Re: [controller-dev] [infrautils-dev] credentials for REST to jolokia/exec/org.opendaylight.infrautils.diagstatus

Ryan Goulding <ryandgoulding@...>

What version of code? This wasn’t tied to AAA until oxygen. Prior it was controlled by etc/or.jolokia.osgi.cfg.


On Apr 5, 2018, at 12:32 AM, Michael Vorburger <vorburger@...> wrote:

JamO, +aaa-dev and +controller-dev and Stephen FYI:

On Wed, Apr 4, 2018 at 10:24 PM, Jamo Luhrsen <jluhrsen@...> wrote:
Hi Utility folks,

I noticed in a local setup I have where I've changed the default username
and password for RESTCONF, that I still need to use the admin:admin creds
to hit the diagstatus endpoint.

I'm guessing that's just because this is not tied in to the magic of
AAA and/or RESTCONF creds.

Gotta just live with it, or would it be an easy thing to add, just to keep
things more intuitive?

This seems like a bug (bad one, security wise), but it's not for infrautils-dev - we don't actually do anything re. Jolokia in project infrautils, the diagstatus sub-module simply exposes a JMX bean... the code related to the Jolokia integration in ODL which then make makes this available via HTTP, and secures it with the AAA creds (also used by RESTCONF; there are no creds in RESTCONF itself FYI), is actually in controller and/or aaa (I'm not 100% sure myself what is where)... see and

If you are right, we have this problem (that when changing the default username and password you can still use the previous one) on *ALL* /jolokia/ URLs, I'm guessing.

Would you like to open a (Critical?) bug in JIRA against AAA about this?

Michael Vorburger, Red Hat
vorburger@... | IRC: vorburger @freenode | ~ =
example curl:

curl -u "admin:admin"

infrautils-dev mailing list

controller-dev mailing list

Join to automatically receive all group messages.