KARAF-5014: consider first group role in users.properties and ignore empty roles

[stataru8]

https://issues.apache.org/jira/browse/KARAF-5014

This issue is quite old and only affects those who directly modify the users file. I'm not sure if it is still relevant, or if the current behaviour should be considered acceptable.

Current behaviour:

• the first role in a group is ignored
• when a group is created via jaas commands, the password/role group is added by default

Proposal:

• consider the first role in a group
• when a group is created using jaas commands, add password/role "" by default, leaving the group information empty
• ignore empty roles in both users and groups

[AndreVirtimo]

Hi @stataru8 , thank you for picking up this issue.

Why do you propose "when a group is created using jaas commands, add an empty role by default"? Is this because there is no role which could be assigned during creation? Is it not possible to have an empty group?

Regards
Andre

[jbonofre]

I think @stataru8 meant add empty password for role (as a role doesn't have password).

A group can be empty without problem though.

[jbonofre]

Why forcing encryption here ? It's an optional feature.

[stataru8]

I just moved this call from its original location in addUserInternal:

karaf/jaas/modules/src/main/java/org/apache/karaf/jaas/modules/properties/PropertiesBackingEngine.java

Line 62 in e9b9c97

String encPassword = encryptionSupport.encrypt(password);

The call is only needed when adding a user and shouldn't be made when adding a group:

karaf/jaas/modules/src/main/java/org/apache/karaf/jaas/modules/properties/PropertiesBackingEngine.java

Line 262 in c01d0bc

addUserInternal(groupName, ""); // groups don't have password

There is the risk of encrypting "", which with the defaults, results in {CRYPT}ABC...{CRYPT}. After jaas:group-add karaf newGrup,
jaas:user-list will return

User Name | Group   | Role
----------+---------+-------------------------------------------------------------------------------
karaf     | newGrup | {CRYPT}ABC...{CRYPT}

Maybe at this point, we should create another addUserInternal with just the username as an argument: private void addUserInternal(String username), or another function just for groups...

[jbonofre]

A group can be empty (no role, no group, no user).

[stataru8]

My original comment was a bit misleading, what I meant is:

• If a user info is empty, we shouldn't replace "" by role, or else role becomes the user's password.
• If a group info is empty, we should replace "" by role.

[stataru8]

Hello @AndreVirtimo, as far as I know, we have two commands that allow us to create groups:

• jaas:group-add user myGroup1
• jaas:group-create myGroup2

In both cases, there is no mandatory argument for the role. Today, the role/password group is added by default. The proposal is to add "" instead, leaving the group information empty.