Re: [controller-dev] [infrautils-dev] credentials for REST to jolokia/exec/org.opendaylight.infrautils.diagstatus


Ryan Goulding <ryandgoulding@...>
 

Did you restart ODL after installing odl-jolikia? The issue is you have jolikia installed from karaf without auth, then try to install odl-jolikia which lays down org.jolikia.osgi.cfg with authMode set to delegate. That managed service won’t actually recognize the update to authmode without a restart of Karaf. You want to ONLY ever install odl-jolokia!!

On Apr 7, 2018, at 12:19 PM, Jamo Luhrsen <jluhrsen@...> wrote:

ok, I verified that carbon sr3 is working as we expect, but the recent Fluorine
snapshot distro I have is not behaving like I expect.

I am able to hit this jolokia/exec/org.opendaylight.infrautils.diagstatus:type=SvcStatus/acquireServiceStatus
endpoint after just installing features-aaa, nothing else. The user/password doesn't
seem to matter.

After installing odl-jolokia, it's the same behavior.

should I open a jira, or what other info can I gather?

Thanks,
JamO

On 4/5/18 3:45 PM, Ryan Goulding wrote:
for carbon-sr3 we still hadn't integrated jolokia with AAA; it was still backed by etc/org.jolokia.osgi.cfg, hencewhy you need to use admin/admin after changing the password in AAA.
How did you install jolokia in Fluorine? You must install using "odl-jolokia" feature from controller to get protection. Standard off the shelf "jolokia" has NO auth by default...
Regards,
Ryan Goulding
On Thu, Apr 5, 2018 at 6:23 PM, Jamo Luhrsen <jluhrsen@... <mailto:jluhrsen@...>> wrote:
I don't have access to my setup at the moment. I can later.
but, I think it's based on carbon sr3.
I do have a recent (2/27) snapshot distro from Fluorine though,
and that actually doesn't even need creds to access that
jolokia diagstatus endpoint. restconf still behaves like I
expect, but the diagstatus endpoint takes any (or no)
username/password combo.
JamO
On 4/5/18 12:06 PM, Ryan Goulding wrote:
Jamo, can you comment on code version? Thanks!
Regards,
Ryan Goulding
On Thu, Apr 5, 2018 at 7:10 AM, Ryan Goulding <ryandgoulding@... <mailto:ryandgoulding@...>
<mailto:ryandgoulding@... <mailto:ryandgoulding@...>>> wrote:
What version of code? This wasn’t tied to AAA until oxygen. Prior it was controlled by etc/or.jolokia.osgi.cfg.
Thanks,
Ryan
Sent from my iPhone
On Apr 5, 2018, at 12:32 AM, Michael Vorburger <vorburger@... <mailto:vorburger@...>
<mailto:vorburger@... <mailto:vorburger@...>>> wrote:
JamO, +aaa-dev and +controller-dev and Stephen FYI:
On Wed, Apr 4, 2018 at 10:24 PM, Jamo Luhrsen <jluhrsen@... <mailto:jluhrsen@...>
<mailto:jluhrsen@... <mailto:jluhrsen@...>>>wrote:
Hi Utility folks,
I noticed in a local setup I have where I've changed the default username
and password for RESTCONF, that I still need to use the admin:admin creds
to hit the diagstatus endpoint.
I'm guessing that's just because this is not tied in to the magic of
AAA and/or RESTCONF creds.
Gotta just live with it, or would it be an easy thing to add, just to keep
things more intuitive?
This seems like a bug (bad one, security wise), but it's not for infrautils-dev - we don't actually do
anything
re. Jolokia in project infrautils, the diagstatus sub-module simply exposes a JMX bean... the code
related to the
Jolokia integration in ODL which then make makes this available via HTTP, and secures it with the AAA
creds (also
used by RESTCONF; there are no creds in RESTCONF itself FYI), is actually in controller and/or aaa (I'm
not 100%
sure myself what is where)... see https://jira.opendaylight.org/browse/AAA-147
<https://jira.opendaylight.org/browse/AAA-147>
<https://jira.opendaylight.org/browse/AAA-147 <https://jira.opendaylight.org/browse/AAA-147>> and
https://jira.opendaylight.org/browse/CONTROLLER-1324 <https://jira.opendaylight.org/browse/CONTROLLER-1324>
<https://jira.opendaylight.org/browse/CONTROLLER-1324
<https://jira.opendaylight.org/browse/CONTROLLER-1324>>.
If you are right, we have this problem (that when changing the default username and password you can
still use the
previous one) on *ALL* /jolokia/ URLs, I'm guessing.
Would you like to open a (Critical?) bug in JIRA against AAA about this?
Tx,
M.
--
Michael Vorburger, Red Hat
vorburger@... <mailto:vorburger@...> <mailto:vorburger@...
<mailto:vorburger@...>>| IRC: vorburger @freenode | ~ = http://vorburger.ch
<http://vorburger.ch/>
example curl:
curl -u "admin:admin"
http://192.168.24.11:8081/jolokia/exec/org.opendaylight.infrautils.diagstatus:type=SvcStatus/acquireServiceStatus
<http://192.168.24.11:8081/jolokia/exec/org.opendaylight.infrautils.diagstatus:type=SvcStatus/acquireServiceStatus>
<http://192.168.24.11:8081/jolokia/exec/org.opendaylight.infrautils.diagstatus:type=SvcStatus/acquireServiceStatus
<http://192.168.24.11:8081/jolokia/exec/org.opendaylight.infrautils.diagstatus:type=SvcStatus/acquireServiceStatus>>
Thanks,
JamO
_______________________________________________
infrautils-dev mailing list
infrautils-dev@... <mailto:infrautils-dev@...>
<mailto:infrautils-dev@... <mailto:infrautils-dev@...>>
https://lists.opendaylight.org/mailman/listinfo/infrautils-dev
<https://lists.opendaylight.org/mailman/listinfo/infrautils-dev>
<https://lists.opendaylight.org/mailman/listinfo/infrautils-dev
<https://lists.opendaylight.org/mailman/listinfo/infrautils-dev>>
_______________________________________________
controller-dev mailing list
controller-dev@... <mailto:controller-dev@...>
<mailto:controller-dev@... <mailto:controller-dev@...>>
https://lists.opendaylight.org/mailman/listinfo/controller-dev
<https://lists.opendaylight.org/mailman/listinfo/controller-dev>
<https://lists.opendaylight.org/mailman/listinfo/controller-dev
<https://lists.opendaylight.org/mailman/listinfo/controller-dev>>

Join z.archive.aaa-dev@lists.opendaylight.org to automatically receive all group messages.