OpenDaylight JIRA https://jira.opendaylight.org This file is an XML representation of an issue en-us 8.20.10 820010 22-06-2022 [NETCONF-1114] Incorrect operational state of device configuration with Invalid encrypted password https://jira.opendaylight.org/browse/NETCONF-1114 netconf <p>Some device configuration with invalid encrypted password causes failure while processing the device configuration and creates incorrect operational state for the device.</p> <p>For example, the following request which directly creates/updates device configuration with unencrypted password:</p> <div class="preformatted panel" style="border-width: 1px;"><div class="preformattedContent panelContent"> <pre>PUT /rests/data/network-topology:network-topology/topology=topology-netconf/node=netconf-mdsal { "network-topology:node": [ { "node-id": "netconf-mdsal", "netconf-node-topology:concurrent-rpc-limit": 0, "netconf-node-topology:schema-cache-directory": "netconf-mdsal", "netconf-node-topology:login-password": { "username": "admin", "password": "admin" }, "netconf-node-topology:default-request-timeout-millis": 1800000, "netconf-node-topology:port": 2830, "netconf-node-topology:tcp-only": false, "netconf-node-topology:host": "127.0.0.1", "netconf-node-topology:actor-response-wait-time": 600, "netconf-node-topology:keepalive-delay": 600 } ] } </pre> </div></div> <p>triggers this exception:</p> <div class="preformatted panel" style="border-width: 1px;"><div class="preformattedContent panelContent"> <pre>00:51:16.260 ERROR [opendaylight-cluster-data-notification-dispatcher-46] member-1-shard-topology-config: Error notifying listener org.opendaylight.mdsal.binding.dom.adapter.BindingDOMDataTreeChangeListenerAdapter@4abd7f00 java.lang.IllegalArgumentException: Last unit does not have enough valid bits at java.util.Base64$Decoder.decode0(Base64.java:867) ~[?:?] at java.util.Base64$Decoder.decode(Base64.java:566) ~[?:?] at java.util.Base64$Decoder.decode(Base64.java:589) ~[?:?] at org.opendaylight.aaa.encrypt.impl.AAAEncryptionServiceImpl.decrypt(AAAEncryptionServiceImpl.java:151) ~[?:?] at org.opendaylight.netconf.topology.spi.DefaultNetconfClientConfigurationBuilderFactory.getHandlerFromCredentials(DefaultNetconfClientConfigurationBuilderFactory.java:96) ~[bundleFile:?] at org.opendaylight.netconf.topology.spi.DefaultNetconfClientConfigurationBuilderFactory.createClientConfigurationBuilder(DefaultNetconfClientConfigurationBuilderFactory.java:68) ~[bundleFile:?] at org.opendaylight.netconf.topology.spi.NetconfNodeHandler.&lt;init&gt;(NetconfNodeHandler.java:143) ~[bundleFile:?] at org.opendaylight.netconf.topology.spi.AbstractNetconfTopology.setupConnection(AbstractNetconfTopology.java:142) ~[bundleFile:?] at org.opendaylight.netconf.topology.spi.AbstractNetconfTopology.lockedEnsureNode(AbstractNetconfTopology.java:108) ~[bundleFile:?] at org.opendaylight.netconf.topology.spi.AbstractNetconfTopology.ensureNode(AbstractNetconfTopology.java:96) ~[bundleFile:?] at org.opendaylight.netconf.topology.impl.NetconfTopologyImpl.onDataTreeChanged(NetconfTopologyImpl.java:145) ~[?:?] at org.opendaylight.mdsal.binding.dom.adapter.BindingDOMDataTreeChangeListenerAdapter.onDataTreeChanged(BindingDOMDataTreeChangeListenerAdapter.java:44) ~[bundleFile:?] at org.opendaylight.controller.cluster.datastore.DataTreeChangeListenerActor.dataTreeChanged(DataTreeChangeListenerActor.java:90) ~[bundleFile:?] at org.opendaylight.controller.cluster.datastore.DataTreeChangeListenerActor.handleReceive(DataTreeChangeListenerActor.java:45) ~[bundleFile:?] at akka.japi.pf.UnitCaseStatement.apply(CaseStatements.scala:24) ~[bundleFile:?] at akka.japi.pf.UnitCaseStatement.apply(CaseStatements.scala:20) ~[bundleFile:?] at scala.PartialFunction.applyOrElse(PartialFunction.scala:214) ~[bundleFile:?] at scala.PartialFunction.applyOrElse$(PartialFunction.scala:213) ~[bundleFile:?] at akka.japi.pf.UnitCaseStatement.applyOrElse(CaseStatements.scala:20) ~[bundleFile:?] at scala.PartialFunction$OrElse.applyOrElse(PartialFunction.scala:269) ~[bundleFile:?] at scala.PartialFunction$OrElse.applyOrElse(PartialFunction.scala:270) ~[bundleFile:?] at akka.actor.Actor.aroundReceive(Actor.scala:537) ~[bundleFile:?] at akka.actor.Actor.aroundReceive$(Actor.scala:535) ~[bundleFile:?] at akka.actor.AbstractActor.aroundReceive(AbstractActor.scala:220) ~[bundleFile:?] at akka.actor.ActorCell.receiveMessage(ActorCell.scala:579) ~[bundleFile:?] at akka.actor.ActorCell.invoke(ActorCell.scala:547) ~[bundleFile:?] at