
Re: AuthN and netconf-tcp, netconf-ssh

Nguyen, Liem Manh <liem_m_nguyen@...>
 

Hi Ed,

 

So… the bundle would:

1. Get a reference to the org.opendaylight.aaa.api.CredentialAuth service from OSGi.
2. Call the authenticate() method on the service, passing in the user credentials (username/password)
3. The call will return back a Claim object, consisting of:
   a. Client id (if known)
   b. User id
   c. User name
   d. Domain name
   e. User roles

If the credentials are not valid, a runtime AuthenticationException will be thrown.

 

Regards,

Liem

 

From: Ed Warnicke (eaw) [mailto:eaw@...]
Sent: Friday, August 22, 2014 2:44 PM
To: Nguyen, Liem Manh
Cc: Robert Varga -X (rovarga - Pantheon Technologies SRO at Cisco); Maros Marsalek -X (mmarsale - Pantheon Technologies SRO at Cisco); aaa-dev@...; Kristian Kocsis -X (kkocsis - Pantheon Technologies SRO at Cisco)
Subject: Re: AuthN and netconf-tcp, netconf-ssh

 

Liem,  

Think of it this way:

We have a bundle.  The bundle gets user credentials.  It needs to, via a Java service, ask the AuthN whether those credentials are valid or not (and what roles they correspond to).

 

How would we do that?

 

Ed

On Aug 22, 2014, at 3:44 PM, Nguyen, Liem Manh <liem_m_nguyen@...> wrote:



Hi Robert,

 

I am not sure I quite understand your comment about API macro, but the AuthN piece in AAA is designed to be independent of either AD-SAL or MD-SAL.

 

Regards,

Liem

 

From: Robert Varga -X (rovarga - Pantheon Technologies SRO at Cisco) [mailto:rovarga@...] 
Sent: Friday, August 22, 2014 1:04 PM
To: Nguyen, Liem Manh; Ed Warnicke (eaw); Maros Marsalek -X (mmarsale - Pantheon Technologies SRO at Cisco)
Cc: aaa-dev@...; Kristian Kocsis -X (kkocsis - Pantheon Technologies SRO at Cisco)
Subject: RE: AuthN and netconf-tcp, netconf-ssh

 

Hey Liem,

 

This looks like an API Maros (CC’d) will need to migrate the NETCONF bits away from AD-SAL.

 

Thanks,

Robert

 

 

From: Nguyen, Liem Manh [mailto:liem_m_nguyen@...] 
Sent: Wednesday, August 20, 2014 8:06 PM
To: Ed Warnicke (eaw)
Cc: Robert Varga -X (rovarga - Pantheon Technologies SRO at Cisco); aaa-dev@...
Subject: RE: AuthN and netconf-tcp, netconf-ssh

 

Hi Robert,

 

While we are working on integrating the IdM server (almost there!), this is the service you can obtain from OSGi to do the authentication:

 

 

Currently, the only credential AAA supports out-of-the-box for direct authentication is username/password:  PasswordCredentials.

 

Please let me know if you have any questions…

 

Regards,

Liem

 

-----Original Message-----
From: Nguyen, Liem Manh 
Sent: Tuesday, August 19, 2014 12:50 PM
To: 'Ed Warnicke (eaw)'
Cc: Robert Varga -X (rovarga - Pantheon Technologies SRO at Cisco); aaa-dev@...
Subject: RE: AuthN and netconf-tcp, netconf-ssh

 

No, we don't have any formal doc on that yet (will be Javadoc as soon as we get the IdM server integrated); but, it will be part of the OSGi IdmService.  I will provide more developer info as soon as this gets integrated (hopefully) this week.

 

Regards,

Liem

 

-----Original Message-----
From: Ed Warnicke (eaw) [mailto:eaw@...]
Sent: Tuesday, August 19, 2014 12:24 PM
To: Nguyen, Liem Manh
Cc: Robert Varga -X (rovarga - Pantheon Technologies SRO at Cisco); aaa-dev@...
Subject: Re: AuthN and netconf-tcp, netconf-ssh

Liem,

We would need a direct Java binding… do you have DOCs on how to do that?

 

Ed

On Aug 19, 2014, at 1:51 PM, Nguyen, Liem Manh <liem_m_nguyen@...> wrote:

 

> Hi Robert,
>
> AAA comes with a built-in IdM server with a set of REST APIs to manage users/roles/domains.  You can use this API to validate credentials from your service, basically passing in username/password/domain and getting back a set of roles for that user on the given domain.  You can then do further authorization if needed in your service.
>
> More details on the IdM APIs here (Sorry, we are working on getting more formal documentation than a spreadsheet):
>
> This work is not yet checked in, since we are still working on integrating it into Karaf (having issues with JAXB/JSON in Karaf)...
>
> Regards,
> Liem
>
> -----Original Message-----
> From: Ed Warnicke (eaw) [mailto:eaw@...]
> Sent: Tuesday, August 19, 2014 7:48 AM
> To: Robert Varga -X (rovarga - Pantheon Technologies SRO at Cisco); aaa-dev@...; Nguyen, Liem Manh
> Subject: AuthN and netconf-tcp, netconf-ssh
>
> Liem,
>
> Robert is wanting to explore using AAA for netconf-tcp and netconf-ssh for Helium.
>
> As we've discussed, the need here is for netconf-{tcp,ssh} to be able to present credentials to authN, and find out if they are valid credentials.  Hopefully this should be simple.  Could you help Robert figure out the scope of the work?
>
> Ed
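
The three steps listed at the top of this message (obtain CredentialAuth, call authenticate(), use the returned Claim or handle AuthenticationException), sketched as an added example that is not part of the original thread and not OpenDaylight's own code. The nested types are stand-ins named after the types in the message, with assumed signatures; AaaNetconfAuthenticator, the required role and the in-memory service are hypothetical.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Collections;
import java.util.Optional;
import java.util.Set;

public class NetconfAuthExample {

    // Stand-ins named after the types in the thread; signatures are assumed.
    interface PasswordCredentials { String username(); String password(); }

    interface Claim {
        String clientId();   // "Client id (if known)": may be null
        String userId();
        String user();
        String domain();
        Set<String> roles();
    }

    static class AuthenticationException extends RuntimeException {
        AuthenticationException(String message) { super(message); }
    }

    interface CredentialAuth<T> { Claim authenticate(T credentials); }

    // Hypothetical NETCONF-side adapter: every failure path denies the login.
    static final class AaaNetconfAuthenticator {
        private final CredentialAuth<PasswordCredentials> aaa;
        private final String requiredRole;

        // Step 1: in a real bundle `aaa` comes from the OSGi service registry
        // and is null while the AAA bundle is not yet registered.
        AaaNetconfAuthenticator(CredentialAuth<PasswordCredentials> aaa, String requiredRole) {
            this.aaa = aaa;
            this.requiredRole = requiredRole;
        }

        Optional<Claim> login(final String username, final String password) {
            if (aaa == null || username == null || password == null) {
                return Optional.empty();            // no service, no session
            }
            PasswordCredentials creds = new PasswordCredentials() {
                @Override public String username() { return username; }
                @Override public String password() { return password; }
            };
            final Claim claim;
            try {
                claim = aaa.authenticate(creds);    // step 2
            } catch (AuthenticationException e) {
                log("rejected", username);          // never log the password
                return Optional.empty();
            } catch (RuntimeException e) {
                log("AAA error " + e.getClass().getSimpleName(), username);
                return Optional.empty();            // a backend fault is not a pass
            }
            // Step 3: use the Claim; an absent claim or missing role is a denial.
            if (claim == null || claim.roles() == null
                    || !claim.roles().contains(requiredRole)) {
                log("authenticated but not authorized", username);
                return Optional.empty();
            }
            return Optional.of(claim);
        }

        private static void log(String outcome, String username) {
            // Replace control characters so a crafted user name cannot forge log lines.
            System.err.println("netconf login " + outcome + " user="
                    + username.replaceAll("\\p{Cntrl}", "_"));
        }
    }

    // Constructed in-memory service holding only the canned test user from the thread.
    static CredentialAuth<PasswordCredentials> cannedAaa() {
        return creds -> {
            boolean ok = "admin".equals(creds.username()) && MessageDigest.isEqual(
                    creds.password().getBytes(StandardCharsets.UTF_8),
                    "odl".getBytes(StandardCharsets.UTF_8));
            if (!ok) {
                throw new AuthenticationException("invalid credentials");
            }
            return new Claim() {
                @Override public String clientId() { return null; }
                @Override public String userId() { return "1"; }        // constructed
                @Override public String user() { return "admin"; }
                @Override public String domain() { return "example"; }  // constructed
                @Override public Set<String> roles() { return Collections.singleton("admin"); }
            };
        };
    }

    public static void main(String[] args) {
        AaaNetconfAuthenticator auth = new AaaNetconfAuthenticator(cannedAaa(), "admin");
        System.out.println(auth.login("admin", "odl").map(Claim::roles));
        System.out.println(auth.login("admin", "wrong").isPresent());
        System.out.println(new AaaNetconfAuthenticator(null, "admin")
                .login("admin", "odl").isPresent());
    }
}
```

The adapter treats a missing service, an AuthenticationException, any other runtime failure and a Claim without the required role identically: the NETCONF session is refused.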

 


Re: AuthN and netconf-tcp, netconf-ssh

Maros Marsalek -X (mmarsale - Pantheon Technologies SRO@Cisco) <mmarsale@...>
 

Hi Liem,

Netconf in ODL still uses old UserManager service from AD-SAL.
I'd be happy to replace it with your API/Implementation for user/password authentication.

But I have a few questions for you/Robert/Ed:
Do we want to do it in Helium or later (not too much time until code freeze) ?
Are your bundles (Api/Implementation) part of ODL base distribution or will they be ?

Regards,
Maros

From: Nguyen, Liem Manh [liem_m_nguyen@...]
Sent: Saturday, August 23, 2014 00:13
To: Ed Warnicke (eaw)
Cc: Robert Varga -X (rovarga - Pantheon Technologies SRO at Cisco); Maros Marsalek -X (mmarsale - Pantheon Technologies SRO at Cisco); aaa-dev@...; Kristian Kocsis -X (kkocsis - Pantheon Technologies SRO at Cisco)
Subject: RE: AuthN and netconf-tcp, netconf-ssh

Hi Ed,

 

So… the bundle would:

1. Get a reference to the org.opendaylight.aaa.api.CredentialAuth service from OSGi.
2. Call the authenticate() method on the service, passing in the user credentials (username/password)
3. The call will return back a Claim object, consisting of:
   a. Client id (if known)
   b. User id
   c. User name
   d. Domain name
   e. User roles

If the credentials are not valid, a runtime AuthenticationException will be thrown.

 

Regards,

Liem

 

 


Re: AuthN and netconf-tcp, netconf-ssh

Ed Warnicke (eaw) <eaw@...>
 

Definitely Helium.

Ed
On Aug 25, 2014, at 10:11 AM, Maros Marsalek -X (mmarsale - Pantheon Technologies SRO at Cisco) <mmarsale@...> wrote:

Hi Liem,

Netconf in ODL still uses old UserManager service from AD-SAL.
I'd be happy to replace it with your API/Implementation for user/password authentication.

But I have a few questions for you/Robert/Ed:
Do we want to do it in Helium or later (not too much time until code freeze) ?
Are your bundles (Api/Implementation) part of ODL base distribution or will they be ?

Regards,
Maros



Re: AuthN and netconf-tcp, netconf-ssh

Maros Marsalek -X (mmarsale - Pantheon Technologies SRO@Cisco) <mmarsale@...>
 

Ok, I can take a look at that tomorrow. But it's just 2 days (tomorrow and the day after) for me until code freeze, will be on PTO from Thursday.

So if I am not able to accomplish that by September 1st, will it be possible to merge after ? Or should someone else take it ?

And Liem, what shape is your service in ? Can I start using it from tomorrow in ODL ? Is it possible to integrate it with ODL-netconf bundle in 1-2 days ?

Maros

From: Ed Warnicke (eaw)
Sent: Monday, August 25, 2014 17:17
To: Maros Marsalek -X (mmarsale - Pantheon Technologies SRO at Cisco)
Cc: Nguyen, Liem Manh; Robert Varga -X (rovarga - Pantheon Technologies SRO at Cisco); aaa-dev@...; Kristian Kocsis -X (kkocsis - Pantheon Technologies SRO at Cisco)
Subject: Re: AuthN and netconf-tcp, netconf-ssh

Definitely Helium.

Ed


Re: AuthN and netconf-tcp, netconf-ssh

Ed Warnicke (eaw) <eaw@...>
 

Maros,
We’d need it in before code freeze next Monday…

Ed
On Aug 25, 2014, at 10:35 AM, Maros Marsalek -X (mmarsale - Pantheon Technologies SRO at Cisco) <mmarsale@...> wrote:

Ok, I can take a look at that tomorrow. But it's just 2 days (tomorrow and the day after) for me until code freeze, will be on PTO from Thursday.

So if I am not able to accomplish that by September 1st, will it be possible to merge after ? Or should someone else take it ?

And Liem, what shape is your service in ? Can I start using it from tomorrow in ODL ? Is it possible to integrate it with ODL-netconf bundle in 1-2 days ?

Maros



Re: AuthN and netconf-tcp, netconf-ssh

Nguyen, Liem Manh <liem_m_nguyen@...>
 

>> what shape is your service in ?

 

The snapshot is available in Nexus…  The AuthN piece is working 100%; the IdM backend is being integrated (so not yet checked in)… Hopefully, it will be in earlier this week.  For testing, you can just use the canned user (admin/odl).

 

Regards,

Liem

 

From: Maros Marsalek -X (mmarsale - Pantheon Technologies SRO at Cisco) [mailto:mmarsale@...]
Sent: Monday, August 25, 2014 8:35 AM
To: Ed Warnicke (eaw)
Cc: Nguyen, Liem Manh; Robert Varga -X (rovarga - Pantheon Technologies SRO at Cisco); aaa-dev@...; Kristian Kocsis -X (kkocsis - Pantheon Technologies SRO at Cisco)
Subject: RE: AuthN and netconf-tcp, netconf-ssh

 

Ok, I can take a look at that tomorrow. But it's just 2 days (tomorrow and the day after) for me until code freeze, will be on PTO from Thursday.

So if I am not able to accomplish that by September 1st, will it be possible to merge after ? Or should someone else take it ?

And Liem, what shape is your service in ? Can I start using it from tomorrow in ODL ? Is it possible to integrate it with ODL-netconf bundle in 1-2 days ?

Maros


From: Ed Warnicke (eaw)
Sent: Monday, August 25, 2014 17:17
To: Maros Marsalek -X (mmarsale - Pantheon Technologies SRO at Cisco)
Cc: Nguyen, Liem Manh; Robert Varga -X (rovarga - Pantheon Technologies SRO at Cisco); aaa-dev@...; Kristian Kocsis -X (kkocsis - Pantheon Technologies SRO at Cisco)
Subject: Re: AuthN and netconf-tcp, netconf-ssh

Definitely Helium.

 

Ed

On Aug 25, 2014, at 10:11 AM, Maros Marsalek -X (mmarsale - Pantheon Technologies SRO at Cisco) <mmarsale@...> wrote:



Hi Liem,

Netconf in ODL still uses old UserManager service from AD-SAL.
I'd be happy to replace it with your API/Implementation for user/password authentication.

But I have a few questions for you/Robert/Ed:
Do we want to do it in Helium or later (not too much time until code freeze) ?
Are your bundles (Api/Implementation) part of ODL base distribution or will they be ?

Regards,
Maros


From: Nguyen, Liem Manh [liem_m_nguyen@...]
Sent: Saturday, August 23, 2014 00:13
To: Ed Warnicke (eaw)
Cc: Robert Varga -X (rovarga - Pantheon Technologies SRO at Cisco); Maros Marsalek -X (mmarsale - Pantheon Technologies SRO at Cisco); aaa-dev@...; Kristian Kocsis -X (kkocsis - Pantheon Technologies SRO at Cisco)
Subject: RE: AuthN and netconf-tcp, netconf-ssh

Hi Ed,

 

So… the bundle would:

 

1. Get a reference to the org.opendaylight.aaa.api.CredentialAuth service from OSGi.
2. Call the authenticate() method on the service, passing in the user credentials (username/password)
3. The call will return back a Claim object, consisting of:
   a. Client id (if known)
   b. User id
   c. User name
   d. Domain name
   e. User roles

If the credentials are not valid, a runtime AuthenticationException will be thrown.

 

Regards,

Liem

 

From: Ed Warnicke (eaw) [mailto:eaw@...] 
Sent: Friday, August 22, 2014 2:44 PM
To: Nguyen, Liem Manh
Cc: Robert Varga -X (rovarga - Pantheon Technologies SRO at Cisco); Maros Marsalek -X (mmarsale - Pantheon Technologies SRO at Cisco); aaa-dev@...; Kristian Kocsis -X (kkocsis - Pantheon Technologies SRO at Cisco)
Subject: Re: AuthN and netconf-tcp, netconf-ssh

 

Liem,  

Think of it this way:

We have a bundle.  The bundle gets user credentials.  It needs to ask the AuthN, via a Java service, whether those credentials are valid or not (and what roles they correspond to).

 

How would we do that?

 

Ed

On Aug 22, 2014, at 3:44 PM, Nguyen, Liem Manh <liem_m_nguyen@...> wrote:

 

Hi Robert,

 

I am not sure I quite understand your comment about API macro, but the AuthN piece in AAA is designed to be independent of either AD-SAL or MD-SAL.

 

Regards,

Liem

 

From: Robert Varga -X (rovarga - Pantheon Technologies SRO at Cisco) [mailto:rovarga@...] 
Sent: Friday, August 22, 2014 1:04 PM
To: Nguyen, Liem Manh; Ed Warnicke (eaw); Maros Marsalek -X (mmarsale - Pantheon Technologies SRO at Cisco)
Cc: aaa-dev@...; Kristian Kocsis -X (kkocsis - Pantheon Technologies SRO at Cisco)
Subject: RE: AuthN and netconf-tcp, netconf-ssh

 

Hey Liem,

 

This looks like an API Maros (CC’d) will need to migrate the NETCONF bits away from AD-SAL.

 

Thanks,

Robert

 

 

From: Nguyen, Liem Manh [mailto:liem_m_nguyen@...] 
Sent: Wednesday, August 20, 2014 8:06 PM
To: Ed Warnicke (eaw)
Cc: Robert Varga -X (rovarga - Pantheon Technologies SRO at Cisco); aaa-dev@...
Subject: RE: AuthN and netconf-tcp, netconf-ssh

 

Hi Robert,

 

While we are working on integrating the IdM server (almost there!), this is the service you can obtain from OSGi to do the authentication:

 

 

Currently, the only credential AAA supports out-of-the-box for direct authentication is username/password:  PasswordCredentials.

 

Please let me know if you have any questions…

 

Regards,

Liem

 

-----Original Message-----
From: Nguyen, Liem Manh 
Sent: Tuesday, August 19, 2014 12:50 PM
To: 'Ed Warnicke (eaw)'
Cc: Robert Varga -X (rovarga - Pantheon Technologies SRO at Cisco); aaa-dev@...
Subject: RE: AuthN and netconf-tcp, netconf-ssh

 

No, we don't have any formal doc on that yet (will be Javadoc as soon as we get the IdM server integrated); but, it will be part of the OSGi IdmService.  I will provide more developer info as soon as this gets integrated (hopefully) this week.

 

Regards,

Liem

 

-----Original Message-----

From: Ed Warnicke (eaw) [mailto:eaw@...]

Sent: Tuesday, August 19, 2014 12:24 PM

To: Nguyen, Liem Manh

Cc: Robert Varga -X (rovarga - Pantheon Technologies SRO at Cisco); aaa-dev@...

Subject: Re: AuthN and netconf-tcp, netconf-ssh

 

Liem,

                We would need a direct Java binding… do you have DOCs on how to do that?

 

Ed

On Aug 19, 2014, at 1:51 PM, Nguyen, Liem Manh <liem_m_nguyen@...> wrote:

 

> Hi Robert,

> AAA comes with a built-in IdM server with a set of REST APIs to manage users/roles/domains.  You can use this API to validate credentials from your service, basically passing in username/password/domain and getting back a set of roles for that user on the given domain.  You can then do further authorization if needed in your service.

> More details on the IdM APIs here (Sorry, we are working on getting more formal documentation than a spreadsheet):

> This work is not yet checked in, since we are still working on integrating it into Karaf (having an issue with JAXB/JSON in Karaf)...

> Regards,

> Liem

> -----Original Message-----

> From: Ed Warnicke (eaw) [mailto:eaw@...]

> Sent: Tuesday, August 19, 2014 7:48 AM

> To: Robert Varga -X (rovarga - Pantheon Technologies SRO at Cisco); aaa-dev@...; Nguyen, Liem Manh

> Subject: AuthN and netconf-tcp, netconf-ssh

> Liem,

>             Robert is wanting to explore using AAA for netconf-tcp and netconf-ssh for Helium.

>             As we've discussed, the need here is for netconf-{tcp,ssh} to be able to present credentials to authN, and find out if they are valid credentials.  Hopefully this should be simple.  Could you help Robert figure out the scope of the work?

> Ed

 


Documentation meeting for AAA

Nguyen, Liem Manh <liem_m_nguyen@...>
 

Hi guys,
 
I am overbooked…  Moving to Thursday after our status meeting…  Sorry for the change.
 
Thanks,
Liem
 
 
 


Re: AuthN and netconf-tcp, netconf-ssh

Maros Marsalek -X (mmarsale - Pantheon Technologies SRO@Cisco) <mmarsale@...>
 

Talked to Tony,

He said that we cannot introduce a direct dependency in ODL to the AAA bundles. AAA bundles depend on ODL bundles and we would introduce a cyclic dependency that would cause problems when bumping version of ODL bundles during release or otherwise (since AAA is not part of ODL base repository).

He suggested that we introduce a new bundle in ODL with SPI for Authentication Service for Netconf. It would serve as an interface between ODL netconf and Authentication Service implementations. Then there would be 2 implementations:
- AD-SAL UserManager (we would extract UserManager related code and all AD-SAL dependencies there so it can be easily replaceable)
- Liem's implementation (this implementation would be hosted in AAA repository and would replace the first implementation in distributions)

So what do you say to that approach?
We would have to introduce a new interface to ODL (only SPI but still, it's API freeze)
Liem would still have to bump the version of ODL they use and release their bundles.

Maros


From: Nguyen, Liem Manh [liem_m_nguyen@...]
Sent: Monday, August 25, 2014 17:44
To: Maros Marsalek -X (mmarsale - Pantheon Technologies SRO at Cisco); Ed Warnicke (eaw)
Cc: Robert Varga -X (rovarga - Pantheon Technologies SRO at Cisco); aaa-dev@...; Kristian Kocsis -X (kkocsis - Pantheon Technologies SRO at Cisco); Mellquist, Peter
Subject: RE: AuthN and netconf-tcp, netconf-ssh

>> what shape is your service in ?

 

The snapshot is available in Nexus…  The AuthN piece is working 100%; the IdM backend is being integrated (so not yet checked in)… Hopefully, it will be in earlier this week.  For testing, you can just use the canned user (admin/odl).

 

Regards,

Liem

 

From: Maros Marsalek -X (mmarsale - Pantheon Technologies SRO at Cisco) [mailto:mmarsale@...]
Sent: Monday, August 25, 2014 8:35 AM
To: Ed Warnicke (eaw)
Cc: Nguyen, Liem Manh; Robert Varga -X (rovarga - Pantheon Technologies SRO at Cisco); aaa-dev@...; Kristian Kocsis -X (kkocsis - Pantheon Technologies SRO at Cisco)
Subject: RE: AuthN and netconf-tcp, netconf-ssh

 

Ok, I can take a look at that tomorrow. But it's just 2 days (tomorrow and the day after) for me until code freeze, will be on PTO from Thursday.

So if I am not able to accomplish that by September 1st, will it be possible to merge after? Or should someone else take it?

And Liem, what shape is your service in? Can I start using it from tomorrow in ODL? Is it possible to integrate it with ODL-netconf bundle in 1-2 days?

Maros




Re: AuthN and netconf-tcp, netconf-ssh

Nguyen, Liem Manh <liem_m_nguyen@...>
 

Hi Maros,

 

Sounds good…  Just a clarification:  only the odl-aaa-authz feature/bundles (AuthZ) depend on ODL; the odl-aaa-authn feature/bundles (AuthN) do not.  So, an alternative is we could have the AuthZ reside with the ODL codebase…  AuthZ, of course, would depend on AuthN.  Thoughts on the 2 different approaches?  I personally like the fact that AuthZ should reside as close to the business/service layer as possible, since it ultimately understands the service logics for authorization.

 

Thanks,

Liem

 

From: Maros Marsalek -X (mmarsale - Pantheon Technologies SRO at Cisco) [mailto:mmarsale@...]
Sent: Tuesday, August 26, 2014 12:42 AM
To: Nguyen, Liem Manh; Ed Warnicke (eaw); Tony Tkacik -X (ttkacik - Pantheon Technologies SRO at Cisco)
Cc: Robert Varga -X (rovarga - Pantheon Technologies SRO at Cisco); aaa-dev@...; Kristian Kocsis -X (kkocsis - Pantheon Technologies SRO at Cisco); Mellquist, Peter
Subject: RE: AuthN and netconf-tcp, netconf-ssh

 

Talked to Tony,

He said that we cannot introduce a direct dependency in ODL to the AAA bundles. AAA bundles depend on ODL bundles and we would introduce a cyclic dependency that would cause problems when bumping version of ODL bundles during release or otherwise (since AAA is not part of ODL base repository).

He suggested that we introduce a new bundle in ODL with SPI for Authentication Service for Netconf. It would serve as an interface between ODL netconf and Authentication Service implementations. Then there would be 2 implementations:
- AD-SAL UserManager (we would extract UserManager related code and all AD-SAL dependencies there so it can be easily replaceable)
- Liem's implementation (this implementation would be hosted in AAA repository and would replace the first implementation in distributions)

So what do you say to that approach?
We would have to introduce a new interface to ODL (only SPI but still, it's API freeze)
Liem would still have to bump the version of ODL they use and release their bundles.

Maros




Re: AuthN and netconf-tcp, netconf-ssh

Maros Marsalek -X (mmarsale - Pantheon Technologies SRO@Cisco) <mmarsale@...>
 

Hi Liem,

Moving AuthZ into ODL codebase sounds reasonable, but that needs to be addressed by Ed, Tony etc.

I have pushed 2 commits:
1. ODL: https://git.opendaylight.org/gerrit/#/c/10318/ Extracted AuthProvider SPI bundle, Extracted UserManager backed AuthProvider into separate bundle
2. AAA: https://git.opendaylight.org/gerrit/#/c/10356/ Implemented AuthProvider SPI interface backed by CredentialAuth service.

Please review

Maros
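
The AuthProvider SPI arrangement discussed in this thread, sketched as an added Java example (it is not the code from the two Gerrit changes and not part of the original message). Every type is a local stand-in modelled on the thread's description; the `authenticated()` method, the `bind()`/`unbind()` hooks, the Claim field names and the in-memory backend with its `alice` account are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Collections;
import java.util.List;

public class NetconfAuthSpiExample {

    // Stand-ins for the AAA types named in the thread; their shapes are assumed.
    static final class PasswordCredentials {
        final String username;
        final String password;
        PasswordCredentials(String username, String password) {
            this.username = username;
            this.password = password;
        }
    }

    static final class Claim {
        final String clientId;   // may be null ("if known")
        final String userId;
        final String user;
        final String domain;
        final List<String> roles;
        Claim(String clientId, String userId, String user, String domain, List<String> roles) {
            this.clientId = clientId;
            this.userId = userId;
            this.user = user;
            this.domain = domain;
            this.roles = roles;
        }
    }

    static class AuthenticationException extends RuntimeException {
        AuthenticationException(String message) { super(message); }
    }

    interface CredentialAuth {
        Claim authenticate(PasswordCredentials credentials);
    }

    // Hypothetical SPI owned by the NETCONF side. No AAA type appears in its
    // signature, so the NETCONF bundles never depend on the AAA bundles.
    interface AuthProvider {
        boolean authenticated(String username, String password);
    }

    // Adapter that would be hosted on the AAA side and registered as an AuthProvider.
    static final class CredentialAuthProvider implements AuthProvider {
        // In a bundle this reference would come from the OSGi service registry
        // and can disappear at any time, hence volatile plus a null check.
        private volatile CredentialAuth credentialAuth;

        void bind(CredentialAuth service) { credentialAuth = service; }
        void unbind() { credentialAuth = null; }

        @Override
        public boolean authenticated(String username, String password) {
            CredentialAuth service = credentialAuth;
            if (service == null || username == null || password == null) {
                return false; // fail closed while the backend is absent
            }
            try {
                Claim claim = service.authenticate(new PasswordCredentials(username, password));
                if (claim == null) {
                    return false;
                }
                // Log identity and roles only, never the password.
                System.out.println("authenticated user=" + claim.user
                        + " domain=" + claim.domain + " roles=" + claim.roles);
                return true;
            } catch (AuthenticationException e) {
                return false; // invalid credentials
            } catch (RuntimeException e) {
                return false; // a backend fault is a denial, never a success
            }
        }
    }

    // Constructed in-memory backend with a single constructed account.
    static final class InMemoryCredentialAuth implements CredentialAuth {
        private static final byte[] SECRET =
                "constructed-secret".getBytes(StandardCharsets.UTF_8);

        @Override
        public Claim authenticate(PasswordCredentials c) {
            boolean userOk = "alice".equals(c.username);
            boolean passOk = MessageDigest.isEqual(
                    SECRET, c.password.getBytes(StandardCharsets.UTF_8));
            if (!(userOk & passOk)) {
                throw new AuthenticationException("invalid credentials");
            }
            return new Claim(null, "1001", "alice", "sdn", Collections.singletonList("admin"));
        }
    }

    public static void main(String[] args) {
        CredentialAuthProvider provider = new CredentialAuthProvider();
        System.out.println("no backend bound: " + provider.authenticated("alice", "constructed-secret"));
        provider.bind(new InMemoryCredentialAuth());
        System.out.println("valid credentials: " + provider.authenticated("alice", "constructed-secret"));
        System.out.println("wrong password: " + provider.authenticated("alice", "guess"));
        provider.bind(c -> { throw new IllegalStateException("backend down"); });
        System.out.println("backend fault: " + provider.authenticated("alice", "constructed-secret"));
    }
}
```

The adapter maps both AuthenticationException and any other runtime failure to a denial, so a missing or broken authentication backend cannot turn into an accepted NETCONF login.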


From: Nguyen, Liem Manh [liem_m_nguyen@...]
Sent: Tuesday, August 26, 2014 18:25
To: Maros Marsalek -X (mmarsale - Pantheon Technologies SRO at Cisco); Ed Warnicke (eaw); Tony Tkacik -X (ttkacik - Pantheon Technologies SRO at Cisco)
Cc: Robert Varga -X (rovarga - Pantheon Technologies SRO at Cisco); aaa-dev@...; Kristian Kocsis -X (kkocsis - Pantheon Technologies SRO at Cisco); Mellquist, Peter; Nguyen, Liem Manh
Subject: RE: AuthN and netconf-tcp, netconf-ssh

Hi Maros,

 

Sounds good…  Just a clarification:  only the odl-aaa-authz feature/bundles (AuthZ) depend on ODL; the odl-aaa-authn feature/bundles (AuthN) do not.  So, an alternative is we could have the AuthZ reside with the ODL codebase…  AuthZ, of course, would depend on AuthN.  Thoughts on the 2 different approaches?  I personally like the fact that AuthZ should reside as close to the business/service layer as possible, since it ultimately understands the service logics for authorization.

 

Thanks,

Liem

 

From: Maros Marsalek -X (mmarsale - Pantheon Technologies SRO at Cisco) [mailto:mmarsale@...]
Sent: Tuesday, August 26, 2014 12:42 AM
To: Nguyen, Liem Manh; Ed Warnicke (eaw); Tony Tkacik -X (ttkacik - Pantheon Technologies SRO at Cisco)
Cc: Robert Varga -X (rovarga - Pantheon Technologies SRO at Cisco); aaa-dev@...; Kristian Kocsis -X (kkocsis - Pantheon Technologies SRO at Cisco); Mellquist, Peter
Subject: RE: AuthN and netconf-tcp, netconf-ssh

 

Talked to Tony,

He said that we cannot introduce a direct dependency in ODL to the AAA bundles. AAA bundles depend on ODL bundles and we would introduce a cyclic dependency that would cause problems when bumping version of ODL bundles during release or otherwise (since AAA is not part of ODL base repository).

He suggested that we introduce a new bundle in ODL with SPI for Authentication Service for Netconf. It would serve as an interface between ODL netconf and Authentication Service implementations. Then there would be 2 implementations:
- AD-SAL UserManager (we would extract UserManager related code and all AD-SAL dependencies there so it can be easily replaceable)
- Liem's implementation (this implementation would be hosted in AAA repository and would replace the first implementation in distributions)

So what do you say to that approach ?
We would have to introduce new interface to ODL (only SPI but still, its API freeze)
Liem would still have to bump the version of ODL they use and release their bundles.

Maros


From: Nguyen, Liem Manh [liem_m_nguyen@...]
Sent: Monday, August 25, 2014 17:44
To: Maros Marsalek -X (mmarsale - Pantheon Technologies SRO at Cisco); Ed Warnicke (eaw)
Cc: Robert Varga -X (rovarga - Pantheon Technologies SRO at Cisco); aaa-dev@...; Kristian Kocsis -X (kkocsis - Pantheon Technologies SRO at Cisco); Mellquist, Peter
Subject: RE: AuthN and netconf-tcp, netconf-ssh

>> what shape is your service in ?

 

The snapshot is available in Nexus…  The AuthN piece is working 100%; the IdM backend is being integrated (so not yet checked in)… Hopefully, it will be in earlier this week.  For testing, you can just use the canned user (admin/odl).

 

Regards,

Liem

 

From: Maros Marsalek -X (mmarsale - Pantheon Technologies SRO at Cisco) [mailto:mmarsale@...]
Sent: Monday, August 25, 2014 8:35 AM
To: Ed Warnicke (eaw)
Cc: Nguyen, Liem Manh; Robert Varga -X (rovarga - Pantheon Technologies SRO at Cisco); aaa-dev@...; Kristian Kocsis -X (kkocsis - Pantheon Technologies SRO at Cisco)
Subject: RE: AuthN and netconf-tcp, netconf-ssh

 

Ok, I can take a look at that tomorrow. But its just 2 days(tomorrow and the day after) for me until code freeze, will be on PTO from Thursday.

So if I am not able to accomplish that by September 1st, will it be possible to merge after ? Or should someone else take it ?

And Liem, what shape is your service in ? Can I start using it from tomorrow in ODL ? Is it possible to integrate it with ODL-netconf bundle in 1-2 days ?

Maros


From: Ed Warnicke (eaw)
Sent: Monday, August 25, 2014 17:17
To: Maros Marsalek -X (mmarsale - Pantheon Technologies SRO at Cisco)
Cc: Nguyen, Liem Manh; Robert Varga -X (rovarga - Pantheon Technologies SRO at Cisco); aaa-dev@...; Kristian Kocsis -X (kkocsis - Pantheon Technologies SRO at Cisco)
Subject: Re: AuthN and netconf-tcp, netconf-ssh

Definitely Helium.

 

Ed

On Aug 25, 2014, at 10:11 AM, Maros Marsalek -X (mmarsale - Pantheon Technologies SRO at Cisco) <mmarsale@...> wrote:

 

Hi Liem,

Netconf in ODL still uses old UserManager service from AD-SAL.
I'd be happy to replace it with your API/Implementation for user/password authentication.

But I have a few questions for you/Robert/Ed:
Do we want to do it in Helium or later (not too much time until code freeze) ?
Are your bundles (Api/Implementation) part of ODL base distribution or will they be ?

Regards,
Maros


From: Nguyen, Liem Manh [liem_m_nguyen@...]
Sent: Saturday, August 23, 2014 00:13
To: Ed Warnicke (eaw)
Cc: Robert Varga -X (rovarga - Pantheon Technologies SRO at Cisco); Maros Marsalek -X (mmarsale - Pantheon Technologies SRO at Cisco); aaa-dev@...; Kristian Kocsis -X (kkocsis - Pantheon Technologies SRO at Cisco)
Subject: RE: AuthN and netconf-tcp, netconf-ssh

Hi Ed,

 

So… the bundle would:

 

1.       Get a reference to the org.opendaylight.aaa.api.CredentialAuth service from OSGi.

2.       Call the authenticate() method on the service, passing in the user credentials (username/password)

3.       The call will return back a Claim object, consisting of:

a.       Client id (if known)

b.      User id

c.       User name

d.      Domain name

e.      User roles

If the credentials are not valid, a runtime AuthenticationException will be thrown.

 

Regards,

Liem

 

From: Ed Warnicke (eaw) [mailto:eaw@...] 
Sent: Friday, August 22, 2014 2:44 PM
To: Nguyen, Liem Manh
Cc: Robert Varga -X (rovarga - Pantheon Technologies SRO at Cisco); Maros Marsalek -X (mmarsale - Pantheon Technologies SRO at Cisco); aaa-dev@...; Kristian Kocsis -X (kkocsis - Pantheon Technologies SRO at Cisco)
Subject: Re: AuthN and netconf-tcp, netconf-ssh

 

Liem,  

Think of it this way:

We have a bundle.  The bundle gets user credentials.  It needs to via a java service ask the AuthN to whether

those credentials are valid or not (and what roles they correspond to).

 

How would we do that?

 

Ed

On Aug 22, 2014, at 3:44 PM, Nguyen, Liem Manh <liem_m_nguyen@...> wrote:

 

Hi Robert,

 

I am not sure I quite understand your comment about API macro, but the AuthN piece in AAA is designed to be independent of either AD-SAL or MD-SAL.

 

Regards,

Liem

 

From: Robert Varga -X (rovarga - Pantheon Technologies SRO at Cisco) [mailto:rovarga@...] 
Sent: Friday, August 22, 2014 1:04 PM
To: Nguyen, Liem Manh; Ed Warnicke (eaw); Maros Marsalek -X (mmarsale - Pantheon Technologies SRO at Cisco)
Cc: aaa-dev@...; Kristian Kocsis -X (kkocsis - Pantheon Technologies SRO at Cisco)
Subject: RE: AuthN and netconf-tcp, netconf-ssh

 

Hey Liem,

 

This looks like an API Maros (CC’d) will need to migrate the NETCONF bits away from AD-SAL.

 

Thanks,

Robert

 

 

From: Nguyen, Liem Manh [mailto:liem_m_nguyen@...] 
Sent: Wednesday, August 20, 2014 8:06 PM
To: Ed Warnicke (eaw)
Cc: Robert Varga -X (rovarga - Pantheon Technologies SRO at Cisco); aaa-dev@...
Subject: RE: AuthN and netconf-tcp, netconf-ssh

 

Hi Robert,

 

While we are working on integrating the IdM server (almost there!), this is the service you can obtain from OSGi to do the authentication:

 

 

Currently, the only credential AAA supports out-of-the-box for direct authentication is username/password:  PasswordCredentials.

 

Please let me know if you have any questions…

 

Regards,

Liem

 

-----Original Message-----
From: Nguyen, Liem Manh 
Sent: Tuesday, August 19, 2014 12:50 PM
To: 'Ed Warnicke (eaw)'
Cc: Robert Varga -X (rovarga - Pantheon Technologies SRO at Cisco); aaa-dev@...
Subject: RE: AuthN and netconf-tcp, netconf-ssh

 

No, we don't have any formal doc on that yet (will be Javadoc as soon as we get the IdM server integrated); but, it will be part of the OSGi IdmService.  I will provide more developer info as soon as this gets integrated (hopefully) this week.

 

Regards,

Liem

 

-----Original Message-----

From: Ed Warnicke (eaw) [mailto:eaw@...]

Sent: Tuesday, August 19, 2014 12:24 PM

To: Nguyen, Liem Manh

Cc: Robert Varga -X (rovarga - Pantheon Technologies SRO at Cisco); aaa-dev@...

Subject: Re: AuthN and netconf-tcp, netconf-ssh

 

Liem,

                We would need a direct Java binding… do you have DOCs on how to do that?

 

Ed

On Aug 19, 2014, at 1:51 PM, Nguyen, Liem Manh <liem_m_nguyen@...> wrote:

 

> Hi Robert,

> AAA comes with a built-in IdM server with a set of REST APIs to manage users/roles/domains.  You can use this API to validate credentials from your service, basically passing in username/password/domain and getting back a set of roles for that user on the given domain.  You can then do further authorization if needed in your service.

> More details on the IdM APIs here (Sorry, we are working on getting more formal documentation than a spreadsheet):

> This work is not yet checked in, since we are still working on integrating it into Karaf (having issue with JAXB/JSON in Karaf)...

> Regards,

> Liem

> -----Original Message-----

> From: Ed Warnicke (eaw) [mailto:eaw@...]

> Sent: Tuesday, August 19, 2014 7:48 AM

> To: Robert Varga -X (rovarga - Pantheon Technologies SRO at Cisco); aaa-dev@...; Nguyen, Liem Manh

> Subject: AuthN and netconf-tcp, netconf-ssh

> Liem,

>             Robert is wanting to explore using AAA for netconf-tcp and netconf-ssh for Helium.

>             As we've discussed, the need here is for netconf-{tcp,ssh} to be able to present credentials to authN, and find out if they are valid credentials.  Hopefully this should be simple.  Could you help Robert figure out the scope of the work?

> Ed

 


Re: AuthN and netconf-tcp, netconf-ssh

Nguyen, Liem Manh <liem_m_nguyen@...>
 

Hi Maros,

 

I think we can worry about the md-sal authz piece later, since we don’t have it for Helium anyways.  So… let’s focus on AuthN. 

 

For AuthN, I really don’t want it to depend on other controller components, because let’s say if the netconf bundle fails to load for instance, then we won’t have AuthN.  Having direct dependency from netconf to AuthN would also keep things simpler too.

 

Thoughts, Ed/Tony?

 

Thanks,

Liem

 

From: Maros Marsalek -X (mmarsale - Pantheon Technologies SRO at Cisco) [mailto:mmarsale@...]
Sent: Wednesday, August 27, 2014 1:38 AM
To: Nguyen, Liem Manh; Ed Warnicke (eaw); Tony Tkacik -X (ttkacik - Pantheon Technologies SRO at Cisco)
Cc: Robert Varga -X (rovarga - Pantheon Technologies SRO at Cisco); aaa-dev@...; Kristian Kocsis -X (kkocsis - Pantheon Technologies SRO at Cisco); Mellquist, Peter
Subject: RE: AuthN and netconf-tcp, netconf-ssh

 

Hi Liem,

Moving AuthZ into ODL codebase sounds reasonable, but that needs to be addressed by Ed, Tony etc.

I have pushed 2 commits:
1. ODL: https://git.opendaylight.org/gerrit/#/c/10318/ Extracted AuthProvider SPI bundle, Extracted UserManager backed AuthProvider into separate bundle
2. AAA: https://git.opendaylight.org/gerrit/#/c/10356/ Implemented AuthProvider SPI interface backed by CredentialAuth service.

Please review

Maros


From: Nguyen, Liem Manh [liem_m_nguyen@...]
Sent: Tuesday, August 26, 2014 18:25
To: Maros Marsalek -X (mmarsale - Pantheon Technologies SRO at Cisco); Ed Warnicke (eaw); Tony Tkacik -X (ttkacik - Pantheon Technologies SRO at Cisco)
Cc: Robert Varga -X (rovarga - Pantheon Technologies SRO at Cisco); aaa-dev@...; Kristian Kocsis -X (kkocsis - Pantheon Technologies SRO at Cisco); Mellquist, Peter; Nguyen, Liem Manh
Subject: RE: AuthN and netconf-tcp, netconf-ssh

Hi Maros,

 

Sounds good…  Just a clarification:  only the odl-aaa-authz feature/bundles (AuthZ) depend on ODL; the odl-aaa-authn feature/bundles (AuthN) do not.  So, an alternative is we could have the AuthZ reside with the ODL codebase…  AuthZ, of course, would depend on AuthN.  Thoughts on the 2 different approaches?  I personally like the fact that AuthZ should reside as close to the business/service layer as possible, since it ultimately understands the service logics for authorization.

 

Thanks,

Liem

 

From: Maros Marsalek -X (mmarsale - Pantheon Technologies SRO at Cisco) [mailto:mmarsale@...]
Sent: Tuesday, August 26, 2014 12:42 AM
To: Nguyen, Liem Manh; Ed Warnicke (eaw); Tony Tkacik -X (ttkacik - Pantheon Technologies SRO at Cisco)
Cc: Robert Varga -X (rovarga - Pantheon Technologies SRO at Cisco); aaa-dev@...; Kristian Kocsis -X (kkocsis - Pantheon Technologies SRO at Cisco); Mellquist, Peter
Subject: RE: AuthN and netconf-tcp, netconf-ssh

 

Talked to Tony,

He said that we cannot introduce a direct dependency in ODL to the AAA bundles. AAA bundles depend on ODL bundles and we would introduce a cyclic dependency that would cause problems when bumping version of ODL bundles during release or otherwise (since AAA is not part of ODL base repository).

He suggested that we introduce a new bundle in ODL with SPI for Authentication Service for Netconf. It would serve as an interface between ODL netconf and Authentication Service implementations. Then there would be 2 implementations:
- AD-SAL UserManager (we would extract UserManager related code and all AD-SAL dependencies there so it can be easily replaceable)
- Liem's implementation (this implementation would be hosted in AAA repository and would replace the first implementation in distributions)

So what do you say to that approach ?
We would have to introduce a new interface to ODL (only SPI but still, it's API freeze)
Liem would still have to bump the version of ODL they use and release their bundles.

Maros


From: Nguyen, Liem Manh [liem_m_nguyen@...]
Sent: Monday, August 25, 2014 17:44
To: Maros Marsalek -X (mmarsale - Pantheon Technologies SRO at Cisco); Ed Warnicke (eaw)
Cc: Robert Varga -X (rovarga - Pantheon Technologies SRO at Cisco); aaa-dev@...; Kristian Kocsis -X (kkocsis - Pantheon Technologies SRO at Cisco); Mellquist, Peter
Subject: RE: AuthN and netconf-tcp, netconf-ssh

>> what shape is your service in ?

 

The snapshot is available in Nexus…  The AuthN piece is working 100%; the IdM backend is being integrated (so not yet checked in)… Hopefully, it will be in earlier this week.  For testing, you can just use the canned user (admin/odl).

 

Regards,

Liem

 

From: Maros Marsalek -X (mmarsale - Pantheon Technologies SRO at Cisco) [mailto:mmarsale@...]
Sent: Monday, August 25, 2014 8:35 AM
To: Ed Warnicke (eaw)
Cc: Nguyen, Liem Manh; Robert Varga -X (rovarga - Pantheon Technologies SRO at Cisco); aaa-dev@...; Kristian Kocsis -X (kkocsis - Pantheon Technologies SRO at Cisco)
Subject: RE: AuthN and netconf-tcp, netconf-ssh

 

Ok, I can take a look at that tomorrow. But it's just 2 days (tomorrow and the day after) for me until code freeze, will be on PTO from Thursday.

So if I am not able to accomplish that by September 1st, will it be possible to merge after ? Or should someone else take it ?

And Liem, what shape is your service in ? Can I start using it from tomorrow in ODL ? Is it possible to integrate it with ODL-netconf bundle in 1-2 days ?

Maros


From: Ed Warnicke (eaw)
Sent: Monday, August 25, 2014 17:17
To: Maros Marsalek -X (mmarsale - Pantheon Technologies SRO at Cisco)
Cc: Nguyen, Liem Manh; Robert Varga -X (rovarga - Pantheon Technologies SRO at Cisco); aaa-dev@...; Kristian Kocsis -X (kkocsis - Pantheon Technologies SRO at Cisco)
Subject: Re: AuthN and netconf-tcp, netconf-ssh

Definitely Helium.

 

Ed

On Aug 25, 2014, at 10:11 AM, Maros Marsalek -X (mmarsale - Pantheon Technologies SRO at Cisco) <mmarsale@...> wrote:

 

Hi Liem,

Netconf in ODL still uses old UserManager service from AD-SAL.
I'd be happy to replace it with your API/Implementation for user/password authentication.

But I have a few questions for you/Robert/Ed:
Do we want to do it in Helium or later (not too much time until code freeze) ?
Are your bundles (Api/Implementation) part of ODL base distribution or will they be ?

Regards,
Maros


From: Nguyen, Liem Manh [liem_m_nguyen@...]
Sent: Saturday, August 23, 2014 00:13
To: Ed Warnicke (eaw)
Cc: Robert Varga -X (rovarga - Pantheon Technologies SRO at Cisco); Maros Marsalek -X (mmarsale - Pantheon Technologies SRO at Cisco); aaa-dev@...; Kristian Kocsis -X (kkocsis - Pantheon Technologies SRO at Cisco)
Subject: RE: AuthN and netconf-tcp, netconf-ssh

Hi Ed,

 

So… the bundle would:

 

1.       Get a reference to the org.opendaylight.aaa.api.CredentialAuth service from OSGi.

2.       Call the authenticate() method on the service, passing in the user credentials (username/password)

3.       The call will return back a Claim object, consisting of:

a.       Client id (if known)

b.      User id

c.       User name

d.      Domain name

e.      User roles

If the credentials are not valid, a runtime AuthenticationException will be thrown.

 

Regards,

Liem

 

From: Ed Warnicke (eaw) [mailto:eaw@...] 
Sent: Friday, August 22, 2014 2:44 PM
To: Nguyen, Liem Manh
Cc: Robert Varga -X (rovarga - Pantheon Technologies SRO at Cisco); Maros Marsalek -X (mmarsale - Pantheon Technologies SRO at Cisco); aaa-dev@...; Kristian Kocsis -X (kkocsis - Pantheon Technologies SRO at Cisco)
Subject: Re: AuthN and netconf-tcp, netconf-ssh

 

Liem,  

Think of it this way:

We have a bundle.  The bundle gets user credentials.  It needs to ask AuthN, via a Java service, whether those credentials are valid or not (and what roles they correspond to).

 

How would we do that?

 

Ed

On Aug 22, 2014, at 3:44 PM, Nguyen, Liem Manh <liem_m_nguyen@...> wrote:

 

Hi Robert,

 

I am not sure I quite understand your comment about API macro, but the AuthN piece in AAA is designed to be independent of either AD-SAL or MD-SAL.

 

Regards,

Liem

 

From: Robert Varga -X (rovarga - Pantheon Technologies SRO at Cisco) [mailto:rovarga@...] 
Sent: Friday, August 22, 2014 1:04 PM
To: Nguyen, Liem Manh; Ed Warnicke (eaw); Maros Marsalek -X (mmarsale - Pantheon Technologies SRO at Cisco)
Cc: aaa-dev@...; Kristian Kocsis -X (kkocsis - Pantheon Technologies SRO at Cisco)
Subject: RE: AuthN and netconf-tcp, netconf-ssh

 

Hey Liem,

 

This looks like an API Maros (CC’d) will need to migrate the NETCONF bits away from AD-SAL.

 

Thanks,

Robert

 

 

From: Nguyen, Liem Manh [mailto:liem_m_nguyen@...] 
Sent: Wednesday, August 20, 2014 8:06 PM
To: Ed Warnicke (eaw)
Cc: Robert Varga -X (rovarga - Pantheon Technologies SRO at Cisco); aaa-dev@...
Subject: RE: AuthN and netconf-tcp, netconf-ssh

 

Hi Robert,

 

While we are working on integrating the IdM server (almost there!), this is the service you can obtain from OSGi to do the authentication:

 

 

Currently, the only credential AAA supports out-of-the-box for direct authentication is username/password:  PasswordCredentials.

 

Please let me know if you have any questions…

 

Regards,

Liem

 

-----Original Message-----
From: Nguyen, Liem Manh 
Sent: Tuesday, August 19, 2014 12:50 PM
To: 'Ed Warnicke (eaw)'
Cc: Robert Varga -X (rovarga - Pantheon Technologies SRO at Cisco); aaa-dev@...
Subject: RE: AuthN and netconf-tcp, netconf-ssh

 

No, we don't have any formal doc on that yet (will be Javadoc as soon as we get the IdM server integrated); but, it will be part of the OSGi IdmService.  I will provide more developer info as soon as this gets integrated (hopefully) this week.

 

Regards,

Liem

 

-----Original Message-----

From: Ed Warnicke (eaw) [mailto:eaw@...]

Sent: Tuesday, August 19, 2014 12:24 PM

To: Nguyen, Liem Manh

Cc: Robert Varga -X (rovarga - Pantheon Technologies SRO at Cisco); aaa-dev@...

Subject: Re: AuthN and netconf-tcp, netconf-ssh

 

Liem,

                We would need a direct Java binding… do you have DOCs on how to do that?

 

Ed

On Aug 19, 2014, at 1:51 PM, Nguyen, Liem Manh <liem_m_nguyen@...> wrote:

 

> Hi Robert,

> AAA comes with a built-in IdM server with a set of REST APIs to manage users/roles/domains.  You can use this API to validate credentials from your service, basically passing in username/password/domain and getting back a set of roles for that user on the given domain.  You can then do further authorization if needed in your service.

> More details on the IdM APIs here (Sorry, we are working on getting more formal documentation than a spreadsheet):

> This work is not yet checked in, since we are still working on integrating it into Karaf (having issue with JAXB/JSON in Karaf)...

> Regards,

> Liem

> -----Original Message-----

> From: Ed Warnicke (eaw) [mailto:eaw@...]

> Sent: Tuesday, August 19, 2014 7:48 AM

> To: Robert Varga -X (rovarga - Pantheon Technologies SRO at Cisco); aaa-dev@...; Nguyen, Liem Manh

> Subject: AuthN and netconf-tcp, netconf-ssh

> Liem,

>             Robert is wanting to explore using AAA for netconf-tcp and netconf-ssh for Helium.

>             As we've discussed, the need here is for netconf-{tcp,ssh} to be able to present credentials to authN, and find out if they are valid credentials.  Hopefully this should be simple.  Could you help Robert figure out the scope of the work?

> Ed
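
The flow Liem outlines earlier in this thread (look up CredentialAuth, call authenticate(), receive a Claim or an AuthenticationException), placed behind the kind of AuthProvider SPI Maros describes, as an added example that is not code from the AAA or controller projects. The nested types are local stand-ins: only the type names and authenticate() appear in the e-mails, while the fields, the SPI method, the bind/unbind hooks and the sample account are assumptions.

```java
import java.util.Collections;
import java.util.Set;

public class CredentialAuthAdapterExample {

    /* Stand-ins for the AAA types named in the thread. Only the type names and
       authenticate() come from the e-mails; fields and signatures are assumptions. */
    static class AuthenticationException extends RuntimeException {
        AuthenticationException(String message) { super(message); }
    }

    static final class PasswordCredentials {
        final String username;
        final String password;
        PasswordCredentials(String username, String password) {
            this.username = username;
            this.password = password;
        }
    }

    static final class Claim {
        final String clientId;   // "if known" in the thread, so it may be null
        final String userId;
        final String userName;
        final String domain;
        final Set<String> roles;
        Claim(String clientId, String userId, String userName, String domain, Set<String> roles) {
            this.clientId = clientId;
            this.userId = userId;
            this.userName = userName;
            this.domain = domain;
            this.roles = roles;
        }
    }

    interface CredentialAuth {
        // Throws the runtime AuthenticationException when the credentials are invalid.
        Claim authenticate(PasswordCredentials credentials);
    }

    /* Hypothetical NETCONF-side SPI: the only type netconf-{tcp,ssh} would compile against. */
    interface AuthProvider {
        boolean authenticated(String username, String password);
    }

    /* AAA-side implementation of the SPI, backed by CredentialAuth. */
    static final class CredentialAuthProvider implements AuthProvider {
        // In a bundle this field would be set and cleared as the OSGi service comes and goes.
        private volatile CredentialAuth service;

        void bind(CredentialAuth s) { service = s; }
        void unbind() { service = null; }

        @Override
        public boolean authenticated(String username, String password) {
            CredentialAuth current = service; // read once; the service may vanish mid-call
            if (current == null || username == null || password == null) {
                return false; // no AuthN service or incomplete credentials: deny
            }
            try {
                Claim claim = current.authenticate(new PasswordCredentials(username, password));
                return claim != null && claim.userId != null;
            } catch (AuthenticationException e) {
                return false; // invalid credentials
            } catch (RuntimeException e) {
                return false; // backend failure is a denial, never a success
            }
        }
    }

    /* Constructed backend with one constructed account, for the demo only. */
    static final class DemoBackend implements CredentialAuth {
        @Override
        public Claim authenticate(PasswordCredentials c) {
            if ("backend-down".equals(c.username)) {
                throw new IllegalStateException("identity store unreachable");
            }
            if ("alice".equals(c.username) && "constructed-password".equals(c.password)) {
                return new Claim(null, "1001", "alice", "sdn", Collections.singleton("admin"));
            }
            throw new AuthenticationException("bad credentials");
        }
    }

    public static void main(String[] args) {
        CredentialAuthProvider provider = new CredentialAuthProvider();
        System.out.println("service not bound: " + provider.authenticated("alice", "constructed-password"));
        provider.bind(new DemoBackend());
        System.out.println("valid credentials: " + provider.authenticated("alice", "constructed-password"));
        System.out.println("wrong password:    " + provider.authenticated("alice", "guess"));
        System.out.println("backend failure:   " + provider.authenticated("backend-down", "x"));
        provider.unbind();
        System.out.println("service removed:   " + provider.authenticated("alice", "constructed-password"));
    }
}
```

Every path other than a returned Claim yields false, so an unbound service or a failing identity store denies the NETCONF login instead of letting it through.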

 


FW: Change in aaa[master]: Karaf integration

Nguyen, Liem Manh <liem_m_nguyen@...>
 

FYI... I have added a project for building a Karaf distro for AAA; so, testing stuff with AAA in Karaf should be a little bit easier than before:

1) build aaa (mvn clean install)
2) cd distribution-karaf/target/assembly
3) bin/karaf
4) feature:install odl-aaa-all

That's it!

Cheers,
Liem

-----Original Message-----
From: Gerrit Code Review [mailto:gerrit@...]
Sent: Wednesday, August 27, 2014 2:42 PM
To: Nguyen, Liem Manh
Subject: Change in aaa[master]: Karaf integration

From jenkins-aaa <jenkins-aaa@...>:

jenkins-aaa has posted comments on this change.

Change subject: Karaf integration
......................................................................


Patch Set 2:

Build Started https://jenkins.opendaylight.org/aaa/job/aaa-merge/5/

--
To view, visit https://git.opendaylight.org/gerrit/10396
To unsubscribe, visit https://git.opendaylight.org/gerrit/settings

Gerrit-MessageType: comment
Gerrit-Change-Id: I267cbb1a99c3e196f5dc069f9a23ce97b8b00d21
Gerrit-PatchSet: 2
Gerrit-Project: aaa
Gerrit-Branch: master
Gerrit-Owner: Liem Nguyen <liem_m_nguyen@...>
Gerrit-Reviewer: Liem Nguyen <liem_m_nguyen@...>
Gerrit-Reviewer: jenkins-aaa <jenkins-aaa@...>
Gerrit-HasComments: No


Documentation meeting for AAA

Nguyen, Liem Manh <liem_m_nguyen@...>
 

Moving again till next week to give folks more time on integration, as this week is the last week before code freeze…  Sorry, Sujatha.
 
Thanks,
Liem
 
 
 


steps to verify karaf stuff...

Nguyen, Liem Manh <liem_m_nguyen@...>
 

Hi everyone,

 

Here’re the steps I usually take to verify if some libraries/code I have added for AAA still works in Karaf:

 

1.       Run the local unit tests and feature tests:

a.       mvn clean install (root pom)

b.      Go to distribution-karaf:  bin/karaf

c.       In Karaf shell:  feature:install odl-aaa-all

d.      Do your testing (sorry still working on automated integration tests):  Example (create a token):  curl -s -d 'grant_type=password&username=admin&password=admin&scope=coke' http://localhost:8181/oauth2/token

2.        After merging (gerrit +2), you can also try running the latest AAA on the integration branch (git clone ssh://${ODL_USERNAME}@git.opendaylight.org:29418/integration.git)

a.       rm -rf ~/.m2/repository/

b.       In integration project:  mvn clean install

 

Cheers,

Liem

 

PS:  In case you are not aware, code freeze has been postponed to 9/4 in the TSC call this morning.


Re: [release] integration (temporarily) doesn't build

Tai, Hideyuki <hideyuki.tai@...>
 

Hi Colin,

 

FYI.

To be honest, I'm not sure if my patch (Gerrit 10653) solves the problem you mentioned.

 

In the first place, I failed to execute "mvn clean install" for pom.xml of features directory of Integration Git repository.

I'm seeing this:

https://gist.github.com/anonymous/383c2ac0e9279021f99c

 

It seems to me that the root cause of this issue is that pom.xml of features-netconf of controller project lacks a dependency.

Therefore, I've submitted the patch to controller project.

https://git.opendaylight.org/gerrit/#/c/10653/

 

I think the root cause of the problem you saw is that pom.xml of features-aaa of aaa project lacks a dependency on aaa-authn-odl-plugin, although odl-aaa-authn-plugin feature depends on aaa-authn-odl-plugin.

Please check the features.xml of aaa project.

 

[features/src/main/resources/features.xml of AAA Git repository]

    <feature name='odl-aaa-authn-plugin' description='OpenDaylight :: AAA :: ODL NETCONF Plugin'
        version='${project.version}'>
        <feature version='${netconf.version}'>odl-netconf-api</feature>
        <feature version='${project.version}'>odl-aaa-authn</feature>
        <bundle>mvn:org.opendaylight.aaa/aaa-authn-odl-plugin/${project.version}</bundle>
    </feature>

 

Regards,

Hideyuki Tai

 

From: release-bounces@... [mailto:release-bounces@...] On Behalf Of Colin Dixon
Sent: Tuesday, September 02, 2014 15:46
To: release@...
Subject: [release] integration (temporarily) doesn't build

 

Just so people are aware and don't have to go through this again.

Ed tells me that the fix is here:
https://git.opendaylight.org/gerrit/#/c/10653/

The verify job for it got wedged and has now hopefully been unwedged and we'll be back somewhere happy after that.

--Colin


Re: [release] integration (temporarily) doesn't build

Nguyen, Liem Manh <liem_m_nguyen@...>
 

Yep… The pom.xml in the AAA features lacks a dependency on aaa-authn-odl-plugin…  I will submit a patch…

 

Thanks,

Liem

 

From: aaa-dev-bounces@... [mailto:aaa-dev-bounces@...] On Behalf Of Tai, Hideyuki
Sent: Tuesday, September 02, 2014 4:04 PM
To: Colin Dixon; release@...
Cc: aaa-dev@...
Subject: Re: [Aaa-dev] [release] integration (temporarily) doesn't build

 

Hi Colin,

 

FYI.

To be honest, I'm not sure if my patch (Gerrit 10653) solves the problem you mentioned.

 

In the first place, I failed to execute "mvn clean install" for pom.xml of features directory of Integration Git repository.

I'm seeing this:

https://gist.github.com/anonymous/383c2ac0e9279021f99c

 

It seems to me that the root cause of this issue is that pom.xml of features-netconf of controller project lacks a dependency.

Therefore, I've submitted the patch to controller project.

https://git.opendaylight.org/gerrit/#/c/10653/

 

I think the root cause of the problem you saw is that pom.xml of features-aaa of aaa project lacks a dependency on aaa-authn-odl-plugin, although odl-aaa-authn-plugin feature depends on aaa-authn-odl-plugin.

Please check the features.xml of aaa project.

 

[features/src/main/resources/features.xml of AAA Git repository]

    <feature name='odl-aaa-authn-plugin' description='OpenDaylight :: AAA :: ODL NETCONF Plugin'
        version='${project.version}'>
        <feature version='${netconf.version}'>odl-netconf-api</feature>
        <feature version='${project.version}'>odl-aaa-authn</feature>
        <bundle>mvn:org.opendaylight.aaa/aaa-authn-odl-plugin/${project.version}</bundle>
    </feature>

 

Regards,

Hideyuki Tai

 

From: release-bounces@... [mailto:release-bounces@...] On Behalf Of Colin Dixon
Sent: Tuesday, September 02, 2014 15:46
To: release@...
Subject: [release] integration (temporarily) doesn't build

 

Just so people are aware and don't have to go through this again.

Ed tells me that the fix is here:
https://git.opendaylight.org/gerrit/#/c/10653/

The verify job for it got wedged and has now hopefully been unwedged and we'll be back somewhere happy after that.

--Colin


Re: [release] integration (temporarily) doesn't build

Colin Dixon <colin@...>
 

Can you let me know when that happens?

Thanks!


On Tue, Sep 2, 2014 at 6:19 PM, Nguyen, Liem Manh <liem_m_nguyen@...> wrote:

Yep… The pom.xml in the AAA features lacks a dependency on aaa-authn-odl-plugin…  I will submit a patch…

 

Thanks,

Liem

 

From: aaa-dev-bounces@... [mailto:aaa-dev-bounces@...] On Behalf Of Tai, Hideyuki
Sent: Tuesday, September 02, 2014 4:04 PM
To: Colin Dixon; release@...
Cc: aaa-dev@...
Subject: Re: [Aaa-dev] [release] integration (temporarily) doesn't build

 

Hi Colin,

 

FYI.

To be honest, I'm not sure if my patch (Gerrit 10653) solves the problem you mentioned.

 

In the first place, I failed to execute "mvn clean install" for pom.xml of features directory of Integration Git repository.

I'm seeing this:

https://gist.github.com/anonymous/383c2ac0e9279021f99c

 

It seems to me that the root cause of this issue is that pom.xml of features-netconf of controller project lacks a dependency.

Therefore, I've submitted the patch to controller project.

https://git.opendaylight.org/gerrit/#/c/10653/

 

I think the root cause of the problem you saw is that pom.xml of features-aaa of aaa project lacks a dependency on aaa-authn-odl-plugin, although odl-aaa-authn-plugin feature depends on aaa-authn-odl-plugin.

Please check the features.xml of aaa project.

 

[features/src/main/resources/features.xml of AAA Git repository]

    <feature name='odl-aaa-authn-plugin' description='OpenDaylight :: AAA :: ODL NETCONF Plugin'
        version='${project.version}'>
        <feature version='${netconf.version}'>odl-netconf-api</feature>
        <feature version='${project.version}'>odl-aaa-authn</feature>
        <bundle>mvn:org.opendaylight.aaa/aaa-authn-odl-plugin/${project.version}</bundle>
    </feature>

 

Regards,

Hideyuki Tai

 

From: release-bounces@... [mailto:release-bounces@...] On Behalf Of Colin Dixon
Sent: Tuesday, September 02, 2014 15:46
To: release@...
Subject: [release] integration (temporarily) doesn't build

 

Just so people are aware and don't have to go through this again.

Ed tells me that the fix is here:
https://git.opendaylight.org/gerrit/#/c/10653/

The verify job for it got wedged and has now hopefully been unwedged and we'll be back somewhere happy after that.

--Colin



Re: [release] integration (temporarily) doesn't build

Tai, Hideyuki <hideyuki.tai@...>
 

Hi Colin,

 

He has already pushed and merged the patch to AAA Git repository.

https://git.opendaylight.org/gerrit/#/c/10662/

 

On the other hand, the patch for features-netconf has not yet been merged.

https://git.opendaylight.org/gerrit/#/c/10653/

The verify job has not been completed yet.

A verify job of controller project usually takes one and a half hours, but that job has already taken over two hours.

 

Regards,

Hideyuki Tai

 

From: Colin Dixon [mailto:colin@...]
Sent: Tuesday, September 02, 2014 17:35
To: Nguyen, Liem Manh
Cc: Tai, Hideyuki; release@...; aaa-dev@...
Subject: Re: [release] integration (temporarily) doesn't build

 

Can you let me know when that happens?

Thanks!

 

On Tue, Sep 2, 2014 at 6:19 PM, Nguyen, Liem Manh <liem_m_nguyen@...> wrote:

Yep… The pom.xml in the AAA features lacks a dependency on aaa-authn-odl-plugin…  I will submit a patch…

 

Thanks,

Liem

 

From: aaa-dev-bounces@... [mailto:aaa-dev-bounces@...] On Behalf Of Tai, Hideyuki
Sent: Tuesday, September 02, 2014 4:04 PM
To: Colin Dixon; release@...
Cc: aaa-dev@...
Subject: Re: [Aaa-dev] [release] integration (temporarily) doesn't build

 

Hi Colin,

 

FYI.

To be honest, I'm not sure if my patch (Gerrit 10653) solves the problem you mentioned.

 

In the first place, I failed to execute "mvn clean install" for pom.xml of features directory of Integration Git repository.

I'm seeing this:

https://gist.github.com/anonymous/383c2ac0e9279021f99c

 

It seems to me that the root cause of this issue is that pom.xml of features-netconf of controller project lacks a dependency.

Therefore, I've submitted the patch to controller project.

https://git.opendaylight.org/gerrit/#/c/10653/

 

I think the root cause of the problem you saw is that pom.xml of features-aaa of aaa project lacks a dependency on aaa-authn-odl-plugin, although odl-aaa-authn-plugin feature depends on aaa-authn-odl-plugin.

Please check the features.xml of aaa project.

 

[features/src/main/resources/features.xml of AAA Git repository]

    <feature name='odl-aaa-authn-plugin' description='OpenDaylight :: AAA :: ODL NETCONF Plugin'
        version='${project.version}'>
        <feature version='${netconf.version}'>odl-netconf-api</feature>
        <feature version='${project.version}'>odl-aaa-authn</feature>
        <bundle>mvn:org.opendaylight.aaa/aaa-authn-odl-plugin/${project.version}</bundle>
    </feature>

 

Regards,

Hideyuki Tai

 

From: release-bounces@... [mailto:release-bounces@...] On Behalf Of Colin Dixon
Sent: Tuesday, September 02, 2014 15:46
To: release@...
Subject: [release] integration (temporarily) doesn't build

 

Just so people are aware and don't have to go through this again.

Ed tells me that the fix is here:
https://git.opendaylight.org/gerrit/#/c/10653/

The verify job for it got wedged and has now hopefully been unwedged and we'll be back somewhere happy after that.

--Colin

 


Re: [release] integration (temporarily) doesn't build

Nguyen, Liem Manh <liem_m_nguyen@...>
 

A “quick” pull and build on integration builds fine for me locally (after nuking .m2 repo for aaa).

 

Regards,

Liem

 

From: Tai, Hideyuki [mailto:hideyuki.tai@...]
Sent: Tuesday, September 02, 2014 5:44 PM
To: Colin Dixon
Cc: release@...; aaa-dev@...; Nguyen, Liem Manh
Subject: RE: [release] integration (temporarily) doesn't build

 

Hi Colin,

 

He has already pushed and merged the patch to AAA Git repository.

https://git.opendaylight.org/gerrit/#/c/10662/

 

On the other hand, the patch for features-netconf has not yet been merged.

https://git.opendaylight.org/gerrit/#/c/10653/

The verify job has not been completed yet.

A verify job of controller project usually takes one and a half hours, but that job has already taken over two hours.

 

Regards,

Hideyuki Tai

 

From: Colin Dixon [mailto:colin@...]
Sent: Tuesday, September 02, 2014 17:35
To: Nguyen, Liem Manh
Cc: Tai, Hideyuki; release@...; aaa-dev@...
Subject: Re: [release] integration (temporarily) doesn't build

 

Can you let me know when that happens?

Thanks!

 

On Tue, Sep 2, 2014 at 6:19 PM, Nguyen, Liem Manh <liem_m_nguyen@...> wrote:

Yep… The pom.xml in the AAA features lacks a dependency on aaa-authn-odl-plugin…  I will submit a patch…

 

Thanks,

Liem

 

From: aaa-dev-bounces@... [mailto:aaa-dev-bounces@...] On Behalf Of Tai, Hideyuki
Sent: Tuesday, September 02, 2014 4:04 PM
To: Colin Dixon; release@...
Cc: aaa-dev@...
Subject: Re: [Aaa-dev] [release] integration (temporarily) doesn't build

 

Hi Colin,

 

FYI.

To be honest, I'm not sure if my patch (Gerrit 10653) solves the problem you mentioned.

 

In the first place, I failed to execute "mvn clean install" for pom.xml of features directory of Integration Git repository.

I'm seeing this:

https://gist.github.com/anonymous/383c2ac0e9279021f99c

 

It seems to me that the root cause of this issue is that pom.xml of features-netconf of controller project lacks a dependency.

Therefore, I've submitted the patch to controller project.

https://git.opendaylight.org/gerrit/#/c/10653/

 

I think the root cause of the problem you saw is that pom.xml of features-aaa of aaa project lacks a dependency on aaa-authn-odl-plugin, although odl-aaa-authn-plugin feature depends on aaa-authn-odl-plugin.

Please check the features.xml of aaa project.

 

[features/src/main/resources/features.xml of AAA Git repository]

    <feature name='odl-aaa-authn-plugin' description='OpenDaylight :: AAA :: ODL NETCONF Plugin'
        version='${project.version}'>
        <feature version='${netconf.version}'>odl-netconf-api</feature>
        <feature version='${project.version}'>odl-aaa-authn</feature>
        <bundle>mvn:org.opendaylight.aaa/aaa-authn-odl-plugin/${project.version}</bundle>
    </feature>

 

Regards,

Hideyuki Tai

 

From: release-bounces@... [mailto:release-bounces@...] On Behalf Of Colin Dixon
Sent: Tuesday, September 02, 2014 15:46
To: release@...
Subject: [release] integration (temporarily) doesn't build

 

Just so people are aware and don't have to go through this again.

Ed tells me that the fix is here:
https://git.opendaylight.org/gerrit/#/c/10653/

The verify job for it got wedged and has now hopefully been unwedged and we'll be back somewhere happy after that.

--Colin

 


Re: [release] integration (temporarily) doesn't build

Colin Dixon <colin@...>
 

I was finally able to get it to build and push the TTP patch to integration. Thanks for all the help. :-)

--Colin


On Tue, Sep 2, 2014 at 7:54 PM, Nguyen, Liem Manh <liem_m_nguyen@...> wrote:

A “quick” pull and build on integration builds fine for me locally (after nuking .m2 repo for aaa).

 

Regards,

Liem

 

From: Tai, Hideyuki [mailto:hideyuki.tai@...]
Sent: Tuesday, September 02, 2014 5:44 PM
To: Colin Dixon
Cc: release@...; aaa-dev@...; Nguyen, Liem Manh
Subject: RE: [release] integration (temporarily) doesn't build

 

Hi Colin,

 

He has already pushed and merged the patch to AAA Git repository.

https://git.opendaylight.org/gerrit/#/c/10662/

 

On the other hand, the patch for features-netconf has not yet been merged.

https://git.opendaylight.org/gerrit/#/c/10653/

The verify job has not been completed yet.

A verify job of controller project usually takes one and a half hours, but that job has already taken over two hours.

 

Regards,

Hideyuki Tai

 

From: Colin Dixon [mailto:colin@...]
Sent: Tuesday, September 02, 2014 17:35
To: Nguyen, Liem Manh
Cc: Tai, Hideyuki; release@...; aaa-dev@...
Subject: Re: [release] integration (temporarily) doesn't build

 

Can you let me know when that happens?

Thanks!

 

On Tue, Sep 2, 2014 at 6:19 PM, Nguyen, Liem Manh <liem_m_nguyen@...> wrote:

Yep… The pom.xml in the AAA features lacks a dependency on aaa-authn-odl-plugin…  I will submit a patch…

 

Thanks,

Liem

 

From: aaa-dev-bounces@... [mailto:aaa-dev-bounces@...] On Behalf Of Tai, Hideyuki
Sent: Tuesday, September 02, 2014 4:04 PM
To: Colin Dixon; release@...
Cc: aaa-dev@...
Subject: Re: [Aaa-dev] [release] integration (temporarily) doesn't build

 

Hi Colin,

 

FYI.

To be honest, I'm not sure if my patch (Gerrit 10653) solves the problem you mentioned.

 

In the first place, I failed to execute "mvn clean install" for pom.xml of features directory of Integration Git repository.

I'm seeing this:

https://gist.github.com/anonymous/383c2ac0e9279021f99c

 

It seems to me that the root cause of this issue is that pom.xml of features-netconf of controller project lacks a dependency.

Therefore, I've submitted the patch to controller project.

https://git.opendaylight.org/gerrit/#/c/10653/

 

I think the root cause of the problem you saw is that pom.xml of features-aaa of aaa project lacks a dependency on aaa-authn-odl-plugin, although odl-aaa-authn-plugin feature depends on aaa-authn-odl-plugin.

Please check the features.xml of aaa project.

 

[features/src/main/resources/features.xml of AAA Git repository]

    <feature name='odl-aaa-authn-plugin' description='OpenDaylight :: AAA :: ODL NETCONF Plugin'
        version='${project.version}'>
        <feature version='${netconf.version}'>odl-netconf-api</feature>
        <feature version='${project.version}'>odl-aaa-authn</feature>
        <bundle>mvn:org.opendaylight.aaa/aaa-authn-odl-plugin/${project.version}</bundle>
    </feature>

 

Regards,

Hideyuki Tai

 

From: release-bounces@... [mailto:release-bounces@...] On Behalf Of Colin Dixon
Sent: Tuesday, September 02, 2014 15:46
To: release@...
Subject: [release] integration (temporarily) doesn't build

 

Just so people are aware and don't have to go through this again.

Ed tells me that the fix is here:
https://git.opendaylight.org/gerrit/#/c/10653/

The verify job for it got wedged and has now hopefully been unwedged and we'll be back somewhere happy after that.

--Colin

 

