[release] Removal of IdP component from AAA


Abhijit Kumbhare <abhijitkoss@...>
 

After Robert's explanation - do you still need it to be on the TSC agenda, Daniel (and maybe Luis)?


On Fri, Mar 22, 2019 at 2:03 PM Robert Varga <nite@...> wrote:
On 21/03/2019 18:07, Luis Gomez wrote:
> Hi Robert,
>
> Can you please explain the impact of this? e.g. can we for instance change the default user admin/admin or use token authentication after this change?

Well, I am just a caretaker trying to get things moving forward.

From what I remember, user credentials should not be affected, as that
goes through Shiro, which is a separate thing.

I would suspect that token authentication would be affected, but I do
not know the deployment details.

Please note this is not something new, Ryan has made a call out here:
https://lists.opendaylight.org/pipermail/aaa-dev/2018-February/001606.html
and there is a tracker to replace Oltu here:
https://jira.opendaylight.org/browse/AAA-162. Based on the conversation
we have had on this when he was still around, his assessment was that
the feature is not useful in practice.

I do not claim authority over this matter, nor do I claim Ryan's
assessment is correct. Unfortunately, status quo in this project is
simply untenable for the following reasons:

1) JIRA has not been scrubbed for a year. When I scrubbed it, we
immediately got a fix from Richard Kosegi for AAA-174. That issue has
been sitting there for 10 months and it was fixed in about 24 hours.

2) there are a few long-standing issues filed, which require fixing in
Oltu. That is just not going to happen in upstream.

3) it is a core project, on which we rely for our security. We just
cannot afford it being a security hazard.

4) org.json/json dependency, which is coming from Oltu is a real
licensing concern, from what I understood from the conversations we had
(even at the TSC call) around
https://jira.opendaylight.org/browse/ODLPARENT-36

That is why I merged the change early in the dev cycle and announced it
very widely, so that there is plenty of time to determine impacts and
discuss alternatives.

The simplest way to determine it is, and I am kindly asking you to, grab
the latest Karaf distro and test out the functionality you expect to work.

If it turns out that there are stakeholders who are affected, I think
the proper course is for them (or their proxies) to come forward and
take ownership of the feature:
- it is a mere 800 LOC of code that got removed
- there are at least 3 bugs filed against token auth
- there are alternative libraries: https://oauth.net/code/java/

Thanks,
Robert

_______________________________________________
release mailing list
release@...
https://lists.opendaylight.org/mailman/listinfo/release


Daniel De La Rosa <ddelarosa@...>
 

Robert, thank you for the details. Abhijit, I think we still need to discuss the details during our next TSC meeting, since it sounds like there will be a major impact for our customers.

Thanks 

On Fri, Mar 22, 2019 at 2:12 PM Abhijit Kumbhare <abhijitkoss@...> wrote:
After Robert's explanation - do you still need it to be on the TSC agenda, Daniel (and maybe Luis)?



--
Daniel de la Rosa
Customer Support Manager
Lumina Networks Inc.
e: ddelarosa@...
m:  +1 408 7728120


Abhijit Kumbhare <abhijitkoss@...>
 

OK.


On Fri, Mar 22, 2019 at 2:30 PM Daniel De La Rosa <ddelarosa@...> wrote:
Robert, thank you for the details. Abhijit, I think we still need to discuss the details during our next TSC meeting, since it sounds like there will be a major impact for our customers.

Thanks 



Robert Varga
 

On 22/03/2019 22:30, Daniel De La Rosa wrote:
> Robert, thank you for the details. Abhijit, I think we still need to
> discuss the details during our next TSC meeting, since it sounds like
> there will be a major impact for our customers.

Hello Daniel,

Any update on the impact for your customers?

Thanks,
Robert


Daniel De La Rosa <ddelarosa@...>
 

On Sat, Jun 1, 2019 at 2:13 PM Robert Varga <nite@...> wrote:
On 22/03/2019 22:30, Daniel De La Rosa wrote:
> Robert, thank you for the details. Abhijit, I think we still need to
> discuss the details during our next TSC meeting, since it sounds like
> there will be a major impact for our customers.

Hello Daniel,

any update on the impact for your customers?

Thanks,
Robert

Hello Robert,

We are still working with our customers on trying to determine the impact. The security team hasn't been very responsive, but we will try again and let you all know.

Thanks


--
Daniel de la Rosa
Customer Support Manager
Lumina Networks Inc.
e: ddelarosa@...
m:  +1 408 7728120