Console role based access control and command completion

classic Classic list List threaded Threaded
4 messages Options
Reply | Threaded
Open this post in threaded view
|

Console role based access control and command completion

tomq42
If I'm logged on to the console as user, the list of commands I can execute is controlled by access control lists.
So, if I'm logged on as a user who has only got the "viewer" role, then I can't shut karaf down, the system:shutdown command requires the "admin" role.

Great.

However, I still appear to be able to get command completion that system:shutdown is a command, but when I try and invoke it I get "Command not found: system:shutdown", which seems confusing.

Is this intentional? I saw a comment in the code somewhere (lost it now) that made me think that the intention was that only commands I can actually invoke are then put in the completion list, and indeed that would seem like reasonable behaviour.
Reply | Threaded
Open this post in threaded view
|

Re: Console role based access control and command completion

jbonofre
Hi Tom,

We don't use the ACL in the completers, only on the action step. That's why you
can complete but not execute.

Regards
JB

On 08/31/2017 12:35 PM, [hidden email] wrote:
> If I'm logged on to the console as user, the list of commands I can execute is controlled by access control lists.
> So, if I'm logged on as a user who has only got the "viewer" role, then I can't shut karaf down, the system:shutdown command requires the "admin" role.
>
> Great.
>
> However, I still appear to be able to get command completion that system:shutdown is a command, but when I try and invoke it I get "Command not found: system:shutdown", which seems confusing.
>
> Is this intentional? I saw a comment in the code somewhere (lost it now) that made me think that the intention was that only commands I can actually invoke are then put in the completion list, and indeed that would seem like reasonable behaviour.
>

--
Jean-Baptiste Onofré
[hidden email]
http://blog.nanthrax.net
Talend - http://www.talend.com
Reply | Threaded
Open this post in threaded view
|

Re: Console role based access control and command completion

tomq42
Hmm, OK.
There's a comment somewhere that implies that someone had at least at some point tried doing that or thought that was what happened.

It leads to *slightly* odd behaviour, of being told that a command exists, but then being told, "oh wait, not it doesn't".

Thanks anyway.

> On 31 August 2017 at 13:02 Jean-Baptiste Onofré <[hidden email]> wrote:
>
>
> Hi Tom,
>
> We don't use the ACL in the completers, only on the action step. That's why you
> can complete but not execute.
>
> Regards
> JB
>
> On 08/31/2017 12:35 PM, [hidden email] wrote:
> > If I'm logged on to the console as user, the list of commands I can execute is controlled by access control lists.
> > So, if I'm logged on as a user who has only got the "viewer" role, then I can't shut karaf down, the system:shutdown command requires the "admin" role.
> >
> > Great.
> >
> > However, I still appear to be able to get command completion that system:shutdown is a command, but when I try and invoke it I get "Command not found: system:shutdown", which seems confusing.
> >
> > Is this intentional? I saw a comment in the code somewhere (lost it now) that made me think that the intention was that only commands I can actually invoke are then put in the completion list, and indeed that would seem like reasonable behaviour.
> >
>
> --
> Jean-Baptiste Onofré
> [hidden email]
> http://blog.nanthrax.net
> Talend - http://www.talend.com
Reply | Threaded
Open this post in threaded view
|

Re: Console role based access control and command completion

jbonofre
Yeah, however, I think it could be painful to check the ACL for each completer.

Let me take a look anyway.

Regards
JB

On 08/31/2017 02:25 PM, [hidden email] wrote:

> Hmm, OK.
> There's a comment somewhere that implies that someone had at least at some point tried doing that or thought that was what happened.
>
> It leads to *slightly* odd behaviour, of being told that a command exists, but then being told, "oh wait, not it doesn't".
>
> Thanks anyway.
>
>> On 31 August 2017 at 13:02 Jean-Baptiste Onofré <[hidden email]> wrote:
>>
>>
>> Hi Tom,
>>
>> We don't use the ACL in the completers, only on the action step. That's why you
>> can complete but not execute.
>>
>> Regards
>> JB
>>
>> On 08/31/2017 12:35 PM, [hidden email] wrote:
>>> If I'm logged on to the console as user, the list of commands I can execute is controlled by access control lists.
>>> So, if I'm logged on as a user who has only got the "viewer" role, then I can't shut karaf down, the system:shutdown command requires the "admin" role.
>>>
>>> Great.
>>>
>>> However, I still appear to be able to get command completion that system:shutdown is a command, but when I try and invoke it I get "Command not found: system:shutdown", which seems confusing.
>>>
>>> Is this intentional? I saw a comment in the code somewhere (lost it now) that made me think that the intention was that only commands I can actually invoke are then put in the completion list, and indeed that would seem like reasonable behaviour.
>>>
>>
>> --
>> Jean-Baptiste Onofré
>> [hidden email]
>> http://blog.nanthrax.net
>> Talend - http://www.talend.com

--
Jean-Baptiste Onofré
[hidden email]
http://blog.nanthrax.net
Talend - http://www.talend.com