-
Notifications
You must be signed in to change notification settings - Fork 660
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
KARAF-5014: consider first group role in users.properties and ignore empty roles #1863
base: main
Are you sure you want to change the base?
Conversation
Hi @stataru8 , thank you for picking up this issue. Why do you propose "when a group is created using jaas commands, add an empty role by default"? Is this because there is no role which could be assigned during creation? Is it not possible to have an empty group? Regards |
I think @stataru8 meant add empty password for role (as a role doesn't have password). A group can be empty without problem though. |
@@ -52,14 +52,13 @@ public void addUser(String username, String password) { | |||
if (username.startsWith(GROUP_PREFIX)) | |||
throw new IllegalArgumentException("Prefix not permitted: " + GROUP_PREFIX); | |||
|
|||
addUserInternal(username, password); | |||
addUserInternal(username, encryptionSupport.encrypt(password)); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why forcing encryption here ? It's an optional feature.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I just moved this call from its original location in addUserInternal
:
Line 62 in e9b9c97
String encPassword = encryptionSupport.encrypt(password); |
The call is only needed when adding a user and shouldn't be made when adding a group:
Line 262 in c01d0bc
addUserInternal(groupName, ""); // groups don't have password |
""
, which with the defaults, results in {CRYPT}ABC...{CRYPT}
. After jaas:group-add karaf newGrup
,jaas:user-list
will return
User Name | Group | Role
----------+---------+-------------------------------------------------------------------------------
karaf | newGrup | {CRYPT}ABC...{CRYPT}
Maybe at this point, we should create another addUserInternal
with just the username
as an argument: private void addUserInternal(String username)
, or another function just for groups...
if (role.equals(rp.getName())) { | ||
return; | ||
|
||
// groups don't have password and empty should be ignored |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
A group can be empty (no role, no group, no user).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
My original comment was a bit misleading, what I meant is:
- If a user info is empty, we shouldn't replace
""
byrole
, or elserole
becomes the user's password. - If a group info is empty, we should replace
""
byrole
.
dac3692
to
c01d0bc
Compare
Hello @AndreVirtimo, as far as I know, we have two commands that allow us to create groups:
In both cases, there is no mandatory argument for the role. Today, the role/password |
c01d0bc
to
a30ea9d
Compare
Sorry for the delay in the review/comment. I want to provide some context. The idea of the first "role" in a group definition, it's not actually a role but just a "prefix" ( That's why be default, in
You can see that I agree it's confusing (including the documentation), but if we "change" to remove the prefix, it means that |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can you please update default etc/users.properties
to remove group
as it's not actually a role ?
I just realized that karaf/jaas/modules/src/main/java/org/apache/karaf/jaas/modules/publickey/PublickeyBackingEngine.java Line 273 in a8d9901
Let me know if is that's too much for this PR or out of scope. If all these changes are too risky, just making the documentation clearer about the "prefix flag" is also an option... |
a30ea9d
to
5bef795
Compare
@stataru8 yes, historically, we use this "flag" in all group/role definition (users, keys, ...). So, we can consider this as a breaking change for users (if we remove the group prefix).
|
I don't think we need a flag in the value. Because we already have g in the key. So I am in favor of a change. I think the risk is low. If users don't migrate their configuration, they get an additional role “group”, which shouldn't hurt. |
@AndreVirtimo i agree. However this PR should be completed to keys file. |
I'll try to commit the changes for |
https://issues.apache.org/jira/browse/KARAF-5014
This issue is quite old and only affects those who directly modify the
users
file. I'm not sure if it is still relevant, or if the current behaviour should be considered acceptable.Current behaviour:
jaas
commands, the password/rolegroup
is added by defaultProposal:
jaas
commands, add password/role""
by default, leaving the group information empty