akka.dispatch.Mailbox.processMailbox(Mailbox.scala:270) ~[bundleFile:?] at akka.dispatch.Mailbox.run(Mailbox.scala:231) ~[bundleFile:?] at akka.dispatch.Mailbox.exec(Mailbox.scala:243) ~[bundleFile:?] at java.util.concurrent.ForkJoinTask.doExec(ForkJoinTask.java:373) ~[?:?] at java.util.concurrent.ForkJoinPool$WorkQueue.topLevelExec(ForkJoinPool.java:1182) ~[?:?] at java.util.concurrent.ForkJoinPool.scan(ForkJoinPool.java:1655) ~[?:?] at java.util.concurrent.ForkJoinPool.runWorker(ForkJoinPool.java:1622) ~[?:?] at java.util.concurrent.ForkJoinWorkerThread.run(ForkJoinWorkerThread.java:165) ~[?:?] </pre> </div></div> <p>The exception thrown from <tt>Base64$Decoder.decode</tt> while attempting to decrypt the password is not handled while processing the device configuration, hence the process is abruptly aborted and premature operational state is created with <tt>connection-status</tt> of <tt>connecting</tt> even though there is no connection attempt:</p> <div class="preformatted panel" style="border-width: 1px;"><div class="preformattedContent panelContent"> <pre>GET /rests/data/network-topology:network-topology/topology=topology-netconf/node=netconf-mdsal?content=nonconfig { "network-topology:node": [ { "node-id": "netconf-mdsal", "netconf-node-topology:port": 2830, "netconf-node-topology:connection-status": "connecting", "netconf-node-topology:host": "127.0.0.1" } ] } </pre> </div></div> <p>Also, the operational data is not cleaned up even after the device configuration is removed.</p> <p>Another side effect of this issue is that if there are multiple devices created/updated together, e.g. when controller is restarted with multiple devices configured, then several of them may not be activated even if there just one device with the configuration issue because processing is aborted for the rest once this error is encountered.</p> NETCONF-1114 Incorrect operational state of device configuration with Invalid encrypted password Bug Medium In Progress Unresolved Peter Suna Sangwook Ha Thu, 3 Aug 2023 01:03:22 +0000 Fri, 3 Nov 2023 13:59:30 +0000 6.0.0 5.0.7 4.0.8 7.0.0 netconf 0 4 <p>Root cause description – see <a href="https://github.com/opendaylight/netconf/blob/master/apps/netconf-topology/src/main/java/org/opendaylight/netconf/topology/spi/AbstractNetconfTopology.java#L132" class="external-link" target="_blank" rel="nofollow noopener">AbstractNetconfTopology#setupConnection(...)</a></p> <ul> <li>on initialization of <em>deviceSalFacade</em> variable the instance of NetconfDeviceTopologyAdapter is created which immediately (out of constructor) writes device connection status "connecting" to operational datastore.</li> <li>on next variable <em>nodeHandler</em> initialization the instance of NetconfNodeHandler is created, however building a client configuration (within constructor) RuntimeException occurs</li> <li>as result <em>nodeHandler</em> variable is not created and no handler being mapped to <em>nodeId</em> within <em>activeConnectors</em> map</li> <li>when node deletion is requested no associated handler is found; due to operational data cleanup is performed via <em>nodeHandler</em>.close() – which is transferred to <a href="https://github.com/opendaylight/netconf/blob/master/apps/netconf-topology/src/main/java/org/opendaylight/netconf/topology/spi/NetconfDeviceTopologyAdapter.java#L201" class="external-link" target="_blank" rel="nofollow noopener">NetconfDeviceTopologyAdapter#close()</a> – then handler absence causes node data remaining in operational data store as garbage</li> </ul> <p>So the problem is that the password is allowed to be stored through the PUT request. As the expectation is to have if Base64-encoded, this should by expressed in the YANG model (via a pattern) and the datastore would reject it.</p> <p>the password encryption is out of scope for current task, the issue to be solved via <a href="https://jira.opendaylight.org/browse/NETCONF-1115" title="Handle unencrypted password in login-password for topology node" class="issue-link" data-issue-key="NETCONF-1115">NETCONF-1115</a></p> <p>The issue with client configuration build failure can be also caused by missing credentials (NPE on building clientConfig). This also lead garbage data remain on node removal</p> <p>Yes, we have handled any possible exception that can occur. Fix is working but maybe in the future our logic would need more refactoring and better layering to avoid catching plain java's Exception class.</p> Development Rank 0|i0462f: