I do not see a JIRA entry for this bug. 1) Has this bug been resolved? 2) What is the JIRA Entry?
Paul Spencer

On Jan 16, 2014, at 8:34 PM, Paul Spencer <[email protected]> wrote:
> David,
>
> 1) I see JB will file a bug for this issue.
>
> 2) The workaround is working for me.
>
> Paul Spencer
>
> On Jan 16, 2014, at 3:43 AM, David Bosschaert <[email protected]>
> wrote:
>
>> Hi Paul,
>>
>> This could be an omission on my part. When I worked on the command
>> security I didn't really focus on the client command, but mainly
>> worked with the bin/karaf command and SSH access.
>>
>> I can look into this. Would you like to file a bug for it?
>>
>> In the meantime, if you need the bin/client command to access Karaf,
>> you can use it with the shell commands RBAC disabled. You can disable
>> it by commenting out the following line in etc/system.properties:
>> karaf.secured.services = (&(osgi.command.scope=*)(osgi.command.function=*))
>>
>> Cheers,
>>
>> David
>>
>> On 15 January 2014 12:54, Paul Spencer <[email protected]> wrote:
>>> JB,
>>> I have seen the error with other commands while developing a bundle,
>>> although I focused on the bundle:uninstall.
>>>
>>> In addition to connecting to Karaf with ssh, the use case succeeds when
>>> connecting with bin/karaf.
>>>
>>> Paul Spencer
>>> On Jan 15, 2014, at 7:15 AM, Jean-Baptiste Onofré <[email protected]> wrote:
>>>
>>>> Let me try to reproduce the issue using bin/client. It's weird as
>>>> bin/client is a ssh client, so it's basically the same as ssh.
>>>>
>>>> Did you see the issue with other commands?
>>>>
>>>> I think that the ACL can be enhanced: instead of checking the -f option,
>>>> it should check the bundle level. It's not so easy as bundle:uninstall
>>>> accepts bundle ID, bundle name, etc.
>>>>
>>>> Regards
>>>> JB
>>>>
>>>> On 01/15/2014 12:45 PM, Paul Spencer wrote:
>>>>> JB,
>>>>> If I connect to Karaf via SSH, the use case works, but if I connect via
>>>>> bin/client the use case fails.
>>>>>
>>>>> Why does the command uninstall without -f generate the log message
>>>>> “Current user does not have required roles ([manager]) for service” when
>>>>> connected to Karaf via bin/client?
>>>>>
>>>>>
>>>>> ***
>>>>> * Role definition in etc/system.properties
>>>>> ***
>>>>> sparrow-2:apache-karaf-3.0.0 paul$ grep local etc/system.properties
>>>>> # Roles to use when logging into a local Karaf console.
>>>>> karaf.local.roles = admin,manager,viewer
>>>>> sparrow-2:apache-karaf-3.0.0 paul$
>>>>>
>>>>> ***
>>>>> * Log of connecting to Karaf via SSH then bin/client
>>>>> ***
>>>>> sparrow-2:apache-karaf-3.0.0 paul$ ssh [email protected] -p 8101
>>>>> Authenticated with partial success.
>>>>> Authenticated with partial success.
>>>>> Password authentication
>>>>> Password:
>>>>>         __ __                  ____
>>>>>        / //_/____ __________ _/ __/
>>>>>       / ,<  / __ `/ ___/ __ `/ /_
>>>>>      / /| |/ /_/ / /  / /_/ / __/
>>>>>     /_/ |_|\__,_/_/   \__,_/_/
>>>>>
>>>>>   Apache Karaf (3.0.0)
>>>>>
>>>>> Hit '<tab>' for a list of available commands
>>>>> and '[cmd] --help' for help on a specific command.
>>>>> Hit 'system:shutdown' to shutdown Karaf.
>>>>> Hit '<ctrl-d>' or type 'logout' to disconnect shell from current session.
