New tests proposed for aaa


Miguel Angel Muñoz Gonzalez <miguel.angel.munoz.gonzalez@...>
 

Hi everyone,

As mentioned in the previous mail, I would like to add some tests to the aaa project to show some basic HTTPS/TLS communication in RESTCONF, also using client certificates. The purpose is also to write down the steps needed to configure ODL as a secure server (documented as a set of working test cases).

The tests would be something like:

1. Test secure RESTCONF request, using server’s certificate
2. Test secure RESTCONF request, using server’s certificate and client certificate
3. Repeat above items with a request for Jolokia data (e.g. cluster mbeans)
4. If previous items were done with self-signed certificates, then repeat with CA-signed certificates

Additionally, I could include some tests with revocation lists.

They would be intended for a clustered environment, thus I would need to handle the keystore directly with keytool across every node in the cluster.

Would you consider it as a proper contribution?

 

Best Regards,

Miguel Ángel Muñoz.


Ryan Goulding <ryandgoulding@...>
 

> Repeat above items with a request for Jolokia data (e.g. cluster mbeans)

Jolokia authentication is handled on its own right now, separate from AAA. I pushed a patch to Jolokia to allow us to tie into Jolokia's challenge mechanism, but still haven't built an ODL impl yet [0].

> Would you consider it as a proper contribution?

Without seeing the actual code, I can't blindly say it will be accepted. However, your plan seems thorough and well thought out, and additional system tests are always appreciated as they really do help harden the product.
 
Thanks,

Ryan Goulding


On Wed, Feb 22, 2017 at 10:24 AM, Miguel Angel Muñoz Gonzalez <miguel.angel.munoz.gonzalez@...> wrote:

_______________________________________________
aaa-dev mailing list
aaa-dev@...
https://lists.opendaylight.org/mailman/listinfo/aaa-dev



David Suarez Fuentes <david.suarez.fuentes@...>
 

Hi Ryan,


We have resumed part of the work Miguel Angel was talking about, and we have plans to somehow "integrate" the Jolokia authentication mechanism with the AAA's. I think we can talk about this in the next weekly meeting, but in the meantime, if you have the time, we can exchange some emails about the topic ;)


Thanks.


Best regards,
David.


From: aaa-dev-bounces@... <aaa-dev-bounces@...> on behalf of Ryan Goulding <ryandgoulding@...>
Sent: Wednesday, February 22, 2017 17:58:32
To: Miguel Angel Muñoz Gonzalez
Cc: aaa-dev@...
Subject: Re: [Aaa-dev] New tests proposed for aaa
 



Jaime Caamaño Ruiz <jaime.caamano.ruiz@...>
 

Hello Ryan,

Getting into a bit of detail following up from [1], with a few doubts.

1. Could we have the problem of the Authenticator class configured not
being found through the class loader that is being used at that point?

2. Wouldn't it be another option to repackage the Jolokia WAR as a bundle
with our own web.xml directives to map the servlet to AAA/Shiro filter?

3. There is still the open issue of the circular dependency, right?

BR
Jaime.

[1] https://lists.opendaylight.org/pipermail/dev/2017-February/003334.html

On Mon, 2017-06-05 at 15:57 +0000, David Suarez Fuentes wrote:
[0] https://github.com/ryandgoulding/jolokia/commit/9f914e149f2ecb6e8d7e21b1389e7c43cb5d3fe7
