Tech meeting today?
Nguyen, Liem Manh <liem_m_nguyen@...>
Hi guys,
I don’t see a meeting for AAA on my calendar today… Are we having a tech meeting?
I think from last time, the agenda is going to include intro to MD-SAL and a presentation of current MD-SAL AuthZ work--if you are ready, Wojciech…
Anyone else has anything else to talk about?
Thanks, Liem
|
|
Re: Tech meeting today?
Ed Warnicke (eaw) <eaw@...>
What time today? The MD-SAL meeting is at 9am PST... I'd be happy to help in intro-ing the MD-SAL to
the AAA team though :)
Ed
From: aaa-dev-bounces@... [aaa-dev-bounces@...] on behalf of Nguyen, Liem Manh [liem_m_nguyen@...]
Sent: Tuesday, June 24, 2014 8:48 AM
To: aaa-dev@...
Cc: Lenrow, Dave
Subject: [Aaa-dev] Tech meeting today?
Hi guys,
I don’t see a meeting for AAA on my calendar today… Are we having a tech meeting?
I think from last time, the agenda is going to include intro to MD-SAL and a presentation of current MD-SAL AuthZ work--if you are ready, Wojciech…
Anyone else has anything else to talk about?
Thanks, Liem
|
|
Re: Tech meeting today?
Nguyen, Liem Manh <liem_m_nguyen@...>
We occasionally have AAA tech meetings at 9PST on Tuesdays… Guess that conflicts with MD-SAL meeting :\.
I will move this topic for this Thursday then… and we need a new date/time for tech meeting. Mondays from 8:30AM PST – 9:30AM PST ok with folks?
Liem
From: Ed Warnicke (eaw) [mailto:eaw@...]
What time today? The MD-SAL meeting is at 9am PST... I'd be happy to help in intro-ing the MD-SAL to the AAA team though :)
Ed
From: aaa-dev-bounces@... [aaa-dev-bounces@...] on behalf of Nguyen, Liem Manh [liem_m_nguyen@...]
Hi guys,
I don’t see a meeting for AAA on my calendar today… Are we having a tech meeting?
I think from last time, the agenda is going to include intro to MD-SAL and a presentation of current MD-SAL AuthZ work--if you are ready, Wojciech…
Anyone else has anything else to talk about?
Thanks, Liem
|
|
time change for AAA meetings on Thursdays
Nguyen, Liem Manh <liem_m_nguyen@...>
Hi guys,
My kid’s summer camp schedule throws me for a loop, and I need to move the AAA status meetings on Thursdays 1/2 hour early (8:30AM PST instead of 9AM), at least for the next couple of months. Is that ok with folks?
Thanks, Liem
|
|
Re: time change for AAA meetings on Thursdays
Ed Warnicke (eaw) <eaw@...>
I would be :)
Ed
From: aaa-dev-bounces@... [aaa-dev-bounces@...] on behalf of Nguyen, Liem Manh [liem_m_nguyen@...]
Sent: Tuesday, June 24, 2014 10:34 AM
To: aaa-dev@...
Subject: [Aaa-dev] time change for AAA meetings on Thursdays
Hi guys,
My kid’s summer camp schedule throws me for a loop, and I need to move the AAA status meetings on Thursdays 1/2 hour early (8:30AM PST instead of 9AM), at least for the next couple of months. Is that ok with folks?
Thanks, Liem
|
|
Re: Tech meeting today?
John Dennis
On 06/24/2014 11:31 AM, Nguyen, Liem Manh wrote:
works for me -- John
|
|
Re: time change for AAA meetings on Thursdays
John Dennis
On 06/24/2014 11:34 AM, Nguyen, Liem Manh wrote:
Ok for me -- John
|
|
ODL - Weekly AAA Project meeting
Wojciech Dec (wdec) <wdec@...>
When: Thursday, June 26, 2014 5:30 PM-6:30 PM. (UTC+01:00) Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna
*~*~*~*~*~*~*~*~*~*
Agenda:
+---+---+---+---+---+---+---+---+---+---+---+
Please do not edit text below this line.
You are invited to an online meeting using WebEx.
Meeting Number: 201443156
Meeting Password: 111111
-------------------------------------------------------
To join this meeting (Now from mobile devices!)
-------------------------------------------------------
1. Go to https://cisco.webex.com/cisco/j.php?MTID=ma8f5719854a94b9f05d5c96c64eede08
2. Enter the meeting password: 111111
3. Click 'Join Now'.
4. Follow the instructions that appear on your screen.
----------------------------------------------------------------
ALERT:Toll-Free Dial Restrictions for (408) and (919) Area Codes
----------------------------------------------------------------
The affected toll free numbers are: (866) 432-9903 for the San Jose/Milpitas area and (866) 349-3520 for the RTP area.
