This group is locked. No changes can be made to the group while it is locked.
[infrautils-dev] credentials for REST to jolokia/exec/org.opendaylight.infrautils.diagstatus
Michael Vorburger <vorburger@...>
JamO, +aaa-dev and +controller-dev and Stephen FYI:
Hi Utility folks,
This seems like a bug (bad one, security wise), but it's not for infrautils-dev - we don't actually do anything re. Jolokia in project infrautils, the diagstatus sub-module simply exposes a JMX bean... the code related to the Jolokia integration in ODL which then make makes this available via HTTP, and secures it with the AAA creds (also used by RESTCONF; there are no creds in RESTCONF itself FYI), is actually in controller and/or aaa (I'm not 100% sure myself what is where)... see https://jira.opendaylight.org/browse/AAA-147 and https://jira.opendaylight.org/browse/CONTROLLER-1324.
If you are right, we have this problem (that when changing the default username and password you can still use the previous one) on *ALL* /jolokia/ URLs, I'm guessing.
Would you like to open a (Critical?) bug in JIRA against AAA about this?