April 18, 2020

OSGi (/system/console) Permissions

In the past, I've had several clients requesting access to the OSGi console, or /system/console, for users other than the built-in "admin" user. This is a fairly straightforward configuration, but there is limited information about it online. Out of the box, CQ permissions unfortunately do not handle the OSGi / Felix stack. Because of this, assigning a user to the "administrators" group in CQ is not enough to grant them access to the OSGi console. This has its upside, though: because the configurations found in the OSGi console can greatly affect how the server runs, it is a best practice to limit access to a handful of knowledgeable users.

The bundle that we need to configure has the package name of org.apache.sling.extensions.webconsolesecurityprovider.internal.SlingWebConsoleSecurityProvider. In the OSGi console, you can set the users by doing the following:
  1. Navigate to /system/console/configMgr
  2. Click the "edit" button next to "Apache Sling Web Console Security Provider"
  3. Add users/groups to the appropriate field. It expects a comma-separated list (e.g. admin,testuser, ...)
  4. Click save

However, the best practice for configuring CQ bundles is to create a file within your CQ repository under /apps/system/config. Given that the bundle we are configuring has the name "org.apache.sling.extensions.webconsolesecurityprovider.internal.SlingWebConsoleSecurityProvider", the file we must create under /apps/system/config must be named "org.apache.sling.extensions.webconsolesecurityprovider.internal.SlingWebConsoleSecurityProvider.config". This assumes a global configuration; use config.<runmode> for runmode-specific configurations (e.g. config.author).

The content of this file must specify the values for the allowed users and groups for the OSGi console. Here is a sample content of the config file, allowing the user "admin" and the group "administrators" to have access:

groups=["administrators"]
users=["admin"]


If you wanted to allow several users/groups, again this is a comma-separated list. For example, if you wanted to allow both the "admin" user and "test" user, it would look like the following:
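
The multi-value form described above, as an added example that is not code from the original post: a Python helper that builds the file content and its path under /apps/system/config, then reads a config back and lists principals outside an approved set. The function names, the approved lists, the sample data and the restriction of names to plain IDs are assumptions of this example.

```python
import re

# Name taken from the article; the file to create is <PID>.config
PID = ("org.apache.sling.extensions.webconsolesecurityprovider"
       ".internal.SlingWebConsoleSecurityProvider")

# Assumption of this example: principal names are plain IDs, so no escaping is needed.
_SAFE_NAME = re.compile(r"[A-Za-z0-9._@-]+")
_ENTRY = re.compile(r'^\s*(users|groups)\s*=\s*\[(.*)\]\s*$')


def config_path(runmode=None):
    """Path of the config file; no runmode means the global 'config' folder."""
    folder = "config" if runmode is None else "config." + runmode
    return "/apps/system/%s/%s.config" % (folder, PID)


def render(users, groups):
    """Build the file content in the groups=[...] / users=[...] form shown above."""
    for name in list(users) + list(groups):
        if not _SAFE_NAME.fullmatch(name):
            raise ValueError("unexpected principal name: %r" % name)

    def fmt(names):
        return "[" + ",".join('"%s"' % n for n in names) + "]"
    return "groups=%s\nusers=%s\n" % (fmt(groups), fmt(users))


def parse(text):
    """Read the users and groups lists back out of a config file's text."""
    found = {"users": [], "groups": []}
    for line in text.splitlines():
        m = _ENTRY.match(line)
        if m:
            found[m.group(1)] = re.findall(r'"([^"]*)"', m.group(2))
    return found


def unapproved(text, approved_users, approved_groups):
    """Principals granted console access that are not on the approved lists."""
    cfg = parse(text)
    return {"users": sorted(set(cfg["users"]) - set(approved_users)),
            "groups": sorted(set(cfg["groups"]) - set(approved_groups))}


if __name__ == "__main__":
    sample = render(["admin", "test"], ["administrators"])  # constructed sample
    print(config_path("author"))
    print(sample, end="")
    print(unapproved(sample, ["admin"], ["administrators"]))
```

Running `unapproved` over the config files in a content package before deployment shows any account that would gain console access without having been reviewed.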


By aem4beginner
