AuthN and netconf-tcp, netconf-ssh


Ed Warnicke (eaw) <eaw@...>
 

Liem,
Robert is wanting to explore using AAA for netconf-tcp and netconf-ssh for Helium.
As we’ve discussed, the need here is for netconf-{tcp,ssh} to be able to present credentials
to authN, and find out if they are valid credentials. Hopefully this should be simple. Could you help
Robert figure out the scope of the work?

Ed


Nguyen, Liem Manh <liem_m_nguyen@...>
 

Hi Robert,

AAA comes with a built-in IdM server with a set of REST APIs to manage users/roles/domains. You can use this API to validate credentials from your service, basically passing in username/password/domain and getting back a set of roles for that user on the given domain. You can then do further authorization if needed in your service.

More details on the IdM APIs here (Sorry, we are working on getting more formal documentation than a spreadsheet):

https://docs.google.com/spreadsheets/d/1YYMmK_V5LMAjLGZOEjfKSX0x4Gwb-K5Xuk1wZskwWwY/edit#gid=0

This work is not yet checked in, since we are still working on integrating it into Karaf (having issue with JAXB/JSON in Karaf)...

Regards,
Liem

-----Original Message-----
From: Ed Warnicke (eaw) [mailto:eaw@...]
Sent: Tuesday, August 19, 2014 7:48 AM
To: Robert Varga -X (rovarga - Pantheon Technologies SRO at Cisco); aaa-dev@...; Nguyen, Liem Manh
Subject: AuthN and netconf-tcp, netconf-ssh



Ed Warnicke (eaw) <eaw@...>
 

Liem,
We would need a direct Java binding… do you have DOCs on how to do that?

Ed

On Aug 19, 2014, at 1:51 PM, Nguyen, Liem Manh <liem_m_nguyen@...> wrote:



Nguyen, Liem Manh <liem_m_nguyen@...>
 

No, we don't have any formal doc on that yet (will be Javadoc as soon as we get the IdM server integrated); but, it will be part of the OSGi IdmService. I will provide more developer info as soon as this gets integrated (hopefully) this week.

Regards,
Liem

-----Original Message-----
From: Ed Warnicke (eaw) [mailto:eaw@...]
Sent: Tuesday, August 19, 2014 12:24 PM
To: Nguyen, Liem Manh
Cc: Robert Varga -X (rovarga - Pantheon Technologies SRO at Cisco); aaa-dev@...
Subject: Re: AuthN and netconf-tcp, netconf-ssh



Nguyen, Liem Manh <liem_m_nguyen@...>
 

Hi Robert,

While we are working on integrating the IdM server (almost there!), this is the service you can obtain from OSGi to do the authentication:

https://github.com/opendaylight/aaa/blob/master/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/CredentialAuth.java

Currently, the only credential AAA supports out-of-the-box for direct authentication is username/password: PasswordCredentials.

Please let me know if you have any questions…

Regards,
Liem

 

-----Original Message-----
From: Nguyen, Liem Manh
Sent: Tuesday, August 19, 2014 12:50 PM
To: 'Ed Warnicke (eaw)'
Cc: Robert Varga -X (rovarga - Pantheon Technologies SRO at Cisco); aaa-dev@...
Subject: RE: AuthN and netconf-tcp, netconf-ssh

 



Robert Varga -X (rovarga - Pantheon Technologies SRO@Cisco) <rovarga@...>
 

Hey Liem,

This looks like an API Maros (CC’d) will need to migrate the NETCONF bits away from AD-SAL.

Thanks,
Robert

From: Nguyen, Liem Manh [mailto:liem_m_nguyen@...]
Sent: Wednesday, August 20, 2014 8:06 PM
To: Ed Warnicke (eaw)
Cc: Robert Varga -X (rovarga - Pantheon Technologies SRO at Cisco); aaa-dev@...
Subject: RE: AuthN and netconf-tcp, netconf-ssh

 



Nguyen, Liem Manh <liem_m_nguyen@...>
 

Hi Robert,

I am not sure I quite understand your comment about API macro, but the AuthN piece in AAA is designed to be independent of either AD-SAL or MD-SAL.

Regards,
Liem

 

From: Robert Varga -X (rovarga - Pantheon Technologies SRO at Cisco) [mailto:rovarga@...]
Sent: Friday, August 22, 2014 1:04 PM
To: Nguyen, Liem Manh; Ed Warnicke (eaw); Maros Marsalek -X (mmarsale - Pantheon Technologies SRO at Cisco)
Cc: aaa-dev@...; Kristian Kocsis -X (kkocsis - Pantheon Technologies SRO at Cisco)
Subject: RE: AuthN and netconf-tcp, netconf-ssh

 



Ed Warnicke (eaw) <eaw@...>
 

Liem,
Think of it this way:
We have a bundle.  The bundle gets user credentials.  It needs to, via a Java service, ask the AuthN whether
those credentials are valid or not (and what roles they correspond to).

How would we do that?

Ed
On Aug 22, 2014, at 3:44 PM, Nguyen, Liem Manh <liem_m_nguyen@...> wrote:



Nguyen, Liem Manh <liem_m_nguyen@...>
 

Hi Ed,

So… the bundle would:

1. Get a reference to the org.opendaylight.aaa.api.CredentialAuth service from OSGi.
2. Call the authenticate() method on the service, passing in the user credentials (username/password).
3. The call will return back a Claim object, consisting of:
   a. Client id (if known)
   b. User id
   c. User name
   d. Domain name
   e. User roles

If the credentials are not valid, a runtime AuthenticationException will be thrown.

Regards,
Liem
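As an added illustration of the three steps above and of the CredentialAuth/PasswordCredentials service pointed at earlier in the thread, here is a Java sketch of what the authentication step in a NETCONF transport bundle could look like. This is example code written for this page, not code from the OpenDaylight AAA project or from anyone in the thread. The Credentials, PasswordCredentials, Claim, AuthenticationException and CredentialAuth types below are stand-ins modelled on the description in the thread (their field and method names are assumptions, not the project's API), the service lookup is abstracted as a Supplier standing in for the OSGi BundleContext lookup, and the in-memory service, the user "alice" and the role names are constructed test data.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Optional;
import java.util.Set;
import java.util.function.Supplier;

// Stand-ins modelled on the thread's description of the AAA AuthN API (steps 1-3).
// They are NOT the project's own classes; the names are assumptions so this compiles alone.
interface Credentials {}

final class PasswordCredentials implements Credentials {
    final String username;
    final String password;
    PasswordCredentials(String username, String password) {
        this.username = username;
        this.password = password;
    }
}

/** What authenticate() hands back on success: items 3a-3e from the thread. */
final class Claim {
    final String clientId;   // may be null: "if known"
    final String userId;
    final String user;
    final String domain;
    final Set<String> roles;
    Claim(String clientId, String userId, String user, String domain, Set<String> roles) {
        this.clientId = clientId;
        this.userId = userId;
        this.user = user;
        this.domain = domain;
        this.roles = Collections.unmodifiableSet(new HashSet<>(roles));
    }
}

/** Unchecked, as the thread says: thrown instead of returning a "bad" Claim. */
class AuthenticationException extends RuntimeException {
    AuthenticationException(String message) { super(message); }
}

interface CredentialAuth<C extends Credentials> {
    Claim authenticate(C credentials);
}

/** The piece a NETCONF transport bundle would own: wraps the OSGi service and fails closed. */
final class NetconfAuthenticator {
    // In a real bundle this Supplier would wrap the BundleContext service lookup; here it is
    // an abstraction so the example has no OSGi dependency (assumption, not the project's code).
    private final Supplier<CredentialAuth<PasswordCredentials>> serviceLookup;

    NetconfAuthenticator(Supplier<CredentialAuth<PasswordCredentials>> serviceLookup) {
        this.serviceLookup = serviceLookup;
    }

    /** Returns the Claim for valid credentials, or empty on rejection or when AuthN is unavailable. */
    Optional<Claim> authenticate(String username, String password) {
        CredentialAuth<PasswordCredentials> authn = serviceLookup.get();
        if (authn == null) {
            // Fail closed: a missing AuthN service must mean nobody is admitted, not everybody.
            System.err.println("authn: CredentialAuth service unavailable, rejecting user " + username);
            return Optional.empty();
        }
        try {
            return Optional.of(authn.authenticate(new PasswordCredentials(username, password)));
        } catch (AuthenticationException e) {
            // Audit the username and the reason; the password never goes to a log.
            System.err.println("authn: rejected user " + username + ": " + e.getMessage());
            return Optional.empty();
        }
    }

    /** The "further authorization" the thread mentions: require a role from the Claim. */
    static boolean hasRole(Claim claim, String role) {
        return claim.roles.contains(role);
    }
}

public class NetconfAuthDemo {
    /** Constructed in-memory service standing in for the real one: one user, two roles. */
    static CredentialAuth<PasswordCredentials> demoService() {
        return cred -> {
            if ("alice".equals(cred.username) && "demo-only-secret".equals(cred.password)) {
                return new Claim(null, "alice@sdn", "alice", "sdn",
                        new HashSet<>(Arrays.asList("netconf-operator", "user")));
            }
            throw new AuthenticationException("unknown user or wrong password");
        };
    }

    public static void main(String[] args) {
        NetconfAuthenticator withAuthn = new NetconfAuthenticator(NetconfAuthDemo::demoService);
        Optional<Claim> ok = withAuthn.authenticate("alice", "demo-only-secret");
        System.out.println("valid login admitted: " + ok.isPresent() + ", may edit config: "
                + ok.map(c -> NetconfAuthenticator.hasRole(c, "netconf-operator")).orElse(false));
        System.out.println("wrong password admitted: " + withAuthn.authenticate("alice", "nope").isPresent());

        NetconfAuthenticator noAuthn = new NetconfAuthenticator(() -> null);
        System.out.println("login with AuthN service down admitted: "
                + noAuthn.authenticate("alice", "demo-only-secret").isPresent());
    }
}
```

The two behaviours worth copying into a real bundle are the ones the thread's description leaves implicit: the unchecked AuthenticationException is caught at the transport boundary and turned into a plain rejection rather than propagating into the session handler, and an absent CredentialAuth service (for example during Karaf start-up before the AAA bundles are active) is treated as a rejection, never as a pass-through.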

 

From: Ed Warnicke (eaw) [mailto:eaw@...]
Sent: Friday, August 22, 2014 2:44 PM
To: Nguyen, Liem Manh
Cc: Robert Varga -X (rovarga - Pantheon Technologies SRO at Cisco); Maros Marsalek -X (mmarsale - Pantheon Technologies SRO at Cisco); aaa-dev@...; Kristian Kocsis -X (kkocsis - Pantheon Technologies SRO at Cisco)
Subject: Re: AuthN and netconf-tcp, netconf-ssh

 


Maros Marsalek -X (mmarsale - Pantheon Technologies SRO@Cisco) <mmarsale@...>
 

Hi Liem,

Netconf in ODL still uses old UserManager service from AD-SAL.
I'd be happy to replace it with your API/Implementation for user/password authentication.

But I have a few questions for you/Robert/Ed:
Do we want to do it in Helium or later (not too much time until code freeze)?
Are your bundles (Api/Implementation) part of the ODL base distribution, or will they be?

Regards,
Maros

From: Nguyen, Liem Manh [liem_m_nguyen@...]
Sent: Saturday, August 23, 2014 00:13
To: Ed Warnicke (eaw)
Cc: Robert Varga -X (rovarga - Pantheon Technologies SRO at Cisco); Maros Marsalek -X (mmarsale - Pantheon Technologies SRO at Cisco); aaa-dev@...; Kristian Kocsis -X (kkocsis - Pantheon Technologies SRO at Cisco)
Subject: RE: AuthN and netconf-tcp, netconf-ssh


Ed Warnicke (eaw) <eaw@...>
 

Definitely Helium.

Ed
On Aug 25, 2014, at 10:11 AM, Maros Marsalek -X (mmarsale - Pantheon Technologies SRO at Cisco) <mmarsale@...> wrote:

Hi Liem,

Netconf in ODL still uses old UserManager service from AD-SAL.
I'd be happy to replace it with your API/Implementation for user/password authentication.

But I have a few questions for you/Robert/Ed:
Do we want to do it in Helium or later (not too much time until code freeze) ?
Are your bundles (Api/Implementation) part of ODL base distribution or will they be ?

Regards,
Maros

From: Nguyen, Liem Manh [liem_m_nguyen@...]
Sent: Saturday, August 23, 2014 00:13
To: Ed Warnicke (eaw)
Cc: Robert Varga -X (rovarga - Pantheon Technologies SRO at Cisco); Maros Marsalek -X (mmarsale - Pantheon Technologies SRO at Cisco); aaa-dev@...; Kristian Kocsis -X (kkocsis - Pantheon Technologies SRO at Cisco)
Subject: RE: AuthN and netconf-tcp, netconf-ssh

Hi Ed,

 

So… the bundle would:

 

1.       Get a reference to the org.opendaylight.aaa.api.CredentialAuth service from OSGi.
2.       Call the authenticate() method on the service, passing in the user credentials (username/password)
3.       The call will return back a Claim object, consisting of:
a.       Client id (if known)
b.      User id
c.       User name
d.      Domain name
e.      User roles
If the credentials are not valid, a runtime AuthenticationException will be thrown.

 

Regards,
Liem

 

From: Ed Warnicke (eaw) [mailto:eaw@...] 
Sent: Friday, August 22, 2014 2:44 PM
To: Nguyen, Liem Manh
Cc: Robert Varga -X (rovarga - Pantheon Technologies SRO at Cisco); Maros Marsalek -X (mmarsale - Pantheon Technologies SRO at Cisco); aaa-dev@...; Kristian Kocsis -X (kkocsis - Pantheon Technologies SRO at Cisco)
Subject: Re: AuthN and netconf-tcp, netconf-ssh

 

Liem,  
Think of it this way:
We have a bundle.  The bundle gets user credentials.  It needs to via a java service ask the AuthN to whether
those credentials are valid or not (and what roles they correspond to).

 

How would we do that?

 

Ed
On Aug 22, 2014, at 3:44 PM, Nguyen, Liem Manh <liem_m_nguyen@...> wrote:


Hi Robert,

 

I am not sure I quite understand your comment about API macro, but the AuthN piece in AAA is designed to be independent of either AD-SAL or MD-SAL.

 

Regards,
Liem

 

From: Robert Varga -X (rovarga - Pantheon Technologies SRO at Cisco) [mailto:rovarga@...] 
Sent: Friday, August 22, 2014 1:04 PM
To: Nguyen, Liem Manh; Ed Warnicke (eaw); Maros Marsalek -X (mmarsale - Pantheon Technologies SRO at Cisco)
Cc: aaa-dev@...; Kristian Kocsis -X (kkocsis - Pantheon Technologies SRO at Cisco)
Subject: RE: AuthN and netconf-tcp, netconf-ssh

 

Hey Liem,

This looks like an API Maros (CC'd) will need to migrate the NETCONF bits away from AD-SAL.

Thanks,
Robert

 

 

From: Nguyen, Liem Manh [mailto:liem_m_nguyen@...] 
Sent: Wednesday, August 20, 2014 8:06 PM
To: Ed Warnicke (eaw)
Cc: Robert Varga -X (rovarga - Pantheon Technologies SRO at Cisco); aaa-dev@...
Subject: RE: AuthN and netconf-tcp, netconf-ssh

 

Hi Robert,

 

While we are working on integrating the IdM server (almost there!), this is the service you can obtain from OSGi to do the authentication:

 

 

Currently, the only credential AAA supports out-of-the-box for direct authentication is username/password:  PasswordCredentials.

 

Please let me know if you have any questions…

 

Regards,
Liem

 

-----Original Message-----
From: Nguyen, Liem Manh 
Sent: Tuesday, August 19, 2014 12:50 PM
To: 'Ed Warnicke (eaw)'
Cc: Robert Varga -X (rovarga - Pantheon Technologies SRO at Cisco); aaa-dev@...
Subject: RE: AuthN and netconf-tcp, netconf-ssh

 

No, we don't have any formal doc on that yet (will be Javadoc as soon as we get the IdM server integrated); but, it will be part of the OSGi IdmService.  I will provide more developer info as soon as this gets integrated (hopefully) this week.

Regards,
Liem

 

-----Original Message-----
From: Ed Warnicke (eaw) [mailto:eaw@...]
Sent: Tuesday, August 19, 2014 12:24 PM
To: Nguyen, Liem Manh
Cc: Robert Varga -X (rovarga - Pantheon Technologies SRO at Cisco); aaa-dev@...
Subject: Re: AuthN and netconf-tcp, netconf-ssh

 

Liem,
We would need a direct Java binding… do you have DOCs on how to do that?

Ed
On Aug 19, 2014, at 1:51 PM, Nguyen, Liem Manh <liem_m_nguyen@...> wrote:

 

> Hi Robert,
> AAA comes a built-in IdM server with a set of REST API to manage users/roles/domains.  You can use this API to validate credentials from your service, basically passing in username/password/domain and getting back a set of roles for that user on the given domain.  You can then do further authorization if needed in your service.
> More details on the IdM APIs here (Sorry, we are working on getting more formal documentation than a spreadsheet):
> This work is not yet checked in, since we are still working on integrating it into Karaf (having issue with JAXB/JSON in Karaf)...
> Regards,
> Liem
> -----Original Message-----
> From: Ed Warnicke (eaw) [mailto:eaw@...]
> Sent: Tuesday, August 19, 2014 7:48 AM
> To: Robert Varga -X (rovarga - Pantheon Technologies SRO at Cisco); aaa-dev@...; Nguyen, Liem Manh
> Subject: AuthN and netconf-tcp, netconf-ssh
> Liem,
> Robert is wanting to explore using AAA for netconf-tcp and netconf-ssh for Helium.
> As we've discussed, the need here is for netconf-{tcp,ssh} to be able to present credentials to authN, and find out if they are valid credentials.  Hopefully this should be simple.  Could you help Robert figure out the scope of the work?
> Ed


Maros Marsalek -X (mmarsale - Pantheon Technologies SRO@Cisco) <mmarsale@...>
 

Ok, I can take a look at that tomorrow. But it's just 2 days (tomorrow and the day after) for me until code freeze; I'll be on PTO from Thursday.

So if I am not able to accomplish that by September 1st, will it be possible to merge after? Or should someone else take it?

And Liem, what shape is your service in? Can I start using it from tomorrow in ODL? Is it possible to integrate it with the ODL-netconf bundle in 1-2 days?

Maros

From: Ed Warnicke (eaw)
Sent: Monday, August 25, 2014 17:17
To: Maros Marsalek -X (mmarsale - Pantheon Technologies SRO at Cisco)
Cc: Nguyen, Liem Manh; Robert Varga -X (rovarga - Pantheon Technologies SRO at Cisco); aaa-dev@...; Kristian Kocsis -X (kkocsis - Pantheon Technologies SRO at Cisco)
Subject: Re: AuthN and netconf-tcp, netconf-ssh

Definitely Helium.

Ed
On Aug 25, 2014, at 10:11 AM, Maros Marsalek -X (mmarsale - Pantheon Technologies SRO at Cisco) <mmarsale@...> wrote:

Hi Liem,

Netconf in ODL still uses old UserManager service from AD-SAL.
I'd be happy to replace it with your API/Implementation for user/password authentication.

But I have a few questions for you/Robert/Ed:
Do we want to do it in Helium or later (not too much time until code freeze) ?
Are your bundles (Api/Implementation) part of ODL base distribution or will they be ?

Regards,
Maros


Ed Warnicke (eaw) <eaw@...>
 

Maros,
We’d need it in before code freeze next Monday…

Ed

Nguyen, Liem Manh <liem_m_nguyen@...>
 

>> what shape is your service in ?

The snapshot is available in Nexus…  The AuthN piece is working 100%; the IdM backend is being integrated (so not yet checked in)… Hopefully, it will be in earlier this week.  For testing, you can just use the canned user (admin/odl).

Regards,
Liem


Maros Marsalek -X (mmarsale - Pantheon Technologies SRO@Cisco) <mmarsale@...>
 

Talked to Tony,

He said that we cannot introduce a direct dependency in ODL to the AAA bundles. AAA bundles depend on ODL bundles and we would introduce a cyclic dependency that would cause problems when bumping the version of ODL bundles during release or otherwise (since AAA is not part of the ODL base repository).

He suggested that we introduce a new bundle in ODL with an SPI for the Authentication Service for Netconf. It would serve as an interface between ODL netconf and Authentication Service implementations. Then there would be 2 implementations:
- AD-SAL UserManager (we would extract the UserManager related code and all AD-SAL dependencies there so it can be easily replaceable)
- Liem's implementation (this implementation would be hosted in the AAA repository and would replace the first implementation in distributions)

So what do you say to that approach?
We would have to introduce a new interface to ODL (only SPI, but still, it's API freeze).
Liem would still have to bump the version of ODL they use and release their bundles.

Maros
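As an added example (not code from this thread or from the OpenDaylight or AAA projects), here is what the SPI split Tony suggests could look like, with the AAA-backed implementation walking through the three CredentialAuth steps Liem listed on August 23. The package, the NetconfAuthProvider SPI, the Outcome type and the accessor names on PasswordCredentials and Claim are assumptions; the thread itself names only CredentialAuth, authenticate(), Claim, PasswordCredentials and AuthenticationException.

```java
// Added example, not code from this thread or from the OpenDaylight/AAA projects.
// ODL netconf depends only on the small SPI below; the AAA-backed implementation
// (registered from outside the ODL base repository) follows Liem's three steps.
// HYPOTHETICAL marks names assumed for illustration; the accessor names on
// PasswordCredentials and Claim are assumptions too.
package org.example.netconf.auth;  // HYPOTHETICAL package

import java.util.Collections;
import java.util.Set;
import java.util.TreeSet;

import org.opendaylight.aaa.api.AuthenticationException;
import org.opendaylight.aaa.api.Claim;
import org.opendaylight.aaa.api.CredentialAuth;
import org.opendaylight.aaa.api.PasswordCredentials;
import org.osgi.framework.BundleActivator;
import org.osgi.framework.BundleContext;
import org.osgi.framework.ServiceReference;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/** HYPOTHETICAL SPI (public in a real SPI bundle): all that ODL netconf would see. */
interface NetconfAuthProvider {
    /** Outcome of one login attempt; roles are empty unless authenticated. */
    final class Outcome {
        static final Outcome DENIED = new Outcome(false, Collections.<String>emptySet());
        public final boolean authenticated;
        public final Set<String> roles;

        Outcome(boolean authenticated, Set<String> roles) {
            this.authenticated = authenticated;
            this.roles = Collections.unmodifiableSet(new TreeSet<String>(roles));
        }
    }

    Outcome authenticate(String username, String password);
}

/**
 * AAA-backed implementation, which per the proposal would live in the AAA
 * repository. Every path that does not end in a verified Claim ends in DENIED.
 */
final class AaaNetconfAuthProvider implements NetconfAuthProvider {
    private static final Logger LOG = LoggerFactory.getLogger(AaaNetconfAuthProvider.class);
    private final BundleContext ctx;
    private final String domain;  // AAA domain the netconf users belong to

    AaaNetconfAuthProvider(BundleContext ctx, String domain) {
        this.ctx = ctx;
        this.domain = domain;
    }

    @Override
    @SuppressWarnings("unchecked")
    public Outcome authenticate(final String username, final String password) {
        // Step 1: look up CredentialAuth in OSGi. If AAA is not registered (yet),
        // fail closed instead of letting the session through unauthenticated.
        ServiceReference<CredentialAuth> ref = ctx.getServiceReference(CredentialAuth.class);
        if (ref == null) {
            LOG.warn("No CredentialAuth service available; denying login for {}", username);
            return Outcome.DENIED;
        }
        CredentialAuth<PasswordCredentials> auth = ctx.getService(ref);
        if (auth == null) {
            return Outcome.DENIED;  // service unregistered between lookup and get
        }
        try {
            // Step 2: call authenticate() with username/password credentials. No
            // @Override, so this compiles whether or not domain() is declared (assumption).
            PasswordCredentials creds = new PasswordCredentials() {
                public String username() { return username; }
                public String password() { return password; }
                public String domain()   { return domain; }
            };
            Claim claim = auth.authenticate(creds);
            // Step 3: the Claim carries client id, user id, user name, domain and
            // roles; only the roles are handed on, for netconf's own authorization.
            Set<String> roles = claim.roles() == null ? Collections.<String>emptySet() : claim.roles();
            LOG.debug("Authenticated {} in domain {}", claim.user(), claim.domain());
            return new Outcome(true, roles);
        } catch (AuthenticationException e) {
            // Runtime exception for invalid credentials: deny, and log the user
            // name only, never the password.
            LOG.info("Authentication failed for {}: {}", username, e.getMessage());
            return Outcome.DENIED;
        } finally {
            ctx.ungetService(ref);
        }
    }
}

/** What the AAA bundle's activator would do: publish the implementation under the SPI type. */
final class Activator implements BundleActivator {
    @Override
    public void start(BundleContext ctx) {
        // "example-domain" is a constructed placeholder for the configured AAA domain.
        ctx.registerService(NetconfAuthProvider.class,
                new AaaNetconfAuthProvider(ctx, "example-domain"), null);
    }

    @Override
    public void stop(BundleContext ctx) { }  // the framework drops the registration
}
```

With this split the AD-SAL UserManager variant is just a second NetconfAuthProvider registration, and the distribution decides which one is installed.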



Nguyen, Liem Manh <liem_m_nguyen@...>
 

Hi Maros,

Sounds good…  Just a clarification:  only the odl-aaa-authz feature/bundles (AuthZ) depend on ODL; the odl-aaa-authn feature/bundles (AuthN) do not.  So, an alternative is we could have the AuthZ reside with the ODL codebase…  AuthZ, of course, would depend on AuthN.  Thoughts on the 2 different approaches?  I personally like the fact that AuthZ should reside as close to the business/service layer as possible, since it ultimately understands the service logic for authorization.

Thanks,
Liem

From: Maros Marsalek -X (mmarsale - Pantheon Technologies SRO at Cisco) [mailto:mmarsale@...]
Sent: Tuesday, August 26, 2014 12:42 AM
To: Nguyen, Liem Manh; Ed Warnicke (eaw); Tony Tkacik -X (ttkacik - Pantheon Technologies SRO at Cisco)
Cc: Robert Varga -X (rovarga - Pantheon Technologies SRO at Cisco); aaa-dev@...; Kristian Kocsis -X (kkocsis - Pantheon Technologies SRO at Cisco); Mellquist, Peter
Subject: RE: AuthN and netconf-tcp, netconf-ssh

Talked to Tony,

He said that we cannot introduce a direct dependency in ODL to the AAA bundles. AAA bundles depend on ODL bundles, and we would introduce a cyclic dependency that would cause problems when bumping versions of ODL bundles during release or otherwise (since AAA is not part of the ODL base repository).

He suggested that we introduce a new bundle in ODL with an SPI for the Authentication Service for Netconf. It would serve as an interface between ODL netconf and Authentication Service implementations. Then there would be 2 implementations:
- AD-SAL UserManager (we would extract UserManager related code and all AD-SAL dependencies there so it can be easily replaceable)
- Liem's implementation (this implementation would be hosted in the AAA repository and would replace the first implementation in distributions)

So what do you say to that approach?
We would have to introduce a new interface to ODL (only SPI, but still, it's API freeze).
Liem would still have to bump the version of ODL they use and release their bundles.

Maros


From: Nguyen, Liem Manh [liem_m_nguyen@...]
Sent: Monday, August 25, 2014 17:44
To: Maros Marsalek -X (mmarsale - Pantheon Technologies SRO at Cisco); Ed Warnicke (eaw)
Cc: Robert Varga -X (rovarga - Pantheon Technologies SRO at Cisco); aaa-dev@...; Kristian Kocsis -X (kkocsis - Pantheon Technologies SRO at Cisco); Mellquist, Peter
Subject: RE: AuthN and netconf-tcp, netconf-ssh

>> what shape is your service in ?

The snapshot is available in Nexus…  The AuthN piece is working 100%; the IdM backend is being integrated (so not yet checked in)… Hopefully, it will be in earlier this week.  For testing, you can just use the canned user (admin/odl).

Regards,

Liem

 

From: Maros Marsalek -X (mmarsale - Pantheon Technologies SRO at Cisco) [mailto:mmarsale@...]
Sent: Monday, August 25, 2014 8:35 AM
To: Ed Warnicke (eaw)
Cc: Nguyen, Liem Manh; Robert Varga -X (rovarga - Pantheon Technologies SRO at Cisco); aaa-dev@...; Kristian Kocsis -X (kkocsis - Pantheon Technologies SRO at Cisco)
Subject: RE: AuthN and netconf-tcp, netconf-ssh

 

Ok, I can take a look at that tomorrow. But it's just 2 days (tomorrow and the day after) for me until code freeze; I will be on PTO from Thursday.

So if I am not able to accomplish that by September 1st, will it be possible to merge after? Or should someone else take it?

And Liem, what shape is your service in? Can I start using it from tomorrow in ODL? Is it possible to integrate it with the ODL-netconf bundle in 1-2 days?

Maros


From: Ed Warnicke (eaw)
Sent: Monday, August 25, 2014 17:17
To: Maros Marsalek -X (mmarsale - Pantheon Technologies SRO at Cisco)
Cc: Nguyen, Liem Manh; Robert Varga -X (rovarga - Pantheon Technologies SRO at Cisco); aaa-dev@...; Kristian Kocsis -X (kkocsis - Pantheon Technologies SRO at Cisco)
Subject: Re: AuthN and netconf-tcp, netconf-ssh

Definitely Helium.

Ed

On Aug 25, 2014, at 10:11 AM, Maros Marsalek -X (mmarsale - Pantheon Technologies SRO at Cisco) <mmarsale@...> wrote:

 

Hi Liem,

Netconf in ODL still uses the old UserManager service from AD-SAL.
I'd be happy to replace it with your API/Implementation for user/password authentication.

But I have a few questions for you/Robert/Ed:
Do we want to do it in Helium or later (not too much time until code freeze)?
Are your bundles (Api/Implementation) part of the ODL base distribution, or will they be?

Regards,
Maros


From: Nguyen, Liem Manh [liem_m_nguyen@...]
Sent: Saturday, August 23, 2014 00:13
To: Ed Warnicke (eaw)
Cc: Robert Varga -X (rovarga - Pantheon Technologies SRO at Cisco); Maros Marsalek -X (mmarsale - Pantheon Technologies SRO at Cisco); aaa-dev@...; Kristian Kocsis -X (kkocsis - Pantheon Technologies SRO at Cisco)
Subject: RE: AuthN and netconf-tcp, netconf-ssh

Hi Ed,

So… the bundle would:

1. Get a reference to the org.opendaylight.aaa.api.CredentialAuth service from OSGi.
2. Call the authenticate() method on the service, passing in the user credentials (username/password).
3. The call will return back a Claim object, consisting of:
   a. Client id (if known)
   b. User id
   c. User name
   d. Domain name
   e. User roles

If the credentials are not valid, a runtime AuthenticationException will be thrown.

Regards,

Liem

 

From: Ed Warnicke (eaw) [mailto:eaw@...] 
Sent: Friday, August 22, 2014 2:44 PM
To: Nguyen, Liem Manh
Cc: Robert Varga -X (rovarga - Pantheon Technologies SRO at Cisco); Maros Marsalek -X (mmarsale - Pantheon Technologies SRO at Cisco); aaa-dev@...; Kristian Kocsis -X (kkocsis - Pantheon Technologies SRO at Cisco)
Subject: Re: AuthN and netconf-tcp, netconf-ssh

 

Liem,

Think of it this way:

We have a bundle.  The bundle gets user credentials.  It needs, via a Java service, to ask the AuthN whether those credentials are valid or not (and what roles they correspond to).

How would we do that?

Ed

On Aug 22, 2014, at 3:44 PM, Nguyen, Liem Manh <liem_m_nguyen@...> wrote:

 

Hi Robert,

I am not sure I quite understand your comment about API macro, but the AuthN piece in AAA is designed to be independent of either AD-SAL or MD-SAL.

Regards,

Liem

 

From: Robert Varga -X (rovarga - Pantheon Technologies SRO at Cisco) [mailto:rovarga@...] 
Sent: Friday, August 22, 2014 1:04 PM
To: Nguyen, Liem Manh; Ed Warnicke (eaw); Maros Marsalek -X (mmarsale - Pantheon Technologies SRO at Cisco)
Cc: aaa-dev@...; Kristian Kocsis -X (kkocsis - Pantheon Technologies SRO at Cisco)
Subject: RE: AuthN and netconf-tcp, netconf-ssh

 

Hey Liem,

This looks like an API Maros (CC’d) will need to migrate the NETCONF bits away from AD-SAL.

Thanks,

Robert

From: Nguyen, Liem Manh [mailto:liem_m_nguyen@...] 
Sent: Wednesday, August 20, 2014 8:06 PM
To: Ed Warnicke (eaw)
Cc: Robert Varga -X (rovarga - Pantheon Technologies SRO at Cisco); aaa-dev@...
Subject: RE: AuthN and netconf-tcp, netconf-ssh

 

Hi Robert,

While we are working on integrating the IdM server (almost there!), this is the service you can obtain from OSGi to do the authentication:

Currently, the only credential AAA supports out-of-the-box for direct authentication is username/password: PasswordCredentials.

Please let me know if you have any questions…

Regards,

Liem

-----Original Message-----
From: Nguyen, Liem Manh 
Sent: Tuesday, August 19, 2014 12:50 PM
To: 'Ed Warnicke (eaw)'
Cc: Robert Varga -X (rovarga - Pantheon Technologies SRO at Cisco); aaa-dev@...
Subject: RE: AuthN and netconf-tcp, netconf-ssh

 

No, we don't have any formal doc on that yet (it will be Javadoc as soon as we get the IdM server integrated); but it will be part of the OSGi IdmService.  I will provide more developer info as soon as this gets integrated (hopefully) this week.

Regards,

Liem

-----Original Message-----
From: Ed Warnicke (eaw) [mailto:eaw@...]
Sent: Tuesday, August 19, 2014 12:24 PM
To: Nguyen, Liem Manh
Cc: Robert Varga -X (rovarga - Pantheon Technologies SRO at Cisco); aaa-dev@...
Subject: Re: AuthN and netconf-tcp, netconf-ssh

Liem,

We would need a direct Java binding… do you have DOCs on how to do that?

Ed

On Aug 19, 2014, at 1:51 PM, Nguyen, Liem Manh <liem_m_nguyen@...> wrote:

> Hi Robert,
>
> AAA comes with a built-in IdM server with a set of REST APIs to manage users/roles/domains.  You can use this API to validate credentials from your service, basically passing in username/password/domain and getting back a set of roles for that user on the given domain.  You can then do further authorization if needed in your service.
>
> More details on the IdM APIs here (Sorry, we are working on getting more formal documentation than a spreadsheet):
>
> This work is not yet checked in, since we are still working on integrating it into Karaf (having issue with JAXB/JSON in Karaf)...
>
> Regards,
> Liem
>
> -----Original Message-----
> From: Ed Warnicke (eaw) [mailto:eaw@...]
> Sent: Tuesday, August 19, 2014 7:48 AM
> To: Robert Varga -X (rovarga - Pantheon Technologies SRO at Cisco); aaa-dev@...; Nguyen, Liem Manh
> Subject: AuthN and netconf-tcp, netconf-ssh
>
> Liem,
>
> Robert is wanting to explore using AAA for netconf-tcp and netconf-ssh for Helium.
>
> As we've discussed, the need here is for netconf-{tcp,ssh} to be able to present credentials to authN, and find out if they are valid credentials.  Hopefully this should be simple.  Could you help Robert figure out the scope of the work?
>
> Ed


Maros Marsalek -X (mmarsale - Pantheon Technologies SRO@Cisco) <mmarsale@...>

Hi Liem,

Moving AuthZ into the ODL codebase sounds reasonable, but that needs to be addressed by Ed, Tony etc.

I have pushed 2 commits:
1. ODL: https://git.opendaylight.org/gerrit/#/c/10318/ Extracted AuthProvider SPI bundle, extracted UserManager-backed AuthProvider into a separate bundle
2. AAA: https://git.opendaylight.org/gerrit/#/c/10356/ Implemented AuthProvider SPI interface backed by CredentialAuth service.

Please review.

Maros
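An added example, not part of this thread and not the code in either Gerrit change above: a sketch of the netconf-side AuthProvider SPI Maros describes, with an implementation that follows Liem's three CredentialAuth steps (obtain the service, call authenticate() with PasswordCredentials, treat the runtime AuthenticationException as a failed login). The AAA interfaces, their accessor names, the in-memory backend and the example-domain value are all assumptions restated locally so the file compiles and runs with plain javac, outside OSGi.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.*;

/*
 * Constructed example: the netconf-side AuthProvider SPI Maros proposes, plus an
 * implementation that delegates to the CredentialAuth service from Liem's steps.
 * The AAA-looking types are local stand-ins with assumed shapes (not the real
 * org.opendaylight.aaa.api classes) so the file compiles with plain javac.
 */
public class NetconfAuthBridge {
    /* Assumed shapes of the AAA API; type names come from the thread, accessors are assumed. */
    interface PasswordCredentials { String username(); String password(); }

    interface Claim {
        String clientId();   // client id (if known)
        String userId();     // user id
        String user();       // user name
        String domain();     // domain name
        Set<String> roles(); // user roles
    }

    /* Runtime exception, thrown when the credentials are not valid. */
    static class AuthenticationException extends RuntimeException {
        AuthenticationException(String message) { super(message); }
    }

    interface CredentialAuth<T> { Claim authenticate(T credentials); }

    /* Netconf-side SPI. No AAA type appears in it, so the netconf bundle never depends
       on the AAA bundles and the cyclic dependency Tony raised is avoided. */
    interface AuthProvider { boolean authenticated(String username, String password); }

    /* SPI implementation backed by CredentialAuth; this half would live in the AAA repo. */
    static class CredentialAuthProvider implements AuthProvider {
        private final CredentialAuth<PasswordCredentials> credentialAuth;
        CredentialAuthProvider(CredentialAuth<PasswordCredentials> credentialAuth) {
            this.credentialAuth = Objects.requireNonNull(credentialAuth);
        }

        @Override
        public boolean authenticated(final String username, final String password) {
            if (username == null || password == null) {
                return false; // never forward a half-formed credential
            }
            PasswordCredentials creds = new PasswordCredentials() {
                @Override public String username() { return username; }
                @Override public String password() { return password; }
            };
            try {
                // A missing claim is treated as failure, never as success.
                return credentialAuth.authenticate(creds) != null;
            } catch (AuthenticationException e) {
                // Invalid credentials arrive as a runtime exception; the SPI collapses
                // that to "no" without leaking the reason to the caller.
                return false;
            }
        }
    }

    /* Constructed in-memory backend standing in for the IdM server. */
    static class InMemoryCredentialAuth implements CredentialAuth<PasswordCredentials> {
        private final Map<String, String> secrets = new HashMap<>();
        private final Map<String, Set<String>> roles = new HashMap<>();
        // Plaintext only because this is a stand-in; a real backend stores salted hashes.
        void addUser(String user, String password, String... userRoles) {
            secrets.put(user, password);
            roles.put(user, new HashSet<>(Arrays.asList(userRoles)));
        }
        @Override
        public Claim authenticate(PasswordCredentials creds) {
            final String user = creds.username();
            String expected = secrets.get(user);
            // Constant-time compare; an unknown user takes the same path as a bad password.
            byte[] want = (expected == null ? "" : expected).getBytes(StandardCharsets.UTF_8);
            byte[] given = creds.password().getBytes(StandardCharsets.UTF_8);
            if (expected == null || !MessageDigest.isEqual(want, given)) {
                throw new AuthenticationException("invalid credentials");
            }
            final Set<String> userRoles = Collections.unmodifiableSet(roles.get(user));
            return new Claim() {
                @Override public String clientId() { return null; }           // not known here
                @Override public String userId() { return "uid-" + user; }    // constructed id
                @Override public String user() { return user; }
                @Override public String domain() { return "example-domain"; } // placeholder
                @Override public Set<String> roles() { return userRoles; }
            };
        }
    }

    public static void main(String[] args) {
        InMemoryCredentialAuth backend = new InMemoryCredentialAuth();
        backend.addUser("admin", "odl", "admin"); // the canned test user named in the thread
        AuthProvider provider = new CredentialAuthProvider(backend);
        System.out.println("admin/odl   -> " + provider.authenticated("admin", "odl"));
        System.out.println("admin/wrong -> " + provider.authenticated("admin", "wrong"));
        System.out.println("ghost/odl   -> " + provider.authenticated("ghost", "odl"));
    }
}
```

The point of the split is visible in the types: the netconf bundle sees only AuthProvider, and every AAA-specific type, including the exception, stays behind the implementation.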




Nguyen, Liem Manh <liem_m_nguyen@...>

Hi Maros,

I think we can worry about the md-sal authz piece later, since we don’t have it for Helium anyway.  So… let’s focus on AuthN.

For AuthN, I really don’t want it to depend on other controller components, because if, let’s say, the netconf bundle fails to load, then we won’t have AuthN.  Having a direct dependency from netconf to AuthN would also keep things simpler.

Thoughts, Ed/Tony?

Thanks,

Liem

 
