Re: Karaf bundle load Error
Wojciech Dec
and yangtools-dev ...
On 4 September 2014 12:48, Wojciech Dec <wdec.ietf@...> wrote:
|
|
Re: Karaf bundle load Error
Wojciech Dec
adding aaa-dev
On 4 September 2014 12:47, Wojciech Dec <wdec.ietf@...> wrote:
|
|
Re: [release] integration (temporarily) doesn't build
Colin Dixon <colin@...>
For whatever reason, I'm intermittently seeing the build hang (I've waited ~10 minutes twice and given up) here: https://gist.github.com/anonymous/a3ee54946ef1c75ba90f The good news is that it's not happening frequently enough to keep me from getting things done. I just wanted to toss it out there to see if anyone knew of an easy fix and to make sure people don't beat their heads against it for too long thinking it's just them. It's happened to me twice so far, both times on the odl-integration-compatible-with-ovs-openstack feature. --Colin
On Wed, Sep 3, 2014 at 10:27 AM, Colin Dixon <colin@...> wrote:
|
|
Re: [release] integration (temporarily) doesn't build
Colin Dixon <colin@...>
I was finally able to get it to build and push the TTP patch to integration. Thanks for all the help. :-) --Colin
On Tue, Sep 2, 2014 at 7:54 PM, Nguyen, Liem Manh <liem_m_nguyen@...> wrote:
|
|
Re: [release] integration (temporarily) doesn't build
Nguyen, Liem Manh <liem_m_nguyen@...>
A “quick” pull and build on integration builds fine for me locally (after nuking .m2 repo for aaa).
Regards, Liem
From: Tai, Hideyuki [mailto:hideyuki.tai@...]
Hi Colin,
He has already pushed and merged the patch to AAA Git repository. https://git.opendaylight.org/gerrit/#/c/10662/
On the other hand, the patch for features-netconf has not yet been merged. https://git.opendaylight.org/gerrit/#/c/10653/ The verify job has not been completed yet. A verify job of controller project usually takes an hour and a half, but that job has already taken over two hours.
Regards, Hideyuki Tai
From: Colin Dixon [mailto:colin@...]
Can you let me know when that happens?
On Tue, Sep 2, 2014 at 6:19 PM, Nguyen, Liem Manh <liem_m_nguyen@...> wrote:
Yep… The pom.xml in the AAA features lacks a dependency on aaa-authn-odl-plugin… I will submit a patch…
Thanks, Liem
From:
aaa-dev-bounces@... [mailto:aaa-dev-bounces@...]
On Behalf Of Tai, Hideyuki
Hi Colin,
FYI. To be honest, I'm not sure if my patch (Gerrit 10653) solves the problem you mentioned.
In the first place, I failed to execute "mvn clean install" for pom.xml of features directory of Integration Git repository. I'm seeing this: https://gist.github.com/anonymous/383c2ac0e9279021f99c
It seems to me that the root cause of this issue is that pom.xml of features-netconf of controller project lacks a dependency. Therefore, I've submitted the patch to controller project. https://git.opendaylight.org/gerrit/#/c/10653/
I think the root cause of the problem you saw is that pom.xml of features-aaa of aaa project lacks a dependency on aaa-authn-odl-plugin, although odl-aaa-authn-plugin feature depends on aaa-authn-odl-plugin. Please check the features.xml of aaa project.
[features/src/main/resources/features.xml of AAA Git repository]
    <feature name='odl-aaa-authn-plugin' description='OpenDaylight :: AAA :: ODL NETCONF Plugin'
        version='${project.version}'>
        <feature version='${netconf.version}'>odl-netconf-api</feature>
        <feature version='${project.version}'>odl-aaa-authn</feature>
        <bundle>mvn:org.opendaylight.aaa/aaa-authn-odl-plugin/${project.version}</bundle>
    </feature>
Regards, Hideyuki Tai
From:
release-bounces@... [mailto:release-bounces@...]
On Behalf Of Colin Dixon
Just so people are aware and don't have to go through this again.
Ed tells me that the fix is here: The verify job for it got wedged and has now hopefully been unwedged and we'll be back somewhere happy after that. --Colin
|
|
Re: [release] integration (temporarily) doesn't build
Tai, Hideyuki <hideyuki.tai@...>
Hi Colin,
He has already pushed and merged the patch to AAA Git repository. https://git.opendaylight.org/gerrit/#/c/10662/
On the other hand, the patch for features-netconf has not yet been merged. https://git.opendaylight.org/gerrit/#/c/10653/ The verify job has not been completed yet. A verify job of controller project usually takes an hour and a half, but that job has already taken over two hours.
Regards, Hideyuki Tai
From: Colin Dixon [mailto:colin@...]
Can you let me know when that happens?
On Tue, Sep 2, 2014 at 6:19 PM, Nguyen, Liem Manh <liem_m_nguyen@...> wrote:
Yep… The pom.xml in the AAA features lacks a dependency on aaa-authn-odl-plugin… I will submit a patch…
Thanks, Liem
From:
aaa-dev-bounces@... [mailto:aaa-dev-bounces@...]
On Behalf Of Tai, Hideyuki
Hi Colin,
FYI. To be honest, I'm not sure if my patch (Gerrit 10653) solves the problem you mentioned.
In the first place, I failed to execute "mvn clean install" for pom.xml of features directory of Integration Git repository. I'm seeing this: https://gist.github.com/anonymous/383c2ac0e9279021f99c
It seems to me that the root cause of this issue is that pom.xml of features-netconf of controller project lacks a dependency. Therefore, I've submitted the patch to controller project. https://git.opendaylight.org/gerrit/#/c/10653/
I think the root cause of the problem you saw is that pom.xml of features-aaa of aaa project lacks a dependency on aaa-authn-odl-plugin, although odl-aaa-authn-plugin feature depends on aaa-authn-odl-plugin. Please check the features.xml of aaa project.
[features/src/main/resources/features.xml of AAA Git repository]
    <feature name='odl-aaa-authn-plugin' description='OpenDaylight :: AAA :: ODL NETCONF Plugin'
        version='${project.version}'>
        <feature version='${netconf.version}'>odl-netconf-api</feature>
        <feature version='${project.version}'>odl-aaa-authn</feature>
        <bundle>mvn:org.opendaylight.aaa/aaa-authn-odl-plugin/${project.version}</bundle>
    </feature>
Regards, Hideyuki Tai
From:
release-bounces@... [mailto:release-bounces@...]
On Behalf Of Colin Dixon
Just so people are aware and don't have to go through this again.
Ed tells me that the fix is here: The verify job for it got wedged and has now hopefully been unwedged and we'll be back somewhere happy after that. --Colin
|
|
Re: [release] integration (temporarily) doesn't build
Colin Dixon <colin@...>
Can you let me know when that happens? Thanks!
On Tue, Sep 2, 2014 at 6:19 PM, Nguyen, Liem Manh <liem_m_nguyen@...> wrote:
|
|
Re: [release] integration (temporarily) doesn't build
Nguyen, Liem Manh <liem_m_nguyen@...>
Yep… The pom.xml in the AAA features lacks a dependency on aaa-authn-odl-plugin… I will submit a patch…
Thanks, Liem
From: aaa-dev-bounces@... [mailto:aaa-dev-bounces@...]
On Behalf Of Tai, Hideyuki
Hi Colin,
FYI. To be honest, I'm not sure if my patch (Gerrit 10653) solves the problem you mentioned.
In the first place, I failed to execute "mvn clean install" for pom.xml of features directory of Integration Git repository. I'm seeing this: https://gist.github.com/anonymous/383c2ac0e9279021f99c
It seems to me that the root cause of this issue is that pom.xml of features-netconf of controller project lacks a dependency. Therefore, I've submitted the patch to controller project. https://git.opendaylight.org/gerrit/#/c/10653/
I think the root cause of the problem you saw is that pom.xml of features-aaa of aaa project lacks a dependency on aaa-authn-odl-plugin, although odl-aaa-authn-plugin feature depends on aaa-authn-odl-plugin. Please check the features.xml of aaa project.
[features/src/main/resources/features.xml of AAA Git repository]
    <feature name='odl-aaa-authn-plugin' description='OpenDaylight :: AAA :: ODL NETCONF Plugin'
        version='${project.version}'>
        <feature version='${netconf.version}'>odl-netconf-api</feature>
        <feature version='${project.version}'>odl-aaa-authn</feature>
        <bundle>mvn:org.opendaylight.aaa/aaa-authn-odl-plugin/${project.version}</bundle>
    </feature>
Regards, Hideyuki Tai
From:
release-bounces@... [mailto:release-bounces@...]
On Behalf Of Colin Dixon
Just so people are aware and don't have to go through this again.
Ed tells me that the fix is here: The verify job for it got wedged and has now hopefully been unwedged and we'll be back somewhere happy after that. --Colin
|
|
Re: [release] integration (temporarily) doesn't build
Tai, Hideyuki <hideyuki.tai@...>
Hi Colin,
FYI. To be honest, I'm not sure if my patch (Gerrit 10653) solves the problem you mentioned.
In the first place, I failed to execute "mvn clean install" for pom.xml of features directory of Integration Git repository. I'm seeing this: https://gist.github.com/anonymous/383c2ac0e9279021f99c
It seems to me that the root cause of this issue is that pom.xml of features-netconf of controller project lacks a dependency. Therefore, I've submitted the patch to controller project. https://git.opendaylight.org/gerrit/#/c/10653/
I think the root cause of the problem you saw is that pom.xml of features-aaa of aaa project lacks a dependency on aaa-authn-odl-plugin, although odl-aaa-authn-plugin feature depends on aaa-authn-odl-plugin. Please check the features.xml of aaa project.
[features/src/main/resources/features.xml of AAA Git repository]
    <feature name='odl-aaa-authn-plugin' description='OpenDaylight :: AAA :: ODL NETCONF Plugin'
        version='${project.version}'>
        <feature version='${netconf.version}'>odl-netconf-api</feature>
        <feature version='${project.version}'>odl-aaa-authn</feature>
        <bundle>mvn:org.opendaylight.aaa/aaa-authn-odl-plugin/${project.version}</bundle>
    </feature>
Regards, Hideyuki Tai
From: release-bounces@... [mailto:release-bounces@...]
On Behalf Of Colin Dixon
Just so people are aware and don't have to go through this again.
Ed tells me that the fix is here: The verify job for it got wedged and has now hopefully been unwedged and we'll be back somewhere happy after that. --Colin
|
|
steps to verify karaf stuff...
Nguyen, Liem Manh <liem_m_nguyen@...>
Hi everyone,
Here’re the steps I usually take to verify if some libraries/code I have added for AAA still works in Karaf:
1. Run the local unit tests and feature tests:
   a. mvn clean install (root pom)
   b. Go to distribution-karaf: bin/karaf
   c. In Karaf shell: feature:install odl-aaa-all
   d. Do your testing (sorry still working on automated integration tests):
      Example (create a token):
      curl -s -d 'grant_type=password&username=admin&password=admin&scope=coke' http://localhost:8181/oauth2/token
2. After merging (gerrit +2), you can also try running the latest AAA on the integration branch also (git clone ssh://${ODL_USERNAME}@git.opendaylight.org:29418/integration.git)
   a. rm -rf ~/.m2/repository/
   b. In integration project: mvn clean install
Cheers, Liem
PS: In case, you are not aware, code freeze has been postponed to 9/4 in the TSC call this morning.
|
|
Documentation meeting for AAA
Nguyen, Liem Manh <liem_m_nguyen@...>
Moving again till next week to give folks more time on integration, as this week is the last week before code freeze… Sorry, Sujatha.
Thanks,
Liem
|
|
FW: Change in aaa[master]: Karaf integration
Nguyen, Liem Manh <liem_m_nguyen@...>
FYI... I have added a project for building a Karaf distro for AAA; so, testing stuff with AAA in Karaf should be a little bit easier than before:
1) build aaa (mvn clean install)
2) cd distribution-karaf/target/assembly
3) bin/karaf
4) feature:install odl-aaa-all
That's it!
Cheers, Liem
-----Original Message-----
From: Gerrit Code Review [mailto:gerrit@...]
Sent: Wednesday, August 27, 2014 2:42 PM
To: Nguyen, Liem Manh
Subject: Change in aaa[master]: Karaf integration

From jenkins-aaa <jenkins-aaa@...>:

jenkins-aaa has posted comments on this change.

Change subject: Karaf integration

Patch Set 2:

Build Started https://jenkins.opendaylight.org/aaa/job/aaa-merge/5/

--
To view, visit https://git.opendaylight.org/gerrit/10396
To unsubscribe, visit https://git.opendaylight.org/gerrit/settings

Gerrit-MessageType: comment
Gerrit-Change-Id: I267cbb1a99c3e196f5dc069f9a23ce97b8b00d21
Gerrit-PatchSet: 2
Gerrit-Project: aaa
Gerrit-Branch: master
Gerrit-Owner: Liem Nguyen <liem_m_nguyen@...>
Gerrit-Reviewer: Liem Nguyen <liem_m_nguyen@...>
Gerrit-Reviewer: jenkins-aaa <jenkins-aaa@...>
Gerrit-HasComments: No
|
|
Re: AuthN and netconf-tcp, netconf-ssh
Nguyen, Liem Manh <liem_m_nguyen@...>
Hi Maros,
I think we can worry about the md-sal authz piece later, since we don’t have it for Helium anyways. So… let’s focus on AuthN.
For AuthN, I really don’t want it to depend on other controller components, because let’s say if the netconf bundle fails to load for instance, then we won’t have AuthN. Having direct dependency from netconf to AuthN would also keep things simpler too.
Thoughts, Ed/Tony?
Thanks, Liem
From: Maros Marsalek -X (mmarsale - Pantheon Technologies SRO at Cisco) [mailto:mmarsale@...]
Hi Liem, From: Nguyen, Liem Manh [liem_m_nguyen@...] Hi Maros,
Sounds good… Just a clarification: only the odl-aaa-authz feature/bundles (AuthZ) depend on ODL; the odl-aaa-authn feature/bundles (AuthN) do not. So, an alternative is we could have the AuthZ reside with the ODL codebase… AuthZ, of course, would depend on AuthN. Thoughts on the 2 different approaches? I personally like the fact that AuthZ should reside as close to the business/service layer as possible, since it ultimately understands the service logics for authorization.
Thanks, Liem
From: Maros Marsalek -X (mmarsale - Pantheon Technologies SRO at Cisco)
[mailto:mmarsale@...]
Talked to Tony, He suggested that we introduce a new bundle in ODL with SPI for Authentication Service for Netconf. It would serve as an interface
between ODL netconf and Authentication Service implementations. Then there would be 2 implementations: From: Nguyen, Liem Manh [liem_m_nguyen@...] >> what shape is your service in ?
The snapshot is available in Nexus… The AuthN piece is working 100%; the IdM backend is being integrated (so not yet checked in)… Hopefully, it will be in earlier this week. For testing, you can just use the canned user (admin/odl).
Regards, Liem
From: Maros Marsalek -X (mmarsale - Pantheon Technologies SRO at Cisco)
[mailto:mmarsale@...]
Ok, I can take a look at that tomorrow. But it's just 2 days (tomorrow and the day after) for me until code freeze, will be on PTO from Thursday.
From: Ed Warnicke (eaw)
Definitely Helium.
Ed
On Aug 25, 2014, at 10:11 AM, Maros Marsalek -X (mmarsale - Pantheon Technologies SRO at Cisco) <mmarsale@...> wrote:
Hi Liem,
From: Nguyen, Liem Manh [liem_m_nguyen@...]
Hi Ed,
So… the bundle would:
1. Get a reference to the org.opendaylight.aaa.api.CredentialAuth service from OSGi.
2. Call the authenticate() method on the service, passing in the user credentials (username/password)
3. The call will return back a Claim object, consisting of:
   a. Client id (if known)
   b. User id
   c. User name
   d. Domain name
   e. User roles
If the credentials are not valid, a runtime AuthenticationException will be thrown.
Regards, Liem
From: Ed
Warnicke (eaw) [mailto:eaw@...]
Liem,
Think of it this way: We have a bundle. The bundle gets user credentials. It needs to, via a Java service, ask the AuthN whether those credentials are valid or not (and what roles they correspond to).
How would we do that?
Ed
On Aug 22, 2014, at 3:44 PM, Nguyen, Liem Manh <liem_m_nguyen@...> wrote:
Hi Robert,
I am not sure I quite understand your comment about API macro, but the AuthN piece in AAA is designed to be independent of either AD-SAL or MD-SAL.
Regards, Liem
From: Robert
Varga -X (rovarga - Pantheon Technologies SRO at Cisco) [mailto:rovarga@...]
Hey Liem,
This looks like an API Maros (CC’d) will need to migrate the NETCONF bits away from AD-SAL.
Thanks, Robert
From: Nguyen,
Liem Manh [mailto:liem_m_nguyen@...]
Hi Robert,
While we are working on integrating the IdM server (almost there!), this is the service you can obtain from OSGi to do the authentication:
Currently, the only credential AAA supports out-of-the-box for direct authentication is username/password: PasswordCredentials.
Please let me know if you have any questions…
Regards, Liem
-----Original Message-----
No, we don't have any formal doc on that yet (will be Javadoc as soon as we get the IdM server integrated); but, it will be part of the OSGi IdmService. I will provide more developer info as soon as this gets integrated (hopefully) this week.
Regards, Liem
-----Original Message-----
From: Ed Warnicke (eaw) [mailto:eaw@...]
Sent: Tuesday, August 19, 2014 12:24 PM
To: Nguyen, Liem Manh
Cc: Robert Varga -X (rovarga - Pantheon Technologies SRO at Cisco); aaa-dev@...
Subject: Re: AuthN and netconf-tcp, netconf-ssh
Liem,
We would need a direct Java binding… do you have DOCs on how to do that?
Ed
On Aug 19, 2014, at 1:51 PM, Nguyen, Liem Manh <liem_m_nguyen@...> wrote:
> Hi Robert,
>
> AAA comes with a built-in IdM server with a set of REST API to manage users/roles/domains. You can use this API to validate credentials from your service, basically passing in username/password/domain and getting back a set of roles for that user on the given domain. You can then do further authorization if needed in your service.
>
> More details on the IdM APIs here (Sorry, we are working on getting more formal documentation than a spreadsheet):
>
>
> This work is not yet checked in, since we are still working on integrating it into Karaf (having issue with JAXB/JSON in Karaf)...
>
> Regards,
> Liem
>
> -----Original Message-----
> From: Ed Warnicke (eaw) [mailto:eaw@...]
> Sent: Tuesday, August 19, 2014 7:48 AM
> To: Robert Varga -X (rovarga - Pantheon Technologies SRO at Cisco); aaa-dev@...; Nguyen, Liem Manh
> Subject: AuthN and netconf-tcp, netconf-ssh
>
> Liem,
> Robert is wanting to explore using AAA for netconf-tcp and netconf-ssh for Helium.
> As we've discussed, the need here is for netconf-{tcp,ssh} to be able to present credentials to authN, and find out if they are valid credentials. Hopefully this should be simple. Could you help Robert figure out the scope of the work?
>
> Ed
|
|
Re: AuthN and netconf-tcp, netconf-ssh
Maros Marsalek -X (mmarsale - Pantheon Technologies SRO@Cisco) <mmarsale@...>
Hi Liem,
Moving AuthZ into ODL codebase sounds reasonable, but that needs to be addressed by Ed, Tony etc.
I have pushed 2 commits:
1. ODL: https://git.opendaylight.org/gerrit/#/c/10318/ Extracted AuthProvider SPI bundle, Extracted UserManager backed AuthProvider into separate bundle
2. AAA: https://git.opendaylight.org/gerrit/#/c/10356/ Implemented AuthProvider SPI interface backed by CredentialAuth service.
Please review
Maros
From: Nguyen, Liem Manh [liem_m_nguyen@...]
Sent: Tuesday, August 26, 2014 18:25
To: Maros Marsalek -X (mmarsale - Pantheon Technologies SRO at Cisco); Ed Warnicke (eaw); Tony Tkacik -X (ttkacik - Pantheon Technologies SRO at Cisco)
Cc: Robert Varga -X (rovarga - Pantheon Technologies SRO at Cisco); aaa-dev@...; Kristian Kocsis -X (kkocsis - Pantheon Technologies SRO at Cisco); Mellquist, Peter; Nguyen, Liem Manh
Subject: RE: AuthN and netconf-tcp, netconf-ssh
Hi Maros,
Sounds good… Just a clarification: only the odl-aaa-authz feature/bundles (AuthZ) depend on ODL; the odl-aaa-authn feature/bundles (AuthN) do not. So, an alternative is we could have the AuthZ reside with the ODL codebase… AuthZ, of course, would depend on AuthN. Thoughts on the 2 different approaches? I personally like the fact that AuthZ should reside as close to the business/service layer as possible, since it ultimately understands the service logics for authorization.
Thanks, Liem
From: Maros Marsalek -X (mmarsale - Pantheon Technologies SRO at Cisco) [mailto:mmarsale@...]
Talked to Tony, He suggested that we introduce a new bundle in ODL with SPI for Authentication Service for Netconf. It would serve as an interface
between ODL netconf and Authentication Service implementations. Then there would be 2 implementations: From: Nguyen, Liem Manh [liem_m_nguyen@...] >> what shape is your service in ?
The snapshot is available in Nexus… The AuthN piece is working 100%; the IdM backend is being integrated (so not yet checked in)… Hopefully, it will be in earlier this week. For testing, you can just use the canned user (admin/odl).
Regards, Liem
From: Maros Marsalek -X (mmarsale - Pantheon Technologies SRO at
Cisco) [mailto:mmarsale@...]
Ok, I can take a look at that tomorrow. But it's just 2 days (tomorrow and the day after) for me until code freeze, will be on PTO from Thursday.
From: Ed Warnicke (eaw)
Definitely Helium.
Ed
On Aug 25, 2014, at 10:11 AM, Maros Marsalek -X (mmarsale - Pantheon Technologies SRO at Cisco) <mmarsale@...> wrote:
Hi Liem,
From: Nguyen, Liem Manh [liem_m_nguyen@...]
Hi Ed,
So… the bundle would:
1. Get a reference to the org.opendaylight.aaa.api.CredentialAuth service from OSGi.
2. Call the authenticate() method on the service, passing in the user credentials (username/password)
3. The call will return back a Claim object, consisting of:
   a. Client id (if known)
   b. User id
   c. User name
   d. Domain name
   e. User roles
If the credentials are not valid, a runtime AuthenticationException will be thrown.
Regards, Liem
From: Ed
Warnicke (eaw) [mailto:eaw@...]
Liem,
Think of it this way: We have a bundle. The bundle gets user credentials. It needs to, via a Java service, ask the AuthN whether those credentials are valid or not (and what roles they correspond to).
How would we do that?
Ed
On Aug 22, 2014, at 3:44 PM, Nguyen, Liem Manh <liem_m_nguyen@...> wrote:
Hi Robert,
I am not sure I quite understand your comment about API macro, but the AuthN piece in AAA is designed to be independent of either AD-SAL or MD-SAL.
Regards, Liem
From: Robert
Varga -X (rovarga - Pantheon Technologies SRO at Cisco) [mailto:rovarga@...]
Hey Liem,
This looks like an API Maros (CC’d) will need to migrate the NETCONF bits away from AD-SAL.
Thanks, Robert
From: Nguyen,
Liem Manh [mailto:liem_m_nguyen@...]
Hi Robert,
While we are working on integrating the IdM server (almost there!), this is the service you can obtain from OSGi to do the authentication:
Currently, the only credential AAA supports out-of-the-box for direct authentication is username/password: PasswordCredentials.
Please let me know if you have any questions…
Regards, Liem
-----Original Message-----
No, we don't have any formal doc on that yet (will be Javadoc as soon as we get the IdM server integrated); but, it will be part of the OSGi IdmService. I will provide more developer info as soon as this gets integrated (hopefully) this week.
Regards, Liem
-----Original Message-----
From: Ed Warnicke (eaw) [mailto:eaw@...]
Sent: Tuesday, August 19, 2014 12:24 PM
To: Nguyen, Liem Manh
Cc: Robert Varga -X (rovarga - Pantheon Technologies SRO at Cisco); aaa-dev@...
Subject: Re: AuthN and netconf-tcp, netconf-ssh
Liem,
We would need a direct Java binding… do you have DOCs on how to do that?
Ed
On Aug 19, 2014, at 1:51 PM, Nguyen, Liem Manh <liem_m_nguyen@...> wrote:
> Hi Robert,
>
> AAA comes with a built-in IdM server with a set of REST API to manage users/roles/domains. You can use this API to validate credentials from your service, basically passing in username/password/domain and getting back a set of roles for that user on the given domain. You can then do further authorization if needed in your service.
>
> More details on the IdM APIs here (Sorry, we are working on getting more formal documentation than a spreadsheet):
>
>
> This work is not yet checked in, since we are still working on integrating it into Karaf (having issue with JAXB/JSON in Karaf)...
>
> Regards,
> Liem
>
> -----Original Message-----
> From: Ed Warnicke (eaw) [mailto:eaw@...]
> Sent: Tuesday, August 19, 2014 7:48 AM
> To: Robert Varga -X (rovarga - Pantheon Technologies SRO at Cisco); aaa-dev@...; Nguyen, Liem Manh
> Subject: AuthN and netconf-tcp, netconf-ssh
>
> Liem,
> Robert is wanting to explore using AAA for netconf-tcp and netconf-ssh for Helium.
> As we've discussed, the need here is for netconf-{tcp,ssh} to be able to present credentials to authN, and find out if they are valid credentials. Hopefully this should be simple. Could you help Robert figure out the scope of the work?
>
> Ed
|
|
Re: AuthN and netconf-tcp, netconf-ssh
Nguyen, Liem Manh <liem_m_nguyen@...>
Hi Maros,
Sounds good… Just a clarification: only the odl-aaa-authz feature/bundles (AuthZ) depend on ODL; the odl-aaa-authn feature/bundles (AuthN) do not. So, an alternative is we could have the AuthZ reside with the ODL codebase… AuthZ, of course, would depend on AuthN. Thoughts on the 2 different approaches? I personally like the fact that AuthZ should reside as close to the business/service layer as possible, since it ultimately understands the service logics for authorization.
Thanks, Liem
From: Maros Marsalek -X (mmarsale - Pantheon Technologies SRO at Cisco) [mailto:mmarsale@...]
Talked to Tony, He suggested that we introduce a new bundle in ODL with SPI for Authentication Service for Netconf. It would serve as an interface
between ODL netconf and Authentication Service implementations. Then there would be 2 implementations: From: Nguyen, Liem Manh [liem_m_nguyen@...] >> what shape is your service in ?
The snapshot is available in Nexus… The AuthN piece is working 100%; the IdM backend is being integrated (so not yet checked in)… Hopefully, it will be in earlier this week. For testing, you can just use the canned user (admin/odl).
Regards, Liem
From: Maros Marsalek -X (mmarsale - Pantheon Technologies SRO at Cisco)
[mailto:mmarsale@...]
Ok, I can take a look at that tomorrow. But it's just 2 days (tomorrow and the day after) for me until code freeze, will be on PTO from Thursday.
From: Ed Warnicke (eaw)
Definitely Helium.
Ed
On Aug 25, 2014, at 10:11 AM, Maros Marsalek -X (mmarsale - Pantheon Technologies SRO at Cisco) <mmarsale@...> wrote:
Hi Liem,
From: Nguyen, Liem Manh [liem_m_nguyen@...]
Hi Ed,
So… the bundle would:
1. Get a reference to the org.opendaylight.aaa.api.CredentialAuth service from OSGi.
2. Call the authenticate() method on the service, passing in the user credentials (username/password)
3. The call will return back a Claim object, consisting of:
   a. Client id (if known)
   b. User id
   c. User name
   d. Domain name
   e. User roles
If the credentials are not valid, a runtime AuthenticationException will be thrown.
Regards, Liem
From: Ed
Warnicke (eaw) [mailto:eaw@...]
Liem,
Think of it this way: We have a bundle. The bundle gets user credentials. It needs to, via a Java service, ask the AuthN whether those credentials are valid or not (and what roles they correspond to).
How would we do that?
Ed
On Aug 22, 2014, at 3:44 PM, Nguyen, Liem Manh <liem_m_nguyen@...> wrote:
Hi Robert,
I am not sure I quite understand your comment about API macro, but the AuthN piece in AAA is designed to be independent of either AD-SAL or MD-SAL.
Regards, Liem
From: Robert
Varga -X (rovarga - Pantheon Technologies SRO at Cisco) [mailto:rovarga@...]
Hey Liem,
This looks like an API Maros (CC’d) will need to migrate the NETCONF bits away from AD-SAL.
Thanks, Robert
From: Nguyen,
Liem Manh [mailto:liem_m_nguyen@...]
Hi Robert,
While we are working on integrating the IdM server (almost there!), this is the service you can obtain from OSGi to do the authentication:
Currently, the only credential AAA supports out-of-the-box for direct authentication is username/password: PasswordCredentials.
Please let me know if you have any questions…
Regards, Liem
-----Original Message-----
No, we don't have any formal doc on that yet (will be Javadoc as soon as we get the IdM server integrated); but, it will be part of the OSGi IdmService. I will provide more developer info as soon as this gets integrated (hopefully) this week.
Regards, Liem
-----Original Message-----
From: Ed Warnicke (eaw) [mailto:eaw@...]
Sent: Tuesday, August 19, 2014 12:24 PM
To: Nguyen, Liem Manh
Cc: Robert Varga -X (rovarga - Pantheon Technologies SRO at Cisco); aaa-dev@...
Subject: Re: AuthN and netconf-tcp, netconf-ssh
Liem,
We would need a direct Java binding… do you have DOCs on how to do that?
Ed
On Aug 19, 2014, at 1:51 PM, Nguyen, Liem Manh <liem_m_nguyen@...> wrote:
> Hi Robert,
>
> AAA comes with a built-in IdM server with a set of REST API to manage users/roles/domains. You can use this API to validate credentials from your service, basically passing in username/password/domain and getting back a set of roles for that user on the given domain. You can then do further authorization if needed in your service.
>
> More details on the IdM APIs here (Sorry, we are working on getting more formal documentation than a spreadsheet):
>
>
> This work is not yet checked in, since we are still working on integrating it into Karaf (having issue with JAXB/JSON in Karaf)...
>
> Regards,
> Liem
>
> -----Original Message-----
> From: Ed Warnicke (eaw) [mailto:eaw@...]
> Sent: Tuesday, August 19, 2014 7:48 AM
> To: Robert Varga -X (rovarga - Pantheon Technologies SRO at Cisco); aaa-dev@...; Nguyen, Liem Manh
> Subject: AuthN and netconf-tcp, netconf-ssh
>
> Liem,
> Robert is wanting to explore using AAA for netconf-tcp and netconf-ssh for Helium.
> As we've discussed, the need here is for netconf-{tcp,ssh} to be able to present credentials to authN, and find out if they are valid credentials. Hopefully this should be simple. Could you help Robert figure out the scope of the work?
>
> Ed
|
|
Re: AuthN and netconf-tcp, netconf-ssh
Maros Marsalek -X (mmarsale - Pantheon Technologies SRO@Cisco) <mmarsale@...>
Talked to Tony,
He said that we cannot introduce a direct dependency in ODL to the AAA bundles. AAA bundles depend on ODL bundles and we would introduce a cyclic dependency that would cause problems when bumping version of ODL bundles during release or otherwise (since AAA is not part of ODL base repository).
He suggested that we introduce a new bundle in ODL with SPI for Authentication Service for Netconf. It would serve as an interface between ODL netconf and Authentication Service implementations. Then there would be 2 implementations:
- AD-SAL UserManager (we would extract UserManager related code and all AD-SAL dependencies there so it can be easily replaceable)
- Liem's implementation (this implementation would be hosted in AAA repository and would replace the first implementation in distributions)
So what do you say to that approach?
We would have to introduce new interface to ODL (only SPI but still, it's API freeze)
Liem would still have to bump the version of ODL they use and release their bundles.
Maros
From: Nguyen, Liem Manh [liem_m_nguyen@...]
Sent: Monday, August 25, 2014 17:44
To: Maros Marsalek -X (mmarsale - Pantheon Technologies SRO at Cisco); Ed Warnicke (eaw)
Cc: Robert Varga -X (rovarga - Pantheon Technologies SRO at Cisco); aaa-dev@...; Kristian Kocsis -X (kkocsis - Pantheon Technologies SRO at Cisco); Mellquist, Peter
Subject: RE: AuthN and netconf-tcp, netconf-ssh
>> what shape is your service in ?
The snapshot is available in Nexus… The AuthN piece is working 100%; the IdM backend is being integrated (so not yet checked in)… Hopefully, it will be in earlier this week. For testing, you can just use the canned user (admin/odl).
Regards, Liem
From: Maros Marsalek -X (mmarsale - Pantheon Technologies SRO at Cisco) [mailto:mmarsale@...]
Ok, I can take a look at that tomorrow. But it's just 2 days (tomorrow and the day after) for me until code freeze, will be on PTO from Thursday.
From: Ed Warnicke (eaw)
Definitely Helium.
Ed
On Aug 25, 2014, at 10:11 AM, Maros Marsalek -X (mmarsale - Pantheon Technologies SRO at Cisco) <mmarsale@...> wrote:
Hi Liem,
From: Nguyen, Liem Manh [liem_m_nguyen@...]
Hi Ed,
So… the bundle would:
1. Get a reference to the org.opendaylight.aaa.api.CredentialAuth service from OSGi.
2. Call the authenticate() method on the service, passing in the user credentials (username/password)
3. The call will return back a Claim object, consisting of:
   a. Client id (if known)
   b. User id
   c. User name
   d. Domain name
   e. User roles
If the credentials are not valid, a runtime AuthenticationException will be thrown.
Regards, Liem
From: Ed Warnicke (eaw) [mailto:eaw@...]
Liem,
Think of it this way: We have a bundle. The bundle gets user credentials. It needs to, via a Java service, ask the AuthN whether those credentials are valid or not (and what roles they correspond to).
How would we do that?
Ed
On Aug 22, 2014, at 3:44 PM, Nguyen, Liem Manh <liem_m_nguyen@...> wrote:
Hi Robert,
I am not sure I quite understand your comment about API macro, but the AuthN piece in AAA is designed to be independent of either AD-SAL or MD-SAL.
Regards, Liem
From: Robert Varga -X (rovarga - Pantheon Technologies SRO at Cisco) [mailto:rovarga@...]
Hey Liem,
This looks like an API Maros (CC’d) will need to migrate the NETCONF bits away from AD-SAL.
Thanks, Robert
From: Nguyen, Liem Manh [mailto:liem_m_nguyen@...]
Hi Robert,
While we are working on integrating the IdM server (almost there!), this is the service you can obtain from OSGi to do the authentication:
Currently, the only credential AAA supports out-of-the-box for direct authentication is username/password: PasswordCredentials.
Please let me know if you have any questions…
Regards, Liem
-----Original Message-----
No, we don't have any formal doc on that yet (will be Javadoc as soon as we get the IdM server integrated); but, it will be part of the OSGi IdmService. I will provide more developer info as soon as this gets integrated (hopefully) this week.
Regards, Liem
-----Original Message-----
From: Ed Warnicke (eaw) [mailto:eaw@...]
Sent: Tuesday, August 19, 2014 12:24 PM
To: Nguyen, Liem Manh
Cc: Robert Varga -X (rovarga - Pantheon Technologies SRO at Cisco); aaa-dev@...
Subject: Re: AuthN and netconf-tcp, netconf-ssh
Liem,
We would need a direct Java binding… do you have DOCs on how to do that?
Ed
On Aug 19, 2014, at 1:51 PM, Nguyen, Liem Manh <liem_m_nguyen@...> wrote:
> Hi Robert,
>
> AAA comes with a built-in IdM server with a set of REST API to manage users/roles/domains. You can use this API to validate credentials from your service, basically passing in username/password/domain and getting back a set of roles for that user on the given domain. You can then do further authorization if needed in your service.
>
> More details on the IdM APIs here (Sorry, we are working on getting more formal documentation than a spreadsheet):
>
>
> This work is not yet checked in, since we are still working on integrating it into Karaf (having issue with JAXB/JSON in Karaf)...
>
> Regards,
> Liem
>
> -----Original Message-----
> From: Ed Warnicke (eaw) [mailto:eaw@...]
> Sent: Tuesday, August 19, 2014 7:48 AM
> To: Robert Varga -X (rovarga - Pantheon Technologies SRO at Cisco); aaa-dev@...; Nguyen, Liem Manh
> Subject: AuthN and netconf-tcp, netconf-ssh
>
> Liem,
> Robert is wanting to explore using AAA for netconf-tcp and netconf-ssh for Helium.
> As we've discussed, the need here is for netconf-{tcp,ssh} to be able to present credentials to authN, and find out if they are valid credentials. Hopefully this should be simple. Could you help Robert figure out the scope of the work?
>
> Ed
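Added example, not part of the thread and not ODL or AAA project code: a sketch of the SPI approach proposed in the message above combined with the authenticate() flow quoted in it, failing closed when credentials are rejected. `NetconfAuthProvider` and `AaaBackedProvider` are hypothetical names, and the `CredentialAuth`, `Claim` and `AuthenticationException` types are trimmed stand-ins whose member shapes are assumed from the description in the thread; the real AAA signatures may differ.

```java
import java.util.Collections;
import java.util.Optional;
import java.util.Set;

public class NetconfAuthSpiSketch {
    // Stand-ins for the AAA types named in the thread; member shapes are assumed.
    static class AuthenticationException extends RuntimeException {
        AuthenticationException(String msg) { super(msg); }
    }
    interface Claim { String user(); String domain(); Set<String> roles(); }
    interface CredentialAuth { Claim authenticate(String username, String password); }

    // Hypothetical SPI owned by the netconf side. It exposes no AAA types,
    // so the ODL bundle that declares it never depends on the AAA repository.
    interface NetconfAuthProvider {
        // Empty result means "rejected"; a present set holds the user's roles.
        Optional<Set<String>> authenticate(String username, String password);
    }

    // Adapter that would be hosted with AAA and registered as the SPI implementation.
    static class AaaBackedProvider implements NetconfAuthProvider {
        private final CredentialAuth auth;
        AaaBackedProvider(CredentialAuth auth) { this.auth = auth; }

        @Override
        public Optional<Set<String>> authenticate(String username, String password) {
            if (username == null || password == null) return Optional.empty();
            try {
                Claim claim = auth.authenticate(username, password);
                // Fail closed: a missing claim or role set is treated as a rejection.
                if (claim == null || claim.roles() == null) return Optional.empty();
                return Optional.of(Collections.unmodifiableSet(claim.roles()));
            } catch (AuthenticationException e) {
                return Optional.empty(); // invalid credentials, per the thread
            }
        }
    }

    public static void main(String[] args) {
        // Constructed backend accepting only the canned test user mentioned in the thread.
        CredentialAuth canned = (u, p) -> {
            if (!"admin".equals(u) || !"odl".equals(p)) throw new AuthenticationException("rejected");
            return new Claim() { // domain and role values below are constructed
                public String user() { return u; }
                public String domain() { return "example-domain"; }
                public Set<String> roles() { return Collections.singleton("admin"); }
            };
        };
        NetconfAuthProvider spi = new AaaBackedProvider(canned);
        System.out.println(spi.authenticate("admin", "odl").isPresent());
        System.out.println(spi.authenticate("admin", "wrong").isPresent());
    }
}
```

Returning an `Optional` rather than an empty role set keeps "authenticated with no roles" distinct from "rejected", so the caller cannot mistake one for the other.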
|
|
Documentation meeting for AAA
Nguyen, Liem Manh <liem_m_nguyen@...>
Hi guys,
I am overbooked… Moving to Thursday after our status meeting… Sorry for the change.
Thanks,
Liem
|
|
Re: AuthN and netconf-tcp, netconf-ssh
Nguyen, Liem Manh <liem_m_nguyen@...>
>> what shape is your service in ?
The snapshot is available in Nexus… The AuthN piece is working 100%; the IdM backend is being integrated (so not yet checked in)… Hopefully, it will be in earlier this week. For testing, you can just use the canned user (admin/odl).
Regards, Liem
From: Maros Marsalek -X (mmarsale - Pantheon Technologies SRO at Cisco) [mailto:mmarsale@...]
Ok, I can take a look at that tomorrow. But it's just 2 days (tomorrow and the day after) for me until code freeze, will be on PTO from Thursday.
From: Ed Warnicke (eaw)
Definitely Helium.
Ed
On Aug 25, 2014, at 10:11 AM, Maros Marsalek -X (mmarsale - Pantheon Technologies SRO at Cisco) <mmarsale@...> wrote:
Hi Liem,
From: Nguyen, Liem Manh [liem_m_nguyen@...]
Hi Ed,
So… the bundle would:
1. Get a reference to the org.opendaylight.aaa.api.CredentialAuth service from OSGi.
2. Call the authenticate() method on the service, passing in the user credentials (username/password)
3. The call will return back a Claim object, consisting of:
   a. Client id (if known)
   b. User id
   c. User name
   d. Domain name
   e. User roles
If the credentials are not valid, a runtime AuthenticationException will be thrown.
Regards, Liem
From: Ed Warnicke (eaw) [mailto:eaw@...]
Liem,
Think of it this way: We have a bundle. The bundle gets user credentials. It needs to, via a Java service, ask the AuthN whether those credentials are valid or not (and what roles they correspond to).
How would we do that?
Ed
On Aug 22, 2014, at 3:44 PM, Nguyen, Liem Manh <liem_m_nguyen@...> wrote:
Hi Robert,
I am not sure I quite understand your comment about API macro, but the AuthN piece in AAA is designed to be independent of either AD-SAL or MD-SAL.
Regards, Liem
From: Robert Varga -X (rovarga - Pantheon Technologies SRO at Cisco) [mailto:rovarga@...]
Hey Liem,
This looks like an API Maros (CC’d) will need to migrate the NETCONF bits away from AD-SAL.
Thanks, Robert
From: Nguyen, Liem Manh [mailto:liem_m_nguyen@...]
Hi Robert,
While we are working on integrating the IdM server (almost there!), this is the service you can obtain from OSGi to do the authentication:
Currently, the only credential AAA supports out-of-the-box for direct authentication is username/password: PasswordCredentials.
Please let me know if you have any questions…
Regards, Liem
-----Original Message-----
No, we don't have any formal doc on that yet (will be Javadoc as soon as we get the IdM server integrated); but, it will be part of the OSGi IdmService. I will provide more developer info as soon as this gets integrated (hopefully) this week.
Regards, Liem
-----Original Message-----
From: Ed Warnicke (eaw) [mailto:eaw@...]
Sent: Tuesday, August 19, 2014 12:24 PM
To: Nguyen, Liem Manh
Cc: Robert Varga -X (rovarga - Pantheon Technologies SRO at Cisco); aaa-dev@...
Subject: Re: AuthN and netconf-tcp, netconf-ssh
Liem,
We would need a direct Java binding… do you have DOCs on how to do that?
Ed
On Aug 19, 2014, at 1:51 PM, Nguyen, Liem Manh <liem_m_nguyen@...> wrote:
> Hi Robert,
>
> AAA comes with a built-in IdM server with a set of REST API to manage users/roles/domains. You can use this API to validate credentials from your service, basically passing in username/password/domain and getting back a set of roles for that user on the given domain. You can then do further authorization if needed in your service.
>
> More details on the IdM APIs here (Sorry, we are working on getting more formal documentation than a spreadsheet):
>
>
> This work is not yet checked in, since we are still working on integrating it into Karaf (having issue with JAXB/JSON in Karaf)...
>
> Regards,
> Liem
>
> -----Original Message-----
> From: Ed Warnicke (eaw) [mailto:eaw@...]
> Sent: Tuesday, August 19, 2014 7:48 AM
> To: Robert Varga -X (rovarga - Pantheon Technologies SRO at Cisco); aaa-dev@...; Nguyen, Liem Manh
> Subject: AuthN and netconf-tcp, netconf-ssh
>
> Liem,
> Robert is wanting to explore using AAA for netconf-tcp and netconf-ssh for Helium.
> As we've discussed, the need here is for netconf-{tcp,ssh} to be able to present credentials to authN, and find out if they are valid credentials. Hopefully this should be simple. Could you help Robert figure out the scope of the work?
>
> Ed
|
|
Re: AuthN and netconf-tcp, netconf-ssh
Ed Warnicke (eaw) <eaw@...>
Maros,
We’d need it in before code freeze next Monday…
Ed
On Aug 25, 2014, at 10:35 AM, Maros Marsalek -X (mmarsale - Pantheon Technologies SRO at Cisco) <mmarsale@...> wrote:
|
|
Re: AuthN and netconf-tcp, netconf-ssh
Maros Marsalek -X (mmarsale - Pantheon Technologies SRO@Cisco) <mmarsale@...>
Ok, I can take a look at that tomorrow. But it's just 2 days (tomorrow and the day after) for me until code freeze, will be on PTO from Thursday. So if I am not able to accomplish that by September 1st, will it be possible to merge after ? Or should someone else take it ?
And Liem, what shape is your service in ? Can I start using it from tomorrow in ODL ? Is it possible to integrate it with ODL-netconf bundle in 1-2 days ?
Maros
From: Ed Warnicke (eaw)
Sent: Monday, August 25, 2014 17:17
To: Maros Marsalek -X (mmarsale - Pantheon Technologies SRO at Cisco)
Cc: Nguyen, Liem Manh; Robert Varga -X (rovarga - Pantheon Technologies SRO at Cisco); aaa-dev@...; Kristian Kocsis -X (kkocsis - Pantheon Technologies SRO at Cisco)
Subject: Re: AuthN and netconf-tcp, netconf-ssh
Definitely Helium.
Ed
On Aug 25, 2014, at 10:11 AM, Maros Marsalek -X (mmarsale - Pantheon Technologies SRO at Cisco) <mmarsale@...> wrote:
|
|