AAA using LDAP - Facing issues with authorization


Thiriloshini.ThoppeKrishnakumar@us.fujitsu.com <Thiriloshini.ThoppeKrishnakumar@...>
 

Hi all,

 

I’m using the carbon-sr3 branch. I am trying to authenticate and authorize an LDAP user.

 

Authentication works fine. But I’m facing issues with authorization. I have been struggling to get it working. Any help/pointer is much appreciated.

 

Please find the snapshot of LDAP below. All the users under ou=users belong to the group odlGroup.

Below is the snapshot of odlUser

Please find my configuration below in the shiro.ini with respect to LDAP Realm.

Please note the highlighted one. I’m trying to assign the admin role to the LDAP group. Please let me know if this is the right way of doing it.

I also tried the below with no luck.

ldapRealm.groupRolesMap = "odlGroup":"admin"

ldapRealm = org.opendaylight.aaa.shiro.realm.ODLJndiLdapRealm

ldapRealm.userDnTemplate = cn={0},ou=users,dc=sdn,dc=org

ldapRealm.contextFactory.url = ldap://10.6.6.6:389

ldapRealm.searchBase = dc=sdn,dc=org

# Abstraction to map LDAP extracted groups to ODL roles

ldapRealm.groupRolesMap = "cn={0},ou=groups,dc=sdn,dc=org":"admin"

ldapRealm.ldapAttributeForComparison = objectClass

 

securityManager.realms = $ldapRealm, $tokenAuthRealm

With the above information I am able to log in to apidoc with odlUser.

 

But when I try to access the URLs under aaa-cert-mdsal, to which the admin role has been assigned, I see an exception in karaf.log (a snapshot of the exception is provided below).

 

/config/aaa-cert-mdsal** = authcBasic, roles[admin]

 

I added a print statement where I see the exception, in aaa/aaa-shiro/impl/src/main/java/org/opendaylight/aaa/impl/shiro/realm/TokenAuthRealm.java (function doGetAuthorizationInfo):

 

            System.out.println("primaryPrincipal: "+primaryPrincipal.toString());
            odlPrincipal = (ODLPrincipal) primaryPrincipal;  <-- this is where I see the exception

 

For the user that exists in ODL, below is what it returns:

odlPrincipal: org.opendaylight.aaa.impl.shiro.principal.ODLPrincipalImpl@2e8d82e0

For the user that exists in LDAP, below is what it returns:

primaryPrincipal: odlUser

 

Basically, ODL doesn’t understand the LDAP user.

 

Do you think we need to sync the LDAP user/group with ODL?

Is there anything else that I am missing?

 

Please find the exception below:

 

2018-05-17 10:53:30,874 | ERROR | tp2134027892-356 | TokenAuthRealm                   | 257 - org.opendaylight.aaa.shiro - 0.5.3.Carbon | Couldn't decode authorization request
java.lang.ClassCastException: java.lang.String cannot be cast to org.opendaylight.aaa.api.shiro.principal.ODLPrincipal
        at org.opendaylight.aaa.shiro.realm.TokenAuthRealm.doGetAuthorizationInfo(TokenAuthRealm.java:98)[257:org.opendaylight.aaa.shiro:0.5.3.Carbon]
        at org.apache.shiro.realm.AuthorizingRealm.getAuthorizationInfo(AuthorizingRealm.java:341)[258:org.apache.shiro.core:1.3.2]
        at org.apache.shiro.realm.AuthorizingRealm.hasRole(AuthorizingRealm.java:573)[258:org.apache.shiro.core:1.3.2]
        at org.apache.shiro.authz.ModularRealmAuthorizer.hasRole(ModularRealmAuthorizer.java:374)[258:org.apache.shiro.core:1.3.2]
        at org.apache.shiro.mgt.AuthorizingSecurityManager.hasRole(AuthorizingSecurityManager.java:153)[258:org.apache.shiro.core:1.3.2]
        at org.apache.shiro.subject.support.DelegatingSubject.hasRole(DelegatingSubject.java:224)[258:org.apache.shiro.core:1.3.2]
        at org.opendaylight.aaa.shiro.realm.MDSALDynamicAuthorizationFilter.isAccessAllowed(MDSALDynamicAuthorizationFilter.java:131)[257:org.opendaylight.aaa.shiro:0.5.3.Carbon]
        at org.opendaylight.aaa.shiro.realm.MDSALDynamicAuthorizationFilter.isAccessAllowed(MDSALDynamicAuthorizationFilter.java:63)[257:org.opendaylight.aaa.shiro:0.5.3.Carbon]
        at org.apache.shiro.web.filter.AccessControlFilter.onPreHandle(AccessControlFilter.java:162)[259:org.apache.shiro.web:1.3.2]
        at org.apache.shiro.web.filter.PathMatchingFilter.isFilterChainContinued(PathMatchingFilter.java:203)[259:org.apache.shiro.web:1.3.2]
        at org.apache.shiro.web.filter.PathMatchingFilter.preHandle(PathMatchingFilter.java:178)[259:org.apache.shiro.web:1.3.2]
        at org.apache.shiro.web.servlet.AdviceFilter.doFilterInternal(AdviceFilter.java:131)[259:org.apache.shiro.web:1.3.2]
        at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)[259:org.apache.shiro.web:1.3.2]
        at org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:66)[259:org.apache.shiro.web:1.3.2]
        at org.apache.shiro.web.servlet.AdviceFilter.executeChain(AdviceFilter.java:108)[259:org.apache.shiro.web:1.3.2]
        at org.apache.shiro.web.servlet.AdviceFilter.doFilterInternal(AdviceFilter.java:137)[259:org.apache.shiro.web:1.3.2]
        at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)[259:org.apache.shiro.web:1.3.2]
        at org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:66)[259:org.apache.shiro.web:1.3.2]
        at org.apache.shiro.web.servlet.AbstractShiroFilter.executeChain(AbstractShiroFilter.java:449)[259:org.apache.shiro.web:1.3.2]
        at org.apache.shiro.web.servlet.AbstractShiroFilter$1.call(AbstractShiroFilter.java:365)[259:org.apache.shiro.web:1.3.2]
        at org.apache.shiro.subject.support.SubjectCallable.doCall(SubjectCallable.java:90)[258:org.apache.shiro.core:1.3.2]
        at org.apache.shiro.subject.support.SubjectCallable.call(SubjectCallable.java:83)[258:org.apache.shiro.core:1.3.2]
        at org.apache.shiro.subject.support.DelegatingSubject.execute(DelegatingSubject.java:383)[258:org.apache.shiro.core:1.3.2]
        at org.apache.shiro.web.servlet.AbstractShiroFilter.doFilterInternal(AbstractShiroFilter.java:362)[259:org.apache.shiro.web:1.3.2]
        at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)[259:org.apache.shiro.web:1.3.2]
        at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1478)[216:org.eclipse.jetty.aggregate.jetty-all-server:8.1.19.v20160209]
        at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:499)[216:org.eclipse.jetty.aggregate.jetty-all-server:8.1.19.v20160209]
        at org.ops4j.pax.web.service.jetty.internal.HttpServiceServletHandler.doHandle(HttpServiceServletHandler.java:69)[225:org.ops4j.pax.web.pax-web-jetty:3.2.9]
        at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:137)[216:org.eclipse.jetty.aggregate.jetty-all-server:8.1.19.v20160209]
        at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:557)[216:org.eclipse.jetty.aggregate.jetty-all-server:8.1.19.v20160209]
        at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:231)[216:org.eclipse.jetty.aggregate.jetty-all-server:8.1.19.v20160209]
        at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1086)[216:org.eclipse.jetty.aggregate.jetty-all-server:8.1.19.v20160209]
        at org.ops4j.pax.web.service.jetty.internal.HttpServiceContext.doHandle(HttpServiceContext.java:240)[225:org.ops4j.pax.web.pax-web-jetty:3.2.9]
        at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:427)[216:org.eclipse.jetty.aggregate.jetty-all-server:8.1.19.v20160209]
        at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:193)[216:org.eclipse.jetty.aggregate.jetty-all-server:8.1.19.v20160209]
        at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1020)[216:org.eclipse.jetty.aggregate.jetty-all-server:8.1.19.v20160209]
        at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:135)[216:org.eclipse.jetty.aggregate.jetty-all-server:8.1.19.v20160209]
        at org.ops4j.pax.web.service.jetty.internal.JettyServerHandlerCollection.handle(JettyServerHandlerCollection.java:75)[225:org.ops4j.pax.web.pax-web-jetty:3.2.9]
        at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:116)[216:org.eclipse.jetty.aggregate.jetty-all-server:8.1.19.v20160209]
        at org.eclipse.jetty.server.Server.handle(Server.java:370)[216:org.eclipse.jetty.aggregate.jetty-all-server:8.1.19.v20160209]
        at org.eclipse.jetty.server.AbstractHttpConnection.handleRequest(AbstractHttpConnection.java:494)[216:org.eclipse.jetty.aggregate.jetty-all-server:8.1.19.v20160209]
        at org.eclipse.jetty.server.AbstractHttpConnection.headerComplete(AbstractHttpConnection.java:973)[216:org.eclipse.jetty.aggregate.jetty-all-server:8.1.19.v20160209]
        at org.eclipse.jetty.server.AbstractHttpConnection$RequestHandler.headerComplete(AbstractHttpConnection.java:1035)[216:org.eclipse.jetty.aggregate.jetty-all-server:8.1.19.v20160209]
        at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:641)[216:org.eclipse.jetty.aggregate.jetty-all-server:8.1.19.v20160209]
        at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:231)[216:org.eclipse.jetty.aggregate.jetty-all-server:8.1.19.v20160209]
        at org.eclipse.jetty.server.AsyncHttpConnection.handle(AsyncHttpConnection.java:82)[216:org.eclipse.jetty.aggregate.jetty-all-server:8.1.19.v20160209]
        at org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEndPoint.java:696)[216:org.eclipse.jetty.aggregate.jetty-all-server:8.1.19.v20160209]
        at org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEndPoint.java:53)[216:org.eclipse.jetty.aggregate.jetty-all-server:8.1.19.v20160209]
        at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:608)[216:org.eclipse.jetty.aggregate.jetty-all-server:8.1.19.v20160209]
        at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:543)[216:org.eclipse.jetty.aggregate.jetty-all-server:8.1.19.v20160209]
        at java.lang.Thread.run(Thread.java:748)[:1.8.0_162]

Thanks in advance for your time.

 

Regards,

Thiriloshini
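The authorization path in the trace above, as a constructed Python model added here (it is not Apache Shiro or OpenDaylight code, and the original post contains no such example). Shiro's ModularRealmAuthorizer.hasRole asks the configured realms in order and stops at the first one that grants the role, so with `securityManager.realms = $ldapRealm, $tokenAuthRealm` the second realm is only reached when the LDAP realm grants nothing; TokenAuthRealm then receives a bare String principal and casts it, which is the ClassCastException at TokenAuthRealm.java:98. The model's class names (LdapRealm, StrictTokenAuthRealm, DefensiveTokenAuthRealm, ODLPrincipal), the directory snapshot, the memberOf values and the assumption that groupRolesMap keys are compared literally (no {0} substitution) against the values of ldapAttributeForComparison are all illustrative and not confirmed by the post:

```python
"""Constructed model of a Shiro-style multi-realm role check (not Shiro/ODL code).

Mimics two things visible in the post: ModularRealmAuthorizer.hasRole asks each
realm in turn until one grants the role, and TokenAuthRealm casts the primary
principal to ODLPrincipal unconditionally (TokenAuthRealm.java:98 in the trace).
Assumed, not confirmed by the post: groupRolesMap keys are compared literally
(no {0} substitution) against the values of ldapAttributeForComparison.
"""
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet

_PAIR = re.compile(r'"([^"]*)"\s*:\s*"([^"]*)"')


@dataclass(frozen=True)
class ODLPrincipal:
    """Stand-in for the typed principal ODL's own realm produces."""
    user_id: str
    roles: FrozenSet[str]


def parse_group_roles_map(value: str) -> Dict[str, FrozenSet[str]]:
    """Parse '"group":"role1,role2", "group2":"role"' into group -> roles."""
    return {key: frozenset(r.strip() for r in roles.split(",") if r.strip())
            for key, roles in _PAIR.findall(value)}


class LdapRealm:
    """Primary principal is the bare user name, as the post's print shows."""

    def __init__(self, directory, group_roles_map, attribute_for_comparison):
        self.directory = directory  # constructed snapshot, see DIRECTORY below
        self.group_roles_map = parse_group_roles_map(group_roles_map)
        self.attribute = attribute_for_comparison

    def roles_for(self, principal) -> FrozenSet[str]:
        entry = self.directory.get(principal) if isinstance(principal, str) else None
        if entry is None:
            return frozenset()  # not our user: grant nothing, raise nothing
        roles = set()
        for value in entry.get(self.attribute, []):
            roles |= self.group_roles_map.get(value, frozenset())
        return frozenset(roles)


class StrictTokenAuthRealm:
    """Unconditional cast: fails on any principal another realm produced."""

    def roles_for(self, principal) -> FrozenSet[str]:
        if not isinstance(principal, ODLPrincipal):  # Python has no checked cast
            raise TypeError(f"{type(principal).__name__} cannot be cast to ODLPrincipal")
        return principal.roles


class DefensiveTokenAuthRealm:
    """Same realm, but it declines to authorize principals it did not create."""

    def roles_for(self, principal) -> FrozenSet[str]:
        return principal.roles if isinstance(principal, ODLPrincipal) else frozenset()


def has_role(realms, principal, role: str) -> bool:
    """ModularRealmAuthorizer-style: first realm to grant the role wins."""
    return any(role in realm.roles_for(principal) for realm in realms)


# Constructed directory snapshot shaped like the post's tree; attribute values are invented.
DIRECTORY = {"odlUser": {
    "objectClass": ["inetOrgPerson", "organizationalPerson", "person", "top"],
    "memberOf": ["cn=odlGroup,ou=groups,dc=sdn,dc=org"],
}}
TEMPLATE_KEY = '"cn={0},ou=groups,dc=sdn,dc=org":"admin"'   # the post's key, taken literally
GROUP_DN_KEY = '"cn=odlGroup,ou=groups,dc=sdn,dc=org":"admin"'


def ldap_admin_with_template_key() -> bool:
    """A literal '{0}' never equals a real group DN, so no role is derived."""
    return has_role([LdapRealm(DIRECTORY, TEMPLATE_KEY, "memberOf")], "odlUser", "admin")


def ldap_admin_with_group_dn() -> bool:
    return has_role([LdapRealm(DIRECTORY, GROUP_DN_KEY, "memberOf")], "odlUser", "admin")


def ldap_admin_with_objectclass() -> bool:
    """Comparing objectClass (as the post's shiro.ini does) needs objectClass values as keys."""
    realm = LdapRealm(DIRECTORY, '"inetOrgPerson":"admin,user"', "objectClass")
    return has_role([realm], "odlUser", "admin")


def strict_realm_raises() -> str:
    """LDAP realm grants nothing, so the chain reaches the strict realm, which throws."""
    try:
        has_role([LdapRealm(DIRECTORY, TEMPLATE_KEY, "memberOf"), StrictTokenAuthRealm()],
                 "odlUser", "admin")
    except TypeError as exc:
        return str(exc)
    return "no error"


def defensive_realm_denies_cleanly() -> bool:
    """Same chain with the defensive realm: a clean deny instead of an exception."""
    return has_role([LdapRealm(DIRECTORY, TEMPLATE_KEY, "memberOf"), DefensiveTokenAuthRealm()],
                    "odlUser", "admin")


def internal_user_still_admin() -> bool:
    """The defensive realm still authorizes the principals it produced itself."""
    local = ODLPrincipal("admin", frozenset({"admin", "user"}))
    return has_role([LdapRealm(DIRECTORY, TEMPLATE_KEY, "memberOf"), DefensiveTokenAuthRealm()],
                    local, "admin")
```

Two separate things fall out of the model. On the LDAP side, a role is only derived when a groupRolesMap key equals one of the compared attribute's values, so the key has to be written in whatever form that attribute carries (an objectClass value when ldapAttributeForComparison is objectClass, a group DN when the compared attribute holds DNs); a key that never matches silently yields no roles and the check falls through to the next realm. On the internal-realm side, a realm in a multi-realm chain should tolerate principals it did not mint (the isinstance check before the cast) so that a foreign principal produces a deny rather than an exception, while its own users keep their roles.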
