[AAA-11] odl-aaa-authn-plugin and odl-aaa-authn are configured to block restconf connections by default. Created: 16/Sep/14  Updated: 21/Mar/19  Resolved: 01/Oct/14

Status: Verified
Project: aaa
Component/s: General
Affects Version/s: None
Fix Version/s: None

Type: Bug
Reporter: RichardHill Assignee: Unassigned
Resolution: Done Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

Operating System: All
Platform: All


Attachments: Zip Archive karaf-debug.zip
External issue ID: 1913

Description

Steps

I installed the karaf distribution from

https://jenkins.opendaylight.org/integration/view/Integration%20jobs/job/integration-master-project-centralized-integration/lastSuccessfulBuild/artifact/distributions/extra/karaf/target/distribution-karaf-0.2.0-SNAPSHOT.zip

It was either build #2402 or #2401 from Sep 16. Not sure which because version.properties doesn't set a timestamp.

I deployed the artifact and booted using <odl-home-dir>/bin/karaf

When the console was open I installed features:

feature:install odl-restconf odl-bgpcep-all odl-netconf-connector-ssh

After waiting a few minutes I tried a GET request to

<localhost>restconf/operational/network-topology:network-topology/ This was successful: a 200 HTTP status code and the expected payload was sent.

I logged out of the karaf container using "logout", waited for all the processes to terminate (confirmed using ps aux | grep java) and restarted the karaf container using <odl-home-dir>/bin/karaf

After a few minutes' wait for the system to come up, accessing the URI at
<localhost>:8181/restconf/operational/network-topology:network-topology/ now resulted in a 401 error.

It's also interesting that while the system was coming up a 404 status code and then a 500 status code were received. They were finally replaced with a 401 code after the odl-netconf-connector-ssh feature was loaded.

The stack trace for the 500 error showed that odl-aaa-authn and odl-aaa-authn-plugin were throwing an exception, so we wondered what would happen if we uninstalled these.

feature:uninstall odl-aaa-authn
feature:uninstall odl-aaa-authn-plugin

I didn't expect it to work because odl-netconf-connector-ssh is dependent on these features, but we could uninstall them, which may be a bug also. We still couldn't access restconf on port 8181, but rather than not being authorised, I think the reason is that we had broken odl-netconf-connector-ssh by removing its dependencies.

In summary I think this is a bug because odl-aaa-authn-plugin and odl-aaa-authn are configured to block restconf connections by default.



Comments
Comment by RichardHill [ 16/Sep/14 ]

Attachment karaf-debug.zip has been added with description: log files from the test.

Comment by Liem Nguyen [ 16/Sep/14 ]

odl-restconf works fine without aaa. Hence, you get a 200 before. However, with aaa installed, aaa will check for authentication and fail with 401 (unauthorized) if there is no token given or basic auth (like in Hydrogen). So, the 401 you see is expected behavior.

Also, note that odl-restconf is currently using a static web.xml and hence cannot listen for OSGi dynamic changes and will not be able to react to aaa AuthN filter coming and going. So, a restart of the odl-restconf bundle is required if aaa is added/removed dynamically. Alternatively, you can install aaa first:

feature:install odl-aaa-all odl-restconf odl-bgpcep-all odl-netconf-connector-ssh

Comment by RichardHill [ 17/Sep/14 ]

Hi Liem, thank you for the information.

I've a few questions:

How can I configure ODL not to use aaa on the restconf interface?

The README here https://github.com/opendaylight/aaa/blob/master/README.md
describes how to set it up.

The section "Authorization & Access Control" contains the statement

"Default authorization are loaded from the configuration subsystem (TODO: Provide a default set) They are accessible and editable via the restconf interface at:

172.29.50.236:8181/restconf/configuration/authorization-schema:simple-authorization/"

1) Could you point me towards the default set mentioned in the TODO, please?

2) The URI is restconf, so blocked by a 401. I expect there is another way of configuring this; it's just not clear to me from the wiki.

Comment by RichardHill [ 17/Sep/14 ]

This bug (lack of documentation on how to configure AAA to allow a restconf client) means we are unable to use ODL when AAA is present, so I've changed the status to a blocker.

Comment by Vratko Polak [ 17/Sep/14 ]

Experimentation shows that upon the first start with an aaa feature, ${karaf.home}/etc/org.opendaylight.aaa.authn.cfg is created. After editing its second line to
authEnabled=false
(after graceful shutdown of karaf), subsequent start sees ODL allowing unrestricted access via RESTCONF.

Perhaps this is the information missing from current AAA documentation?

Comment by Liem Nguyen [ 17/Sep/14 ]

Hi Vratko & Polak,

That is correct. Setting authEnabled=false will bypass AAA completely. This can be done by editing the config file as you did, or by using the OSGi Admin console (either via the config command in CLI or webconsole). BTW, AAA configurations are dynamic and do not need bundle/container restart.

We are actively working on the Developers Guide to include this information. Apologies for the doc lag.

Thanks,
Liem
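
A small audit helper for the setting discussed in the two comments above (the authEnabled line in ${karaf.home}/etc/org.opendaylight.aaa.authn.cfg). This is an added example, not code from the OpenDaylight project or from anyone on this ticket; it assumes the file is a plain key=value properties file and that, as stated above, an absent key means authentication stays enabled.

```shell
#!/bin/sh
# Added example: report whether a karaf instance's AAA config leaves RESTCONF
# authentication enabled. authEnabled=false bypasses AAA completely, which is
# acceptable for a test bench but not for a production controller.

# Print "true", "false" or "unset" for the effective authEnabled value in the
# given org.opendaylight.aaa.authn.cfg. Comment lines ('#') are ignored,
# whitespace around '=' is tolerated and, as in Java properties files, the
# last occurrence of the key wins. "unset" means the AAA default applies.
aaa_auth_enabled() {
    cfg="$1"
    [ -r "$cfg" ] || { echo "unset"; return 0; }
    val=$(sed -n 's/^[[:space:]]*authEnabled[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' "$cfg" | tail -n 1)
    case "$val" in
        "")                   echo "unset" ;;
        [Ff][Aa][Ll][Ss][Ee]) echo "false" ;;
        *)                    echo "true" ;;
    esac
}

# Succeed (exit 0) only when the config does not disable authentication.
aaa_cfg_is_safe() {
    [ "$(aaa_auth_enabled "$1")" != "false" ]
}

# Live check against a running controller: an unauthenticated GET of the
# RESTCONF URI from this ticket must come back 401 when AAA is enforcing.
# Assumes curl is available and the controller listens on $1:8181.
aaa_restconf_requires_auth() {
    code=$(curl -s -o /dev/null -w '%{http_code}' \
        "http://$1:8181/restconf/operational/network-topology:network-topology/")
    [ "$code" = "401" ]
}

# Demo on a constructed sample file mirroring the one karaf writes on first start.
demo_dir=$(mktemp -d)
cat > "$demo_dir/org.opendaylight.aaa.authn.cfg" <<'EOF'
# constructed sample config
authEnabled=false
EOF
if aaa_cfg_is_safe "$demo_dir/org.opendaylight.aaa.authn.cfg"; then
    echo "RESTCONF authentication enabled"
else
    echo "WARNING: authEnabled=false, RESTCONF is unauthenticated"
fi
rm -rf "$demo_dir"
```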

Comment by Liem Nguyen [ 18/Sep/14 ]

Please let me know if disabling aaa via configuration would solve your testing issues.

In production, Restconf APIs should be authenticated by design.

Comment by Liem Nguyen [ 19/Sep/14 ]

I haven't heard back from the submitter, so I will mark this as resolved for now, as this is expected behavior from AAA (enforce authentication on Restconf by default).
