8.5. Configuring Access to OSGi Administrative Functions
Overview
This tutorial explains how to configure the OSGi administrative functions to use specific roles for authorization. By configuring each of the administrative functions to use a different role for access, you can provide fine grained control over who can monitor and manipulate running containers.
When LDAP is enabled, the OSGi container expects the user role data to be stored along with the user authentication data in the LDAP directory server. The LDAP search query to extract the role data is specified by the role.* properties in the jaas:module element.
The JAAS LDAP login module used in this tutorial, shown in Example 8.1, “JAAS Realm for Standalone”, is configured to extract the role name from the cn property of all entries selected by the filter member=uid=%u, which is run on the tree selected using the base DN ou=roles,ou=system. In the section called “Adding groups for the roles”, you added three groups to the ou=roles,ou=system tree. The filter will match any group that has a member specified by uid=%u.
For example, when you attempted to connect to the remote console as user jdoe, the filter searched for a group with a member uid=jdoe and matched on the group cn=admin,ou=roles,ou=system. The LDAP module extracted the cn property's value of admin and used it as the role for authorizing user jdoe.
Note
The instructions in this section are applicable only to a standalone OSGi container. They do not apply to Fabric containers.
Goals
You will change the role used for each of the administrative functions:
Prerequisites
Before you can perform any of the following tutorials, you must ensure that the ApacheDS server is running.
Configure a role for the remote console
To configure a role for the remote console:
- Open InstallDir/etc/org.apache.karaf.shell.cfg in a text editor.
- Add the following line:
sshRole=sshConsole
- Save the changes.
- Start Red Hat JBoss A-MQ by entering the following command in a terminal window:
amq
- Open a new command prompt.
- Change directory to the JBoss A-MQ InstallDir/bin directory.
- Enter the following command to log on to the running container instance using the identity janedoe:
client -u janedoe -p secret
You should successfully log into the container's remote console because janedoe does have the sshConsole role.
Configure a role for JMX access
To configure a role for JMX access:
- Open InstallDir/etc/org.apache.karaf.management.cfg in a text editor.
- Add the following line:
jmxRole=jmxUser
- Save the changes.
- Start JBoss A-MQ by entering the following command in a terminal window:
amq
- Start JConsole or another JMX console.
- Connect to JBoss A-MQ's JMX server using the following settings:
  - JMX URL: service:jmx:rmi://localhost:44444/jndi/rmi://localhost:1099/karaf-root
  - User: jdoe
  - Password: secret
The connection will fail because the jdoe user does not have the jmxUser role.
Note
To test security, you must log on using the Remote process option (even though you are logging on to a JVM instance that is running on your local machine). If you log on using the Local process option, JConsole bypasses the authentication check.
- Connect to JBoss A-MQ's JMX server using the following settings:
  - JMX URL: service:jmx:rmi://localhost:44444/jndi/rmi://localhost:1099/karaf-root
  - User: crider
  - Password: secret
The connection will succeed because the crider user does have the jmxUser role.
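The following script is an added example, not part of this guide or of JBoss A-MQ itself. It simulates the two checks walked through above: the LDAP module's role lookup (filter member=uid=%u under base DN ou=roles,ou=system, role name taken from cn) and the per-function role settings sshRole and jmxRole. The group entries and the cfg contents are constructed stand-ins for the ApacheDS directory and the two Karaf configuration files.

```python
# Added example: simulates how the Karaf LDAP login module resolves roles with
# the filter "member=uid=%u" under ou=roles,ou=system, then applies the
# sshRole (org.apache.karaf.shell.cfg) and jmxRole (org.apache.karaf.management.cfg)
# settings. All directory entries and cfg text below are constructed for this example.

ROLE_BASE_DN = "ou=roles,ou=system"
ROLE_FILTER = "member=uid=%u"
ROLE_NAME_ATTR = "cn"

# Constructed stand-in for the three groups added under ou=roles,ou=system.
LDAP_GROUPS = {
    "cn=admin,ou=roles,ou=system": {"cn": "admin", "member": ["uid=jdoe"]},
    "cn=sshConsole,ou=roles,ou=system": {"cn": "sshConsole", "member": ["uid=janedoe"]},
    "cn=jmxUser,ou=roles,ou=system": {"cn": "jmxUser", "member": ["uid=crider"]},
}


def parse_cfg(text):
    """Minimal key=value parser for Karaf .cfg files; comments and blanks are skipped."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg


def roles_for_user(username, groups=LDAP_GROUPS):
    """Return the role names for username, mirroring the role.* search settings."""
    attr, _, wanted = ROLE_FILTER.partition("=")
    wanted = wanted.replace("%u", username)  # e.g. "uid=jdoe"
    return {
        entry[ROLE_NAME_ATTR]
        for dn, entry in groups.items()
        if dn.endswith(ROLE_BASE_DN) and wanted in entry.get(attr, [])
    }


def is_authorized(username, required_role):
    """True when the user's LDAP-derived roles include the role the function demands."""
    return required_role in roles_for_user(username)


SHELL_CFG = parse_cfg("sshRole=sshConsole\n")
MANAGEMENT_CFG = parse_cfg("jmxRole=jmxUser\n")

if __name__ == "__main__":
    for user in ("jdoe", "janedoe", "crider"):
        print(user, "ssh:", is_authorized(user, SHELL_CFG["sshRole"]),
              "jmx:", is_authorized(user, MANAGEMENT_CFG["jmxRole"]))
```

Running it reproduces the outcomes of the tutorial: janedoe passes the remote console check, jdoe (role admin) fails the JMX check, and crider passes it.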
More information
For more information on configuring the JBoss A-MQ LDAP login module see Section 2.2, “Enabling LDAP Authentication”.
For more information on configuring the JBoss A-MQ administrative functions see Section 2.3, “Configuring Roles for the Administrative Protocols”.