>>>>>
>>>>> karaf@root()> list
>>>>> START LEVEL 100 , List Threshold: 50
>>>>> ID | State | Lvl | Version | Name
>>>>> ----------------------------------------------------------------------
>>>>> 80 | Installed | 100 | 1.0.0.SNAPSHOT | APMS/EWM SAP File Distribution
>>>>> karaf@root()> uninstall 80
>>>>> karaf@root()> install mvn:com.intekon.customer.kc.ewm.web-service/ewm-sap-dist/1.0-SNAPSHOT
>>>>> Bundle ID: 81
>>>>> karaf@root()> uninstall 81
>>>>> karaf@root()> logout
>>>>> Connection to 127.0.0.1 closed.
>>>>> sparrow-2:apache-karaf-3.0.0 paul$ bin/client
>>>>> Logging in as karaf
>>>>> 566 [pool-2-thread-2] WARN
>>>>> org.apache.sshd.client.keyverifier.AcceptAllServerKeyVerifier - Server at
>>>>> /0.0.0.0:8101 presented unverified key:
>>>>>         __ __                  ____
>>>>>        / //_/____ __________ _/ __/
>>>>>       / ,<  / __ `/ ___/ __ `/ /_
>>>>>      / /| |/ /_/ / /  / /_/ / __/
>>>>>     /_/ |_|\__,_/_/   \__,_/_/
>>>>>
>>>>>   Apache Karaf (3.0.0)
>>>>>
>>>>> Hit '<tab>' for a list of available commands
>>>>> and '[cmd] --help' for help on a specific command.
>>>>> Hit 'system:shutdown' to shutdown Karaf.
>>>>> Hit '<ctrl-d>' or type 'logout' to disconnect shell from current session.
>>>>>
>>>>> karaf@root()> install mvn:com.intekon.customer.kc.ewm.web-service/ewm-sap-dist/1.0-SNAPSHOT
>>>>> Bundle ID: 82
>>>>> karaf@root()> uninstall 82
>>>>> Error executing command: Insufficient credentials.
>>>>> karaf@root()> list
>>>>> START LEVEL 100 , List Threshold: 50
>>>>> ID | State | Lvl | Version | Name
>>>>> ----------------------------------------------------------------------
>>>>> 82 | Installed | 80 | 1.0.0.SNAPSHOT | APMS/EWM SAP File Distribution
>>>>> karaf@root()> logout
>>>>> sparrow-2:apache-karaf-3.0.0 paul$
>>>>>
>>>>> ***
>>>>> * From data/log/karaf.log
>>>>> ***
>>>>> 2014-01-15 06:34:25,902 | INFO | e ssh user karaf | GuardProxyCatalog
>>>>> | 42 - org.apache.karaf.service.guard - 3.0.0 | Current user
>>>>> does not have required roles ([manager]) for service
>>>>> [org.apache.karaf.shell.console.CompletableFunction,
>>>>> org.apache.karaf.shell.console.commands.BlueprintCommand,
>>>>> org.apache.karaf.shell.commands.CommandWithAction,
>>>>> org.apache.felix.service.command.Function,
>>>>> org.apache.karaf.shell.commands.basic.AbstractCommand] method public
>>>>> java.lang.Object
>>>>> org.apache.karaf.shell.commands.basic.AbstractCommand.execute(org.apache.felix.service.command.CommandSession,java.util.List)
>>>>> throws java.lang.Exception and/or arguments
>>>>> 2014-01-15 06:34:25,902 | ERROR | e ssh user karaf | ShellUtil
>>>>> | 47 - org.apache.karaf.shell.console - 3.0.0 | Exception
>>>>> caught while executing command
>>>>> java.lang.SecurityException: Insufficient credentials.
