Re: [controller-dev] [infrautils-dev] credentials for REST to jolokia/exec/org.opendaylight.infrautils.diagstatus


Ryan Goulding <ryandgoulding@...>
 

for carbon-sr3 we still hadn't integrated jolokia with AAA;  it was still backed by etc/org.jolokia.osgi.cfg, hencewhy you need to use admin/admin after changing the password in AAA.

How did you install jolokia in Fluorine?  You must install using "odl-jolokia" feature from controller to get protection.  Standard off the shelf "jolokia" has NO auth by default...

Regards,

Ryan Goulding

On Thu, Apr 5, 2018 at 6:23 PM, Jamo Luhrsen <jluhrsen@...> wrote:
I don't have access to my setup at the moment. I can later.

but, I think it's based on carbon sr3.

I do have a recent (2/27) snapshot distro from Fluorine though,
and that actually doesn't even need creds to access that
jolokia diagstatus endpoint. restconf still behaves like I
expect, but the diagstatus endpoint takes any (or no)
username/password combo.

JamO

On 4/5/18 12:06 PM, Ryan Goulding wrote:
Jamo, can you comment on code version?  Thanks!

Regards,

Ryan Goulding

On Thu, Apr 5, 2018 at 7:10 AM, Ryan Goulding <ryandgoulding@... <mailto:ryandgoulding@...m>> wrote:

    What version of code? This wasn’t tied to AAA until oxygen. Prior it was controlled by etc/or.jolokia.osgi.cfg.

    Thanks,
    Ryan

    Sent from my iPhone

    On Apr 5, 2018, at 12:32 AM, Michael Vorburger <vorburger@... <mailto:vorburger@...>> wrote:

    JamO, +aaa-dev and +controller-dev and Stephen FYI:

    On Wed, Apr 4, 2018 at 10:24 PM, Jamo Luhrsen <jluhrsen@... <mailto:jluhrsen@...>>wrote:

        Hi Utility folks,

        I noticed in a local setup I have where I've changed the default username
        and password for RESTCONF, that I still need to use the admin:admin creds
        to hit the diagstatus endpoint.

        I'm guessing that's just because this is not tied in to the magic of
        AAA and/or RESTCONF creds.

        Gotta just live with it, or would it be an easy thing to add, just to keep
        things more intuitive?


    This seems like a bug (bad one, security wise), but it's not for infrautils-dev - we don't actually do anything
    re. Jolokia in project infrautils, the diagstatus sub-module simply exposes a JMX bean... the code related to the
    Jolokia integration in ODL which then make makes this available via HTTP, and secures it with the AAA creds (also
    used by RESTCONF; there are no creds in RESTCONF itself FYI), is actually in controller and/or aaa (I'm not 100%
    sure myself what is where)... see https://jira.opendaylight.org/browse/AAA-147
    <https://jira.opendaylight.org/browse/AAA-147> and https://jira.opendaylight.org/browse/CONTROLLER-1324
    <https://jira.opendaylight.org/browse/CONTROLLER-1324>.

    If you are right, we have this problem (that when changing the default username and password you can still use the
    previous one) on *ALL* /jolokia/ URLs, I'm guessing.

    Would you like to open a (Critical?) bug in JIRA against AAA about this?

    Tx,
    M.
    --
    Michael Vorburger, Red Hat
    vorburger@... <mailto:vorburger@...>| IRC: vorburger @freenode | ~ = http://vorburger.ch
    <http://vorburger.ch/>

        example curl:

        curl -u "admin:admin"
        http://192.168.24.11:8081/jolokia/exec/org.opendaylight.infrautils.diagstatus:type=SvcStatus/acquireServiceStatus
        <http://192.168.24.11:8081/jolokia/exec/org.opendaylight.infrautils.diagstatus:type=SvcStatus/acquireServiceStatus>

        Thanks,
        JamO
        _______________________________________________
        infrautils-dev mailing list
        infrautils-dev@...ght.org <mailto:infrautils-dev@...pendaylight.org>
        https://lists.opendaylight.org/mailman/listinfo/infrautils-dev
        <https://lists.opendaylight.org/mailman/listinfo/infrautils-dev>


    _______________________________________________
    controller-dev mailing list
    controller-dev@...ght.org <mailto:controller-dev@...pendaylight.org>
    https://lists.opendaylight.org/mailman/listinfo/controller-dev
    <https://lists.opendaylight.org/mailman/listinfo/controller-dev>



Join z.archive.aaa-dev@lists.opendaylight.org to automatically receive all group messages.