Return-Path: X-Original-To: archive-asf-public-internal@cust-asf2.ponee.io Delivered-To: archive-asf-public-internal@cust-asf2.ponee.io Received: from cust-asf.ponee.io (cust-asf.ponee.io [163.172.22.183]) by cust-asf2.ponee.io (Postfix) with ESMTP id BFAF0200CE1 for ; Thu, 31 Aug 2017 14:25:11 +0200 (CEST) Received: by cust-asf.ponee.io (Postfix) id BE11A16B06D; Thu, 31 Aug 2017 12:25:11 +0000 (UTC) Delivered-To: archive-asf-public@cust-asf.ponee.io Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by cust-asf.ponee.io (Postfix) with SMTP id 1049616B06B for ; Thu, 31 Aug 2017 14:25:10 +0200 (CEST) Received: (qmail 91539 invoked by uid 500); 31 Aug 2017 12:25:10 -0000 Mailing-List: contact user-help@karaf.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: user@karaf.apache.org Delivered-To: mailing list user@karaf.apache.org Received: (qmail 91529 invoked by uid 99); 31 Aug 2017 12:25:10 -0000 Received: from pnap-us-west-generic-nat.apache.org (HELO spamd1-us-west.apache.org) (209.188.14.142) by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 31 Aug 2017 12:25:10 +0000 Received: from localhost (localhost [127.0.0.1]) by spamd1-us-west.apache.org (ASF Mail Server at spamd1-us-west.apache.org) with ESMTP id AE923C7C09 for ; Thu, 31 Aug 2017 12:25:09 +0000 (UTC) X-Virus-Scanned: Debian amavisd-new at spamd1-us-west.apache.org X-Spam-Flag: NO X-Spam-Score: 0.98 X-Spam-Level: X-Spam-Status: No, score=0.98 tagged_above=-999 required=6.31 tests=[KAM_LAZY_DOMAIN_SECURITY=1, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01] autolearn=disabled Received: from mx1-lw-us.apache.org ([10.40.0.8]) by localhost (spamd1-us-west.apache.org [10.40.0.7]) (amavisd-new, port 10024) with ESMTP id eUjbEbnQVXYN for ; Thu, 31 Aug 2017 12:25:09 +0000 (UTC) Received: from outbound-gw.openxchange.ahost.me (outbound-gw.openxchange.ahost.me [94.136.40.163]) by mx1-lw-us.apache.org (ASF Mail Server at mx1-lw-us.apache.org) with ESMTPS id AE1C75F257 for ; Thu, 31 Aug 2017 12:25:08 +0000 (UTC) Received: from [127.0.0.1] (helo=outbound-gw.openxchange.ahost.me) by outbound-gw.openxchange.ahost.me with esmtps (TLSv1.2:ECDHE-RSA-AES256-SHA384:256) (Exim 4.89) (envelope-from ) id 1dnOWx-0003wS-Qj for user@karaf.apache.org; Thu, 31 Aug 2017 13:25:07 +0100 Date: Thu, 31 Aug 2017 13:25:03 +0100 (BST) From: tom@quarendon.net Reply-To: tom@quarendon.net To: user@karaf.apache.org Message-ID: <1399712785.3006068.1504182307759@webmail.123-reg.co.uk> In-Reply-To: <59b2dec6-9d2f-7982-e857-ff6ad3aff8ab@nanthrax.net> References: <1758919573.2996844.1504175748666@webmail.123-reg.co.uk> <59b2dec6-9d2f-7982-e857-ff6ad3aff8ab@nanthrax.net> Subject: Re: Console role based access control and command completion MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable X-Priority: 3 Importance: Medium X-Mailer: Open-Xchange Mailer v7.8.3-Rev22 X-Originating-IP: 86.188.252.244 X-Originating-Client: com.openexchange.ox.gui.dhtml archived-at: Thu, 31 Aug 2017 12:25:11 -0000 Hmm, OK. There's a comment somewhere that implies that someone had at least at some = point tried doing that or thought that was what happened. It leads to *slightly* odd behaviour, of being told that a command exists, = but then being told, "oh wait, not it doesn't". Thanks anyway. > On 31 August 2017 at 13:02 Jean-Baptiste Onofr=C3=A9 wr= ote: >=20 >=20 > Hi Tom, >=20 > We don't use the ACL in the completers, only on the action step. That's w= hy you=20 > can complete but not execute. >=20 > Regards > JB >=20 > On 08/31/2017 12:35 PM, tom@quarendon.net wrote: > > If I'm logged on to the console as user, the list of commands I can exe= cute is controlled by access control lists. > > So, if I'm logged on as a user who has only got the "viewer" role, then= I can't shut karaf down, the system:shutdown command requires the "admin" = role. > >=20 > > Great. > >=20 > > However, I still appear to be able to get command completion that syste= m:shutdown is a command, but when I try and invoke it I get "Command not fo= und: system:shutdown", which seems confusing. > >=20 > > Is this intentional? I saw a comment in the code somewhere (lost it now= ) that made me think that the intention was that only commands I can actual= ly invoke are then put in the completion list, and indeed that would seem l= ike reasonable behaviour. > >=20 >=20 > --=20 > Jean-Baptiste Onofr=C3=A9 > jbonofre@apache.org > http://blog.nanthrax.net > Talend - http://www.talend.com