Please dial the local access number for your area from the list below:
- San Jose/Milpitas (408) area: 525-6800
- RTP (919) area: 392-3330
-------------------------------------------------------
To join the teleconference only
-------------------------------------------------------
1. Dial into Cisco WebEx (view all Global Access Numbers at http://cisco.com/en/US/about/doing_business/conferencing/index.html)
2. Follow the prompts to enter the Meeting Number (listed above) or Access Code followed by the # sign.
San Jose, CA: +1.408.525.6800
RTP: +1.919.392.3330
US/Canada: +1.866.432.9903
United Kingdom: +44.20.8824.0117
India: +91.80.4350.1111
Germany: +49.619.6773.9002
Japan: +81.3.5763.9394
China: +86.10.8515.5666
CCP:+14085256800x201443156#
IMPORTANT NOTICE: This WebEx service includes a feature that allows audio and any documents and other materials exchanged or viewed during the session to be recorded. By joining this session, you automatically consent to such recordings. If you do not consent to the recording, discuss your concerns with the meeting host prior to the start of the recording or do not join the session. Please note that any such recordings may be subject to discovery in the event of litigation.
|
|
Re: time change for AAA meetings on Thursdays
Wojciech Dec
Just sent out an updated invite...
On 24 June 2014 17:34, Nguyen, Liem Manh <liem_m_nguyen@...> wrote:
|
|
Re: ODL - Weekly AAA Project meeting
Nguyen, Liem Manh <liem_m_nguyen@...>
Hi guys,
Proposed agenda (in addition to status) for tomorrow:
Cheers,
Liem
-----Original Appointment-----
From: Wojciech Dec (wdec) [mailto:wdec@...]
Sent: Wednesday, June 25, 2014 7:21 AM
To: Wojciech Dec (wdec); Nguyen, Liem Manh; Abhishek Kumar (abhishk2); 'Arash Eghtesadi'; John Dennis; Lakshman Mukkamalla (lmukkama); Lenrow, Dave; Mellquist, Peter; aaa-dev@...
Subject: ODL - Weekly AAA Project meeting
When: Thursday, June 26, 2014 5:30 PM-6:30 PM (UTC+01:00) Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna.
Where:
When: Thursday, June 26, 2014 5:30 PM-6:30 PM. (UTC+01:00) Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna
|
|
Re: time change for AAA meetings on Thursdays
John Dennis
The meeting was moved up 1/2 hour but the webex link in the meeting
invite still thinks the meeting is at the original time and is not allowing me to connect early. -- John
|
|
Re: time change for AAA meetings on Thursdays
Nguyen, Liem Manh <liem_m_nguyen@...>
Yep, same issue here... Wojciech needs to change it, since I am not the host.
Liem
-----Original Message-----
From: John Dennis [mailto:jdennis@...]
Sent: Thursday, June 26, 2014 8:34 AM
To: Wojciech Dec; Nguyen, Liem Manh
Cc: aaa-dev@...
Subject: Re: [Aaa-dev] time change for AAA meetings on Thursdays
The meeting was moved up 1/2 hour but the webex link in the meeting invite still thinks the meeting is at the original time and is not allowing me to connect early.
-- John
|
|
Re: time change for AAA meetings on Thursdays
Nguyen, Liem Manh <liem_m_nguyen@...>
Looks like it's working now...
Liem
-----Original Message-----
From: Nguyen, Liem Manh
Sent: Thursday, June 26, 2014 8:35 AM
To: 'John Dennis'; Wojciech Dec
Cc: aaa-dev@...
Subject: RE: [Aaa-dev] time change for AAA meetings on Thursdays
Yep, same issue here... Wojciech needs to change it, since I am not the host.
Liem
-----Original Message-----
From: John Dennis [mailto:jdennis@...]
Sent: Thursday, June 26, 2014 8:34 AM
To: Wojciech Dec; Nguyen, Liem Manh
Cc: aaa-dev@...
Subject: Re: [Aaa-dev] time change for AAA meetings on Thursdays
The meeting was moved up 1/2 hour but the webex link in the meeting invite still thinks the meeting is at the original time and is not allowing me to connect early.
-- John
|
|
Re: Change in aaa[master]: Added IdmLight place-holder and OSGi proxy for IdmLight inte...
Nguyen, Liem Manh <liem_m_nguyen@...>
FYI... Some minor refactoring so we are consistent in terms of naming (no more "tenant"). This has been pushed into master.
Cheers, Liem
-----Original Message-----
From: Gerrit Code Review [mailto:gerrit@...]
Sent: Wednesday, July 02, 2014 11:09 AM
To: Nguyen, Liem Manh
Subject: Change in aaa[master]: Added IdmLight place-holder and OSGi proxy for IdmLight inte...
