KARAF-5014: consider first group role in users.properties and ignore empty roles #1863
Conversation
|
Hi @stataru8 , thank you for picking up this issue. Why do you propose "when a group is created using jaas commands, add an empty role by default"? Is this because there is no role which could be assigned during creation? Is it not possible to have an empty group? Regards |
|
I think @stataru8 meant add empty password for role (as a role doesn't have password). A group can be empty without problem though. |
| @@ -52,14 +52,13 @@ public void addUser(String username, String password) { | |||
| if (username.startsWith(GROUP_PREFIX)) | |||
| throw new IllegalArgumentException("Prefix not permitted: " + GROUP_PREFIX); | |||
|
|
|||
| addUserInternal(username, password); | |||
| addUserInternal(username, encryptionSupport.encrypt(password)); | |||
There was a problem hiding this comment.
Why forcing encryption here ? It's an optional feature.
There was a problem hiding this comment.
I just moved this call from its original location in addUserInternal:
The call is only needed when adding a user and shouldn't be made when adding a group:
"", which with the defaults, results in {CRYPT}ABC...{CRYPT}. After jaas:group-add karaf newGrup,jaas:user-list will return
User Name | Group | Role
----------+---------+-------------------------------------------------------------------------------
karaf | newGrup | {CRYPT}ABC...{CRYPT}
Maybe at this point, we should create another addUserInternal with just the username as an argument: private void addUserInternal(String username), or another function just for groups...
| if (role.equals(rp.getName())) { | ||
| return; | ||
|
|
||
| // groups don't have password and empty should be ignored |
There was a problem hiding this comment.
A group can be empty (no role, no group, no user).
There was a problem hiding this comment.
My original comment was a bit misleading, what I meant is:
- If a user info is empty, we shouldn't replace
""byrole, or elserolebecomes the user's password. - If a group info is empty, we should replace
""byrole.
stataru8
force-pushed
the
stataru/fix/KARAF-5014
branch
2 times, most recently
from
dac3692
to
c01d0bc
Compare
|
Hello @AndreVirtimo, as far as I know, we have two commands that allow us to create groups:
In both cases, there is no mandatory argument for the role. Today, the role/password |
stataru8
force-pushed
the
stataru/fix/KARAF-5014
branch
from
c01d0bc
to
a30ea9d
Compare
|
Sorry for the delay in the review/comment. I want to provide some context. The idea of the first "role" in a group definition, it's not actually a role but just a "prefix" ( That's why be default, in You can see that I agree it's confusing (including the documentation), but if we "change" to remove the prefix, it means that |
|
I just realized that Let me know if is that's too much for this PR or out of scope. If all these changes are too risky, just making the documentation clearer about the "prefix flag" is also an option... |
stataru8
force-pushed
the
stataru/fix/KARAF-5014
branch
from
a30ea9d
to
5bef795
Compare
|
@stataru8 yes, historically, we use this "flag" in all group/role definition (users, keys, ...). So, we can consider this as a breaking change for users (if we remove the group prefix).
|
https://issues.apache.org/jira/browse/KARAF-5014
This issue is quite old and only affects those who directly modify the
usersfile. I'm not sure if it is still relevant, or if the current behaviour should be considered acceptable.Current behaviour:
jaascommands, the password/rolegroupis added by defaultProposal:
jaascommands, add password/role""by default, leaving the group information empty