[NETCONF-476] NetConf SBP uses global privatekey for all connections Created: 10/Oct/17  Updated: 09/Jul/21  Resolved: 09/Jul/21

Status: Resolved
Project: netconf
Component/s: netconf
Affects Version/s: None
Fix Version/s: None

Type: Bug
Reporter: Juraj Veverka Assignee: Tomas Cere
Resolution: Done Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

Operating System: All
Platform: All


External issue ID: 9261

Description

Problem:
The current implementation of the NetConf southbound plugin uses a single instance of a keypair for all connected netconf devices. The user is able to set a username/password per netconf device, but the connection key is shared by all connections.

Solution:
When a new netconf device configuration is created in the data store in the netconf topology, this configuration must contain the username/password or keypair for the device.

What needs to be done:

  • netconf model (device configuration) must be adapted in order to contain username/password or keypair in base64 format
  • org.opendaylight.netconf.topology.AbstractNetconfTopology
  • privateKeyPath and privateKeyPassphrase must be removed (also from blueprint and configuration)
  • method getClientConfig must be adapted accordingly


Comments
Comment by Tomas Cere [ 12/Oct/17 ]

I think the reason it was implemented like this was to prevent anybody being able to read the keypair from the datastore.
However we should be able to create a store for the key-pairs which would be encrypted via AAA's EncryptionService.
So it would look something like this:
1. credentials store - restconf CRUD RPCs to store/remove key pairs, which would be encrypted inside the datastore
2. when the southbound plugin needs to retrieve these, they would be decrypted via the EncryptionService
3. each key pair would have its own unique credentialsId
4. when a user adds a new device with key-pair authentication, only the credentialsId would need to be specified.

The netconf model will need to be updated. We will need to avoid breaking API changes for now, so we need to keep the
old way credentials were configured, with the new cases being wrapped in a container to allow us to also specify whether we want
an encrypted username/password.

The new model would look like this:
grouping netconf-node-credentials {
    choice credentials {
        config true;
        case login-password-deprecated {
            status deprecated;
            leaf username { type string; }
            leaf password { type string; }
        }
        case login-password {
            container login-password {
                leaf username { type string; }
                leaf password { type string; }
            }
        }
        case login-password-unencrypted {
            container login-password-unencrypted {
                leaf username { type string; }
                leaf password { type string; }
            }
        }
        case key-based {
            container key-pair {
                leaf pair-id { type string; }
            }
        }
    }
}
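
As an added illustration of the store-and-resolve flow described in the comment above (not code from the netconf or AAA projects): key material is encrypted before it is written to the datastore and decrypted only when the southbound plugin resolves a device's pair-id, so no private key is shared across devices and an unknown pair-id fails closed. The EncryptionService below is a hypothetical AES-256-GCM stand-in for AAA's service, and KeyPairStore, put and resolve are assumed names.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

/** Hypothetical stand-in for AAA's EncryptionService: AES-256-GCM, random 12-byte IV prepended to the ciphertext. */
final class EncryptionService {
    private final SecretKey key;
    private final SecureRandom rng = new SecureRandom();
    EncryptionService() throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES"); kg.init(256); key = kg.generateKey();
    }
    String encrypt(String plain) throws Exception {
        byte[] iv = new byte[12]; rng.nextBytes(iv); // fresh IV per encryption; never reuse with the same key
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, iv));
        byte[] ct = c.doFinal(plain.getBytes(StandardCharsets.UTF_8));
        byte[] out = new byte[12 + ct.length];
        System.arraycopy(iv, 0, out, 0, 12);
        System.arraycopy(ct, 0, out, 12, ct.length);
        return Base64.getEncoder().encodeToString(out);
    }
    String decrypt(String encoded) throws Exception {
        byte[] in = Base64.getDecoder().decode(encoded);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, in, 0, 12)); // IV is the first 12 bytes
        return new String(c.doFinal(in, 12, in.length - 12), StandardCharsets.UTF_8); // tag mismatch throws
    }
}

/** Credentials store: pair-id -> key material, encrypted before it reaches the (in-memory stand-in) datastore. */
final class KeyPairStore {
    private final Map<String, String> datastore = new HashMap<>();
    private final EncryptionService enc;
    KeyPairStore(EncryptionService enc) { this.enc = enc; }
    /** Populated via the store RPC; only ciphertext is persisted. */
    void put(String pairId, String privateKeyPem) throws Exception { datastore.put(pairId, enc.encrypt(privateKeyPem)); }
    /** What the southbound plugin would call when building a device's client config from its pair-id. */
    String resolve(String pairId) throws Exception {
        String stored = datastore.get(pairId);
        if (stored == null) throw new IllegalArgumentException("unknown pair-id: " + pairId); // fail closed
        return enc.decrypt(stored);
    }
}
```

A device configuration then carries only its pair-id in the key-pair container, and two devices can never resolve to the same private key unless they are deliberately given the same id.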

Comment by Tomas Cere [ 24/Oct/17 ]

https://git.opendaylight.org/gerrit/#/q/topic:keyauth-refactor