>>>>>     at org.apache.karaf.service.guard.impl.GuardProxyCatalog$ProxyInvocationListener.preInvoke(GuardProxyCatalog.java:527)
>>>>>     at org.apache.aries.proxy.impl.ProxyHandler$1.invoke(ProxyHandler.java:52)
>>>>>     at org.apache.aries.proxy.impl.ProxyHandler.invoke(ProxyHandler.java:119)
>>>>>     at org.apache.karaf.shell.console.commands.$BlueprintCommand1069614474.execute(Unknown Source)[47:org.apache.karaf.shell.console:3.0.0]
>>>>>     at org.apache.felix.gogo.runtime.CommandProxy.execute(CommandProxy.java:78)[47:org.apache.karaf.shell.console:3.0.0]
>>>>>     at org.apache.felix.gogo.runtime.Closure.executeCmd(Closure.java:477)[47:org.apache.karaf.shell.console:3.0.0]
>>>>>     at org.apache.felix.gogo.runtime.Closure.executeStatement(Closure.java:403)[47:org.apache.karaf.shell.console:3.0.0]
>>>>>     at org.apache.felix.gogo.runtime.Pipe.run(Pipe.java:108)[47:org.apache.karaf.shell.console:3.0.0]
>>>>>     at org.apache.felix.gogo.runtime.Closure.execute(Closure.java:183)[47:org.apache.karaf.shell.console:3.0.0]
>>>>>     at org.apache.felix.gogo.runtime.Closure.execute(Closure.java:120)[47:org.apache.karaf.shell.console:3.0.0]
>>>>>     at org.apache.felix.gogo.runtime.CommandSessionImpl.execute(CommandSessionImpl.java:89)
>>>>>     at org.apache.karaf.shell.console.impl.jline.ConsoleImpl$DelegateSession.execute(ConsoleImpl.java:497)
>>>>>     at org.apache.karaf.shell.console.impl.jline.ConsoleImpl.run(ConsoleImpl.java:198)
>>>>>     at java.lang.Thread.run(Thread.java:724)[:1.7.0_25]
>>>>>     at org.apache.karaf.shell.console.impl.jline.ConsoleFactoryService$3.doRun(ConsoleFactoryService.java:118)[47:org.apache.karaf.shell.console:3.0.0]
>>>>>     at org.apache.karaf.shell.console.impl.jline.ConsoleFactoryService$3$1.run(ConsoleFactoryService.java:109)
>>>>>     at java.security.AccessController.doPrivileged(Native Method)[:1.7.0_25]
>>>>>     at org.apache.karaf.jaas.modules.JaasHelper.doAs(JaasHelper.java:47)[48:org.apache.karaf.jaas.modules:3.0.0]
>>>>>     at org.apache.karaf.shell.console.impl.jline.ConsoleFactoryService$3.run(ConsoleFactoryService.java:107)[47:org.apache.karaf.shell.console:3.0.0]
>>>>>
>>>>>
>>>>> On Jan 15, 2014, at 12:37 AM, Jean-Baptiste Onofré <[email protected]>
>>>>> wrote:
>>>>>
>>>>>> Hi Paul,
>>>>>>
>>>>>> it's not a regression: command, services, and JMX security don't exist
>>>>>> at all in 2.3.x, it's a new feature from 3.0.0.
>>>>>>
>>>>>> The local roles are defined in etc/system.properties:
>>>>>>
>>>>>> karaf.local.roles = admin,manager,viewer
>>>>>>
>>>>>> It's the roles used by the "local" console. When you use remote console
>>>>>> (via ssh), Karaf uses the role of the user.
>>>>>>
>>>>>> If you take a look at etc/org.apache.karaf.command.acl.bundle.cfg, you
>>>>>> can see:
>>>>>>
>>>>>> uninstall[/.*[-][f].*/] = admin
>>>>>> uninstall = manager
>>>>>>
>>>>>> If you are manager, you can use uninstall for non system bundle (with
>>>>>> start level greater than 80, so without requiring the -f option). To
>>>>>> uninstall system bundle, you have to be admin (who can use the -f option
>>>>>> for system bundle).
>>>>>>
>>>>>> Regards
>>>>>> JB
>>>>>>
>>>>>> On 01/14/2014 10:34 PM, Paul Spencer wrote:
>>>>>>> JB,
>>>>>>> - The use case is successful in 2.3.x, so this sounds like a regression
>>>>>>> issue.
>>>>>>>
>>>>>>> - Per etc/system.properties, the local user has admin and manager roles.
>>>>>>>
>>>>>>> karaf@root()> jaas:realm-manage --index 1
>>>>>>> karaf@root()> jaas:user-list
>>>>>>> User Name | Group | Role
>>>>>>> --------------------------------
>>>>>>> karaf | admingroup | admin
>>>>>>> karaf | admingroup | manager
>>>>>>> karaf | admingroup | viewer
>>>>>>> karaf@root()>
>>>>>>>
>>>>>>>
>>>>>>> - The way I am reading etc/org.apache.karaf.command.acl.bundle.cfg, a
>>>>>>> user in the admin group can “install” a bundle and needs to be in the
>>>>>>> manager group to “uninstall” without the “-f” option.
