user create gives 500/NPE


Jamo Luhrsen <jluhrsen@...>
 

(subject changed)

On 04/27/2017 06:34 AM, Ryan Goulding wrote:
> The stuff you are referring to works, JamO, and is completely orthogonal to the issue Luis reports. If you paste the exact
> REST call I can assist. Also, if you are curious how to use those endpoints, refer to idmtool.py, which just wraps that
> interface. I just tested this morning.

yeah, if you can help me get it right I'll fix the CSIT. Still, I don't expect a 500/NPE
from AAA, so should that be a bug on its own?

here's kind of my repro, if you can help me know what's wrong:

# Create a Domain

14:28 $ curl -u "admin:admin" -X POST -d '{"description":"BeerClubAficionado","domainid":"96","name":"RyanRocks","enabled":"true"}' -H "Content-Type: application/json" http://$ODL:8181/auth/v1/domains

{"domainid":"RyanRocks","name":"RyanRocks","description":"BeerClubAficionado","enabled":true}



# Look at domains (question: why is domainid==name, when I gave a '96' in the create?)


14:30 $ curl -u "admin:admin" http://$ODL:8181/auth/v1/domains | python -m json.tool
{
    "domains": [
        {
            "description": "default odl sdn domain",
            "domainid": "sdn",
            "enabled": true,
            "name": "sdn"
        },
        {
            "description": "planetary domain",
            "domainid": "Alderaan-2017-04-12-17-31",
            "enabled": true,
            "name": "Alderaan-2017-04-12-17-31"
        },
        {
            "description": "BeerClubAficionado",
            "domainid": "RyanRocks",
            "enabled": true,
            "name": "RyanRocks"
        }
    ]
}



# add a user to this new domain
# first try is using domainid = 96, but get 500/NPE
# second try uses domainid = $name, but also get 500/NPE

✔ ~
14:30 $ curl -u "admin:admin" -X POST -d '{"description":"The Man","name":"Goulding","enabled":"true","domainid":"96"}' -H "Content-Type: application/json" http://$ODL:8181/auth/v1/users
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"/>
<title>Error 500 Server Error</title>
</head>
<body><h2>HTTP ERROR 500</h2>
<p>Problem accessing /auth/v1/users. Reason:
<pre> Server Error</pre></p><h3>Caused by:</h3><pre>java.lang.NullPointerException
at org.opendaylight.aaa.idm.rest.UserHandler.createUser(UserHandler.java:199)
...
<snip>
...



14:31 $ curl -u "admin:admin" -X POST -d '{"description":"The Man","name":"Goulding","enabled":"true","domainid":"RyanRocks"}' -H "Content-Type: application/json" http://$ODL:8181/auth/v1/users
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"/>
<title>Error 500 Server Error</title>
</head>
<body><h2>HTTP ERROR 500</h2>
<p>Problem accessing /auth/v1/users. Reason:
<pre> Server Error</pre></p><h3>Caused by:</h3><pre>java.lang.NullPointerException
at org.opendaylight.aaa.idm.rest.UserHandler.createUser(UserHandler.java:199)

...
<snip>
...


Thanks,
JamO



>     1) it does not work in Boron, I get 500 Server error + NPE [1] when I try: POST
>     /restconf/operations/aaa-cert-rpc:getODLCertificate
>
> I'll give it a shot and see what I get.
>
>     Do we have an idea of what the implications of just reverting that one patch are? Is it likely to work?
>
> So far we haven't demonstrated that the patch does anything negative except deprecate some unsafe commands. Although revert
> may probably be easiest from your perspective, there are a lot of people who actually push their tests upstream and avoid
> this type of skew. Let's not start a witch hunt quite yet; I can pull up quite a few examples of far more risque changes in
> service releases ;).
>
> Regards,
>
> Ryan Goulding
>
> On Thu, Apr 27, 2017 at 9:11 AM, Colin Dixon <colin@...> wrote:
>
>     Do we have an idea of what the implications of just reverting that one patch are? Is it likely to work?
>
>     --Colin
>
>     On Wed, Apr 26, 2017 at 11:11 PM Jamo Luhrsen <jluhrsen@...> wrote:
>
>         btw, I was also trying to help get a broken AAA CSIT job working and ran into some
>         troubles similar symptoms [0] to what Luis is reporting (500/NPE). Luis is playing with
>         cert stuff, and my work was in user/domain auth.
>
>         anyway, wondering if something fundamental is broken?
>
>         JamO
>
>         [0] https://lists.opendaylight.org/pipermail/aaa-dev/2017-April/001280.html


On 04/26/2017 06:21 PM, Luis Gomez wrote:
> hi guys, I just tested old-aaa-cert feature and couple of things:
>
> 1) it does not work in Boron, I get 500 Server error + NPE [1] when I try: POST
/restconf/operations/aaa-cert-rpc:getODLCertificate
>
> 2) When I try in carbon I see 2 store files: ctl.jks, truststore.jks are created under ~/temp folder. Is it
possible to change the path for these files?
>
>
> [1] NPE
>
> <html>
> <head>
> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"/>
> <title>Error 500 Server Error</title>
> </head>
> <body>
> <h2>HTTP ERROR 500</h2>
> <p>Problem accessing /restconf/operations/aaa-cert-rpc:getODLCertificate. Reason:
>
> <pre> Server Error</pre>
> </p>
> <h3>Caused by:</h3>
> <pre>java.lang.NullPointerException
> at org.opendaylight.aaa.cert.impl.AaaCertRpcServiceImpl.getODLCertificate(AaaCertRpcServiceImpl.java:92)
> at
org.opendaylight.yangtools.yang.binding.util.RpcMethodInvokerWithoutInput.invokeOn(RpcMethodInvokerWithoutInput.java:30)
> at
org.opendaylight.yangtools.yang.binding.util.AbstractMappedRpcInvoker.invokeRpc(AbstractMappedRpcInvoker.java:52)
> at
org.opendaylight.controller.md.sal.binding.impl.BindingDOMRpcImplementationAdapter.invoke(BindingDOMRpcImplementationAdapter.java:85)
> at
org.opendaylight.controller.md.sal.binding.impl.BindingDOMRpcImplementationAdapter.invokeRpc(BindingDOMRpcImplementationAdapter.java:72)
> at
org.opendaylight.controller.md.sal.dom.broker.impl.GlobalDOMRpcRoutingTableEntry.invokeRpc(GlobalDOMRpcRoutingTableEntry.java:39)
> at org.opendaylight.controller.md.sal.dom.broker.impl.DOMRpcRoutingTable.invokeRpc(DOMRpcRoutingTable.java:177)
> at org.opendaylight.controller.md.sal.dom.broker.impl.DOMRpcRouter.invokeRpc(DOMRpcRouter.java:102)
> at Proxye69c1788_e30d_4fd8_8d29_f7f08932a9e7.invokeRpc(Unknown Source)
> at org.opendaylight.netconf.sal.restconf.impl.BrokerFacade.invokeRpc(BrokerFacade.java:506)
> at org.opendaylight.netconf.sal.restconf.impl.RestconfImpl.invokeRpc(RestconfImpl.java:464)
> at
org.opendaylight.netconf.sal.restconf.impl.StatisticsRestconfServiceWrapper.invokeRpc(StatisticsRestconfServiceWrapper.java:83)
> at org.opendaylight.netconf.sal.rest.impl.RestconfCompositeWrapper.invokeRpc(RestconfCompositeWrapper.java:64)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> at java.lang.reflect.Method.invoke(Method.java:498)
> at com.sun.jersey.spi.container.JavaMethodInvokerFactory$1.invoke(JavaMethodInvokerFactory.java:60)
> at
com.sun.jersey.server.impl.model.method.dispatch.AbstractResourceMethodDispatchProvider$TypeOutInvoker._dispatch(AbstractResourceMethodDispatchProvider.java:185)
> at
com.sun.jersey.server.impl.model.method.dispatch.ResourceJavaMethodDispatcher.dispatch(ResourceJavaMethodDispatcher.java:75)
> at com.sun.jersey.server.impl.uri.rules.HttpMethodRule.accept(HttpMethodRule.java:302)
> at com.sun.jersey.server.impl.uri.rules.RightHandPathRule.accept(RightHandPathRule.java:147)
> at com.sun.jersey.server.impl.uri.rules.ResourceObjectRule.accept(ResourceObjectRule.java:100)
> at com.sun.jersey.server.impl.uri.rules.RightHandPathRule.accept(RightHandPathRule.java:147)
> at com.sun.jersey.server.impl.uri.rules.RootResourceClassesRule.accept(RootResourceClassesRule.java:84)
> at com.sun.jersey.server.impl.application.WebApplicationImpl._handleRequest(WebApplicationImpl.java:1511)
> at com.sun.jersey.server.impl.application.WebApplicationImpl._handleRequest(WebApplicationImpl.java:1442)
> at com.sun.jersey.server.impl.application.WebApplicationImpl.handleRequest(WebApplicationImpl.java:1391)
> at com.sun.jersey.server.impl.application.WebApplicationImpl.handleRequest(WebApplicationImpl.java:1381)
> at com.sun.jersey.spi.container.servlet.WebComponent.service(WebComponent.java:416)
> at com.sun.jersey.spi.container.servlet.ServletContainer.service(ServletContainer.java:538)
> at com.sun.jersey.spi.container.servlet.ServletContainer.service(ServletContainer.java:716)
> at javax.servlet.http.HttpServlet.service(HttpServlet.java:668)
> at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:684)
> at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1507)
> at org.eclipse.jetty.servlets.CrossOriginFilter.handle(CrossOriginFilter.java:247)
> at org.eclipse.jetty.servlets.CrossOriginFilter.doFilter(CrossOriginFilter.java:210)
> at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1478)
> at org.eclipse.jetty.servlets.UserAgentFilter.doFilter(UserAgentFilter.java:82)
> at org.eclipse.jetty.servlets.GzipFilter.doFilter(GzipFilter.java:256)
> at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1478)
> at org.opendaylight.aaa.filterchain.filters.CustomFilterAdapter.doFilter(CustomFilterAdapter.java:85)
> at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1478)
> at org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:61)
> at org.apache.shiro.web.servlet.AdviceFilter.executeChain(AdviceFilter.java:108)
> at org.apache.shiro.web.servlet.AdviceFilter.doFilterInternal(AdviceFilter.java:137)
> at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)
> at org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:66)
> at org.apache.shiro.web.servlet.AdviceFilter.executeChain(AdviceFilter.java:108)
> at org.apache.shiro.web.servlet.AdviceFilter.doFilterInternal(AdviceFilter.java:137)
> at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)
> at org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:66)
> at org.apache.shiro.web.servlet.AbstractShiroFilter.executeChain(AbstractShiroFilter.java:449)
> at org.apache.shiro.web.servlet.AbstractShiroFilter$1.call(AbstractShiroFilter.java:365)
> at org.apache.shiro.subject.support.SubjectCallable.doCall(SubjectCallable.java:90)
> at org.apache.shiro.subject.support.SubjectCallable.call(SubjectCallable.java:83)
> at org.apache.shiro.subject.support.DelegatingSubject.execute(DelegatingSubject.java:383)
> at org.apache.shiro.web.servlet.AbstractShiroFilter.doFilterInternal(AbstractShiroFilter.java:362)
> at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)
> at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1478)
> at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:499)
> at org.ops4j.pax.web.service.jetty.internal.HttpServiceServletHandler.doHandle(HttpServiceServletHandler.java:69)
> at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:137)
> at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:557)
> at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:231)
> at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1086)
> at org.ops4j.pax.web.service.jetty.internal.HttpServiceContext.doHandle(HttpServiceContext.java:240)
> at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:427)
> at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:193)
> at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1020)
> at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:135)
> at
org.ops4j.pax.web.service.jetty.internal.JettyServerHandlerCollection.handle(JettyServerHandlerCollection.java:75)
> at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:116)
> at org.eclipse.jetty.server.Server.handle(Server.java:370)
> at org.eclipse.jetty.server.AbstractHttpConnection.handleRequest(AbstractHttpConnection.java:494)
> at org.eclipse.jetty.server.AbstractHttpConnection.headerComplete(AbstractHttpConnection.java:973)
> at
org.eclipse.jetty.server.AbstractHttpConnection$RequestHandler.headerComplete(AbstractHttpConnection.java:1035)
> at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:641)
> at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:231)
> at org.eclipse.jetty.server.AsyncHttpConnection.handle(AsyncHttpConnection.java:82)
> at org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEndPoint.java:696)
> at org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEndPoint.java:53)
> at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:608)
> at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:543)
> at java.lang.Thread.run(Thread.java:745)
>
>
>
>
>
>> On Apr 26, 2017, at 12:50 PM, Mohamed ElSerngawy <melserngawy@... <mailto:melserngawy@...>> wrote:
>>
>> Hi Colin,
>>
>> You are not supposed to use them after the changes that we made in the patch. Basically these functionalities were
>> there because the keystores need to be generated after starting ODL. But now, the keystore will be created once
>> you install the aaa-cert feature. Keeping these functionalities could make a serious security threat.
>>
>> BR
>>
>> On Wed, Apr 26, 2017 at 3:40 PM, Colin Dixon <colin@... <mailto:colin@...>> wrote:
>> Putting the argument about what should go in an SR aside for the moment, is there a straightforward way to access
the functionality that was provided by the removed commands? Specifically gen-odl-ks and gen-trust-ks?
>>
>> --Colin
>>
>> On Wed, Apr 26, 2017 at 3:15 PM Ryan Goulding <ryandgoulding@... <mailto:ryandgoulding@...>> wrote:
>> which is probably not in the spirit of SRs
>>
>> This was done for both usability and security purposes, as I explained via Skype already. The security advantages
alone make it justifiable IMHO.
>>
>> While we're somewhat less strict about adding features in SRs. Taking them out without a lot of warning and
>> notice is pretty much the definition of what we try to never do in SRs.
>>
>> This isn't a feature, it is CLI.
>>
>> This patch seems to be the issue:
>> https://git.opendaylight.org/gerrit/#/c/51649/ <https://git.opendaylight.org/gerrit/#/c/51649/>
>>
>> Yes, if you look at the bug actually, a member from your team commented on it [0] so I'd argue that it was at
>> least somewhat well known ;). Reverting it shouldn't be particularly hard, but it could open you up to some
>> security issues in your downstream distro!
>>
>> Regards,
>>
>> Ryan Goulding
>>
>> [0] https://bugs.opendaylight.org/show_bug.cgi?id=7774 <https://bugs.opendaylight.org/show_bug.cgi?id=7774>
>>
>> On Wed, Apr 26, 2017 at 3:03 PM, Colin Dixon <colin@... <mailto:colin@...>> wrote:
>> So, in some downstream testing at Brocade we found that the AAA CLI commands were changed somewhat drastically
between Boron-SR2 and Boron-SR3, which is probably not in the spirit of SRs. While we're somewhat less strict about
adding features in SRs. Taking them out without a lot of warning and notice is pretty much the definition of what we
try to never do in SRs.
>>
>> That being said, we're trying to make the best of it and looking for help in understanding how to get the
functionality we rely on from AAA back in Boron-SR3.
>>
>> This patch seems to be the issue:
>> https://git.opendaylight.org/gerrit/#/c/51649/ <https://git.opendaylight.org/gerrit/#/c/51649/>
>>
>> Is there somebody that can comment on how we might recover the functionality that used to be provided by the
gen-odl-ks and gen-trust-ks CLI commands? Would simply reverting that patch work or would it break other things as well?
>>
>> Thanks,
>> --Colin
>>
>>
>> _______________________________________________
>> aaa-dev mailing list
>> aaa-dev@... <mailto:aaa-dev@...>
>> https://lists.opendaylight.org/mailman/listinfo/aaa-dev <https://lists.opendaylight.org/mailman/listinfo/aaa-dev>


Ryan Goulding <ryandgoulding@...>
 

The domain id "96" does not exist. Probably should be a better error message, but you need to use a domain that exists or you will get an internal server error.

Regards,

Ryan Goulding

On Thu, Apr 27, 2017 at 5:36 PM, Jamo Luhrsen <jluhrsen@...> wrote:
(subject changed)

On 04/27/2017 06:34 AM, Ryan Goulding wrote:
> The stuff you are referring to works, JamO, and is completely orthogonal to the issue Luis reports.  If you paste the exact
> REST call I can assist.  Also, if you are curious how to use those endpoints, refer to idmtool.py, which just wraps that
> interface.  I just tested this morning.

yeah, if you can help me get it right I'll fix the CSIT. Still, I don't expect a 500/NPE
from AAA, so should that be a bug on it's own?

here's kind of my repro, if you can help me know what's wrong:

# Create a Domain

14:28 $ curl -u "admin:admin" -X POST -d
'{"description":"BeerClubAficionado","domainid":"96","name":"RyanRocks","enabled":"true"}' -H "Content-Type:
application/json" http://$ODL:8181/auth/v1/domains

{"domainid":"RyanRocks","name":"RyanRocks","description":"BeerClubAficionado","enabled":true}



# Look at domains (question: why is domainid==name, when I gave a '96' in the create?)


14:30 $ curl -u "admin:admin" http://$ODL:8181/auth/v1/domains | python -m json.tool
{
    "domains": [
        {
            "description": "default odl sdn domain",
            "domainid": "sdn",
            "enabled": true,
            "name": "sdn"
        },
        {
            "description": "planetary domain",
            "domainid": "Alderaan-2017-04-12-17-31",
            "enabled": true,
            "name": "Alderaan-2017-04-12-17-31"
        },
        {
            "description": "BeerClubAficionado",
            "domainid": "RyanRocks",
            "enabled": true,
            "name": "RyanRocks"
        }
    ]
}



# add a user to this new domain
# first try is using domainid = 96, but get 500/NPE
# second try uses domainid = $name, but also get 500/NPE

✔ ~
14:30 $ curl -u "admin:admin" -X POST -d '{"description":"The Man","name":"Goulding","enabled":"true","domainid":"96"}' -H
"Content-Type: application/json" http://$ODL:8181/auth/v1/users
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"/>
<title>Error 500 Server Error</title>
</head>
<body><h2>HTTP ERROR 500</h2>
<p>Problem accessing /auth/v1/users. Reason:
<pre>    Server Error</pre></p><h3>Caused by:</h3><pre>java.lang.NullPointerException
        at org.opendaylight.aaa.idm.rest.UserHandler.createUser(UserHandler.java:199)
...
<snip>
...



14:31 $ curl -u "admin:admin" -X POST -d '{"description":"The
Man","name":"Goulding","enabled":"true","domainid":"RyanRocks"}' -H "Content-Type: application/json"
http://$ODL:8181/auth/v1/users
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"/>
<title>Error 500 Server Error</title>
</head>
<body><h2>HTTP ERROR 500</h2>
<p>Problem accessing /auth/v1/users. Reason:
<pre>    Server Error</pre></p><h3>Caused by:</h3><pre>java.lang.NullPointerException
        at org.opendaylight.aaa.idm.rest.UserHandler.createUser(UserHandler.java:199)

...
<snip>
...


Thanks,
JamO



>     1) it does not work in Boron, I get 500 Server error + NPE [1] when I try: POST
>     /restconf/operations/aaa-cert-rpc:getODLCertificate
>
> I'll give it a shot and see what I get.
>
>     Do we have an idea of what the implications of just reverting that one patch are? Is it likely to work?
>
>
> So far we haven't demonstrated that the patch does anything negative except deprecate some unsafe commands.  Although revert
> may probably be easiest from your perspective, there are a lot of people who actually push their tests upstream and avoid
> this type of skew.  Let's not start a witch hunt quite yet;  I can pull up quite a few examples of far more risque changes in
> service releases ;).
>
> Regards,
>
> Ryan Goulding
>
> On Thu, Apr 27, 2017 at 9:11 AM, Colin Dixon <colin@... <mailto:colin@...>> wrote:
>
>     Do we have an idea of what the implications of just reverting that one patch are? Is it likely to work?
>
>     --Colin
>
>     On Wed, Apr 26, 2017 at 11:11 PM Jamo Luhrsen <jluhrsen@... <mailto:jluhrsen@...>> wrote:
>
>         btw, I was also trying to help get a broken AAA CSIT job working and ran in to some
>         troubles similar symptoms [0] to what Luis is reporting (500/NPE). Luis is playing with
>         cert stuff, and my work was in user/domain auth.
>
>         anyway, wondering if something fundamental is broken?
>
>         JamO
>
>         [0] https://lists.opendaylight.org/pipermail/aaa-dev/2017-April/001280.html
>         <https://lists.opendaylight.org/pipermail/aaa-dev/2017-April/001280.html>
>
>
>
>         On 04/26/2017 06:21 PM, Luis Gomez wrote:
>         > hi guys, I just tested old-aaa-cert feature and couple of things:
>         >
>         > 1) it does not work in Boron, I get 500 Server error + NPE [1] when I try: POST
>         /restconf/operations/aaa-cert-rpc:getODLCertificate
>         >
>         > 2) When I try in carbon I see 2 store files: ctl.jks, truststore.jks are created under ~/temp folder. Is it
>         possible to change the path for these files?
>         >
>         >
>         > [1] NPE
>         >
>         > <html>
>         >     <head>
>         >         <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"/>
>         >         <title>Error 500 Server Error</title>
>         >     </head>
>         >     <body>
>         >         <h2>HTTP ERROR 500</h2>
>         >         <p>Problem accessing /restconf/operations/aaa-cert-rpc:getODLCertificate. Reason:
>         >
>         >             <pre>    Server Error</pre>
>         >         </p>
>         >         <h3>Caused by:</h3>
>         >         <pre>java.lang.NullPointerException
>         >       at org.opendaylight.aaa.cert.impl.AaaCertRpcServiceImpl.getODLCertificate(AaaCertRpcServiceImpl.java:92)
>         >       at
>         org.opendaylight.yangtools.yang.binding.util.RpcMethodInvokerWithoutInput.invokeOn(RpcMethodInvokerWithoutInput.java:30)
>         >       at
>         org.opendaylight.yangtools.yang.binding.util.AbstractMappedRpcInvoker.invokeRpc(AbstractMappedRpcInvoker.java:52)
>         >       at
>         org.opendaylight.controller.md.sal.binding.impl.BindingDOMRpcImplementationAdapter.invoke(BindingDOMRpcImplementationAdapter.java:85)
>         >       at
>         org.opendaylight.controller.md.sal.binding.impl.BindingDOMRpcImplementationAdapter.invokeRpc(BindingDOMRpcImplementationAdapter.java:72)
>         >       at
>         org.opendaylight.controller.md.sal.dom.broker.impl.GlobalDOMRpcRoutingTableEntry.invokeRpc(GlobalDOMRpcRoutingTableEntry.java:39)
>         >       at org.opendaylight.controller.md.sal.dom.broker.impl.DOMRpcRoutingTable.invokeRpc(DOMRpcRoutingTable.java:177)
>         >       at org.opendaylight.controller.md.sal.dom.broker.impl.DOMRpcRouter.invokeRpc(DOMRpcRouter.java:102)
>         >       at Proxye69c1788_e30d_4fd8_8d29_f7f08932a9e7.invokeRpc(Unknown Source)
>         >       at org.opendaylight.netconf.sal.restconf.impl.BrokerFacade.invokeRpc(BrokerFacade.java:506)
>         >       at org.opendaylight.netconf.sal.restconf.impl.RestconfImpl.invokeRpc(RestconfImpl.java:464)
>         >       at
>         org.opendaylight.netconf.sal.restconf.impl.StatisticsRestconfServiceWrapper.invokeRpc(StatisticsRestconfServiceWrapper.java:83)
>         >       at org.opendaylight.netconf.sal.rest.impl.RestconfCompositeWrapper.invokeRpc(RestconfCompositeWrapper.java:64)
>         >       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>         >       at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>         >       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>         >       at java.lang.reflect.Method.invoke(Method.java:498)
>         >       at com.sun.jersey.spi.container.JavaMethodInvokerFactory$1.invoke(JavaMethodInvokerFactory.java:60)
>         >       at
>         com.sun.jersey.server.impl.model.method.dispatch.AbstractResourceMethodDispatchProvider$TypeOutInvoker._dispatch(AbstractResourceMethodDispatchProvider.java:185)
>         >       at
>         com.sun.jersey.server.impl.model.method.dispatch.ResourceJavaMethodDispatcher.dispatch(ResourceJavaMethodDispatcher.java:75)
>         >       at com.sun.jersey.server.impl.uri.rules.HttpMethodRule.accept(HttpMethodRule.java:302)
>         >       at com.sun.jersey.server.impl.uri.rules.RightHandPathRule.accept(RightHandPathRule.java:147)
>         >       at com.sun.jersey.server.impl.uri.rules.ResourceObjectRule.accept(ResourceObjectRule.java:100)
>         >       at com.sun.jersey.server.impl.uri.rules.RightHandPathRule.accept(RightHandPathRule.java:147)
>         >       at com.sun.jersey.server.impl.uri.rules.RootResourceClassesRule.accept(RootResourceClassesRule.java:84)
>         >       at com.sun.jersey.server.impl.application.WebApplicationImpl._handleRequest(WebApplicationImpl.java:1511)
>         >       at com.sun.jersey.server.impl.application.WebApplicationImpl._handleRequest(WebApplicationImpl.java:1442)
>         >       at com.sun.jersey.server.impl.application.WebApplicationImpl.handleRequest(WebApplicationImpl.java:1391)
>         >       at com.sun.jersey.server.impl.application.WebApplicationImpl.handleRequest(WebApplicationImpl.java:1381)
>         >       at com.sun.jersey.spi.container.servlet.WebComponent.service(WebComponent.java:416)
>         >       at com.sun.jersey.spi.container.servlet.ServletContainer.service(ServletContainer.java:538)
>         >       at com.sun.jersey.spi.container.servlet.ServletContainer.service(ServletContainer.java:716)
>         >       at javax.servlet.http.HttpServlet.service(HttpServlet.java:668)
>         >       at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:684)
>         >       at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1507)
>         >       at org.eclipse.jetty.servlets.CrossOriginFilter.handle(CrossOriginFilter.java:247)
>         >       at org.eclipse.jetty.servlets.CrossOriginFilter.doFilter(CrossOriginFilter.java:210)
>         >       at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1478)
>         >       at org.eclipse.jetty.servlets.UserAgentFilter.doFilter(UserAgentFilter.java:82)
>         >       at org.eclipse.jetty.servlets.GzipFilter.doFilter(GzipFilter.java:256)
>         >       at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1478)
>         >       at org.opendaylight.aaa.filterchain.filters.CustomFilterAdapter.doFilter(CustomFilterAdapter.java:85)
>         >       at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1478)
>         >       at org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:61)
>         >       at org.apache.shiro.web.servlet.AdviceFilter.executeChain(AdviceFilter.java:108)
>         >       at org.apache.shiro.web.servlet.AdviceFilter.doFilterInternal(AdviceFilter.java:137)
>         >       at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)
>         >       at org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:66)
>         >       at org.apache.shiro.web.servlet.AdviceFilter.executeChain(AdviceFilter.java:108)
>         >       at org.apache.shiro.web.servlet.AdviceFilter.doFilterInternal(AdviceFilter.java:137)
>         >       at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)
>         >       at org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:66)
>         >       at org.apache.shiro.web.servlet.AbstractShiroFilter.executeChain(AbstractShiroFilter.java:449)
>         >       at org.apache.shiro.web.servlet.AbstractShiroFilter$1.call(AbstractShiroFilter.java:365)
>         >       at org.apache.shiro.subject.support.SubjectCallable.doCall(SubjectCallable.java:90)
>         >       at org.apache.shiro.subject.support.SubjectCallable.call(SubjectCallable.java:83)
>         >       at org.apache.shiro.subject.support.DelegatingSubject.execute(DelegatingSubject.java:383)
>         >       at org.apache.shiro.web.servlet.AbstractShiroFilter.doFilterInternal(AbstractShiroFilter.java:362)
>         >       at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)
>         >       at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1478)
>         >       at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:499)
>         >       at org.ops4j.pax.web.service.jetty.internal.HttpServiceServletHandler.doHandle(HttpServiceServletHandler.java:69)
>         >       at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:137)
>         >       at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:557)
>         >       at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:231)
>         >       at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1086)
>         >       at org.ops4j.pax.web.service.jetty.internal.HttpServiceContext.doHandle(HttpServiceContext.java:240)
>         >       at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:427)
>         >       at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:193)
>         >       at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1020)
>         >       at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:135)
>         >       at
>         org.ops4j.pax.web.service.jetty.internal.JettyServerHandlerCollection.handle(JettyServerHandlerCollection.java:75)
>         >       at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:116)
>         >       at org.eclipse.jetty.server.Server.handle(Server.java:370)
>         >       at org.eclipse.jetty.server.AbstractHttpConnection.handleRequest(AbstractHttpConnection.java:494)
>         >       at org.eclipse.jetty.server.AbstractHttpConnection.headerComplete(AbstractHttpConnection.java:973)
>         >       at
>         org.eclipse.jetty.server.AbstractHttpConnection$RequestHandler.headerComplete(AbstractHttpConnection.java:1035)
>         >       at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:641)
>         >       at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:231)
>         >       at org.eclipse.jetty.server.AsyncHttpConnection.handle(AsyncHttpConnection.java:82)
>         >       at org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEndPoint.java:696)
>         >       at org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEndPoint.java:53)
>         >       at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:608)
>         >       at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:543)
>         >       at java.lang.Thread.run(Thread.java:745)
>         >
>         >
>         >
>         >
>         >
>         >> On Apr 26, 2017, at 12:50 PM, Mohamed ElSerngawy <melserngawy@...> wrote:
>         >>
>         >> Hi Colin,
>         >>
>         >> You are not supposed to use them after the changes that we made in the patch. Basically these functionalities were
>         there because the keystores need to be generated after starting ODL. But now, the keystore will be created once
>         you install the aaa-cert feature. Keeping these functionalities could make a serious security threat.
>         >>
>         >> BR
>         >>
>         >> On Wed, Apr 26, 2017 at 3:40 PM, Colin Dixon <colin@...> wrote:
>         >> Putting the argument about what should go in an SR aside for the moment, is there a straightforward way to access
>         the functionality that was provided by the removed commands? Specifically gen-odl-ks and gen-trust-ks?
>         >>
>         >> --Colin
>         >>
>         >> On Wed, Apr 26, 2017 at 3:15 PM Ryan Goulding <ryandgoulding@...> wrote:
>         >> which is probably not in the spirit of SRs
>         >>
>         >> This was done for both usability and security purposes, as I explained via Skype already.  The security advantages
>         alone make it justifiable IMHO.
>         >>
>         >>  While we're somewhat less strict about adding features in SRs. Taking them out without a lot of warning and
>         notice is pretty much the definition of what we try to never do in SRs.
>         >>
>         >> This isn't a feature, it is CLI.
>         >>
>         >>  This patch seems to be the issue:
>         >> https://git.opendaylight.org/gerrit/#/c/51649/
>         >>
>         >> Yes, if you look at the bug actually, a member from your team commented on it [0] so I'd argue that it was at
>         least somewhat well known ;).  Reverting it shouldn't be particularly hard, but it could open you up to some
>         security issues in your downstream distro!
>         >>
>         >> Regards,
>         >>
>         >> Ryan Goulding
>         >>
>         >> [0] https://bugs.opendaylight.org/show_bug.cgi?id=7774
>         >>
>         >> On Wed, Apr 26, 2017 at 3:03 PM, Colin Dixon <colin@...> wrote:
>         >> So, in some downstream testing at Brocade we found that the AAA CLI commands were changed somewhat drastically
>         between Boron-SR2 and Boron-SR3, which is probably not in the spirit of SRs. While we're somewhat less strict about
>         adding features in SRs. Taking them out without a lot of warning and notice is pretty much the definition of what we
>         try to never do in SRs.
>         >>
>         >> That being said, we're trying to make the best of it and looking for help in understanding how to get the
>         functionality we rely on from AAA back in Boron-SR3.
>         >>
>         >> This patch seems to be the issue:
>         >> https://git.opendaylight.org/gerrit/#/c/51649/
>         >>
>         >> Is there somebody that can comment on how we might recover the functionality that used to be provided by the
>         gen-odl-ks and gen-trust-ks CLI commands? Would simply reverting that patch work or would it break other things as well?
>         >>
>         >> Thanks,
>         >> --Colin
>         >>
>         >>
>         >> _______________________________________________
>         >> aaa-dev mailing list
>         >> aaa-dev@... <mailto:aaa-dev@lists.opendaylight.org>
>         >> https://lists.opendaylight.org/mailman/listinfo/aaa-dev <https://lists.opendaylight.org/mailman/listinfo/aaa-dev>
>         >>
>         >>
>         >>
>         >
>         >
>
>
>
>


Jamo Luhrsen <jluhrsen@...>
 

so, when creating a domain you have to use a domain id that already exists? where do I find
that domainid?

JamO

On 05/04/2017 12:51 PM, Ryan Goulding wrote:
The domain id "96" does not exist. Probably should be a better error message, but you need to use a domain that exists or
you will get internal server error.

Regards,

Ryan Goulding

On Thu, Apr 27, 2017 at 5:36 PM, Jamo Luhrsen <jluhrsen@...> wrote:

(subject changed)

On 04/27/2017 06:34 AM, Ryan Goulding wrote:
> The stuff you are referring to works, JamO, and is completely orthogonal to the issue Luis reports. If you paste the exact
> REST call I can assist. Also, if you are curious how to use those endpoints, refer to idmtool.py, which just wraps that
> interface. I just tested this morning.

yeah, if you can help me get it right I'll fix the CSIT. Still, I don't expect a 500/NPE
from AAA, so should that be a bug on its own?

here's kind of my repro, if you can help me know what's wrong:

# Create a Domain

14:28 $ curl -u "admin:admin" -X POST -d '{"description":"BeerClubAficionado","domainid":"96","name":"RyanRocks","enabled":"true"}' -H "Content-Type: application/json" http://$ODL:8181/auth/v1/domains

{"domainid":"RyanRocks","name":"RyanRocks","description":"BeerClubAficionado","enabled":true}



# Look at domains (question: why is domainid==name, when I gave a '96' in the create?)


14:30 $ curl -u "admin:admin" http://$ODL:8181/auth/v1/domains | python -m json.tool
{
"domains": [
{
"description": "default odl sdn domain",
"domainid": "sdn",
"enabled": true,
"name": "sdn"
},
{
"description": "planetary domain",
"domainid": "Alderaan-2017-04-12-17-31",
"enabled": true,
"name": "Alderaan-2017-04-12-17-31"
},
{
"description": "BeerClubAficionado",
"domainid": "RyanRocks",
"enabled": true,
"name": "RyanRocks"
}
]
}



# add a user to this new domain
# first try is using domainid = 96, but get 500/NPE
# second try uses domainid = $name, but also get 500/NPE

✔ ~
14:30 $ curl -u "admin:admin" -X POST -d '{"description":"The Man","name":"Goulding","enabled":"true","domainid":"96"}' -H "Content-Type: application/json" http://$ODL:8181/auth/v1/users
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"/>
<title>Error 500 Server Error</title>
</head>
<body><h2>HTTP ERROR 500</h2>
<p>Problem accessing /auth/v1/users. Reason:
<pre> Server Error</pre></p><h3>Caused by:</h3><pre>java.lang.NullPointerException
at org.opendaylight.aaa.idm.rest.UserHandler.createUser(UserHandler.java:199)
...
<snip>
...



14:31 $ curl -u "admin:admin" -X POST -d '{"description":"The Man","name":"Goulding","enabled":"true","domainid":"RyanRocks"}' -H "Content-Type: application/json" http://$ODL:8181/auth/v1/users
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"/>
<title>Error 500 Server Error</title>
</head>
<body><h2>HTTP ERROR 500</h2>
<p>Problem accessing /auth/v1/users. Reason:
<pre> Server Error</pre></p><h3>Caused by:</h3><pre>java.lang.NullPointerException
at org.opendaylight.aaa.idm.rest.UserHandler.createUser(UserHandler.java:199)

...
<snip>
...


Thanks,
JamO



> 1) it does not work in Boron, I get 500 Server error + NPE [1] when I try: POST
> /restconf/operations/aaa-cert-rpc:getODLCertificate
>
> I'll give it a shot and see what I get.
>
> Do we have an idea of what the implications of just reverting that one patch are? Is it likely to work?
>
>
> So far we haven't demonstrated that the patch does anything negative except deprecate some unsafe commands. Although revert
> may probably be easiest from your perspective, there are a lot of people who actually push their tests upstream and avoid
> this type of skew. Let's not start a witch hunt quite yet; I can pull up quite a few examples of far more risque changes in
> service releases ;).
>
> Regards,
>
> Ryan Goulding
>
> On Thu, Apr 27, 2017 at 9:11 AM, Colin Dixon <colin@...> wrote:
>
> Do we have an idea of what the implications of just reverting that one patch are? Is it likely to work?
>
> --Colin
>
> On Wed, Apr 26, 2017 at 11:11 PM Jamo Luhrsen <jluhrsen@...> wrote:
>
> btw, I was also trying to help get a broken AAA CSIT job working and ran into some
> troubles with similar symptoms [0] to what Luis is reporting (500/NPE). Luis is playing with
> cert stuff, and my work was in user/domain auth.
>
> anyway, wondering if something fundamental is broken?
>
> JamO
>
> [0] https://lists.opendaylight.org/pipermail/aaa-dev/2017-April/001280.html
>
>
>
> On 04/26/2017 06:21 PM, Luis Gomez wrote:
> > hi guys, I just tested old-aaa-cert feature and couple of things:
> >
> > 1) it does not work in Boron, I get 500 Server error + NPE [1] when I try: POST
> /restconf/operations/aaa-cert-rpc:getODLCertificate
> >
> > 2) When I try in carbon I see 2 store files: ctl.jks, truststore.jks are created under ~/temp folder. Is it
> possible to change the path for these files?
> >
> >
> > [1] NPE
> >
> > <html>
> > <head>
> > <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"/>
> > <title>Error 500 Server Error</title>
> > </head>
> > <body>
> > <h2>HTTP ERROR 500</h2>
> > <p>Problem accessing /restconf/operations/aaa-cert-rpc:getODLCertificate. Reason:
> >
> > <pre> Server Error</pre>
> > </p>
> > <h3>Caused by:</h3>
> > <pre>java.lang.NullPointerException
> > at org.opendaylight.aaa.cert.impl.AaaCertRpcServiceImpl.getODLCertificate(AaaCertRpcServiceImpl.java:92)
> > at
>
org.opendaylight.yangtools.yang.binding.util.RpcMethodInvokerWithoutInput.invokeOn(RpcMethodInvokerWithoutInput.java:30)
> > at
> org.opendaylight.yangtools.yang.binding.util.AbstractMappedRpcInvoker.invokeRpc(AbstractMappedRpcInvoker.java:52)
> > at
>
org.opendaylight.controller.md.sal.binding.impl.BindingDOMRpcImplementationAdapter.invoke(BindingDOMRpcImplementationAdapter.java:85)
> > at
>
org.opendaylight.controller.md.sal.binding.impl.BindingDOMRpcImplementationAdapter.invokeRpc(BindingDOMRpcImplementationAdapter.java:72)
> > at
>
org.opendaylight.controller.md.sal.dom.broker.impl.GlobalDOMRpcRoutingTableEntry.invokeRpc(GlobalDOMRpcRoutingTableEntry.java:39)
> > at
org.opendaylight.controller.md.sal.dom.broker.impl.DOMRpcRoutingTable.invokeRpc(DOMRpcRoutingTable.java:177)
> > at org.opendaylight.controller.md.sal.dom.broker.impl.DOMRpcRouter.invokeRpc(DOMRpcRouter.java:102)
> > at Proxye69c1788_e30d_4fd8_8d29_f7f08932a9e7.invokeRpc(Unknown Source)
> > at org.opendaylight.netconf.sal.restconf.impl.BrokerFacade.invokeRpc(BrokerFacade.java:506)
> > at org.opendaylight.netconf.sal.restconf.impl.RestconfImpl.invokeRpc(RestconfImpl.java:464)
> > at
>
org.opendaylight.netconf.sal.restconf.impl.StatisticsRestconfServiceWrapper.invokeRpc(StatisticsRestconfServiceWrapper.java:83)
> > at
org.opendaylight.netconf.sal.rest.impl.RestconfCompositeWrapper.invokeRpc(RestconfCompositeWrapper.java:64)
> > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> > at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> > at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> > at java.lang.reflect.Method.invoke(Method.java:498)
> > at com.sun.jersey.spi.container.JavaMethodInvokerFactory$1.invoke(JavaMethodInvokerFactory.java:60)
> > at
>
com.sun.jersey.server.impl.model.method.dispatch.AbstractResourceMethodDispatchProvider$TypeOutInvoker._dispatch(AbstractResourceMethodDispatchProvider.java:185)
> > at
>
com.sun.jersey.server.impl.model.method.dispatch.ResourceJavaMethodDispatcher.dispatch(ResourceJavaMethodDispatcher.java:75)
> > at com.sun.jersey.server.impl.uri.rules.HttpMethodRule.accept(HttpMethodRule.java:302)
> > at com.sun.jersey.server.impl.uri.rules.RightHandPathRule.accept(RightHandPathRule.java:147)
> > at com.sun.jersey.server.impl.uri.rules.ResourceObjectRule.accept(ResourceObjectRule.java:100)
> > at com.sun.jersey.server.impl.uri.rules.RightHandPathRule.accept(RightHandPathRule.java:147)
> > at com.sun.jersey.server.impl.uri.rules.RootResourceClassesRule.accept(RootResourceClassesRule.java:84)
> > at com.sun.jersey.server.impl.application.WebApplicationImpl._handleRequest(WebApplicationImpl.java:1511)
> > at com.sun.jersey.server.impl.application.WebApplicationImpl._handleRequest(WebApplicationImpl.java:1442)
> > at com.sun.jersey.server.impl.application.WebApplicationImpl.handleRequest(WebApplicationImpl.java:1391)
> > at com.sun.jersey.server.impl.application.WebApplicationImpl.handleRequest(WebApplicationImpl.java:1381)
> > at com.sun.jersey.spi.container.servlet.WebComponent.service(WebComponent.java:416)
> > at com.sun.jersey.spi.container.servlet.ServletContainer.service(ServletContainer.java:538)
> > at com.sun.jersey.spi.container.servlet.ServletContainer.service(ServletContainer.java:716)
> > at javax.servlet.http.HttpServlet.service(HttpServlet.java:668)
> > at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:684)
> > at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1507)
> > at org.eclipse.jetty.servlets.CrossOriginFilter.handle(CrossOriginFilter.java:247)
> > at org.eclipse.jetty.servlets.CrossOriginFilter.doFilter(CrossOriginFilter.java:210)
> > at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1478)
> > at org.eclipse.jetty.servlets.UserAgentFilter.doFilter(UserAgentFilter.java:82)
> > at org.eclipse.jetty.servlets.GzipFilter.doFilter(GzipFilter.java:256)
> > at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1478)
> > at org.opendaylight.aaa.filterchain.filters.CustomFilterAdapter.doFilter(CustomFilterAdapter.java:85)
> > at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1478)
> > at org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:61)
> > at org.apache.shiro.web.servlet.AdviceFilter.executeChain(AdviceFilter.java:108)
> > at org.apache.shiro.web.servlet.AdviceFilter.doFilterInternal(AdviceFilter.java:137)
> > at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)
> > at org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:66)
> > at org.apache.shiro.web.servlet.AdviceFilter.executeChain(AdviceFilter.java:108)
> > at org.apache.shiro.web.servlet.AdviceFilter.doFilterInternal(AdviceFilter.java:137)
> > at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)
> > at org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:66)
> > at org.apache.shiro.web.servlet.AbstractShiroFilter.executeChain(AbstractShiroFilter.java:449)
> > at org.apache.shiro.web.servlet.AbstractShiroFilter$1.call(AbstractShiroFilter.java:365)
> > at org.apache.shiro.subject.support.SubjectCallable.doCall(SubjectCallable.java:90)
> > at org.apache.shiro.subject.support.SubjectCallable.call(SubjectCallable.java:83)
> > at org.apache.shiro.subject.support.DelegatingSubject.execute(DelegatingSubject.java:383)
> > at org.apache.shiro.web.servlet.AbstractShiroFilter.doFilterInternal(AbstractShiroFilter.java:362)
> > at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)
> > at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1478)
> > at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:499)
> > at
org.ops4j.pax.web.service.jetty.internal.HttpServiceServletHandler.doHandle(HttpServiceServletHandler.java:69)
> > at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:137)
> > at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:557)
> > at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:231)
> > at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1086)
> > at org.ops4j.pax.web.service.jetty.internal.HttpServiceContext.doHandle(HttpServiceContext.java:240)
> > at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:427)
> > at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:193)
> > at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1020)
> > at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:135)
> > at
> org.ops4j.pax.web.service.jetty.internal.JettyServerHandlerCollection.handle(JettyServerHandlerCollection.java:75)
> > at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:116)
> > at org.eclipse.jetty.server.Server.handle(Server.java:370)
> > at org.eclipse.jetty.server.AbstractHttpConnection.handleRequest(AbstractHttpConnection.java:494)
> > at org.eclipse.jetty.server.AbstractHttpConnection.headerComplete(AbstractHttpConnection.java:973)
> > at
> org.eclipse.jetty.server.AbstractHttpConnection$RequestHandler.headerComplete(AbstractHttpConnection.java:1035)
> > at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:641)
> > at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:231)
> > at org.eclipse.jetty.server.AsyncHttpConnection.handle(AsyncHttpConnection.java:82)
> > at org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEndPoint.java:696)
> > at org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEndPoint.java:53)
> > at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:608)
> > at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:543)
> > at java.lang.Thread.run(Thread.java:745)
> >
> >
> >
> >
> >
> >> On Apr 26, 2017, at 12:50 PM, Mohamed ElSerngawy <melserngawy@...> wrote:
> >>
> >> Hi Colin,
> >>
> >> You are not supposed to use them after the changes that we made in the patch. Basically these functionalities were
> there because the keystores need to be generated after starting ODL. But now, the keystore will be created once
> you install the aaa-cert feature. Keeping these functionalities could make a serious security threat.
> >>
> >> BR
> >>
> >> On Wed, Apr 26, 2017 at 3:40 PM, Colin Dixon <colin@...> wrote:
> >> Putting the argument about what should go in an SR aside for the moment, is there a straightforward way to access
> the functionality that was provided by the removed commands? Specifically gen-odl-ks and gen-trust-ks?
> >>
> >> --Colin
> >>
> >> On Wed, Apr 26, 2017 at 3:15 PM Ryan Goulding <ryandgoulding@...> wrote:
> >> which is probably not in the spirit of SRs
> >>
> >> This was done for both usability and security purposes, as I explained via Skype already. The security advantages
> alone make it justifiable IMHO.
> >>
> >> While we're somewhat less strict about adding features in SRs. Taking them out without a lot of warning and
> notice is pretty much the definition of what we try to never do in SRs.
> >>
> >> This isn't a feature, it is CLI.
> >>
> >> This patch seems to be the issue:
> >> https://git.opendaylight.org/gerrit/#/c/51649/
> >>
> >> Yes, if you look at the bug actually, a member from your team commented on it [0] so I'd argue that it was at
> least somewhat well known ;). Reverting it shouldn't be particularly hard, but it could open you up to some
> security issues in your downstream distro!
> >>
> >> Regards,
> >>
> >> Ryan Goulding
> >>
> >> [0] https://bugs.opendaylight.org/show_bug.cgi?id=7774
> >>
> >> On Wed, Apr 26, 2017 at 3:03 PM, Colin Dixon <colin@...> wrote:
> >> So, in some downstream testing at Brocade we found that the AAA CLI commands were changed somewhat drastically
> between Boron-SR2 and Boron-SR3, which is probably not in the spirit of SRs. While we're somewhat less strict about
> adding features in SRs. Taking them out without a lot of warning and notice is pretty much the definition of what we
> try to never do in SRs.
> >>
> >> That being said, we're trying to make the best of it and looking for help in understanding how to get the
> functionality we rely on from AAA back in Boron-SR3.
> >>
> >> This patch seems to be the issue:
> >> https://git.opendaylight.org/gerrit/#/c/51649/
> >>
> >> Is there somebody that can comment on how we might recover the functionality that used to be provided by the
> gen-odl-ks and gen-trust-ks CLI commands? Would simply reverting that patch work or would it break other things as well?
> >>
> >> Thanks,
> >> --Colin
> >>
> >>
> >>
> >>
> >>
> >
> >
>
>
>
>
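
Checks a CSIT step could run around the calls in this thread, as an added example that is not part of any message here and is not the project's code: confirm a user payload's domainid against the GET /auth/v1/domains listing before POSTing, and reduce a Jetty 500 page to its exception and top frame. The function names are made up for illustration, and the sample bodies are constructed from the output quoted in the thread.

```python
import json
import re

# Constructed sample: the listing returned by GET /auth/v1/domains in the thread.
DOMAINS_JSON = '''{"domains": [
  {"description": "default odl sdn domain", "domainid": "sdn", "enabled": true, "name": "sdn"},
  {"description": "planetary domain", "domainid": "Alderaan-2017-04-12-17-31",
   "enabled": true, "name": "Alderaan-2017-04-12-17-31"},
  {"description": "BeerClubAficionado", "domainid": "RyanRocks", "enabled": true, "name": "RyanRocks"}
]}'''

# Constructed sample: the error body quoted in the thread, up to the <snip>.
ERROR_HTML = '''<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"/>
<title>Error 500 Server Error</title>
</head>
<body><h2>HTTP ERROR 500</h2>
<p>Problem accessing /auth/v1/users. Reason:
<pre> Server Error</pre></p><h3>Caused by:</h3><pre>java.lang.NullPointerException
at org.opendaylight.aaa.idm.rest.UserHandler.createUser(UserHandler.java:199)
'''


def known_domain_ids(listing_json):
    """Return the set of domainid values the server reports."""
    listing = json.loads(listing_json)
    return {d["domainid"] for d in listing.get("domains", [])}


def check_created_domain(requested, response):
    """Warn when the server stored a different domainid than the one sent."""
    asked, got = requested.get("domainid"), response.get("domainid")
    if asked is not None and asked != got:
        return ["requested domainid %r, server assigned %r; use the assigned value"
                % (asked, got)]
    return []


def preflight_user(payload, listing_json):
    """Return a list of problems with a user payload; empty means the domainid is listed.

    An empty result does not guarantee the POST succeeds: the thread's second
    attempt used a listed domainid and still got the 500.
    """
    domainid = payload.get("domainid")
    if not domainid:
        return ["payload has no domainid"]
    known = known_domain_ids(listing_json)
    if domainid not in known:
        return ["domainid %r is not in the listing; known: %s"
                % (domainid, ", ".join(sorted(known)))]
    return []


_STATUS = re.compile(r"HTTP ERROR (\d{3})")
_PATH = re.compile(r"Problem accessing (\S+?)\. Reason:")
_CAUSE = re.compile(r"Caused by:</h3>\s*<pre>\s*([\w.$]+)")
_FRAME = re.compile(r"^\s*at\s+([\w.$<>]+)\(([^)]*)\)", re.M)


def summarize_error_page(body):
    """Extract status, path, exception and top stack frame from a Jetty error page.

    Returns None when the body is not a Jetty error page (for example JSON).
    """
    status = _STATUS.search(body)
    if status is None:
        return None
    path, cause, frame = _PATH.search(body), _CAUSE.search(body), _FRAME.search(body)
    return {
        "status": int(status.group(1)),
        "path": path.group(1) if path else None,
        "exception": cause.group(1) if cause else None,
        "top_frame": frame.group(1) if frame else None,
        "location": frame.group(2) if frame else None,
    }


if __name__ == "__main__":
    create_req = {"description": "BeerClubAficionado", "domainid": "96",
                  "name": "RyanRocks", "enabled": "true"}
    create_resp = {"domainid": "RyanRocks", "name": "RyanRocks",
                   "description": "BeerClubAficionado", "enabled": True}
    print(check_created_domain(create_req, create_resp))

    user = {"description": "The Man", "name": "Goulding", "enabled": "true", "domainid": "96"}
    print(preflight_user(user, DOMAINS_JSON))
    print(summarize_error_page(ERROR_HTML))
```
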


Ryan Goulding <ryandgoulding@...>
 

It's either going to be the default one (sdn) or one you created.  You can find out which ones exist by:

ryan@ubuntu:/code/aaa-nitrogen/karaf/target/assembly$ python bin/idmtool admin list-domains
Password:
list_domains

command succeeded!

json:
{
    "domains": [
        {
            "description": "default odl sdn domain",
            "domainid": "sdn",
            "enabled": true,
            "name": "sdn"
        }
    ]
}
ryan@ubuntu:/code/aaa-nitrogen/karaf/target/assembly$

Note:  it will be python etc/idmtool in Carbon since we didn't get that bug fix in in time.

OR:

curl -u "admin:admin" http://$ODL:8181/auth/v1/domains | python -m json.tool

if you are using raw REST

Regards,

Ryan Goulding

On Thu, May 4, 2017 at 3:53 PM, Jamo Luhrsen <jluhrsen@...> wrote:
so, when creating a domain you have to use a domain id that already exists? where do I find
that domainid?

JamO

On 05/04/2017 12:51 PM, Ryan Goulding wrote:
> The domain id "96" does not exist.  Probably should be a better error message, but you need to use a domain that exists or
> you will get internal server error.
>
> Regards,
>
> Ryan Goulding
>
> On Thu, Apr 27, 2017 at 5:36 PM, Jamo Luhrsen <jluhrsen@...> wrote:
>
>     (subject changed)
>
>     On 04/27/2017 06:34 AM, Ryan Goulding wrote:
>     > The stuff you are referring to works, JamO, and is completely orthogonal to the issue Luis reports.  If you paste the exact
>     > REST call I can assist.  Also, if you are curious how to use those endpoints, refer to idmtool.py, which just wraps that
>     > interface.  I just tested this morning.
>
>     yeah, if you can help me get it right I'll fix the CSIT. Still, I don't expect a 500/NPE
>     from AAA, so should that be a bug on its own?
>
>     here's kind of my repro, if you can help me know what's wrong:
>
>     # Create a Domain
>
>     14:28 $ curl -u "admin:admin" -X POST -d '{"description":"BeerClubAficionado","domainid":"96","name":"RyanRocks","enabled":"true"}' -H "Content-Type: application/json" http://$ODL:8181/auth/v1/domains
>
>     {"domainid":"RyanRocks","name":"RyanRocks","description":"BeerClubAficionado","enabled":true}
>
>
>
>     # Look at domains (question: why is domainid==name, when I gave a '96' in the create?)
>
>
>     14:30 $ curl -u "admin:admin" http://$ODL:8181/auth/v1/domains | python -m json.tool
>     {
>         "domains": [
>             {
>                 "description": "default odl sdn domain",
>                 "domainid": "sdn",
>                 "enabled": true,
>                 "name": "sdn"
>             },
>             {
>                 "description": "planetary domain",
>                 "domainid": "Alderaan-2017-04-12-17-31",
>                 "enabled": true,
>                 "name": "Alderaan-2017-04-12-17-31"
>             },
>             {
>                 "description": "BeerClubAficionado",
>                 "domainid": "RyanRocks",
>                 "enabled": true,
>                 "name": "RyanRocks"
>             }
>         ]
>     }
>
>
>
>     # add a user to this new domain
>     # first try is using domainid = 96, but get 500/NPE
>     # second try uses domainid = $name, but also get 500/NPE
>
>     ✔ ~
>     14:30 $ curl -u "admin:admin" -X POST -d '{"description":"The Man","name":"Goulding","enabled":"true","domainid":"96"}' -H "Content-Type: application/json" http://$ODL:8181/auth/v1/users
>     <html>
>     <head>
>     <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"/>
>     <title>Error 500 Server Error</title>
>     </head>
>     <body><h2>HTTP ERROR 500</h2>
>     <p>Problem accessing /auth/v1/users. Reason:
>     <pre>    Server Error</pre></p><h3>Caused by:</h3><pre>java.lang.NullPointerException
>             at org.opendaylight.aaa.idm.rest.UserHandler.createUser(UserHandler.java:199)
>     ...
>     <snip>
>     ...
>
>
>
>     14:31 $ curl -u "admin:admin" -X POST -d '{"description":"The Man","name":"Goulding","enabled":"true","domainid":"RyanRocks"}' -H "Content-Type: application/json" http://$ODL:8181/auth/v1/users
>     <html>
>     <head>
>     <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"/>
>     <title>Error 500 Server Error</title>
>     </head>
>     <body><h2>HTTP ERROR 500</h2>
>     <p>Problem accessing /auth/v1/users. Reason:
>     <pre>    Server Error</pre></p><h3>Caused by:</h3><pre>java.lang.NullPointerException
>             at org.opendaylight.aaa.idm.rest.UserHandler.createUser(UserHandler.java:199)
>
>     ...
>     <snip>
>     ...
>
>
>     Thanks,
>     JamO
>
>
>
>     >     1) it does not work in Boron, I get 500 Server error + NPE [1] when I try: POST
>     >     /restconf/operations/aaa-cert-rpc:getODLCertificate
>     >
>     > I'll give it a shot and see what I get.
>     >
>     >     Do we have an idea of what the implications of just reverting that one patch are? Is it likely to work?
>     >
>     >
>     > So far we haven't demonstrated that the patch does anything negative except deprecate some unsafe commands.  Although revert
>     > may probably be easiest from your perspective, there are a lot of people who actually push their tests upstream and avoid
>     > this type of skew.  Let's not start a witch hunt quite yet;  I can pull up quite a few examples of far more risque changes in
>     > service releases ;).
>     >
>     > Regards,
>     >
>     > Ryan Goulding
>     >
>     > On Thu, Apr 27, 2017 at 9:11 AM, Colin Dixon <colin@...> wrote:
>     >
>     >     Do we have an idea of what the implications of just reverting that one patch are? Is it likely to work?
>     >
>     >     --Colin
>     >
>     >     On Wed, Apr 26, 2017 at 11:11 PM Jamo Luhrsen <jluhrsen@...> wrote:
>     >
>     >         btw, I was also trying to help get a broken AAA CSIT job working and ran into some
>     >         troubles with similar symptoms [0] to what Luis is reporting (500/NPE). Luis is playing with
>     >         cert stuff, and my work was in user/domain auth.
>     >
>     >         anyway, wondering if something fundamental is broken?
>     >
>     >         JamO
>     >
>     >         [0] https://lists.opendaylight.org/pipermail/aaa-dev/2017-April/001280.html
>     >
>     >
>     >
>     >         On 04/26/2017 06:21 PM, Luis Gomez wrote:
>     >         > hi guys, I just tested old-aaa-cert feature and couple of things:
>     >         >
>     >         > 1) it does not work in Boron, I get 500 Server error + NPE [1] when I try: POST
>     >         /restconf/operations/aaa-cert-rpc:getODLCertificate
>     >         >
>     >         > 2) When I try in carbon I see 2 store files: ctl.jks, truststore.jks are created under ~/temp folder. Is it
>     >         possible to change the path for these files?
>     >         >
>     >         >
>     >         > [1] NPE
>     >         >
>     >         > <html>
>     >         >     <head>
>     >         >         <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"/>
>     >         >         <title>Error 500 Server Error</title>
>     >         >     </head>
>     >         >     <body>
>     >         >         <h2>HTTP ERROR 500</h2>
>     >         >         <p>Problem accessing /restconf/operations/aaa-cert-rpc:getODLCertificate. Reason:
>     >         >
>     >         >             <pre>    Server Error</pre>
>     >         >         </p>
>     >         >         <h3>Caused by:</h3>
>     >         >         <pre>java.lang.NullPointerException
>     >         >       at org.opendaylight.aaa.cert.impl.AaaCertRpcServiceImpl.getODLCertificate(AaaCertRpcServiceImpl.java:92)
>     >         >
>     >         >> On Apr 26, 2017, at 12:50 PM, Mohamed ElSerngawy <melserngawy@...> wrote:
>     >         >>
>     >         >> Hi Colin,
>     >         >>
>     >         >> You are not supposed to use them after the changes that we made in the patch. Basically these functionalities were
>     >         >> there because the keystores need to be generated after starting ODL. But now, the keystore will be created once
>     >         >> you install the aaa-cert feature. Keeping these functionalities could make a serious security threat.
>     >         >>
>     >         >> BR
>     >         >>
>     >         >> On Wed, Apr 26, 2017 at 3:40 PM, Colin Dixon <colin@...> wrote:
>     >         >> Putting the argument about what should go in an SR aside for the moment, is there a straightforward way to access
>     >         >> the functionality that was provided by the removed commands? Specifically gen-odl-ks and gen-trust-ks?
>     >         >>
>     >         >> --Colin
>     >         >>
>     >         >> On Wed, Apr 26, 2017 at 3:15 PM Ryan Goulding <ryandgoulding@...> wrote:
>     >         >> which is probably not in the spirit of SRs
>     >         >>
>     >         >> This was done for both usability and security purposes, as I explained via Skype already.  The security advantages
>     >         >> alone make it justifiable IMHO.
>     >         >>
>     >         >>  While we're somewhat less strict about adding features in SRs. Taking them out without a lot of warning and
>     >         >> notice is pretty much the definition of what we try to never do in SRs.
>     >         >>
>     >         >> This isn't a feature, it is CLI.
>     >         >>
>     >         >>  This patch seems to be the issue:
>     >         >> https://git.opendaylight.org/gerrit/#/c/51649/
>     >         >>
>     >         >> Yes, if you look at the bug actually, a member from your team commented on it [0] so I'd argue that it was at
>     >         >> least somewhat well known ;).  Reverting it shouldn't be particularly hard, but it could open you up to some
>     >         >> security issues in your downstream distro!
>     >         >>
>     >         >> Regards,
>     >         >>
>     >         >> Ryan Goulding
>     >         >>
>     >         >> [0] https://bugs.opendaylight.org/show_bug.cgi?id=7774
>     >         >>
>     >         >> On Wed, Apr 26, 2017 at 3:03 PM, Colin Dixon <colin@...> wrote:
>     >         >> So, in some downstream testing at Brocade we found that the AAA CLI commands were changed somewhat drastically
>     >         >> between Boron-SR2 and Boron-SR3, which is probably not in the spirit of SRs. While we're somewhat less strict about
>     >         >> adding features in SRs. Taking them out without a lot of warning and notice is pretty much the definition of what we
>     >         >> try to never do in SRs.
>     >         >>
>     >         >> That being said, we're trying to make the best of it and looking for help in understanding how to get the
>     >         >> functionality we rely on from AAA back in Boron-SR3.
>     >         >>
>     >         >> This patch seems to be the issue:
>     >         >> https://git.opendaylight.org/gerrit/#/c/51649/
>     >         >>
>     >         >> Is there somebody that can comment on how we might recover the functionality that used to be provided by the
>     >         >> gen-odl-ks and gen-trust-ks CLI commands? Would simply reverting that patch work or would it break other things as well?
>     >         >>
>     >         >> Thanks,
>     >         >> --Colin
>     >         >>
>     >         >>
>     >         >> _______________________________________________
>     >         >> aaa-dev mailing list
>     >         >> aaa-dev@...
>     >         >> https://lists.opendaylight.org/mailman/listinfo/aaa-dev

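The diagnosis reached in this thread (a user-create POST naming a domainid the server does not list ends in a 500 whose HTML body carries a Java stack trace) can be checked from the client side of a test. The following is an added example, not code from the thread or from the AAA project: the helper names `listed_domain_ids`, `check_user_payload` and `inspect_error_body` are hypothetical, and the sample JSON and error body are constructed from the responses quoted in the thread.

```python
import json
import re

# Constructed sample, shaped like the GET /auth/v1/domains output quoted in the thread.
SAMPLE_DOMAINS = json.loads("""
{"domains": [
  {"description": "default odl sdn domain", "domainid": "sdn",
   "enabled": true, "name": "sdn"},
  {"description": "BeerClubAficionado", "domainid": "RyanRocks",
   "enabled": true, "name": "RyanRocks"}
]}
""")

# Constructed sample: shortened copy of the HTML 500 body quoted in the thread.
SAMPLE_500_BODY = (
    "<html><head><title>Error 500 Server Error</title></head>\n"
    "<body><h2>HTTP ERROR 500</h2><h3>Caused by:</h3>"
    "<pre>java.lang.NullPointerException\n"
    "\tat org.opendaylight.aaa.idm.rest.UserHandler.createUser(UserHandler.java:199)\n"
    "</pre></body></html>"
)

# Fully qualified Java exception or error class name (package.Class...Exception).
_EXCEPTION = re.compile(r"\b((?:[a-z_]\w*\.)+[A-Z]\w*(?:Exception|Error))\b")
# One stack frame line: "at package.Class.method(File.java:NN)".
_FRAME = re.compile(r"^\s*at\s+([\w.$]+)\.([\w$<>]+)\([^()]*\)", re.MULTILINE)


def listed_domain_ids(domains_response):
    """Return the set of domainid values from a /auth/v1/domains response."""
    domains = domains_response.get("domains") if isinstance(domains_response, dict) else None
    if not isinstance(domains, list):
        raise ValueError("response has no 'domains' list")
    return {d["domainid"] for d in domains if isinstance(d, dict) and "domainid" in d}


def check_user_payload(payload, domains_response):
    """List reasons not to send this user-create payload; an empty list means none found.

    Only checks what the thread establishes: the domainid must be one the server
    lists. A payload that passes can still be rejected by the server for other reasons.
    """
    problems = []
    known = listed_domain_ids(domains_response)
    domainid = payload.get("domainid")
    if not isinstance(domainid, str) or not domainid:
        problems.append("domainid is missing or not a non-empty string")
    elif domainid not in known:
        problems.append(
            "domainid %r is not listed by the server; listed: %s"
            % (domainid, ", ".join(sorted(known)))
        )
    name = payload.get("name")
    if not isinstance(name, str) or not name:
        problems.append("name is missing or not a non-empty string")
    return problems


def inspect_error_body(status, body):
    """Summarise an error response: is it a server fault, and does it expose internals?"""
    exc = _EXCEPTION.search(body)
    frame = _FRAME.search(body)
    return {
        "server_fault": status >= 500,
        "exception": exc.group(1) if exc else None,
        "top_frame": "%s.%s" % (frame.group(1), frame.group(2)) if frame else None,
        "leaks_stack_trace": bool(exc or frame),
    }


if __name__ == "__main__":
    # The first attempt from the thread: domainid "96" is not in the listed domains.
    first_try = {"description": "The Man", "name": "Goulding",
                 "enabled": "true", "domainid": "96"}
    print(check_user_payload(first_try, SAMPLE_DOMAINS))
    print(inspect_error_body(500, SAMPLE_500_BODY))
```

A test suite can assert that `leaks_stack_trace` is false for every error response, which turns the "should be a better error message" remark into a regression check.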

Ryan Goulding <ryandgoulding@...>
 

I will also note that it is not entirely useful at the moment to derive multiple tenants.  This was an aspect of the data model that original contributors added, but never quite put their heads around.  We have kept it for compatibility purposes, but just recommend using "sdn".  I.e., network segmentation over RESTCONF is something that you are better off using "roles" for instead of "tenants".  In nitrogen, we hope to improve this OOB.  Right now, the only difference will primarily be in logging for tenants.  Not particularly great but wasn't a priority to fix in the past.

Regards,

Ryan Goulding

On Thu, May 4, 2017 at 4:00 PM, Ryan Goulding <ryandgoulding@...> wrote:
It's either going to be the default one (sdn) or one you created.  You can find out which ones exist by:

ryan@ubuntu:/code/aaa-nitrogen/karaf/target/assembly$ python bin/idmtool admin list-domains
Password:
list_domains

command succeeded!

json:
{
    "domains": [
        {
            "description": "default odl sdn domain",
            "domainid": "sdn",
            "enabled": true,
            "name": "sdn"
        }
    ]
}
ryan@ubuntu:/code/aaa-nitrogen/karaf/target/assembly$

Note:  it will be python etc/idmtool in Carbon since we didn't get that bug fix in in time.

OR:

curl -u "admin:admin" http://$ODL:8181/auth/v1/domains | python -m json.tool

if you are using raw REST

Regards,

Ryan Goulding

On Thu, May 4, 2017 at 3:53 PM, Jamo Luhrsen <jluhrsen@...> wrote:
so, when creating a domain you have to use a domain id that already exists? where do I find
that domainid?

JamO

On 05/04/2017 12:51 PM, Ryan Goulding wrote:
> The domain id "96" does not exist.  Probably should be a better error message, but you need to use a domain that exists or
> you will get internal server error.
>
> Regards,
>
> Ryan Goulding
>
> On Thu, Apr 27, 2017 at 5:36 PM, Jamo Luhrsen <jluhrsen@...> wrote:
>
>     (subject changed)
>
>     On 04/27/2017 06:34 AM, Ryan Goulding wrote:
>     > The stuff you are referring to works, JamO, and is completely orthogonal to the issue Luis reports.  If you paste the exact
>     > REST call I can assist.  Also, if you are curious how to use those endpoints, refer to idmtool.py, which just wraps that
>     > interface.  I just tested this morning.
>
>     yeah, if you can help me get it right I'll fix the CSIT. Still, I don't expect a 500/NPE
>     from AAA, so should that be a bug on its own?
>
>     here's kind of my repro, if you can help me know what's wrong:
>
>     # Create a Domain
>
>     14:28 $ curl -u "admin:admin" -X POST -d '{"description":"BeerClubAficionado","domainid":"96","name":"RyanRocks","enabled":"true"}' -H "Content-Type: application/json" http://$ODL:8181/auth/v1/domains
>
>     {"domainid":"RyanRocks","name":"RyanRocks","description":"BeerClubAficionado","enabled":true}
>
>
>
>     # Look at domains (question: why is domainid==name, when I gave a '96' in the create?)
>
>
>     14:30 $ curl -u "admin:admin" http://$ODL:8181/auth/v1/domains | python -m json.tool
>     {
>         "domains": [
>             {
>                 "description": "default odl sdn domain",
>                 "domainid": "sdn",
>                 "enabled": true,
>                 "name": "sdn"
>             },
>             {
>                 "description": "planetary domain",
>                 "domainid": "Alderaan-2017-04-12-17-31",
>                 "enabled": true,
>                 "name": "Alderaan-2017-04-12-17-31"
>             },
>             {
>                 "description": "BeerClubAficionado",
>                 "domainid": "RyanRocks",
>                 "enabled": true,
>                 "name": "RyanRocks"
>             }
>         ]
>     }
>
>
>
>     # add a user to this new domain
>     # first try is using domainid = 96, but get 500/NPE
>     # second try uses domainid = $name, but also get 500/NPE
>
>     ✔ ~
>     14:30 $ curl -u "admin:admin" -X POST -d '{"description":"The Man","name":"Goulding","enabled":"true","domainid":"96"}' -H "Content-Type: application/json" http://$ODL:8181/auth/v1/users
>     <html>
>     <head>
>     <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"/>
>     <title>Error 500 Server Error</title>
>     </head>
>     <body><h2>HTTP ERROR 500</h2>
>     <p>Problem accessing /auth/v1/users. Reason:
>     <pre>    Server Error</pre></p><h3>Caused by:</h3><pre>java.lang.NullPointerException
>             at org.opendaylight.aaa.idm.rest.UserHandler.createUser(UserHandler.java:199)
>     ...
>     <snip>
>     ...
>
>
>
>     14:31 $ curl -u "admin:admin" -X POST -d '{"description":"The Man","name":"Goulding","enabled":"true","domainid":"RyanRocks"}' -H "Content-Type: application/json" http://$ODL:8181/auth/v1/users
>     <html>
>     <head>
>     <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"/>
>     <title>Error 500 Server Error</title>
>     </head>
>     <body><h2>HTTP ERROR 500</h2>
>     <p>Problem accessing /auth/v1/users. Reason:
>     <pre>    Server Error</pre></p><h3>Caused by:</h3><pre>java.lang.NullPointerException
>             at org.opendaylight.aaa.idm.rest.UserHandler.createUser(UserHandler.java:199)
>
>     ...
>     <snip>
>     ...
>
>
>     Thanks,
>     JamO
>
>
>
>     >     1) it does not work in Boron, I get 500 Server error + NPE [1] when I try: POST
>     >     /restconf/operations/aaa-cert-rpc:getODLCertificate
>     >
>     > I'll give it a shot and see what I get.
>     >
>     >     Do we have an idea of what the implications of just reverting that one patch are? Is it likely to work?
>     >
>     >
>     > So far we haven't demonstrated that the patch does anything negative except deprecate some unsafe commands.  Although revert
>     > may probably be easiest from your perspective, there are a lot of people who actually push their tests upstream and avoid
>     > this type of skew.  Let's not start a witch hunt quite yet;  I can pull up quite a few examples of far more risque changes in
>     > service releases ;).
>     >
>     > Regards,
>     >
>     > Ryan Goulding
>     >
>     > On Thu, Apr 27, 2017 at 9:11 AM, Colin Dixon <colin@...> wrote:
>     >
>     >     Do we have an idea of what the implications of just reverting that one patch are? Is it likely to work?
>     >
>     >     --Colin
>     >
>     >     On Wed, Apr 26, 2017 at 11:11 PM Jamo Luhrsen <jluhrsen@...> wrote:
>     >
>     >         btw, I was also trying to help get a broken AAA CSIT job working and ran in to some
>     >         troubles similar symptoms [0] to what Luis is reporting (500/NPE). Luis is playing with
>     >         cert stuff, and my work was in user/domain auth.
>     >
>     >         anyway, wondering if something fundamental is broken?
>     >
>     >         JamO
>     >
>     >         [0] https://lists.opendaylight.org/pipermail/aaa-dev/2017-April/001280.html
>     >
>     >
>     >
>     >         On 04/26/2017 06:21 PM, Luis Gomez wrote:
>     >         > hi guys, I just tested old-aaa-cert feature and couple of things:
>     >         >
>     >         > 1) it does not work in Boron, I get 500 Server error + NPE [1] when I try: POST /restconf/operations/aaa-cert-rpc:getODLCertificate
>     >         >
>     >         > 2) When I try in carbon I see 2 store files: ctl.jks, truststore.jks are created under ~/temp folder. Is it possible to change the path for these files?
>     >         >
>     >         >
>     >         > [1] NPE
>     >         >
>     >         > <html>
>     >         >     <head>
>     >         >         <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"/>
>     >         >         <title>Error 500 Server Error</title>
>     >         >     </head>
>     >         >     <body>
>     >         >         <h2>HTTP ERROR 500</h2>
>     >         >         <p>Problem accessing /restconf/operations/aaa-cert-rpc:getODLCertificate. Reason:
>     >         >
>     >         >             <pre>    Server Error</pre>
>     >         >         </p>
>     >         >         <h3>Caused by:</h3>
>     >         >         <pre>java.lang.NullPointerException
>     >         >       at org.opendaylight.aaa.cert.impl.AaaCertRpcServiceImpl.getODLCertificate(AaaCertRpcServiceImpl.java:92)
>     >         >       at
>     >
>      org.opendaylight.yangtools.yang.binding.util.RpcMethodInvokerWithoutInput.invokeOn(RpcMethodInvokerWithoutInput.java:30)
>     >         >       at
>     >         org.opendaylight.yangtools.yang.binding.util.AbstractMappedRpcInvoker.invokeRpc(AbstractMappedRpcInvoker.java:52)
>     >         >       at
>     >
>      org.opendaylight.controller.md.sal.binding.impl.BindingDOMRpcImplementationAdapter.invoke(BindingDOMRpcImplementationAdapter.java:85)
>     >         >       at
>     >
>      org.opendaylight.controller.md.sal.binding.impl.BindingDOMRpcImplementationAdapter.invokeRpc(BindingDOMRpcImplementationAdapter.java:72)
>     >         >       at
>     >
>      org.opendaylight.controller.md.sal.dom.broker.impl.GlobalDOMRpcRoutingTableEntry.invokeRpc(GlobalDOMRpcRoutingTableEntry.java:39)
>     >         >       at
>     org.opendaylight.controller.md.sal.dom.broker.impl.DOMRpcRoutingTable.invokeRpc(DOMRpcRoutingTable.java:177)
>     >         >       at org.opendaylight.controller.md.sal.dom.broker.impl.DOMRpcRouter.invokeRpc(DOMRpcRouter.java:102)
>     >         >       at Proxye69c1788_e30d_4fd8_8d29_f7f08932a9e7.invokeRpc(Unknown Source)
>     >         >       at org.opendaylight.netconf.sal.restconf.impl.BrokerFacade.invokeRpc(BrokerFacade.java:506)
>     >         >       at org.opendaylight.netconf.sal.restconf.impl.RestconfImpl.invokeRpc(RestconfImpl.java:464)
>     >         >       at
>     >
>      org.opendaylight.netconf.sal.restconf.impl.StatisticsRestconfServiceWrapper.invokeRpc(StatisticsRestconfServiceWrapper.java:83)
>     >         >       at
>     org.opendaylight.netconf.sal.rest.impl.RestconfCompositeWrapper.invokeRpc(RestconfCompositeWrapper.java:64)
>     >         >       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>     >         >       at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>     >         >       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>     >         >       at java.lang.reflect.Method.invoke(Method.java:498)
>     >         >       at com.sun.jersey.spi.container.JavaMethodInvokerFactory$1.invoke(JavaMethodInvokerFactory.java:60)
>     >         >       at
>     >
>      com.sun.jersey.server.impl.model.method.dispatch.AbstractResourceMethodDispatchProvider$TypeOutInvoker._dispatch(AbstractResourceMethodDispatchProvider.java:185)
>     >         >       at
>     >
>      com.sun.jersey.server.impl.model.method.dispatch.ResourceJavaMethodDispatcher.dispatch(ResourceJavaMethodDispatcher.java:75)
>     >         >       at com.sun.jersey.server.impl.uri.rules.HttpMethodRule.accept(HttpMethodRule.java:302)
>     >         >       at com.sun.jersey.server.impl.uri.rules.RightHandPathRule.accept(RightHandPathRule.java:147)
>     >         >       at com.sun.jersey.server.impl.uri.rules.ResourceObjectRule.accept(ResourceObjectRule.java:100)
>     >         >       at com.sun.jersey.server.impl.uri.rules.RightHandPathRule.accept(RightHandPathRule.java:147)
>     >         >       at com.sun.jersey.server.impl.uri.rules.RootResourceClassesRule.accept(RootResourceClassesRule.java:84)
>     >         >       at com.sun.jersey.server.impl.application.WebApplicationImpl._handleRequest(WebApplicationImpl.java:1511)
>     >         >       at com.sun.jersey.server.impl.application.WebApplicationImpl._handleRequest(WebApplicationImpl.java:1442)
>     >         >       at com.sun.jersey.server.impl.application.WebApplicationImpl.handleRequest(WebApplicationImpl.java:1391)
>     >         >       at com.sun.jersey.server.impl.application.WebApplicationImpl.handleRequest(WebApplicationImpl.java:1381)
>     >         >       at com.sun.jersey.spi.container.servlet.WebComponent.service(WebComponent.java:416)
>     >         >       at com.sun.jersey.spi.container.servlet.ServletContainer.service(ServletContainer.java:538)
>     >         >       at com.sun.jersey.spi.container.servlet.ServletContainer.service(ServletContainer.java:716)
>     >         >       at javax.servlet.http.HttpServlet.service(HttpServlet.java:668)
>     >         >       at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:684)
>     >         >       at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1507)
>     >         >       at org.eclipse.jetty.servlets.CrossOriginFilter.handle(CrossOriginFilter.java:247)
>     >         >       at org.eclipse.jetty.servlets.CrossOriginFilter.doFilter(CrossOriginFilter.java:210)
>     >         >       at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1478)
>     >         >       at org.eclipse.jetty.servlets.UserAgentFilter.doFilter(UserAgentFilter.java:82)
>     >         >       at org.eclipse.jetty.servlets.GzipFilter.doFilter(GzipFilter.java:256)
>     >         >       at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1478)
>     >         >       at org.opendaylight.aaa.filterchain.filters.CustomFilterAdapter.doFilter(CustomFilterAdapter.java:85)
>     >         >       at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1478)
>     >         >       at org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:61)
>     >         >       at org.apache.shiro.web.servlet.AdviceFilter.executeChain(AdviceFilter.java:108)
>     >         >       at org.apache.shiro.web.servlet.AdviceFilter.doFilterInternal(AdviceFilter.java:137)
>     >         >       at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)
>     >         >       at org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:66)
>     >         >       at org.apache.shiro.web.servlet.AdviceFilter.executeChain(AdviceFilter.java:108)
>     >         >       at org.apache.shiro.web.servlet.AdviceFilter.doFilterInternal(AdviceFilter.java:137)
>     >         >       at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)
>     >         >       at org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:66)
>     >         >       at org.apache.shiro.web.servlet.AbstractShiroFilter.executeChain(AbstractShiroFilter.java:449)
>     >         >       at org.apache.shiro.web.servlet.AbstractShiroFilter$1.call(AbstractShiroFilter.java:365)
>     >         >       at org.apache.shiro.subject.support.SubjectCallable.doCall(SubjectCallable.java:90)
>     >         >       at org.apache.shiro.subject.support.SubjectCallable.call(SubjectCallable.java:83)
>     >         >       at org.apache.shiro.subject.support.DelegatingSubject.execute(DelegatingSubject.java:383)
>     >         >       at org.apache.shiro.web.servlet.AbstractShiroFilter.doFilterInternal(AbstractShiroFilter.java:362)
>     >         >       at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)
>     >         >       at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1478)
>     >         >       at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:499)
>     >         >       at org.ops4j.pax.web.service.jetty.internal.HttpServiceServletHandler.doHandle(HttpServiceServletHandler.java:69)
>     >         >       at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:137)
>     >         >       at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:557)
>     >         >       at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:231)
>     >         >       at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1086)
>     >         >       at org.ops4j.pax.web.service.jetty.internal.HttpServiceContext.doHandle(HttpServiceContext.java:240)
>     >         >       at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:427)
>     >         >       at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:193)
>     >         >       at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1020)
>     >         >       at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:135)
>     >         >       at org.ops4j.pax.web.service.jetty.internal.JettyServerHandlerCollection.handle(JettyServerHandlerCollection.java:75)
>     >         >       at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:116)
>     >         >       at org.eclipse.jetty.server.Server.handle(Server.java:370)
>     >         >       at org.eclipse.jetty.server.AbstractHttpConnection.handleRequest(AbstractHttpConnection.java:494)
>     >         >       at org.eclipse.jetty.server.AbstractHttpConnection.headerComplete(AbstractHttpConnection.java:973)
>     >         >       at org.eclipse.jetty.server.AbstractHttpConnection$RequestHandler.headerComplete(AbstractHttpConnection.java:1035)
>     >         >       at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:641)
>     >         >       at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:231)
>     >         >       at org.eclipse.jetty.server.AsyncHttpConnection.handle(AsyncHttpConnection.java:82)
>     >         >       at org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEndPoint.java:696)
>     >         >       at org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEndPoint.java:53)
>     >         >       at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:608)
>     >         >       at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:543)
>     >         >       at java.lang.Thread.run(Thread.java:745)
>     >         >
>     >         >
>     >         >
>     >         >
>     >         >
>     >         >> On Apr 26, 2017, at 12:50 PM, Mohamed ElSerngawy <melserngawy@...> wrote:
>     >         >>
>     >         >> Hi Colin,
>     >         >>
>     >         >> You are not supposed to use them after the changes that we made in the patch. Basically these functionalities were
>     >         >> there because of the keystores need to be generated after starting ODL. But now, the keystore will be created once
>     >         >> you install the aaa-cert feature. Keeping these functionalities could make a serious security threat.
>     >         >>
>     >         >> BR
>     >         >>
>     >         >> On Wed, Apr 26, 2017 at 3:40 PM, Colin Dixon <colin@...> wrote:
>     >         >> Putting the argument about what should go in an SR aside for the moment, is there a straightforward way to access
>     >         >> the functionality that was provided by the removed commands? Specifically gen-odl-ks and gen-trust-ks?
>     >         >>
>     >         >> --Colin
>     >         >>
>     >         >> On Wed, Apr 26, 2017 at 3:15 PM Ryan Goulding <ryandgoulding@...> wrote:
>     >         >> which is probably not in the spirit of SRs
>     >         >>
>     >         >> This was done for both usability and security purposes, as I explained via Skype already.  The security advantages
>     >         >> alone make it justifiable IMHO.
>     >         >>
>     >         >>  While we're somewhat less strict about adding features in SRs. Taking them out without a lot of warning and
>     >         >> notice is pretty much the definition of what we try to never do in SRs.
>     >         >>
>     >         >> This isn't a feature, it is CLI.
>     >         >>
>     >         >>  This patch seems to be the issue:
>     >         >> https://git.opendaylight.org/gerrit/#/c/51649/
>     >         >>
>     >         >> Yes, if you look at the bug actually, a member from your team commented on it [0] so I'd argue that it was at
>     >         >> least somewhat well known ;).  Reverting it shouldn't be particularly hard, but it could open you up to some
>     >         >> security issues in your downstream distro!
>     >         >>
>     >         >> Regards,
>     >         >>
>     >         >> Ryan Goulding
>     >         >>
>     >         >> [0] https://bugs.opendaylight.org/show_bug.cgi?id=7774
>     >         >>
>     >         >> On Wed, Apr 26, 2017 at 3:03 PM, Colin Dixon <colin@...> wrote:
>     >         >> So, in some downstream testing at Brocade we found that the AAA CLI commands were changed somewhat drastically
>     >         >> between Boron-SR2 and Boron-SR3, which is probably not in the spirit of SRs. While we're somewhat less strict about
>     >         >> adding features in SRs. Taking them out without a lot of warning and notice is pretty much the definition of what we
>     >         >> try to never do in SRs.
>     >         >>
>     >         >> That being said, we're trying to make the best of it and looking for help in understanding how to get the
>     >         >> functionality we rely on from AAA back in Boron-SR3.
>     >         >>
>     >         >> This patch seems to be the issue:
>     >         >> https://git.opendaylight.org/gerrit/#/c/51649/
>     >         >>
>     >         >> Is there somebody that can comment on how we might recover the functionality that used to be provided by the
>     >         >> gen-odl-ks and gen-trust-ks CLI commands? Would simply reverting that patch work or would it break other things as well?
>     >         >>
>     >         >> Thanks,
>     >         >> --Colin
>     >         >>
>     >         >>
>     >         >> _______________________________________________
>     >         >> aaa-dev mailing list
>     >         >> aaa-dev@...
>     >         >> https://lists.opendaylight.org/mailman/listinfo/aaa-dev
>     >         >>
>     >         >>
>     >         >>
>     >         >
>     >         >
>     >
>     >
>     >
>     >
>
>



Jamo Luhrsen <jluhrsen@...>
 

wait, I get the sense you missed my first step where I did create a domain. I created it
with the domainid 96.

JamO

On 05/04/2017 01:00 PM, Ryan Goulding wrote:
It's either going to be the default one (sdn) or one you created. You can find out which ones exist by:

ryan@ubuntu:/code/aaa-nitrogen/karaf/target/assembly$ python bin/idmtool admin list-domains
Password:
list_domains

command succeeded!

json:
{
"domains": [
{
"description": "default odl sdn domain",
"domainid": "sdn",
"enabled": true,
"name": "sdn"
}
]
}
ryan@ubuntu:/code/aaa-nitrogen/karaf/target/assembly$

*Note: it will be python etc/idmtool in Carbon since we didn't get that bug fix in in time.*
OR:

curl -u "admin:admin" http://$ODL:8181/auth/v1/domains | python -m json.tool

if you are using raw REST

Regards,

Ryan Goulding

On Thu, May 4, 2017 at 3:53 PM, Jamo Luhrsen <jluhrsen@...> wrote:

so, when creating a domain you have to use a domain id that already exists? where do I find
that domainid?

JamO

On 05/04/2017 12:51 PM, Ryan Goulding wrote:
> The domain id "96" does not exist. Probably should be a better error message, but you need to use a domain that exists or
> you will get internal server error.
>
> Regards,
>
> Ryan Goulding
>
> On Thu, Apr 27, 2017 at 5:36 PM, Jamo Luhrsen <jluhrsen@...> wrote:
>
> (subject changed)
>
> On 04/27/2017 06:34 AM, Ryan Goulding wrote:
> > The stuff you are referring to works, JamO, and is completely orthogonal to the issue Luis reports. If you paste the exact
> > REST call I can assist. Also, if you are curious how to use those endpoints, refer to idmtool.py, which just wraps that
> > interface. I just tested this morning.
>
> yeah, if you can help me get it right I'll fix the CSIT. Still, I don't expect a 500/NPE
> from AAA, so should that be a bug on its own?
>
> here's kind of my repro, if you can help me know what's wrong:
>
> # Create a Domain
>
> 14:28 $ curl -u "admin:admin" -X POST -d
> '{"description":"BeerClubAficionado","domainid":"96","name":"RyanRocks","enabled":"true"}' -H "Content-Type:
> application/json" http://$ODL:8181/auth/v1/domains
>
> {"domainid":"RyanRocks","name":"RyanRocks","description":"BeerClubAficionado","enabled":true}
>
>
>
> # Look at domains (question: why is domainid==name, when I gave a '96' in the create?)
>
>
> 14:30 $ curl -u "admin:admin" http://$ODL:8181/auth/v1/domains | python -m json.tool
> {
> "domains": [
> {
> "description": "default odl sdn domain",
> "domainid": "sdn",
> "enabled": true,
> "name": "sdn"
> },
> {
> "description": "planetary domain",
> "domainid": "Alderaan-2017-04-12-17-31",
> "enabled": true,
> "name": "Alderaan-2017-04-12-17-31"
> },
> {
> "description": "BeerClubAficionado",
> "domainid": "RyanRocks",
> "enabled": true,
> "name": "RyanRocks"
> }
> ]
> }
>
>
>
> # add a user to this new domain
> # first try is using domainid = 96, but get 500/NPE
> # second try uses domainid = $name, but also get 500/NPE
>
> ✔ ~
> 14:30 $ curl -u "admin:admin" -X POST -d '{"description":"The Man","name":"Goulding","enabled":"true","domainid":"96"}' -H
> "Content-Type: application/json" http://$ODL:8181/auth/v1/users
> <html>
> <head>
> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"/>
> <title>Error 500 Server Error</title>
> </head>
> <body><h2>HTTP ERROR 500</h2>
> <p>Problem accessing /auth/v1/users. Reason:
> <pre> Server Error</pre></p><h3>Caused by:</h3><pre>java.lang.NullPointerException
> at org.opendaylight.aaa.idm.rest.UserHandler.createUser(UserHandler.java:199)
> ...
> <snip>
> ...
>
>
>
> 14:31 $ curl -u "admin:admin" -X POST -d '{"description":"The Man","name":"Goulding","enabled":"true","domainid":"RyanRocks"}' -H "Content-Type: application/json"
> http://$ODL:8181/auth/v1/users
> <html>
> <head>
> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"/>
> <title>Error 500 Server Error</title>
> </head>
> <body><h2>HTTP ERROR 500</h2>
> <p>Problem accessing /auth/v1/users. Reason:
> <pre> Server Error</pre></p><h3>Caused by:</h3><pre>java.lang.NullPointerException
> at org.opendaylight.aaa.idm.rest.UserHandler.createUser(UserHandler.java:199)
>
> ...
> <snip>
> ...
>
>
> Thanks,
> JamO
>
>
>
> > 1) it does not work in Boron, I get 500 Server error + NPE [1] when I try: POST
> > /restconf/operations/aaa-cert-rpc:getODLCertificate
> >
> > I'll give it a shot and see what I get.
> >
> > Do we have an idea of what the implications of just reverting that one patch are? Is it likely to work?
> >
> >
> > So far we haven't demonstrated that the patch does anything negative except deprecate some unsafe commands. Although revert
> > may probably be easiest from your perspective, there are a lot of people who actually push their tests upstream and avoid
> > this type of skew. Let's not start a witch hunt quite yet; I can pull up quite a few examples of far more risque changes in
> > service releases ;).
> >
> > Regards,
> >
> > Ryan Goulding
> >
> > On Thu, Apr 27, 2017 at 9:11 AM, Colin Dixon <colin@...> wrote:
> >
> > Do we have an idea of what the implications of just reverting that one patch are? Is it likely to work?
> >
> > --Colin
> >
> > On Wed, Apr 26, 2017 at 11:11 PM Jamo Luhrsen <jluhrsen@...> wrote:
> >
> > btw, I was also trying to help get a broken AAA CSIT job working and ran in to some
> > troubles similar symptoms [0] to what Luis is reporting (500/NPE). Luis is playing with
> > cert stuff, and my work was in user/domain auth.
> >
> > anyway, wondering if something fundamental is broken?
> >
> > JamO
> >
> > [0] https://lists.opendaylight.org/pipermail/aaa-dev/2017-April/001280.html
> >
> >
> >
> > On 04/26/2017 06:21 PM, Luis Gomez wrote:
> > > hi guys, I just tested old-aaa-cert feature and couple of things:
> > >
> > > 1) it does not work in Boron, I get 500 Server error + NPE [1] when I try: POST
> > > /restconf/operations/aaa-cert-rpc:getODLCertificate
> > >
> > > 2) When I try in carbon I see 2 store files: ctl.jks, truststore.jks are created under ~/temp folder. Is it
> > > possible to change the path for these files?
> > >
> > >
> > > [1] NPE
> > >
> > > <html>
> > > <head>
> > > <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"/>
> > > <title>Error 500 Server Error</title>
> > > </head>
> > > <body>
> > > <h2>HTTP ERROR 500</h2>
> > > <p>Problem accessing /restconf/operations/aaa-cert-rpc:getODLCertificate. Reason:
> > >
> > > <pre> Server Error</pre>
> > > </p>
> > > <h3>Caused by:</h3>
> > > <pre>java.lang.NullPointerException
> > > at org.opendaylight.aaa.cert.impl.AaaCertRpcServiceImpl.getODLCertificate(AaaCertRpcServiceImpl.java:92)
> > > at org.opendaylight.yangtools.yang.binding.util.RpcMethodInvokerWithoutInput.invokeOn(RpcMethodInvokerWithoutInput.java:30)
> > > at org.opendaylight.yangtools.yang.binding.util.AbstractMappedRpcInvoker.invokeRpc(AbstractMappedRpcInvoker.java:52)
> > > at org.opendaylight.controller.md.sal.binding.impl.BindingDOMRpcImplementationAdapter.invoke(BindingDOMRpcImplementationAdapter.java:85)
> > > at org.opendaylight.controller.md.sal.binding.impl.BindingDOMRpcImplementationAdapter.invokeRpc(BindingDOMRpcImplementationAdapter.java:72)
> > > at org.opendaylight.controller.md.sal.dom.broker.impl.GlobalDOMRpcRoutingTableEntry.invokeRpc(GlobalDOMRpcRoutingTableEntry.java:39)
> > > at org.opendaylight.controller.md.sal.dom.broker.impl.DOMRpcRoutingTable.invokeRpc(DOMRpcRoutingTable.java:177)
> > > at org.opendaylight.controller.md.sal.dom.broker.impl.DOMRpcRouter.invokeRpc(DOMRpcRouter.java:102)
> > > at Proxye69c1788_e30d_4fd8_8d29_f7f08932a9e7.invokeRpc(Unknown Source)
> > > at org.opendaylight.netconf.sal.restconf.impl.BrokerFacade.invokeRpc(BrokerFacade.java:506)
> > > at org.opendaylight.netconf.sal.restconf.impl.RestconfImpl.invokeRpc(RestconfImpl.java:464)
> > > at org.opendaylight.netconf.sal.restconf.impl.StatisticsRestconfServiceWrapper.invokeRpc(StatisticsRestconfServiceWrapper.java:83)
> > > at org.opendaylight.netconf.sal.rest.impl.RestconfCompositeWrapper.invokeRpc(RestconfCompositeWrapper.java:64)
> > > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> > > at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> > > at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> > > at java.lang.reflect.Method.invoke(Method.java:498)
> > > at com.sun.jersey.spi.container.JavaMethodInvokerFactory$1.invoke(JavaMethodInvokerFactory.java:60)
> > > at com.sun.jersey.server.impl.model.method.dispatch.AbstractResourceMethodDispatchProvider$TypeOutInvoker._dispatch(AbstractResourceMethodDispatchProvider.java:185)
> > > at com.sun.jersey.server.impl.model.method.dispatch.ResourceJavaMethodDispatcher.dispatch(ResourceJavaMethodDispatcher.java:75)
> > > at com.sun.jersey.server.impl.uri.rules.HttpMethodRule.accept(HttpMethodRule.java:302)
> > > at com.sun.jersey.server.impl.uri.rules.RightHandPathRule.accept(RightHandPathRule.java:147)
> > > at com.sun.jersey.server.impl.uri.rules.ResourceObjectRule.accept(ResourceObjectRule.java:100)
> > > at com.sun.jersey.server.impl.uri.rules.RightHandPathRule.accept(RightHandPathRule.java:147)
> > > at com.sun.jersey.server.impl.uri.rules.RootResourceClassesRule.accept(RootResourceClassesRule.java:84)
> > > at com.sun.jersey.server.impl.application.WebApplicationImpl._handleRequest(WebApplicationImpl.java:1511)
> > > at com.sun.jersey.server.impl.application.WebApplicationImpl._handleRequest(WebApplicationImpl.java:1442)
> > > at com.sun.jersey.server.impl.application.WebApplicationImpl.handleRequest(WebApplicationImpl.java:1391)
> > > at com.sun.jersey.server.impl.application.WebApplicationImpl.handleRequest(WebApplicationImpl.java:1381)
> > > at com.sun.jersey.spi.container.servlet.WebComponent.service(WebComponent.java:416)
> > > at com.sun.jersey.spi.container.servlet.ServletContainer.service(ServletContainer.java:538)
> > > at com.sun.jersey.spi.container.servlet.ServletContainer.service(ServletContainer.java:716)
> > > at javax.servlet.http.HttpServlet.service(HttpServlet.java:668)
> > > at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:684)
> > > at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1507)
> > > at org.eclipse.jetty.servlets.CrossOriginFilter.handle(CrossOriginFilter.java:247)
> > > at org.eclipse.jetty.servlets.CrossOriginFilter.doFilter(CrossOriginFilter.java:210)
> > > at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1478)
> > > at org.eclipse.jetty.servlets.UserAgentFilter.doFilter(UserAgentFilter.java:82)
> > > at org.eclipse.jetty.servlets.GzipFilter.doFilter(GzipFilter.java:256)
> > > at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1478)
> > > at org.opendaylight.aaa.filterchain.filters.CustomFilterAdapter.doFilter(CustomFilterAdapter.java:85)
> > > at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1478)
> > > at org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:61)
> > > at org.apache.shiro.web.servlet.AdviceFilter.executeChain(AdviceFilter.java:108)
> > > at org.apache.shiro.web.servlet.AdviceFilter.doFilterInternal(AdviceFilter.java:137)
> > > at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)
> > > at org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:66)
> > > at org.apache.shiro.web.servlet.AdviceFilter.executeChain(AdviceFilter.java:108)
> > > at org.apache.shiro.web.servlet.AdviceFilter.doFilterInternal(AdviceFilter.java:137)
> > > at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)
> > > at org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:66)
> > > at org.apache.shiro.web.servlet.AbstractShiroFilter.executeChain(AbstractShiroFilter.java:449)
> > > at org.apache.shiro.web.servlet.AbstractShiroFilter$1.call(AbstractShiroFilter.java:365)
> > > at org.apache.shiro.subject.support.SubjectCallable.doCall(SubjectCallable.java:90)
> > > at org.apache.shiro.subject.support.SubjectCallable.call(SubjectCallable.java:83)
> > > at org.apache.shiro.subject.support.DelegatingSubject.execute(DelegatingSubject.java:383)
> > > at org.apache.shiro.web.servlet.AbstractShiroFilter.doFilterInternal(AbstractShiroFilter.java:362)
> > > at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)
> > > at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1478)
> > > at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:499)
> > > at org.ops4j.pax.web.service.jetty.internal.HttpServiceServletHandler.doHandle(HttpServiceServletHandler.java:69)
> > > at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:137)
> > > at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:557)
> > > at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:231)
> > > at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1086)
> > > at org.ops4j.pax.web.service.jetty.internal.HttpServiceContext.doHandle(HttpServiceContext.java:240)
> > > at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:427)
> > > at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:193)
> > > at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1020)
> > > at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:135)
> > > at org.ops4j.pax.web.service.jetty.internal.JettyServerHandlerCollection.handle(JettyServerHandlerCollection.java:75)
> > > at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:116)
> > > at org.eclipse.jetty.server.Server.handle(Server.java:370)
> > > at org.eclipse.jetty.server.AbstractHttpConnection.handleRequest(AbstractHttpConnection.java:494)
> > > at org.eclipse.jetty.server.AbstractHttpConnection.headerComplete(AbstractHttpConnection.java:973)
> > > at org.eclipse.jetty.server.AbstractHttpConnection$RequestHandler.headerComplete(AbstractHttpConnection.java:1035)
> > > at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:641)
> > > at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:231)
> > > at org.eclipse.jetty.server.AsyncHttpConnection.handle(AsyncHttpConnection.java:82)
> > > at org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEndPoint.java:696)
> > > at org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEndPoint.java:53)
> > > at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:608)
> > > at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:543)
> > > at java.lang.Thread.run(Thread.java:745)
> > >
> > >
> > >
> > >
> > >
> > >> On Apr 26, 2017, at 12:50 PM, Mohamed ElSerngawy <melserngawy@...> wrote:
> > >>
> > >> Hi Colin,
> > >>
> > >> You are not supposed to use them after the changes that we made in the patch. Basically these functionalities were
> > >> there because of the keystores need to be generated after starting ODL. But now, the keystore will be created once
> > >> you install the aaa-cert feature. Keeping these functionalities could make a serious security threat.
> > >>
> > >> BR
> > >>
> > >> On Wed, Apr 26, 2017 at 3:40 PM, Colin Dixon <colin@...> wrote:
> > >> Putting the argument about what should go in an SR aside for the moment, is there a straightforward way to access
> > >> the functionality that was provided by the removed commands? Specifically gen-odl-ks and gen-trust-ks?
> > >>
> > >> --Colin
> > >>
> > >> On Wed, Apr 26, 2017 at 3:15 PM Ryan Goulding <ryandgoulding@...> wrote:
> > >> which is probably not in the spirit of SRs
> > >>
> > >> This was done for both usability and security purposes, as I explained via Skype already. The security advantages
> > >> alone make it justifiable IMHO.
> > >>
> > >> While we're somewhat less strict about adding features in SRs. Taking them out without a lot of warning and
> > >> notice is pretty much the definition of what we try to never do in SRs.
> > >>
> > >> This isn't a feature, it is CLI.
> > >>
> > >> This patch seems to be the issue:
> > >> https://git.opendaylight.org/gerrit/#/c/51649/
> > >>
> > >> Yes, if you look at the bug actually, a member from your team commented on it [0] so I'd argue that it was at
> > >> least somewhat well known ;). Reverting it shouldn't be particularly hard, but it could open you up to some
> > >> security issues in your downstream distro!
> > >>
> > >> Regards,
> > >>
> > >> Ryan Goulding
> > >>
> > >> [0] https://bugs.opendaylight.org/show_bug.cgi?id=7774
> > >>
> > >> On Wed, Apr 26, 2017 at 3:03 PM, Colin Dixon <colin@...> wrote:
> > >> So, in some downstream testing at Brocade we found that the AAA CLI commands were changed somewhat drastically
> > >> between Boron-SR2 and Boron-SR3, which is probably not in the spirit of SRs. While we're somewhat less strict about
> > >> adding features in SRs. Taking them out without a lot of warning and notice is pretty much the definition of what we
> > >> try to never do in SRs.
> > >>
> > >> That being said, we're trying to make the best of it and looking for help in understanding how to get the
> > >> functionality we rely on from AAA back in Boron-SR3.
> > >>
> > >> This patch seems to be the issue:
> > >> https://git.opendaylight.org/gerrit/#/c/51649/
> > >>
> > >> Is there somebody that can comment on how we might recover the functionality that used to be provided by the
> > >> gen-odl-ks and gen-trust-ks CLI commands? Would simply reverting that patch work or would it break other things as well?
> > >>
> > >> Thanks,
> > >> --Colin
> > >>
> > >>
> > >>
> > >>
> > >>
> > >
> > >
> >
> >
> > _______________________________________________
> > aaa-dev mailing list
> > aaa-dev@... <mailto:aaa-dev@...> <mailto:aaa-dev@...
<mailto:aaa-dev@...>> <mailto:aaa-dev@... <mailto:aaa-dev@...>
> <mailto:aaa-dev@... <mailto:aaa-dev@...>>>
> > https://lists.opendaylight.org/mailman/listinfo/aaa-dev <https://lists.opendaylight.org/mailman/listinfo/aaa-dev>
<https://lists.opendaylight.org/mailman/listinfo/aaa-dev <https://lists.opendaylight.org/mailman/listinfo/aaa-dev>>
> <https://lists.opendaylight.org/mailman/listinfo/aaa-dev <https://lists.opendaylight.org/mailman/listinfo/aaa-dev>
<https://lists.opendaylight.org/mailman/listinfo/aaa-dev <https://lists.opendaylight.org/mailman/listinfo/aaa-dev>>>
> >
> >
>
>


Mohamed ElSerngawy <melserngawy@...>
 

On Thu, May 4, 2017 at 4:11 PM, Jamo Luhrsen <jluhrsen@...> wrote:
wait, I get the sense you missed my first step where I did create a domain. I created it
with the domainid 96.

JamO

On 05/04/2017 01:00 PM, Ryan Goulding wrote:
> It's either going to be the default one (sdn) or one you created.  You can find out which ones exist by:
>
> ryan@ubuntu:/code/aaa-nitrogen/karaf/target/assembly$ python bin/idmtool admin list-domains
> Password:
> list_domains
>
> command succeeded!
>
> json:
> {
>     "domains": [
>         {
>             "description": "default odl sdn domain",
>             "domainid": "sdn",
>             "enabled": true,
>             "name": "sdn"
>         }
>     ]
> }
> ryan@ubuntu:/code/aaa-nitrogen/karaf/target/assembly$
>
> Note: it will be python etc/idmtool in Carbon since we didn't get that bug fix in in time.
>
> OR:
>
> curl -u "admin:admin" http://$ODL:8181/auth/v1/domains | python -m json.tool
>
> if you are using raw REST
>
> Regards,
>
> Ryan Goulding
>
> On Thu, May 4, 2017 at 3:53 PM, Jamo Luhrsen <jluhrsen@...> wrote:
>
>     so, when creating a domain you have to use a domain id that already exists? where do I find
>     that domainid?
>
>     JamO
>
>     On 05/04/2017 12:51 PM, Ryan Goulding wrote:
>     > The domain id "96" does not exist.  Probably should be a better error message, but you need to use a domain that exists or
>     > you will get internal server error.
>     >
>     > Regards,
>     >
>     > Ryan Goulding
>     >
>     > On Thu, Apr 27, 2017 at 5:36 PM, Jamo Luhrsen <jluhrsen@...> wrote:
>     >
>     >     (subject changed)
>     >
>     >     On 04/27/2017 06:34 AM, Ryan Goulding wrote:
>     >     > The stuff you are referring to works, JamO, and is completely orthogonal to the issue Luis reports.  If you paste the exact
>     >     > REST call I can assist.  Also, if you are curious how to use those endpoints, refer to idmtool.py, which just wraps that
>     >     > interface.  I just tested this morning.
>     >
>     >     yeah, if you can help me get it right I'll fix the CSIT. Still, I don't expect a 500/NPE
>     >     from AAA, so should that be a bug on its own?
>     >
>     >     here's kind of my repro, if you can help me know what's wrong:
>     >
>     >     # Create a Domain
>     >
>     >     14:28 $ curl -u "admin:admin" -X POST -d '{"description":"BeerClubAficionado","domainid":"96","name":"RyanRocks","enabled":"true"}' -H "Content-Type: application/json" http://$ODL:8181/auth/v1/domains
>     >
>     >     {"domainid":"RyanRocks","name":"RyanRocks","description":"BeerClubAficionado","enabled":true}
>     >
>     >
>     >
>     >     # Look at domains (question: why is domainid==name, when I gave a '96' in the create?)
>     >
>     >
>     >     14:30 $ curl -u "admin:admin" http://$ODL:8181/auth/v1/domains | python -m json.tool
>     >     {
>     >         "domains": [
>     >             {
>     >                 "description": "default odl sdn domain",
>     >                 "domainid": "sdn",
>     >                 "enabled": true,
>     >                 "name": "sdn"
>     >             },
>     >             {
>     >                 "description": "planetary domain",
>     >                 "domainid": "Alderaan-2017-04-12-17-31",
>     >                 "enabled": true,
>     >                 "name": "Alderaan-2017-04-12-17-31"
>     >             },
>     >             {
>     >                 "description": "BeerClubAficionado",
>     >                 "domainid": "RyanRocks",
>     >                 "enabled": true,
>     >                 "name": "RyanRocks"
>     >             }
>     >         ]
>     >     }
>     >
>     >
>     >
>     >     # add a user to this new domain
>     >     # first try is using domainid = 96, but get 500/NPE
>     >     # second try uses domainid = $name, but also get 500/NPE
>     >
>     >     ✔ ~
>     >     14:30 $ curl -u "admin:admin" -X POST -d '{"description":"The Man","name":"Goulding","enabled":"true","domainid":"96"}' -H "Content-Type: application/json" http://$ODL:8181/auth/v1/users
>     >     <html>
>     >     <head>
>     >     <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"/>
>     >     <title>Error 500 Server Error</title>
>     >     </head>
>     >     <body><h2>HTTP ERROR 500</h2>
>     >     <p>Problem accessing /auth/v1/users. Reason:
>     >     <pre>    Server Error</pre></p><h3>Caused by:</h3><pre>java.lang.NullPointerException
>     >             at org.opendaylight.aaa.idm.rest.UserHandler.createUser(UserHandler.java:199)
>     >     ...
>     >     <snip>
>     >     ...
>     >
>     >
>     >
>     >     14:31 $ curl -u "admin:admin" -X POST -d '{"description":"The Man","name":"Goulding","enabled":"true","domainid":"RyanRocks"}' -H "Content-Type: application/json" http://$ODL:8181/auth/v1/users
>     >     <html>
>     >     <head>
>     >     <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"/>
>     >     <title>Error 500 Server Error</title>
>     >     </head>
>     >     <body><h2>HTTP ERROR 500</h2>
>     >     <p>Problem accessing /auth/v1/users. Reason:
>     >     <pre>    Server Error</pre></p><h3>Caused by:</h3><pre>java.lang.NullPointerException
>     >             at org.opendaylight.aaa.idm.rest.UserHandler.createUser(UserHandler.java:199)
>     >
>     >     ...
>     >     <snip>
>     >     ...
>     >
>     >
>     >     Thanks,
>     >     JamO
>     >
>     >
>     >
>     >     >     1) it does not work in Boron, I get 500 Server error + NPE [1] when I try: POST /restconf/operations/aaa-cert-rpc:getODLCertificate
>     >     >
>     >     > I'll give it a shot and see what I get.
>     >     >
>     >     >     Do we have an idea of what the implications of just reverting that one patch are? Is it likely to work?
>     >     >
>     >     >
>     >     > So far we haven't demonstrated that the patch does anything negative except deprecate some unsafe commands.  Although revert
>     >     > may probably be easiest from your perspective, there are a lot of people who actually push their tests upstream and avoid
>     >     > this type of skew.  Let's not start a witch hunt quite yet;  I can pull up quite a few examples of far more risque changes in
>     >     > service releases ;).
>     >     >
>     >     > Regards,
>     >     >
>     >     > Ryan Goulding
>     >     >
>     >     > On Thu, Apr 27, 2017 at 9:11 AM, Colin Dixon <colin@...> wrote:
>     >     >
>     >     >     Do we have an idea of what the implications of just reverting that one patch are? Is it likely to work?
>     >     >
>     >     >     --Colin
>     >     >
>     >     >     On Wed, Apr 26, 2017 at 11:11 PM Jamo Luhrsen <jluhrsen@...> wrote:
>     >     >
>     >     >         btw, I was also trying to help get a broken AAA CSIT job working and ran in to some
>     >     >         troubles similar symptoms [0] to what Luis is reporting (500/NPE). Luis is playing with
>     >     >         cert stuff, and my work was in user/domain auth.
>     >     >
>     >     >         anyway, wondering if something fundamental is broken?
>     >     >
>     >     >         JamO
>     >     >
>     >     >         [0] https://lists.opendaylight.org/pipermail/aaa-dev/2017-April/001280.html
>     >     >
>     >     >
>     >     >
>     >     >         On 04/26/2017 06:21 PM, Luis Gomez wrote:
>     >     >         > hi guys, I just tested old-aaa-cert feature and couple of things:
>     >     >         >
>     >     >         > 1) it does not work in Boron, I get 500 Server error + NPE [1] when I try: POST /restconf/operations/aaa-cert-rpc:getODLCertificate
>     >     >         >
>     >     >         > 2) When I try in carbon I see 2 store files: ctl.jks, truststore.jks are created under ~/temp folder. Is it possible to change the path for these files?
>     >     >         >
>     >     >         >
>     >     >         > [1] NPE
>     >     >         >
>     >     >         > <html>
>     >     >         >     <head>
>     >     >         >         <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"/>
>     >     >         >         <title>Error 500 Server Error</title>
>     >     >         >     </head>
>     >     >         >     <body>
>     >     >         >         <h2>HTTP ERROR 500</h2>
>     >     >         >         <p>Problem accessing /restconf/operations/aaa-cert-rpc:getODLCertificate. Reason:
>     >     >         >
>     >     >         >             <pre>    Server Error</pre>
>     >     >         >         </p>
>     >     >         >         <h3>Caused by:</h3>
>     >     >         >         <pre>java.lang.NullPointerException
>     >     >         >       at org.opendaylight.aaa.cert.impl.AaaCertRpcServiceImpl.getODLCertificate(AaaCertRpcServiceImpl.java:92)
>     >     >         >
>     >     >         >
>     >     >         >
>     >     >         >
>     >     >         >
>     >     >         >> On Apr 26, 2017, at 12:50 PM, Mohamed ElSerngawy <melserngawy@...> wrote:
>     >     >         >>
>     >     >         >> Hi Colin,
>     >     >         >>
>     >     >         >> You are not supposed to use them after the changes that we made in the patch. Basically these functionalities were
>     >     >         >> there because of the keystores need to be generated after starting ODL. But now, the keystore will be created once
>     >     >         >> you install the aaa-cert feature. Keeping these functionalities could make a serious security threat.
>     >     >         >>
>     >     >         >> BR
>     >     >         >>
>     >     >         >> On Wed, Apr 26, 2017 at 3:40 PM, Colin Dixon <colin@...> wrote:
>     >     >         >> Putting the argument about what should go in an SR aside for the moment, is there a straightforward way to access
>     >     >         >> the functionality that was provided by the removed commands? Specifically gen-odl-ks and gen-trust-ks?
>     >     >         >>
>     >     >         >> --Colin
>     >     >         >>
>     >     >         >> On Wed, Apr 26, 2017 at 3:15 PM Ryan Goulding <ryandgoulding@...> wrote:
>     >     >         >> which is probably not in the spirit of SRs
>     >     >         >>
>     >     >         >> This was done for both usability and security purposes, as I explained via Skype already.  The security advantages
>     >     >         >> alone make it justifiable IMHO.
>     >     >         >>
>     >     >         >>  While we're somewhat less strict about adding features in SRs. Taking them out without a lot of warning and
>     >     >         >>  notice is pretty much the definition of what we try to never do in SRs.
>     >     >         >>
>     >     >         >> This isn't a feature, it is CLI.
>     >     >         >>
>     >     >         >>  This patch seems to be the issue:
>     >     >         >> https://git.opendaylight.org/gerrit/#/c/51649/
>     >     >         >>
>     >     >         >> Yes, if you look at the bug actually, a member from your team commented on it [0] so I'd argue that it was at
>     >     >         >> least somewhat well known ;).  Reverting it shouldn't be particularly hard, but it could open you up to some
>     >     >         >> security issues in your downstream distro!
>     >     >         >>
>     >     >         >> Regards,
>     >     >         >>
>     >     >         >> Ryan Goulding
>     >     >         >>
>     >     >         >> [0] https://bugs.opendaylight.org/show_bug.cgi?id=7774
>     >     >         >>
>     >     >         >> On Wed, Apr 26, 2017 at 3:03 PM, Colin Dixon <colin@...> wrote:
>     >     >         >> So, in some downstream testing at Brocade we found that the AAA CLI commands were changed somewhat drastically
>     >     >         >> between Boron-SR2 and Boron-SR3, which is probably not in the spirit of SRs. While we're somewhat less strict about
>     >     >         >> adding features in SRs. Taking them out without a lot of warning and notice is pretty much the definition of what we
>     >     >         >> try to never do in SRs.
>     >     >         >>
>     >     >         >> That being said, we're trying to make the best of it and looking for help in understanding how to get the
>     >     >         >> functionality we rely on from AAA back in Boron-SR3.
>     >     >         >>
>     >     >         >> This patch seems to be the issue:
>     >     >         >> https://git.opendaylight.org/gerrit/#/c/51649/
>     >     >         >>
>     >     >         >> Is there somebody that can comment on how we might recover the functionality that used to be provided by the
>     >     >         >> gen-odl-ks and gen-trust-ks CLI commands? Would simply reverting that patch work or would it break other things as well?
>     >     >         >>
>     >     >         >> Thanks,
>     >     >         >> --Colin
>     >     >         >>
>     >     >         >>
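
Added example, not part of any message in this thread and not OpenDaylight code: a pre-flight check a test client could run against the /auth/v1 responses quoted above, using the server-assigned domainid rather than the one it sent, and reducing a Jetty 500 page to its exception and top frame. The function names and the sample bodies are constructed for illustration from the output shown in the thread.

```python
import json
import re

# Constructed sample data, shaped like the requests and responses quoted in the thread.
DOMAIN_CREATE_REQUEST = {"description": "BeerClubAficionado", "domainid": "96",
                         "name": "RyanRocks", "enabled": "true"}
DOMAIN_CREATE_RESPONSE = ('{"domainid":"RyanRocks","name":"RyanRocks",'
                          '"description":"BeerClubAficionado","enabled":true}')
DOMAIN_LISTING = json.dumps({"domains": [
    {"description": "default odl sdn domain", "domainid": "sdn",
     "enabled": True, "name": "sdn"},
    {"description": "planetary domain", "domainid": "Alderaan-2017-04-12-17-31",
     "enabled": True, "name": "Alderaan-2017-04-12-17-31"},
    {"description": "BeerClubAficionado", "domainid": "RyanRocks",
     "enabled": True, "name": "RyanRocks"},
]})
ERROR_500_BODY = (
    "<body><h2>HTTP ERROR 500</h2>\n"
    "<p>Problem accessing /auth/v1/users. Reason:\n"
    "<pre>    Server Error</pre></p><h3>Caused by:</h3>"
    "<pre>java.lang.NullPointerException\n"
    "        at org.opendaylight.aaa.idm.rest.UserHandler.createUser(UserHandler.java:199)\n"
)


class DomainCheckError(ValueError):
    """Raised when a payload refers to a domain the server does not list."""


def assigned_domain_id(request, response_body):
    """Return (server_domainid, differs_from_request) for a domain-create exchange."""
    response = json.loads(response_body)
    server_id = response.get("domainid")
    if not isinstance(server_id, str) or not server_id:
        raise DomainCheckError("create response carries no domainid")
    requested = request.get("domainid")
    return server_id, (requested is not None and requested != server_id)


def known_domain_ids(listing_body):
    """Collect the domainid values from a GET /auth/v1/domains body."""
    domains = json.loads(listing_body).get("domains")
    if not isinstance(domains, list):
        raise DomainCheckError("listing has no 'domains' array")
    return {d["domainid"] for d in domains
            if isinstance(d, dict) and isinstance(d.get("domainid"), str)}


def check_user_payload(user, listing_body):
    """Refuse to send a user-create payload whose domainid is not listed."""
    domain_id = user.get("domainid")
    listed = known_domain_ids(listing_body)
    if domain_id not in listed:
        raise DomainCheckError(
            "domainid %r is not listed; known ids: %s" % (domain_id, sorted(listed)))
    return domain_id


# Matches the "Caused by" section of the HTML error page shown in the thread.
_CAUSE = re.compile(
    r"Caused by:</h3>\s*<pre>\s*([\w.$]+)(?:\s+at\s+([\w.$]+)\(([^)]*)\))?")


def classify_response(status, body):
    """Summarise a response so a test fails with the exception and top frame."""
    if 200 <= status < 300:
        return {"outcome": "ok"}
    if 400 <= status < 500:
        return {"outcome": "client-error"}
    match = _CAUSE.search(body)
    return {
        "outcome": "server-error",
        "exception": match.group(1) if match else None,
        "frame": match.group(2) if match else None,
    }
```

A passing check only rules out the unknown-domain case: the second attempt in the thread used a listed domainid and still returned 500.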


Ryan Goulding <ryandgoulding@...>
 

I'd call that a bug on our side.  If we expose it we ought to honor it if it is there.

Regards,

Ryan Goulding

On Thu, May 4, 2017 at 4:21 PM, Mohamed ElSerngawy <melserngawy@...> wrote:

On Thu, May 4, 2017 at 4:11 PM, Jamo Luhrsen <jluhrsen@...> wrote:
wait, I get the sense you missed my first step where I did create a domain. I created it
with the domainid 96.

JamO

On 05/04/2017 01:00 PM, Ryan Goulding wrote:
> It's either going to be the default one (sdn) or one you created.  You can find out which ones exist by:
>
> ryan@ubuntu:/code/aaa-nitrogen/karaf/target/assembly$ python bin/idmtool admin list-domains
> Password:
> list_domains
>
> command succeeded!
>
> json:
> {
>     "domains": [
>         {
>             "description": "default odl sdn domain",
>             "domainid": "sdn",
>             "enabled": true,
>             "name": "sdn"
>         }
>     ]
> }
> ryan@ubuntu:/code/aaa-nitrogen/karaf/target/assembly$
>
> *Note:  it will be python etc/idmtool in Carbon since we didn't get that bug fix in in time.*
>
> OR:
>
> curl -u "admin:admin" http://$ODL:8181/auth/v1/domains | python -m json.tool
>
> if you are using raw REST
>
> Regards,
>
> Ryan Goulding
>
> On Thu, May 4, 2017 at 3:53 PM, Jamo Luhrsen <jluhrsen@...> wrote:
>
>     so, when creating a domain you have to use a domain id that already exists? where do I find
>     that domainid?
>
>     JamO
>
>     On 05/04/2017 12:51 PM, Ryan Goulding wrote:
>     > The domain id "96" does not exist.  Probably should be a better error message, but you need to use a domain that exists or
>     > you will get internal server error.
>     >
>     > Regards,
>     >
>     > Ryan Goulding
>     >
>     > On Thu, Apr 27, 2017 at 5:36 PM, Jamo Luhrsen <jluhrsen@...> wrote:
>     >
>     >     (subject changed)
>     >
>     >     On 04/27/2017 06:34 AM, Ryan Goulding wrote:
>     >     > The stuff you are referring to works, JamO, and is completely orthogonal to the issue Luis reports.  If you paste the exact
>     >     > REST call I can assist.  Also, if you are curious how to use those endpoints, refer to idmtool.py, which just wraps that
>     >     > interface.  I just tested this morning.
>     >
>     >     yeah, if you can help me get it right I'll fix the CSIT. Still, I don't expect a 500/NPE
>     >     from AAA, so should that be a bug on its own?
>     >
>     >     here's kind of my repro, if you can help me know what's wrong:
>     >
>     >     # Create a Domain
>     >
>     >     14:28 $ curl -u "admin:admin" -X POST -d '{"description":"BeerClubAficionado","domainid":"96","name":"RyanRocks","enabled":"true"}' -H "Content-Type: application/json" http://$ODL:8181/auth/v1/domains
>     >
>     >     {"domainid":"RyanRocks","name":"RyanRocks","description":"BeerClubAficionado","enabled":true}
>     >
>     >
>     >
>     >     # Look at domains (question: why is domainid==name, when I gave a '96' in the create?)
>     >
>     >
>     >     14:30 $ curl -u "admin:admin" http://$ODL:8181/auth/v1/domains | python -m json.tool
>     >     {
>     >         "domains": [
>     >             {
>     >                 "description": "default odl sdn domain",
>     >                 "domainid": "sdn",
>     >                 "enabled": true,
>     >                 "name": "sdn"
>     >             },
>     >             {
>     >                 "description": "planetary domain",
>     >                 "domainid": "Alderaan-2017-04-12-17-31",
>     >                 "enabled": true,
>     >                 "name": "Alderaan-2017-04-12-17-31"
>     >             },
>     >             {
>     >                 "description": "BeerClubAficionado",
>     >                 "domainid": "RyanRocks",
>     >                 "enabled": true,
>     >                 "name": "RyanRocks"
>     >             }
>     >         ]
>     >     }
>     >
>     >
>     >
>     >     # add a user to this new domain
>     >     # first try is using domainid = 96, but get 500/NPE
>     >     # second try uses domainid = $name, but also get 500/NPE
>     >
>     >     ✔ ~
>     >     14:30 $ curl -u "admin:admin" -X POST -d '{"description":"The Man","name":"Goulding","enabled":"true","domainid":"96"}' -H "Content-Type: application/json" http://$ODL:8181/auth/v1/users
>     >     <html>
>     >     <head>
>     >     <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"/>
>     >     <title>Error 500 Server Error</title>
>     >     </head>
>     >     <body><h2>HTTP ERROR 500</h2>
>     >     <p>Problem accessing /auth/v1/users. Reason:
>     >     <pre>    Server Error</pre></p><h3>Caused by:</h3><pre>java.lang.NullPointerException
>     >             at org.opendaylight.aaa.idm.rest.UserHandler.createUser(UserHandler.java:199)
>     >     ...
>     >     <snip>
>     >     ...
>     >
>     >
>     >
>     >     14:31 $ curl -u "admin:admin" -X POST -d '{"description":"The Man","name":"Goulding","enabled":"true","domainid":"RyanRocks"}' -H "Content-Type: application/json" http://$ODL:8181/auth/v1/users
>     >     <html>
>     >     <head>
>     >     <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"/>
>     >     <title>Error 500 Server Error</title>
>     >     </head>
>     >     <body><h2>HTTP ERROR 500</h2>
>     >     <p>Problem accessing /auth/v1/users. Reason:
>     >     <pre>    Server Error</pre></p><h3>Caused by:</h3><pre>java.lang.NullPointerException
>     >             at org.opendaylight.aaa.idm.rest.UserHandler.createUser(UserHandler.java:199)
>     >
>     >     ...
>     >     <snip>
>     >     ...
>     >
>     >
>     >     Thanks,
>     >     JamO
>     >
>     >
>     >
>     >     >     1) it does not work in Boron, I get 500 Server error + NPE [1] when I try: POST
>     >     >     /restconf/operations/aaa-cert-rpc:getODLCertificate
>     >     >
>     >     > I'll give it a shot and see what I get.
>     >     >
>     >     >     Do we have an idea of what the implications of just reverting that one patch are? Is it likely to work?
>     >     >
>     >     >
>     >     > So far we haven't demonstrated that the patch does anything negative except deprecate some unsafe commands.  Although revert
>     >     > may probably be easiest from your perspective, there are a lot of people who actually push their tests upstream and avoid
>     >     > this type of skew.  Let's not start a witch hunt quite yet;  I can pull up quite a few examples of far more risque changes in
>     >     > service releases ;).
>     >     >
>     >     > Regards,
>     >     >
>     >     > Ryan Goulding
>     >     >
>     >     > On Thu, Apr 27, 2017 at 9:11 AM, Colin Dixon <colin@...> wrote:
>     >     >
>     >     >     Do we have an idea of what the implications of just reverting that one patch are? Is it likely to work?
>     >     >
>     >     >     --Colin
>     >     >
>     >     >     On Wed, Apr 26, 2017 at 11:11 PM Jamo Luhrsen <jluhrsen@...> wrote:
>     >     >
>     >     >         btw, I was also trying to help get a broken AAA CSIT job working and ran in to some
>     >     >         troubles similar symptoms [0] to what Luis is reporting (500/NPE). Luis is playing with
>     >     >         cert stuff, and my work was in user/domain auth.
>     >     >
>     >     >         anyway, wondering if something fundamental is broken?
>     >     >
>     >     >         JamO
>     >     >
>     >     >         [0] https://lists.opendaylight.org/pipermail/aaa-dev/2017-April/001280.html
>     >     >
>     >     >
>     >     >
>     >     >         On 04/26/2017 06:21 PM, Luis Gomez wrote:
>     >     >         > hi guys, I just tested old-aaa-cert feature and couple of things:
>     >     >         >
>     >     >         > 1) it does not work in Boron, I get 500 Server error + NPE [1] when I try: POST /restconf/operations/aaa-cert-rpc:getODLCertificate
>     >     >         >
>     >     >         > 2) When I try in carbon I see 2 store files: ctl.jks, truststore.jks are created under ~/temp folder. Is it possible to change the path for these files?
>     >     >         >
>     >     >         >
>     >     >         > [1] NPE
>     >     >         >
>     >     >         > <html>
>     >     >         >     <head>
>     >     >         >         <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"/>
>     >     >         >         <title>Error 500 Server Error</title>
>     >     >         >     </head>
>     >     >         >     <body>
>     >     >         >         <h2>HTTP ERROR 500</h2>
>     >     >         >         <p>Problem accessing /restconf/operations/aaa-cert-rpc:getODLCertificate. Reason:
>     >     >         >
>     >     >         >             <pre>    Server Error</pre>
>     >     >         >         </p>
>     >     >         >         <h3>Caused by:</h3>
>     >     >         >         <pre>java.lang.NullPointerException
>     >     >         >       at org.opendaylight.aaa.cert.impl.AaaCertRpcServiceImpl.getODLCertificate(AaaCertRpcServiceImpl.java:92)
>     >     >         >       at org.opendaylight.yangtools.yang.binding.util.RpcMethodInvokerWithoutInput.invokeOn(RpcMethodInvokerWithoutInput.java:30)
>     >     >         >       at org.opendaylight.yangtools.yang.binding.util.AbstractMappedRpcInvoker.invokeRpc(AbstractMappedRpcInvoker.java:52)
>     >     >         >       at org.opendaylight.controller.md.sal.binding.impl.BindingDOMRpcImplementationAdapter.invoke(BindingDOMRpcImplementationAdapter.java:85)
>     >     >         >       at org.opendaylight.controller.md.sal.binding.impl.BindingDOMRpcImplementationAdapter.invokeRpc(BindingDOMRpcImplementationAdapter.java:72)
>     >     >         >       at org.opendaylight.controller.md.sal.dom.broker.impl.GlobalDOMRpcRoutingTableEntry.invokeRpc(GlobalDOMRpcRoutingTableEntry.java:39)
>     >     >         >       at org.opendaylight.controller.md.sal.dom.broker.impl.DOMRpcRoutingTable.invokeRpc(DOMRpcRoutingTable.java:177)
>     >     >         >       at org.opendaylight.controller.md.sal.dom.broker.impl.DOMRpcRouter.invokeRpc(DOMRpcRouter.java:102)
>     >     >         >       at Proxye69c1788_e30d_4fd8_8d29_f7f08932a9e7.invokeRpc(Unknown Source)
>     >     >         >       at org.opendaylight.netconf.sal.restconf.impl.BrokerFacade.invokeRpc(BrokerFacade.java:506)
>     >     >         >       at org.opendaylight.netconf.sal.restconf.impl.RestconfImpl.invokeRpc(RestconfImpl.java:464)
>     >     >         >       at org.opendaylight.netconf.sal.restconf.impl.StatisticsRestconfServiceWrapper.invokeRpc(StatisticsRestconfServiceWrapper.java:83)
>     >     >         >       at org.opendaylight.netconf.sal.rest.impl.RestconfCompositeWrapper.invokeRpc(RestconfCompositeWrapper.java:64)
>     >     >         >       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>     >     >         >       at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>     >     >         >       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>     >     >         >       at java.lang.reflect.Method.invoke(Method.java:498)
>     >     >         >       at com.sun.jersey.spi.container.JavaMethodInvokerFactory$1.invoke(JavaMethodInvokerFactory.java:60)
>     >     >         >       at com.sun.jersey.server.impl.model.method.dispatch.AbstractResourceMethodDispatchProvider$TypeOutInvoker._dispatch(AbstractResourceMethodDispatchProvider.java:185)
>     >     >         >       at com.sun.jersey.server.impl.model.method.dispatch.ResourceJavaMethodDispatcher.dispatch(ResourceJavaMethodDispatcher.java:75)
>     >     >         >       at com.sun.jersey.server.impl.uri.rules.HttpMethodRule.accept(HttpMethodRule.java:302)
>     >     >         >       at com.sun.jersey.server.impl.uri.rules.RightHandPathRule.accept(RightHandPathRule.java:147)
>     >     >         >       at com.sun.jersey.server.impl.uri.rules.ResourceObjectRule.accept(ResourceObjectRule.java:100)
>     >     >         >       at com.sun.jersey.server.impl.uri.rules.RightHandPathRule.accept(RightHandPathRule.java:147)
>     >     >         >       at com.sun.jersey.server.impl.uri.rules.RootResourceClassesRule.accept(RootResourceClassesRule.java:84)
>     >     >         >       at com.sun.jersey.server.impl.application.WebApplicationImpl._handleRequest(WebApplicationImpl.java:1511)
>     >     >         >       at com.sun.jersey.server.impl.application.WebApplicationImpl._handleRequest(WebApplicationImpl.java:1442)
>     >     >         >       at com.sun.jersey.server.impl.application.WebApplicationImpl.handleRequest(WebApplicationImpl.java:1391)
>     >     >         >       at com.sun.jersey.server.impl.application.WebApplicationImpl.handleRequest(WebApplicationImpl.java:1381)
>     >     >         >       at com.sun.jersey.spi.container.servlet.WebComponent.service(WebComponent.java:416)
>     >     >         >       at com.sun.jersey.spi.container.servlet.ServletContainer.service(ServletContainer.java:538)
>     >     >         >       at com.sun.jersey.spi.container.servlet.ServletContainer.service(ServletContainer.java:716)
>     >     >         >       at javax.servlet.http.HttpServlet.service(HttpServlet.java:668)
>     >     >         >       at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:684)
>     >     >         >       at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1507)
>     >     >         >       at org.eclipse.jetty.servlets.CrossOriginFilter.handle(CrossOriginFilter.java:247)
>     >     >         >       at org.eclipse.jetty.servlets.CrossOriginFilter.doFilter(CrossOriginFilter.java:210)
>     >     >         >       at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1478)
>     >     >         >       at org.eclipse.jetty.servlets.UserAgentFilter.doFilter(UserAgentFilter.java:82)
>     >     >         >       at org.eclipse.jetty.servlets.GzipFilter.doFilter(GzipFilter.java:256)
>     >     >         >       at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1478)
>     >     >         >       at org.opendaylight.aaa.filterchain.filters.CustomFilterAdapter.doFilter(CustomFilterAdapter.java:85)
>     >     >         >       at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1478)
>     >     >         >       at org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:61)
>     >     >         >       at org.apache.shiro.web.servlet.AdviceFilter.executeChain(AdviceFilter.java:108)
>     >     >         >       at org.apache.shiro.web.servlet.AdviceFilter.doFilterInternal(AdviceFilter.java:137)
>     >     >         >       at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)
>     >     >         >       at org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:66)
>     >     >         >       at org.apache.shiro.web.servlet.AdviceFilter.executeChain(AdviceFilter.java:108)
>     >     >         >       at org.apache.shiro.web.servlet.AdviceFilter.doFilterInternal(AdviceFilter.java:137)
>     >     >         >       at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)
>     >     >         >       at org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:66)
>     >     >         >       at org.apache.shiro.web.servlet.AbstractShiroFilter.executeChain(AbstractShiroFilter.java:449)
>     >     >         >       at org.apache.shiro.web.servlet.AbstractShiroFilter$1.call(AbstractShiroFilter.java:365)
>     >     >         >       at org.apache.shiro.subject.support.SubjectCallable.doCall(SubjectCallable.java:90)
>     >     >         >       at org.apache.shiro.subject.support.SubjectCallable.call(SubjectCallable.java:83)
>     >     >         >       at org.apache.shiro.subject.support.DelegatingSubject.execute(DelegatingSubject.java:383)
>     >     >         >       at org.apache.shiro.web.servlet.AbstractShiroFilter.doFilterInternal(AbstractShiroFilter.java:362)
>     >     >         >       at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)
>     >     >         >       at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1478)
>     >     >         >       at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:499)
>     >     >         >       at org.ops4j.pax.web.service.jetty.internal.HttpServiceServletHandler.doHandle(HttpServiceServletHandler.java:69)
>     >     >         >       at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:137)
>     >     >         >       at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:557)
>     >     >         >       at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:231)
>     >     >         >       at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1086)
>     >     >         >       at org.ops4j.pax.web.service.jetty.internal.HttpServiceContext.doHandle(HttpServiceContext.java:240)
>     >     >         >       at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:427)
>     >     >         >       at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:193)
>     >     >         >       at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1020)
>     >     >         >       at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:135)
>     >     >         >       at org.ops4j.pax.web.service.jetty.internal.JettyServerHandlerCollection.handle(JettyServerHandlerCollection.java:75)
>     >     >         >       at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:116)
>     >     >         >       at org.eclipse.jetty.server.Server.handle(Server.java:370)
>     >     >         >       at org.eclipse.jetty.server.AbstractHttpConnection.handleRequest(AbstractHttpConnection.java:494)
>     >     >         >       at org.eclipse.jetty.server.AbstractHttpConnection.headerComplete(AbstractHttpConnection.java:973)
>     >     >         >       at org.eclipse.jetty.server.AbstractHttpConnection$RequestHandler.headerComplete(AbstractHttpConnection.java:1035)
>     >     >         >       at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:641)
>     >     >         >       at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:231)
>     >     >         >       at org.eclipse.jetty.server.AsyncHttpConnection.handle(AsyncHttpConnection.java:82)
>     >     >         >       at org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEndPoint.java:696)
>     >     >         >       at org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEndPoint.java:53)
>     >     >         >       at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:608)
>     >     >         >       at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:543)
>     >     >         >       at java.lang.Thread.run(Thread.java:745)
>     >     >         >
>     >     >         >
>     >     >         >
>     >     >         >
>     >     >         >
>     >     >         >> On Apr 26, 2017, at 12:50 PM, Mohamed ElSerngawy <melserngawy@...> wrote:
>     >     >         >>
>     >     >         >> Hi Colin,
>     >     >         >>
>     >     >         >> You are not supposed to use them after the changes that we made in the patch. Basically these functionalities were
>     >     >         >> there because the keystores needed to be generated after starting ODL. But now, the keystore will be created once
>     >     >         >> you install the aaa-cert feature. Keeping these functionalities could make a serious security threat.
>     >     >         >>
>     >     >         >> BR
>     >     >         >>
>     >     >         >> On Wed, Apr 26, 2017 at 3:40 PM, Colin Dixon <colin@...> wrote:
>     >     >         >> Putting the argument about what should go in an SR aside for the moment, is there a straightforward way to access
>     >     >         >> the functionality that was provided by the removed commands? Specifically gen-odl-ks and gen-trust-ks?
>     >     >         >>
>     >     >         >> --Colin
>     >     >         >>
>     >     >         >> On Wed, Apr 26, 2017 at 3:15 PM Ryan Goulding <ryandgoulding@...> wrote:
>     >     >         >> which is probably not in the spirit of SRs
>     >     >         >>
>     >     >         >> This was done for both usability and security purposes, as I explained via Skype already.  The security advantages
>     >     >         >> alone make it justifiable IMHO.
>     >     >         >>
>     >     >         >>  While we're somewhat less strict about adding features in SRs. Taking them out without a lot of warning and
>     >     >         >> notice is pretty much the definition of what we try to never do in SRs.
>     >     >         >>
>     >     >         >> This isn't a feature, it is CLI.
>     >     >         >>
>     >     >         >>  This patch seems to be the issue:
>     >     >         >> https://git.opendaylight.org/gerrit/#/c/51649/
>     >     >         >>
>     >     >         >> Yes, if you look at the bug actually, a member from your team commented on it [0] so I'd argue that it was at
>     >     >         >> least somewhat well known ;).  Reverting it shouldn't be particularly hard, but it could open you up to some
>     >     >         >> security issues in your downstream distro!
>     >     >         >>
>     >     >         >> Regards,
>     >     >         >>
>     >     >         >> Ryan Goulding
>     >     >         >>
>     >     >         >> [0] https://bugs.opendaylight.org/show_bug.cgi?id=7774
>     >     >         >>
>     >     >         >> On Wed, Apr 26, 2017 at 3:03 PM, Colin Dixon <colin@...> wrote:
>     >     >         >> So, in some downstream testing at Brocade we found that the AAA CLI commands were changed somewhat drastically
>     >     >         >> between Boron-SR2 and Boron-SR3, which is probably not in the spirit of SRs. While we're somewhat less strict about
>     >     >         >> adding features in SRs. Taking them out without a lot of warning and notice is pretty much the definition of what we
>     >     >         >> try to never do in SRs.
>     >     >         >>
>     >     >         >> That being said, we're trying to make the best of it and looking for help in understanding how to get the
>     >     >         >> functionality we rely on from AAA back in Boron-SR3.
>     >     >         >>
>     >     >         >> This patch seems to be the issue:
>     >     >         >> https://git.opendaylight.org/gerrit/#/c/51649/
>     >     >         >>
>     >     >         >> Is there somebody that can comment on how we might recover the functionality that used to be provided by the
>     >     >         >> gen-odl-ks and gen-trust-ks CLI commands? Would simply reverting that patch work or would it break other things as well?
>     >     >         >>
>     >     >         >> Thanks,
>     >     >         >> --Colin
>     >     >         >>
>     >     >         >>
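Added example (not part of any message in this thread and not AAA project code): a negative-test check that a CSIT suite could apply to the reply from a user-create request naming an unknown domainid. It flags a 5xx status and any Java exception or stack frame exposed in the body. The function names, the expectation of a 4xx reply, and the 4xx sample body are assumptions; the 500 sample body is the error page quoted in the thread.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# The Jetty error page quoted in the thread, up to the poster's <snip>.
SAMPLE_500_BODY = """<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"/>
<title>Error 500 Server Error</title>
</head>
<body><h2>HTTP ERROR 500</h2>
<p>Problem accessing /auth/v1/users. Reason:
<pre>    Server Error</pre></p><h3>Caused by:</h3><pre>java.lang.NullPointerException
        at org.opendaylight.aaa.idm.rest.UserHandler.createUser(UserHandler.java:199)
"""

# Constructed sample (assumption): a reply that rejects the request
# without exposing server internals.
SAMPLE_4XX_BODY = '{"error": "domain does not exist"}'

# Fully qualified Java throwable name, e.g. java.lang.NullPointerException.
EXCEPTION_RE = re.compile(
    r"\b((?:[a-z_][\w$]*\.)+[A-Z][\w$]*(?:Exception|Error))\b"
)
# One stack frame: "at pkg.Class.method(File.java:123)".
FRAME_RE = re.compile(
    r"^\s*at\s+((?:[\w$]+\.)+[\w$<>]+)\(([^()\n]*)\)", re.MULTILINE
)


@dataclass
class Finding:
    status: int
    exception: Optional[str]   # throwable class named in the body, if any
    top_frame: Optional[str]   # first "at ..." frame, if any
    location: Optional[str]    # source file and line of that frame

    @property
    def server_fault(self) -> bool:
        return self.status >= 500

    @property
    def leaks_internals(self) -> bool:
        return self.exception is not None or self.top_frame is not None


def inspect_response(status: int, body: str) -> Finding:
    """Extract the status class and any exception details from a reply."""
    exc = EXCEPTION_RE.search(body)
    frame = FRAME_RE.search(body)
    return Finding(
        status=status,
        exception=exc.group(1) if exc else None,
        top_frame=frame.group(1) if frame else None,
        location=frame.group(2) if frame else None,
    )


def check_negative_test(status: int, body: str) -> List[str]:
    """Problems with a reply to a request that references a missing domain.

    Assumption: such a request should be rejected with a 4xx status and a
    body that names no Java classes, methods or source lines.
    """
    finding = inspect_response(status, body)
    problems = []
    if finding.server_fault:
        problems.append(
            f"HTTP {status}: bad client input caused a server fault"
        )
    elif not 400 <= status < 500:
        problems.append(
            f"HTTP {status}: request with an unknown domainid was not rejected"
        )
    if finding.leaks_internals:
        problems.append(
            "body exposes internals: "
            f"{finding.exception} at {finding.top_frame} ({finding.location})"
        )
    return problems


if __name__ == "__main__":
    for status, body in ((500, SAMPLE_500_BODY), (400, SAMPLE_4XX_BODY)):
        issues = check_negative_test(status, body)
        print(status, "OK" if not issues else issues)
```
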



Mohamed ElSerngawy <melserngawy@...>
 

yes, I agree. I don't know why it exists in this way

On Thu, May 4, 2017 at 4:24 PM, Ryan Goulding <ryandgoulding@...> wrote:
I'd call that a bug on our side.  If we expose it we ought to honor it if it is there.

Regards,

Ryan Goulding

On Thu, May 4, 2017 at 4:21 PM, Mohamed ElSerngawy <melserngawy@...> wrote:

On Thu, May 4, 2017 at 4:11 PM, Jamo Luhrsen <jluhrsen@...> wrote:
wait, I get the sense you missed my first step where I did create a domain. I created it
with the domainid 96.

JamO

On 05/04/2017 01:00 PM, Ryan Goulding wrote:
> It's either going to be the default one (sdn) or one you created.  You can find out which ones exist by:
>
> ryan@ubuntu:/code/aaa-nitrogen/karaf/target/assembly$ python bin/idmtool admin list-domains
> Password:
> list_domains
>
> command succeeded!
>
> json:
> {
>     "domains": [
>         {
>             "description": "default odl sdn domain",
>             "domainid": "sdn",
>             "enabled": true,
>             "name": "sdn"
>         }
>     ]
> }
> ryan@ubuntu:/code/aaa-nitrogen/karaf/target/assembly$
>
> *Note:  it will be python etc/idmtool in Carbon since we didn't get that bug fix in in time.*
>
> OR:
>
> curl -u "admin:admin" http://$ODL:8181/auth/v1/domains | python -m json.tool
>
> if you are using raw REST
>
> Regards,
>
> Ryan Goulding
>
> On Thu, May 4, 2017 at 3:53 PM, Jamo Luhrsen <jluhrsen@...> wrote:
>
>     so, when creating a domain you have to use a domain id that already exists? where do I find
>     that domainid?
>
>     JamO
>
>     On 05/04/2017 12:51 PM, Ryan Goulding wrote:
>     > The domain id "96" does not exist.  Probably should be a better error message, but you need to use a domain that exists or
>     > you will get internal server error.
>     >
>     > Regards,
>     >
>     > Ryan Goulding
>     >
>     > On Thu, Apr 27, 2017 at 5:36 PM, Jamo Luhrsen <jluhrsen@...> wrote:
>     >
>     >     (subject changed)
>     >
>     >     On 04/27/2017 06:34 AM, Ryan Goulding wrote:
>     >     > The stuff you are referring to works, JamO, and is completely orthogonal to the issue Luis reports.  If you paste the exact
>     >     > REST call I can assist.  Also, if you are curious how to use those endpoints, refer to idmtool.py, which just wraps that
>     >     > interface.  I just tested this morning.
>     >
>     >     yeah, if you can help me get it right I'll fix the CSIT. Still, I don't expect a 500/NPE
>     >     from AAA, so should that be a bug on its own?
>     >
>     >     here's kind of my repro, if you can help me know what's wrong:
>     >
>     >     # Create a Domain
>     >
>     >     14:28 $ curl -u "admin:admin" -X POST -d '{"description":"BeerClubAficionado","domainid":"96","name":"RyanRocks","enabled":"true"}' -H "Content-Type: application/json" http://$ODL:8181/auth/v1/domains
>     >
>     >     {"domainid":"RyanRocks","name":"RyanRocks","description":"BeerClubAficionado","enabled":true}
>     >
>     >
>     >
>     >     # Look at domains (question: why is domainid==name, when I gave a '96' in the create?)
>     >
>     >
>     >     14:30 $ curl -u "admin:admin" http://$ODL:8181/auth/v1/domains | python -m json.tool
>     >     {
>     >         "domains": [
>     >             {
>     >                 "description": "default odl sdn domain",
>     >                 "domainid": "sdn",
>     >                 "enabled": true,
>     >                 "name": "sdn"
>     >             },
>     >             {
>     >                 "description": "planetary domain",
>     >                 "domainid": "Alderaan-2017-04-12-17-31",
>     >                 "enabled": true,
>     >                 "name": "Alderaan-2017-04-12-17-31"
>     >             },
>     >             {
>     >                 "description": "BeerClubAficionado",
>     >                 "domainid": "RyanRocks",
>     >                 "enabled": true,
>     >                 "name": "RyanRocks"
>     >             }
>     >         ]
>     >     }
>     >
>     >
>     >
>     >     # add a user to this new domain
>     >     # first try is using domainid = 96, but get 500/NPE
>     >     # second try uses domainid = $name, but also get 500/NPE
>     >
>     >     ✔ ~
>     >     14:30 $ curl -u "admin:admin" -X POST -d '{"description":"The Man","name":"Goulding","enabled":"true","domainid":"96"}' -H "Content-Type: application/json" http://$ODL:8181/auth/v1/users
>     >     <html>
>     >     <head>
>     >     <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"/>
>     >     <title>Error 500 Server Error</title>
>     >     </head>
>     >     <body><h2>HTTP ERROR 500</h2>
>     >     <p>Problem accessing /auth/v1/users. Reason:
>     >     <pre>    Server Error</pre></p><h3>Caused by:</h3><pre>java.lang.NullPointerException
>     >             at org.opendaylight.aaa.idm.rest.UserHandler.createUser(UserHandler.java:199)
>     >     ...
>     >     <snip>
>     >     ...
>     >
>     >
>     >
>     >     14:31 $ curl -u "admin:admin" -X POST -d '{"description":"The Man","name":"Goulding","enabled":"true","domainid":"RyanRocks"}' -H "Content-Type: application/json" http://$ODL:8181/auth/v1/users
>     >     <html>
>     >     <head>
>     >     <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"/>
>     >     <title>Error 500 Server Error</title>
>     >     </head>
>     >     <body><h2>HTTP ERROR 500</h2>
>     >     <p>Problem accessing /auth/v1/users. Reason:
>     >     <pre>    Server Error</pre></p><h3>Caused by:</h3><pre>java.lang.NullPointerException
>     >             at org.opendaylight.aaa.idm.rest.UserHandler.createUser(UserHandler.java:199)
>     >
>     >     ...
>     >     <snip>
>     >     ...
>     >
>     >
>     >     Thanks,
>     >     JamO
>     >
>     >
>     >
>     >     >     1) it does not work in Boron, I get 500 Server error + NPE [1] when I try: POST
>     >     >     /restconf/operations/aaa-cert-rpc:getODLCertificate
>     >     >
>     >     > I'll give it a shot and see what I get.
>     >     >
>     >     >     Do we have an idea of what the implications of just reverting that one patch are? Is it likely to work?
>     >     >
>     >     >
>     >     > So far we haven't demonstrated that the patch does anything negative except deprecate some unsafe commands.  Although revert
>     >     > may probably be easiest from your perspective, there are a lot of people who actually push their tests upstream and avoid
>     >     > this type of skew.  Let's not start a witch hunt quite yet;  I can pull up quite a few examples of far more risque changes in
>     >     > service releases ;).
>     >     >
>     >     > Regards,
>     >     >
>     >     > Ryan Goulding
>     >     >
>     >     > On Thu, Apr 27, 2017 at 9:11 AM, Colin Dixon <colin@...> wrote:
>     >     >
>     >     >     Do we have an idea of what the implications of just reverting that one patch are? Is it likely to work?
>     >     >
>     >     >     --Colin
>     >     >
>     >     >     On Wed, Apr 26, 2017 at 11:11 PM Jamo Luhrsen <jluhrsen@...> wrote:
>     >     >
>     >     >         btw, I was also trying to help get a broken AAA CSIT job working and ran in to some
>     >     >         troubles similar symptoms [0] to what Luis is reporting (500/NPE). Luis is playing with
>     >     >         cert stuff, and my work was in user/domain auth.
>     >     >
>     >     >         anyway, wondering if something fundamental is broken?
>     >     >
>     >     >         JamO
>     >     >
>     >     >         [0] https://lists.opendaylight.org/pipermail/aaa-dev/2017-April/001280.html
>     >     >
>     >     >
>     >     >
>     >     >         On 04/26/2017 06:21 PM, Luis Gomez wrote:
>     >     >         > hi guys, I just tested old-aaa-cert feature and couple of things:
>     >     >         >
>     >     >         > 1) it does not work in Boron, I get 500 Server error + NPE [1] when I try: POST
>     >     >         /restconf/operations/aaa-cert-rpc:getODLCertificate
>     >     >         >
>     >     >         > 2) When I try in carbon I see 2 store files: ctl.jks, truststore.jks are created under ~/temp folder. Is it
>     >     >         possible to change the path for these files?
>     >     >         >
>     >     >         >
>     >     >         > [1] NPE
>     >     >         >
>     >     >         > <html>
>     >     >         >     <head>
>     >     >         >         <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"/>
>     >     >         >         <title>Error 500 Server Error</title>
>     >     >         >     </head>
>     >     >         >     <body>
>     >     >         >         <h2>HTTP ERROR 500</h2>
>     >     >         >         <p>Problem accessing /restconf/operations/aaa-cert-rpc:getODLCertificate. Reason:
>     >     >         >
>     >     >         >             <pre>    Server Error</pre>
>     >     >         >         </p>
>     >     >         >         <h3>Caused by:</h3>
>     >     >         >         <pre>java.lang.NullPointerException
>     >     >         >       at org.opendaylight.aaa.cert.impl.AaaCertRpcServiceImpl.getODLCertificate(AaaCertRpcServiceImpl.java:92)
>     >     >         >
>     >     >         >
>     >     >         >
>     >     >         >
>     >     >         >
>     >     >         >> On Apr 26, 2017, at 12:50 PM, Mohamed ElSerngawy <melserngawy@...> wrote:
>     >     >         >>
>     >     >         >> Hi Colin,
>     >     >         >>
>     >     >         >> You are not supposed to use them after the changes that we made in the patch. Basically these functionalities were
>     >     >         >> there because of the keystores need to be generated after starting ODL. But now, the keystore will be created once
>     >     >         >> you install the aaa-cert feature. Keeping these functionalities could make a serious security threat.
>     >     >         >>
>     >     >         >> BR
>     >     >         >>
>     >     >         >> On Wed, Apr 26, 2017 at 3:40 PM, Colin Dixon <colin@...> wrote:
>     >     >         >> Putting the argument about what should go in an SR aside for the moment, is there a straightforward way to access
>     >     >         >> the functionality that was provided by the removed commands? Specifically gen-odl-ks and gen-trust-ks?
>     >     >         >>
>     >     >         >> --Colin
>     >     >         >>
>     >     >         >> On Wed, Apr 26, 2017 at 3:15 PM Ryan Goulding <ryandgoulding@...> wrote:
>     >     >         >> which is probably not in the spirit of SRs
>     >     >         >>
>     >     >         >> This was done for both usability and security purposes, as I explained via Skype already.  The security advantages
>     >     >         >> alone make it justifiable IMHO.
>     >     >         >>
>     >     >         >>  While we're somewhat less strict about adding features in SRs. Taking them out without a lot of warning and
>     >     >         >>  notice is pretty much the definition of what we try to never do in SRs.
>     >     >         >>
>     >     >         >> This isn't a feature, it is CLI.
>     >     >         >>
>     >     >         >>  This patch seems to be the issue:
>     >     >         >> https://git.opendaylight.org/gerrit/#/c/51649/
>     >     >         >>
>     >     >         >> Yes, if you look at the bug actually, a member from your team commented on it [0] so I'd argue that it was at
>     >     >         >> least somewhat well known ;).  Reverting it shouldn't be particularly hard, but it could open you up to some
>     >     >         >> security issues in your downstream distro!
>     >     >         >>
>     >     >         >> Regards,
>     >     >         >>
>     >     >         >> Ryan Goulding
>     >     >         >>
>     >     >         >> [0] https://bugs.opendaylight.org/show_bug.cgi?id=7774
>     >     >         >>
>     >     >         >> On Wed, Apr 26, 2017 at 3:03 PM, Colin Dixon <colin@...> wrote:
>     >     >         >> So, in some downstream testing at Brocade we found that the AAA CLI commands were changed somewhat drastically
>     >     >         >> between Boron-SR2 and Boron-SR3, which is probably not in the spirit of SRs. While we're somewhat less strict about
>     >     >         >> adding features in SRs. Taking them out without a lot of warning and notice is pretty much the definition of what we
>     >     >         >> try to never do in SRs.
>     >     >         >>
>     >     >         >> That being said, we're trying to make the best of it and looking for help in understanding how to get the
>     >     >         functionality we rely on from AAA back in Boron-SR3.
>     >     >         >>
>     >     >         >> This patch seems to be the issue:
>     >     >         >> https://git.opendaylight.org/gerrit/#/c/51649/
>     >     >         >>
>     >     >         >> Is there somebody that can comment on how we might recover the functionality that used to be provided by the
>     >     >         >> gen-odl-ks and gen-trust-ks CLI commands? Would simply reverting that patch work or would it break other things as well?
>     >     >         >>
>     >     >         >> Thanks,
>     >     >         >> --Colin
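A CSIT-style check for the three symptoms reported in this thread (a client-supplied `domainid` that is not honoured, a user create that names an unknown domain, and a 500 page that exposes a Java exception), added here as an example and not code from the AAA project or idmtool. It runs offline on response bodies copied from the thread; the function names are hypothetical.

```python
import json
import re

# Constructed samples: request and response bodies copied from the thread.
DOMAINS_LISTING = """
{"domains": [
  {"description": "default odl sdn domain", "domainid": "sdn",
   "enabled": true, "name": "sdn"},
  {"description": "planetary domain", "domainid": "Alderaan-2017-04-12-17-31",
   "enabled": true, "name": "Alderaan-2017-04-12-17-31"},
  {"description": "BeerClubAficionado", "domainid": "RyanRocks",
   "enabled": true, "name": "RyanRocks"}
]}
"""
DOMAIN_CREATE_REQUEST = ('{"description":"BeerClubAficionado","domainid":"96",'
                         '"name":"RyanRocks","enabled":"true"}')
DOMAIN_CREATE_RESPONSE = ('{"domainid":"RyanRocks","name":"RyanRocks",'
                          '"description":"BeerClubAficionado","enabled":true}')
USER_CREATE_500 = """<html>
<head>
<title>Error 500 Server Error</title>
</head>
<body><h2>HTTP ERROR 500</h2>
<p>Problem accessing /auth/v1/users. Reason:
<pre>    Server Error</pre></p><h3>Caused by:</h3><pre>java.lang.NullPointerException
        at org.opendaylight.aaa.idm.rest.UserHandler.createUser(UserHandler.java:199)
"""

# A Java stack frame: "at package.Class.method(File.java:123)"
_FRAME = re.compile(r"^\s*at\s+([\w.$]+)\(([\w$]+\.java):(\d+)\)", re.M)
# A fully qualified exception class name such as java.lang.NullPointerException
_EXC = re.compile(r"\b((?:[a-z_]\w*\.)+[A-Z]\w*(?:Exception|Error))\b")


def known_domain_ids(listing_json):
    """Return the set of domainid values in a GET /auth/v1/domains body."""
    return {d["domainid"] for d in json.loads(listing_json).get("domains", [])}


def ignored_fields(request_json, response_json, fields=("domainid",)):
    """Map each field the client sent to (sent, returned) where the two differ."""
    req, resp = json.loads(request_json), json.loads(response_json)
    return {f: (req[f], resp.get(f))
            for f in fields if f in req and req[f] != resp.get(f)}


def preflight_user(payload_json, listing_json):
    """List client-side problems with a POST /auth/v1/users body before sending."""
    domainid = json.loads(payload_json).get("domainid")
    if domainid is None:
        return ["domainid missing"]
    if domainid not in known_domain_ids(listing_json):
        return ["domainid %r not in domain listing" % domainid]
    return []


def audit_response(status, body):
    """Flag a response whose body exposes a Java exception or stack frame."""
    exc = _EXC.search(body)
    frame = _FRAME.search(body)
    return {
        "server_error": 500 <= status <= 599,
        "exception": exc.group(1) if exc else None,
        "top_frame": "%s (%s:%s)" % frame.groups() if frame else None,
        "leaks_internals": bool(exc or frame),
    }
```

`preflight_user` passes for `"domainid":"RyanRocks"`, a request the thread reports as also returning 500, so `audit_response` on the actual reply is the check that catches that case.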




Jamo Luhrsen <jluhrsen@...>
 

so two things.

1)
I'll open a bug that we should not allow a domain create to specify the domainid.

2)
more importantly, it does not fix my NPE to *not* use a domainid when creating it.

can one of you try these three curl cmds with your setup to see if maybe I'm crazy:

curl -u "admin:admin" -X POST -d '{"description":"BeerClubAficionado1","name":"RyanRocks1","enabled":"true"}' -H "Content-Type:application/json" http://$ODL:8181/auth/v1/domains

curl -u "admin:admin" http://$ODL:8181/auth/v1/domains | python -m json.tool

curl -u "admin:admin" -X POST -d '{"description":"The Man","name":"Goulding","enabled":"true","domainid":"RyanRocks1"}' -H "Content-Type: application/json" http://$ODL:8181/auth/v1/users



JamO

On 05/04/2017 01:29 PM, Mohamed ElSerngawy wrote:
yes, I agree. I don't know why does it exist in this way

On Thu, May 4, 2017 at 4:24 PM, Ryan Goulding <ryandgoulding@...> wrote:

I'd call that a bug on our side. If we expose it we ought to honor it if it is there.

Regards,

Ryan Goulding

On Thu, May 4, 2017 at 4:21 PM, Mohamed ElSerngawy <melserngawy@...> wrote:

Hi Jamo,

You are not supposed to set the domain-id [0].

[0]
https://github.com/opendaylight/aaa/blob/master/aaa-h2-store/src/main/java/org/opendaylight/aaa/h2/persistence/DomainStore.java#L104

On Thu, May 4, 2017 at 4:11 PM, Jamo Luhrsen <jluhrsen@...> wrote:

wait, I get the sense you missed my first step where I did create a domain. I created it
with the domainid 96.

JamO

On 05/04/2017 01:00 PM, Ryan Goulding wrote:
> It's either going to be the default one (sdn) or one you created. You can find out which ones exist by:
>
> ryan@ubuntu:/code/aaa-nitrogen/karaf/target/assembly$ python bin/idmtool admin list-domains
> Password:
> list_domains
>
> command succeeded!
>
> json:
> {
>     "domains": [
>         {
>             "description": "default odl sdn domain",
>             "domainid": "sdn",
>             "enabled": true,
>             "name": "sdn"
>         }
>     ]
> }
> ryan@ubuntu:/code/aaa-nitrogen/karaf/target/assembly$
>
> *Note: it will be python etc/idmtool in Carbon since we didn't get that bug fix in in time.*
>
> OR:
>
> curl -u "admin:admin" http://$ODL:8181/auth/v1/domains | python -m json.tool
>
> if you are using raw REST
>
> Regards,
>
> Ryan Goulding
>
> On Thu, May 4, 2017 at 3:53 PM, Jamo Luhrsen <jluhrsen@...> wrote:
>
> so, when creating a domain you have to use a domain id that already exists? where do I find
> that domainid?
>
> JamO
>
> On 05/04/2017 12:51 PM, Ryan Goulding wrote:
> > The domain id "96" does not exist. Probably should be a better error message, but you need to use a domain that exists or
> > you will get internal server error.
> >
> > Regards,
> >
> > Ryan Goulding
> >
> > On Thu, Apr 27, 2017 at 5:36 PM, Jamo Luhrsen <jluhrsen@...> wrote:
> >
> > (subject changed)
> >
> > On 04/27/2017 06:34 AM, Ryan Goulding wrote:
> > > The stuff you are referring to works, JamO, and is completely orthogonal to the issue Luis reports. If you paste the exact
> > > REST call I can assist. Also, if you are curious how to use those endpoints, refer to idmtool.py, which just wraps that
> > > interface. I just tested this morning.
> >
> > yeah, if you can help me get it right I'll fix the CSIT. Still, I don't expect a 500/NPE
> > from AAA, so should that be a bug on its own?
> >
> > here's kind of my repro, if you can help me know what's wrong:
> >
> > # Create a Domain
> >
> > 14:28 $ curl -u "admin:admin" -X POST -d '{"description":"BeerClubAficionado","domainid":"96","name":"RyanRocks","enabled":"true"}' -H "Content-Type: application/json" http://$ODL:8181/auth/v1/domains
> >
> > {"domainid":"RyanRocks","name":"RyanRocks","description":"BeerClubAficionado","enabled":true}
> >
> >
> >
> > # Look at domains (question: why is domainid==name, when I gave a '96' in the create?)
> >
> >
> > 14:30 $ curl -u "admin:admin" http://$ODL:8181/auth/v1/domains | python -m json.tool
> > {
> >     "domains": [
> >         {
> >             "description": "default odl sdn domain",
> >             "domainid": "sdn",
> >             "enabled": true,
> >             "name": "sdn"
> >         },
> >         {
> >             "description": "planetary domain",
> >             "domainid": "Alderaan-2017-04-12-17-31",
> >             "enabled": true,
> >             "name": "Alderaan-2017-04-12-17-31"
> >         },
> >         {
> >             "description": "BeerClubAficionado",
> >             "domainid": "RyanRocks",
> >             "enabled": true,
> >             "name": "RyanRocks"
> >         }
> >     ]
> > }
> >
> >
> >
> > # add a user to this new domain
> > # first try is using domainid = 96, but get 500/NPE
> > # second try uses domainid = $name, but also get 500/NPE
> >
> > ✔ ~
> > 14:30 $ curl -u "admin:admin" -X POST -d '{"description":"The Man","name":"Goulding","enabled":"true","domainid":"96"}' -H "Content-Type: application/json" http://$ODL:8181/auth/v1/users
> > <html>
> > <head>
> > <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"/>
> > <title>Error 500 Server Error</title>
> > </head>
> > <body><h2>HTTP ERROR 500</h2>
> > <p>Problem accessing /auth/v1/users. Reason:
> > <pre> Server Error</pre></p><h3>Caused by:</h3><pre>java.lang.NullPointerException
> > at org.opendaylight.aaa.idm.rest.UserHandler.createUser(UserHandler.java:199)
> > ...
> > <snip>
> > ...
> >
> >
> >
> > 14:31 $ curl -u "admin:admin" -X POST -d '{"description":"The Man","name":"Goulding","enabled":"true","domainid":"RyanRocks"}' -H "Content-Type: application/json" http://$ODL:8181/auth/v1/users
> > <html>
> > <head>
> > <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"/>
> > <title>Error 500 Server Error</title>
> > </head>
> > <body><h2>HTTP ERROR 500</h2>
> > <p>Problem accessing /auth/v1/users. Reason:
> > <pre> Server Error</pre></p><h3>Caused by:</h3><pre>java.lang.NullPointerException
> > at org.opendaylight.aaa.idm.rest.UserHandler.createUser(UserHandler.java:199)
> >
> > ...
> > <snip>
> > ...
> >
> >
> > Thanks,
> > JamO
> >
> >
> >
> > > 1) it does not work in Boron, I get 500 Server error + NPE [1] when I try: POST
> > > /restconf/operations/aaa-cert-rpc:getODLCertificate
> > >
> > > I'll give it a shot and see what I get.
> > >
> > > Do we have an idea of what the implications of just reverting that one patch are? Is it likely to work?
> > >
> > >
> > > So far we haven't demonstrated that the patch does anything negative except deprecate some unsafe commands. Although revert
> > > may probably be easiest from your perspective, there are a lot of people who actually push their tests upstream and avoid
> > > this type of skew. Let's not start a witch hunt quite yet; I can pull up quite a few examples of far more risque changes in
> > > service releases ;).
> > >
> > > Regards,
> > >
> > > Ryan Goulding
> > >
> > > On Thu, Apr 27, 2017 at 9:11 AM, Colin Dixon <colin@...> wrote:
> > >
> > > Do we have an idea of what the implications of just reverting that one patch are? Is it likely to work?
> > >
> > > --Colin
> > >
> > > On Wed, Apr 26, 2017 at 11:11 PM Jamo Luhrsen <jluhrsen@...> wrote:
> > >
> > > btw, I was also trying to help get a broken AAA CSIT job working and ran in to some
> > > troubles similar symptoms [0] to what Luis is reporting (500/NPE). Luis is playing with
> > > cert stuff, and my work was in user/domain auth.
> > >
> > > anyway, wondering if something fundamental is broken?
> > >
> > > JamO
> > >
> > > [0] https://lists.opendaylight.org/pipermail/aaa-dev/2017-April/001280.html
> > >
> > >
> > >
> > > On 04/26/2017 06:21 PM, Luis Gomez wrote:
> > > > hi guys, I just tested old-aaa-cert feature and couple of things:
> > > >
> > > > 1) it does not work in Boron, I get 500 Server error + NPE [1] when I try: POST
> > > > /restconf/operations/aaa-cert-rpc:getODLCertificate
> > > >
> > > > 2) When I try in carbon I see 2 store files: ctl.jks, truststore.jks are created under ~/temp folder. Is it
> > > > possible to change the path for these files?
> > > >
> > > >
> > > > [1] NPE
> > > >
> > > > <html>
> > > > <head>
> > > > <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"/>
> > > > <title>Error 500 Server Error</title>
> > > > </head>
> > > > <body>
> > > > <h2>HTTP ERROR 500</h2>
> > > > <p>Problem accessing /restconf/operations/aaa-cert-rpc:getODLCertificate. Reason:
> > > >
> > > > <pre> Server Error</pre>
> > > > </p>
> > > > <h3>Caused by:</h3>
> > > > <pre>java.lang.NullPointerException
> > > > at org.opendaylight.aaa.cert.impl.AaaCertRpcServiceImpl.getODLCertificate(AaaCertRpcServiceImpl.java:92)
> > > > at org.opendaylight.yangtools.yang.binding.util.RpcMethodInvokerWithoutInput.invokeOn(RpcMethodInvokerWithoutInput.java:30)
> > > > at org.opendaylight.yangtools.yang.binding.util.AbstractMappedRpcInvoker.invokeRpc(AbstractMappedRpcInvoker.java:52)
> > > > at org.opendaylight.controller.md.sal.binding.impl.BindingDOMRpcImplementationAdapter.invoke(BindingDOMRpcImplementationAdapter.java:85)
> > > > at org.opendaylight.controller.md.sal.binding.impl.BindingDOMRpcImplementationAdapter.invokeRpc(BindingDOMRpcImplementationAdapter.java:72)
> > > > at org.opendaylight.controller.md.sal.dom.broker.impl.GlobalDOMRpcRoutingTableEntry.invokeRpc(GlobalDOMRpcRoutingTableEntry.java:39)
> > > > at org.opendaylight.controller.md.sal.dom.broker.impl.DOMRpcRoutingTable.invokeRpc(DOMRpcRoutingTable.java:177)
> > > > at org.opendaylight.controller.md.sal.dom.broker.impl.DOMRpcRouter.invokeRpc(DOMRpcRouter.java:102)
> > > > at Proxye69c1788_e30d_4fd8_8d29_f7f08932a9e7.invokeRpc(Unknown Source)
> > > > at org.opendaylight.netconf.sal.restconf.impl.BrokerFacade.invokeRpc(BrokerFacade.java:506)
> > > > at org.opendaylight.netconf.sal.restconf.impl.RestconfImpl.invokeRpc(RestconfImpl.java:464)
> > > > at org.opendaylight.netconf.sal.restconf.impl.StatisticsRestconfServiceWrapper.invokeRpc(StatisticsRestconfServiceWrapper.java:83)
> > > > at org.opendaylight.netconf.sal.rest.impl.RestconfCompositeWrapper.invokeRpc(RestconfCompositeWrapper.java:64)
> > > > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> > > > at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> > > > at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> > > > at java.lang.reflect.Method.invoke(Method.java:498)
> > > > at com.sun.jersey.spi.container.JavaMethodInvokerFactory$1.invoke(JavaMethodInvokerFactory.java:60)
> > > > at com.sun.jersey.server.impl.model.method.dispatch.AbstractResourceMethodDispatchProvider$TypeOutInvoker._dispatch(AbstractResourceMethodDispatchProvider.java:185)
> > > > at com.sun.jersey.server.impl.model.method.dispatch.ResourceJavaMethodDispatcher.dispatch(ResourceJavaMethodDispatcher.java:75)
> > > > at com.sun.jersey.server.impl.uri.rules.HttpMethodRule.accept(HttpMethodRule.java:302)
> > > > at com.sun.jersey.server.impl.uri.rules.RightHandPathRule.accept(RightHandPathRule.java:147)
> > > > at com.sun.jersey.server.impl.uri.rules.ResourceObjectRule.accept(ResourceObjectRule.java:100)
> > > > at com.sun.jersey.server.impl.uri.rules.RightHandPathRule.accept(RightHandPathRule.java:147)
> > > > at com.sun.jersey.server.impl.uri.rules.RootResourceClassesRule.accept(RootResourceClassesRule.java:84)
> > > > at com.sun.jersey.server.impl.application.WebApplicationImpl._handleRequest(WebApplicationImpl.java:1511)
> > > > at com.sun.jersey.server.impl.application.WebApplicationImpl._handleRequest(WebApplicationImpl.java:1442)
> > > > at com.sun.jersey.server.impl.application.WebApplicationImpl.handleRequest(WebApplicationImpl.java:1391)
> > > > at com.sun.jersey.server.impl.application.WebApplicationImpl.handleRequest(WebApplicationImpl.java:1381)
> > > > at com.sun.jersey.spi.container.servlet.WebComponent.service(WebComponent.java:416)
> > > > at com.sun.jersey.spi.container.servlet.ServletContainer.service(ServletContainer.java:538)
> > > > at com.sun.jersey.spi.container.servlet.ServletContainer.service(ServletContainer.java:716)
> > > > at javax.servlet.http.HttpServlet.service(HttpServlet.java:668)
> > > > at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:684)
> > > > at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1507)
> > > > at org.eclipse.jetty.servlets.CrossOriginFilter.handle(CrossOriginFilter.java:247)
> > > > at org.eclipse.jetty.servlets.CrossOriginFilter.doFilter(CrossOriginFilter.java:210)
> > > > at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1478)
> > > > at org.eclipse.jetty.servlets.UserAgentFilter.doFilter(UserAgentFilter.java:82)
> > > > at org.eclipse.jetty.servlets.GzipFilter.doFilter(GzipFilter.java:256)
> > > > at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1478)
> > > > at org.opendaylight.aaa.filterchain.filters.CustomFilterAdapter.doFilter(CustomFilterAdapter.java:85)
> > > > at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1478)
> > > > at org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:61)
> > > > at org.apache.shiro.web.servlet.AdviceFilter.executeChain(AdviceFilter.java:108)
> > > > at org.apache.shiro.web.servlet.AdviceFilter.doFilterInternal(AdviceFilter.java:137)
> > > > at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)
> > > > at org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:66)
> > > > at org.apache.shiro.web.servlet.AdviceFilter.executeChain(AdviceFilter.java:108)
> > > > at org.apache.shiro.web.servlet.AdviceFilter.doFilterInternal(AdviceFilter.java:137)
> > > > at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)
> > > > at org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:66)
> > > > at org.apache.shiro.web.servlet.AbstractShiroFilter.executeChain(AbstractShiroFilter.java:449)
> > > > at org.apache.shiro.web.servlet.AbstractShiroFilter$1.call(AbstractShiroFilter.java:365)
> > > > at org.apache.shiro.subject.support.SubjectCallable.doCall(SubjectCallable.java:90)
> > > > at org.apache.shiro.subject.support.SubjectCallable.call(SubjectCallable.java:83)
> > > > at org.apache.shiro.subject.support.DelegatingSubject.execute(DelegatingSubject.java:383)
> > > > at org.apache.shiro.web.servlet.AbstractShiroFilter.doFilterInternal(AbstractShiroFilter.java:362)
> > > > at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)
> > > > at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1478)
> > > > at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:499)
> > > > at org.ops4j.pax.web.service.jetty.internal.HttpServiceServletHandler.doHandle(HttpServiceServletHandler.java:69)
> > > > at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:137)
> > > > at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:557)
> > > > at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:231)
> > > > at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1086)
> > > > at org.ops4j.pax.web.service.jetty.internal.HttpServiceContext.doHandle(HttpServiceContext.java:240)
> > > > at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:427)
> > > > at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:193)
> > > > at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1020)
> > > > at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:135)
> > > > at org.ops4j.pax.web.service.jetty.internal.JettyServerHandlerCollection.handle(JettyServerHandlerCollection.java:75)
> > > > at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:116)
> > > > at org.eclipse.jetty.server.Server.handle(Server.java:370)
> > > > at org.eclipse.jetty.server.AbstractHttpConnection.handleRequest(AbstractHttpConnection.java:494)
> > > > at org.eclipse.jetty.server.AbstractHttpConnection.headerComplete(AbstractHttpConnection.java:973)
> > > > at org.eclipse.jetty.server.AbstractHttpConnection$RequestHandler.headerComplete(AbstractHttpConnection.java:1035)
> > > > at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:641)
> > > > at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:231)
> > > > at org.eclipse.jetty.server.AsyncHttpConnection.handle(AsyncHttpConnection.java:82)
> > > > at org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEndPoint.java:696)
> > > > at org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEndPoint.java:53)
> > > > at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:608)
> > > > at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:543)
> > > > at java.lang.Thread.run(Thread.java:745)
> > > >
> > > >
> > > >
> > > >
> > > >
> > > >> On Apr 26, 2017, at 12:50 PM, Mohamed ElSerngawy <melserngawy@...> wrote:
> > > >>
> > > >> Hi Colin,
> > > >>
> > > >> You are not supposed to use them after the changes that we made in the patch. Basically these functionalities were
> > > >> there because of the keystores need to be generated after starting ODL. But now, the keystore will be created once
> > > >> you install the aaa-cert feature. Keeping these functionalities could make a serious security threat.
> > > >>
> > > >> BR
> > > >>
> > > >> On Wed, Apr 26, 2017 at 3:40 PM, Colin Dixon <colin@...> wrote:
> > > >> Putting the argument about what should go in an SR aside for the moment, is there a straightforward way to access
> > > >> the functionality that was provided by the removed commands? Specifically gen-odl-ks and gen-trust-ks?
> > > >>
> > > >> --Colin
> > > >>
> > > >> On Wed, Apr 26, 2017 at 3:15 PM Ryan Goulding <ryandgoulding@...> wrote:
> > > >> which is probably not in the spirit of SRs
> > > >>
> > > >> This was done for both usability and security purposes, as I explained via Skype already. The security advantages
> > > >> alone make it justifiable IMHO.
> > > >>
> > > >> While we're somewhat less strict about adding features in SRs. Taking them out without a lot of warning and
> > > >> notice is pretty much the definition of what we try to never do in SRs.
> > > >>
> > > >> This isn't a feature, it is CLI.
> > > >>
> > > >> This patch seems to be the issue:
> > > >> https://git.opendaylight.org/gerrit/#/c/51649/
> > > >>
> > > >> Yes, if you look at the bug actually, a member from your team commented on it [0] so I'd argue that it was at
> > > >> least somewhat well known ;). Reverting it shouldn't be particularly hard, but it could open you up to some
> > > >> security issues in your downstream distro!
> > > >>
> > > >> Regards,
> > > >>
> > > >> Ryan Goulding
> > > >>
> > > >> [0] https://bugs.opendaylight.org/show_bug.cgi?id=7774
> > > >>
> > > >> On Wed, Apr 26, 2017 at 3:03 PM, Colin Dixon <colin@...> wrote:
> > > >> So, in some downstream testing at Brocade we found that the AAA CLI commands were changed somewhat drastically
> > > >> between Boron-SR2 and Boron-SR3, which is probably not in the spirit of SRs. While we're somewhat less strict about
> > > >> adding features in SRs. Taking them out without a lot of warning and notice is pretty much the definition of what we
> > > >> try to never do in SRs.
> > > >>
> > > >> That being said, we're trying to make the best of it and looking for help in understanding how to get the
> > > >> functionality we rely on from AAA back in Boron-SR3.
> > > >>
> > > >> This patch seems to be the issue:
> > > >> https://git.opendaylight.org/gerrit/#/c/51649/
> > > >>
> > > >> Is there somebody that can comment on how we might recover the functionality that used to be provided by the
> > > >> gen-odl-ks and gen-trust-ks CLI commands? Would simply reverting that patch work or would it break other things
> > > >> as well?
> > > >>
> > > >> Thanks,
> > > >> --Colin
> > > >>
> > > >>
> > > >> _______________________________________________
> > > >> aaa-dev mailing list
> > > >> aaa-dev@...
> > > >> https://lists.opendaylight.org/mailman/listinfo/aaa-dev
> > > >>
> > > >>
> > > >>
> > > >
> > > >
> > >
> > >
> > >
> > >
> >
> >
>
>
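The repro quoted above has POST /auth/v1/users answering a caller mistake with a 500 and a Java stack trace. The following is an added Python model (not AAA's code and not part of the original messages) that contrasts an unvalidated handler with one that rejects bad input with a 4xx, and adds a body check a CSIT-style test could run; the field rules, status codes and function names are assumptions of this example.

```python
import json
import re

# Constructed sample shaped like the GET /auth/v1/domains output in the thread.
DOMAINS_RESPONSE = json.loads("""
{"domains": [
  {"description": "default odl sdn domain", "domainid": "sdn", "enabled": true, "name": "sdn"},
  {"description": "BeerClubAficionado", "domainid": "RyanRocks", "enabled": true, "name": "RyanRocks"}
]}
""")

# Constructed sample: the first lines of the 500 page quoted in the thread.
SAMPLE_500_BODY = """<h2>HTTP ERROR 500</h2>
<pre>java.lang.NullPointerException
    at org.opendaylight.aaa.idm.rest.UserHandler.createUser(UserHandler.java:199)"""

# Assumption: which fields are mandatory and which get a default. The real
# rules live in the AAA handler, which the thread does not show.
REQUIRED_FIELDS = ("name", "domainid")
DEFAULTED_FIELDS = {"description": "", "email": "", "password": ""}

STACK_TRACE = re.compile(
    r"java\.lang\.\w+(?:Exception|Error)|\bat\s+[\w.$]+\([\w$]+\.java:\d+\)"
)


def index_domains(domains_response):
    """Map each stored domainid to its record."""
    return {d["domainid"]: d for d in domains_response.get("domains", [])}


def naive_create_user(payload, domains):
    """Unvalidated model: a missing field or unknown domain is dereferenced."""
    try:
        domain = domains.get(payload.get("domainid"))   # None when unknown
        user = {
            "name": payload.get("name").strip(),
            "email": payload.get("email").strip(),      # None when omitted
            "domainid": domain["domainid"],
        }
        return 201, user
    except (AttributeError, TypeError) as exc:
        # Stand-in for the servlet container turning the crash into a 500.
        return 500, {"error": type(exc).__name__}


def create_user(payload, domains):
    """Validate before use and answer caller mistakes with a 4xx."""
    if not isinstance(payload, dict):
        return 400, {"error": "request body must be a JSON object"}
    missing = [f for f in REQUIRED_FIELDS
               if not isinstance(payload.get(f), str) or not payload[f].strip()]
    if missing:
        return 400, {"error": "missing or empty field(s): " + ", ".join(missing)}
    if payload["domainid"] not in domains:
        return 404, {"error": "domain does not exist"}
    user = {}
    for field, default in DEFAULTED_FIELDS.items():
        value = payload.get(field)
        user[field] = value if isinstance(value, str) else default
    user["name"] = payload["name"].strip()
    user["domainid"] = payload["domainid"]
    user["enabled"] = str(payload.get("enabled", "true")).lower() == "true"
    return 201, user


def leaks_stack_trace(body_text):
    """True when a response body exposes Java exception or frame details."""
    return bool(STACK_TRACE.search(body_text))
```

A regression test can call `leaks_stack_trace` on every non-2xx body it receives, so a handler crash shows up as a test failure rather than as an unexplained 500.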




Ryan Goulding <ryandgoulding@...>
 

Created [0] and submitted patch [1].  Basically, idmtool.py fills in an email in the request with an empty string.  However, the rest endpoint had a bug that we didn't notice since most people just use idmtool.py (if email not provided, NPE occurs).

On Thu, May 4, 2017 at 4:35 PM, Jamo Luhrsen <jluhrsen@...> wrote:
so two things.

1)
I'll open a bug that we should not allow a domain create to specify the domainid.

2)
more importantly, it does not fix my NPE to *not* use a domainid when creating it.

can one of you try these three curl cmds with your setup to see if maybe I'm crazy:

curl -u "admin:admin" -X POST -d '{"description":"BeerClubAficionado1","name":"RyanRocks1","enabled":"true"}' -H "Content-Type:application/json" http://$ODL:8181/auth/v1/domains

curl -u "admin:admin" http://$ODL:8181/auth/v1/domains | python -m json.tool

curl -u "admin:admin" -X POST -d '{"description":"The Man","name":"Goulding","enabled":"true","domainid":"RyanRocks1"}' -H "Content-Type: application/json" http://$ODL:8181/auth/v1/users



JamO




On 05/04/2017 01:29 PM, Mohamed ElSerngawy wrote:
> yes, I agree. I don't know why does it exist in this way
>
> On Thu, May 4, 2017 at 4:24 PM, Ryan Goulding <ryandgoulding@...> wrote:
>
>     I'd call that a bug on our side.  If we expose it we ought to honor it if it is there.
>
>     Regards,
>
>     Ryan Goulding
>
>     On Thu, May 4, 2017 at 4:21 PM, Mohamed ElSerngawy <melserngawy@...> wrote:
>
>         Hi Jamo,
>
>         You are not supposed to set the domain-id [0].
>
>         [0]
>         https://github.com/opendaylight/aaa/blob/master/aaa-h2-store/src/main/java/org/opendaylight/aaa/h2/persistence/DomainStore.java#L104
>
>         On Thu, May 4, 2017 at 4:11 PM, Jamo Luhrsen <jluhrsen@...> wrote:
>
>             wait, I get the sense you missed my first step where I did create a domain. I created it
>             with the domainid 96.
>
>             JamO
>
>             On 05/04/2017 01:00 PM, Ryan Goulding wrote:
>             > It's either going to be the default one (sdn) or one you created.  You can find out which ones exist by:
>             >
>             > ryan@ubuntu:/code/aaa-nitrogen/karaf/target/assembly$ python bin/idmtool admin list-domains
>             > Password:
>             > list_domains
>             >
>             > command succeeded!
>             >
>             > json:
>             > {
>             >     "domains": [
>             >         {
>             >             "description": "default odl sdn domain",
>             >             "domainid": "sdn",
>             >             "enabled": true,
>             >             "name": "sdn"
>             >         }
>             >     ]
>             > }
>             > ryan@ubuntu:/code/aaa-nitrogen/karaf/target/assembly$
>             >
>             > *Note:  it will be python etc/idmtool in Carbon since we didn't get that bug fix in in time.*
>             >
>             > OR:
>             >
>             > curl -u "admin:admin" http://$ODL:8181/auth/v1/domains | python -m json.tool
>             >
>             > if you are using raw REST
>             >
>             > Regards,
>             >
>             > Ryan Goulding
>             >
>             > On Thu, May 4, 2017 at 3:53 PM, Jamo Luhrsen <jluhrsen@...> wrote:
>             >
>             >     so, when creating a domain you have to use a domain id that already exists? where do I find
>             >     that domainid?
>             >
>             >     JamO
>             >
>             >     On 05/04/2017 12:51 PM, Ryan Goulding wrote:
>             >     > The domain id "96" does not exist.  Probably should be a better error message, but you need to use a domain that exists or
>             >     > you will get internal server error.
>             >     >
>             >     > Regards,
>             >     >
>             >     > Ryan Goulding
>             >     >
>             >     > On Thu, Apr 27, 2017 at 5:36 PM, Jamo Luhrsen <jluhrsen@...> wrote:
>             >     >
>             >     >     (subject changed)
>             >     >
>             >     >     On 04/27/2017 06:34 AM, Ryan Goulding wrote:
>             >     >     > The stuff you are referring to works, JamO, and is completely orthogonal to the issue Luis reports.  If you paste the exact
>             >     >     > REST call I can assist.  Also, if you are curious how to use those endpoints, refer to idmtool.py, which just wraps that
>             >     >     > interface.  I just tested this morning.
>             >     >
>             >     >     yeah, if you can help me get it right I'll fix the CSIT. Still, I don't expect a 500/NPE
>             >     >     from AAA, so should that be a bug on its own?
>             >     >
>             >     >     here's kind of my repro, if you can help me know what's wrong:
>             >     >
>             >     >     # Create a Domain
>             >     >
>             >     >     14:28 $ curl -u "admin:admin" -X POST -d '{"description":"BeerClubAficionado","domainid":"96","name":"RyanRocks","enabled":"true"}' -H "Content-Type: application/json" http://$ODL:8181/auth/v1/domains
>             >     >
>             >     >     {"domainid":"RyanRocks","name":"RyanRocks","description":"BeerClubAficionado","enabled":true}
>             >     >
>             >     >
>             >     >
>             >     >     # Look at domains (question: why is domainid==name, when I gave a '96' in the create?)
>             >     >
>             >     >
>             >     >     14:30 $ curl -u "admin:admin" http://$ODL:8181/auth/v1/domains | python -m json.tool
>             >     >     {
>             >     >         "domains": [
>             >     >             {
>             >     >                 "description": "default odl sdn domain",
>             >     >                 "domainid": "sdn",
>             >     >                 "enabled": true,
>             >     >                 "name": "sdn"
>             >     >             },
>             >     >             {
>             >     >                 "description": "planetary domain",
>             >     >                 "domainid": "Alderaan-2017-04-12-17-31",
>             >     >                 "enabled": true,
>             >     >                 "name": "Alderaan-2017-04-12-17-31"
>             >     >             },
>             >     >             {
>             >     >                 "description": "BeerClubAficionado",
>             >     >                 "domainid": "RyanRocks",
>             >     >                 "enabled": true,
>             >     >                 "name": "RyanRocks"
>             >     >             }
>             >     >         ]
>             >     >     }
>             >     >
>             >     >
>             >     >
>             >     >     # add a user to this new domain
>             >     >     # first try is using domainid = 96, but get 500/NPE
>             >     >     # second try uses domainid = $name, but also get 500/NPE
>             >     >
>             >     >     ✔ ~
>             >     >     14:30 $ curl -u "admin:admin" -X POST -d '{"description":"The Man","name":"Goulding","enabled":"true","domainid":"96"}' -H "Content-Type: application/json" http://$ODL:8181/auth/v1/users
>             >     >     <html>
>             >     >     <head>
>             >     >     <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"/>
>             >     >     <title>Error 500 Server Error</title>
>             >     >     </head>
>             >     >     <body><h2>HTTP ERROR 500</h2>
>             >     >     <p>Problem accessing /auth/v1/users. Reason:
>             >     >     <pre>    Server Error</pre></p><h3>Caused by:</h3><pre>java.lang.NullPointerException
>             >     >             at org.opendaylight.aaa.idm.rest.UserHandler.createUser(UserHandler.java:199)
>             >     >     ...
>             >     >     <snip>
>             >     >     ...
>             >     >
>             >     >
>             >     >
>             >     >     14:31 $ curl -u "admin:admin" -X POST -d '{"description":"The Man","name":"Goulding","enabled":"true","domainid":"RyanRocks"}' -H "Content-Type: application/json" http://$ODL:8181/auth/v1/users
>             >     >     <html>
>             >     >     <head>
>             >     >     <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"/>
>             >     >     <title>Error 500 Server Error</title>
>             >     >     </head>
>             >     >     <body><h2>HTTP ERROR 500</h2>
>             >     >     <p>Problem accessing /auth/v1/users. Reason:
>             >     >     <pre>    Server Error</pre></p><h3>Caused by:</h3><pre>java.lang.NullPointerException
>             >     >             at org.opendaylight.aaa.idm.rest.UserHandler.createUser(UserHandler.java:199)
>             >     >
>             >     >     ...
>             >     >     <snip>
>             >     >     ...
>             >     >
>             >     >
>             >     >     Thanks,
>             >     >     JamO
>             >     >
>             >     >
>             >     >
>             >     >     >     1) it does not work in Boron, I get 500 Server error + NPE [1] when I try: POST
>             >     >     >     /restconf/operations/aaa-cert-rpc:getODLCertificate
>             >     >     >
>             >     >     > I'll give it a shot and see what I get.
>             >     >     >
>             >     >     >     Do we have an idea of what the implications of just reverting that one patch are? Is it likely to work?
>             >     >     >
>             >     >     >
>             >     >     > So far we haven't demonstrated that the patch does anything negative except deprecate some unsafe commands.  Although revert
>             >     >     > may probably be easiest from your perspective, there are a lot of people who actually push their tests upstream and avoid
>             >     >     > this type of skew.  Let's not start a witch hunt quite yet;  I can pull up quite a few examples of far more risque changes in
>             >     >     > service releases ;).
>             >     >     >
>             >     >     > Regards,
>             >     >     >
>             >     >     > Ryan Goulding
>             >     >     >
>             >     >     > On Thu, Apr 27, 2017 at 9:11 AM, Colin Dixon <colin@...> wrote:
>             >     >     >
>             >     >     >     Do we have an idea of what the implications of just reverting that one patch are? Is it likely to work?
>             >     >     >
>             >     >     >     --Colin
>             >     >     >
>             >     >     >     On Wed, Apr 26, 2017 at 11:11 PM Jamo Luhrsen <jluhrsen@...> wrote:
>             >     >     >
>             >     >     >         btw, I was also trying to help get a broken AAA CSIT job working and ran into some
>             >     >     >         troubles with similar symptoms [0] to what Luis is reporting (500/NPE). Luis is playing with
>             >     >     >         cert stuff, and my work was in user/domain auth.
>             >     >     >
>             >     >     >         anyway, wondering if something fundamental is broken?
>             >     >     >
>             >     >     >         JamO
>             >     >     >
>             >     >     >         [0] https://lists.opendaylight.org/pipermail/aaa-dev/2017-April/001280.html
>             >     >     >
>             >     >     >
>             >     >     >
>             >     >     >         On 04/26/2017 06:21 PM, Luis Gomez wrote:
>             >     >     >         > hi guys, I just tested old-aaa-cert feature and couple of things:
>             >     >     >         >
>             >     >     >         > 1) it does not work in Boron, I get 500 Server error + NPE [1] when I try: POST /restconf/operations/aaa-cert-rpc:getODLCertificate
>             >     >     >         >
>             >     >     >         > 2) When I try in carbon I see 2 store files: ctl.jks, truststore.jks are created under ~/temp folder. Is it possible to change the path for these files?
>             >     >     >         >
>             >     >     >         >
>             >     >     >         > [1] NPE
>             >     >     >         >
>             >     >     >         > <html>
>             >     >     >         >     <head>
>             >     >     >         >         <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"/>
>             >     >     >         >         <title>Error 500 Server Error</title>
>             >     >     >         >     </head>
>             >     >     >         >     <body>
>             >     >     >         >         <h2>HTTP ERROR 500</h2>
>             >     >     >         >         <p>Problem accessing /restconf/operations/aaa-cert-rpc:getODLCertificate. Reason:
>             >     >     >         >
>             >     >     >         >             <pre>    Server Error</pre>
>             >     >     >         >         </p>
>             >     >     >         >         <h3>Caused by:</h3>
>             >     >     >         >         <pre>java.lang.NullPointerException
>             >     >     >         >       at org.opendaylight.aaa.cert.impl.AaaCertRpcServiceImpl.getODLCertificate(AaaCertRpcServiceImpl.java:92)
>             >     >     >         >
>             >     >     >         >
>             >     >     >         >
>             >     >     >         >
>             >     >     >         >
>             >     >     >         >> On Apr 26, 2017, at 12:50 PM, Mohamed ElSerngawy <melserngawy@...> wrote:
>             >     >     >         >>
>             >     >     >         >> Hi Colin,
>             >     >     >         >>
>             >     >     >         >> You are not supposed to use them after the changes that we made in the patch. Basically these functionalities were
>             >     >     >         >> there because the keystores need to be generated after starting ODL. But now, the keystore will be created once
>             >     >     >         >> you install the aaa-cert feature. Keeping these functionalities could make a serious security threat.
>             >     >     >         >>
>             >     >     >         >> BR
>             >     >     >         >>
>             >     >     >         >> On Wed, Apr 26, 2017 at 3:40 PM, Colin Dixon <colin@...> wrote:
>             >     >     >         >> Putting the argument about what should go in an SR aside for the moment, is there a straightforward way to access
>             >     >     >         >> the functionality that was provided by the removed commands? Specifically gen-odl-ks and gen-trust-ks?
>             >     >     >         >>
>             >     >     >         >> --Colin
>             >     >     >         >>
>             >     >     >         >> On Wed, Apr 26, 2017 at 3:15 PM Ryan Goulding <ryandgoulding@...> wrote:
>             >     >     >         >> which is probably not in the spirit of SRs
>             >     >     >         >>
>             >     >     >         >> This was done for both usability and security purposes, as I explained via Skype already.  The security advantages
>             >     >     >         >> alone make it justifiable IMHO.
>             >     >     >         >>
>             >     >     >         >>  While we're somewhat less strict about adding features in SRs. Taking them out without a lot of warning and
>             >     >     >         >>  notice is pretty much the definition of what we try to never do in SRs.
>             >     >     >         >>
>             >     >     >         >> This isn't a feature, it is CLI.
>             >     >     >         >>
>             >     >     >         >>  This patch seems to be the issue:
>             >     >     >         >> https://git.opendaylight.org/gerrit/#/c/51649/
>             >     >     >         >>
>             >     >     >         >> Yes, if you look at the bug actually, a member from your team commented on it [0] so I'd argue that it was at
>             >     >     >         >> least somewhat well known ;).  Reverting it shouldn't be particularly hard, but it could open you up to some
>             >     >     >         >> security issues in your downstream distro!
>             >     >     >         >>
>             >     >     >         >> Regards,
>             >     >     >         >>
>             >     >     >         >> Ryan Goulding
>             >     >     >         >>
>             >     >     >         >> [0] https://bugs.opendaylight.org/show_bug.cgi?id=7774
>             >     >     >         >>
>             >     >     >         >> On Wed, Apr 26, 2017 at 3:03 PM, Colin Dixon <colin@...> wrote:
>             >     >     >         >> So, in some downstream testing at Brocade we found that the AAA CLI commands were changed somewhat drastically
>             >     >     >         >> between Boron-SR2 and Boron-SR3, which is probably not in the spirit of SRs. While we're somewhat less strict about
>             >     >     >         >> adding features in SRs. Taking them out without a lot of warning and notice is pretty much the definition of what we
>             >     >     >         >> try to never do in SRs.
>             >     >     >         >>
>             >     >     >         >> That being said, we're trying to make the best of it and looking for help in
>             understanding how to get the
>             >     >     >         functionality we rely on from AAA back in Boron-SR3.
>             >     >     >         >>
>             >     >     >         >> This patch seems to be the issue:
>             >     >     >         >> https://git.opendaylight.org/gerrit/#/c/51649/
>             >     >     >         >>
>             >     >     >         >> Is there somebody that can comment on how we might recover the functionality that used to be provided by the gen-odl-ks and gen-trust-ks CLI commands? Would simply reverting that patch work or would it break other things as well?
>             >     >     >         >>
>             >     >     >         >> Thanks,
>             >     >     >         >> --Colin
>             >     >     >         >>
>             >     >     >         >>
>             >     >     >         >> _______________________________________________
>             >     >     >         >> aaa-dev mailing list
>             >     >     >         >> aaa-dev@... <mailto:aaa-dev@lists.opendaylight.org>
>             >     >     >         >> https://lists.opendaylight.org/mailman/listinfo/aaa-dev


Ryan Goulding <ryandgoulding@...>
 


Regards,

Ryan Goulding

On Thu, May 4, 2017 at 4:52 PM, Ryan Goulding <ryandgoulding@...> wrote:
Created [0] and submitted patch [1].  Basically, idmtool.py fills in an email in the request with an empty string.  However, the REST endpoint had a bug that we didn't notice since most people just use idmtool.py (if email not provided, NPE occurs).

Regards,

Ryan Goulding
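
The failure described in the message above (a 500 when the request omits "email", and likewise when "domainid" names a domain that does not exist) comes down to a handler using request fields without checking them. The Python model below is an added illustration, not code from this thread or from the AAA project; the handler names, the in-memory DOMAINS store and the status codes chosen for each error are assumptions.

```python
import json

# Constructed in-memory stand-in for the identity store. "sdn" is the default
# domain shown in the thread; "RyanRocks1" is the one created by the curl call.
DOMAINS = {"sdn": {"enabled": True}, "RyanRocks1": {"enabled": True}}


class BadRequest(Exception):
    """Client error carrying an HTTP status and a message that is safe to return."""

    def __init__(self, status, message):
        super().__init__(message)
        self.status = status
        self.message = message


def create_user_unchecked(user):
    """Failure mode from the thread: request fields are used without any checks."""
    email = user.get("email")              # None when the client omits the field
    record = {
        "name": user["name"],
        "domainid": user["domainid"],
        "email": email.strip(),            # AttributeError on None, the analogue of the NPE
    }
    DOMAINS[record["domainid"]]            # KeyError for an unknown domain such as "96"
    return record


def _text(user, field, required):
    """Return a trimmed string field, defaulting optional ones to ''."""
    value = user.get(field)
    if value is None:
        if required:
            raise BadRequest(400, f"missing required field '{field}'")
        return ""                          # the default idmtool.py sends, per the thread
    if not isinstance(value, str):
        raise BadRequest(400, f"field '{field}' must be a string")
    value = value.strip()
    if required and not value:
        raise BadRequest(400, f"field '{field}' must not be empty")
    return value


def _flag(user, field, default=True):
    """Accept a JSON boolean or the string form used in the thread's curl calls."""
    value = user.get(field, default)
    if isinstance(value, bool):
        return value
    if isinstance(value, str) and value.lower() in ("true", "false"):
        return value.lower() == "true"
    raise BadRequest(400, f"field '{field}' must be true or false")


def create_user_validated(user):
    """Same operation with every field checked before it is used."""
    if not isinstance(user, dict):
        raise BadRequest(400, "request body must be a JSON object")
    record = {
        "name": _text(user, "name", required=True),
        "domainid": _text(user, "domainid", required=True),
        "description": _text(user, "description", required=False),
        "email": _text(user, "email", required=False),
        "enabled": _flag(user, "enabled"),
    }
    if record["domainid"] not in DOMAINS:
        raise BadRequest(404, f"domain '{record['domainid']}' does not exist")
    return record


def dispatch(handler, body):
    """Minimal container: parse the body, run the handler, map errors to a status."""
    try:
        user = json.loads(body)
    except ValueError:
        return 400, {"error": "body is not valid JSON"}
    try:
        return 201, handler(user)
    except BadRequest as exc:
        return exc.status, {"error": exc.message}
    except Exception:
        # The responses in the thread put the Java stack trace in the 500 body;
        # here the detail stays server-side and the client gets a fixed message.
        return 500, {"error": "internal server error"}


if __name__ == "__main__":
    # Payload taken from the thread's third curl command (no "email" field).
    payload = ('{"description":"The Man","name":"Goulding",'
               '"enabled":"true","domainid":"RyanRocks1"}')
    print(dispatch(create_user_unchecked, payload))
    print(dispatch(create_user_validated, payload))
```
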


On Thu, May 4, 2017 at 4:35 PM, Jamo Luhrsen <jluhrsen@...> wrote:
so two things.

1)
I'll open a bug that we should not allow a domain create to specify the domainid.

2)
more importantly, it does not fix my NPE to *not* use a domainid when creating it.

can one of you try these three curl cmds with your setup to see if maybe I'm crazy:

curl -u "admin:admin" -X POST -d '{"description":"BeerClubAficionado1","name":"RyanRocks1","enabled":"true"}' -H "Content-Type:application/json" http://$ODL:8181/auth/v1/domains

curl -u "admin:admin" http://$ODL:8181/auth/v1/domains | python -m json.tool

curl -u "admin:admin" -X POST -d '{"description":"The Man","name":"Goulding","enabled":"true","domainid":"RyanRocks1"}' -H "Content-Type: application/json" http://$ODL:8181/auth/v1/users



JamO




On 05/04/2017 01:29 PM, Mohamed ElSerngawy wrote:
> yes, I agree. I don't know why it exists in this way
>
> On Thu, May 4, 2017 at 4:24 PM, Ryan Goulding <ryandgoulding@...> wrote:
>
>     I'd call that a bug on our side.  If we expose it we ought to honor it if it is there.
>
>     Regards,
>
>     Ryan Goulding
>
>     On Thu, May 4, 2017 at 4:21 PM, Mohamed ElSerngawy <melserngawy@...> wrote:
>
>         Hi Jamo,
>
>         You are not supposed to set the domain-id [0].
>
>         [0]
>         https://github.com/opendaylight/aaa/blob/master/aaa-h2-store/src/main/java/org/opendaylight/aaa/h2/persistence/DomainStore.java#L104
>
>         On Thu, May 4, 2017 at 4:11 PM, Jamo Luhrsen <jluhrsen@...> wrote:
>
>             wait, I get the sense you missed my first step where I did create a domain. I created it
>             with the domainid 96.
>
>             JamO
>
>             On 05/04/2017 01:00 PM, Ryan Goulding wrote:
>             > It's either going to be the default one (sdn) or one you created.  You can find out which ones exist by:
>             >
>             > ryan@ubuntu:/code/aaa-nitrogen/karaf/target/assembly$ python bin/idmtool admin list-domains
>             > Password:
>             > list_domains
>             >
>             > command succeeded!
>             >
>             > json:
>             > {
>             >     "domains": [
>             >         {
>             >             "description": "default odl sdn domain",
>             >             "domainid": "sdn",
>             >             "enabled": true,
>             >             "name": "sdn"
>             >         }
>             >     ]
>             > }
>             > ryan@ubuntu:/code/aaa-nitrogen/karaf/target/assembly$
>             >
>             > *Note:  it will be python etc/idmtool in Carbon since we didn't get that bug fix in in time.*
>             >
>             > OR:
>             >
>             > curl -u "admin:admin" http://$ODL:8181/auth/v1/domains | python -m json.tool
>             >
>             > if you are using raw REST
>             >
>             > Regards,
>             >
>             > Ryan Goulding
>             >
>             > On Thu, May 4, 2017 at 3:53 PM, Jamo Luhrsen <jluhrsen@...> wrote:
>             >
>             >     so, when creating a domain you have to use a domain id that already exists? where do I find
>             >     that domainid?
>             >
>             >     JamO
>             >
>             >     On 05/04/2017 12:51 PM, Ryan Goulding wrote:
>             >     > The domain id "96" does not exist.  Probably should be a better error message, but you need to use a domain that exists or
>             >     > you will get internal server error.
>             >     >
>             >     > Regards,
>             >     >
>             >     > Ryan Goulding
>             >     >
>             >     > On Thu, Apr 27, 2017 at 5:36 PM, Jamo Luhrsen <jluhrsen@...> wrote:
>             >     >
>             >     >     (subject changed)
>             >     >
>             >     >     On 04/27/2017 06:34 AM, Ryan Goulding wrote:
>             >     >     > The stuff you are referring to works, JamO, and is completely orthogonal to the issue Luis reports.  If you paste the exact
>             >     >     > REST call I can assist.  Also, if you are curious how to use those endpoints, refer to idmtool.py, which just wraps that
>             >     >     > interface.  I just tested this morning.
>             >     >
>             >     >     yeah, if you can help me get it right I'll fix the CSIT. Still, I don't expect a 500/NPE
>             >     >     from AAA, so should that be a bug on its own?
>             >     >
>             >     >     here's kind of my repro, if you can help me know what's wrong:
>             >     >
>             >     >     # Create a Domain
>             >     >
>             >     >     14:28 $ curl -u "admin:admin" -X POST -d '{"description":"BeerClubAficionado","domainid":"96","name":"RyanRocks","enabled":"true"}' -H "Content-Type: application/json" http://$ODL:8181/auth/v1/domains
>             >     >
>             >     >     {"domainid":"RyanRocks","name":"RyanRocks","description":"BeerClubAficionado","enabled":true}
>             >     >
>             >     >
>             >     >
>             >     >     # Look at domains (question: why is domainid==name, when I gave a '96' in the create?)
>             >     >
>             >     >
>             >     >     14:30 $ curl -u "admin:admin" http://$ODL:8181/auth/v1/domains | python -m json.tool
>             >     >     {
>             >     >         "domains": [
>             >     >             {
>             >     >                 "description": "default odl sdn domain",
>             >     >                 "domainid": "sdn",
>             >     >                 "enabled": true,
>             >     >                 "name": "sdn"
>             >     >             },
>             >     >             {
>             >     >                 "description": "planetary domain",
>             >     >                 "domainid": "Alderaan-2017-04-12-17-31",
>             >     >                 "enabled": true,
>             >     >                 "name": "Alderaan-2017-04-12-17-31"
>             >     >             },
>             >     >             {
>             >     >                 "description": "BeerClubAficionado",
>             >     >                 "domainid": "RyanRocks",
>             >     >                 "enabled": true,
>             >     >                 "name": "RyanRocks"
>             >     >             }
>             >     >         ]
>             >     >     }
>             >     >
>             >     >
>             >     >
>             >     >     # add a user to this new domain
>             >     >     # first try is using domainid = 96, but get 500/NPE
>             >     >     # second try uses domainid = $name, but also get 500/NPE
>             >     >
>             >     >     ✔ ~
>             >     >     14:30 $ curl -u "admin:admin" -X POST -d '{"description":"The Man","name":"Goulding","enabled":"true","domainid":"96"}' -H "Content-Type: application/json" http://$ODL:8181/auth/v1/users
>             >     >     <html>
>             >     >     <head>
>             >     >     <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"/>
>             >     >     <title>Error 500 Server Error</title>
>             >     >     </head>
>             >     >     <body><h2>HTTP ERROR 500</h2>
>             >     >     <p>Problem accessing /auth/v1/users. Reason:
>             >     >     <pre>    Server Error</pre></p><h3>Caused by:</h3><pre>java.lang.NullPointerException
>             >     >             at org.opendaylight.aaa.idm.rest.UserHandler.createUser(UserHandler.java:199)
>             >     >     ...
>             >     >     <snip>
>             >     >     ...
>             >     >
>             >     >
>             >     >
>             >     >     14:31 $ curl -u "admin:admin" -X POST -d '{"description":"The Man","name":"Goulding","enabled":"true","domainid":"RyanRocks"}' -H "Content-Type: application/json" http://$ODL:8181/auth/v1/users
>             >     >     <html>
>             >     >     <head>
>             >     >     <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"/>
>             >     >     <title>Error 500 Server Error</title>
>             >     >     </head>
>             >     >     <body><h2>HTTP ERROR 500</h2>
>             >     >     <p>Problem accessing /auth/v1/users. Reason:
>             >     >     <pre>    Server Error</pre></p><h3>Caused by:</h3><pre>java.lang.NullPointerException
>             >     >             at org.opendaylight.aaa.idm.rest.UserHandler.createUser(UserHandler.java:199)
>             >     >
>             >     >     ...
>             >     >     <snip>
>             >     >     ...
>             >     >
>             >     >
>             >     >     Thanks,
>             >     >     JamO
>             >     >
>             >     >
>             >     >
>             >     >     >     1) it does not work in Boron, I get 500 Server error + NPE [1] when I try: POST
>             >     >     >     /restconf/operations/aaa-cert-rpc:getODLCertificate
>             >     >     >
>             >     >     > I'll give it a shot and see what I get.
>             >     >     >
>             >     >     >     Do we have an idea of what the implications of just reverting that one patch are? Is it likely to work?
>             >     >     >
>             >     >     >
>             >     >     > So far we haven't demonstrated that the patch does anything negative except deprecate some unsafe commands.  Although revert
>             >     >     > may probably be easiest from your perspective, there are a lot of people who actually push their tests upstream and avoid
>             >     >     > this type of skew.  Let's not start a witch hunt quite yet;  I can pull up quite a few examples of far more risque changes in
>             >     >     > service releases ;).
>             >     >     >
>             >     >     > Regards,
>             >     >     >
>             >     >     > Ryan Goulding
>             >     >     >
>             >     >     > On Thu, Apr 27, 2017 at 9:11 AM, Colin Dixon <colin@...> wrote:
>             >     >     >
>             >     >     >     Do we have an idea of what the implications of just reverting that one patch are? Is it likely to work?
>             >     >     >
>             >     >     >     --Colin
>             >     >     >
>             >     >     >     On Wed, Apr 26, 2017 at 11:11 PM Jamo Luhrsen <jluhrsen@...> wrote:
>             >     >     >
>             >     >     >         btw, I was also trying to help get a broken AAA CSIT job working and ran in to some
>             >     >     >         troubles similar symptoms [0] to what Luis is reporting (500/NPE). Luis is playing with
>             >     >     >         cert stuff, and my work was in user/domain auth.
>             >     >     >
>             >     >     >         anyway, wondering if something fundamental is broken?
>             >     >     >
>             >     >     >         JamO
>             >     >     >
>             >     >     >         [0] https://lists.opendaylight.org/pipermail/aaa-dev/2017-April/001280.html
>             >     >     >
>             >     >     >
>             >     >     >
>             >     >     >         On 04/26/2017 06:21 PM, Luis Gomez wrote:
>             >     >     >         > hi guys, I just tested old-aaa-cert feature and couple of things:
>             >     >     >         >
>             >     >     >         > 1) it does not work in Boron, I get 500 Server error + NPE [1] when I try: POST /restconf/operations/aaa-cert-rpc:getODLCertificate
>             >     >     >         >
>             >     >     >         > 2) When I try in carbon I see 2 store files: ctl.jks, truststore.jks are created under ~/temp folder. Is it possible to change the path for these files?
>             >     >     >         >
>             >     >     >         >
>             >     >     >         > [1] NPE
>             >     >     >         >
>             >     >     >         > <html>
>             >     >     >         >     <head>
>             >     >     >         >         <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"/>
>             >     >     >         >         <title>Error 500 Server Error</title>
>             >     >     >         >     </head>
>             >     >     >         >     <body>
>             >     >     >         >         <h2>HTTP ERROR 500</h2>
>             >     >     >         >         <p>Problem accessing /restconf/operations/aaa-cert-rpc:getODLCertificate. Reason:
>             >     >     >         >
>             >     >     >         >             <pre>    Server Error</pre>
>             >     >     >         >         </p>
>             >     >     >         >         <h3>Caused by:</h3>
>             >     >     >         >         <pre>java.lang.NullPointerException
>             >     >     >         >       at
>             >     org.opendaylight.aaa.cert.impl.AaaCertRpcServiceImpl.getODLCertificate(AaaCertRpcServiceImpl.java:92)
>             >     >     >         >       at
>             >     >     >
>             >     >
>             >
>              org.opendaylight.yangtools.yang.binding.util.RpcMethodInvokerWithoutInput.invokeOn(RpcMethodInvokerWithoutInput.java:30)
>             >     >     >         >       at
>             >     >     >
>             >
>             org.opendaylight.yangtools.yang.binding.util.AbstractMappedRpcInvoker.invokeRpc(AbstractMappedRpcInvoker.java:52)
>             >     >     >         >       at
>             >     >     >
>             >     >
>             >
>              org.opendaylight.controller.md.sal.binding.impl.BindingDOMRpcImplementationAdapter.invoke(BindingDOMRpcImplementationAdapter.java:85)
>             >     >     >         >       at
>             >     >     >
>             >     >
>             >
>              org.opendaylight.controller.md.sal.binding.impl.BindingDOMRpcImplementationAdapter.invokeRpc(BindingDOMRpcImplementationAdapter.java:72)
>             >     >     >         >       at
>             >     >     >
>             >     >
>             >
>              org.opendaylight.controller.md.sal.dom.broker.impl.GlobalDOMRpcRoutingTableEntry.invokeRpc(GlobalDOMRpcRoutingTableEntry.java:39)
>             >     >     >         >       at
>             >     >
>              org.opendaylight.controller.md.sal.dom.broker.impl.DOMRpcRoutingTable.invokeRpc(DOMRpcRoutingTable.java:177)
>             >     >     >         >       at org.opendaylight.controller.md
>             <http://org.opendaylight.controller.md>.sal.dom.broker.impl.DOMRpcRouter.invokeRpc(DOMRpcRouter.java:102)
>             >     >     >         >       at Proxye69c1788_e30d_4fd8_8d29_f7f08932a9e7.invokeRpc(Unknown Source)
>             >     >     >         >       at
>             org.opendaylight.netconf.sal.restconf.impl.BrokerFacade.invokeRpc(BrokerFacade.java:506)
>             >     >     >         >       at
>             org.opendaylight.netconf.sal.restconf.impl.RestconfImpl.invokeRpc(RestconfImpl.java:464)
>             >     >     >         >       at
>             >     >     >
>             >     >
>             >
>              org.opendaylight.netconf.sal.restconf.impl.StatisticsRestconfServiceWrapper.invokeRpc(StatisticsRestconfServiceWrapper.java:83)
>             >     >     >         >       at org.opendaylight.netconf.sal.rest.impl.RestconfCompositeWrapper.invokeRpc(RestconfCompositeWrapper.java:64)
>             >     >     >         >       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>             >     >     >         >       at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>             >     >     >         >       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>             >     >     >         >       at java.lang.reflect.Method.invoke(Method.java:498)
>             >     >     >         >       at com.sun.jersey.spi.container.JavaMethodInvokerFactory$1.invoke(JavaMethodInvokerFactory.java:60)
>             >     >     >         >       at com.sun.jersey.server.impl.model.method.dispatch.AbstractResourceMethodDispatchProvider$TypeOutInvoker._dispatch(AbstractResourceMethodDispatchProvider.java:185)
>             >     >     >         >       at com.sun.jersey.server.impl.model.method.dispatch.ResourceJavaMethodDispatcher.dispatch(ResourceJavaMethodDispatcher.java:75)
>             >     >     >         >       at com.sun.jersey.server.impl.uri.rules.HttpMethodRule.accept(HttpMethodRule.java:302)
>             >     >     >         >       at com.sun.jersey.server.impl.uri.rules.RightHandPathRule.accept(RightHandPathRule.java:147)
>             >     >     >         >       at com.sun.jersey.server.impl.uri.rules.ResourceObjectRule.accept(ResourceObjectRule.java:100)
>             >     >     >         >       at com.sun.jersey.server.impl.uri.rules.RightHandPathRule.accept(RightHandPathRule.java:147)
>             >     >     >         >       at com.sun.jersey.server.impl.uri.rules.RootResourceClassesRule.accept(RootResourceClassesRule.java:84)
>             >     >     >         >       at com.sun.jersey.server.impl.application.WebApplicationImpl._handleRequest(WebApplicationImpl.java:1511)
>             >     >     >         >       at com.sun.jersey.server.impl.application.WebApplicationImpl._handleRequest(WebApplicationImpl.java:1442)
>             >     >     >         >       at com.sun.jersey.server.impl.application.WebApplicationImpl.handleRequest(WebApplicationImpl.java:1391)
>             >     >     >         >       at com.sun.jersey.server.impl.application.WebApplicationImpl.handleRequest(WebApplicationImpl.java:1381)
>             >     >     >         >       at com.sun.jersey.spi.container.servlet.WebComponent.service(WebComponent.java:416)
>             >     >     >         >       at com.sun.jersey.spi.container.servlet.ServletContainer.service(ServletContainer.java:538)
>             >     >     >         >       at com.sun.jersey.spi.container.servlet.ServletContainer.service(ServletContainer.java:716)
>             >     >     >         >       at javax.servlet.http.HttpServlet.service(HttpServlet.java:668)
>             >     >     >         >       at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:684)
>             >     >     >         >       at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1507)
>             >     >     >         >       at org.eclipse.jetty.servlets.CrossOriginFilter.handle(CrossOriginFilter.java:247)
>             >     >     >         >       at org.eclipse.jetty.servlets.CrossOriginFilter.doFilter(CrossOriginFilter.java:210)
>             >     >     >         >       at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1478)
>             >     >     >         >       at org.eclipse.jetty.servlets.UserAgentFilter.doFilter(UserAgentFilter.java:82)
>             >     >     >         >       at org.eclipse.jetty.servlets.GzipFilter.doFilter(GzipFilter.java:256)
>             >     >     >         >       at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1478)
>             >     >     >         >       at org.opendaylight.aaa.filterchain.filters.CustomFilterAdapter.doFilter(CustomFilterAdapter.java:85)
>             >     >     >         >       at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1478)
>             >     >     >         >       at org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:61)
>             >     >     >         >       at org.apache.shiro.web.servlet.AdviceFilter.executeChain(AdviceFilter.java:108)
>             >     >     >         >       at org.apache.shiro.web.servlet.AdviceFilter.doFilterInternal(AdviceFilter.java:137)
>             >     >     >         >       at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)
>             >     >     >         >       at org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:66)
>             >     >     >         >       at org.apache.shiro.web.servlet.AdviceFilter.executeChain(AdviceFilter.java:108)
>             >     >     >         >       at org.apache.shiro.web.servlet.AdviceFilter.doFilterInternal(AdviceFilter.java:137)
>             >     >     >         >       at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)
>             >     >     >         >       at org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:66)
>             >     >     >         >       at org.apache.shiro.web.servlet.AbstractShiroFilter.executeChain(AbstractShiroFilter.java:449)
>             >     >     >         >       at org.apache.shiro.web.servlet.AbstractShiroFilter$1.call(AbstractShiroFilter.java:365)
>             >     >     >         >       at org.apache.shiro.subject.support.SubjectCallable.doCall(SubjectCallable.java:90)
>             >     >     >         >       at org.apache.shiro.subject.support.SubjectCallable.call(SubjectCallable.java:83)
>             >     >     >         >       at org.apache.shiro.subject.support.DelegatingSubject.execute(DelegatingSubject.java:383)
>             >     >     >         >       at org.apache.shiro.web.servlet.AbstractShiroFilter.doFilterInternal(AbstractShiroFilter.java:362)
>             >     >     >         >       at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)
>             >     >     >         >       at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1478)
>             >     >     >         >       at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:499)
>             >     >     >         >       at org.ops4j.pax.web.service.jetty.internal.HttpServiceServletHandler.doHandle(HttpServiceServletHandler.java:69)
>             >     >     >         >       at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:137)
>             >     >     >         >       at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:557)
>             >     >     >         >       at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:231)
>             >     >     >         >       at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1086)
>             >     >     >         >       at org.ops4j.pax.web.service.jetty.internal.HttpServiceContext.doHandle(HttpServiceContext.java:240)
>             >     >     >         >       at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:427)
>             >     >     >         >       at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:193)
>             >     >     >         >       at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1020)
>             >     >     >         >       at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:135)
>             >     >     >         >       at org.ops4j.pax.web.service.jetty.internal.JettyServerHandlerCollection.handle(JettyServerHandlerCollection.java:75)
>             >     >     >         >       at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:116)
>             >     >     >         >       at org.eclipse.jetty.server.Server.handle(Server.java:370)
>             >     >     >         >       at org.eclipse.jetty.server.AbstractHttpConnection.handleRequest(AbstractHttpConnection.java:494)
>             >     >     >         >       at org.eclipse.jetty.server.AbstractHttpConnection.headerComplete(AbstractHttpConnection.java:973)
>             >     >     >         >       at org.eclipse.jetty.server.AbstractHttpConnection$RequestHandler.headerComplete(AbstractHttpConnection.java:1035)
>             >     >     >         >       at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:641)
>             >     >     >         >       at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:231)
>             >     >     >         >       at org.eclipse.jetty.server.AsyncHttpConnection.handle(AsyncHttpConnection.java:82)
>             >     >     >         >       at org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEndPoint.java:696)
>             >     >     >         >       at org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEndPoint.java:53)
>             >     >     >         >       at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:608)
>             >     >     >         >       at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:543)
>             >     >     >         >       at java.lang.Thread.run(Thread.java:745)
>             >     >     >         >
>             >     >     >         >> On Apr 26, 2017, at 12:50 PM, Mohamed ElSerngawy <melserngawy@...> wrote:
>             >     >     >         >>
>             >     >     >         >> Hi Colin,
>             >     >     >         >>
>             >     >     >         >> You are not supposed to use them after the changes that we made in the patch. Basically these functionalities were there because the keystores needed to be generated after starting ODL. But now, the keystore will be created once you install the aaa-cert feature. Keeping these functionalities could pose a serious security threat.
>             >     >     >         >>
>             >     >     >         >> BR
>             >     >     >         >>
>             >     >     >         >> On Wed, Apr 26, 2017 at 3:40 PM, Colin Dixon <colin@...> wrote:
>             >     >     >         >> Putting the argument about what should go in an SR aside for the moment, is there a straightforward way to access the functionality that was provided by the removed commands? Specifically gen-odl-ks and gen-trust-ks?
>             >     >     >         >>
>             >     >     >         >> --Colin
>             >     >     >         >>
>             >     >     >         >> On Wed, Apr 26, 2017 at 3:15 PM Ryan Goulding <ryandgoulding@...> wrote:
>             >     >     >         >> which is probably not in the spirit of SRs
>             >     >     >         >>
>             >     >     >         >> This was done for both usability and security purposes, as I explained via Skype already.  The security advantages alone make it justifiable IMHO.
>             >     >     >         >>
>             >     >     >         >>  While we're somewhat less strict about adding features in SRs. Taking them out without a lot of warning and notice is pretty much the definition of what we try to never do in SRs.
>             >     >     >         >>
>             >     >     >         >> This isn't a feature, it is CLI.
>             >     >     >         >>
>             >     >     >         >>  This patch seems to be the issue:
>             >     >     >         >> https://git.opendaylight.org/gerrit/#/c/51649/
>             >     >     >         >>
>             >     >     >         >> Yes, if you look at the bug actually, a member from your team commented on it [0] so I'd argue that it was at least somewhat well known ;).  Reverting it shouldn't be particularly hard, but it could open you up to some security issues in your downstream distro!
>             >     >     >         >>
>             >     >     >         >> Regards,
>             >     >     >         >>
>             >     >     >         >> Ryan Goulding
>             >     >     >         >>
>             >     >     >         >> [0] https://bugs.opendaylight.org/show_bug.cgi?id=7774
>             >     >     >         >>
>             >     >     >         >> On Wed, Apr 26, 2017 at 3:03 PM, Colin Dixon <colin@...> wrote:
>             >     >     >         >> So, in some downstream testing at Brocade we found that the AAA CLI commands were changed somewhat drastically between Boron-SR2 and Boron-SR3, which is probably not in the spirit of SRs. While we're somewhat less strict about adding features in SRs. Taking them out without a lot of warning and notice is pretty much the definition of what we try to never do in SRs.
>             >     >     >         >>
>             >     >     >         >> That being said, we're trying to make the best of it and looking for help in understanding how to get the functionality we rely on from AAA back in Boron-SR3.
>             >     >     >         >>
>             >     >     >         >> This patch seems to be the issue:
>             >     >     >         >> https://git.opendaylight.org/gerrit/#/c/51649/
>             >     >     >         >>
>             >     >     >         >> Is there somebody that can comment on how we might recover the functionality that used to be provided by the gen-odl-ks and gen-trust-ks CLI commands? Would simply reverting that patch work or would it break other things as well?
>             >     >     >         >>
>             >     >     >         >> Thanks,
>             >     >     >         >> --Colin
>             >     >     >         >>



Jamo Luhrsen <jluhrsen@...>
 

cool beans.

I filed 8282 as well.

I'll get CSIT working like we need it and add an extra test case to NOT use email
which will fail until 8283 is fixed.

Thanks guys,
JamO

On 05/04/2017 01:54 PM, Ryan Goulding wrote:
[0] https://bugs.opendaylight.org/show_bug.cgi?id=8383

oops :)

Regards,

Ryan Goulding

On Thu, May 4, 2017 at 4:52 PM, Ryan Goulding <ryandgoulding@...> wrote:

Created [0] and submitted patch [1]. Basically, idmtool.py fills in an email in the request with an empty string.
However, the rest endpoint had a bug that we didn't notice since most people just use idmtool.py (if email not provided,
NPE occurs).

Regards,

Ryan Goulding

[0] https://github.com/opendaylight/aaa/blob/master/aaa-idmlight/src/main/java/org/opendaylight/aaa/idm/rest/UserHandler.java#L199
[1] https://git.opendaylight.org/gerrit/#/c/56558/

On Thu, May 4, 2017 at 4:35 PM, Jamo Luhrsen <jluhrsen@...> wrote:

so two things.

1)
I'll open a bug that we should not allow a domain create to specify the domainid.

2)
more importantly, it does not fix my NPE to *not* use a domainid when creating it.

can one of you try these three curl cmds with your setup to see if maybe I'm crazy:

curl -u "admin:admin" -X POST -d '{"description":"BeerClubAficionado1","name":"RyanRocks1","enabled":"true"}' -H "Content-Type:application/json" http://$ODL:8181/auth/v1/domains

curl -u "admin:admin" http://$ODL:8181/auth/v1/domains | python -m json.tool

curl -u "admin:admin" -X POST -d '{"description":"The Man","name":"Goulding","enabled":"true","domainid":"RyanRocks1"}' -H "Content-Type: application/json" http://$ODL:8181/auth/v1/users



JamO




On 05/04/2017 01:29 PM, Mohamed ElSerngawy wrote:
> yes, I agree. I don't know why it exists in this way
>
> On Thu, May 4, 2017 at 4:24 PM, Ryan Goulding <ryandgoulding@...> wrote:
>
> I'd call that a bug on our side. If we expose it we ought to honor it if it is there.
>
> Regards,
>
> Ryan Goulding
>
> On Thu, May 4, 2017 at 4:21 PM, Mohamed ElSerngawy <melserngawy@...> wrote:
>
> Hi Jamo,
>
> You are not supposed to set the domain-id [0].
>
> [0] https://github.com/opendaylight/aaa/blob/master/aaa-h2-store/src/main/java/org/opendaylight/aaa/h2/persistence/DomainStore.java#L104
>
> On Thu, May 4, 2017 at 4:11 PM, Jamo Luhrsen <jluhrsen@...> wrote:
>
> wait, I get the sense you missed my first step where I did create a domain. I created it
> with the domainid 96.
>
> JamO
>
> On 05/04/2017 01:00 PM, Ryan Goulding wrote:
> > It's either going to be the default one (sdn) or one you created. You can find out which ones exist by:
> >
> > ryan@ubuntu:/code/aaa-nitrogen/karaf/target/assembly$ python bin/idmtool admin list-domains
> > Password:
> > list_domains
> >
> > command succeeded!
> >
> > json:
> > {
> > "domains": [
> > {
> > "description": "default odl sdn domain",
> > "domainid": "sdn",
> > "enabled": true,
> > "name": "sdn"
> > }
> > ]
> > }
> > ryan@ubuntu:/code/aaa-nitrogen/karaf/target/assembly$
> >
> > Note: it will be python etc/idmtool in Carbon since we didn't get that bug fix in in time.
> >
> > OR:
> >
> > curl -u "admin:admin" http://$ODL:8181/auth/v1/domains | python -m json.tool
> >
> > if you are using raw REST
> >
> > Regards,
> >
> > Ryan Goulding
> >
> > On Thu, May 4, 2017 at 3:53 PM, Jamo Luhrsen <jluhrsen@...> wrote:
> >
> > so, when creating a domain you have to use a domain id that already exists? where do I find
> > that domainid?
> >
> > JamO
> >
> > On 05/04/2017 12:51 PM, Ryan Goulding wrote:
> > > The domain id "96" does not exist. Probably should be a better error message, but you need to use a domain that exists or
> > > you will get internal server error.
> > >
> > > Regards,
> > >
> > > Ryan Goulding
> > >
> > > On Thu, Apr 27, 2017 at 5:36 PM, Jamo Luhrsen <jluhrsen@...> wrote:
> > >
> > > (subject changed)
> > >
> > > On 04/27/2017 06:34 AM, Ryan Goulding wrote:
> > > > The stuff you are referring to works, JamO, and is completely orthogonal to the issue Luis reports. If you paste the exact
> > > > REST call I can assist. Also, if you are curious how to use those endpoints, refer to idmtool.py, which just wraps that
> > > > interface. I just tested this morning.
> > >
> > > yeah, if you can help me get it right I'll fix the CSIT. Still, I don't expect a 500/NPE
> > > from AAA, so should that be a bug on its own?
> > >
> > > here's kind of my repro, if you can help me know what's wrong:
> > >
> > > # Create a Domain
> > >
> > > 14:28 $ curl -u "admin:admin" -X POST -d '{"description":"BeerClubAficionado","domainid":"96","name":"RyanRocks","enabled":"true"}' -H "Content-Type: application/json" http://$ODL:8181/auth/v1/domains
> > >
> > > {"domainid":"RyanRocks","name":"RyanRocks","description":"BeerClubAficionado","enabled":true}
> > >
> > >
> > >
> > > # Look at domains (question: why is domainid==name, when I gave a '96' in the create?)
> > >
> > >
> > > 14:30 $ curl -u "admin:admin" http://$ODL:8181/auth/v1/domains | python -m json.tool
> > > {
> > > "domains": [
> > > {
> > > "description": "default odl sdn domain",
> > > "domainid": "sdn",
> > > "enabled": true,
> > > "name": "sdn"
> > > },
> > > {
> > > "description": "planetary domain",
> > > "domainid": "Alderaan-2017-04-12-17-31",
> > > "enabled": true,
> > > "name": "Alderaan-2017-04-12-17-31"
> > > },
> > > {
> > > "description": "BeerClubAficionado",
> > > "domainid": "RyanRocks",
> > > "enabled": true,
> > > "name": "RyanRocks"
> > > }
> > > ]
> > > }
> > >
> > >
> > >
> > > # add a user to this new domain
> > > # first try is using domainid = 96, but get 500/NPE
> > > # second try uses domainid = $name, but also get 500/NPE
> > >
> > > ✔ ~
> > > 14:30 $ curl -u "admin:admin" -X POST -d '{"description":"The Man","name":"Goulding","enabled":"true","domainid":"96"}' -H "Content-Type: application/json" http://$ODL:8181/auth/v1/users
> > > <html>
> > > <head>
> > > <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"/>
> > > <title>Error 500 Server Error</title>
> > > </head>
> > > <body><h2>HTTP ERROR 500</h2>
> > > <p>Problem accessing /auth/v1/users. Reason:
> > > <pre> Server Error</pre></p><h3>Caused by:</h3><pre>java.lang.NullPointerException
> > > at org.opendaylight.aaa.idm.rest.UserHandler.createUser(UserHandler.java:199)
> > > ...
> > > <snip>
> > > ...
> > >
> > >
> > >
> > > 14:31 $ curl -u "admin:admin" -X POST -d '{"description":"The Man","name":"Goulding","enabled":"true","domainid":"RyanRocks"}' -H "Content-Type: application/json" http://$ODL:8181/auth/v1/users
> > > <html>
> > > <head>
> > > <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"/>
> > > <title>Error 500 Server Error</title>
> > > </head>
> > > <body><h2>HTTP ERROR 500</h2>
> > > <p>Problem accessing /auth/v1/users. Reason:
> > > <pre> Server Error</pre></p><h3>Caused by:</h3><pre>java.lang.NullPointerException
> > > at org.opendaylight.aaa.idm.rest.UserHandler.createUser(UserHandler.java:199)
> > >
> > > ...
> > > <snip>
> > > ...
> > >
> > >
> > > Thanks,
> > > JamO
> > >
> > >
> > >
> > > > 1) it does not work in Boron, I get 500 Server error + NPE [1] when I try: POST
> > > > /restconf/operations/aaa-cert-rpc:getODLCertificate
> > > >
> > > > I'll give it a shot and see what I get.
> > > >
> > > > Do we have an idea of what the implications of just reverting that one patch are? Is it likely to work?
> > > >
> > > >
> > > > So far we haven't demonstrated that the patch does anything negative except deprecate some unsafe commands. Although revert
> > > > may probably be easiest from your perspective, there are a lot of people who actually push their tests upstream and avoid
> > > > this type of skew. Let's not start a witch hunt quite yet; I can pull up quite a few examples of far more risque changes in
> > > > service releases ;).
> > > >
> > > > Regards,
> > > >
> > > > Ryan Goulding
> > > >
> > > > On Thu, Apr 27, 2017 at 9:11 AM, Colin Dixon <colin@...> wrote:
> > > >
> > > > Do we have an idea of what the implications of just reverting that one patch are? Is it likely to work?
> > > >
> > > > --Colin
> > > >
> > > > On Wed, Apr 26, 2017 at 11:11 PM Jamo Luhrsen <jluhrsen@...> wrote:
> > > >
> > > > btw, I was also trying to help get a broken AAA CSIT job working and ran in to some
> > > > troubles similar symptoms [0] to what Luis is reporting (500/NPE). Luis is playing with
> > > > cert stuff, and my work was in user/domain auth.
> > > >
> > > > anyway, wondering if something fundamental is broken?
> > > >
> > > > JamO
> > > >
> > > > [0] https://lists.opendaylight.org/pipermail/aaa-dev/2017-April/001280.html
> > > >
> > > >
> > > >
> > > > On 04/26/2017 06:21 PM, Luis Gomez wrote:
> > > > > hi guys, I just tested old-aaa-cert feature and couple of things:
> > > > >
> > > > > 1) it does not work in Boron, I get 500 Server error + NPE [1] when I try: POST
> > > > /restconf/operations/aaa-cert-rpc:getODLCertificate
> > > > >
> > > > > 2) When I try in carbon I see 2 store files: ctl.jks, truststore.jks are created under ~/temp folder. Is it
> > > > > possible to change the path for these files?
> > > > >
> > > > >
> > > > > [1] NPE
> > > > >
> > > > > <html>
> > > > > <head>
> > > > > <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"/>
> > > > > <title>Error 500 Server Error</title>
> > > > > </head>
> > > > > <body>
> > > > > <h2>HTTP ERROR 500</h2>
> > > > > <p>Problem accessing /restconf/operations/aaa-cert-rpc:getODLCertificate. Reason:
> > > > >
> > > > > <pre> Server Error</pre>
> > > > > </p>
> > > > > <h3>Caused by:</h3>
> > > > > <pre>java.lang.NullPointerException
> > > > > at org.opendaylight.aaa.cert.impl.AaaCertRpcServiceImpl.getODLCertificate(AaaCertRpcServiceImpl.java:92)
> > > > > at org.opendaylight.yangtools.yang.binding.util.RpcMethodInvokerWithoutInput.invokeOn(RpcMethodInvokerWithoutInput.java:30)
> > > > > at org.opendaylight.yangtools.yang.binding.util.AbstractMappedRpcInvoker.invokeRpc(AbstractMappedRpcInvoker.java:52)
> > > > > at org.opendaylight.controller.md.sal.binding.impl.BindingDOMRpcImplementationAdapter.invoke(BindingDOMRpcImplementationAdapter.java:85)
> > > > > at org.opendaylight.controller.md.sal.binding.impl.BindingDOMRpcImplementationAdapter.invokeRpc(BindingDOMRpcImplementationAdapter.java:72)
> > > > > at org.opendaylight.controller.md.sal.dom.broker.impl.GlobalDOMRpcRoutingTableEntry.invokeRpc(GlobalDOMRpcRoutingTableEntry.java:39)
> > > > > at org.opendaylight.controller.md.sal.dom.broker.impl.DOMRpcRoutingTable.invokeRpc(DOMRpcRoutingTable.java:177)
> > > > > at org.opendaylight.controller.md.sal.dom.broker.impl.DOMRpcRouter.invokeRpc(DOMRpcRouter.java:102)
> > > > > at Proxye69c1788_e30d_4fd8_8d29_f7f08932a9e7.invokeRpc(Unknown Source)
> > > > > at org.opendaylight.netconf.sal.restconf.impl.BrokerFacade.invokeRpc(BrokerFacade.java:506)
> > > > > at org.opendaylight.netconf.sal.restconf.impl.RestconfImpl.invokeRpc(RestconfImpl.java:464)
> > > > > at org.opendaylight.netconf.sal.restconf.impl.StatisticsRestconfServiceWrapper.invokeRpc(StatisticsRestconfServiceWrapper.java:83)
> > > > > at org.opendaylight.netconf.sal.rest.impl.RestconfCompositeWrapper.invokeRpc(RestconfCompositeWrapper.java:64)
> > > > > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> > > > > at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> > > > > at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> > > > > at java.lang.reflect.Method.invoke(Method.java:498)
> > > > > at com.sun.jersey.spi.container.JavaMethodInvokerFactory$1.invoke(JavaMethodInvokerFactory.java:60)
> > > > > at com.sun.jersey.server.impl.model.method.dispatch.AbstractResourceMethodDispatchProvider$TypeOutInvoker._dispatch(AbstractResourceMethodDispatchProvider.java:185)
> > > > > at com.sun.jersey.server.impl.model.method.dispatch.ResourceJavaMethodDispatcher.dispatch(ResourceJavaMethodDispatcher.java:75)
> > > > > at com.sun.jersey.server.impl.uri.rules.HttpMethodRule.accept(HttpMethodRule.java:302)
> > > > > at com.sun.jersey.server.impl.uri.rules.RightHandPathRule.accept(RightHandPathRule.java:147)
> > > > > at com.sun.jersey.server.impl.uri.rules.ResourceObjectRule.accept(ResourceObjectRule.java:100)
> > > > > at com.sun.jersey.server.impl.uri.rules.RightHandPathRule.accept(RightHandPathRule.java:147)
> > > > > at com.sun.jersey.server.impl.uri.rules.RootResourceClassesRule.accept(RootResourceClassesRule.java:84)
> > > > > at com.sun.jersey.server.impl.application.WebApplicationImpl._handleRequest(WebApplicationImpl.java:1511)
> > > > > at com.sun.jersey.server.impl.application.WebApplicationImpl._handleRequest(WebApplicationImpl.java:1442)
> > > > > at com.sun.jersey.server.impl.application.WebApplicationImpl.handleRequest(WebApplicationImpl.java:1391)
> > > > > at com.sun.jersey.server.impl.application.WebApplicationImpl.handleRequest(WebApplicationImpl.java:1381)
> > > > > at com.sun.jersey.spi.container.servlet.WebComponent.service(WebComponent.java:416)
> > > > > at com.sun.jersey.spi.container.servlet.ServletContainer.service(ServletContainer.java:538)
> > > > > at com.sun.jersey.spi.container.servlet.ServletContainer.service(ServletContainer.java:716)
> > > > > at javax.servlet.http.HttpServlet.service(HttpServlet.java:668)
> > > > > at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:684)
> > > > > at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1507)
> > > > > at org.eclipse.jetty.servlets.CrossOriginFilter.handle(CrossOriginFilter.java:247)
> > > > > at org.eclipse.jetty.servlets.CrossOriginFilter.doFilter(CrossOriginFilter.java:210)
> > > > > at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1478)
> > > > > at org.eclipse.jetty.servlets.UserAgentFilter.doFilter(UserAgentFilter.java:82)
> > > > > at org.eclipse.jetty.servlets.GzipFilter.doFilter(GzipFilter.java:256)
> > > > > at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1478)
> > > > > at org.opendaylight.aaa.filterchain.filters.CustomFilterAdapter.doFilter(CustomFilterAdapter.java:85)
> > > > > at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1478)
> > > > > at org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:61)
> > > > > at org.apache.shiro.web.servlet.AdviceFilter.executeChain(AdviceFilter.java:108)
> > > > > at org.apache.shiro.web.servlet.AdviceFilter.doFilterInternal(AdviceFilter.java:137)
> > > > > at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)
> > > > > at org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:66)
> > > > > at org.apache.shiro.web.servlet.AdviceFilter.executeChain(AdviceFilter.java:108)
> > > > > at org.apache.shiro.web.servlet.AdviceFilter.doFilterInternal(AdviceFilter.java:137)
> > > > > at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)
> > > > > at org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:66)
> > > > > at org.apache.shiro.web.servlet.AbstractShiroFilter.executeChain(AbstractShiroFilter.java:449)
> > > > > at org.apache.shiro.web.servlet.AbstractShiroFilter$1.call(AbstractShiroFilter.java:365)
> > > > > at org.apache.shiro.subject.support.SubjectCallable.doCall(SubjectCallable.java:90)
> > > > > at org.apache.shiro.subject.support.SubjectCallable.call(SubjectCallable.java:83)
> > > > > at org.apache.shiro.subject.support.DelegatingSubject.execute(DelegatingSubject.java:383)
> > > > > at org.apache.shiro.web.servlet.AbstractShiroFilter.doFilterInternal(AbstractShiroFilter.java:362)
> > > > > at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)
> > > > > at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1478)
> > > > > at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:499)
> > > > > at org.ops4j.pax.web.service.jetty.internal.HttpServiceServletHandler.doHandle(HttpServiceServletHandler.java:69)
> > > > > at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:137)
> > > > > at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:557)
> > > > > at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:231)
> > > > > at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1086)
> > > > > at org.ops4j.pax.web.service.jetty.internal.HttpServiceContext.doHandle(HttpServiceContext.java:240)
> > > > > at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:427)
> > > > > at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:193)
> > > > > at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1020)
> > > > > at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:135)
> > > > > at org.ops4j.pax.web.service.jetty.internal.JettyServerHandlerCollection.handle(JettyServerHandlerCollection.java:75)
> > > > > at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:116)
> > > > > at org.eclipse.jetty.server.Server.handle(Server.java:370)
> > > > > at org.eclipse.jetty.server.AbstractHttpConnection.handleRequest(AbstractHttpConnection.java:494)
> > > > > at org.eclipse.jetty.server.AbstractHttpConnection.headerComplete(AbstractHttpConnection.java:973)
> > > > > at org.eclipse.jetty.server.AbstractHttpConnection$RequestHandler.headerComplete(AbstractHttpConnection.java:1035)
> > > > > at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:641)
> > > > > at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:231)
> > > > > at org.eclipse.jetty.server.AsyncHttpConnection.handle(AsyncHttpConnection.java:82)
> > > > > at org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEndPoint.java:696)
> > > > > at org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEndPoint.java:53)
> > > > > at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:608)
> > > > > at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:543)
> > > > > at java.lang.Thread.run(Thread.java:745)
> > > > >
> > > > >
> > > > >
> > > > >
> > > > >
> > > > >> On Apr 26, 2017, at 12:50 PM, Mohamed ElSerngawy <melserngawy@...> wrote:
> > > > >>
> > > > >> Hi Colin,
> > > > >>
> > > > >> You are not supposed to use them after the changes that we made in the patch. Basically these functionalities were
> > > > >> there because of the keystores need to be generated after starting ODL. But now, the keystore will be created once
> > > > >> you install the aaa-cert feature. Keeping these functionalities could make a serious security threat.
> > > > >>
> > > > >> BR
> > > > >>
> > > > >> On Wed, Apr 26, 2017 at 3:40 PM, Colin Dixon <colin@...> wrote:
> > > > >> Putting the argument about what should go in an SR aside for the moment, is there a straightforward way to access
> > > > >> the functionality that was provided by the removed commands? Specifically gen-odl-ks and gen-trust-ks?
> > > > >>
> > > > >> --Colin
> > > > >>
> > > > >> On Wed, Apr 26, 2017 at 3:15 PM Ryan Goulding <ryandgoulding@...> wrote:
> > > > >> which is probably not in the spirit of SRs
> > > > >>
> > > > >> This was done for both usability and security purposes, as I explained via Skype already. The security advantages
> > > > >> alone make it justifiable IMHO.
> > > > >>
> > > > >> While we're somewhat less strict about adding features in SRs. Taking them out without a lot of warning and
> > > > >> notice is pretty much the definition of what we try to never do in SRs.
> > > > >>
> > > > >> This isn't a feature, it is CLI.
> > > > >>
> > > > >> This patch seems to be the issue:
> > > > >> https://git.opendaylight.org/gerrit/#/c/51649/
> > > > >>
> > > > >> Yes, if you look at the bug actually, a member from your team commented on it [0] so I'd argue that it was at
> > > > >> least somewhat well known ;). Reverting it shouldn't be particularly hard, but it could open you up to some
> > > > >> security issues in your downstream distro!
> > > > >>
> > > > >> Regards,
> > > > >>
> > > > >> Ryan Goulding
> > > > >>
> > > > >> [0] https://bugs.opendaylight.org/show_bug.cgi?id=7774
> > > > >>
> > > > >> On Wed, Apr 26, 2017 at 3:03 PM, Colin Dixon <colin@...> wrote:
> > > > >> So, in some downstream testing at Brocade we found that the AAA CLI commands were changed somewhat drastically
> > > > >> between Boron-SR2 and Boron-SR3, which is probably not in the spirit of SRs. While we're somewhat less strict about
> > > > >> adding features in SRs. Taking them out without a lot of warning and notice is pretty much the definition of what we
> > > > >> try to never do in SRs.
> > > > >>
> > > > >> That being said, we're trying to make the best of it and looking for help in understanding how to get the
> > > > >> functionality we rely on from AAA back in Boron-SR3.
> > > > >>
> > > > >> This patch seems to be the issue:
> > > > >> https://git.opendaylight.org/gerrit/#/c/51649/
> > > > >>
> > > > >> Is there somebody that can comment on how we might recover the functionality that used to be provided by the
> > > > >> gen-odl-ks and gen-trust-ks CLI commands? Would simply reverting that patch work or would it break other things as well?
> > > > >>
> > > > >> Thanks,
> > > > >> --Colin
> > > > >>
> > > > >>
> > > > >> _______________________________________________
> > > > >> aaa-dev mailing list
> > > > >> aaa-dev@...
> > > > >> https://lists.opendaylight.org/mailman/listinfo/aaa-dev
> > > > >>
> > > > >>
> > > > >>
> > > > >> _______________________________________________
> > > > >> aaa-dev mailing list
> > > > >> aaa-dev@... <mailto:aaa-dev@...>
<mailto:aaa-dev@... <mailto:aaa-dev@...>>
> <mailto:aaa-dev@... <mailto:aaa-dev@...>
<mailto:aaa-dev@... <mailto:aaa-dev@...>>>
> <mailto:aaa-dev@... <mailto:aaa-dev@...>
<mailto:aaa-dev@... <mailto:aaa-dev@...>>
> > <mailto:aaa-dev@... <mailto:aaa-dev@...>
<mailto:aaa-dev@... <mailto:aaa-dev@...>>>>
> > > <mailto:aaa-dev@... <mailto:aaa-dev@...>
<mailto:aaa-dev@... <mailto:aaa-dev@...>>
> <mailto:aaa-dev@... <mailto:aaa-dev@...>
<mailto:aaa-dev@... <mailto:aaa-dev@...>>>
> > <mailto:aaa-dev@... <mailto:aaa-dev@...>
<mailto:aaa-dev@... <mailto:aaa-dev@...>>
> <mailto:aaa-dev@... <mailto:aaa-dev@...>
<mailto:aaa-dev@... <mailto:aaa-dev@...>>>>>
> > > > >> https://lists.opendaylight.org/mailman/listinfo/aaa-dev
<https://lists.opendaylight.org/mailman/listinfo/aaa-dev>
> <https://lists.opendaylight.org/mailman/listinfo/aaa-dev
<https://lists.opendaylight.org/mailman/listinfo/aaa-dev>>
> > <https://lists.opendaylight.org/mailman/listinfo/aaa-dev
<https://lists.opendaylight.org/mailman/listinfo/aaa-dev>
> <https://lists.opendaylight.org/mailman/listinfo/aaa-dev
<https://lists.opendaylight.org/mailman/listinfo/aaa-dev>>>
> > > <https://lists.opendaylight.org/mailman/listinfo/aaa-dev
<https://lists.opendaylight.org/mailman/listinfo/aaa-dev>
> <https://lists.opendaylight.org/mailman/listinfo/aaa-dev
<https://lists.opendaylight.org/mailman/listinfo/aaa-dev>>
> <https://lists.opendaylight.org/mailman/listinfo/aaa-dev
<https://lists.opendaylight.org/mailman/listinfo/aaa-dev> <https://lists.opendaylight.org/mailman/listinfo/aaa-dev
<https://lists.opendaylight.org/mailman/listinfo/aaa-dev>>>>
> > <https://lists.opendaylight.org/mailman/listinfo/aaa-dev
<https://lists.opendaylight.org/mailman/listinfo/aaa-dev>
> <https://lists.opendaylight.org/mailman/listinfo/aaa-dev
<https://lists.opendaylight.org/mailman/listinfo/aaa-dev>>
> <https://lists.opendaylight.org/mailman/listinfo/aaa-dev
<https://lists.opendaylight.org/mailman/listinfo/aaa-dev> <https://lists.opendaylight.org/mailman/listinfo/aaa-dev
<https://lists.opendaylight.org/mailman/listinfo/aaa-dev>>>
> > > <https://lists.opendaylight.org/mailman/listinfo/aaa-dev
<https://lists.opendaylight.org/mailman/listinfo/aaa-dev>
> <https://lists.opendaylight.org/mailman/listinfo/aaa-dev
<https://lists.opendaylight.org/mailman/listinfo/aaa-dev>>
> <https://lists.opendaylight.org/mailman/listinfo/aaa-dev
<https://lists.opendaylight.org/mailman/listinfo/aaa-dev> <https://lists.opendaylight.org/mailman/listinfo/aaa-dev
<https://lists.opendaylight.org/mailman/listinfo/aaa-dev>>>>>
> > > > >
> > > > > _______________________________________________
> > > > > aaa-dev mailing list
> > > > > aaa-dev@... <mailto:aaa-dev@...>
<mailto:aaa-dev@... <mailto:aaa-dev@...>>
> <mailto:aaa-dev@... <mailto:aaa-dev@...>
<mailto:aaa-dev@... <mailto:aaa-dev@...>>>
> > <mailto:aaa-dev@... <mailto:aaa-dev@...>
<mailto:aaa-dev@... <mailto:aaa-dev@...>>
> <mailto:aaa-dev@... <mailto:aaa-dev@...>
<mailto:aaa-dev@... <mailto:aaa-dev@...>>>>
> <mailto:aaa-dev@... <mailto:aaa-dev@...>
<mailto:aaa-dev@... <mailto:aaa-dev@...>>
> > <mailto:aaa-dev@... <mailto:aaa-dev@...>
<mailto:aaa-dev@... <mailto:aaa-dev@...>>>
> > > <mailto:aaa-dev@... <mailto:aaa-dev@...>
<mailto:aaa-dev@... <mailto:aaa-dev@...>>
<mailto:aaa-dev@... <mailto:aaa-dev@...>
> <mailto:aaa-dev@... <mailto:aaa-dev@...>>>>>
> > > > > https://lists.opendaylight.org/mailman/listinfo/aaa-dev
<https://lists.opendaylight.org/mailman/listinfo/aaa-dev> <https://lists.opendaylight.org/mailman/listinfo/aaa-dev
<https://lists.opendaylight.org/mailman/listinfo/aaa-dev>>
> > <https://lists.opendaylight.org/mailman/listinfo/aaa-dev
<https://lists.opendaylight.org/mailman/listinfo/aaa-dev> <https://lists.opendaylight.org/mailman/listinfo/aaa-dev
<https://lists.opendaylight.org/mailman/listinfo/aaa-dev>>>
> > > <https://lists.opendaylight.org/mailman/listinfo/aaa-dev
<https://lists.opendaylight.org/mailman/listinfo/aaa-dev> <https://lists.opendaylight.org/mailman/listinfo/aaa-dev
<https://lists.opendaylight.org/mailman/listinfo/aaa-dev>>
> <https://lists.opendaylight.org/mailman/listinfo/aaa-dev
<https://lists.opendaylight.org/mailman/listinfo/aaa-dev> <https://lists.opendaylight.org/mailman/listinfo/aaa-dev
<https://lists.opendaylight.org/mailman/listinfo/aaa-dev>>>>
> > <https://lists.opendaylight.org/mailman/listinfo/aaa-dev
<https://lists.opendaylight.org/mailman/listinfo/aaa-dev> <https://lists.opendaylight.org/mailman/listinfo/aaa-dev
<https://lists.opendaylight.org/mailman/listinfo/aaa-dev>>
> <https://lists.opendaylight.org/mailman/listinfo/aaa-dev
<https://lists.opendaylight.org/mailman/listinfo/aaa-dev> <https://lists.opendaylight.org/mailman/listinfo/aaa-dev
<https://lists.opendaylight.org/mailman/listinfo/aaa-dev>>>
> > > <https://lists.opendaylight.org/mailman/listinfo/aaa-dev
<https://lists.opendaylight.org/mailman/listinfo/aaa-dev> <https://lists.opendaylight.org/mailman/listinfo/aaa-dev
<https://lists.opendaylight.org/mailman/listinfo/aaa-dev>>
> <https://lists.opendaylight.org/mailman/listinfo/aaa-dev
<https://lists.opendaylight.org/mailman/listinfo/aaa-dev> <https://lists.opendaylight.org/mailman/listinfo/aaa-dev
<https://lists.opendaylight.org/mailman/listinfo/aaa-dev>>>>>
> > > > >
> > > >
> > > >
> > > > _______________________________________________
> > > > aaa-dev mailing list
> > > > aaa-dev@... <mailto:aaa-dev@...>
<mailto:aaa-dev@... <mailto:aaa-dev@...>>
<mailto:aaa-dev@... <mailto:aaa-dev@...>
> <mailto:aaa-dev@... <mailto:aaa-dev@...>>>
<mailto:aaa-dev@... <mailto:aaa-dev@...>
> <mailto:aaa-dev@... <mailto:aaa-dev@...>>
> > <mailto:aaa-dev@... <mailto:aaa-dev@...>
<mailto:aaa-dev@... <mailto:aaa-dev@...>>>>
> <mailto:aaa-dev@... <mailto:aaa-dev@...>
<mailto:aaa-dev@... <mailto:aaa-dev@...>>
> <mailto:aaa-dev@... <mailto:aaa-dev@...>
<mailto:aaa-dev@... <mailto:aaa-dev@...>>>
> > > <mailto:aaa-dev@... <mailto:aaa-dev@...>
<mailto:aaa-dev@... <mailto:aaa-dev@...>>
> <mailto:aaa-dev@... <mailto:aaa-dev@...>
<mailto:aaa-dev@... <mailto:aaa-dev@...>>>>>
> > > > https://lists.opendaylight.org/mailman/listinfo/aaa-dev
<https://lists.opendaylight.org/mailman/listinfo/aaa-dev>
> <https://lists.opendaylight.org/mailman/listinfo/aaa-dev
<https://lists.opendaylight.org/mailman/listinfo/aaa-dev>>
> <https://lists.opendaylight.org/mailman/listinfo/aaa-dev
<https://lists.opendaylight.org/mailman/listinfo/aaa-dev> <https://lists.opendaylight.org/mailman/listinfo/aaa-dev
<https://lists.opendaylight.org/mailman/listinfo/aaa-dev>>>
> > <https://lists.opendaylight.org/mailman/listinfo/aaa-dev
<https://lists.opendaylight.org/mailman/listinfo/aaa-dev>
> <https://lists.opendaylight.org/mailman/listinfo/aaa-dev
<https://lists.opendaylight.org/mailman/listinfo/aaa-dev>>
> <https://lists.opendaylight.org/mailman/listinfo/aaa-dev
<https://lists.opendaylight.org/mailman/listinfo/aaa-dev> <https://lists.opendaylight.org/mailman/listinfo/aaa-dev
<https://lists.opendaylight.org/mailman/listinfo/aaa-dev>>>>
> > > <https://lists.opendaylight.org/mailman/listinfo/aaa-dev
<https://lists.opendaylight.org/mailman/listinfo/aaa-dev>
> <https://lists.opendaylight.org/mailman/listinfo/aaa-dev
<https://lists.opendaylight.org/mailman/listinfo/aaa-dev>>
> <https://lists.opendaylight.org/mailman/listinfo/aaa-dev
<https://lists.opendaylight.org/mailman/listinfo/aaa-dev> <https://lists.opendaylight.org/mailman/listinfo/aaa-dev
<https://lists.opendaylight.org/mailman/listinfo/aaa-dev>>>
> > <https://lists.opendaylight.org/mailman/listinfo/aaa-dev
<https://lists.opendaylight.org/mailman/listinfo/aaa-dev>
> <https://lists.opendaylight.org/mailman/listinfo/aaa-dev
<https://lists.opendaylight.org/mailman/listinfo/aaa-dev>>
> <https://lists.opendaylight.org/mailman/listinfo/aaa-dev
<https://lists.opendaylight.org/mailman/listinfo/aaa-dev> <https://lists.opendaylight.org/mailman/listinfo/aaa-dev
<https://lists.opendaylight.org/mailman/listinfo/aaa-dev>>>>>
> > > >
> > > >
> > >
> > >
> >
> >
>
>
>
>
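The 500/NPE discussed in this thread, as an added example that is not part of any message here and is not the AAA project's `UserHandler` code: a create-user handler that dereferences an absent optional field, next to one that validates the request and answers 400. The class, method and field handling are hypothetical; the sample requests are constructed, and treating `domainid` as a reference to an existing domain is an assumption taken from the curl calls in the thread.

```java
import java.util.List;
import java.util.Map;
import java.util.Set;

public class UserCreateCheck {
    // Constructed stand-in for the identity store: domains that already exist.
    static final Set<String> DOMAINS = Set.of("sdn", "RyanRocks1");
    // Ids the server assigns itself; a request that carries one is rejected.
    static final Set<String> SERVER_ASSIGNED = Set.of("userid");

    static final class Result {
        final int status;
        final String body;
        Result(int status, String body) { this.status = status; this.body = body; }
        @Override public String toString() { return status + " " + body; }
    }

    // "Before": fields are dereferenced as they arrive. An absent optional
    // field (email) throws NullPointerException; the catch block stands in for
    // the servlet container turning that into an HTTP 500 error page.
    static Result createUnchecked(Map<String, String> req) {
        try {
            String email = req.get("email").trim();   // NPE when the key is absent
            String name = req.get("name").trim();
            return new Result(201, "created " + name + " email='" + email + "'");
        } catch (NullPointerException e) {
            return new Result(500, "Server Error: " + e.getClass().getName());
        }
    }

    // "After": every client mistake maps to a 400 with a reason, optional
    // fields get a default, and nothing is dereferenced before it is checked.
    static Result createValidated(Map<String, String> req) {
        for (String id : SERVER_ASSIGNED) {
            if (req.containsKey(id)) {
                return new Result(400, id + " is assigned by the server and must not be sent");
            }
        }
        String name = req.get("name");
        if (name == null || name.trim().isEmpty()) {
            return new Result(400, "name is required");
        }
        String domain = req.get("domainid");
        if (domain == null || !DOMAINS.contains(domain)) {
            return new Result(400, "domainid must name an existing domain");
        }
        String email = req.getOrDefault("email", "");  // optional, defaults to empty
        return new Result(201, "created " + name.trim() + " in " + domain
                + " email='" + email.trim() + "'");
    }

    public static void main(String[] args) {
        // Constructed sample requests modelled on the curl bodies in the thread.
        List<Map<String, String>> samples = List.of(
            Map.of("name", "Goulding", "description", "The Man", "domainid", "RyanRocks1"),
            Map.of("name", "Goulding", "email", "", "domainid", "RyanRocks1"),
            Map.of("name", "Goulding", "email", "", "domainid", "96"),
            Map.of("name", "Goulding", "email", "", "domainid", "sdn", "userid", "42"));
        for (Map<String, String> req : samples) {
            System.out.println("request keys: " + new java.util.TreeSet<>(req.keySet()));
            System.out.println("  unchecked: " + createUnchecked(req));
            System.out.println("  validated: " + createValidated(req));
        }
    }
}
```

The first sample (no `email` key) is the one that separates the two handlers: 500 from the unchecked path, 201 from the validated one.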



Ryan Goulding <ryandgoulding@...>
 

Hi Jamo et al.,

Just to continue this thread in case anyone is ever looking through archives, I have proposed a fix here [0].  Since ids should be considered an internal detail, I repeated the checks for all other aspects of the AAA data store (grantid, userid, roleid, domainid).  In the case that someone does specify an id, a 400 HTTP error message is returned to the client, since the client request is flawed.  Does this seem like a good approach?

For reference, we are hoping to migrate to an OOB MDSAL based store in Nitrogen.

On Thu, May 4, 2017 at 4:58 PM, Jamo Luhrsen <jluhrsen@...> wrote:
cool beans.

I filed 8282 as well.

I'll get CSIT working like we need it and add an extra test case to NOT use email
which will fail until 8283 is fixed.

Thanks guys,
JamO

On 05/04/2017 01:54 PM, Ryan Goulding wrote:
> [0] https://bugs.opendaylight.org/show_bug.cgi?id=8383
>
> oops :)
>
> Regards,
>
> Ryan Goulding
>
> On Thu, May 4, 2017 at 4:52 PM, Ryan Goulding <ryandgoulding@...> wrote:
>
>     Created [0] and submitted patch [1].  Basically, idmtool.py fills in an email in the request with an empty string.
>     However, the rest endpoint had a bug that we didn't notice since most people just use idmtool.py (if email not provided,
>     NPE occurs).
>
>     Regards,
>
>     Ryan Goulding
>
>     [0] https://github.com/opendaylight/aaa/blob/master/aaa-idmlight/src/main/java/org/opendaylight/aaa/idm/rest/UserHandler.java#L199
>     [1] https://git.opendaylight.org/gerrit/#/c/56558/
>
>     On Thu, May 4, 2017 at 4:35 PM, Jamo Luhrsen <jluhrsen@...> wrote:
>
>         so two things.
>
>         1)
>         I'll open a bug that we should not allow a domain create to specify the domainid.
>
>         2)
>         more importantly, it does not fix my NPE to *not* use a domainid when creating it.
>
>         can one of you try these three curl cmds with your setup to see if maybe I'm crazy:
>
>         curl -u "admin:admin" -X POST -d '{"description":"BeerClubAficionado1","name":"RyanRocks1","enabled":"true"}' -H "Content-Type:application/json" http://$ODL:8181/auth/v1/domains
>
>         curl -u "admin:admin" http://$ODL:8181/auth/v1/domains | python -m json.tool
>
>         curl -u "admin:admin" -X POST -d '{"description":"The Man","name":"Goulding","enabled":"true","domainid":"RyanRocks1"}' -H "Content-Type: application/json" http://$ODL:8181/auth/v1/users
>
>
>
>         JamO
>
>
>
>
>         On 05/04/2017 01:29 PM, Mohamed ElSerngawy wrote:
>         > yes, I agree. I don't know why does it exist in this way
>         >
>         > On Thu, May 4, 2017 at 4:24 PM, Ryan Goulding <ryandgoulding@...> wrote:
>         >
>         >     I'd call that a bug on our side.  If we expose it we ought to honor it if it is there.
>         >
>         >     Regards,
>         >
>         >     Ryan Goulding
>         >
>         >     On Thu, May 4, 2017 at 4:21 PM, Mohamed ElSerngawy <melserngawy@...> wrote:
>         >
>         >         Hi Jamo,
>         >
>         >         You are not supposed to set the domain-id [0].
>         >
>         >         [0]
>         >         https://github.com/opendaylight/aaa/blob/master/aaa-h2-store/src/main/java/org/opendaylight/aaa/h2/persistence/DomainStore.java#L104
>         >
>         >         On Thu, May 4, 2017 at 4:11 PM, Jamo Luhrsen <jluhrsen@...> wrote:
>         >
>         >             wait, I get the sense you missed my first step where I did create a domain. I created it
>         >             with the domainid 96.
>         >
>         >             JamO
>         >
>         >             On 05/04/2017 01:00 PM, Ryan Goulding wrote:
>         >             > It's either going to be the default one (sdn) or one you created.  You can find out which ones exist by:
>         >             >
>         >             > ryan@ubuntu:/code/aaa-nitrogen/karaf/target/assembly$ python bin/idmtool admin list-domains
>         >             > Password:
>         >             > list_domains
>         >             >
>         >             > command succeeded!
>         >             >
>         >             > json:
>         >             > {
>         >             >     "domains": [
>         >             >         {
>         >             >             "description": "default odl sdn domain",
>         >             >             "domainid": "sdn",
>         >             >             "enabled": true,
>         >             >             "name": "sdn"
>         >             >         }
>         >             >     ]
>         >             > }
>         >             > ryan@ubuntu:/code/aaa-nitrogen/karaf/target/assembly$
>         >             >
>         >             > *Note:  it will be python etc/idmtool in Carbon since we didn't get that bug fix in in time.
>         >             >
>         >             > *
>         >             > OR:
>         >             >
>         >             > curl -u "admin:admin" http://$ODL:8181/auth/v1/domains | python -m json.tool
>         >             >
>         >             > if you are using raw REST
>         >             >
>         >             > Regards,
>         >             >
>         >             > Ryan Goulding
>         >             >
>         >             > On Thu, May 4, 2017 at 3:53 PM, Jamo Luhrsen <jluhrsen@...> wrote:
>         >             >
>         >             >     so, when creating a domain you have to use a domain id that already exists? where do I find
>         >             >     that domainid?
>         >             >
>         >             >     JamO
>         >             >
>         >             >     On 05/04/2017 12:51 PM, Ryan Goulding wrote:
>         >             >     > The domain id "96" does not exist.  Probably should be a better error message, but you need to use a domain that exists or
>         >             >     > you will get internal server error.
>         >             >     >
>         >             >     > Regards,
>         >             >     >
>         >             >     > Ryan Goulding
>         >             >     >
>         >             >     > On Thu, Apr 27, 2017 at 5:36 PM, Jamo Luhrsen <jluhrsen@...> wrote:
>         >             >     >
>         >             >     >     (subject changed)
>         >             >     >
>         >             >     >     On 04/27/2017 06:34 AM, Ryan Goulding wrote:
>         >             >     >     > The stuff you are referring to works, JamO, and is completely orthogonal to the issue Luis reports.  If you paste the exact
>         >             >     >     > REST call I can assist.  Also, if you are curious how to use those endpoints, refer to idmtool.py, which just wraps that
>         >             >     >     > interface.  I just tested this morning.
>         >             >     >
>         >             >     >     yeah, if you can help me get it right I'll fix the CSIT. Still, I don't expect a 500/NPE
>         >             >     >     from AAA, so should that be a bug on its own?
>         >             >     >
>         >             >     >     here's kind of my repro, if you can help me know what's wrong:
>         >             >     >
>         >             >     >     # Create a Domain
>         >             >     >
>         >             >     >     14:28 $ curl -u "admin:admin" -X POST -d '{"description":"BeerClubAficionado","domainid":"96","name":"RyanRocks","enabled":"true"}' -H "Content-Type: application/json" http://$ODL:8181/auth/v1/domains
>         >             >     >
>         >             >     >     {"domainid":"RyanRocks","name":"RyanRocks","description":"BeerClubAficionado","enabled":true}
>         >             >     >
>         >             >     >
>         >             >     >
>         >             >     >     # Look at domains (question: why is domainid==name, when I gave a '96' in the create?)
>         >             >     >
>         >             >     >
>         >             >     >     14:30 $ curl -u "admin:admin" http://$ODL:8181/auth/v1/domains | python -m json.tool
>         >             >     >     {
>         >             >     >         "domains": [
>         >             >     >             {
>         >             >     >                 "description": "default odl sdn domain",
>         >             >     >                 "domainid": "sdn",
>         >             >     >                 "enabled": true,
>         >             >     >                 "name": "sdn"
>         >             >     >             },
>         >             >     >             {
>         >             >     >                 "description": "planetary domain",
>         >             >     >                 "domainid": "Alderaan-2017-04-12-17-31",
>         >             >     >                 "enabled": true,
>         >             >     >                 "name": "Alderaan-2017-04-12-17-31"
>         >             >     >             },
>         >             >     >             {
>         >             >     >                 "description": "BeerClubAficionado",
>         >             >     >                 "domainid": "RyanRocks",
>         >             >     >                 "enabled": true,
>         >             >     >                 "name": "RyanRocks"
>         >             >     >             }
>         >             >     >         ]
>         >             >     >     }
>         >             >     >
>         >             >     >
>         >             >     >
>         >             >     >     # add a user to this new domain
>         >             >     >     # first try is using domainid = 96, but get 500/NPE
>         >             >     >     # second try uses domainid = $name, but also get 500/NPE
>         >             >     >
>         >             >     >     ✔ ~
>         >             >     >     14:30 $ curl -u "admin:admin" -X POST -d '{"description":"The Man","name":"Goulding","enabled":"true","domainid":"96"}' -H "Content-Type: application/json" http://$ODL:8181/auth/v1/users
>         >             >     >     <html>
>         >             >     >     <head>
>         >             >     >     <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"/>
>         >             >     >     <title>Error 500 Server Error</title>
>         >             >     >     </head>
>         >             >     >     <body><h2>HTTP ERROR 500</h2>
>         >             >     >     <p>Problem accessing /auth/v1/users. Reason:
>         >             >     >     <pre>    Server Error</pre></p><h3>Caused by:</h3><pre>java.lang.NullPointerException
>         >             >     >             at org.opendaylight.aaa.idm.rest.UserHandler.createUser(UserHandler.java:199)
>         >             >     >     ...
>         >             >     >     <snip>
>         >             >     >     ...
>         >             >     >
>         >             >     >
>         >             >     >
>         >             >     >     14:31 $ curl -u "admin:admin" -X POST -d '{"description":"The Man","name":"Goulding","enabled":"true","domainid":"RyanRocks"}' -H "Content-Type: application/json" http://$ODL:8181/auth/v1/users
>         >             >     >     <html>
>         >             >     >     <head>
>         >             >     >     <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"/>
>         >             >     >     <title>Error 500 Server Error</title>
>         >             >     >     </head>
>         >             >     >     <body><h2>HTTP ERROR 500</h2>
>         >             >     >     <p>Problem accessing /auth/v1/users. Reason:
>         >             >     >     <pre>    Server Error</pre></p><h3>Caused by:</h3><pre>java.lang.NullPointerException
>         >             >     >             at org.opendaylight.aaa.idm.rest.UserHandler.createUser(UserHandler.java:199)
>         >             >     >
>         >             >     >     ...
>         >             >     >     <snip>
>         >             >     >     ...
>         >             >     >
>         >             >     >
>         >             >     >     Thanks,
>         >             >     >     JamO
>         >             >     >
>         >             >     >
>         >             >     >
>         >             >     >     >     1) it does not work in Boron, I get 500 Server error + NPE [1] when I try: POST
>         >             >     >     >     /restconf/operations/aaa-cert-rpc:getODLCertificate
>         >             >     >     >
>         >             >     >     > I'll give it a shot and see what I get.
>         >             >     >     >
>         >             >     >     >     Do we have an idea of what the implications of just reverting that one patch are? Is it likely to work?
>         >             >     >     >
>         >             >     >     >
>         >             >     >     > So far we haven't demonstrated that the patch does anything negative except deprecate some unsafe commands.  Although revert
>         >             >     >     > may probably be easiest from your perspective, there are a lot of people who actually push their tests upstream and avoid
>         >             >     >     > this type of skew.  Let's not start a witch hunt quite yet;  I can pull up quite a few examples of far more risque changes in
>         >             >     >     > service releases ;).
>         >             >     >     >
>         >             >     >     > Regards,
>         >             >     >     >
>         >             >     >     > Ryan Goulding
>         >             >     >     >
>         >             >     >     > On Thu, Apr 27, 2017 at 9:11 AM, Colin Dixon <colin@...> wrote:
>         >             >     >     >
>         >             >     >     >     Do we have an idea of what the implications of just reverting that one patch are? Is it likely to work?
>         >             >     >     >
>         >             >     >     >     --Colin
>         >             >     >     >
>         >             >     >     >     On Wed, Apr 26, 2017 at 11:11 PM Jamo Luhrsen <jluhrsen@...> wrote:
>         >             >     >     >
>         >             >     >     >         btw, I was also trying to help get a broken AAA CSIT job working and ran in to some
>         >             >     >     >         troubles similar symptoms [0] to what Luis is reporting (500/NPE). Luis is playing with
>         >             >     >     >         cert stuff, and my work was in user/domain auth.
>         >             >     >     >
>         >             >     >     >         anyway, wondering if something fundamental is broken?
>         >             >     >     >
>         >             >     >     >         JamO
>         >             >     >     >
>         >             >     >     >         [0] https://lists.opendaylight.org/pipermail/aaa-dev/2017-April/001280.html
>         >             >     >     >
>         >             >     >     >
>         >             >     >     >
>         >             >     >     >         On 04/26/2017 06:21 PM, Luis Gomez wrote:
>         >             >     >     >         > hi guys, I just tested old-aaa-cert feature and couple of things:
>         >             >     >     >         >
>         >             >     >     >         > 1) it does not work in Boron, I get 500 Server error + NPE [1] when I try: POST
>         >             >     >     >         > /restconf/operations/aaa-cert-rpc:getODLCertificate
>         >             >     >     >         >
>         >             >     >     >         > 2) When I try in carbon I see 2 store files: ctl.jks, truststore.jks are created under ~/temp folder. Is it
>         >             >     >     >         > possible to change the path for these files?
>         >             >     >     >         >
>         >             >     >     >         >
>         >             >     >     >         > [1] NPE
>         >             >     >     >         >
>         >             >     >     >         > <html>
>         >             >     >     >         >     <head>
>         >             >     >     >         >         <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"/>
>         >             >     >     >         >         <title>Error 500 Server Error</title>
>         >             >     >     >         >     </head>
>         >             >     >     >         >     <body>
>         >             >     >     >         >         <h2>HTTP ERROR 500</h2>
>         >             >     >     >         >         <p>Problem accessing /restconf/operations/aaa-cert-rpc:getODLCertificate. Reason:
>         >             >     >     >         >
>         >             >     >     >         >             <pre>    Server Error</pre>
>         >             >     >     >         >         </p>
>         >             >     >     >         >         <h3>Caused by:</h3>
>         >             >     >     >         >         <pre>java.lang.NullPointerException
>         >             >     >     >         >       at
>         >             >     org.opendaylight.aaa.cert.impl.AaaCertRpcServiceImpl.getODLCertificate(AaaCertRpcServiceImpl.java:92)
>         >             >     >     >         >       at
>         >             >     >     >
>         >             >     >
>         >             >
>         >
>         org.opendaylight.yangtools.yang.binding.util.RpcMethodInvokerWithoutInput.invokeOn(RpcMethodInvokerWithoutInput.java:30)
>         >             >     >     >         >       at
>         >             >     >     >
>         >             >
>         >
>          org.opendaylight.yangtools.yang.binding.util.AbstractMappedRpcInvoker.invokeRpc(AbstractMappedRpcInvoker.java:52)
>         >             >     >     >         >       at
>         >             >     >     >
>         >             >     >
>         >             >
>         >              org.opendaylight.controller.md
>         <http://org.opendaylight.controller.md>.sal.binding.impl.BindingDOMRpcImplementationAdapter.invoke(BindingDOMRpcImplementationAdapter.java:85)
>         >             >     >     >         >       at
>         >             >     >     >
>         >             >     >
>         >             >
>         >              org.opendaylight.controller.md
>         <http://org.opendaylight.controller.md>.sal.binding.impl.BindingDOMRpcImplementationAdapter.invokeRpc(BindingDOMRpcImplementationAdapter.java:72)
>         >             >     >     >         >       at
>         >             >     >     >
>         >             >     >
>         >             >
>         >              org.opendaylight.controller.md
>         <http://org.opendaylight.controller.md>.sal.dom.broker.impl.GlobalDOMRpcRoutingTableEntry.invokeRpc(GlobalDOMRpcRoutingTableEntry.java:39)
>         >             >     >     >         >       at
>         >             >     >
>         >              org.opendaylight.controller.md
>         <http://org.opendaylight.controller.md>.sal.dom.broker.impl.DOMRpcRoutingTable.invokeRpc(DOMRpcRoutingTable.java:177)
>         >             >     >     >         >       at org.opendaylight.controller.md <http://org.opendaylight.controller.md>
>         >             <http://org.opendaylight.controller.md
>         <http://org.opendaylight.controller.md>>.sal.dom.broker.impl.DOMRpcRouter.invokeRpc(DOMRpcRouter.java:102)
>         >             >     >     >         >       at Proxye69c1788_e30d_4fd8_8d29_f7f08932a9e7.invokeRpc(Unknown Source)
>         >             >     >     >         >       at
>         >             org.opendaylight.netconf.sal.restconf.impl.BrokerFacade.invokeRpc(BrokerFacade.java:506)
>         >             >     >     >         >       at
>         >             org.opendaylight.netconf.sal.restconf.impl.RestconfImpl.invokeRpc(RestconfImpl.java:464)
>         >             >     >     >         >       at
>         >             >     >     >
>         >             >     >
>         >             >
>         >              org.opendaylight.netconf.sal.restconf.impl.StatisticsRestconfServiceWrapper.invokeRpc(StatisticsRestconfServiceWrapper.java:83)
>         >             >     >     >         >       at
>         >             >     >
>         >              org.opendaylight.netconf.sal.rest.impl.RestconfCompositeWrapper.invokeRpc(RestconfCompositeWrapper.java:64)
>         >             >     >     >         >       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>         >             >     >     >         >       at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>         >             >     >     >         >       at
>         >             sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>         >             >     >     >         >       at java.lang.reflect.Method.invoke(Method.java:498)
>         >             >     >     >         >       at
>         >             com.sun.jersey.spi.container.JavaMethodInvokerFactory$1.invoke(JavaMethodInvokerFactory.java:60)
>         >             >     >     >         >       at
>         >             >     >     >
>         >             >     >
>         >             >     com.sun.jersey.server.impl.mo <http://com.sun.jersey.server.impl.mo>
>         >             <http://com.sun.jersey.server.impl.mo
>         <http://com.sun.jersey.server.impl.mo>>del.method.dispatch.AbstractResourceMethodDispatchProvider$TypeOutInvoker._dispatch(AbstractResourceMethodDispatchProvider.java:185)
>         >             >     >     >         >       at
>         >             >     >     >
>         >             >     >
>         >             >     com.sun.jersey.server.impl.mo <http://com.sun.jersey.server.impl.mo>
>         >             <http://com.sun.jersey.server.impl.mo
>         <http://com.sun.jersey.server.impl.mo>>del.method.dispatch.ResourceJavaMethodDispatcher.dispatch(ResourceJavaMethodDispatcher.java:75)
>         >             >     >     >         >       at
>         com.sun.jersey.server.impl.uri.rules.HttpMethodRule.accept(HttpMethodRule.java:302)
>         >             >     >     >         >       at
>         >             com.sun.jersey.server.impl.uri.rules.RightHandPathRule.accept(RightHandPathRule.java:147)
>         >             >     >     >         >       at
>         >             com.sun.jersey.server.impl.uri.rules.ResourceObjectRule.accept(ResourceObjectRule.java:100)
>         >             >     >     >         >       at
>         >             com.sun.jersey.server.impl.uri.rules.RightHandPathRule.accept(RightHandPathRule.java:147)
>         >             >     >     >         >       at
>         >             >     com.sun.jersey.server.impl.uri.rules.RootResourceClassesRule.accept(RootResourceClassesRule.java:84)
>         >             >     >     >         >       at
>         >             >
>          com.sun.jersey.server.impl.application.WebApplicationImpl._handleRequest(WebApplicationImpl.java:1511)
>         >             >     >     >         >       at
>         >             >
>          com.sun.jersey.server.impl.application.WebApplicationImpl._handleRequest(WebApplicationImpl.java:1442)
>         >             >     >     >         >       at
>         >             >     com.sun.jersey.server.impl.application.WebApplicationImpl.handleRequest(WebApplicationImpl.java:1391)
>         >             >     >     >         >       at
>         >             >     com.sun.jersey.server.impl.application.WebApplicationImpl.handleRequest(WebApplicationImpl.java:1381)
>         >             >     >     >         >       at
>         com.sun.jersey.spi.container.servlet.WebComponent.service(WebComponent.java:416)
>         >             >     >     >         >       at
>         >             com.sun.jersey.spi.container.servlet.ServletContainer.service(ServletContainer.java:538)
>         >             >     >     >         >       at
>         >             com.sun.jersey.spi.container.servlet.ServletContainer.service(ServletContainer.java:716)
>         >             >     >     >         >       at javax.servlet.http.HttpServlet.service(HttpServlet.java:668)
>         >             >     >     >         >       at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:684)
>         >             >     >     >         >       at
>         >             org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1507)
>         >             >     >     >         >       at
>         org.eclipse.jetty.servlets.CrossOriginFilter.handle(CrossOriginFilter.java:247)
>         >             >     >     >         >       at
>         org.eclipse.jetty.servlets.CrossOriginFilter.doFilter(CrossOriginFilter.java:210)
>         >             >     >     >         >       at
>         >             org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1478)
>         >             >     >     >         >       at
>         org.eclipse.jetty.servlets.UserAgentFilter.doFilter(UserAgentFilter.java:82)
>         >             >     >     >         >       at org.eclipse.jetty.servlets.GzipFilter.doFilter(GzipFilter.java:256)
>         >             >     >     >         >       at
>         >             org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1478)
>         >             >     >     >         >       at
>         >             org.opendaylight.aaa.filterchain.filters.CustomFilterAdapter.doFilter(CustomFilterAdapter.java:85)
>         >             >     >     >         >       at
>         >             org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1478)
>         >             >     >     >         >       at
>         org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:61)
>         >             >     >     >         >       at
>         org.apache.shiro.web.servlet.AdviceFilter.executeChain(AdviceFilter.java:108)
>         >             >     >     >         >       at
>         org.apache.shiro.web.servlet.AdviceFilter.doFilterInternal(AdviceFilter.java:137)
>         >             >     >     >         >       at
>         >             org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)
>         >             >     >     >         >       at
>         org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:66)
>         >             >     >     >         >       at
>         org.apache.shiro.web.servlet.AdviceFilter.executeChain(AdviceFilter.java:108)
>         >             >     >     >         >       at
>         org.apache.shiro.web.servlet.AdviceFilter.doFilterInternal(AdviceFilter.java:137)
>         >             >     >     >         >       at
>         >             org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)
>         >             >     >     >         >       at
>         org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:66)
>         >             >     >     >         >       at
>         >             org.apache.shiro.web.servlet.AbstractShiroFilter.executeChain(AbstractShiroFilter.java:449)
>         >             >     >     >         >       at
>         >             org.apache.shiro.web.servlet.AbstractShiroFilter$1.call(AbstractShiroFilter.java:365)
>         >             >     >     >         >       at
>         org.apache.shiro.subject.support.SubjectCallable.doCall(SubjectCallable.java:90)
>         >             >     >     >         >       at
>         org.apache.shiro.subject.support.SubjectCallable.call(SubjectCallable.java:83)
>         >             >     >     >         >       at
>         >             org.apache.shiro.subject.support.DelegatingSubject.execute(DelegatingSubject.java:383)
>         >             >     >     >         >       at
>         >             org.apache.shiro.web.servlet.AbstractShiroFilter.doFilterInternal(AbstractShiroFilter.java:362)
>         >             >     >     >         >       at
>         >             org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)
>         >             >     >     >         >       at
>         >             org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1478)
>         >             >     >     >         >       at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:499)
>         >             >     >     >         >       at
>         >             >     >
>         >
>         org.ops4j.pax.web.service.jetty.internal.HttpServiceServletHandler.doHandle(HttpServiceServletHandler.java:69)
>         >             >     >     >         >       at
>         org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:137)
>         >             >     >     >         >       at
>         org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:557)
>         >             >     >     >         >       at
>         org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:231)
>         >             >     >     >         >       at
>         org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1086)
>         >             >     >     >         >       at
>         >             org.ops4j.pax.web.service.jetty.internal.HttpServiceContext.doHandle(HttpServiceContext.java:240)
>         >             >     >     >         >       at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:427)
>         >             >     >     >         >       at
>         org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:193)
>         >             >     >     >         >       at
>         org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1020)
>         >             >     >     >         >       at
>         org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:135)
>         >             >     >     >         >       at
>         >             >     >     >
>         >             >
>         >
>          org.ops4j.pax.web.service.jetty.internal.JettyServerHandlerCollection.handle(JettyServerHandlerCollection.java:75)
>         >             >     >     >         >       at
>         org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:116)
>         >             >     >     >         >       at org.eclipse.jetty.server.Server.handle(Server.java:370)
>         >             >     >     >         >       at
>         >             org.eclipse.jetty.server.AbstractHttpConnection.handleRequest(AbstractHttpConnection.java:494)
>         >             >     >     >         >       at
>         >             org.eclipse.jetty.server.AbstractHttpConnection.headerComplete(AbstractHttpConnection.java:973)
>         >             >     >     >         >       at
>         >             >     >     >
>         >             >
>         >
>          org.eclipse.jetty.server.AbstractHttpConnection$RequestHandler.headerComplete(AbstractHttpConnection.java:1035)
>         >             >     >     >         >       at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:641)
>         >             >     >     >         >       at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:231)
>         >             >     >     >         >       at
>         org.eclipse.jetty.server.AsyncHttpConnection.handle(AsyncHttpConnection.java:82)
>         >             >     >     >         >       at
>         >             org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEndPoint.java:696)
>         >             >     >     >         >       at
>         org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEndPoint.java:53)
>         >             >     >     >         >       at
>         org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:608)
>         >             >     >     >         >       at
>         org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:543)
>         >             >     >     >         >       at java.lang.Thread.run(Thread.java:745)
>         >             >     >     >         >
>         >             >     >     >         >
>         >             >     >     >         >
>         >             >     >     >         >
>         >             >     >     >         >
>         >             >     >     >         >> On Apr 26, 2017, at 12:50 PM, Mohamed ElSerngawy <melserngawy@...> wrote:
>         >             >     >     >         >>
>         >             >     >     >         >> Hi Colin,
>         >             >     >     >         >>
>         >             >     >     >         >> You are not supposed to use them after the changes that we made in the patch. Basically these functionalities
>         >             >     >     >         >> were there because the keystores needed to be generated after starting ODL. But now, the keystore will be
>         >             >     >     >         >> created once you install the aaa-cert feature. Keeping these functionalities could create a serious
>         >             >     >     >         >> security threat.
>         >             >     >     >         >>
>         >             >     >     >         >> BR
>         >             >     >     >         >>
>         >             >     >     >         >> On Wed, Apr 26, 2017 at 3:40 PM, Colin Dixon <colin@...> wrote:
>         >             >     >     >         >> Putting the argument about what should go in an SR aside for the moment, is there a straightforward way to
>         >             >     >     >         >> access the functionality that was provided by the removed commands? Specifically gen-odl-ks and gen-trust-ks?
>         >             >     >     >         >>
>         >             >     >     >         >> --Colin
>         >             >     >     >         >>
>         >             >     >     >         >> On Wed, Apr 26, 2017 at 3:15 PM Ryan Goulding <ryandgoulding@...> wrote:
>         >             >     >     >         >> which is probably not in the spirit of SRs
>         >             >     >     >         >>
>         >             >     >     >         >> This was done for both usability and security purposes, as I explained via Skype already.  The security
>         >             >     >     >         >> advantages alone make it justifiable IMHO.
>         >             >     >     >         >>
>         >             >     >     >         >>  While we're somewhat less strict about adding features in SRs, taking them out without a lot of warning and
>         >             >     >     >         >> notice is pretty much the definition of what we try to never do in SRs.
>         >             >     >     >         >>
>         >             >     >     >         >> This isn't a feature, it is CLI.
>         >             >     >     >         >>
>         >             >     >     >         >>  This patch seems to be the issue:
>         >             >     >     >         >> https://git.opendaylight.org/gerrit/#/c/51649/
>         >             >     >     >         >>
>         >             >     >     >         >> Yes, if you look at the bug actually, a member from your team commented on it [0] so I'd argue that it was at
>         >             >     >     >         >> least somewhat well known ;).  Reverting it shouldn't be particularly hard, but it could open you up to some
>         >             >     >     >         >> security issues in your downstream distro!
>         >             >     >     >         >>
>         >             >     >     >         >> Regards,
>         >             >     >     >         >>
>         >             >     >     >         >> Ryan Goulding
>         >             >     >     >         >>
>         >             >     >     >         >> [0] https://bugs.opendaylight.org/show_bug.cgi?id=7774
>         >             >     >     >         >>
>         >             >     >     >         >> On Wed, Apr 26, 2017 at 3:03 PM, Colin Dixon <colin@...> wrote:
>         >             >     >     >         >> So, in some downstream testing at Brocade we found that the AAA CLI commands were changed somewhat drastically
>         >             >     >     >         >> between Boron-SR2 and Boron-SR3, which is probably not in the spirit of SRs. While we're somewhat less strict
>         >             >     >     >         >> about adding features in SRs, taking them out without a lot of warning and notice is pretty much the
>         >             >     >     >         >> definition of what we try to never do in SRs.
>         >             >     >     >         >>
>         >             >     >     >         >> That being said, we're trying to make the best of it and looking for help in understanding how to get the
>         >             >     >     >         >> functionality we rely on from AAA back in Boron-SR3.
>         >             >     >     >         >>
>         >             >     >     >         >> This patch seems to be the issue:
>         >             >     >     >         >> https://git.opendaylight.org/gerrit/#/c/51649/
>         >             >     >     >         >>
>         >             >     >     >         >> Is there somebody that can comment on how we might recover the functionality that used to be provided by the
>         >             >     >     >         >> gen-odl-ks and gen-trust-ks CLI commands? Would simply reverting that patch work or would it break other
>         >             >     >     >         >> things as well?
>         >             >     >     >         >>
>         >             >     >     >         >> Thanks,
>         >             >     >     >         >> --Colin
>         >             >     >     >         >>
>         >             >     >     >         >>
>         >             >     >     >         >> _______________________________________________
>         >             >     >     >         >> aaa-dev mailing list
>         >             >     >     >         >> aaa-dev@...
>         >             >     >     >         >> https://lists.opendaylight.org/mailman/listinfo/aaa-dev


Jamo Luhrsen <jluhrsen@...>
 

Thanks Ryan,

and from my side, here is a topic-branch to try and breathe some life back in
to that CSIT job:

https://git.opendaylight.org/gerrit/#/q/status:open+project:integration/test+branch:master+topic:aaa-needs-help

JamO

On 05/05/2017 10:06 AM, Ryan Goulding wrote:
Hi Jamo et al.,

Just to continue this thread in case anyone is ever looking through archives, I have proposed a fix here [0]. Since ids
should be considered an internal detail, I repeated the checks for all other aspects of the AAA data store (grantid, userid,
roleid, domainid). In the case that someone does specify an id, a 400 HTTP error message is returned to the client, since
the client request is flawed. Does this seem like a good approach?

For reference, we are hoping to migrate to an OOB MDSAL based store in Nitrogen.

Regards,

Ryan Goulding

[0] https://git.opendaylight.org/gerrit/#/c/56607

On Thu, May 4, 2017 at 4:58 PM, Jamo Luhrsen <jluhrsen@...> wrote:

cool beans.

I filed 8282 as well.

I'll get CSIT working like we need it and add an extra test case to NOT use email
which will fail until 8283 is fixed.

Thanks guys,
JamO

On 05/04/2017 01:54 PM, Ryan Goulding wrote:
> [0] https://bugs.opendaylight.org/show_bug.cgi?id=8383
>
> oops :)
>
> Regards,
>
> Ryan Goulding
>
> On Thu, May 4, 2017 at 4:52 PM, Ryan Goulding <ryandgoulding@...> wrote:
>
> Created [0] and submitted patch [1]. Basically, idmtool.py fills in an email in the request with an empty string.
> However, the rest endpoint had a bug that we didn't notice since most people just use idmtool.py (if email not provided,
> NPE occurs).
>
> Regards,
>
> Ryan Goulding
>
> [0] https://github.com/opendaylight/aaa/blob/master/aaa-idmlight/src/main/java/org/opendaylight/aaa/idm/rest/UserHandler.java#L199
> [1] https://git.opendaylight.org/gerrit/#/c/56558/
>
> On Thu, May 4, 2017 at 4:35 PM, Jamo Luhrsen <jluhrsen@...> wrote:
>
> so two things.
>
> 1)
> I'll open a bug that we should not allow a domain create to specify the domainid.
>
> 2)
> more importantly, it does not fix my NPE to *not* use a domainid when creating it.
>
> can one of you try these three curl cmds with your setup to see if maybe I'm crazy:
>
> curl -u "admin:admin" -X POST -d '{"description":"BeerClubAficionado1","name":"RyanRocks1","enabled":"true"}' -H "Content-Type:application/json" http://$ODL:8181/auth/v1/domains
>
> curl -u "admin:admin" http://$ODL:8181/auth/v1/domains | python -m json.tool
>
> curl -u "admin:admin" -X POST -d '{"description":"The Man","name":"Goulding","enabled":"true","domainid":"RyanRocks1"}' -H "Content-Type: application/json" http://$ODL:8181/auth/v1/users
>
>
>
> JamO
>
>
>
>
> On 05/04/2017 01:29 PM, Mohamed ElSerngawy wrote:
> > yes, I agree. I don't know why it exists in this way
> >
> > On Thu, May 4, 2017 at 4:24 PM, Ryan Goulding <ryandgoulding@...> wrote:
> >
> > I'd call that a bug on our side. If we expose it we ought to honor it if it is there.
> >
> > Regards,
> >
> > Ryan Goulding
> >
> > On Thu, May 4, 2017 at 4:21 PM, Mohamed ElSerngawy <melserngawy@...> wrote:
> >
> > Hi Jamo,
> >
> > You are not supposed to set the domain-id [0].
> >
> > [0] https://github.com/opendaylight/aaa/blob/master/aaa-h2-store/src/main/java/org/opendaylight/aaa/h2/persistence/DomainStore.java#L104
> >
> > On Thu, May 4, 2017 at 4:11 PM, Jamo Luhrsen <jluhrsen@...> wrote:
> >
> > wait, I get the sense you missed my first step where I did create a domain. I created it
> > with the domainid 96.
> >
> > JamO
> >
> > On 05/04/2017 01:00 PM, Ryan Goulding wrote:
> > > It's either going to be the default one (sdn) or one you created. You can find out which ones exist by:
> > >
> > > ryan@ubuntu:/code/aaa-nitrogen/karaf/target/assembly$ python bin/idmtool admin list-domains
> > > Password:
> > > list_domains
> > >
> > > command succeeded!
> > >
> > > json:
> > > {
> > > "domains": [
> > > {
> > > "description": "default odl sdn domain",
> > > "domainid": "sdn",
> > > "enabled": true,
> > > "name": "sdn"
> > > }
> > > ]
> > > }
> > > ryan@ubuntu:/code/aaa-nitrogen/karaf/target/assembly$
> > >