From jenkins-aaa <jenkins-aaa@...>:
jenkins-aaa has posted comments on this change.
Change subject: Added IdmLight place-holder and OSGi proxy for IdmLight integration. Refactored renaming tenant -> domain.
......................................................................
Patch Set 1: Verified+1
Build Successful
https://jenkins.opendaylight.org/aaa/job/aaa-verify/11/ : SUCCESS
--
To view, visit https://git.opendaylight.org/gerrit/8567
To unsubscribe, visit https://git.opendaylight.org/gerrit/settings
Gerrit-MessageType: comment
Gerrit-Change-Id: I148963affe684bb9510ff1bcebf22d8e3d836a71
Gerrit-PatchSet: 1
Gerrit-Project: aaa
Gerrit-Branch: master
Gerrit-Owner: Liem Nguyen <liem_m_nguyen@...>
Gerrit-Reviewer: jenkins-aaa <jenkins-aaa@...>
Gerrit-HasComments: No
|
|
Authorization model
Wojciech Dec
Hi Folks,
here's the initial authorization model, that I would like to propose for starters. Key inputs expected to be provided by the AuthN sub-system are: role and domain-name.
module: authorization-data-schema
   +--rw domain-authorizations
   |  +--rw domains* [domain-name]
   |     +--rw domain-name           domain-type
   |     +--rw policies* [service action]
   |     |  +--rw service      service-type
   |     |  +--rw action       action-type
   |     |  +--rw resources    resource-type
   |     |  +--rw role         role-type
   |     +--rw authz-domain-chain* [domain-name]
   |        +--rw domain-name    leafref
   +--rw simple-authorization
      +--rw policies* [service action]
         +--rw service      service-type
         +--rw action       action-type
         +--rw resources    resource-type
         +--rw role         role-type
Yang file attached.
Regards, Wojciech.
|
|
AuthZ service - REST(Conf) accessible or not?
Wojciech Dec
Hi Folks, while working through the config sub-system wiring, I came to a question that calls for some wider input. As far as I understand, there are two types of wiring API ends that can be used a) Yang RPC derived b) manually defined. (The Toaster model exemplifies only the former) Now, the advantage of the former is that the wiring automatically gets made with other services, eg RestConf. But it occurred to me, is this necessary for the AuthZ service, i.e. would we want to expose the AuthZ service to external queries arriving over REST of the type: Can user X perform Y on Z? Cheers,
|
|
Re: Authorization model
Wojciech Dec
Hi All, given that this is an initial model, I'm collecting your feedback on, and mindful of the fact that Yang syntax might be new to some, here's some additional description. The API to the AuthZ service engine is not captured by the above model, but that will be a next step if we agree that the above is a decent base. Conceptually the data model does not deal with conflict resolution, leaving such processing to the service engine. Alternatively policy conflict resolution checks could be applied upon policy insertion. The data model is neutral to which of these methods is chosen.
On 3 July 2014 17:02, Wojciech Dec <wdec.ietf@...> wrote:
|
|
Re: AuthZ service - REST(Conf) accessible or not?
Nguyen, Liem Manh <liem_m_nguyen@...>
Hi Wojciech,
I don’t really see a use-case for exposing AuthZ via REST… In fact, I think it might be a security issue, since it exposes too much of the inner workings of the AAA system for a potential hacker if they get a hold of this information. From the resource owner’s perspective, they should already know what kind of accesses they should get with the given role(s).
From the AAA admin’s perspective, however, I think CRUD APIs over the access policies would be beneficial.
Thoughts?
Regards, Liem
From: aaa-dev-bounces@... [mailto:aaa-dev-bounces@...] On Behalf Of Wojciech Dec
Hi Folks, while working through the config sub-system wiring, I came to a question that calls for some wider input. As far as I understand, there are two types of wiring API ends that can be used a) Yang RPC derived b) manually defined. (The Toaster model exemplifies only the former)
Thoughts?
Wojciech.
|
|
How to authenticate
Wojciech Dec
Hi Liem, after updating my repo to the latest, I noticed that the authentication "curl" instructions no longer work, and I cannot get past the auth stage. Looking at the code the new IdMService now seems to have the 1234 user.
Regards, Wojciech.
|
|
Re: [controller-dev] How to prevent the use of RESTconf from certain generated models?
Colin Dixon <colin@...>
The AAA project is planning to deliver access control on top of the MD-SAL, and they have the current status listed as PoC on their release page:
https://wiki.opendaylight.org/view/AAA:Helium
I'm cc'ing their dev list to see if there's a better answer than that. You could also just check out their code so far:
git clone https://git.opendaylight.org/gerrit/aaa
On Mon, Jul 14, 2014 at 12:40 PM, Rob Adams <readams@...> wrote:
|
|