jaas.modules:3.0.0]
>>>>>>>>     at org.apache.karaf.shell.console.impl.jline.ConsoleFactoryService$3.run(ConsoleFactoryService.java:107)[47:org.apache.karaf.shell.console:3.0.0]
>>>>>>>>
>>>>>>>> Paul Spencer
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> Jean-Baptiste Onofré
>>>>>>> [email protected]
>>>>>>> http://blog.nanthrax.net
>>>>>>> Talend - http://www.talend.com
>>>>>>
>>>>>
>>>>> --
>>>>> Jean-Baptiste Onofré
>>>>> [email protected]
>>>>> http://blog.nanthrax.net
>>>>> Talend - http://www.talend.com
>>>>
>>>
>>> --
>>> Jean-Baptiste Onofré
>>> [email protected]
>>> http://blog.nanthrax.net
>>> Talend - http://www.talend.com
>>
