[AAA-85] authEnabled=false always leads to 401 Created: 11/Jan/16  Updated: 21/Mar/19  Resolved: 20/Jan/16

Status: Resolved
Project: aaa
Component/s: General
Affects Version/s: None
Fix Version/s: None

Type: Bug
Reporter: Vratko Polak Assignee: Unassigned
Resolution: Won't Do Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

Operating System: All
Platform: All


Attachments: Text File karaf_20160112.log
External issue ID: 4922

Description

Up to now, editing the etc/org.opendaylight.aaa.authn.cfg file to contain authEnabled=false has led to every request being considered authorized.
But in current Beryllium snapshots, the same edit leads to every request being considered NOT authorized.

This is either a regression in functionality, or a new feature which lacks documentation (AAA-84).

Steps to reproduce:
0. Start ODL.
1. feature:install odl-restconf
2. curl -v 127.0.0.1:8181/restconf/modules

It does not matter whether the edit was done just before step 2 or any other time before.
It does not matter which restconf URI is used.
When the line is edited to authEnabled=true at runtime, requests with correct credentials (admin:admin by default) work.

Another reproduction, in Sandbox: https://jenkins.opendaylight.org/releng/job/aaa-csit-verify-1node-authn/10/robot/report/log.html#s1-s1-t6-k2-k11-k4



Comments
Comment by Vratko Polak [ 11/Jan/16 ]

Pasting what the 401 verbose output looks like. Judging from WWW-Authenticate value, this is not from UnauthorizedException.
The output always looks like that, no matter if it is caused by this Bug or by missing credentials.

$ curl -v -u 'admin:admin' 127.0.0.1:8181/restconf/modules ;echo
* About to connect() to 127.0.0.1 port 8181 (#0)
*   Trying 127.0.0.1...
* connected
* Connected to 127.0.0.1 (127.0.0.1) port 8181 (#0)
* Server auth using Basic with user 'admin'
> GET /restconf/modules HTTP/1.1
> Authorization: Basic YWRtaW46YWRtaW4=
> User-Agent: curl/7.27.0
> Host: 127.0.0.1:8181
> Accept: */*
>
< HTTP/1.1 401 Unauthorized
< Set-Cookie: rememberMe=deleteMe; Path=/restconf; Max-Age=0; Expires=Sun, 10-Jan-2016 11:55:24 GMT
* Authentication problem. Ignoring this.
< WWW-Authenticate: BASIC realm="application"
< Content-Length: 0
< Server: Jetty(8.1.15.v20140411)
<
* Connection #0 to host 127.0.0.1 left intact
* Closing connection #0

Comment by Vratko Polak [ 12/Jan/16 ]

This is what the log looks like; in the attached segment, the request without -u was sent at 09:30:51 and the request with admin:admin at 09:30:54.

The crucial reports seem to be these:

2016-01-12 09:30:51,721 | DEBUG | restconf/modules | BasicHttpAuthenticationFilter | 233 - org.apache.shiro.web - 1.2.3 | Authentication required: sending 401 Authentication challenge response.

2016-01-12 09:30:54,942 | INFO | restconf/modules | TokenAuthRealm | 236 - org.opendaylight.aaa.shiro - 0.3.0.SNAPSHOT | Unknown OAuth2 Token Access Request
org.apache.shiro.authc.AuthenticationException: Could not validate the token admin
at org.opendaylight.aaa.shiro.realm.TokenAuthRealm.validate(TokenAuthRealm.java:248)[236:org.opendaylight.aaa.shiro:0.3.0.SNAPSHOT]

The common precondition seems to be this one:

2016-01-12 09:30:51,719 | TRACE | restconf/modules | PathMatchingFilter | 233 - org.apache.shiro.web - 1.2.3 | Filter 'authcBasic' is enabled for the current request under path '/**' with config [null]. Delegating to subclass implementation for 'onPreHandle' check.

Comment by Vratko Polak [ 12/Jan/16 ]

Attachment karaf_20160112.log has been added with description: Segment of karaf.log

Comment by Ryan Goulding [ 12/Jan/16 ]

Some semantics have changed such that this config file may not work the same way anymore. An equivalent change should work:

In shiro.ini (https://github.com/opendaylight/aaa/blob/99de61dde20da19d8ad050fea85ce31eb8d62b17/aaa-shiro/src/main/resources/shiro.ini) do the following:

Change "/** = authcBasic" to "/** = anon"

Sorry for not documenting this; I will dig deeper when I get the chance. This should help immediately and I'll push some documentation to describe this.
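An added example, not code from this issue or from the OpenDaylight AAA project: a small Python checker that reads the [urls] section of a shiro.ini the way Shiro evaluates it (ordered entries, first matching path pattern wins) and reports whether a RESTCONF path still requires authentication, so an operator can confirm whether the "/** = anon" edit above is in effect on an instance. The INI text is constructed for the example, and the Ant-style pattern matcher is a simplified approximation.

```python
import re
# Constructed sample of a shiro.ini [urls] section as shipped
# (authcBasic) and as edited per the comment above (anon).
SHIRO_INI_AUTH_ON = """[main]
tokenAuthRealm = org.opendaylight.aaa.shiro.realm.TokenAuthRealm
[urls]
/** = authcBasic
"""
SHIRO_INI_AUTH_OFF = SHIRO_INI_AUTH_ON.replace("/** = authcBasic", "/** = anon")

def parse_urls_section(ini_text):
    """Ordered (path pattern, filter chain) entries of the [urls] section."""
    entries, section = [], None
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.match(r"^\[(\w+)\]$", line)
        if header:
            section = header.group(1)
        elif section == "urls" and "=" in line:
            pattern, chain = (s.strip() for s in line.split("=", 1))
            entries.append((pattern, [f.strip() for f in chain.split(",")]))
    return entries

def path_matches(pattern, path):
    """Simplified Ant-style matcher (assumption): ** spans segments, * and ? do not."""
    regex, i = "^", 0
    while i < len(pattern):
        if pattern.startswith("/**", i):      # "/**" also matches the bare prefix
            regex, i = regex + "(?:/.*)?", i + 3
        elif pattern.startswith("**", i):
            regex, i = regex + ".*", i + 2
        elif pattern[i] in "*?":
            regex, i = regex + ("[^/]*" if pattern[i] == "*" else "[^/]"), i + 1
        else:
            regex, i = regex + re.escape(pattern[i]), i + 1
    return re.match(regex + "$", path) is not None

def filter_chain_for(ini_text, path):
    """First matching [urls] entry wins, as Shiro evaluates them in order."""
    for pattern, chain in parse_urls_section(ini_text):
        if path_matches(pattern, path):
            return chain
    return None

def auth_required(ini_text, path):
    chain = filter_chain_for(ini_text, path)
    # Unfiltered paths and 'anon' chains mean AAA is effectively off for that path.
    return chain is not None and "anon" not in chain
```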

Comment by Ryan Goulding [ 12/Jan/16 ]

Also, you can install odl-restconf-noauth which will not activate the AAA service.

Comment by Vratko Polak [ 14/Jan/16 ]

> Change "/** = authcBasic" to "/** = anon"

This works.

With this information, I guess this can be marked as WONTFIX.

Comment by Ryan Goulding [ 20/Jan/16 ]

Documentation related to how to turn AAA off is included in the wiki here now:
https://wiki.opendaylight.org/view/AAA:Turn_aaa_off

Generated at Wed Feb 07 19:08:35 UTC 2024 using Jira 8.20.10#820010-sha1:ace47f9899e9ee25d7157d59aa17ab06aee30d3d.