karaf-dev mailing list archives

From Jean-Baptiste Onofré ...@nanthrax.net>
Subject Re: Limit access to (certain) system properties through JMX
Date Thu, 05 Jan 2017 11:39:01 GMT
Hi Zoran,

the answer is probably the RBAC/ACL but it's all or nothing in terms of 
granularity.

As a workaround, you can create your own MBean filtering the properties 
and then secure it as you want using the RBAC.

Regards
JB

On 01/05/2017 12:30 PM, Zoran Regvart wrote:
> Hi Karafers,
> I'm trying to build support for masked or encrypted system properties
> for bundles running in Karaf. So for instance instead of specifying
> -Djavax.net.ssl.trustStorePassword=my_secret_password you could
> specify -Djavax.net.ssl.trustStorePassword=<something masked>.
>
> And the only way to make this work for unmodified bundles is to
> replace the <something masked> value with the clear text value. That
> part I think I nicked.
>
> Now I face another problem, if one connects via JMX the clear text
> value is present there, and I would like it not to be present, by
> either displaying it with original masked value or by eliminating it
> from the list of system properties.
>
> I've tried adding dynamic RBAC configuration that limits access to
> java.lang:type=Runtime getSystemProperties -- but that removes all
> system properties, bit of an overkill IMHO.
>
> Can you think of another way to achieve this? Perhaps add another
> layer to the RBAC mechanism, akin to @PostFilter in Spring Security
> but as a plugin interface contributing bundles can implement?
>
> I also think it's a bit of an overkill to patch java.lang.System via
> bootclasspath
>
> zoran
>

-- 
Jean-Baptiste Onofré
jbonofre@apache.org
http://blog.nanthrax.net
Talend - http://www.talend.com
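
A sketch of the workaround suggested in the reply above, as an added example that is not part of the original thread or of Karaf's code: a read-only MBean that returns a masked copy of the system properties, so that RBAC can deny `getSystemProperties` on `java.lang:type=Runtime` while still allowing this view. The class name, the `View` interface, the ObjectName, the mask string and the lists of sensitive names are assumptions made for illustration.

```java
import java.lang.management.ManagementFactory;
import java.util.Arrays;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.TreeMap;
import javax.management.MBeanServer;
import javax.management.ObjectName;
import javax.management.StandardMBean;

public class FilteredSystemProperties {

    /** Management interface: a single read-only attribute, "SystemProperties". */
    public interface View {
        Map<String, String> getSystemProperties();
    }

    // Assumption: exact property names whose values must never be exposed.
    static final List<String> EXACT = Arrays.asList(
            "javax.net.ssl.trustStorePassword", "javax.net.ssl.keyStorePassword");
    // Assumption: case-insensitive name fragments that also mark a secret.
    static final List<String> FRAGMENTS = Arrays.asList("password", "secret");

    static boolean isSensitive(String name) {
        String lower = name.toLowerCase(Locale.ROOT);
        return EXACT.contains(name) || FRAGMENTS.stream().anyMatch(lower::contains);
    }

    /** Copies the properties, replacing every sensitive value with a fixed mask. */
    static Map<String, String> filtered() {
        Map<String, String> out = new TreeMap<>();
        for (String name : System.getProperties().stringPropertyNames()) {
            out.put(name, isSensitive(name) ? "********" : System.getProperty(name));
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample value standing in for the unmasked secret.
        System.setProperty("javax.net.ssl.trustStorePassword", "constructed-sample-value");
        // Hypothetical ObjectName; the RBAC rule for this view would be keyed on it.
        ObjectName name = new ObjectName("org.example.security:type=FilteredSystemProperties");
        MBeanServer server = ManagementFactory.getPlatformMBeanServer();
        View impl = FilteredSystemProperties::filtered;
        server.registerMBean(new StandardMBean(impl, View.class), name);
        // Read the attribute the way a JMX client would; the secret comes back masked.
        Map<?, ?> seen = (Map<?, ?>) server.getAttribute(name, "SystemProperties");
        System.out.println(seen.get("javax.net.ssl.trustStorePassword"));
    }
}
```

The filter matches on property names only, so a secret stored under a name that is not on either list is returned in clear text; an allow-list of names that may be shown is the stricter variant.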
