Details
- Bug
- Status: Resolved
- Resolution: Done
- Helium
- None
- None
- Operating System: All
- Platform: All
- 2798
- Highest
Description
Flavio Fernandes reported:
Today on Helium (including SR1.1 and SR2) the neutron northbound uses basicAuth.
While the REST server (port 8080) will reject an HTTP request without the auth header, it does not
really check whether the username:password provided are valid.
Quick way of demonstrating this:
curl http://192.168.50.1:8080/controller/nb/v2/neutron/networks <== 401, correct
curl -u wrong:bad http://192.168.50.1:8080/controller/nb/v2/neutron/networks <== 200, bad!
Please make sure that security issue is taken care of.
Note this is not an issue in the Lithium codebase, once we changed to Jetty. I did not try Hydrogen.
David Jorm investigated and found the offending code:
This will accept any username/password combination. If I change line 40 to "return null;" and recompile, then no username/password combination is accepted. It appears that the "opendaylight" realm (which uses this custom realm class) is widely used by several interfaces. I think a patch should drop the custom realm class and use UserDatabaseRealm or similar instead.
Colin Dixon is now working on a patch, targeting the SR3 release.
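The defect described above, a realm that returns a principal for any username/password as long as an Authorization header is present, reduced to a runnable Python sketch placed beside the corrected behaviour. This is an added illustration, not OpenDaylight's code and not the Tomcat Realm API; the user store, salt, password hashing and the sample credentials (alice / constructed-password) are all constructed for the example.

```python
import base64
import hashlib
import hmac


def _pbkdf2(password: bytes, salt: bytes) -> bytes:
    """Constructed password hashing for the example (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, 100_000)


# Constructed user store: username -> (salt, password hash). Stands in for
# whatever UserDatabaseRealm or similar would consult; not ODL's real store.
_SALT = b"constructed-salt"
USER_DB = {"alice": (_SALT, _pbkdf2(b"constructed-password", _SALT))}


def parse_basic_auth(header):
    """Return (username, password) from an 'Authorization: Basic ...' value, or None."""
    if header is None:
        return None
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    if not sep:
        return None
    return user, password


def broken_authenticate(username, password):
    """Mirrors the reported defect: every credential pair yields a principal."""
    return username


def fixed_authenticate(username, password):
    """Look the user up and verify the password before returning a principal."""
    entry = USER_DB.get(username)
    if entry is None:
        _pbkdf2(password.encode("utf-8"), _SALT)  # same cost for unknown users
        return None
    salt, expected = entry
    if hmac.compare_digest(_pbkdf2(password.encode("utf-8"), salt), expected):
        return username
    return None


def handle_request(authorization_header, authenticate):
    """Return the HTTP status a basicAuth-protected endpoint would answer with."""
    creds = parse_basic_auth(authorization_header)
    if creds is None:
        return 401  # no/invalid header: rejected either way, as the report notes
    principal = authenticate(*creds)
    return 200 if principal else 401


def basic_header(user, password):
    """Build the header value curl -u would send."""
    raw = f"{user}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


if __name__ == "__main__":
    # Replays the two curl calls from the report against each realm.
    for name, realm in (("broken", broken_authenticate), ("fixed", fixed_authenticate)):
        print(name, "no header ->", handle_request(None, realm))
        print(name, "wrong:bad  ->", handle_request(basic_header("wrong", "bad"), realm))
```

Running the block reproduces the report: the broken realm answers 401 without a header but 200 for wrong:bad, while the fixed realm answers 401 for both and 200 only for a credential pair present in the store. The constant-time comparison and the equal-cost path for unknown users are the details a replacement realm should keep.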