>>>>>>>
>>>>>>> karaf@root()> bundle:uninstall 79
>>>>>>> Error executing command: Insufficient credentials.
>>>>>>> karaf@root()> bundle:uninstall -f 79
>>>>>>> karaf@root()>
>>>>>>>
>>>>>>> So why is the “bundle:uninstall” command failing when the local user
>>>>>>> has the manager role?
>>>>>>>
>>>>>>> Paul Spencer
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On Jan 14, 2014, at 2:29 PM, Jean-Baptiste Onofré <[email protected]>
>>>>>>> wrote:
>>>>>>>
>>>>>>>> Hi Paul,
>>>>>>>>
>>>>>>>> take a look in the documentation:
>>>>>>>>
>>>>>>>> http://karaf.apache.org/manual/latest/users-guide/security.html
>>>>>>>>
>>>>>>>> in the console section.
>>>>>>>>
>>>>>>>> You will find the explanations about
>>>>>>>> etc/org.apache.karaf.command.acl.<scope>.cfg files.
>>>>>>>>
>>>>>>>> Regards
>>>>>>>> JB
>>>>>>>>
>>>>>>>> On 01/14/2014 07:14 PM, Paul Spencer wrote:
>>>>>>>>> Karaf 3.0.0 running on Apple OSX Maverick (10.9.1)
>>>>>>>>>
>>>>>>>>> I am getting a "java.lang.SecurityException: Insufficient
>>>>>>>>> credentials.” error when executing various commands on a newly
>>>>>>>>> installed Karaf 3.0.0. The use case below is for uninstalling a
>>>>>>>>> bundle.
>>>>>>>>>
>>>>>>>>> Is there a configuration change I need to make?
>>>>>>>>>
>>>>>>>>> ***
>>>>>>>>> * Use case
>>>>>>>>> ***
>>>>>>>>> 1) unzipped the distribution
>>>>>>>>> 2) Start the Karaf server with bin/start
>>>>>>>>> 3) Tail the log file until the JMX OSGi Agent is finished registering
>>>>>>>>> objects (about 30 seconds)
>>>>>>>>> 4) Start the Karaf client with bin/client
>>>>>>>>> 5) Install a bundle
>>>>>>>>> 6) Uninstall the newly installed bundle
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> ***
>>>>>>>>> * Command output
>>>>>>>>> ***
>>>>>>>>> karaf@root()> install mvn:com.intekon.customer.kc.ewm.web-service/ewm-sap-dist/1.0-SNAPSHOT
>>>>>>>>> Bundle ID: 79
>>>>>>>>> karaf@root()> uninstall 79
>>>>>>>>> Error executing command: Insufficient credentials.
>>>>>>>>> karaf@root()>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> ***
>>>>>>>>> * From karaf.log (I can post the full 28K log if necessary)
>>>>>>>>> ***
>>>>>>>>> 2014-01-14 12:50:07,960 | INFO | e ssh user karaf |
>>>>>>>>> GuardProxyCatalog | 42 -
>>>>>>>>> org.apache.karaf.service.guard - 3.0.0 | Current user does not have
>>>>>>>>> required roles ([manager]) for service
>>>>>>>>> [org.apache.karaf.shell.console.CompletableFunction,
>>>>>>>>> org.apache.karaf.shell.console.commands.BlueprintCommand,
>>>>>>>>> org.apache.karaf.shell.commands.CommandWithAction,
>>>>>>>>> org.apache.felix.service.command.Function,
>>>>>>>>> org.apache.karaf.shell.commands.basic.AbstractCommand] method public
>>>>>>>>> java.lang.Object
>>>>>>>>> org.apache.karaf.shell.commands.basic.AbstractCommand.execute(org.apache.felix.service.command.CommandSession,java.util.List)
>>>>>>>>> throws java.lang.Exception and/or arguments
>>>>>>>>> 2014-01-14 12:50:07,960 | ERROR | e ssh user karaf | ShellUtil
>>>>>>>>> | 47 - org.apache.karaf.shell.console - 3.0.0 |
>>>>>>>>> Exception caught while executing command
>>>>>>>>> java.lang.SecurityException: Insufficient credentials.
