Bug
Resolution: Done
Medium
Oxygen
None
The following scenario used to work fine in Oxygen-SR1 according to https://docs.opendaylight.org/en/stable-oxygen/user-guide/authentication-and-authorization-services.html#mdsal-based-dynamic-authorization :
1. Create 2 users (user-ro, user-full)
2. Create 2 roles (role-ro, role-full)
3. Assign roles accordingly to users (role-ro => user-ro, role-full => user-full)
4. Configure policy:
{
    "aaa:policies": {
        "aaa:policies": [
            {
                "aaa:resource": "/restconf/config/network-topology**",
                "aaa:permissions": [
                    {
                        "aaa:role": "role-full",
                        "aaa:actions": [
                            "get",
                            "post",
                            "put",
                            "patch",
                            "delete"
                        ]
                    },
                    {
                        "aaa:role": "role-ro",
                        "aaa:actions": [
                            "get"
                        ]
                    }
                ]
            }
        ]
    }
}
5. This used to return 401 in Oxygen-SR1; now it returns 200:
curl -u user-ro:123456 -v -X DELETE http://localhost:8181/restconf/config/network-topology:network-topology/topology/topology1
* Trying ::1...
* TCP_NODELAY set
* Connected to localhost (::1) port 8181 (#0)
* Server auth using Basic with user 'user-ro'
> DELETE /restconf/config/network-topology:network-topology/topology/topology1 HTTP/1.1
> Host: localhost:8181
> Authorization: Basic dXNlci1ybzoxMjM0NTY=
> User-Agent: curl/7.59.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Set-Cookie: JSESSIONID=bqj10ho2znkj1u3qh9fgph6m8;Path=/restconf
< Expires: Thu, 01 Jan 1970 00:00:00 GMT
< Set-Cookie: rememberMe=deleteMe; Path=/restconf; Max-Age=0; Expires=Thu, 06-Sep-2018 05:30:51 GMT
< Content-Length: 0
<
* Connection #0 to host localhost left intact
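
A regression check for the scenario above, as an added example that is not part of the original report and is not OpenDaylight code: it derives the expected allow/deny decision from the step 4 policy and flags any 2xx response to a request the policy denies. Assumptions: `fnmatch` wildcards stand in for the server's own path matcher, the names `policy_allows` and `find_violations` are hypothetical, and every observation except the first (the response shown in step 5) is constructed.

```python
import json
from fnmatch import fnmatchcase

# Policy from step 4 of the report.
POLICY = json.loads("""
{"aaa:policies": {"aaa:policies": [{
  "aaa:resource": "/restconf/config/network-topology**",
  "aaa:permissions": [
    {"aaa:role": "role-full",
     "aaa:actions": ["get", "post", "put", "patch", "delete"]},
    {"aaa:role": "role-ro", "aaa:actions": ["get"]}
  ]}]}}
""")

# Role assignment from step 3 of the report.
USER_ROLES = {"user-ro": {"role-ro"}, "user-full": {"role-full"}}


def policy_allows(user, method, path, policy=POLICY):
    """True/False when a policy covers the path, None when none does."""
    for entry in policy["aaa:policies"]["aaa:policies"]:
        # Assumption: fnmatch approximates the server's path matching.
        if not fnmatchcase(path, entry["aaa:resource"]):
            continue
        return any(
            perm["aaa:role"] in USER_ROLES.get(user, set())
            and method.lower() in perm["aaa:actions"]
            for perm in entry["aaa:permissions"]
        )
    return None


def find_violations(observations):
    """Observations the policy denies but the server answered with 2xx."""
    return [o for o in observations
            if policy_allows(o[0], o[1], o[2]) is False and 200 <= o[3] < 300]


TOPO = "/restconf/config/network-topology:network-topology/topology/topology1"
# (user, method, path, HTTP status). Row 1 is the response from step 5;
# the remaining rows are constructed samples.
OBSERVED = [
    ("user-ro", "DELETE", TOPO, 200),
    ("user-ro", "GET", TOPO, 200),
    ("user-full", "DELETE", TOPO, 200),
    ("user-ro", "PUT", TOPO, 401),
]

if __name__ == "__main__":
    for user, method, path, status in find_violations(OBSERVED):
        print(f"VIOLATION: {user} {method} {path} -> {status}")
```

Requests to paths that no policy covers return `None` and are never flagged, since the report does not state what the server does in that case.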