Loading...

Type: Improvement
Resolution: Unresolved
Priority: Medium
Fix Version/s: 8.0.0
Affects Version/s: None
Component/s: restconf-nb
Labels:
None

Our current implementation takes over the entire /.well-known namespace. This leads bad interaction with other HTTP endpoints discovery, as we end up leaking auth requirement. This is evidenced by:

opendaylight-user@root>web:context-list

Bundle ID │ Symbolic Name                                 │ Context Path │ Context Name      │ Rank │ Service ID │ Type        │ Scope     │ Registration Properties
──────────┼───────────────────────────────────────────────┼──────────────┼───────────────────┼──────┼────────────┼─────────────┼───────────┼───────────────────────────────────────────────────────────
164       │ org.jolokia.osgi                              │ /            │ context:534196305 │ MAX  │ 0          │ HttpService │ static*   │ httpContext.id=context:534196305
          │                                               │              │                   │      │            │             │           │ httpContext.path=/
          │                                               │              │                   │      │            │             │           │ osgi.http.whiteboard.context.httpservice=context:534196305
          │                                               │              │                   │      │            │             │           │ osgi.http.whiteboard.context.path=/
312       │ org.ops4j.pax.web.pax-web-extender-whiteboard │ /            │ default           │ 0    │ 0          │ Whiteboard  │ static*   │ osgi.http.whiteboard.context.name=default
          │                                               │              │                   │      │            │             │           │ osgi.http.whiteboard.context.path=/
256       │ org.opendaylight.netconf.restconf-nb          │ /.well-known │ /.well-known.id   │ 0    │ 286        │ Whiteboard  │ singleton │ osgi.http.whiteboard.context.name=/.well-known.id
          │                                               │              │                   │      │            │             │           │ osgi.http.whiteboard.context.path=/.well-known
342       │ org.opendaylight.netconf.sal-rest-docgen      │ /apidoc      │ /apidoc.id        │ 0    │ 291        │ Whiteboard  │ singleton │ osgi.http.whiteboard.context.name=/apidoc.id
          │                                               │              │                   │      │            │             │           │ osgi.http.whiteboard.context.path=/apidoc
174       │ org.opendaylight.aaa.shiro                    │ /auth        │ /auth.id          │ 0    │ 270        │ Whiteboard  │ singleton │ osgi.http.whiteboard.context.name=/auth.id
          │                                               │              │                   │      │            │             │           │ osgi.http.whiteboard.context.path=/auth
256       │ org.opendaylight.netconf.restconf-nb          │ /rests       │ /rests.id         │ 0    │ 279        │ Whiteboard  │ singleton │ osgi.http.whiteboard.context.name=/rests.id

This has interplay with other protocols, for example OpenAPI. As such we should only be contributing to resource discovery resources and not place auth requirements – those should be set by default handler policy, really.

Separate out the two resources we provide (/.well-known/host-meta and /.well-known/host-meta.json) and disable authentication on them.

Details

Description

Attachments

Activity

People

Dates