>>>>>>>>>     at org.apache.karaf.service.guard.impl.GuardProxyCatalog$ProxyInvocationListener.preInvoke(GuardProxyCatalog.java:527)
>>>>>>>>>     at org.apache.aries.proxy.impl.ProxyHandler$1.invoke(ProxyHandler.java:52)
>>>>>>>>>     at org.apache.aries.proxy.impl.ProxyHandler.invoke(ProxyHandler.java:119)
>>>>>>>>>     at org.apache.karaf.shell.console.commands.$BlueprintCommand474733692.execute(Unknown Source)[47:org.apache.karaf.shell.console:3.0.0]
>>>>>>>>>     at org.apache.felix.gogo.runtime.CommandProxy.execute(CommandProxy.java:78)[47:org.apache.karaf.shell.console:3.0.0]
>>>>>>>>>     at org.apache.felix.gogo.runtime.Closure.executeCmd(Closure.java:477)[47:org.apache.karaf.shell.console:3.0.0]
>>>>>>>>>     at org.apache.felix.gogo.runtime.Closure.executeStatement(Closure.java:403)[47:org.apache.karaf.shell.console:3.0.0]
>>>>>>>>>     at org.apache.felix.gogo.runtime.Pipe.run(Pipe.java:108)[47:org.apache.karaf.shell.console:3.0.0]
>>>>>>>>>     at org.apache.felix.gogo.runtime.Closure.execute(Closure.java:183)[47:org.apache.karaf.shell.console:3.0.0]
>>>>>>>>>     at org.apache.felix.gogo.runtime.Closure.execute(Closure.java:120)[47:org.apache.karaf.shell.console:3.0.0]
>>>>>>>>>     at org.apache.felix.gogo.runtime.CommandSessionImpl.execute(CommandSessionImpl.java:89)
>>>>>>>>>     at org.apache.karaf.shell.console.impl.jline.ConsoleImpl$DelegateSession.execute(ConsoleImpl.java:497)
>>>>>>>>>     at org.apache.karaf.shell.console.impl.jline.ConsoleImpl.run(ConsoleImpl.java:198)
>>>>>>>>>     at java.lang.Thread.run(Thread.java:724)[:1.7.0_25]
>>>>>>>>>     at org.apache.karaf.shell.console.impl.jline.ConsoleFactoryService$3.doRun(ConsoleFactoryService.java:118)[47:org.apache.karaf.shell.console:3.0.0]
>>>>>>>>>     at org.apache.karaf.shell.console.impl.jline.ConsoleFactoryService$3$1.run(ConsoleFactoryService.java:109)
>>>>>>>>>     at java.security.AccessController.doPrivileged(Native Method)[:1.7.0_25]
>>>>>>>>>     at org.apache.karaf.jaas.modules.JaasHelper.doAs(JaasHelper.java:47)[48:org.apache.karaf.jaas.modules:3.0.0]
>>>>>>>>>     at org.apache.karaf.shell.console.impl.jline.ConsoleFactoryService$3.run(ConsoleFactoryService.java:107)[47:org.apache.karaf.shell.console:3.0.0]
>>>>>>>>>
>>>>>>>>> Paul Spencer
>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>> --
>>>>>>>> Jean-Baptiste Onofré
>>>>>>>> [email protected]
>>>>>>>> http://blog.nanthrax.net
>>>>>>>> Talend - http://www.talend.com
>>>>>>>
>>>>>>
>>>>>> --
>>>>>> Jean-Baptiste Onofré
>>>>>> [email protected]
>>>>>> http://blog.nanthrax.net
>>>>>> Talend - http://www.talend.com
>>>>>
>>>>
>>>> --
>>>> Jean-Baptiste Onofré
>>>> [email protected]
>>>> http://blog.nanthrax.net
>>>> Talend - http://www.talend.com
>>>
>
