Removal of IdP component from AAA
Robert Varga
Hello everyone,

As part of keeping OpenDaylight infrastructure secure and relevant, we will be removing the OAuth2 Identity Provider component from the AAA project. There are three technical drivers behind this decision:

1) The current implementation is based on Apache Oltu, which was terminated on March 21st, 2018 and moved to the Attic: https://attic.apache.org/projects/oltu.html
2) Oltu depends on org.json/json, which has a problematic license (https://www.json.org/license.html).
3) We do not strive to be an IdP, as there are plenty of solutions available out there.

The details are in the tracker issue, https://jira.opendaylight.org/browse/AAA-173, and in the removal patch, https://git.opendaylight.org/gerrit/72022.

Should there be interest in having this functionality present, we will gladly accept an alternative implementation, provided it comes with at least a minimal commitment to support it.

Regards,
Robert
Luis Gomez
Hi Robert,
Can you please explain the impact of this? E.g. can we for instance change the default user admin/admin or use token authentication after this change?

BR/Luis
On Mar 21, 2019, at 4:50 AM, Robert Varga <nite@...> wrote:
Robert Varga
On 21/03/2019 18:07, Luis Gomez wrote:
> Hi Robert,

Well, I am just a caretaker trying to get things moving forward. From what I remember, user credentials should not be affected, as that goes through Shiro, which is a separate thing. I would suspect that token authentication would be affected, but I do not know the deployment details.

Please note this is not something new; Ryan made a call out here: https://lists.opendaylight.org/pipermail/aaa-dev/2018-February/001606.html and there is a tracker to replace Oltu here: https://jira.opendaylight.org/browse/AAA-162. Based on the conversation we had on this when he was still around, his assessment was that the feature is not useful in practice. I do not claim authority over this matter, nor do I claim Ryan's assessment is correct.

Unfortunately, the status quo in this project is simply untenable for the following reasons:

1) JIRA has not been scrubbed for a year. When I scrubbed it, we immediately got a fix from Richard Kosegi for AAA-174. That issue had been sitting there for 10 months and it was fixed in about 24 hours.
2) There are a few long-standing issues filed which require fixing in Oltu. That is just not going to happen upstream.
3) It is a core project, on which we rely for our security. We just cannot afford it being a security hazard.
4) The org.json/json dependency, which comes from Oltu, is a real licensing concern, from what I understood from the conversations we had (even at the TSC call) around https://jira.opendaylight.org/browse/ODLPARENT-36.

That is why I merged the change early in the dev cycle and announced it very widely, so that there is plenty of time to determine impacts and discuss alternatives. The simplest way to determine it is, and I am kindly asking you to, grab the latest Karaf distro and test out the functionality you expect to work.

If it turns out that there are stakeholders who are affected, I think the proper course is for them (or their proxies) to come forward and take ownership of the feature:

- it is a mere 800 LOC of code that got removed
- there are at least 3 bugs filed against token auth
- there are alternative libraries: https://oauth.net/code/java/

Thanks,
Robert