This tutorial explains how to configure the OSGi administrative functions to use specific roles for authorization. By configuring each of the administrative functions to use a different role for access, you can provide fine grained control over who can monitor and manipulate running containers.
When LDAP is enabled, the OSGi container expects the user role data to be stored along
with the user authentication data in the LDAP directory server. The LDAP search query to
extract the role data is specified by the role.* properties in the
jaas:module element.
The JAAS LDAP login module used in this tutorial, shown in
Example 8.1, is configured to extract the role
name from the cn property of all entries selected by the filter
member=uid=%u which is run on the tree selected using the base DN
uo=roles,ou=system. In Adding groups for the roles, you
added three groups to the uo=roles,ou=system tree. The filter will match with
any group that has a member specified by uid=%u.
For example, when you attempted to connect to the remote console as user
jdoe the filter searched for a group with a member
uid=jdoe and matched on the group cn=admin,uo=roles,ou=system.
The LDAP module extracted the cn property's value of admin
and used it as the role for authorizing user jdoe.
You will change the role used for each of the administrative functions:
Before you can perform any of the following tutorials, you must ensure that the ApacheDS server is running.
To configure a role for the remote console:
1. Open ESBInstallDir/etc/org.apache.karaf.shell.cfg in a text editor.
2. Add the following line:
   sshRole=sshConsole
3. Save the changes.
4. Start Fuse ESB by entering the following command in a terminal window:
   >servicemix
5. Open a new command prompt.
6. Change directory to the Fuse ESB install directory.
7. Enter the following command to log on to the running container instance using the identity janedoe:
   client -u janedoe -p secret
   You should successfully log into the container's remote console because janedoe does have the sshConsole role.
To configure a role for JMX access:
1. Open ESBInstallDir/etc/org.apache.karaf.management.cfg in a text editor.
2. Add the following line:
   jmxRole=jmxUser
3. Save the changes.
4. Start Fuse ESB by entering the following command in a terminal window:
   >servicemix
5. Start JConsole or another JMX console.
6. Connect to Fuse ESB's JMX server using the following settings:
   JMX URL: service:jmx:rmi://localhost:44444/jndi/rmi://localhost:1099/karaf-root
   User: jdoe
   Password: secret
   The connection will fail because user jdoe does not have the jmxUser role.
7. Connect to Fuse ESB's JMX server using the following settings:
   JMX URL: service:jmx:rmi://localhost:44444/jndi/rmi://localhost:1099/karaf-root
   User: crider
   Password: secret
   The connection will succeed because user crider does have the jmxUser role.
To configure a role for the Web console:
1. If the file ESBInstallDir/etc/org.apache.karaf.webconsole.cfg does not exist, create it. If the file does exist, open it in a text editor.
2. Edit the line containing role= to read role=webconsole. The configuration should resemble Example 8.2.

   Example 8.2. Web console configuration for a specific realm
   <config name="org.apache.karaf.webconsole">
   realm=karaf
   role=webconsole
   </config>

3. Start Fuse ESB by entering the following command in a terminal window:
   >servicemix
4. Enable the Web console feature by entering the following command at the Fuse ESB console prompt:
   karaf@root>features:install webconsole
5. Open a Web browser.
6. Navigate to http://localhost:8181/system/console.
7. You will be prompted to enter user credentials. Log in using the following credentials:
   User: janedoe
   Password: secret
   You will be logged into the Web console because janedoe has the role webconsole.
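The following is an added example, not code from the Fuse ESB documentation or the Karaf project: a stand-alone model of how the LDAP login module turns the member=uid=%u filter under uo=roles,ou=system into role names, and how the remote console, JMX and Web console then each demand the role named in their own .cfg file. The group entries and the file contents are constructed to reproduce the outcomes of the three procedures above (jdoe, janedoe and crider); the "ssh", "jmx" and "web" labels and the function names are assumptions made for this example.

```python
# Added example (not from the Fuse ESB docs): models the LDAP role lookup
# (role.filter member=uid=%u under uo=roles,ou=system, role name = cn) and the
# per-protocol role check each edited .cfg file enables. Data is constructed.
ROLE_BASE_DN = "uo=roles,ou=system"
ROLE_FILTER = "member=uid=%u"  # %u is replaced with the authenticated user id

# Constructed entries under the role base DN: group DN -> attributes.
LDAP_ROLE_TREE = {
    f"cn=admin,{ROLE_BASE_DN}":      {"cn": "admin",      "member": ["uid=jdoe"]},
    f"cn=sshConsole,{ROLE_BASE_DN}": {"cn": "sshConsole", "member": ["uid=janedoe"]},
    f"cn=jmxUser,{ROLE_BASE_DN}":    {"cn": "jmxUser",    "member": ["uid=crider"]},
    f"cn=webconsole,{ROLE_BASE_DN}": {"cn": "webconsole", "member": ["uid=janedoe"]},
}

# Contents of the three .cfg files after the tutorial's edits.
CONFIG_FILES = {
    "org.apache.karaf.shell.cfg":      "sshRole=sshConsole\n",
    "org.apache.karaf.management.cfg": "jmxRole=jmxUser\n",
    "org.apache.karaf.webconsole.cfg": "realm=karaf\nrole=webconsole\n",
}

# Which file and key each administrative function takes its role from (assumed labels).
ROLE_SOURCE = {
    "ssh": ("org.apache.karaf.shell.cfg", "sshRole"),
    "jmx": ("org.apache.karaf.management.cfg", "jmxRole"),
    "web": ("org.apache.karaf.webconsole.cfg", "role"),
}

def parse_cfg(text):
    """Parse key=value lines of a Karaf .cfg file, skipping blanks and # comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def lookup_roles(uid):
    """Substitute %u into the filter and return the cn of every matching group."""
    attr, wanted = ROLE_FILTER.replace("%u", uid).split("=", 1)
    return {e["cn"] for e in LDAP_ROLE_TREE.values() if wanted in e.get(attr, [])}

def required_role(function):
    """Read the role an administrative function demands from its .cfg file."""
    cfg_file, key = ROLE_SOURCE[function]
    return parse_cfg(CONFIG_FILES[cfg_file])[key]

def authorize(uid, function):
    """True only when the user's LDAP-derived roles include the configured role."""
    return required_role(function) in lookup_roles(uid)
```

Running authorize("jdoe", "jmx") returns False while authorize("crider", "jmx") returns True, matching the JConsole results above; changing a single role= value in CONFIG_FILES is enough to lock every user out of that protocol, which is why the role name in each .cfg file must match a group cn exactly.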
For more information on configuring the Fuse ESB LDAP login module see Enabling LDAP Authentication.
For more information on configuring the Fuse ESB administrative functions see Configuring Roles for the Administrative Protocols.