https://jira.opendaylight.org This file is an XML representation of an issue en-us 8.20.10 820010 22-06-2022 https://jira.opendaylight.org/browse/NETCONF-476 netconf <p>Problem:<br/> Current implementation of NetConf south bound plugin uses single instance of kaypair for all connected netconf devices. User is able to set username/password per netconf device, but connection key is shared for all connections.</p> <p>Solution:<br/> When new netconf device configuration is created via in data store in netconf topology, this configuration must contain the username/password or keypair for the device. </p> <p>What needs to be done:</p> <ul class="alternate" type="square"> <li>netconf model (device configuration) must be adapted in order to contain username/password or keypair in base64 format</li> <li>org.opendaylight.netconf.topology.AbstractNetconfTopology</li> <li>privateKeyPath and privateKeyPassphrase must be removed (also from blueprint and configuration)</li> <li>method getClientConfig must be adapted accordingly</li> </ul> <p>Operating System: All<br/> Platform: All</p> NETCONF-476

NetConf SBP uses global privatekey for all connections

Bug Resolved Done Tomas Cere Juraj Veverka Tue, 10 Oct 2017 11:23:22 +0000 Fri, 9 Jul 2021 13:30:33 +0000 Fri, 9 Jul 2021 13:30:33 +0000 netconf 0 1 <p>I think the reason it was implemented like this was to prevent anybody being able to read the keypair from the datastore.<br/> However we should be able to create a store for the key-pairs which would be encrypted via AAA's EncryptionService.<br/> So it would look something liek this:<br/> 1. credentials store - restconf crud rpc's to store/remove key pairs, which would be encrypted inside the datastore<br/> 2. when the southbound plugin needs to retrieve these, they would be decrypted via the EncryptionService<br/> 3. each key pair would have its own unique credentialsId<br/> 4. when user adda a new device with key-pair authentication only the credentialsId would needed to be specified.</p> <p>The netconf model will need to be updated, we will need to prevent breaking api changes for now so we need to keep the<br/> old way credentials were configured, with the new cases being wrapped in a container to allow us to also specify whether we want<br/> encrypted username/pw.</p> <p>The new model would look like this:<br/> grouping netconf-node-credentials {<br/> choice credentials {<br/> config true;<br/> case login-password-deprecated {<br/> status deprecated;<br/> leaf username </p> { type string; }<br/> <br/> leaf password { type string; } <p> }<br/> case login-password {<br/> container login-password {<br/> leaf username </p> { type string; }<br/> <br/> leaf password { type string; } <p> }<br/> }<br/> case login-password-unencrypted {<br/> container login-password-unencrypted {<br/> leaf username </p> { type string; }<br/> <br/> leaf password { type string; } <p> }<br/> }<br/> case key-based {<br/> container key-pair {<br/> leaf pair-id </p> { type string; } <p> }<br/> }<br/> }<br/> }</p> <p><a href="https://git.opendaylight.org/gerrit/#/q/topic:keyauth-refactor" class="external-link" target="_blank" rel="nofollow noopener">https://git.opendaylight.org/gerrit/#/q/topic:keyauth-refactor</a></p> Development External issue ID 9261 External issue URL Rank 0|i01yrz: