[AAA-87] AAA sometimes falsely authorizes user to restricted endpoint Created: 20/Jan/16  Updated: 21/Mar/19  Resolved: 26/Jan/16

Status: Resolved
Project: aaa
Component/s: General
Affects Version/s: None
Fix Version/s: None

Type: Bug
Reporter: Ryan Goulding Assignee: Ryan Goulding
Resolution: Done Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:
Operating System: All
Platform: All


External issue ID: 5033

Description

AAA Authorization may falsely authorize user to a Shiro-restricted endpoint. In the current design, there is a cached User since it was incorrectly assumed that "doGetAuthorizationInfo()" was called directly after "doGetAuthenticationInfo()" for a given request. However, since multiple threads may access the TokenAuthRealm, there is a case for interleaving. This should be fixed by modifying the Principal object returned by "doGetAuthenticationInfo()" to return appropriate information.

This is an unpolished script that shows this behavior:

[ryan@awesomeo ~]$ cat test.py
import threading
import requests

# Shiro-restricted endpoint under test; only 'admin' should get a 200.
url = 'http://localhost:8181/restconf/modules/'


class myThread(threading.Thread):
    def __init__(self, user, password):
        threading.Thread.__init__(self)
        self.user = user
        self.password = password

    def run(self):
        self.doget()

    def doget(self):
        resp = requests.get(url, auth=(self.user, self.password))
        if self.user == 'admin':
            # admin is expected to be authorized every time
            if resp.status_code != 200:
                print("error " + str(resp.status_code))
        else:
            # any other user must be rejected; a non-401 here is a false authorization
            if resp.status_code != 401:
                print("error2 " + str(resp.status_code))


if __name__ == '__main__':
    threads = []
    # Fire admin and user requests concurrently so the realm's
    # authenticate/authorize calls can interleave across threads.
    for i in range(0, 100):
        thread = myThread('admin', 'admin')
        thread2 = myThread('user', 'user')
        thread3 = myThread('admin', 'admin')
        thread.start()
        thread2.start()
        thread3.start()
        threads.append(thread)
        threads.append(thread2)
        threads.append(thread3)
    for t in threads:
        t.join()
[ryan@awesomeo ~]$

In the future, this script should be added to CSIT, but due to time constraints was tested manually.
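Added example (not the reporter's script and not OpenDaylight's Java TokenAuthRealm): a Python sketch of the interleaving the description refers to. UnsafeRealm mirrors the flawed design, where authentication stores the User in a field shared by all threads and authorization reads that field back; SafeRealm mirrors the proposed fix, where the principal returned by authentication carries the roles and authorization derives everything from the principal it is handed. The user table, the method names (modelled on the Shiro hooks named above), the forced interleaving and the threaded loop are all constructed for this example.

```python
"""Replay of the AAA-87 race in Python.

UnsafeRealm: authentication caches the user in realm-wide state, authorization
trusts that cache. SafeRealm: the principal carries its own roles. Constructed
example; not OpenDaylight code."""
import threading
from dataclasses import dataclass

# Constructed user database: username -> (password, roles)
USERS = {
    "admin": ("admin", frozenset({"admin", "user"})),
    "user": ("user", frozenset({"user"})),
}
RESTRICTED_ROLE = "admin"   # role the restricted endpoint requires


class UnsafeRealm:
    """Flawed design: a single cached_user field shared by every request."""

    def __init__(self):
        self.cached_user = None

    def do_get_authentication_info(self, username, password):
        stored_pw, _ = USERS.get(username, (None, None))
        if stored_pw is None or stored_pw != password:
            return None
        self.cached_user = username      # shared mutable state: the bug
        return username                  # principal carries only the name

    def do_get_authorization_info(self, principal):
        # Ignores the principal and trusts whoever authenticated last.
        return USERS[self.cached_user][1]


@dataclass(frozen=True)
class Principal:
    username: str
    roles: frozenset


class SafeRealm:
    """Fixed design: authorization data travels with the principal, no shared state."""

    def do_get_authentication_info(self, username, password):
        stored_pw, roles = USERS.get(username, (None, frozenset()))
        if stored_pw is None or stored_pw != password:
            return None
        return Principal(username, roles)

    def do_get_authorization_info(self, principal):
        return principal.roles


def is_permitted(realm, username, password):
    """One request's authenticate-then-authorize sequence for the restricted endpoint."""
    principal = realm.do_get_authentication_info(username, password)
    if principal is None:
        return False
    return RESTRICTED_ROLE in realm.do_get_authorization_info(principal)


def interleaved_requests(realm):
    """Deterministic replay of the interleaving threads produce non-deterministically:
    'user' authenticates, 'admin' authenticates on another thread, then 'user' is
    authorized. Returns True if 'user' reached the restricted endpoint."""
    user_principal = realm.do_get_authentication_info("user", "user")
    realm.do_get_authentication_info("admin", "admin")   # other thread runs here
    return RESTRICTED_ROLE in realm.do_get_authorization_info(user_principal)


def stress(realm, rounds=200):
    """Threaded loop in the spirit of test.py: returns how many times a non-admin
    user was wrongly admitted (0 is the only acceptable value)."""
    false_positives = []
    lock = threading.Lock()

    def worker(username, password):
        if username != "admin" and is_permitted(realm, username, password):
            with lock:
                false_positives.append(username)

    threads = []
    for _ in range(rounds):
        for creds in (("admin", "admin"), ("user", "user"), ("admin", "admin")):
            t = threading.Thread(target=worker, args=creds)
            threads.append(t)
            t.start()
    for t in threads:
        t.join()
    return len(false_positives)


if __name__ == "__main__":
    print("unsafe realm, forced interleaving:", interleaved_requests(UnsafeRealm()))  # True
    print("safe realm, forced interleaving:", interleaved_requests(SafeRealm()))      # False
    print("safe realm, threaded false authorizations:", stress(SafeRealm()))          # 0
```

The forced replay shows the failure the threaded script only hits by chance: with the cached field, 'user' is authorized with 'admin' roles whenever another thread's authentication lands between its two calls, while the principal-carrying realm has no cross-request state to corrupt.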



Comments
Comment by Ryan Goulding [ 20/Jan/16 ]

https://git.opendaylight.org/gerrit/#/c/33109/

Generated at Wed Feb 07 19:08:36 UTC 2024 using Jira 8.20.10#820010-sha1:ace47f9899e9ee25d7157d59aa17ab06aee30d3d.