https://jira.opendaylight.org This file is an XML representation of an issue en-us 8.20.10 820010 22-06-2022 https://jira.opendaylight.org/browse/AAA-85 aaa <p>Up to now, editing etc/org.opendaylight.aaa.authn.cfg file to contain authEnabled=false has lead to every request to be considered authorized.<br/> But in current Beryllium snapshots, the same edit leads to every request to be considered NOT authorized.</p> <p>This is either a regression in functionality, or a new feature which misses documentation (<a href="https://jira.opendaylight.org/browse/AAA-84" title="Document differences between Li and Be auth-related config files" class="issue-link" data-issue-key="AAA-84"><del>AAA-84</del></a>).</p> <p>Steps to reproduce:<br/> 0. Start ODL.<br/> 1. feature:install odl-restconf<br/> 2. curl -v 127.0.0.1:8181/restconf/modules</p> <p>It does not matter whether the edit was done just before step 2 or any other time before.<br/> It does not matter which restconf URI is used.<br/> When the line is edited to authEnabled=true at runtime, requests with correct credentials (admin:admin by default) work.</p> <p>Another reproduction, in Sandbox: <a href="https://jenkins.opendaylight.org/releng/job/aaa-csit-verify-1node-authn/10/robot/report/log.html#s1-s1-t6-k2-k11-k4" class="external-link" target="_blank" rel="nofollow noopener">https://jenkins.opendaylight.org/releng/job/aaa-csit-verify-1node-authn/10/robot/report/log.html#s1-s1-t6-k2-k11-k4</a></p> <p>Operating System: All<br/> Platform: All</p> AAA-85

authEnabled=false always leads to 401

Bug Resolved Won't Do Unassigned Vratko Polak Mon, 11 Jan 2016 12:01:03 +0000 Thu, 21 Mar 2019 11:56:45 +0000 Wed, 20 Jan 2016 14:22:24 +0000 General 0 2 <p>Pasting what the 401 verbose output looks like. Judging from WWW-Authenticate value, this is not from UnauthorizedException.<br/> The output always looks like that, no matter if it is caused by this Bug or by missing credentials.</p> <p>$ curl -v -u 'admin:admin' 127.0.0.1:8181/restconf/modules ;echo</p> <ul> <li>About to connect() to 127.0.0.1 port 8181 (#0)</li> <li>Trying 127.0.0.1...</li> <li>connected</li> <li>Connected to 127.0.0.1 (127.0.0.1) port 8181 (#0)</li> <li>Server auth using Basic with user 'admin'<br/> &gt; GET /restconf/modules HTTP/1.1<br/> &gt; Authorization: Basic YWRtaW46YWRtaW4=<br/> &gt; User-Agent: curl/7.27.0<br/> &gt; Host: 127.0.0.1:8181<br/> &gt; Accept: <b>/</b><br/> &gt;<br/> &lt; HTTP/1.1 401 Unauthorized<br/> &lt; Set-Cookie: rememberMe=deleteMe; Path=/restconf; Max-Age=0; Expires=Sun, 10-Jan-2016 11:55:24 GMT</li> <li>Authentication problem. Ignoring this.<br/> &lt; WWW-Authenticate: BASIC realm="application"<br/> &lt; Content-Length: 0<br/> &lt; Server: Jetty(8.1.15.v20140411)<br/> &lt;</li> <li>Connection #0 to host 127.0.0.1 left intact</li> <li>Closing connection #0</li> </ul> <p>This is what log looks like, attached segment where request without -u was sent at 09:30:51 and request with admin:admin at 09:30:54.</p> <p>Crucial reports seem to be these ones:</p> <p>2016-01-12 09:30:51,721 | DEBUG | restconf/modules | BasicHttpAuthenticationFilter | 233 - org.apache.shiro.web - 1.2.3 | Authentication required: sending 401 Authentication challenge response.</p> <p>2016-01-12 09:30:54,942 | INFO | restconf/modules | TokenAuthRealm | 236 - org.opendaylight.aaa.shiro - 0.3.0.SNAPSHOT | Unknown OAuth2 Token Access Request<br/> org.apache.shiro.authc.AuthenticationException: Could not validate the token admin<br/> at org.opendaylight.aaa.shiro.realm.TokenAuthRealm.validate(TokenAuthRealm.java:248)<span class="error">&#91;236:org.opendaylight.aaa.shiro:0.3.0.SNAPSHOT&#93;</span></p> <p>Common precondition seem to be this one:</p> <p>2016-01-12 09:30:51,719 | TRACE | restconf/modules | PathMatchingFilter | 233 - org.apache.shiro.web - 1.2.3 | Filter 'authcBasic' is enabled for the current request under path '/**' with config <span class="error">&#91;null&#93;</span>. Delegating to subclass implementation for 'onPreHandle' check.</p> <p>Attachment karaf_20160112.log has been added with description: Segment of karaf.log</p> <p>Some semantics have changed such that this config file may not work the same way anymore. An equivalent change should work;</p> <p>In shiro.ini (<a href="https://github.com/opendaylight/aaa/blob/99de61dde20da19d8ad050fea85ce31eb8d62b17/aaa-shiro/src/main/resources/shiro.ini" class="external-link" target="_blank" rel="nofollow noopener">https://github.com/opendaylight/aaa/blob/99de61dde20da19d8ad050fea85ce31eb8d62b17/aaa-shiro/src/main/resources/shiro.ini</a>) do the following:</p> <p>Change "/** = authcBasic" to "/** = anon"</p> <p>Sorry for not documenting this; I will dig deeper when I get the chance. This should help immediately and I'll push some documentation to describe this.</p> <p>Also, you can install odl-restconf-noauth which will not activate the AAA service.</p> <p>&gt; Change "/** = authcBasic" to "/** = anon"</p> <p>This works.</p> <p>With this information, I guess this can be marked as WONTFIX.</p> <p>Documentation related to how to turn AAA off is included in the wiki here now:<br/> <a href="https://wiki.opendaylight.org/view/AAA:Turn_aaa_off" class="external-link" target="_blank" rel="nofollow noopener">https://wiki.opendaylight.org/view/AAA:Turn_aaa_off</a></p> Development External issue ID 4922 External issue URL Issue Type Rank 0|i02407: