https://jira.opendaylight.org This file is an XML representation of an issue en-us 8.20.10 820010 22-06-2022 https://jira.opendaylight.org/browse/AAA-11 aaa <p>Steps</p> <p>I installed the karaf distribution from </p> <p><a href="https://jenkins.opendaylight.org/integration/view/Integration%20jobs/job/integration-master-project-centralized-integration/lastSuccessfulBuild/artifact/distributions/extra/karaf/target/distribution-karaf-0.2.0-SNAPSHOT.zip" class="external-link" target="_blank" rel="nofollow noopener">https://jenkins.opendaylight.org/integration/view/Integration%20jobs/job/integration-master-project-centralized-integration/lastSuccessfulBuild/artifact/distributions/extra/karaf/target/distribution-karaf-0.2.0-SNAPSHOT.zip</a></p> <p>It was either build #2402 or #2401 from Sep 16. Not sure which because version.properties doesnt set a timestamp.</p> <p>I deployed the artifact and booted using &lt;odl-home-dir&gt;/bin/karaf </p> <p>when the console was open I installed features</p> <p>feature:install odl-restconf odl-bgpcep-all odl-netconf-connector-ssh</p> <p>After waiting a few minutes I tried GET request to </p> <p>&lt;localhost&gt;restconf/operational/network-topology:network-topology/ this was a succesful, a 200 HTTP stus code and the expected payload was sent.</p> <p>I logged out of the karaf container using "logout"waited for all the processes to terminate , confirmed using ps aux | grep java and restarted the karaf container using &lt;odl-home-dir&gt;/bin/karaf </p> <p>After a fewm minutes wait for the system to come up<br/> accessing the URI at <br/> &lt;localhost&gt;:8181/restconf/operational/network-topology:network-topology/ now resulted in a 401 error.</p> <p>It's also interesting that while the system was coming up a 404 status code and then a 500 status code was received. they were finally replaced with 401 code after odl-netconf-connector-ssh feature was loaded.</p> <p>The stack trace for the 500 error showed that odl-aaa-authn and odl-aaa-authn-plugin was thowing an exception so we wondered what would happen if we uninstlled this.</p> <p>feature:uninstall odl-aaa-authn<br/> feature:uninstall odl-aaa-authn-plugin</p> <p>I didnt expect it to work because odl-netconf-connector-ssh is dependent on these features but we could uninstall them, which maybe a bug also. We still couldn't access resfconf on port 8181 but rather than not being authorised , I think the reason is that we had broken odl-netconf-connector-ssh by removing its dependencies.</p> <p>In summary I think this is a bug because odl-aaa-authn-plugin and odl-aaa-authn are configured to block restconf connections by default.</p> <p>Operating System: All<br/> Platform: All</p> AAA-11

odl-aaa-authn-plugin and odl-aaa-authn are configured to block restconf connections by default.

Bug Verified Done Unassigned RichardHill Tue, 16 Sep 2014 18:51:16 +0000 Thu, 21 Mar 2019 11:56:50 +0000 Wed, 1 Oct 2014 14:13:46 +0000 General 0 3 <p>Attachment karaf-debug.zip has been added with description: log files from the test.</p> <p>odl-restconf works fine without aaa. Hence, you get a 200 before. However, with aaa installed, aaa will check for authentication and fail with 401 (unauthorized) if there is no token given or basic auth (like in Hydrogen). So, the 401 you see is expected behavior.</p> <p>Also, note that odl-restconf is currently using a static web.xml and hence cannot listen for OSGi dynamic changes and will not be able to react to aaa AuthN filter coming and going. So, a restart of the odl-restconf bundle is required if aaa is added/removed dynamically. Alternatively, you can install aaa first:</p> <p>feature:install odl-aaa-all odl-restconf odl-bgpcep-all odl-netconf-connector-ssh</p> <p>Hi Liem, thank you for the information.</p> <p>Ive a few questions:</p> <p>How can I configure ODL not to use aaa on the restconf interface.</p> <p>The README here <a href="https://github.com/opendaylight/aaa/blob/master/README.md" class="external-link" target="_blank" rel="nofollow noopener">https://github.com/opendaylight/aaa/blob/master/README.md</a><br/> describes how to set it up.</p> <p>The section "Authorization &amp; Access Control" contains the statement</p> <p> "Default authorization are loaded from the configuration subsystem (TODO: Provide a default set) They are accessible and editable via the restconf interface at: </p> <p>172.29.50.236:8181/restconf/configuration/authorization-schema:simple-authorization/"</p> <p>1) Could you point me towards the default set mentioned in the TODO please</p> <p>2) The URI is restconf so blocked by a 401, I expect there is a another way of configuring this, its just not clear to me from the wiki.</p> <p>This bug (lack of documentation how to configure AAA to allow restconf client) means we are unable to use ODL when AA is present so Ive changed the status to a blocker.</p> <p>Experimentation shows that upon the first start with an aaa feature, ${karaf.home}/etc/org.opendaylight.aaa.authn.cfg is created. After editing its second line to<br/> authEnabled=false<br/> (after graceful shutdown of karaf), subsequent start sees ODL allowing unrestricted access via RESTCONF.</p> <p>Perhaps this is the information missing from current AAA documentation?</p> <p>Hi Vratko &amp; Polak,</p> <p>That is correct. Setting authEnabled=false will bypass AAA completely. This can be done by editing the config file as you did, or by using the OSGi Admin console (either via the config command in CLI or webconsole). BTW, AAA configurations are dynamic and do not need bundle/container restart.</p> <p>We are actively working on the Developers Guide to include this information. Apologies for the doc lag.</p> <p>Thanks,<br/> Liem</p> <p>Please let me know if disabling aaa via configuration would solve your testing issues.</p> <p>In production, Restconf APIs should be authenticated by design.</p> <p>I don't hear back from the submitter; so will mark this as resolved for now, as this is expected behavior from AAA (enforce authentication on Restconf by default).</p> Development External issue ID 1913 External issue URL Rank 0|i023jr: