(subject changed)

On 04/27/2017 06:34 AM, Ryan Goulding wrote:
> The stuff you are referring to works, JamO, and is completely orthogonal to the issue Luis reports.  If you paste the exact
> REST call I can assist.  Also, if you are curious how to use those endpoints, refer to idmtool.py, which just wraps that
> interface.  I just tested this morning.

yeah, if you can help me get it right I'll fix the CSIT. Still, I don't expect a 500/NPE
from AAA, so should that be a bug on it's own?

here's kind of my repro, if you can help me know what's wrong:

# Create a Domain

14:28 $ curl -u "admin:admin" -X POST -d
'{"description":"BeerClubAficionado","domainid":"96","name":"RyanRocks","enabled":"true"}' -H "Content-Type:
application/json" http://$ODL:8181/auth/v1/domains

{"domainid":"RyanRocks","name":"RyanRocks","description":"BeerClubAficionado","enabled":true}



# Look at domains (question: why is domainid==name, when I gave a '96' in the create?)


14:30 $ curl -u "admin:admin" http://$ODL:8181/auth/v1/domains | python -m json.tool
{
    "domains": [
        {
            "description": "default odl sdn domain",
            "domainid": "sdn",
            "enabled": true,
            "name": "sdn"
        },
        {
            "description": "planetary domain",
            "domainid": "Alderaan-2017-04-12-17-31",
            "enabled": true,
            "name": "Alderaan-2017-04-12-17-31"
        },
        {
            "description": "BeerClubAficionado",
            "domainid": "RyanRocks",
            "enabled": true,
            "name": "RyanRocks"
        }
    ]
}



# add a user to this new domain
# first try is using domainid = 96, but get 500/NPE
# second try uses domainid = $name, but also get 500/NPE

✔ ~
14:30 $ curl -u "admin:admin" -X POST -d '{"description":"The Man","name":"Goulding","enabled":"true","domainid":"96"}' -H
"Content-Type: application/json" http://$ODL:8181/auth/v1/users
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"/>
<title>Error 500 Server Error</title>
</head>
<body><h2>HTTP ERROR 500</h2>
<p>Problem accessing /auth/v1/users. Reason:
<pre>    Server Error</pre></p><h3>Caused by:</h3><pre>java.lang.NullPointerException
        at org.opendaylight.aaa.idm.rest.UserHandler.createUser(UserHandler.java:199)
...
<snip>
...



14:31 $ curl -u "admin:admin" -X POST -d '{"description":"The
Man","name":"Goulding","enabled":"true","domainid":"RyanRocks"}' -H "Content-Type: application/json"
http://$ODL:8181/auth/v1/users
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"/>
<title>Error 500 Server Error</title>
</head>
<body><h2>HTTP ERROR 500</h2>
<p>Problem accessing /auth/v1/users. Reason:
<pre>    Server Error</pre></p><h3>Caused by:</h3><pre>java.lang.NullPointerException
        at org.opendaylight.aaa.idm.rest.UserHandler.createUser(UserHandler.java:199)

...
<snip>
...


Thanks,
JamO



>     1) it does not work in Boron, I get 500 Server error + NPE [1] when I try: POST
>     /restconf/operations/aaa-cert-rpc:getODLCertificate
>
> I'll give it a shot and see what I get.
>
>     Do we have an idea of what the implications of just reverting that one patch are? Is it likely to work?
>
>
> So far we haven't demonstrated that the patch does anything negative except deprecate some unsafe commands.  Although revert
> may probably be easiest from your perspective, there are a lot of people who actually push their tests upstream and avoid
> this type of skew.  Let's not start a witch hunt quite yet;  I can pull up quite a few examples of far more risque changes in
> service releases ;).
>
> Regards,
>
> Ryan Goulding
>
> On Thu, Apr 27, 2017 at 9:11 AM, Colin Dixon <colin@... <mailto:colin@...>> wrote:
>
>     Do we have an idea of what the implications of just reverting that one patch are? Is it likely to work?
>
>     --Colin
>
>     On Wed, Apr 26, 2017 at 11:11 PM Jamo Luhrsen <jluhrsen@... <mailto:jluhrsen@...>> wrote:
>
>         btw, I was also trying to help get a broken AAA CSIT job working and ran in to some
>         troubles similar symptoms [0] to what Luis is reporting (500/NPE). Luis is playing with
>         cert stuff, and my work was in user/domain auth.
>
>         anyway, wondering if something fundamental is broken?
>
>         JamO
>
>         [0] https://lists.opendaylight.org/pipermail/aaa-dev/2017-April/001280.html
>         <https://lists.opendaylight.org/pipermail/aaa-dev/2017-April/001280.html>
>
>
>
>         On 04/26/2017 06:21 PM, Luis Gomez wrote:
>         > hi guys, I just tested old-aaa-cert feature and couple of things:
>         >
>         > 1) it does not work in Boron, I get 500 Server error + NPE [1] when I try: POST
>         /restconf/operations/aaa-cert-rpc:getODLCertificate
>         >
>         > 2) When I try in carbon I see 2 store files: ctl.jks, truststore.jks are created under ~/temp folder. Is it
>         possible to change the path for these files?
>         >
>         >
>         > [1] NPE
>         >
>         > <html>
>         >     <head>
>         >         <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"/>
>         >         <title>Error 500 Server Error</title>
>         >     </head>
>         >     <body>
>         >         <h2>HTTP ERROR 500</h2>
>         >         <p>Problem accessing /restconf/operations/aaa-cert-rpc:getODLCertificate. Reason:
>         >
>         >             <pre>    Server Error</pre>
>         >         </p>
>         >         <h3>Caused by:</h3>
>         >         <pre>java.lang.NullPointerException
>         >       at org.opendaylight.aaa.cert.impl.AaaCertRpcServiceImpl.getODLCertificate(AaaCertRpcServiceImpl.java:92)
>         >       at
>         org.opendaylight.yangtools.yang.binding.util.RpcMethodInvokerWithoutInput.invokeOn(RpcMethodInvokerWithoutInput.java:30)
>         >       at
>         org.opendaylight.yangtools.yang.binding.util.AbstractMappedRpcInvoker.invokeRpc(AbstractMappedRpcInvoker.java:52)
>         >       at
>         org.opendaylight.controller.md.sal.binding.impl.BindingDOMRpcImplementationAdapter.invoke(BindingDOMRpcImplementationAdapter.java:85)
>         >       at
>         org.opendaylight.controller.md.sal.binding.impl.BindingDOMRpcImplementationAdapter.invokeRpc(BindingDOMRpcImplementationAdapter.java:72)
>         >       at
>         org.opendaylight.controller.md.sal.dom.broker.impl.GlobalDOMRpcRoutingTableEntry.invokeRpc(GlobalDOMRpcRoutingTableEntry.java:39)
>         >       at org.opendaylight.controller.md.sal.dom.broker.impl.DOMRpcRoutingTable.invokeRpc(DOMRpcRoutingTable.java:177)
>         >       at org.opendaylight.controller.md.sal.dom.broker.impl.DOMRpcRouter.invokeRpc(DOMRpcRouter.java:102)
>         >       at Proxye69c1788_e30d_4fd8_8d29_f7f08932a9e7.invokeRpc(Unknown Source)
>         >       at org.opendaylight.netconf.sal.restconf.impl.BrokerFacade.invokeRpc(BrokerFacade.java:506)
>         >       at org.opendaylight.netconf.sal.restconf.impl.RestconfImpl.invokeRpc(RestconfImpl.java:464)
>         >       at
>         org.opendaylight.netconf.sal.restconf.impl.StatisticsRestconfServiceWrapper.invokeRpc(StatisticsRestconfServiceWrapper.java:83)
>         >       at org.opendaylight.netconf.sal.rest.impl.RestconfCompositeWrapper.invokeRpc(RestconfCompositeWrapper.java:64)
>         >       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>         >       at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>         >       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>         >       at java.lang.reflect.Method.invoke(Method.java:498)
>         >       at com.sun.jersey.spi.container.JavaMethodInvokerFactory$1.invoke(JavaMethodInvokerFactory.java:60)
>         >       at
>         com.sun.jersey.server.impl.model.method.dispatch.AbstractResourceMethodDispatchProvider$TypeOutInvoker._dispatch(AbstractResourceMethodDispatchProvider.java:185)
>         >       at
>         com.sun.jersey.server.impl.model.method.dispatch.ResourceJavaMethodDispatcher.dispatch(ResourceJavaMethodDispatcher.java:75)
>         >       at com.sun.jersey.server.impl.uri.rules.HttpMethodRule.accept(HttpMethodRule.java:302)
>         >       at com.sun.jersey.server.impl.uri.rules.RightHandPathRule.accept(RightHandPathRule.java:147)
>         >       at com.sun.jersey.server.impl.uri.rules.ResourceObjectRule.accept(ResourceObjectRule.java:100)
>         >       at com.sun.jersey.server.impl.uri.rules.RightHandPathRule.accept(RightHandPathRule.java:147)
>         >       at com.sun.jersey.server.impl.uri.rules.RootResourceClassesRule.accept(RootResourceClassesRule.java:84)
>         >       at com.sun.jersey.server.impl.application.WebApplicationImpl._handleRequest(WebApplicationImpl.java:1511)
>         >       at com.sun.jersey.server.impl.application.WebApplicationImpl._handleRequest(WebApplicationImpl.java:1442)
>         >       at com.sun.jersey.server.impl.application.WebApplicationImpl.handleRequest(WebApplicationImpl.java:1391)
>         >       at com.sun.jersey.server.impl.application.WebApplicationImpl.handleRequest(WebApplicationImpl.java:1381)
>         >       at com.sun.jersey.spi.container.servlet.WebComponent.service(WebComponent.java:416)
>         >       at com.sun.jersey.spi.container.servlet.ServletContainer.service(ServletContainer.java:538)
>         >       at com.sun.jersey.spi.container.servlet.ServletContainer.service(ServletContainer.java:716)
>         >       at javax.servlet.http.HttpServlet.service(HttpServlet.java:668)
>         >       at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:684)
>         >       at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1507)
>         >       at org.eclipse.jetty.servlets.CrossOriginFilter.handle(CrossOriginFilter.java:247)
>         >       at org.eclipse.jetty.servlets.CrossOriginFilter.doFilter(CrossOriginFilter.java:210)
>         >       at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1478)
>         >       at org.eclipse.jetty.servlets.UserAgentFilter.doFilter(UserAgentFilter.java:82)
>         >       at org.eclipse.jetty.servlets.GzipFilter.doFilter(GzipFilter.java:256)
>         >       at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1478)
>         >       at org.opendaylight.aaa.filterchain.filters.CustomFilterAdapter.doFilter(CustomFilterAdapter.java:85)
>         >       at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1478)
>         >       at org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:61)
>         >       at org.apache.shiro.web.servlet.AdviceFilter.executeChain(AdviceFilter.java:108)
>         >       at org.apache.shiro.web.servlet.AdviceFilter.doFilterInternal(AdviceFilter.java:137)
>         >       at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)
>         >       at org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:66)
>         >       at org.apache.shiro.web.servlet.AdviceFilter.executeChain(AdviceFilter.java:108)
>         >       at org.apache.shiro.web.servlet.AdviceFilter.doFilterInternal(AdviceFilter.java:137)
>         >       at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)
>         >       at org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:66)
>         >       at org.apache.shiro.web.servlet.AbstractShiroFilter.executeChain(AbstractShiroFilter.java:449)
>         >       at org.apache.shiro.web.servlet.AbstractShiroFilter$1.call(AbstractShiroFilter.java:365)
>         >       at org.apache.shiro.subject.support.SubjectCallable.doCall(SubjectCallable.java:90)
>         >       at org.apache.shiro.subject.support.SubjectCallable.call(SubjectCallable.java:83)
>         >       at org.apache.shiro.subject.support.DelegatingSubject.execute(DelegatingSubject.java:383)
>         >       at org.apache.shiro.web.servlet.AbstractShiroFilter.doFilterInternal(AbstractShiroFilter.java:362)
>         >       at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)
>         >       at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1478)
>         >       at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:499)
>         >       at org.ops4j.pax.web.service.jetty.internal.HttpServiceServletHandler.doHandle(HttpServiceServletHandler.java:69)
>         >       at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:137)
>         >       at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:557)
>         >       at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:231)
>         >       at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1086)
>         >       at org.ops4j.pax.web.service.jetty.internal.HttpServiceContext.doHandle(HttpServiceContext.java:240)
>         >       at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:427)
>         >       at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:193)
>         >       at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1020)
>         >       at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:135)
>         >       at
>         org.ops4j.pax.web.service.jetty.internal.JettyServerHandlerCollection.handle(JettyServerHandlerCollection.java:75)
>         >       at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:116)
>         >       at org.eclipse.jetty.server.Server.handle(Server.java:370)
>         >       at org.eclipse.jetty.server.AbstractHttpConnection.handleRequest(AbstractHttpConnection.java:494)
>         >       at org.eclipse.jetty.server.AbstractHttpConnection.headerComplete(AbstractHttpConnection.java:973)
>         >       at
>         org.eclipse.jetty.server.AbstractHttpConnection$RequestHandler.headerComplete(AbstractHttpConnection.java:1035)
>         >       at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:641)
>         >       at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:231)
>         >       at org.eclipse.jetty.server.AsyncHttpConnection.handle(AsyncHttpConnection.java:82)
>         >       at org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEndPoint.java:696)
>         >       at org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEndPoint.java:53)
>         >       at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:608)
>         >       at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:543)
>         >       at java.lang.Thread.run(Thread.java:745)
>         >
>         >
>         >
>         >
>         >
>         >> On Apr 26, 2017, at 12:50 PM, Mohamed ElSerngawy <melserngawy@... <mailto:melserngawy@...>> wrote:
>         >>
>         >> Hi Colin,
>         >>
>         >> You are not suppose to use them after the changes that we made in the patch. Basically these functionalities were
>         there because of the keystores need to be generated after starting ODL. But now, the keystore will be created once
>         you install the aaa-cert feature. keeping this functionalities could make a serious security thread.
>         >>
>         >> BR
>         >>
>         >> On Wed, Apr 26, 2017 at 3:40 PM, Colin Dixon <colin@... <mailto:colin@...>> wrote:
>         >> Putting the argument about what should go in an SR aside for the moment, is there a straightforward way to access
>         the functionality that was provided by the removed commands? Specifically gen-odl-ks and gen-trust-ks?
>         >>
>         >> --Colin
>         >>
>         >> On Wed, Apr 26, 2017 at 3:15 PM Ryan Goulding <ryandgoulding@... <mailto:ryandgoulding@gmail.com>> wrote:
>         >> which is probably not in the spirit of SRs
>         >>
>         >> This was done for both usability and security purposes, as I explained via Skype already.  The security advantages
>         alone make it justifiable IMHO.
>         >>
>         >>  While we're somewhat less strict about adding features in SRs. Taking them out without a lot of warning and
>         notice is pretty much the definition of what we try to never do in SRs.j
>         >>
>         >> This isn't a feature, it is CLI.
>         >>
>         >>  This patch seems to be the issue:
>         >> https://git.opendaylight.org/gerrit/#/c/51649/ <https://git.opendaylight.org/gerrit/#/c/51649/>
>         >>
>         >> Yes, if you look at the bug actually, a member from your team commented on it [0] so I'd argue that it was at
>         least somewhat well known ;).  Reverting it shouldn't be particularly hard, but it could open you open to some
>         security issues in your downstream distro!
>         >>
>         >> Regards,
>         >>
>         >> Ryan Goulding
>         >>
>         >> [0] https://bugs.opendaylight.org/show_bug.cgi?id=7774 <https://bugs.opendaylight.org/show_bug.cgi?id=7774>
>         >>
>         >> On Wed, Apr 26, 2017 at 3:03 PM, Colin Dixon <colin@... <mailto:colin@...>> wrote:
>         >> So, in some downstream testing at Brocade we found that the AAA CLI commands were changed somewhat drastically
>         between Boron-SR2 and Boron-SR3, which is probably not in the spirit of SRs. While we're somewhat less strict about
>         adding features in SRs. Taking them out without a lot of warning and notice is pretty much the definition of what we
>         try to never do in SRs.
>         >>
>         >> That being said, we're trying to make the best of it and looking for help in understanding how to get the
>         functionality we rely on from AAA back in Boron-SR3.
>         >>
>         >> This patch seems to be the issue:
>         >> https://git.opendaylight.org/gerrit/#/c/51649/ <https://git.opendaylight.org/gerrit/#/c/51649/>
>         >>
>         >> Is there somebody that can comment on how we might recover the functionality that used to be provided by the
>         gen-odl-ks and gen-trust-ks CLI commands? Would simply reverting that patch work or would it break other things as well?
>         >>
>         >> Thanks,
>         >> --Colin
>         >>
>         >>
>         >> _______________________________________________
>         >> aaa-dev mailing list
>         >> aaa-dev@... <mailto:aaa-dev@lists.opendaylight.org>
>         >> https://lists.opendaylight.org/mailman/listinfo/aaa-dev <https://lists.opendaylight.org/mailman/listinfo/aaa-dev>
>         >>
>         >>
>         >>
>         >> _______________________________________________
>         >> aaa-dev mailing list
>         >> aaa-dev@... <mailto:aaa-dev@lists.opendaylight.org>
>         >> https://lists.opendaylight.org/mailman/listinfo/aaa-dev <https://lists.opendaylight.org/mailman/listinfo/aaa-dev>
>         >
>         > _______________________________________________
>         > aaa-dev mailing list
>         > aaa-dev@... <mailto:aaa-dev@lists.opendaylight.org>
>         > https://lists.opendaylight.org/mailman/listinfo/aaa-dev <https://lists.opendaylight.org/mailman/listinfo/aaa-dev>
>         >
>
>
>     _______________________________________________
>     aaa-dev mailing list
>     aaa-dev@... <mailto:aaa-dev@lists.opendaylight.org>
>     https://lists.opendaylight.org/mailman/listinfo/aaa-dev <https://lists.opendaylight.org/mailman/listinfo/aaa-dev>
>
>

so, when creating a domain you have to use a domain id that already exists? where do I find
that domainid?

JamO

On 05/04/2017 12:51 PM, Ryan Goulding wrote:
> The domain id "96" does not exist.  Probably should be a better error message, but you need to use a domain that exists or
> you will get internal server error.
>
> Regards,
>
> Ryan Goulding
>

> On Thu, Apr 27, 2017 at 5:36 PM, Jamo Luhrsen <jluhrsen@... <mailto:jluhrsen@...>> wrote:
>
>     (subject changed)
>
>     On 04/27/2017 06:34 AM, Ryan Goulding wrote:
>     > The stuff you are referring to works, JamO, and is completely orthogonal to the issue Luis reports.  If you paste the exact
>     > REST call I can assist.  Also, if you are curious how to use those endpoints, refer to idmtool.py, which just wraps that
>     > interface.  I just tested this morning.
>
>     yeah, if you can help me get it right I'll fix the CSIT. Still, I don't expect a 500/NPE
>     from AAA, so should that be a bug on it's own?
>
>     here's kind of my repro, if you can help me know what's wrong:
>
>     # Create a Domain
>
>     14:28 $ curl -u "admin:admin" -X POST -d
>     '{"description":"BeerClubAficionado","domainid":"96","name":"RyanRocks","enabled":"true"}' -H "Content-Type:
>     application/json" http://$ODL:8181/auth/v1/domains
>
>     {"domainid":"RyanRocks","name":"RyanRocks","description":"BeerClubAficionado","enabled":true}
>
>
>
>     # Look at domains (question: why is domainid==name, when I gave a '96' in the create?)
>
>
>     14:30 $ curl -u "admin:admin" http://$ODL:8181/auth/v1/domains | python -m json.tool
>     {
>         "domains": [
>             {
>                 "description": "default odl sdn domain",
>                 "domainid": "sdn",
>                 "enabled": true,
>                 "name": "sdn"
>             },
>             {
>                 "description": "planetary domain",
>                 "domainid": "Alderaan-2017-04-12-17-31",
>                 "enabled": true,
>                 "name": "Alderaan-2017-04-12-17-31"
>             },
>             {
>                 "description": "BeerClubAficionado",
>                 "domainid": "RyanRocks",
>                 "enabled": true,
>                 "name": "RyanRocks"
>             }
>         ]
>     }
>
>
>
>     # add a user to this new domain
>     # first try is using domainid = 96, but get 500/NPE
>     # second try uses domainid = $name, but also get 500/NPE
>
>     ✔ ~
>     14:30 $ curl -u "admin:admin" -X POST -d '{"description":"The Man","name":"Goulding","enabled":"true","domainid":"96"}' -H
>     "Content-Type: application/json" http://$ODL:8181/auth/v1/users
>     <html>
>     <head>
>     <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"/>
>     <title>Error 500 Server Error</title>
>     </head>
>     <body><h2>HTTP ERROR 500</h2>
>     <p>Problem accessing /auth/v1/users. Reason:
>     <pre>    Server Error</pre></p><h3>Caused by:</h3><pre>java.lang.NullPointerException
>             at org.opendaylight.aaa.idm.rest.UserHandler.createUser(UserHandler.java:199)
>     ...
>     <snip>
>     ...
>
>
>
>     14:31 $ curl -u "admin:admin" -X POST -d '{"description":"The
>     Man","name":"Goulding","enabled":"true","domainid":"RyanRocks"}' -H "Content-Type: application/json"
>     http://$ODL:8181/auth/v1/users
>     <html>
>     <head>
>     <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"/>
>     <title>Error 500 Server Error</title>
>     </head>
>     <body><h2>HTTP ERROR 500</h2>
>     <p>Problem accessing /auth/v1/users. Reason:
>     <pre>    Server Error</pre></p><h3>Caused by:</h3><pre>java.lang.NullPointerException
>             at org.opendaylight.aaa.idm.rest.UserHandler.createUser(UserHandler.java:199)
>
>     ...
>     <snip>
>     ...
>
>
>     Thanks,
>     JamO
>
>
>
>     >     1) it does not work in Boron, I get 500 Server error + NPE [1] when I try: POST
>     >     /restconf/operations/aaa-cert-rpc:getODLCertificate
>     >
>     > I'll give it a shot and see what I get.
>     >
>     >     Do we have an idea of what the implications of just reverting that one patch are? Is it likely to work?
>     >
>     >
>     > So far we haven't demonstrated that the patch does anything negative except deprecate some unsafe commands.  Although
>     revert
>     > may probably be easiest from your perspective, there are a lot of people who actually push their tests upstream and avoid
>     > this type of skew.  Let's not start a witch hunt quite yet;  I can pull up quite a few examples of far more risque
>     changes in
>     > service releases ;).
>     >
>     > Regards,
>     >
>     > Ryan Goulding
>     >
>     > On Thu, Apr 27, 2017 at 9:11 AM, Colin Dixon <colin@... <mailto:colin@...>

>     <mailto:colin@... <mailto:colin@...>>> wrote:
>     >
>     >     Do we have an idea of what the implications of just reverting that one patch are? Is it likely to work?
>     >
>     >     --Colin
>     >
>     >     On Wed, Apr 26, 2017 at 11:11 PM Jamo Luhrsen <jluhrsen@... <mailto:jluhrsen@...>

>     <mailto:jluhrsen@... <mailto:jluhrsen@...>>> wrote:
>     >
>     >         btw, I was also trying to help get a broken AAA CSIT job working and ran in to some
>     >         troubles similar symptoms [0] to what Luis is reporting (500/NPE). Luis is playing with
>     >         cert stuff, and my work was in user/domain auth.
>     >
>     >         anyway, wondering if something fundamental is broken?
>     >
>     >         JamO
>     >
>     >         [0] https://lists.opendaylight.org/pipermail/aaa-dev/2017-April/001280.html
>     <https://lists.opendaylight.org/pipermail/aaa-dev/2017-April/001280.html>
>     >         <https://lists.opendaylight.org/pipermail/aaa-dev/2017-April/001280.html
>     <https://lists.opendaylight.org/pipermail/aaa-dev/2017-April/001280.html>>
>     >
>     >
>     >
>     >         On 04/26/2017 06:21 PM, Luis Gomez wrote:
>     >         > hi guys, I just tested old-aaa-cert feature and couple of things:
>     >         >
>     >         > 1) it does not work in Boron, I get 500 Server error + NPE [1] when I try: POST
>     >         /restconf/operations/aaa-cert-rpc:getODLCertificate
>     >         >
>     >         > 2) When I try in carbon I see 2 store files: ctl.jks, truststore.jks are created under ~/temp folder. Is it
>     >         possible to change the path for these files?
>     >         >
>     >         >
>     >         > [1] NPE
>     >         >
>     >         > <html>
>     >         >     <head>
>     >         >         <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"/>
>     >         >         <title>Error 500 Server Error</title>
>     >         >     </head>
>     >         >     <body>
>     >         >         <h2>HTTP ERROR 500</h2>
>     >         >         <p>Problem accessing /restconf/operations/aaa-cert-rpc:getODLCertificate. Reason:
>     >         >
>     >         >             <pre>    Server Error</pre>
>     >         >         </p>
>     >         >         <h3>Caused by:</h3>
>     >         >         <pre>java.lang.NullPointerException
>     >         >       at org.opendaylight.aaa.cert.impl.AaaCertRpcServiceImpl.getODLCertificate(AaaCertRpcServiceImpl.java:92)
>     >         >       at
>     >
>      org.opendaylight.yangtools.yang.binding.util.RpcMethodInvokerWithoutInput.invokeOn(RpcMethodInvokerWithoutInput.java:30)
>     >         >       at
>     >         org.opendaylight.yangtools.yang.binding.util.AbstractMappedRpcInvoker.invokeRpc(AbstractMappedRpcInvoker.java:52)
>     >         >       at
>     >
>      org.opendaylight.controller.md.sal.binding.impl.BindingDOMRpcImplementationAdapter.invoke(BindingDOMRpcImplementationAdapter.java:85)
>     >         >       at
>     >
>      org.opendaylight.controller.md.sal.binding.impl.BindingDOMRpcImplementationAdapter.invokeRpc(BindingDOMRpcImplementationAdapter.java:72)
>     >         >       at
>     >
>      org.opendaylight.controller.md.sal.dom.broker.impl.GlobalDOMRpcRoutingTableEntry.invokeRpc(GlobalDOMRpcRoutingTableEntry.java:39)
>     >         >       at
>     org.opendaylight.controller.md.sal.dom.broker.impl.DOMRpcRoutingTable.invokeRpc(DOMRpcRoutingTable.java:177)
>     >         >       at org.opendaylight.controller.md.sal.dom.broker.impl.DOMRpcRouter.invokeRpc(DOMRpcRouter.java:102)
>     >         >       at Proxye69c1788_e30d_4fd8_8d29_f7f08932a9e7.invokeRpc(Unknown Source)
>     >         >       at org.opendaylight.netconf.sal.restconf.impl.BrokerFacade.invokeRpc(BrokerFacade.java:506)
>     >         >       at org.opendaylight.netconf.sal.restconf.impl.RestconfImpl.invokeRpc(RestconfImpl.java:464)
>     >         >       at
>     >
>      org.opendaylight.netconf.sal.restconf.impl.StatisticsRestconfServiceWrapper.invokeRpc(StatisticsRestconfServiceWrapper.java:83)
>     >         >       at
>     org.opendaylight.netconf.sal.rest.impl.RestconfCompositeWrapper.invokeRpc(RestconfCompositeWrapper.java:64)
>     >         >       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>     >         >       at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>     >         >       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>     >         >       at java.lang.reflect.Method.invoke(Method.java:498)
>     >         >       at com.sun.jersey.spi.container.JavaMethodInvokerFactory$1.invoke(JavaMethodInvokerFactory.java:60)
>     >         >       at
>     >
>      com.sun.jersey.server.impl.model.method.dispatch.AbstractResourceMethodDispatchProvider$TypeOutInvoker._dispatch(AbstractResourceMethodDispatchProvider.java:185)
>     >         >       at
>     >
>      com.sun.jersey.server.impl.model.method.dispatch.ResourceJavaMethodDispatcher.dispatch(ResourceJavaMethodDispatcher.java:75)
>     >         >       at com.sun.jersey.server.impl.uri.rules.HttpMethodRule.accept(HttpMethodRule.java:302)
>     >         >       at com.sun.jersey.server.impl.uri.rules.RightHandPathRule.accept(RightHandPathRule.java:147)
>     >         >       at com.sun.jersey.server.impl.uri.rules.ResourceObjectRule.accept(ResourceObjectRule.java:100)
>     >         >       at com.sun.jersey.server.impl.uri.rules.RightHandPathRule.accept(RightHandPathRule.java:147)
>     >         >       at com.sun.jersey.server.impl.uri.rules.RootResourceClassesRule.accept(RootResourceClassesRule.java:84)
>     >         >       at com.sun.jersey.server.impl.application.WebApplicationImpl._handleRequest(WebApplicationImpl.java:1511)
>     >         >       at com.sun.jersey.server.impl.application.WebApplicationImpl._handleRequest(WebApplicationImpl.java:1442)
>     >         >       at com.sun.jersey.server.impl.application.WebApplicationImpl.handleRequest(WebApplicationImpl.java:1391)
>     >         >       at com.sun.jersey.server.impl.application.WebApplicationImpl.handleRequest(WebApplicationImpl.java:1381)
>     >         >       at com.sun.jersey.spi.container.servlet.WebComponent.service(WebComponent.java:416)
>     >         >       at com.sun.jersey.spi.container.servlet.ServletContainer.service(ServletContainer.java:538)
>     >         >       at com.sun.jersey.spi.container.servlet.ServletContainer.service(ServletContainer.java:716)
>     >         >       at javax.servlet.http.HttpServlet.service(HttpServlet.java:668)
>     >         >       at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:684)
>     >         >       at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1507)
>     >         >       at org.eclipse.jetty.servlets.CrossOriginFilter.handle(CrossOriginFilter.java:247)
>     >         >       at org.eclipse.jetty.servlets.CrossOriginFilter.doFilter(CrossOriginFilter.java:210)
>     >         >       at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1478)
>     >         >       at org.eclipse.jetty.servlets.UserAgentFilter.doFilter(UserAgentFilter.java:82)
>     >         >       at org.eclipse.jetty.servlets.GzipFilter.doFilter(GzipFilter.java:256)
>     >         >       at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1478)
>     >         >       at org.opendaylight.aaa.filterchain.filters.CustomFilterAdapter.doFilter(CustomFilterAdapter.java:85)
>     >         >       at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1478)
>     >         >       at org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:61)
>     >         >       at org.apache.shiro.web.servlet.AdviceFilter.executeChain(AdviceFilter.java:108)
>     >         >       at org.apache.shiro.web.servlet.AdviceFilter.doFilterInternal(AdviceFilter.java:137)
>     >         >       at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)
>     >         >       at org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:66)
>     >         >       at org.apache.shiro.web.servlet.AdviceFilter.executeChain(AdviceFilter.java:108)
>     >         >       at org.apache.shiro.web.servlet.AdviceFilter.doFilterInternal(AdviceFilter.java:137)
>     >         >       at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)
>     >         >       at org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:66)
>     >         >       at org.apache.shiro.web.servlet.AbstractShiroFilter.executeChain(AbstractShiroFilter.java:449)
>     >         >       at org.apache.shiro.web.servlet.AbstractShiroFilter$1.call(AbstractShiroFilter.java:365)
>     >         >       at org.apache.shiro.subject.support.SubjectCallable.doCall(SubjectCallable.java:90)
>     >         >       at org.apache.shiro.subject.support.SubjectCallable.call(SubjectCallable.java:83)
>     >         >       at org.apache.shiro.subject.support.DelegatingSubject.execute(DelegatingSubject.java:383)
>     >         >       at org.apache.shiro.web.servlet.AbstractShiroFilter.doFilterInternal(AbstractShiroFilter.java:362)
>     >         >       at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)
>     >         >       at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1478)
>     >         >       at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:499)
>     >         >       at
>     org.ops4j.pax.web.service.jetty.internal.HttpServiceServletHandler.doHandle(HttpServiceServletHandler.java:69)
>     >         >       at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:137)
>     >         >       at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:557)
>     >         >       at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:231)
>     >         >       at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1086)
>     >         >       at org.ops4j.pax.web.service.jetty.internal.HttpServiceContext.doHandle(HttpServiceContext.java:240)
>     >         >       at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:427)
>     >         >       at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:193)
>     >         >       at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1020)
>     >         >       at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:135)
>     >         >       at
>     >         org.ops4j.pax.web.service.jetty.internal.JettyServerHandlerCollection.handle(JettyServerHandlerCollection.java:75)
>     >         >       at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:116)
>     >         >       at org.eclipse.jetty.server.Server.handle(Server.java:370)
>     >         >       at org.eclipse.jetty.server.AbstractHttpConnection.handleRequest(AbstractHttpConnection.java:494)
>     >         >       at org.eclipse.jetty.server.AbstractHttpConnection.headerComplete(AbstractHttpConnection.java:973)
>     >         >       at
>     >         org.eclipse.jetty.server.AbstractHttpConnection$RequestHandler.headerComplete(AbstractHttpConnection.java:1035)
>     >         >       at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:641)
>     >         >       at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:231)
>     >         >       at org.eclipse.jetty.server.AsyncHttpConnection.handle(AsyncHttpConnection.java:82)
>     >         >       at org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEndPoint.java:696)
>     >         >       at org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEndPoint.java:53)
>     >         >       at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:608)
>     >         >       at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:543)
>     >         >       at java.lang.Thread.run(Thread.java:745)
>     >         >
>     >         >
>     >         >
>     >         >
>     >         >
>     >         >> On Apr 26, 2017, at 12:50 PM, Mohamed ElSerngawy <melserngawy@... <mailto:melserngawy@...>

>     <mailto:melserngawy@... <mailto:melserngawy@...>>> wrote:
>     >         >>
>     >         >> Hi Colin,
>     >         >>
>     >         >> You are not suppose to use them after the changes that we made in the patch. Basically these functionalities
>     were
>     >         there because of the keystores need to be generated after starting ODL. But now, the keystore will be created once
>     >         you install the aaa-cert feature. keeping this functionalities could make a serious security thread.
>     >         >>
>     >         >> BR
>     >         >>
>     >         >> On Wed, Apr 26, 2017 at 3:40 PM, Colin Dixon <colin@... <mailto:colin@...>
>     <mailto:colin@... <mailto:colin@...>>> wrote:
>     >         >> Putting the argument about what should go in an SR aside for the moment, is there a straightforward way to
>     access
>     >         the functionality that was provided by the removed commands? Specifically gen-odl-ks and gen-trust-ks?
>     >         >>
>     >         >> --Colin
>     >         >>
>     >         >> On Wed, Apr 26, 2017 at 3:15 PM Ryan Goulding <ryandgoulding@... <mailto:ryandgoulding@gmail.com>
>     <mailto:ryandgoulding@gmail.com <mailto:ryandgoulding@gmail.com>>> wrote:
>     >         >> which is probably not in the spirit of SRs
>     >         >>
>     >         >> This was done for both usability and security purposes, as I explained via Skype already.  The security
>     advantages
>     >         alone make it justifiable IMHO.
>     >         >>
>     >         >>  While we're somewhat less strict about adding features in SRs. Taking them out without a lot of warning and
>     >         notice is pretty much the definition of what we try to never do in SRs.j
>     >         >>
>     >         >> This isn't a feature, it is CLI.
>     >         >>
>     >         >>  This patch seems to be the issue:
>     >         >> https://git.opendaylight.org/gerrit/#/c/51649/ <https://git.opendaylight.org/gerrit/#/c/51649/>
>     <https://git.opendaylight.org/gerrit/#/c/51649/ <https://git.opendaylight.org/gerrit/#/c/51649/>>
>     >         >>
>     >         >> Yes, if you look at the bug actually, a member from your team commented on it [0] so I'd argue that it was at
>     >         least somewhat well known ;).  Reverting it shouldn't be particularly hard, but it could open you open to some
>     >         security issues in your downstream distro!
>     >         >>
>     >         >> Regards,
>     >         >>
>     >         >> Ryan Goulding
>     >         >>
>     >         >> [0] https://bugs.opendaylight.org/show_bug.cgi?id=7774 <https://bugs.opendaylight.org/show_bug.cgi?id=7774>
>     <https://bugs.opendaylight.org/show_bug.cgi?id=7774 <https://bugs.opendaylight.org/show_bug.cgi?id=7774>>
>     >         >>
>     >         >> On Wed, Apr 26, 2017 at 3:03 PM, Colin Dixon <colin@... <mailto:colin@...>
>     <mailto:colin@... <mailto:colin@...>>> wrote:
>     >         >> So, in some downstream testing at Brocade we found that the AAA CLI commands were changed somewhat drastically
>     >         between Boron-SR2 and Boron-SR3, which is probably not in the spirit of SRs. While we're somewhat less strict about
>     >         adding features in SRs. Taking them out without a lot of warning and notice is pretty much the definition of
>     what we
>     >         try to never do in SRs.
>     >         >>
>     >         >> That being said, we're trying to make the best of it and looking for help in understanding how to get the
>     >         functionality we rely on from AAA back in Boron-SR3.
>     >         >>
>     >         >> This patch seems to be the issue:
>     >         >> https://git.opendaylight.org/gerrit/#/c/51649/ <https://git.opendaylight.org/gerrit/#/c/51649/>
>     <https://git.opendaylight.org/gerrit/#/c/51649/ <https://git.opendaylight.org/gerrit/#/c/51649/>>
>     >         >>
>     >         >> Is there somebody that can comment on how we might recover the functionality that used to be provided by the
>     >         gen-odl-ks and gen-trust-ks CLI commands? Would simply reverting that patch work or would it break other things
>     as well?
>     >         >>
>     >         >> Thanks,
>     >         >> --Colin
>     >         >>
>     >         >>
>     >         >> _______________________________________________
>     >         >> aaa-dev mailing list
>     >         >> aaa-dev@... <mailto:aaa-dev@lists.opendaylight.org>
>     <mailto:aaa-dev@lists.opendaylight.org <mailto:aaa-dev@lists.opendaylight.org>>
>     >         >> https://lists.opendaylight.org/mailman/listinfo/aaa-dev
>     <https://lists.opendaylight.org/mailman/listinfo/aaa-dev> <https://lists.opendaylight.org/mailman/listinfo/aaa-dev
>     <https://lists.opendaylight.org/mailman/listinfo/aaa-dev>>
>     >         >>
>     >         >>
>     >         >>
>     >         >> _______________________________________________
>     >         >> aaa-dev mailing list
>     >         >> aaa-dev@... <mailto:aaa-dev@lists.opendaylight.org>
>     <mailto:aaa-dev@lists.opendaylight.org <mailto:aaa-dev@lists.opendaylight.org>>
>     >         >> https://lists.opendaylight.org/mailman/listinfo/aaa-dev
>     <https://lists.opendaylight.org/mailman/listinfo/aaa-dev> <https://lists.opendaylight.org/mailman/listinfo/aaa-dev
>     <https://lists.opendaylight.org/mailman/listinfo/aaa-dev>>
>     >         >
>     >         > _______________________________________________
>     >         > aaa-dev mailing list
>     >         > aaa-dev@... <mailto:aaa-dev@lists.opendaylight.org> <mailto:aaa-dev@lists.opendaylight.org
>     <mailto:aaa-dev@lists.opendaylight.org>>
>     >         > https://lists.opendaylight.org/mailman/listinfo/aaa-dev
>     <https://lists.opendaylight.org/mailman/listinfo/aaa-dev> <https://lists.opendaylight.org/mailman/listinfo/aaa-dev
>     <https://lists.opendaylight.org/mailman/listinfo/aaa-dev>>
>     >         >
>     >
>     >
>     >     _______________________________________________
>     >     aaa-dev mailing list
>     >     aaa-dev@... <mailto:aaa-dev@lists.opendaylight.org> <mailto:aaa-dev@lists.opendaylight.org
>     <mailto:aaa-dev@lists.opendaylight.org>>
>     >     https://lists.opendaylight.org/mailman/listinfo/aaa-dev <https://lists.opendaylight.org/mailman/listinfo/aaa-dev>
>     <https://lists.opendaylight.org/mailman/listinfo/aaa-dev <https://lists.opendaylight.org/mailman/listinfo/aaa-dev>>
>     >
>     >
>
>

Its either going to be the default one (sdn) or one you created.  You can find out which ones exist by:

ryan@ubuntu:/code/aaa-nitrogen/karaf/target/assembly$ python bin/idmtool admin list-domains
Password:
list_domains

command succeeded!

json:
{
    "domains": [
        {
            "description": "default odl sdn domain",
            "domainid": "sdn",
            "enabled": true,
            "name": "sdn"
        }
    ]
}
ryan@ubuntu:/code/aaa-nitrogen/karaf/target/assembly$

Note:  it will be python etc/idmtool in Carbon since we didn't get that bug fix in in time.

OR:

curl -u "admin:admin" http://$ODL:8181/auth/v1/domains | python -m json.tool

if you are using raw REST

Regards,

Ryan Goulding

On Thu, May 4, 2017 at 3:53 PM, Jamo Luhrsen <jluhrsen@...> wrote:

so, when creating a domain you have to use a domain id that already exists? where do I find
that domainid?

JamO

On 05/04/2017 12:51 PM, Ryan Goulding wrote:
> The domain id "96" does not exist.  Probably should be a better error message, but you need to use a domain that exists or
> you will get internal server error.
>
> Regards,
>
> Ryan Goulding
>

> On Thu, Apr 27, 2017 at 5:36 PM, Jamo Luhrsen <jluhrsen@... <mailto:jluhrsen@...>> wrote:
>
>     (subject changed)
>
>     On 04/27/2017 06:34 AM, Ryan Goulding wrote:
>     > The stuff you are referring to works, JamO, and is completely orthogonal to the issue Luis reports.  If you paste the exact
>     > REST call I can assist.  Also, if you are curious how to use those endpoints, refer to idmtool.py, which just wraps that
>     > interface.  I just tested this morning.
>
>     yeah, if you can help me get it right I'll fix the CSIT. Still, I don't expect a 500/NPE
>     from AAA, so should that be a bug on it's own?
>
>     here's kind of my repro, if you can help me know what's wrong:
>
>     # Create a Domain
>
>     14:28 $ curl -u "admin:admin" -X POST -d
>     '{"description":"BeerClubAficionado","domainid":"96","name":"RyanRocks","enabled":"true"}' -H "Content-Type:
>     application/json" http://$ODL:8181/auth/v1/domains
>
>     {"domainid":"RyanRocks","name":"RyanRocks","description":"BeerClubAficionado","enabled":true}
>
>
>
>     # Look at domains (question: why is domainid==name, when I gave a '96' in the create?)
>
>
>     14:30 $ curl -u "admin:admin" http://$ODL:8181/auth/v1/domains | python -m json.tool
>     {
>         "domains": [
>             {
>                 "description": "default odl sdn domain",
>                 "domainid": "sdn",
>                 "enabled": true,
>                 "name": "sdn"
>             },
>             {
>                 "description": "planetary domain",
>                 "domainid": "Alderaan-2017-04-12-17-31",
>                 "enabled": true,
>                 "name": "Alderaan-2017-04-12-17-31"
>             },
>             {
>                 "description": "BeerClubAficionado",
>                 "domainid": "RyanRocks",
>                 "enabled": true,
>                 "name": "RyanRocks"
>             }
>         ]
>     }
>
>
>
>     # add a user to this new domain
>     # first try is using domainid = 96, but get 500/NPE
>     # second try uses domainid = $name, but also get 500/NPE
>
>     ✔ ~
>     14:30 $ curl -u "admin:admin" -X POST -d '{"description":"The Man","name":"Goulding","enabled":"true","domainid":"96"}' -H
>     "Content-Type: application/json" http://$ODL:8181/auth/v1/users
>     <html>
>     <head>
>     <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"/>
>     <title>Error 500 Server Error</title>
>     </head>
>     <body><h2>HTTP ERROR 500</h2>
>     <p>Problem accessing /auth/v1/users. Reason:
>     <pre>    Server Error</pre></p><h3>Caused by:</h3><pre>java.lang.NullPointerException
>             at org.opendaylight.aaa.idm.rest.UserHandler.createUser(UserHandler.java:199)
>     ...
>     <snip>
>     ...
>
>
>
>     14:31 $ curl -u "admin:admin" -X POST -d '{"description":"The
>     Man","name":"Goulding","enabled":"true","domainid":"RyanRocks"}' -H "Content-Type: application/json"
>     http://$ODL:8181/auth/v1/users
>     <html>
>     <head>
>     <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"/>
>     <title>Error 500 Server Error</title>
>     </head>
>     <body><h2>HTTP ERROR 500</h2>
>     <p>Problem accessing /auth/v1/users. Reason:
>     <pre>    Server Error</pre></p><h3>Caused by:</h3><pre>java.lang.NullPointerException
>             at org.opendaylight.aaa.idm.rest.UserHandler.createUser(UserHandler.java:199)
>
>     ...
>     <snip>
>     ...
>
>
>     Thanks,
>     JamO
>
>
>
>     >     1) it does not work in Boron, I get 500 Server error + NPE [1] when I try: POST
>     >     /restconf/operations/aaa-cert-rpc:getODLCertificate
>     >
>     > I'll give it a shot and see what I get.
>     >
>     >     Do we have an idea of what the implications of just reverting that one patch are? Is it likely to work?
>     >
>     >
>     > So far we haven't demonstrated that the patch does anything negative except deprecate some unsafe commands.  Although
>     revert
>     > may probably be easiest from your perspective, there are a lot of people who actually push their tests upstream and avoid
>     > this type of skew.  Let's not start a witch hunt quite yet;  I can pull up quite a few examples of far more risque
>     changes in
>     > service releases ;).
>     >
>     > Regards,
>     >
>     > Ryan Goulding
>     >
>     > On Thu, Apr 27, 2017 at 9:11 AM, Colin Dixon <colin@... <mailto:colin@...>

>     <mailto:colin@... <mailto:colin@...>>> wrote:
>     >
>     >     Do we have an idea of what the implications of just reverting that one patch are? Is it likely to work?
>     >
>     >     --Colin
>     >
>     >     On Wed, Apr 26, 2017 at 11:11 PM Jamo Luhrsen <jluhrsen@... <mailto:jluhrsen@...>

>     <mailto:jluhrsen@... <mailto:jluhrsen@...>>> wrote:
>     >
>     >         btw, I was also trying to help get a broken AAA CSIT job working and ran in to some
>     >         troubles similar symptoms [0] to what Luis is reporting (500/NPE). Luis is playing with
>     >         cert stuff, and my work was in user/domain auth.
>     >
>     >         anyway, wondering if something fundamental is broken?
>     >
>     >         JamO
>     >
>     >         [0] https://lists.opendaylight.org/pipermail/aaa-dev/2017-April/001280.html
>     <https://lists.opendaylight.org/pipermail/aaa-dev/2017-April/001280.html>
>     >         <https://lists.opendaylight.org/pipermail/aaa-dev/2017-April/001280.html
>     <https://lists.opendaylight.org/pipermail/aaa-dev/2017-April/001280.html>>
>     >
>     >
>     >
>     >         On 04/26/2017 06:21 PM, Luis Gomez wrote:
>     >         > hi guys, I just tested old-aaa-cert feature and couple of things:
>     >         >
>     >         > 1) it does not work in Boron, I get 500 Server error + NPE [1] when I try: POST
>     >         /restconf/operations/aaa-cert-rpc:getODLCertificate
>     >         >
>     >         > 2) When I try in carbon I see 2 store files: ctl.jks, truststore.jks are created under ~/temp folder. Is it
>     >         possible to change the path for these files?
>     >         >
>     >         >
>     >         > [1] NPE
>     >         >
>     >         > <html>
>     >         >     <head>
>     >         >         <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"/>
>     >         >         <title>Error 500 Server Error</title>
>     >         >     </head>
>     >         >     <body>
>     >         >         <h2>HTTP ERROR 500</h2>
>     >         >         <p>Problem accessing /restconf/operations/aaa-cert-rpc:getODLCertificate. Reason:
>     >         >
>     >         >             <pre>    Server Error</pre>
>     >         >         </p>
>     >         >         <h3>Caused by:</h3>
>     >         >         <pre>java.lang.NullPointerException
>     >         >       at org.opendaylight.aaa.cert.impl.AaaCertRpcServiceImpl.getODLCertificate(AaaCertRpcServiceImpl.java:92)
>     >         >       at
>     >
>      org.opendaylight.yangtools.yang.binding.util.RpcMethodInvokerWithoutInput.invokeOn(RpcMethodInvokerWithoutInput.java:30)
>     >         >       at
>     >         org.opendaylight.yangtools.yang.binding.util.AbstractMappedRpcInvoker.invokeRpc(AbstractMappedRpcInvoker.java:52)
>     >         >       at
>     >
>      org.opendaylight.controller.md.sal.binding.impl.BindingDOMRpcImplementationAdapter.invoke(BindingDOMRpcImplementationAdapter.java:85)
>     >         >       at
>     >
>      org.opendaylight.controller.md.sal.binding.impl.BindingDOMRpcImplementationAdapter.invokeRpc(BindingDOMRpcImplementationAdapter.java:72)
>     >         >       at
>     >
>      org.opendaylight.controller.md.sal.dom.broker.impl.GlobalDOMRpcRoutingTableEntry.invokeRpc(GlobalDOMRpcRoutingTableEntry.java:39)
>     >         >       at
>     org.opendaylight.controller.md.sal.dom.broker.impl.DOMRpcRoutingTable.invokeRpc(DOMRpcRoutingTable.java:177)
>     >         >       at org.opendaylight.controller.md.sal.dom.broker.impl.DOMRpcRouter.invokeRpc(DOMRpcRouter.java:102)
>     >         >       at Proxye69c1788_e30d_4fd8_8d29_f7f08932a9e7.invokeRpc(Unknown Source)
>     >         >       at org.opendaylight.netconf.sal.restconf.impl.BrokerFacade.invokeRpc(BrokerFacade.java:506)
>     >         >       at org.opendaylight.netconf.sal.restconf.impl.RestconfImpl.invokeRpc(RestconfImpl.java:464)
>     >         >       at
>     >
>      org.opendaylight.netconf.sal.restconf.impl.StatisticsRestconfServiceWrapper.invokeRpc(StatisticsRestconfServiceWrapper.java:83)
>     >         >       at
>     org.opendaylight.netconf.sal.rest.impl.RestconfCompositeWrapper.invokeRpc(RestconfCompositeWrapper.java:64)
>     >         >       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>     >         >       at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>     >         >       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>     >         >       at java.lang.reflect.Method.invoke(Method.java:498)
>     >         >       at com.sun.jersey.spi.container.JavaMethodInvokerFactory$1.invoke(JavaMethodInvokerFactory.java:60)
>     >         >       at
>     >
>      com.sun.jersey.server.impl.model.method.dispatch.AbstractResourceMethodDispatchProvider$TypeOutInvoker._dispatch(AbstractResourceMethodDispatchProvider.java:185)
>     >         >       at
>     >
>      com.sun.jersey.server.impl.model.method.dispatch.ResourceJavaMethodDispatcher.dispatch(ResourceJavaMethodDispatcher.java:75)
>     >         >       at com.sun.jersey.server.impl.uri.rules.HttpMethodRule.accept(HttpMethodRule.java:302)
>     >         >       at com.sun.jersey.server.impl.uri.rules.RightHandPathRule.accept(RightHandPathRule.java:147)
>     >         >       at com.sun.jersey.server.impl.uri.rules.ResourceObjectRule.accept(ResourceObjectRule.java:100)
>     >         >       at com.sun.jersey.server.impl.uri.rules.RightHandPathRule.accept(RightHandPathRule.java:147)
>     >         >       at com.sun.jersey.server.impl.uri.rules.RootResourceClassesRule.accept(RootResourceClassesRule.java:84)
>     >         >       at com.sun.jersey.server.impl.application.WebApplicationImpl._handleRequest(WebApplicationImpl.java:1511)
>     >         >       at com.sun.jersey.server.impl.application.WebApplicationImpl._handleRequest(WebApplicationImpl.java:1442)
>     >         >       at com.sun.jersey.server.impl.application.WebApplicationImpl.handleRequest(WebApplicationImpl.java:1391)
>     >         >       at com.sun.jersey.server.impl.application.WebApplicationImpl.handleRequest(WebApplicationImpl.java:1381)
>     >         >       at com.sun.jersey.spi.container.servlet.WebComponent.service(WebComponent.java:416)
>     >         >       at com.sun.jersey.spi.container.servlet.ServletContainer.service(ServletContainer.java:538)
>     >         >       at com.sun.jersey.spi.container.servlet.ServletContainer.service(ServletContainer.java:716)
>     >         >       at javax.servlet.http.HttpServlet.service(HttpServlet.java:668)
>     >         >       at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:684)
>     >         >       at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1507)
>     >         >       at org.eclipse.jetty.servlets.CrossOriginFilter.handle(CrossOriginFilter.java:247)
>     >         >       at org.eclipse.jetty.servlets.CrossOriginFilter.doFilter(CrossOriginFilter.java:210)
>     >         >       at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1478)
>     >         >       at org.eclipse.jetty.servlets.UserAgentFilter.doFilter(UserAgentFilter.java:82)
>     >         >       at org.eclipse.jetty.servlets.GzipFilter.doFilter(GzipFilter.java:256)
>     >         >       at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1478)
>     >         >       at org.opendaylight.aaa.filterchain.filters.CustomFilterAdapter.doFilter(CustomFilterAdapter.java:85)
>     >         >       at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1478)
>     >         >       at org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:61)
>     >         >       at org.apache.shiro.web.servlet.AdviceFilter.executeChain(AdviceFilter.java:108)
>     >         >       at org.apache.shiro.web.servlet.AdviceFilter.doFilterInternal(AdviceFilter.java:137)
>     >         >       at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)
>     >         >       at org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:66)
>     >         >       at org.apache.shiro.web.servlet.AdviceFilter.executeChain(AdviceFilter.java:108)
>     >         >       at org.apache.shiro.web.servlet.AdviceFilter.doFilterInternal(AdviceFilter.java:137)
>     >         >       at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)
>     >         >       at org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:66)
>     >         >       at org.apache.shiro.web.servlet.AbstractShiroFilter.executeChain(AbstractShiroFilter.java:449)
>     >         >       at org.apache.shiro.web.servlet.AbstractShiroFilter$1.call(AbstractShiroFilter.java:365)
>     >         >       at org.apache.shiro.subject.support.SubjectCallable.doCall(SubjectCallable.java:90)
>     >         >       at org.apache.shiro.subject.support.SubjectCallable.call(SubjectCallable.java:83)
>     >         >       at org.apache.shiro.subject.support.DelegatingSubject.execute(DelegatingSubject.java:383)
>     >         >       at org.apache.shiro.web.servlet.AbstractShiroFilter.doFilterInternal(AbstractShiroFilter.java:362)
>     >         >       at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)
>     >         >       at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1478)
>     >         >       at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:499)
>     >         >       at
>     org.ops4j.pax.web.service.jetty.internal.HttpServiceServletHandler.doHandle(HttpServiceServletHandler.java:69)
>     >         >       at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:137)
>     >         >       at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:557)
>     >         >       at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:231)
>     >         >       at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1086)
>     >         >       at org.ops4j.pax.web.service.jetty.internal.HttpServiceContext.doHandle(HttpServiceContext.java:240)
>     >         >       at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:427)
>     >         >       at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:193)
>     >         >       at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1020)
>     >         >       at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:135)
>     >         >       at
>     >         org.ops4j.pax.web.service.jetty.internal.JettyServerHandlerCollection.handle(JettyServerHandlerCollection.java:75)
>     >         >       at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:116)
>     >         >       at org.eclipse.jetty.server.Server.handle(Server.java:370)
>     >         >       at org.eclipse.jetty.server.AbstractHttpConnection.handleRequest(AbstractHttpConnection.java:494)
>     >         >       at org.eclipse.jetty.server.AbstractHttpConnection.headerComplete(AbstractHttpConnection.java:973)
>     >         >       at
>     >         org.eclipse.jetty.server.AbstractHttpConnection$RequestHandler.headerComplete(AbstractHttpConnection.java:1035)
>     >         >       at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:641)
>     >         >       at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:231)
>     >         >       at org.eclipse.jetty.server.AsyncHttpConnection.handle(AsyncHttpConnection.java:82)
>     >         >       at org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEndPoint.java:696)
>     >         >       at org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEndPoint.java:53)
>     >         >       at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:608)
>     >         >       at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:543)
>     >         >       at java.lang.Thread.run(Thread.java:745)
>     >         >
>     >         >
>     >         >
>     >         >
>     >         >
>     >         >> On Apr 26, 2017, at 12:50 PM, Mohamed ElSerngawy <melserngawy@... <mailto:melserngawy@...>

>     <mailto:melserngawy@inocybe.ca <mailto:melserngawy@...>>> wrote:
>     >         >>
>     >         >> Hi Colin,
>     >         >>
>     >         >> You are not suppose to use them after the changes that we made in the patch. Basically these functionalities
>     were
>     >         there because of the keystores need to be generated after starting ODL. But now, the keystore will be created once
>     >         you install the aaa-cert feature. keeping this functionalities could make a serious security thread.
>     >         >>
>     >         >> BR
>     >         >>
>     >         >> On Wed, Apr 26, 2017 at 3:40 PM, Colin Dixon <colin@... <mailto:colin@...>
>     <mailto:colin@... <mailto:colin@...>>> wrote:
>     >         >> Putting the argument about what should go in an SR aside for the moment, is there a straightforward way to
>     access
>     >         the functionality that was provided by the removed commands? Specifically gen-odl-ks and gen-trust-ks?
>     >         >>
>     >         >> --Colin
>     >         >>
>     >         >> On Wed, Apr 26, 2017 at 3:15 PM Ryan Goulding <ryandgoulding@... <mailto:ryandgoulding@...m>
>     <mailto:ryandgoulding@...om <mailto:ryandgoulding@...m>>> wrote:
>     >         >> which is probably not in the spirit of SRs
>     >         >>
>     >         >> This was done for both usability and security purposes, as I explained via Skype already.  The security
>     advantages
>     >         alone make it justifiable IMHO.
>     >         >>
>     >         >>  While we're somewhat less strict about adding features in SRs. Taking them out without a lot of warning and
>     >         notice is pretty much the definition of what we try to never do in SRs.j
>     >         >>
>     >         >> This isn't a feature, it is CLI.
>     >         >>
>     >         >>  This patch seems to be the issue:
>     >         >> https://git.opendaylight.org/gerrit/#/c/51649/ <https://git.opendaylight.org/gerrit/#/c/51649/>
>     <https://git.opendaylight.org/gerrit/#/c/51649/ <https://git.opendaylight.org/gerrit/#/c/51649/>>
>     >         >>
>     >         >> Yes, if you look at the bug actually, a member from your team commented on it [0] so I'd argue that it was at
>     >         least somewhat well known ;).  Reverting it shouldn't be particularly hard, but it could open you open to some
>     >         security issues in your downstream distro!
>     >         >>
>     >         >> Regards,
>     >         >>
>     >         >> Ryan Goulding
>     >         >>
>     >         >> [0] https://bugs.opendaylight.org/show_bug.cgi?id=7774 <https://bugs.opendaylight.org/show_bug.cgi?id=7774>
>     <https://bugs.opendaylight.org/show_bug.cgi?id=7774 <https://bugs.opendaylight.org/show_bug.cgi?id=7774>>
>     >         >>
>     >         >> On Wed, Apr 26, 2017 at 3:03 PM, Colin Dixon <colin@... <mailto:colin@...>
>     <mailto:colin@... <mailto:colin@...>>> wrote:
>     >         >> So, in some downstream testing at Brocade we found that the AAA CLI commands were changed somewhat drastically
>     >         between Boron-SR2 and Boron-SR3, which is probably not in the spirit of SRs. While we're somewhat less strict about
>     >         adding features in SRs. Taking them out without a lot of warning and notice is pretty much the definition of
>     what we
>     >         try to never do in SRs.
>     >         >>
>     >         >> That being said, we're trying to make the best of it and looking for help in understanding how to get the
>     >         functionality we rely on from AAA back in Boron-SR3.
>     >         >>
>     >         >> This patch seems to be the issue:
>     >         >> https://git.opendaylight.org/gerrit/#/c/51649/ <https://git.opendaylight.org/gerrit/#/c/51649/>
>     <https://git.opendaylight.org/gerrit/#/c/51649/ <https://git.opendaylight.org/gerrit/#/c/51649/>>
>     >         >>
>     >         >> Is there somebody that can comment on how we might recover the functionality that used to be provided by the
>     >         gen-odl-ks and gen-trust-ks CLI commands? Would simply reverting that patch work or would it break other things
>     as well?
>     >         >>
>     >         >> Thanks,
>     >         >> --Colin
>     >         >>
>     >         >>
>     >         >> _______________________________________________
>     >         >> aaa-dev mailing list
>     >         >> aaa-dev@... <mailto:aaa-dev@...ight.org>
>     <mailto:aaa-dev@...light.org <mailto:aaa-dev@...ight.org>>
>     >         >> https://lists.opendaylight.org/mailman/listinfo/aaa-dev
>     <https://lists.opendaylight.org/mailman/listinfo/aaa-dev> <https://lists.opendaylight.org/mailman/listinfo/aaa-dev
>     <https://lists.opendaylight.org/mailman/listinfo/aaa-dev>>
>     >         >>
>     >         >>
>     >         >>
>     >         >> _______________________________________________
>     >         >> aaa-dev mailing list
>     >         >> aaa-dev@... <mailto:aaa-dev@...ight.org>
>     <mailto:aaa-dev@...light.org <mailto:aaa-dev@...ight.org>>
>     >         >> https://lists.opendaylight.org/mailman/listinfo/aaa-dev
>     <https://lists.opendaylight.org/mailman/listinfo/aaa-dev> <https://lists.opendaylight.org/mailman/listinfo/aaa-dev
>     <https://lists.opendaylight.org/mailman/listinfo/aaa-dev>>
>     >         >
>     >         > _______________________________________________
>     >         > aaa-dev mailing list
>     >         > aaa-dev@... <mailto:aaa-dev@...ight.org> <mailto:aaa-dev@...ight.org
>     <mailto:aaa-dev@...light.org>>
>     >         > https://lists.opendaylight.org/mailman/listinfo/aaa-dev
>     <https://lists.opendaylight.org/mailman/listinfo/aaa-dev> <https://lists.opendaylight.org/mailman/listinfo/aaa-dev
>     <https://lists.opendaylight.org/mailman/listinfo/aaa-dev>>
>     >         >
>     >
>     >
>     >     _______________________________________________
>     >     aaa-dev mailing list
>     >     aaa-dev@....org <mailto:aaa-dev@...ight.org> <mailto:aaa-dev@...ight.org
>     <mailto:aaa-dev@...light.org>>
>     >     https://lists.opendaylight.org/mailman/listinfo/aaa-dev <https://lists.opendaylight.org/mailman/listinfo/aaa-dev>
>     <https://lists.opendaylight.org/mailman/listinfo/aaa-dev <https://lists.opendaylight.org/mailman/listinfo/aaa-dev>>
>     >
>     >
>
>

wait, I get the sense you missed my first step where I did create a domain. I created it
with the domainid 96.

JamO

On 05/04/2017 01:00 PM, Ryan Goulding wrote:
> Its either going to be the default one (sdn) or one you created.  You can find out which ones exist by:
>
> ryan@ubuntu:/code/aaa-nitrogen/karaf/target/assembly$ python bin/idmtool admin list-domains
> Password:
> list_domains
>
> command succeeded!
>
> json:
> {
>     "domains": [
>         {
>             "description": "default odl sdn domain",
>             "domainid": "sdn",
>             "enabled": true,
>             "name": "sdn"
>         }
>     ]
> }
> ryan@ubuntu:/code/aaa-nitrogen/karaf/target/assembly$
>
> *Note:  it will be python etc/idmtool in Carbon since we didn't get that bug fix in in time.
>
> *
> OR:
>
> curl -u "admin:admin" http://$ODL:8181/auth/v1/domains | python -m json.tool
>
> if you are using raw REST
>
> Regards,
>
> Ryan Goulding
>
> On Thu, May 4, 2017 at 3:53 PM, Jamo Luhrsen <jluhrsen@... <mailto:jluhrsen@...>> wrote:
>
>     so, when creating a domain you have to use a domain id that already exists? where do I find
>     that domainid?
>
>     JamO
>
>     On 05/04/2017 12:51 PM, Ryan Goulding wrote:
>     > The domain id "96" does not exist.  Probably should be a better error message, but you need to use a domain that exists or
>     > you will get internal server error.
>     >
>     > Regards,
>     >
>     > Ryan Goulding
>     >
>     > On Thu, Apr 27, 2017 at 5:36 PM, Jamo Luhrsen <jluhrsen@... <mailto:jluhrsen@...>
>     <mailto:jluhrsen@... <mailto:jluhrsen@...>>> wrote:
>     >

>     >     (subject changed)
>     >
>     >     On 04/27/2017 06:34 AM, Ryan Goulding wrote:
>     >     > The stuff you are referring to works, JamO, and is completely orthogonal to the issue Luis reports.  If you paste
>     the exact
>     >     > REST call I can assist.  Also, if you are curious how to use those endpoints, refer to idmtool.py, which just
>     wraps that
>     >     > interface.  I just tested this morning.
>     >
>     >     yeah, if you can help me get it right I'll fix the CSIT. Still, I don't expect a 500/NPE
>     >     from AAA, so should that be a bug on it's own?
>     >
>     >     here's kind of my repro, if you can help me know what's wrong:
>     >
>     >     # Create a Domain
>     >
>     >     14:28 $ curl -u "admin:admin" -X POST -d
>     >     '{"description":"BeerClubAficionado","domainid":"96","name":"RyanRocks","enabled":"true"}' -H "Content-Type:
>     >     application/json" http://$ODL:8181/auth/v1/domains
>     >
>     >     {"domainid":"RyanRocks","name":"RyanRocks","description":"BeerClubAficionado","enabled":true}
>     >
>     >
>     >
>     >     # Look at domains (question: why is domainid==name, when I gave a '96' in the create?)
>     >
>     >
>     >     14:30 $ curl -u "admin:admin" http://$ODL:8181/auth/v1/domains | python -m json.tool
>     >     {
>     >         "domains": [
>     >             {
>     >                 "description": "default odl sdn domain",
>     >                 "domainid": "sdn",
>     >                 "enabled": true,
>     >                 "name": "sdn"
>     >             },
>     >             {
>     >                 "description": "planetary domain",
>     >                 "domainid": "Alderaan-2017-04-12-17-31",
>     >                 "enabled": true,
>     >                 "name": "Alderaan-2017-04-12-17-31"
>     >             },
>     >             {
>     >                 "description": "BeerClubAficionado",
>     >                 "domainid": "RyanRocks",
>     >                 "enabled": true,
>     >                 "name": "RyanRocks"
>     >             }
>     >         ]
>     >     }
>     >
>     >
>     >
>     >     # add a user to this new domain
>     >     # first try is using domainid = 96, but get 500/NPE
>     >     # second try uses domainid = $name, but also get 500/NPE
>     >
>     >     ✔ ~
>     >     14:30 $ curl -u "admin:admin" -X POST -d '{"description":"The
>     Man","name":"Goulding","enabled":"true","domainid":"96"}' -H
>     >     "Content-Type: application/json" http://$ODL:8181/auth/v1/users
>     >     <html>
>     >     <head>
>     >     <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"/>
>     >     <title>Error 500 Server Error</title>
>     >     </head>
>     >     <body><h2>HTTP ERROR 500</h2>
>     >     <p>Problem accessing /auth/v1/users. Reason:
>     >     <pre>    Server Error</pre></p><h3>Caused by:</h3><pre>java.lang.NullPointerException
>     >             at org.opendaylight.aaa.idm.rest.UserHandler.createUser(UserHandler.java:199)
>     >     ...
>     >     <snip>
>     >     ...
>     >
>     >
>     >
>     >     14:31 $ curl -u "admin:admin" -X POST -d '{"description":"The
>     >     Man","name":"Goulding","enabled":"true","domainid":"RyanRocks"}' -H "Content-Type: application/json"
>     >     http://$ODL:8181/auth/v1/users
>     >     <html>
>     >     <head>
>     >     <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"/>
>     >     <title>Error 500 Server Error</title>
>     >     </head>
>     >     <body><h2>HTTP ERROR 500</h2>
>     >     <p>Problem accessing /auth/v1/users. Reason:
>     >     <pre>    Server Error</pre></p><h3>Caused by:</h3><pre>java.lang.NullPointerException
>     >             at org.opendaylight.aaa.idm.rest.UserHandler.createUser(UserHandler.java:199)
>     >
>     >     ...
>     >     <snip>
>     >     ...
>     >
>     >
>     >     Thanks,
>     >     JamO
>     >
>     >
>     >
>     >     >     1) it does not work in Boron, I get 500 Server error + NPE [1] when I try: POST
>     >     >     /restconf/operations/aaa-cert-rpc:getODLCertificate
>     >     >
>     >     > I'll give it a shot and see what I get.
>     >     >
>     >     >     Do we have an idea of what the implications of just reverting that one patch are? Is it likely to work?
>     >     >
>     >     >
>     >     > So far we haven't demonstrated that the patch does anything negative except deprecate some unsafe commands.  Although
>     >     revert
>     >     > may probably be easiest from your perspective, there are a lot of people who actually push their tests upstream
>     and avoid
>     >     > this type of skew.  Let's not start a witch hunt quite yet;  I can pull up quite a few examples of far more risque
>     >     changes in
>     >     > service releases ;).
>     >     >
>     >     > Regards,
>     >     >
>     >     > Ryan Goulding
>     >     >
>     >     > On Thu, Apr 27, 2017 at 9:11 AM, Colin Dixon <colin@... <mailto:colin@...>
>     <mailto:colin@... <mailto:colin@...>>

>     >     <mailto:colin@... <mailto:colin@...> <mailto:colin@... <mailto:colin@...>>>> wrote:
>     >     >
>     >     >     Do we have an idea of what the implications of just reverting that one patch are? Is it likely to work?
>     >     >
>     >     >     --Colin
>     >     >
>     >     >     On Wed, Apr 26, 2017 at 11:11 PM Jamo Luhrsen <jluhrsen@... <mailto:jluhrsen@...> <mailto:jluhrsen@... <mailto:jluhrsen@...>>

>     >     <mailto:jluhrsen@... <mailto:jluhrsen@...> <mailto:jluhrsen@... <mailto:jluhrsen@...>>>> wrote:
>     >     >
>     >     >         btw, I was also trying to help get a broken AAA CSIT job working and ran in to some
>     >     >         troubles similar symptoms [0] to what Luis is reporting (500/NPE). Luis is playing with
>     >     >         cert stuff, and my work was in user/domain auth.
>     >     >
>     >     >         anyway, wondering if something fundamental is broken?
>     >     >
>     >     >         JamO
>     >     >
>     >     >         [0] https://lists.opendaylight.org/pipermail/aaa-dev/2017-April/001280.html
>     <https://lists.opendaylight.org/pipermail/aaa-dev/2017-April/001280.html>
>     >     <https://lists.opendaylight.org/pipermail/aaa-dev/2017-April/001280.html
>     <https://lists.opendaylight.org/pipermail/aaa-dev/2017-April/001280.html>>
>     >     >         <https://lists.opendaylight.org/pipermail/aaa-dev/2017-April/001280.html
>     <https://lists.opendaylight.org/pipermail/aaa-dev/2017-April/001280.html>
>     >     <https://lists.opendaylight.org/pipermail/aaa-dev/2017-April/001280.html
>     <https://lists.opendaylight.org/pipermail/aaa-dev/2017-April/001280.html>>>
>     >     >
>     >     >
>     >     >
>     >     >         On 04/26/2017 06:21 PM, Luis Gomez wrote:
>     >     >         > hi guys, I just tested old-aaa-cert feature and couple of things:
>     >     >         >
>     >     >         > 1) it does not work in Boron, I get 500 Server error + NPE [1] when I try: POST
>     >     >         /restconf/operations/aaa-cert-rpc:getODLCertificate
>     >     >         >
>     >     >         > 2) When I try in carbon I see 2 store files: ctl.jks, truststore.jks are created under ~/temp folder. Is it
>     >     >         possible to change the path for these files?
>     >     >         >
>     >     >         >
>     >     >         > [1] NPE
>     >     >         >
>     >     >         > <html>
>     >     >         >     <head>
>     >     >         >         <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"/>
>     >     >         >         <title>Error 500 Server Error</title>
>     >     >         >     </head>
>     >     >         >     <body>
>     >     >         >         <h2>HTTP ERROR 500</h2>
>     >     >         >         <p>Problem accessing /restconf/operations/aaa-cert-rpc:getODLCertificate. Reason:
>     >     >         >
>     >     >         >             <pre>    Server Error</pre>
>     >     >         >         </p>
>     >     >         >         <h3>Caused by:</h3>
>     >     >         >         <pre>java.lang.NullPointerException
>     >     >         >       at
>     org.opendaylight.aaa.cert.impl.AaaCertRpcServiceImpl.getODLCertificate(AaaCertRpcServiceImpl.java:92)
>     >     >         >       at
>     >     >
>     >
>     org.opendaylight.yangtools.yang.binding.util.RpcMethodInvokerWithoutInput.invokeOn(RpcMethodInvokerWithoutInput.java:30)
>     >     >         >       at
>     >     >
>      org.opendaylight.yangtools.yang.binding.util.AbstractMappedRpcInvoker.invokeRpc(AbstractMappedRpcInvoker.java:52)
>     >     >         >       at
>     >     >
>     >
>     org.opendaylight.controller.md.sal.binding.impl.BindingDOMRpcImplementationAdapter.invoke(BindingDOMRpcImplementationAdapter.java:85)
>     >     >         >       at
>     >     >
>     >
>     org.opendaylight.controller.md.sal.binding.impl.BindingDOMRpcImplementationAdapter.invokeRpc(BindingDOMRpcImplementationAdapter.java:72)
>     >     >         >       at
>     >     >
>     >
>     org.opendaylight.controller.md.sal.dom.broker.impl.GlobalDOMRpcRoutingTableEntry.invokeRpc(GlobalDOMRpcRoutingTableEntry.java:39)
>     >     >         >       at
>     >     org.opendaylight.controller.md.sal.dom.broker.impl.DOMRpcRoutingTable.invokeRpc(DOMRpcRoutingTable.java:177)
>     >     >         >       at org.opendaylight.controller.md.sal.dom.broker.impl.DOMRpcRouter.invokeRpc(DOMRpcRouter.java:102)
>     >     >         >       at Proxye69c1788_e30d_4fd8_8d29_f7f08932a9e7.invokeRpc(Unknown Source)
>     >     >         >       at org.opendaylight.netconf.sal.restconf.impl.BrokerFacade.invokeRpc(BrokerFacade.java:506)
>     >     >         >       at org.opendaylight.netconf.sal.restconf.impl.RestconfImpl.invokeRpc(RestconfImpl.java:464)
>     >     >         >       at
>     >     >
>     >
>     org.opendaylight.netconf.sal.restconf.impl.StatisticsRestconfServiceWrapper.invokeRpc(StatisticsRestconfServiceWrapper.java:83)
>     >     >         >       at
>     >     org.opendaylight.netconf.sal.rest.impl.RestconfCompositeWrapper.invokeRpc(RestconfCompositeWrapper.java:64)
>     >     >         >       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>     >     >         >       at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>     >     >         >       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>     >     >         >       at java.lang.reflect.Method.invoke(Method.java:498)
>     >     >         >       at com.sun.jersey.spi.container.JavaMethodInvokerFactory$1.invoke(JavaMethodInvokerFactory.java:60)
>     >     >         >       at
>     >     >
>     >
>     com.sun.jersey.server.impl.model.method.dispatch.AbstractResourceMethodDispatchProvider$TypeOutInvoker._dispatch(AbstractResourceMethodDispatchProvider.java:185)
>     >     >         >       at
>     >     >
>     >
>     com.sun.jersey.server.impl.model.method.dispatch.ResourceJavaMethodDispatcher.dispatch(ResourceJavaMethodDispatcher.java:75)
>     >     >         >       at com.sun.jersey.server.impl.uri.rules.HttpMethodRule.accept(HttpMethodRule.java:302)
>     >     >         >       at com.sun.jersey.server.impl.uri.rules.RightHandPathRule.accept(RightHandPathRule.java:147)
>     >     >         >       at com.sun.jersey.server.impl.uri.rules.ResourceObjectRule.accept(ResourceObjectRule.java:100)
>     >     >         >       at com.sun.jersey.server.impl.uri.rules.RightHandPathRule.accept(RightHandPathRule.java:147)
>     >     >         >       at
>     com.sun.jersey.server.impl.uri.rules.RootResourceClassesRule.accept(RootResourceClassesRule.java:84)
>     >     >         >       at
>     com.sun.jersey.server.impl.application.WebApplicationImpl._handleRequest(WebApplicationImpl.java:1511)
>     >     >         >       at
>     com.sun.jersey.server.impl.application.WebApplicationImpl._handleRequest(WebApplicationImpl.java:1442)
>     >     >         >       at
>     com.sun.jersey.server.impl.application.WebApplicationImpl.handleRequest(WebApplicationImpl.java:1391)
>     >     >         >       at
>     com.sun.jersey.server.impl.application.WebApplicationImpl.handleRequest(WebApplicationImpl.java:1381)
>     >     >         >       at com.sun.jersey.spi.container.servlet.WebComponent.service(WebComponent.java:416)
>     >     >         >       at com.sun.jersey.spi.container.servlet.ServletContainer.service(ServletContainer.java:538)
>     >     >         >       at com.sun.jersey.spi.container.servlet.ServletContainer.service(ServletContainer.java:716)
>     >     >         >       at javax.servlet.http.HttpServlet.service(HttpServlet.java:668)
>     >     >         >       at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:684)
>     >     >         >       at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1507)
>     >     >         >       at org.eclipse.jetty.servlets.CrossOriginFilter.handle(CrossOriginFilter.java:247)
>     >     >         >       at org.eclipse.jetty.servlets.CrossOriginFilter.doFilter(CrossOriginFilter.java:210)
>     >     >         >       at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1478)
>     >     >         >       at org.eclipse.jetty.servlets.UserAgentFilter.doFilter(UserAgentFilter.java:82)
>     >     >         >       at org.eclipse.jetty.servlets.GzipFilter.doFilter(GzipFilter.java:256)
>     >     >         >       at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1478)
>     >     >         >       at org.opendaylight.aaa.filterchain.filters.CustomFilterAdapter.doFilter(CustomFilterAdapter.java:85)
>     >     >         >       at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1478)
>     >     >         >       at org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:61)
>     >     >         >       at org.apache.shiro.web.servlet.AdviceFilter.executeChain(AdviceFilter.java:108)
>     >     >         >       at org.apache.shiro.web.servlet.AdviceFilter.doFilterInternal(AdviceFilter.java:137)
>     >     >         >       at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)
>     >     >         >       at org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:66)
>     >     >         >       at org.apache.shiro.web.servlet.AdviceFilter.executeChain(AdviceFilter.java:108)
>     >     >         >       at org.apache.shiro.web.servlet.AdviceFilter.doFilterInternal(AdviceFilter.java:137)
>     >     >         >       at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)
>     >     >         >       at org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:66)
>     >     >         >       at org.apache.shiro.web.servlet.AbstractShiroFilter.executeChain(AbstractShiroFilter.java:449)
>     >     >         >       at org.apache.shiro.web.servlet.AbstractShiroFilter$1.call(AbstractShiroFilter.java:365)
>     >     >         >       at org.apache.shiro.subject.support.SubjectCallable.doCall(SubjectCallable.java:90)
>     >     >         >       at org.apache.shiro.subject.support.SubjectCallable.call(SubjectCallable.java:83)
>     >     >         >       at org.apache.shiro.subject.support.DelegatingSubject.execute(DelegatingSubject.java:383)
>     >     >         >       at org.apache.shiro.web.servlet.AbstractShiroFilter.doFilterInternal(AbstractShiroFilter.java:362)
>     >     >         >       at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)
>     >     >         >       at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1478)
>     >     >         >       at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:499)
>     >     >         >       at
>     >     org.ops4j.pax.web.service.jetty.internal.HttpServiceServletHandler.doHandle(HttpServiceServletHandler.java:69)
>     >     >         >       at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:137)
>     >     >         >       at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:557)
>     >     >         >       at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:231)
>     >     >         >       at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1086)
>     >     >         >       at org.ops4j.pax.web.service.jetty.internal.HttpServiceContext.doHandle(HttpServiceContext.java:240)
>     >     >         >       at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:427)
>     >     >         >       at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:193)
>     >     >         >       at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1020)
>     >     >         >       at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:135)
>     >     >         >       at
>     >     >
>      org.ops4j.pax.web.service.jetty.internal.JettyServerHandlerCollection.handle(JettyServerHandlerCollection.java:75)
>     >     >         >       at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:116)
>     >     >         >       at org.eclipse.jetty.server.Server.handle(Server.java:370)
>     >     >         >       at org.eclipse.jetty.server.AbstractHttpConnection.handleRequest(AbstractHttpConnection.java:494)
>     >     >         >       at org.eclipse.jetty.server.AbstractHttpConnection.headerComplete(AbstractHttpConnection.java:973)
>     >     >         >       at
>     >     >
>      org.eclipse.jetty.server.AbstractHttpConnection$RequestHandler.headerComplete(AbstractHttpConnection.java:1035)
>     >     >         >       at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:641)
>     >     >         >       at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:231)
>     >     >         >       at org.eclipse.jetty.server.AsyncHttpConnection.handle(AsyncHttpConnection.java:82)
>     >     >         >       at org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEndPoint.java:696)
>     >     >         >       at org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEndPoint.java:53)
>     >     >         >       at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:608)
>     >     >         >       at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:543)
>     >     >         >       at java.lang.Thread.run(Thread.java:745)
>     >     >         >
>     >     >         >
>     >     >         >
>     >     >         >
>     >     >         >
>     >     >         >> On Apr 26, 2017, at 12:50 PM, Mohamed ElSerngawy <melserngawy@...
>     <mailto:melserngawy@...> <mailto:melserngawy@... <mailto:melserngawy@...>>

>     >     <mailto:melserngawy@... <mailto:melserngawy@...> <mailto:melserngawy@... <mailto:melserngawy@...>>>>
>     wrote:
>     >     >         >>
>     >     >         >> Hi Colin,
>     >     >         >>
>     >     >         >> You are not suppose to use them after the changes that we made in the patch. Basically these functionalities
>     >     were
>     >     >         there because of the keystores need to be generated after starting ODL. But now, the keystore will be created once
>     >     >         you install the aaa-cert feature. keeping this functionalities could make a serious security thread.
>     >     >         >>
>     >     >         >> BR
>     >     >         >>
>     >     >         >> On Wed, Apr 26, 2017 at 3:40 PM, Colin Dixon <colin@... <mailto:colin@...> <mailto:colin@... <mailto:colin@...>>

>     >     <mailto:colin@... <mailto:colin@...> <mailto:colin@... <mailto:colin@...>>>> wrote:
>     >     >         >> Putting the argument about what should go in an SR aside for the moment, is there a straightforward way to
>     >     access
>     >     >         the functionality that was provided by the removed commands? Specifically gen-odl-ks and gen-trust-ks?
>     >     >         >>
>     >     >         >> --Colin
>     >     >         >>
>     >     >         >> On Wed, Apr 26, 2017 at 3:15 PM Ryan Goulding <ryandgoulding@... <mailto:ryandgoulding@gmail.com> <mailto:ryandgoulding@gmail.com <mailto:ryandgoulding@gmail.com>>
>     >     <mailto:ryandgoulding@gmail.com <mailto:ryandgoulding@gmail.com> <mailto:ryandgoulding@gmail.com
>     <mailto:ryandgoulding@gmail.com>>>> wrote:
>     >     >         >> which is probably not in the spirit of SRs
>     >     >         >>
>     >     >         >> This was done for both usability and security purposes, as I explained via Skype already.  The security
>     >     advantages
>     >     >         alone make it justifiable IMHO.
>     >     >         >>
>     >     >         >>  While we're somewhat less strict about adding features in SRs. Taking them out without a lot of warning and
>     >     >         notice is pretty much the definition of what we try to never do in SRs.j
>     >     >         >>
>     >     >         >> This isn't a feature, it is CLI.
>     >     >         >>
>     >     >         >>  This patch seems to be the issue:
>     >     >         >> https://git.opendaylight.org/gerrit/#/c/51649/ <https://git.opendaylight.org/gerrit/#/c/51649/>
>     <https://git.opendaylight.org/gerrit/#/c/51649/ <https://git.opendaylight.org/gerrit/#/c/51649/>>
>     >     <https://git.opendaylight.org/gerrit/#/c/51649/ <https://git.opendaylight.org/gerrit/#/c/51649/>
>     <https://git.opendaylight.org/gerrit/#/c/51649/ <https://git.opendaylight.org/gerrit/#/c/51649/>>>
>     >     >         >>
>     >     >         >> Yes, if you look at the bug actually, a member from your team commented on it [0] so I'd argue that it was at
>     >     >         least somewhat well known ;).  Reverting it shouldn't be particularly hard, but it could open you open to some
>     >     >         security issues in your downstream distro!
>     >     >         >>
>     >     >         >> Regards,
>     >     >         >>
>     >     >         >> Ryan Goulding
>     >     >         >>
>     >     >         >> [0] https://bugs.opendaylight.org/show_bug.cgi?id=7774 <https://bugs.opendaylight.org/show_bug.cgi?id=7774>
>     <https://bugs.opendaylight.org/show_bug.cgi?id=7774 <https://bugs.opendaylight.org/show_bug.cgi?id=7774>>
>     >     <https://bugs.opendaylight.org/show_bug.cgi?id=7774 <https://bugs.opendaylight.org/show_bug.cgi?id=7774>
>     <https://bugs.opendaylight.org/show_bug.cgi?id=7774 <https://bugs.opendaylight.org/show_bug.cgi?id=7774>>>
>     >     >         >>
>     >     >         >> On Wed, Apr 26, 2017 at 3:03 PM, Colin Dixon <colin@... <mailto:colin@...> <mailto:colin@... <mailto:colin@...>>

>     >     <mailto:colin@... <mailto:colin@...> <mailto:colin@... <mailto:colin@...>>>> wrote:
>     >     >         >> So, in some downstream testing at Brocade we found that the AAA CLI commands were changed somewhat drastically
>     >     >         between Boron-SR2 and Boron-SR3, which is probably not in the spirit of SRs. While we're somewhat less strict about
>     >     >         adding features in SRs. Taking them out without a lot of warning and notice is pretty much the definition of
>     >     what we
>     >     >         try to never do in SRs.
>     >     >         >>
>     >     >         >> That being said, we're trying to make the best of it and looking for help in understanding how to get the
>     >     >         functionality we rely on from AAA back in Boron-SR3.
>     >     >         >>
>     >     >         >> This patch seems to be the issue:
>     >     >         >> https://git.opendaylight.org/gerrit/#/c/51649/ <https://git.opendaylight.org/gerrit/#/c/51649/>
>     <https://git.opendaylight.org/gerrit/#/c/51649/ <https://git.opendaylight.org/gerrit/#/c/51649/>>
>     >     <https://git.opendaylight.org/gerrit/#/c/51649/ <https://git.opendaylight.org/gerrit/#/c/51649/>
>     <https://git.opendaylight.org/gerrit/#/c/51649/ <https://git.opendaylight.org/gerrit/#/c/51649/>>>
>     >     >         >>
>     >     >         >> Is there somebody that can comment on how we might recover the functionality that used to be provided by the
>     >     >         gen-odl-ks and gen-trust-ks CLI commands? Would simply reverting that patch work or would it break other things
>     >     as well?
>     >     >         >>
>     >     >         >> Thanks,
>     >     >         >> --Colin
>     >     >         >>
>     >     >         >>
>     >     >         >> _______________________________________________
>     >     >         >> aaa-dev mailing list
>     >     >         >> aaa-dev@... <mailto:aaa-dev@lists.opendaylight.org> <mailto:aaa-dev@lists.opendaylight.org
>     <mailto:aaa-dev@lists.opendaylight.org>>
>     >     <mailto:aaa-dev@lists.opendaylight.org <mailto:aaa-dev@lists.opendaylight.org>
>     <mailto:aaa-dev@lists.opendaylight.org <mailto:aaa-dev@lists.opendaylight.org>>>
>     >     >         >> https://lists.opendaylight.org/mailman/listinfo/aaa-dev
>     <https://lists.opendaylight.org/mailman/listinfo/aaa-dev>
>     >     <https://lists.opendaylight.org/mailman/listinfo/aaa-dev <https://lists.opendaylight.org/mailman/listinfo/aaa-dev>>
>     <https://lists.opendaylight.org/mailman/listinfo/aaa-dev <https://lists.opendaylight.org/mailman/listinfo/aaa-dev>
>     >     <https://lists.opendaylight.org/mailman/listinfo/aaa-dev <https://lists.opendaylight.org/mailman/listinfo/aaa-dev>>>
>     >     >         >>
>     >     >         >>
>     >     >         >>
>     >     >         >> _______________________________________________
>     >     >         >> aaa-dev mailing list
>     >     >         >> aaa-dev@... <mailto:aaa-dev@lists.opendaylight.org> <mailto:aaa-dev@lists.opendaylight.org
>     <mailto:aaa-dev@lists.opendaylight.org>>
>     >     <mailto:aaa-dev@lists.opendaylight.org <mailto:aaa-dev@lists.opendaylight.org>
>     <mailto:aaa-dev@lists.opendaylight.org <mailto:aaa-dev@lists.opendaylight.org>>>
>     >     >         >> https://lists.opendaylight.org/mailman/listinfo/aaa-dev
>     <https://lists.opendaylight.org/mailman/listinfo/aaa-dev>
>     >     <https://lists.opendaylight.org/mailman/listinfo/aaa-dev <https://lists.opendaylight.org/mailman/listinfo/aaa-dev>>
>     <https://lists.opendaylight.org/mailman/listinfo/aaa-dev <https://lists.opendaylight.org/mailman/listinfo/aaa-dev>
>     >     <https://lists.opendaylight.org/mailman/listinfo/aaa-dev <https://lists.opendaylight.org/mailman/listinfo/aaa-dev>>>
>     >     >         >
>     >     >         > _______________________________________________
>     >     >         > aaa-dev mailing list
>     >     >         > aaa-dev@... <mailto:aaa-dev@lists.opendaylight.org>

>     <mailto:aaa-dev@lists.opendaylight.org <mailto:aaa-dev@lists.opendaylight.org>> <mailto:aaa-dev@lists.opendaylight.org
>     <mailto:aaa-dev@lists.opendaylight.org>
>     >     <mailto:aaa-dev@lists.opendaylight.org <mailto:aaa-dev@lists.opendaylight.org>>>
>     >     >         > https://lists.opendaylight.org/mailman/listinfo/aaa-dev
>     <https://lists.opendaylight.org/mailman/listinfo/aaa-dev>
>     >     <https://lists.opendaylight.org/mailman/listinfo/aaa-dev <https://lists.opendaylight.org/mailman/listinfo/aaa-dev>>
>     <https://lists.opendaylight.org/mailman/listinfo/aaa-dev <https://lists.opendaylight.org/mailman/listinfo/aaa-dev>
>     >     <https://lists.opendaylight.org/mailman/listinfo/aaa-dev <https://lists.opendaylight.org/mailman/listinfo/aaa-dev>>>
>     >     >         >
>     >     >
>     >     >
>     >     >     _______________________________________________
>     >     >     aaa-dev mailing list
>     >     >     aaa-dev@... <mailto:aaa-dev@lists.opendaylight.org> <mailto:aaa-dev@lists.opendaylight.org
>     <mailto:aaa-dev@lists.opendaylight.org>> <mailto:aaa-dev@lists.opendaylight.org <mailto:aaa-dev@lists.opendaylight.org>

>     >     <mailto:aaa-dev@lists.opendaylight.org <mailto:aaa-dev@lists.opendaylight.org>>>
>     >     >     https://lists.opendaylight.org/mailman/listinfo/aaa-dev <https://lists.opendaylight.org/mailman/listinfo/aaa-dev>
>     <https://lists.opendaylight.org/mailman/listinfo/aaa-dev <https://lists.opendaylight.org/mailman/listinfo/aaa-dev>>
>     >     <https://lists.opendaylight.org/mailman/listinfo/aaa-dev <https://lists.opendaylight.org/mailman/listinfo/aaa-dev>
>     <https://lists.opendaylight.org/mailman/listinfo/aaa-dev <https://lists.opendaylight.org/mailman/listinfo/aaa-dev>>>
>     >     >
>     >     >
>     >
>     >
>
>

Hi Jamo,

You are not suppose to set the domain-id [0].

[0] https://github.com/opendaylight/aaa/blob/master/aaa-h2-store/src/main/java/org/opendaylight/aaa/h2/persistence/DomainStore.java#L104

On Thu, May 4, 2017 at 4:11 PM, Jamo Luhrsen <jluhrsen@...> wrote:

wait, I get the sense you missed my first step where I did create a domain. I created it
with the domainid 96.

JamO

On 05/04/2017 01:00 PM, Ryan Goulding wrote:
> Its either going to be the default one (sdn) or one you created.  You can find out which ones exist by:
>
> ryan@ubuntu:/code/aaa-nitrogen/karaf/target/assembly$ python bin/idmtool admin list-domains
> Password:
> list_domains
>
> command succeeded!
>
> json:
> {
>     "domains": [
>         {
>             "description": "default odl sdn domain",
>             "domainid": "sdn",
>             "enabled": true,
>             "name": "sdn"
>         }
>     ]
> }
> ryan@ubuntu:/code/aaa-nitrogen/karaf/target/assembly$
>
> *Note:  it will be python etc/idmtool in Carbon since we didn't get that bug fix in in time.
>
> *
> OR:
>
> curl -u "admin:admin" http://$ODL:8181/auth/v1/domains | python -m json.tool
>
> if you are using raw REST
>
> Regards,
>
> Ryan Goulding
>
> On Thu, May 4, 2017 at 3:53 PM, Jamo Luhrsen <jluhrsen@... <mailto:jluhrsen@...>> wrote:
>
>     so, when creating a domain you have to use a domain id that already exists? where do I find
>     that domainid?
>
>     JamO
>
>     On 05/04/2017 12:51 PM, Ryan Goulding wrote:
>     > The domain id "96" does not exist.  Probably should be a better error message, but you need to use a domain that exists or
>     > you will get internal server error.
>     >
>     > Regards,
>     >
>     > Ryan Goulding
>     >
>     > On Thu, Apr 27, 2017 at 5:36 PM, Jamo Luhrsen <jluhrsen@... <mailto:jluhrsen@...>
>     <mailto:jluhrsen@... <mailto:jluhrsen@...>>> wrote:
>     >

>     >     (subject changed)
>     >
>     >     On 04/27/2017 06:34 AM, Ryan Goulding wrote:
>     >     > The stuff you are referring to works, JamO, and is completely orthogonal to the issue Luis reports.  If you paste
>     the exact
>     >     > REST call I can assist.  Also, if you are curious how to use those endpoints, refer to idmtool.py, which just
>     wraps that
>     >     > interface.  I just tested this morning.
>     >
>     >     yeah, if you can help me get it right I'll fix the CSIT. Still, I don't expect a 500/NPE
>     >     from AAA, so should that be a bug on it's own?
>     >
>     >     here's kind of my repro, if you can help me know what's wrong:
>     >
>     >     # Create a Domain
>     >
>     >     14:28 $ curl -u "admin:admin" -X POST -d
>     >     '{"description":"BeerClubAficionado","domainid":"96","name":"RyanRocks","enabled":"true"}' -H "Content-Type:
>     >     application/json" http://$ODL:8181/auth/v1/domains
>     >
>     >     {"domainid":"RyanRocks","name":"RyanRocks","description":"BeerClubAficionado","enabled":true}
>     >
>     >
>     >
>     >     # Look at domains (question: why is domainid==name, when I gave a '96' in the create?)
>     >
>     >
>     >     14:30 $ curl -u "admin:admin" http://$ODL:8181/auth/v1/domains | python -m json.tool
>     >     {
>     >         "domains": [
>     >             {
>     >                 "description": "default odl sdn domain",
>     >                 "domainid": "sdn",
>     >                 "enabled": true,
>     >                 "name": "sdn"
>     >             },
>     >             {
>     >                 "description": "planetary domain",
>     >                 "domainid": "Alderaan-2017-04-12-17-31",
>     >                 "enabled": true,
>     >                 "name": "Alderaan-2017-04-12-17-31"
>     >             },
>     >             {
>     >                 "description": "BeerClubAficionado",
>     >                 "domainid": "RyanRocks",
>     >                 "enabled": true,
>     >                 "name": "RyanRocks"
>     >             }
>     >         ]
>     >     }
>     >
>     >
>     >
>     >     # add a user to this new domain
>     >     # first try is using domainid = 96, but get 500/NPE
>     >     # second try uses domainid = $name, but also get 500/NPE
>     >
>     >     ✔ ~
>     >     14:30 $ curl -u "admin:admin" -X POST -d '{"description":"The
>     Man","name":"Goulding","enabled":"true","domainid":"96"}' -H
>     >     "Content-Type: application/json" http://$ODL:8181/auth/v1/users
>     >     <html>
>     >     <head>
>     >     <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"/>
>     >     <title>Error 500 Server Error</title>
>     >     </head>
>     >     <body><h2>HTTP ERROR 500</h2>
>     >     <p>Problem accessing /auth/v1/users. Reason:
>     >     <pre>    Server Error</pre></p><h3>Caused by:</h3><pre>java.lang.NullPointerException
>     >             at org.opendaylight.aaa.idm.rest.UserHandler.createUser(UserHandler.java:199)
>     >     ...
>     >     <snip>
>     >     ...
>     >
>     >
>     >
>     >     14:31 $ curl -u "admin:admin" -X POST -d '{"description":"The
>     >     Man","name":"Goulding","enabled":"true","domainid":"RyanRocks"}' -H "Content-Type: application/json"
>     >     http://$ODL:8181/auth/v1/users
>     >     <html>
>     >     <head>
>     >     <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"/>
>     >     <title>Error 500 Server Error</title>
>     >     </head>
>     >     <body><h2>HTTP ERROR 500</h2>
>     >     <p>Problem accessing /auth/v1/users. Reason:
>     >     <pre>    Server Error</pre></p><h3>Caused by:</h3><pre>java.lang.NullPointerException
>     >             at org.opendaylight.aaa.idm.rest.UserHandler.createUser(UserHandler.java:199)
>     >
>     >     ...
>     >     <snip>
>     >     ...
>     >
>     >
>     >     Thanks,
>     >     JamO
>     >
>     >
>     >
>     >     >     1) it does not work in Boron, I get 500 Server error + NPE [1] when I try: POST
>     >     >     /restconf/operations/aaa-cert-rpc:getODLCertificate
>     >     >
>     >     > I'll give it a shot and see what I get.
>     >     >
>     >     >     Do we have an idea of what the implications of just reverting that one patch are? Is it likely to work?
>     >     >
>     >     >
>     >     > So far we haven't demonstrated that the patch does anything negative except deprecate some unsafe commands.  Although
>     >     revert
>     >     > may probably be easiest from your perspective, there are a lot of people who actually push their tests upstream
>     and avoid
>     >     > this type of skew.  Let's not start a witch hunt quite yet;  I can pull up quite a few examples of far more risque
>     >     changes in
>     >     > service releases ;).
>     >     >
>     >     > Regards,
>     >     >
>     >     > Ryan Goulding
>     >     >
>     >     > On Thu, Apr 27, 2017 at 9:11 AM, Colin Dixon <colin@... <mailto:colin@...>
>     <mailto:colin@... <mailto:colin@...>>

>     >     <mailto:colin@... <mailto:colin@...> <mailto:colin@... <mailto:colin@...>>>> wrote:
>     >     >
>     >     >     Do we have an idea of what the implications of just reverting that one patch are? Is it likely to work?
>     >     >
>     >     >     --Colin
>     >     >
>     >     >     On Wed, Apr 26, 2017 at 11:11 PM Jamo Luhrsen <jluhrsen@... <mailto:jluhrsen@...> <mailto:jluhrsen@... <mailto:jluhrsen@...>>

>     >     <mailto:jluhrsen@... <mailto:jluhrsen@...> <mailto:jluhrsen@... <mailto:jluhrsen@...>>>> wrote:
>     >     >
>     >     >         btw, I was also trying to help get a broken AAA CSIT job working and ran in to some
>     >     >         troubles similar symptoms [0] to what Luis is reporting (500/NPE). Luis is playing with
>     >     >         cert stuff, and my work was in user/domain auth.
>     >     >
>     >     >         anyway, wondering if something fundamental is broken?
>     >     >
>     >     >         JamO
>     >     >
>     >     >         [0] https://lists.opendaylight.org/pipermail/aaa-dev/2017-April/001280.html
>     <https://lists.opendaylight.org/pipermail/aaa-dev/2017-April/001280.html>
>     >     <https://lists.opendaylight.org/pipermail/aaa-dev/2017-April/001280.html
>     <https://lists.opendaylight.org/pipermail/aaa-dev/2017-April/001280.html>>
>     >     >         <https://lists.opendaylight.org/pipermail/aaa-dev/2017-April/001280.html
>     <https://lists.opendaylight.org/pipermail/aaa-dev/2017-April/001280.html>
>     >     <https://lists.opendaylight.org/pipermail/aaa-dev/2017-April/001280.html
>     <https://lists.opendaylight.org/pipermail/aaa-dev/2017-April/001280.html>>>
>     >     >
>     >     >
>     >     >
>     >     >         On 04/26/2017 06:21 PM, Luis Gomez wrote:
>     >     >         > hi guys, I just tested old-aaa-cert feature and couple of things:
>     >     >         >
>     >     >         > 1) it does not work in Boron, I get 500 Server error + NPE [1] when I try: POST
>     >     >         /restconf/operations/aaa-cert-rpc:getODLCertificate
>     >     >         >
>     >     >         > 2) When I try in carbon I see 2 store files: ctl.jks, truststore.jks are created under ~/temp folder. Is it
>     >     >         possible to change the path for these files?
>     >     >         >
>     >     >         >
>     >     >         > [1] NPE
>     >     >         >
>     >     >         > <html>
>     >     >         >     <head>
>     >     >         >         <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"/>
>     >     >         >         <title>Error 500 Server Error</title>
>     >     >         >     </head>
>     >     >         >     <body>
>     >     >         >         <h2>HTTP ERROR 500</h2>
>     >     >         >         <p>Problem accessing /restconf/operations/aaa-cert-rpc:getODLCertificate. Reason:
>     >     >         >
>     >     >         >             <pre>    Server Error</pre>
>     >     >         >         </p>
>     >     >         >         <h3>Caused by:</h3>
>     >     >         >         <pre>java.lang.NullPointerException
>     >     >         >       at
>     org.opendaylight.aaa.cert.impl.AaaCertRpcServiceImpl.getODLCertificate(AaaCertRpcServiceImpl.java:92)
>     >     >         >       at
>     >     >
>     >
>     org.opendaylight.yangtools.yang.binding.util.RpcMethodInvokerWithoutInput.invokeOn(RpcMethodInvokerWithoutInput.java:30)
>     >     >         >       at
>     >     >
>      org.opendaylight.yangtools.yang.binding.util.AbstractMappedRpcInvoker.invokeRpc(AbstractMappedRpcInvoker.java:52)
>     >     >         >       at
>     >     >
>     >
>     org.opendaylight.controller.md.sal.binding.impl.BindingDOMRpcImplementationAdapter.invoke(BindingDOMRpcImplementationAdapter.java:85)
>     >     >         >       at
>     >     >
>     >
>     org.opendaylight.controller.md.sal.binding.impl.BindingDOMRpcImplementationAdapter.invokeRpc(BindingDOMRpcImplementationAdapter.java:72)
>     >     >         >       at
>     >     >
>     >
>     org.opendaylight.controller.md.sal.dom.broker.impl.GlobalDOMRpcRoutingTableEntry.invokeRpc(GlobalDOMRpcRoutingTableEntry.java:39)
>     >     >         >       at
>     >     org.opendaylight.controller.md.sal.dom.broker.impl.DOMRpcRoutingTable.invokeRpc(DOMRpcRoutingTable.java:177)
>     >     >         >       at org.opendaylight.controller.md.sal.dom.broker.impl.DOMRpcRouter.invokeRpc(DOMRpcRouter.java:102)
>     >     >         >       at Proxye69c1788_e30d_4fd8_8d29_f7f08932a9e7.invokeRpc(Unknown Source)
>     >     >         >       at org.opendaylight.netconf.sal.restconf.impl.BrokerFacade.invokeRpc(BrokerFacade.java:506)
>     >     >         >       at org.opendaylight.netconf.sal.restconf.impl.RestconfImpl.invokeRpc(RestconfImpl.java:464)
>     >     >         >       at
>     >     >
>     >
>     org.opendaylight.netconf.sal.restconf.impl.StatisticsRestconfServiceWrapper.invokeRpc(StatisticsRestconfServiceWrapper.java:83)
>     >     >         >       at
>     >     org.opendaylight.netconf.sal.rest.impl.RestconfCompositeWrapper.invokeRpc(RestconfCompositeWrapper.java:64)
>     >     >         >       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>     >     >         >       at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>     >     >         >       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>     >     >         >       at java.lang.reflect.Method.invoke(Method.java:498)
>     >     >         >       at com.sun.jersey.spi.container.JavaMethodInvokerFactory$1.invoke(JavaMethodInvokerFactory.java:60)
>     >     >         >       at
>     >     >
>     >
>     com.sun.jersey.server.impl.model.method.dispatch.AbstractResourceMethodDispatchProvider$TypeOutInvoker._dispatch(AbstractResourceMethodDispatchProvider.java:185)
>     >     >         >       at
>     >     >
>     >
>     com.sun.jersey.server.impl.model.method.dispatch.ResourceJavaMethodDispatcher.dispatch(ResourceJavaMethodDispatcher.java:75)
>     >     >         >       at com.sun.jersey.server.impl.uri.rules.HttpMethodRule.accept(HttpMethodRule.java:302)
>     >     >         >       at com.sun.jersey.server.impl.uri.rules.RightHandPathRule.accept(RightHandPathRule.java:147)
>     >     >         >       at com.sun.jersey.server.impl.uri.rules.ResourceObjectRule.accept(ResourceObjectRule.java:100)
>     >     >         >       at com.sun.jersey.server.impl.uri.rules.RightHandPathRule.accept(RightHandPathRule.java:147)
>     >     >         >       at
>     com.sun.jersey.server.impl.uri.rules.RootResourceClassesRule.accept(RootResourceClassesRule.java:84)
>     >     >         >       at
>     com.sun.jersey.server.impl.application.WebApplicationImpl._handleRequest(WebApplicationImpl.java:1511)
>     >     >         >       at
>     com.sun.jersey.server.impl.application.WebApplicationImpl._handleRequest(WebApplicationImpl.java:1442)
>     >     >         >       at
>     com.sun.jersey.server.impl.application.WebApplicationImpl.handleRequest(WebApplicationImpl.java:1391)
>     >     >         >       at
>     com.sun.jersey.server.impl.application.WebApplicationImpl.handleRequest(WebApplicationImpl.java:1381)
>     >     >         >       at com.sun.jersey.spi.container.servlet.WebComponent.service(WebComponent.java:416)
>     >     >         >       at com.sun.jersey.spi.container.servlet.ServletContainer.service(ServletContainer.java:538)
>     >     >         >       at com.sun.jersey.spi.container.servlet.ServletContainer.service(ServletContainer.java:716)
>     >     >         >       at javax.servlet.http.HttpServlet.service(HttpServlet.java:668)
>     >     >         >       at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:684)
>     >     >         >       at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1507)
>     >     >         >       at org.eclipse.jetty.servlets.CrossOriginFilter.handle(CrossOriginFilter.java:247)
>     >     >         >       at org.eclipse.jetty.servlets.CrossOriginFilter.doFilter(CrossOriginFilter.java:210)
>     >     >         >       at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1478)
>     >     >         >       at org.eclipse.jetty.servlets.UserAgentFilter.doFilter(UserAgentFilter.java:82)
>     >     >         >       at org.eclipse.jetty.servlets.GzipFilter.doFilter(GzipFilter.java:256)
>     >     >         >       at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1478)
>     >     >         >       at org.opendaylight.aaa.filterchain.filters.CustomFilterAdapter.doFilter(CustomFilterAdapter.java:85)
>     >     >         >       at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1478)
>     >     >         >       at org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:61)
>     >     >         >       at org.apache.shiro.web.servlet.AdviceFilter.executeChain(AdviceFilter.java:108)
>     >     >         >       at org.apache.shiro.web.servlet.AdviceFilter.doFilterInternal(AdviceFilter.java:137)
>     >     >         >       at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)
>     >     >         >       at org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:66)
>     >     >         >       at org.apache.shiro.web.servlet.AdviceFilter.executeChain(AdviceFilter.java:108)
>     >     >         >       at org.apache.shiro.web.servlet.AdviceFilter.doFilterInternal(AdviceFilter.java:137)
>     >     >         >       at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)
>     >     >         >       at org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:66)
>     >     >         >       at org.apache.shiro.web.servlet.AbstractShiroFilter.executeChain(AbstractShiroFilter.java:449)
>     >     >         >       at org.apache.shiro.web.servlet.AbstractShiroFilter$1.call(AbstractShiroFilter.java:365)
>     >     >         >       at org.apache.shiro.subject.support.SubjectCallable.doCall(SubjectCallable.java:90)
>     >     >         >       at org.apache.shiro.subject.support.SubjectCallable.call(SubjectCallable.java:83)
>     >     >         >       at org.apache.shiro.subject.support.DelegatingSubject.execute(DelegatingSubject.java:383)
>     >     >         >       at org.apache.shiro.web.servlet.AbstractShiroFilter.doFilterInternal(AbstractShiroFilter.java:362)
>     >     >         >       at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)
>     >     >         >       at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1478)
>     >     >         >       at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:499)
>     >     >         >       at
>     >     org.ops4j.pax.web.service.jetty.internal.HttpServiceServletHandler.doHandle(HttpServiceServletHandler.java:69)
>     >     >         >       at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:137)
>     >     >         >       at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:557)
>     >     >         >       at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:231)
>     >     >         >       at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1086)
>     >     >         >       at org.ops4j.pax.web.service.jetty.internal.HttpServiceContext.doHandle(HttpServiceContext.java:240)
>     >     >         >       at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:427)
>     >     >         >       at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:193)
>     >     >         >       at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1020)
>     >     >         >       at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:135)
>     >     >         >       at
>     >     >
>      org.ops4j.pax.web.service.jetty.internal.JettyServerHandlerCollection.handle(JettyServerHandlerCollection.java:75)
>     >     >         >       at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:116)
>     >     >         >       at org.eclipse.jetty.server.Server.handle(Server.java:370)
>     >     >         >       at org.eclipse.jetty.server.AbstractHttpConnection.handleRequest(AbstractHttpConnection.java:494)
>     >     >         >       at org.eclipse.jetty.server.AbstractHttpConnection.headerComplete(AbstractHttpConnection.java:973)
>     >     >         >       at
>     >     >
>      org.eclipse.jetty.server.AbstractHttpConnection$RequestHandler.headerComplete(AbstractHttpConnection.java:1035)
>     >     >         >       at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:641)
>     >     >         >       at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:231)
>     >     >         >       at org.eclipse.jetty.server.AsyncHttpConnection.handle(AsyncHttpConnection.java:82)
>     >     >         >       at org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEndPoint.java:696)
>     >     >         >       at org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEndPoint.java:53)
>     >     >         >       at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:608)
>     >     >         >       at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:543)
>     >     >         >       at java.lang.Thread.run(Thread.java:745)
>     >     >         >
>     >     >         >
>     >     >         >
>     >     >         >
>     >     >         >
>     >     >         >> On Apr 26, 2017, at 12:50 PM, Mohamed ElSerngawy <melserngawy@...
>     <mailto:melserngawy@inocybe.ca> <mailto:melserngawy@... <mailto:melserngawy@...>>

>     >     <mailto:melserngawy@inocybe.ca <mailto:melserngawy@...> <mailto:melserngawy@... <mailto:melserngawy@...>>>>
>     wrote:
>     >     >         >>
>     >     >         >> Hi Colin,
>     >     >         >>
>     >     >         >> You are not suppose to use them after the changes that we made in the patch. Basically these functionalities
>     >     were
>     >     >         there because of the keystores need to be generated after starting ODL. But now, the keystore will be created once
>     >     >         you install the aaa-cert feature. keeping this functionalities could make a serious security thread.
>     >     >         >>
>     >     >         >> BR
>     >     >         >>
>     >     >         >> On Wed, Apr 26, 2017 at 3:40 PM, Colin Dixon <colin@... <mailto:colin@...> <mailto:colin@... <mailto:colin@...>>

>     >     <mailto:colin@... <mailto:colin@...> <mailto:colin@... <mailto:colin@...>>>> wrote:
>     >     >         >> Putting the argument about what should go in an SR aside for the moment, is there a straightforward way to
>     >     access
>     >     >         the functionality that was provided by the removed commands? Specifically gen-odl-ks and gen-trust-ks?
>     >     >         >>
>     >     >         >> --Colin
>     >     >         >>
>     >     >         >> On Wed, Apr 26, 2017 at 3:15 PM Ryan Goulding <ryandgoulding@... <mailto:ryandgoulding@...m> <mailto:ryandgoulding@...m <mailto:ryandgoulding@...m>>
>     >     <mailto:ryandgoulding@...om <mailto:ryandgoulding@...m> <mailto:ryandgoulding@...m
>     <mailto:ryandgoulding@...om>>>> wrote:
>     >     >         >> which is probably not in the spirit of SRs
>     >     >         >>
>     >     >         >> This was done for both usability and security purposes, as I explained via Skype already.  The security
>     >     advantages
>     >     >         alone make it justifiable IMHO.
>     >     >         >>
>     >     >         >>  While we're somewhat less strict about adding features in SRs. Taking them out without a lot of warning and
>     >     >         notice is pretty much the definition of what we try to never do in SRs.j
>     >     >         >>
>     >     >         >> This isn't a feature, it is CLI.
>     >     >         >>
>     >     >         >>  This patch seems to be the issue:
>     >     >         >> https://git.opendaylight.org/gerrit/#/c/51649/ <https://git.opendaylight.org/gerrit/#/c/51649/>
>     <https://git.opendaylight.org/gerrit/#/c/51649/ <https://git.opendaylight.org/gerrit/#/c/51649/>>
>     >     <https://git.opendaylight.org/gerrit/#/c/51649/ <https://git.opendaylight.org/gerrit/#/c/51649/>
>     <https://git.opendaylight.org/gerrit/#/c/51649/ <https://git.opendaylight.org/gerrit/#/c/51649/>>>
>     >     >         >>
>     >     >         >> Yes, if you look at the bug actually, a member from your team commented on it [0] so I'd argue that it was at
>     >     >         least somewhat well known ;).  Reverting it shouldn't be particularly hard, but it could open you open to some
>     >     >         security issues in your downstream distro!
>     >     >         >>
>     >     >         >> Regards,
>     >     >         >>
>     >     >         >> Ryan Goulding
>     >     >         >>
>     >     >         >> [0] https://bugs.opendaylight.org/show_bug.cgi?id=7774 <https://bugs.opendaylight.org/show_bug.cgi?id=7774>
>     <https://bugs.opendaylight.org/show_bug.cgi?id=7774 <https://bugs.opendaylight.org/show_bug.cgi?id=7774>>
>     >     <https://bugs.opendaylight.org/show_bug.cgi?id=7774 <https://bugs.opendaylight.org/show_bug.cgi?id=7774>
>     <https://bugs.opendaylight.org/show_bug.cgi?id=7774 <https://bugs.opendaylight.org/show_bug.cgi?id=7774>>>
>     >     >         >>
>     >     >         >> On Wed, Apr 26, 2017 at 3:03 PM, Colin Dixon <colin@... <mailto:colin@...> <mailto:colin@... <mailto:colin@...>>

>     >     <mailto:colin@... <mailto:colin@...> <mailto:colin@... <mailto:colin@...>>>> wrote:
>     >     >         >> So, in some downstream testing at Brocade we found that the AAA CLI commands were changed somewhat drastically
>     >     >         between Boron-SR2 and Boron-SR3, which is probably not in the spirit of SRs. While we're somewhat less strict about
>     >     >         adding features in SRs. Taking them out without a lot of warning and notice is pretty much the definition of
>     >     what we
>     >     >         try to never do in SRs.
>     >     >         >>
>     >     >         >> That being said, we're trying to make the best of it and looking for help in understanding how to get the
>     >     >         functionality we rely on from AAA back in Boron-SR3.
>     >     >         >>
>     >     >         >> This patch seems to be the issue:
>     >     >         >> https://git.opendaylight.org/gerrit/#/c/51649/ <https://git.opendaylight.org/gerrit/#/c/51649/>
>     <https://git.opendaylight.org/gerrit/#/c/51649/ <https://git.opendaylight.org/gerrit/#/c/51649/>>
>     >     <https://git.opendaylight.org/gerrit/#/c/51649/ <https://git.opendaylight.org/gerrit/#/c/51649/>
>     <https://git.opendaylight.org/gerrit/#/c/51649/ <https://git.opendaylight.org/gerrit/#/c/51649/>>>
>     >     >         >>
>     >     >         >> Is there somebody that can comment on how we might recover the functionality that used to be provided by the
>     >     >         gen-odl-ks and gen-trust-ks CLI commands? Would simply reverting that patch work or would it break other things
>     >     as well?
>     >     >         >>
>     >     >         >> Thanks,
>     >     >         >> --Colin
>     >     >         >>
>     >     >         >>
>     >     >         >> _______________________________________________
>     >     >         >> aaa-dev mailing list
>     >     >         >> aaa-dev@... <mailto:aaa-dev@...ight.org> <mailto:aaa-dev@...ight.org
>     <mailto:aaa-dev@...light.org>>
>     >     <mailto:aaa-dev@...light.org <mailto:aaa-dev@...ight.org>
>     <mailto:aaa-dev@...light.org <mailto:aaa-dev@...ight.org>>>
>     >     >         >> https://lists.opendaylight.org/mailman/listinfo/aaa-dev
>     <https://lists.opendaylight.org/mailman/listinfo/aaa-dev>
>     >     <https://lists.opendaylight.org/mailman/listinfo/aaa-dev <https://lists.opendaylight.org/mailman/listinfo/aaa-dev>>
>     <https://lists.opendaylight.org/mailman/listinfo/aaa-dev <https://lists.opendaylight.org/mailman/listinfo/aaa-dev>
>     >     <https://lists.opendaylight.org/mailman/listinfo/aaa-dev <https://lists.opendaylight.org/mailman/listinfo/aaa-dev>>>
>     >     >         >>
>     >     >         >>
>     >     >         >>
>     >     >         >> _______________________________________________
>     >     >         >> aaa-dev mailing list
>     >     >         >> aaa-dev@... <mailto:aaa-dev@...ight.org> <mailto:aaa-dev@...ight.org
>     <mailto:aaa-dev@...light.org>>
>     >     <mailto:aaa-dev@...light.org <mailto:aaa-dev@...ight.org>
>     <mailto:aaa-dev@...light.org <mailto:aaa-dev@...ight.org>>>
>     >     >         >> https://lists.opendaylight.org/mailman/listinfo/aaa-dev
>     <https://lists.opendaylight.org/mailman/listinfo/aaa-dev>
>     >     <https://lists.opendaylight.org/mailman/listinfo/aaa-dev <https://lists.opendaylight.org/mailman/listinfo/aaa-dev>>
>     <https://lists.opendaylight.org/mailman/listinfo/aaa-dev <https://lists.opendaylight.org/mailman/listinfo/aaa-dev>
>     >     <https://lists.opendaylight.org/mailman/listinfo/aaa-dev <https://lists.opendaylight.org/mailman/listinfo/aaa-dev>>>
>     >     >         >
>     >     >         > _______________________________________________
>     >     >         > aaa-dev mailing list
>     >     >         > aaa-dev@... <mailto:aaa-dev@...ight.org>

>     <mailto:aaa-dev@...light.org <mailto:aaa-dev@...ight.org>> <mailto:aaa-dev@...ight.org
>     <mailto:aaa-dev@...light.org>
>     >     <mailto:aaa-dev@...light.org <mailto:aaa-dev@...ight.org>>>
>     >     >         > https://lists.opendaylight.org/mailman/listinfo/aaa-dev
>     <https://lists.opendaylight.org/mailman/listinfo/aaa-dev>
>     >     <https://lists.opendaylight.org/mailman/listinfo/aaa-dev <https://lists.opendaylight.org/mailman/listinfo/aaa-dev>>
>     <https://lists.opendaylight.org/mailman/listinfo/aaa-dev <https://lists.opendaylight.org/mailman/listinfo/aaa-dev>
>     >     <https://lists.opendaylight.org/mailman/listinfo/aaa-dev <https://lists.opendaylight.org/mailman/listinfo/aaa-dev>>>
>     >     >         >
>     >     >
>     >     >
>     >     >     _______________________________________________
>     >     >     aaa-dev mailing list
>     >     >     aaa-dev@....org <mailto:aaa-dev@...ight.org> <mailto:aaa-dev@...ight.org
>     <mailto:aaa-dev@...light.org>> <mailto:aaa-dev@...ight.org <mailto:aaa-dev@...ight.org>

>     >     <mailto:aaa-dev@...light.org <mailto:aaa-dev@...ight.org>>>
>     >     >     https://lists.opendaylight.org/mailman/listinfo/aaa-dev <https://lists.opendaylight.org/mailman/listinfo/aaa-dev>
>     <https://lists.opendaylight.org/mailman/listinfo/aaa-dev <https://lists.opendaylight.org/mailman/listinfo/aaa-dev>>
>     >     <https://lists.opendaylight.org/mailman/listinfo/aaa-dev <https://lists.opendaylight.org/mailman/listinfo/aaa-dev>
>     <https://lists.opendaylight.org/mailman/listinfo/aaa-dev <https://lists.opendaylight.org/mailman/listinfo/aaa-dev>>>
>     >     >
>     >     >
>     >
>     >
>
>

I'd call that a bug on our side.  If we expose it we ought to honor it if it is there.

Regards,

Ryan Goulding

On Thu, May 4, 2017 at 4:21 PM, Mohamed ElSerngawy <melserngawy@...> wrote:

Hi Jamo,

You are not suppose to set the domain-id [0].

[0] https://github.com/opendaylight/aaa/blob/master/aaa-h2-store/src/main/java/org/opendaylight/aaa/h2/persistence/DomainStore.java#L104

On Thu, May 4, 2017 at 4:11 PM, Jamo Luhrsen <jluhrsen@...> wrote:

wait, I get the sense you missed my first step where I did create a domain. I created it
with the domainid 96.

JamO

On 05/04/2017 01:00 PM, Ryan Goulding wrote:
> Its either going to be the default one (sdn) or one you created.  You can find out which ones exist by:
>
> ryan@ubuntu:/code/aaa-nitrogen/karaf/target/assembly$ python bin/idmtool admin list-domains
> Password:
> list_domains
>
> command succeeded!
>
> json:
> {
>     "domains": [
>         {
>             "description": "default odl sdn domain",
>             "domainid": "sdn",
>             "enabled": true,
>             "name": "sdn"
>         }
>     ]
> }
> ryan@ubuntu:/code/aaa-nitrogen/karaf/target/assembly$
>
> *Note:  it will be python etc/idmtool in Carbon since we didn't get that bug fix in in time.
>
> *
> OR:
>
> curl -u "admin:admin" http://$ODL:8181/auth/v1/domains | python -m json.tool
>
> if you are using raw REST
>
> Regards,
>
> Ryan Goulding
>
> On Thu, May 4, 2017 at 3:53 PM, Jamo Luhrsen <jluhrsen@... <mailto:jluhrsen@...>> wrote:
>
>     so, when creating a domain you have to use a domain id that already exists? where do I find
>     that domainid?
>
>     JamO
>
>     On 05/04/2017 12:51 PM, Ryan Goulding wrote:
>     > The domain id "96" does not exist.  Probably should be a better error message, but you need to use a domain that exists or
>     > you will get internal server error.
>     >
>     > Regards,
>     >
>     > Ryan Goulding
>     >
>     > On Thu, Apr 27, 2017 at 5:36 PM, Jamo Luhrsen <jluhrsen@... <mailto:jluhrsen@...>
>     <mailto:jluhrsen@... <mailto:jluhrsen@...>>> wrote:
>     >

>     >     (subject changed)
>     >
>     >     On 04/27/2017 06:34 AM, Ryan Goulding wrote:
>     >     > The stuff you are referring to works, JamO, and is completely orthogonal to the issue Luis reports.  If you paste
>     the exact
>     >     > REST call I can assist.  Also, if you are curious how to use those endpoints, refer to idmtool.py, which just
>     wraps that
>     >     > interface.  I just tested this morning.
>     >
>     >     yeah, if you can help me get it right I'll fix the CSIT. Still, I don't expect a 500/NPE
>     >     from AAA, so should that be a bug on it's own?
>     >
>     >     here's kind of my repro, if you can help me know what's wrong:
>     >
>     >     # Create a Domain
>     >
>     >     14:28 $ curl -u "admin:admin" -X POST -d
>     >     '{"description":"BeerClubAficionado","domainid":"96","name":"RyanRocks","enabled":"true"}' -H "Content-Type:
>     >     application/json" http://$ODL:8181/auth/v1/domains
>     >
>     >     {"domainid":"RyanRocks","name":"RyanRocks","description":"BeerClubAficionado","enabled":true}
>     >
>     >
>     >
>     >     # Look at domains (question: why is domainid==name, when I gave a '96' in the create?)
>     >
>     >
>     >     14:30 $ curl -u "admin:admin" http://$ODL:8181/auth/v1/domains | python -m json.tool
>     >     {
>     >         "domains": [
>     >             {
>     >                 "description": "default odl sdn domain",
>     >                 "domainid": "sdn",
>     >                 "enabled": true,
>     >                 "name": "sdn"
>     >             },
>     >             {
>     >                 "description": "planetary domain",
>     >                 "domainid": "Alderaan-2017-04-12-17-31",
>     >                 "enabled": true,
>     >                 "name": "Alderaan-2017-04-12-17-31"
>     >             },
>     >             {
>     >                 "description": "BeerClubAficionado",
>     >                 "domainid": "RyanRocks",
>     >                 "enabled": true,
>     >                 "name": "RyanRocks"
>     >             }
>     >         ]
>     >     }
>     >
>     >
>     >
>     >     # add a user to this new domain
>     >     # first try is using domainid = 96, but get 500/NPE
>     >     # second try uses domainid = $name, but also get 500/NPE
>     >
>     >     ✔ ~
>     >     14:30 $ curl -u "admin:admin" -X POST -d '{"description":"The
>     Man","name":"Goulding","enabled":"true","domainid":"96"}' -H
>     >     "Content-Type: application/json" http://$ODL:8181/auth/v1/users
>     >     <html>
>     >     <head>
>     >     <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"/>
>     >     <title>Error 500 Server Error</title>
>     >     </head>
>     >     <body><h2>HTTP ERROR 500</h2>
>     >     <p>Problem accessing /auth/v1/users. Reason:
>     >     <pre>    Server Error</pre></p><h3>Caused by:</h3><pre>java.lang.NullPointerException
>     >             at org.opendaylight.aaa.idm.rest.UserHandler.createUser(UserHandler.java:199)
>     >     ...
>     >     <snip>
>     >     ...
>     >
>     >
>     >
>     >     14:31 $ curl -u "admin:admin" -X POST -d '{"description":"The
>     >     Man","name":"Goulding","enabled":"true","domainid":"RyanRocks"}' -H "Content-Type: application/json"
>     >     http://$ODL:8181/auth/v1/users
>     >     <html>
>     >     <head>
>     >     <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"/>
>     >     <title>Error 500 Server Error</title>
>     >     </head>
>     >     <body><h2>HTTP ERROR 500</h2>
>     >     <p>Problem accessing /auth/v1/users. Reason:
>     >     <pre>    Server Error</pre></p><h3>Caused by:</h3><pre>java.lang.NullPointerException
>     >             at org.opendaylight.aaa.idm.rest.UserHandler.createUser(UserHandler.java:199)
>     >
>     >     ...
>     >     <snip>
>     >     ...
>     >
>     >
>     >     Thanks,
>     >     JamO
>     >
>     >
>     >
>     >     >     1) it does not work in Boron, I get 500 Server error + NPE [1] when I try: POST
>     >     >     /restconf/operations/aaa-cert-rpc:getODLCertificate
>     >     >
>     >     > I'll give it a shot and see what I get.
>     >     >
>     >     >     Do we have an idea of what the implications of just reverting that one patch are? Is it likely to work?
>     >     >
>     >     >
>     >     > So far we haven't demonstrated that the patch does anything negative except deprecate some unsafe commands.  Although
>     >     revert
>     >     > may probably be easiest from your perspective, there are a lot of people who actually push their tests upstream
>     and avoid
>     >     > this type of skew.  Let's not start a witch hunt quite yet;  I can pull up quite a few examples of far more risque
>     >     changes in
>     >     > service releases ;).
>     >     >
>     >     > Regards,
>     >     >
>     >     > Ryan Goulding
>     >     >
>     >     > On Thu, Apr 27, 2017 at 9:11 AM, Colin Dixon <colin@... <mailto:colin@...>
>     <mailto:colin@... <mailto:colin@...>>

>     >     <mailto:colin@... <mailto:colin@...> <mailto:colin@... <mailto:colin@...>>>> wrote:
>     >     >
>     >     >     Do we have an idea of what the implications of just reverting that one patch are? Is it likely to work?
>     >     >
>     >     >     --Colin
>     >     >
>     >     >     On Wed, Apr 26, 2017 at 11:11 PM Jamo Luhrsen <jluhrsen@... <mailto:jluhrsen@...> <mailto:jluhrsen@... <mailto:jluhrsen@...>>

>     >     <mailto:jluhrsen@... <mailto:jluhrsen@...> <mailto:jluhrsen@... <mailto:jluhrsen@...>>>> wrote:
>     >     >
>     >     >         btw, I was also trying to help get a broken AAA CSIT job working and ran in to some
>     >     >         troubles similar symptoms [0] to what Luis is reporting (500/NPE). Luis is playing with
>     >     >         cert stuff, and my work was in user/domain auth.
>     >     >
>     >     >         anyway, wondering if something fundamental is broken?
>     >     >
>     >     >         JamO
>     >     >
>     >     >         [0] https://lists.opendaylight.org/pipermail/aaa-dev/2017-April/001280.html
>     <https://lists.opendaylight.org/pipermail/aaa-dev/2017-April/001280.html>
>     >     <https://lists.opendaylight.org/pipermail/aaa-dev/2017-April/001280.html
>     <https://lists.opendaylight.org/pipermail/aaa-dev/2017-April/001280.html>>
>     >     >         <https://lists.opendaylight.org/pipermail/aaa-dev/2017-April/001280.html
>     <https://lists.opendaylight.org/pipermail/aaa-dev/2017-April/001280.html>
>     >     <https://lists.opendaylight.org/pipermail/aaa-dev/2017-April/001280.html
>     <https://lists.opendaylight.org/pipermail/aaa-dev/2017-April/001280.html>>>
>     >     >
>     >     >
>     >     >
>     >     >         On 04/26/2017 06:21 PM, Luis Gomez wrote:
>     >     >         > hi guys, I just tested old-aaa-cert feature and couple of things:
>     >     >         >
>     >     >         > 1) it does not work in Boron, I get 500 Server error + NPE [1] when I try: POST
>     >     >         /restconf/operations/aaa-cert-rpc:getODLCertificate
>     >     >         >
>     >     >         > 2) When I try in carbon I see 2 store files: ctl.jks, truststore.jks are created under ~/temp folder. Is it
>     >     >         possible to change the path for these files?
>     >     >         >
>     >     >         >
>     >     >         > [1] NPE
>     >     >         >
>     >     >         > <html>
>     >     >         >     <head>
>     >     >         >         <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"/>
>     >     >         >         <title>Error 500 Server Error</title>
>     >     >         >     </head>
>     >     >         >     <body>
>     >     >         >         <h2>HTTP ERROR 500</h2>
>     >     >         >         <p>Problem accessing /restconf/operations/aaa-cert-rpc:getODLCertificate. Reason:
>     >     >         >
>     >     >         >             <pre>    Server Error</pre>
>     >     >         >         </p>
>     >     >         >         <h3>Caused by:</h3>
>     >     >         >         <pre>java.lang.NullPointerException
>     >     >         >       at
>     org.opendaylight.aaa.cert.impl.AaaCertRpcServiceImpl.getODLCertificate(AaaCertRpcServiceImpl.java:92)
>     >     >         >       at
>     >     >
>     >
>     org.opendaylight.yangtools.yang.binding.util.RpcMethodInvokerWithoutInput.invokeOn(RpcMethodInvokerWithoutInput.java:30)
>     >     >         >       at
>     >     >
>      org.opendaylight.yangtools.yang.binding.util.AbstractMappedRpcInvoker.invokeRpc(AbstractMappedRpcInvoker.java:52)
>     >     >         >       at
>     >     >
>     >
>     org.opendaylight.controller.md.sal.binding.impl.BindingDOMRpcImplementationAdapter.invoke(BindingDOMRpcImplementationAdapter.java:85)
>     >     >         >       at
>     >     >
>     >
>     org.opendaylight.controller.md.sal.binding.impl.BindingDOMRpcImplementationAdapter.invokeRpc(BindingDOMRpcImplementationAdapter.java:72)
>     >     >         >       at
>     >     >
>     >
>     org.opendaylight.controller.md.sal.dom.broker.impl.GlobalDOMRpcRoutingTableEntry.invokeRpc(GlobalDOMRpcRoutingTableEntry.java:39)
>     >     >         >       at
>     >     org.opendaylight.controller.md.sal.dom.broker.impl.DOMRpcRoutingTable.invokeRpc(DOMRpcRoutingTable.java:177)
>     >     >         >       at org.opendaylight.controller.md.sal.dom.broker.impl.DOMRpcRouter.invokeRpc(DOMRpcRouter.java:102)
>     >     >         >       at Proxye69c1788_e30d_4fd8_8d29_f7f08932a9e7.invokeRpc(Unknown Source)
>     >     >         >       at org.opendaylight.netconf.sal.restconf.impl.BrokerFacade.invokeRpc(BrokerFacade.java:506)
>     >     >         >       at org.opendaylight.netconf.sal.restconf.impl.RestconfImpl.invokeRpc(RestconfImpl.java:464)
>     >     >         >       at
>     >     >
>     >
>     org.opendaylight.netconf.sal.restconf.impl.StatisticsRestconfServiceWrapper.invokeRpc(StatisticsRestconfServiceWrapper.java:83)
>     >     >         >       at
>     >     org.opendaylight.netconf.sal.rest.impl.RestconfCompositeWrapper.invokeRpc(RestconfCompositeWrapper.java:64)
>     >     >         >       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>     >     >         >       at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>     >     >         >       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>     >     >         >       at java.lang.reflect.Method.invoke(Method.java:498)
>     >     >         >       at com.sun.jersey.spi.container.JavaMethodInvokerFactory$1.invoke(JavaMethodInvokerFactory.java:60)
>     >     >         >       at
>     >     >
>     >
>     com.sun.jersey.server.impl.model.method.dispatch.AbstractResourceMethodDispatchProvider$TypeOutInvoker._dispatch(AbstractResourceMethodDispatchProvider.java:185)
>     >     >         >       at
>     >     >
>     >
>     com.sun.jersey.server.impl.model.method.dispatch.ResourceJavaMethodDispatcher.dispatch(ResourceJavaMethodDispatcher.java:75)
>     >     >         >       at com.sun.jersey.server.impl.uri.rules.HttpMethodRule.accept(HttpMethodRule.java:302)
>     >     >         >       at com.sun.jersey.server.impl.uri.rules.RightHandPathRule.accept(RightHandPathRule.java:147)
>     >     >         >       at com.sun.jersey.server.impl.uri.rules.ResourceObjectRule.accept(ResourceObjectRule.java:100)
>     >     >         >       at com.sun.jersey.server.impl.uri.rules.RightHandPathRule.accept(RightHandPathRule.java:147)
>     >     >         >       at
>     com.sun.jersey.server.impl.uri.rules.RootResourceClassesRule.accept(RootResourceClassesRule.java:84)
>     >     >         >       at
>     com.sun.jersey.server.impl.application.WebApplicationImpl._handleRequest(WebApplicationImpl.java:1511)
>     >     >         >       at
>     com.sun.jersey.server.impl.application.WebApplicationImpl._handleRequest(WebApplicationImpl.java:1442)
>     >     >         >       at
>     com.sun.jersey.server.impl.application.WebApplicationImpl.handleRequest(WebApplicationImpl.java:1391)
>     >     >         >       at
>     com.sun.jersey.server.impl.application.WebApplicationImpl.handleRequest(WebApplicationImpl.java:1381)
>     >     >         >       at com.sun.jersey.spi.container.servlet.WebComponent.service(WebComponent.java:416)
>     >     >         >       at com.sun.jersey.spi.container.servlet.ServletContainer.service(ServletContainer.java:538)
>     >     >         >       at com.sun.jersey.spi.container.servlet.ServletContainer.service(ServletContainer.java:716)
>     >     >         >       at javax.servlet.http.HttpServlet.service(HttpServlet.java:668)
>     >     >         >       at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:684)
>     >     >         >       at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1507)
>     >     >         >       at org.eclipse.jetty.servlets.CrossOriginFilter.handle(CrossOriginFilter.java:247)
>     >     >         >       at org.eclipse.jetty.servlets.CrossOriginFilter.doFilter(CrossOriginFilter.java:210)
>     >     >         >       at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1478)
>     >     >         >       at org.eclipse.jetty.servlets.UserAgentFilter.doFilter(UserAgentFilter.java:82)
>     >     >         >       at org.eclipse.jetty.servlets.GzipFilter.doFilter(GzipFilter.java:256)
>     >     >         >       at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1478)
>     >     >         >       at org.opendaylight.aaa.filterchain.filters.CustomFilterAdapter.doFilter(CustomFilterAdapter.java:85)
>     >     >         >       at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1478)
>     >     >         >       at org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:61)
>     >     >         >       at org.apache.shiro.web.servlet.AdviceFilter.executeChain(AdviceFilter.java:108)
>     >     >         >       at org.apache.shiro.web.servlet.AdviceFilter.doFilterInternal(AdviceFilter.java:137)
>     >     >         >       at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)
>     >     >         >       at org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:66)
>     >     >         >       at org.apache.shiro.web.servlet.AdviceFilter.executeChain(AdviceFilter.java:108)
>     >     >         >       at org.apache.shiro.web.servlet.AdviceFilter.doFilterInternal(AdviceFilter.java:137)
>     >     >         >       at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)
>     >     >         >       at org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:66)
>     >     >         >       at org.apache.shiro.web.servlet.AbstractShiroFilter.executeChain(AbstractShiroFilter.java:449)
>     >     >         >       at org.apache.shiro.web.servlet.AbstractShiroFilter$1.call(AbstractShiroFilter.java:365)
>     >     >         >       at org.apache.shiro.subject.support.SubjectCallable.doCall(SubjectCallable.java:90)
>     >     >         >       at org.apache.shiro.subject.support.SubjectCallable.call(SubjectCallable.java:83)
>     >     >         >       at org.apache.shiro.subject.support.DelegatingSubject.execute(DelegatingSubject.java:383)
>     >     >         >       at org.apache.shiro.web.servlet.AbstractShiroFilter.doFilterInternal(AbstractShiroFilter.java:362)
>     >     >         >       at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)
>     >     >         >       at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1478)
>     >     >         >       at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:499)
>     >     >         >       at
>     >     org.ops4j.pax.web.service.jetty.internal.HttpServiceServletHandler.doHandle(HttpServiceServletHandler.java:69)
>     >     >         >       at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:137)
>     >     >         >       at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:557)
>     >     >         >       at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:231)
>     >     >         >       at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1086)
>     >     >         >       at org.ops4j.pax.web.service.jetty.internal.HttpServiceContext.doHandle(HttpServiceContext.java:240)
>     >     >         >       at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:427)
>     >     >         >       at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:193)
>     >     >         >       at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1020)
>     >     >         >       at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:135)
>     >     >         >       at
>     >     >
>      org.ops4j.pax.web.service.jetty.internal.JettyServerHandlerCollection.handle(JettyServerHandlerCollection.java:75)
>     >     >         >       at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:116)
>     >     >         >       at org.eclipse.jetty.server.Server.handle(Server.java:370)
>     >     >         >       at org.eclipse.jetty.server.AbstractHttpConnection.handleRequest(AbstractHttpConnection.java:494)
>     >     >         >       at org.eclipse.jetty.server.AbstractHttpConnection.headerComplete(AbstractHttpConnection.java:973)
>     >     >         >       at
>     >     >
>      org.eclipse.jetty.server.AbstractHttpConnection$RequestHandler.headerComplete(AbstractHttpConnection.java:1035)
>     >     >         >       at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:641)
>     >     >         >       at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:231)
>     >     >         >       at org.eclipse.jetty.server.AsyncHttpConnection.handle(AsyncHttpConnection.java:82)
>     >     >         >       at org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEndPoint.java:696)
>     >     >         >       at org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEndPoint.java:53)
>     >     >         >       at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:608)
>     >     >         >       at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:543)
>     >     >         >       at java.lang.Thread.run(Thread.java:745)
>     >     >         >
>     >     >         >
>     >     >         >
>     >     >         >
>     >     >         >
>     >     >         >> On Apr 26, 2017, at 12:50 PM, Mohamed ElSerngawy <melserngawy@...
>     <mailto:melserngawy@...a> <mailto:melserngawy@... <mailto:melserngawy@...>>

>     >     <mailto:melserngawy@...a <mailto:melserngawy@...> <mailto:melserngawy@... <mailto:melserngawy@...>>>>
>     wrote:
>     >     >         >>
>     >     >         >> Hi Colin,
>     >     >         >>
>     >     >         >> You are not suppose to use them after the changes that we made in the patch. Basically these functionalities
>     >     were
>     >     >         there because of the keystores need to be generated after starting ODL. But now, the keystore will be created once
>     >     >         you install the aaa-cert feature. keeping this functionalities could make a serious security thread.
>     >     >         >>
>     >     >         >> BR
>     >     >         >>
>     >     >         >> On Wed, Apr 26, 2017 at 3:40 PM, Colin Dixon <colin@... <mailto:colin@...> <mailto:colin@... <mailto:colin@...>>

>     >     <mailto:colin@... <mailto:colin@...> <mailto:colin@... <mailto:colin@...>>>> wrote:
>     >     >         >> Putting the argument about what should go in an SR aside for the moment, is there a straightforward way to
>     >     access
>     >     >         the functionality that was provided by the removed commands? Specifically gen-odl-ks and gen-trust-ks?
>     >     >         >>
>     >     >         >> --Colin
>     >     >         >>
>     >     >         >> On Wed, Apr 26, 2017 at 3:15 PM Ryan Goulding <ryandgoulding@... <mailto:ryandgoulding@...m> <mailto:ryandgoulding@...m <mailto:ryandgoulding@...m>>
>     >     <mailto:ryandgoulding@...om <mailto:ryandgoulding@...m> <mailto:ryandgoulding@...m
>     <mailto:ryandgoulding@...om>>>> wrote:
>     >     >         >> which is probably not in the spirit of SRs
>     >     >         >>
>     >     >         >> This was done for both usability and security purposes, as I explained via Skype already.  The security
>     >     advantages
>     >     >         alone make it justifiable IMHO.
>     >     >         >>
>     >     >         >>  While we're somewhat less strict about adding features in SRs. Taking them out without a lot of warning and
>     >     >         notice is pretty much the definition of what we try to never do in SRs.j
>     >     >         >>
>     >     >         >> This isn't a feature, it is CLI.
>     >     >         >>
>     >     >         >>  This patch seems to be the issue:
>     >     >         >> https://git.opendaylight.org/gerrit/#/c/51649/ <https://git.opendaylight.org/gerrit/#/c/51649/>
>     <https://git.opendaylight.org/gerrit/#/c/51649/ <https://git.opendaylight.org/gerrit/#/c/51649/>>
>     >     <https://git.opendaylight.org/gerrit/#/c/51649/ <https://git.opendaylight.org/gerrit/#/c/51649/>
>     <https://git.opendaylight.org/gerrit/#/c/51649/ <https://git.opendaylight.org/gerrit/#/c/51649/>>>
>     >     >         >>
>     >     >         >> Yes, if you look at the bug actually, a member from your team commented on it [0] so I'd argue that it was at
>     >     >         least somewhat well known ;).  Reverting it shouldn't be particularly hard, but it could open you open to some
>     >     >         security issues in your downstream distro!
>     >     >         >>
>     >     >         >> Regards,
>     >     >         >>
>     >     >         >> Ryan Goulding
>     >     >         >>
>     >     >         >> [0] https://bugs.opendaylight.org/show_bug.cgi?id=7774 <https://bugs.opendaylight.org/show_bug.cgi?id=7774>
>     <https://bugs.opendaylight.org/show_bug.cgi?id=7774 <https://bugs.opendaylight.org/show_bug.cgi?id=7774>>
>     >     <https://bugs.opendaylight.org/show_bug.cgi?id=7774 <https://bugs.opendaylight.org/show_bug.cgi?id=7774>
>     <https://bugs.opendaylight.org/show_bug.cgi?id=7774 <https://bugs.opendaylight.org/show_bug.cgi?id=7774>>>
>     >     >         >>
>     >     >         >> On Wed, Apr 26, 2017 at 3:03 PM, Colin Dixon <colin@... <mailto:colin@...> <mailto:colin@... <mailto:colin@...>>

>     >     <mailto:colin@... <mailto:colin@...> <mailto:colin@... <mailto:colin@...>>>> wrote:
>     >     >         >> So, in some downstream testing at Brocade we found that the AAA CLI commands were changed somewhat drastically
>     >     >         between Boron-SR2 and Boron-SR3, which is probably not in the spirit of SRs. While we're somewhat less strict about
>     >     >         adding features in SRs. Taking them out without a lot of warning and notice is pretty much the definition of
>     >     what we
>     >     >         try to never do in SRs.
>     >     >         >>
>     >     >         >> That being said, we're trying to make the best of it and looking for help in understanding how to get the
>     >     >         functionality we rely on from AAA back in Boron-SR3.
>     >     >         >>
>     >     >         >> This patch seems to be the issue:
>     >     >         >> https://git.opendaylight.org/gerrit/#/c/51649/ <https://git.opendaylight.org/gerrit/#/c/51649/>
>     <https://git.opendaylight.org/gerrit/#/c/51649/ <https://git.opendaylight.org/gerrit/#/c/51649/>>
>     >     <https://git.opendaylight.org/gerrit/#/c/51649/ <https://git.opendaylight.org/gerrit/#/c/51649/>
>     <https://git.opendaylight.org/gerrit/#/c/51649/ <https://git.opendaylight.org/gerrit/#/c/51649/>>>
>     >     >         >>
>     >     >         >> Is there somebody that can comment on how we might recover the functionality that used to be provided by the
>     >     >         gen-odl-ks and gen-trust-ks CLI commands? Would simply reverting that patch work or would it break other things
>     >     as well?
>     >     >         >>
>     >     >         >> Thanks,
>     >     >         >> --Colin
>     >     >         >>
>     >     >         >>
>     >     >         >> _______________________________________________
>     >     >         >> aaa-dev mailing list
>     >     >         >> aaa-dev@... <mailto:aaa-dev@...ight.org> <mailto:aaa-dev@...ight.org
>     <mailto:aaa-dev@...light.org>>
>     >     <mailto:aaa-dev@...light.org <mailto:aaa-dev@...ight.org>
>     <mailto:aaa-dev@...light.org <mailto:aaa-dev@...ight.org>>>
>     >     >         >> https://lists.opendaylight.org/mailman/listinfo/aaa-dev
>     <https://lists.opendaylight.org/mailman/listinfo/aaa-dev>
>     >     <https://lists.opendaylight.org/mailman/listinfo/aaa-dev <https://lists.opendaylight.org/mailman/listinfo/aaa-dev>>
>     <https://lists.opendaylight.org/mailman/listinfo/aaa-dev <https://lists.opendaylight.org/mailman/listinfo/aaa-dev>
>     >     <https://lists.opendaylight.org/mailman/listinfo/aaa-dev <https://lists.opendaylight.org/mailman/listinfo/aaa-dev>>>
>     >     >         >>
>     >     >         >>
>     >     >         >>
>     >     >         >> _______________________________________________
>     >     >         >> aaa-dev mailing list
>     >     >         >> aaa-dev@... <mailto:aaa-dev@...ight.org> <mailto:aaa-dev@...ight.org
>     <mailto:aaa-dev@...light.org>>
>     >     <mailto:aaa-dev@...light.org <mailto:aaa-dev@...ight.org>
>     <mailto:aaa-dev@...light.org <mailto:aaa-dev@...ight.org>>>
>     >     >         >> https://lists.opendaylight.org/mailman/listinfo/aaa-dev
>     <https://lists.opendaylight.org/mailman/listinfo/aaa-dev>
>     >     <https://lists.opendaylight.org/mailman/listinfo/aaa-dev <https://lists.opendaylight.org/mailman/listinfo/aaa-dev>>
>     <https://lists.opendaylight.org/mailman/listinfo/aaa-dev <https://lists.opendaylight.org/mailman/listinfo/aaa-dev>
>     >     <https://lists.opendaylight.org/mailman/listinfo/aaa-dev <https://lists.opendaylight.org/mailman/listinfo/aaa-dev>>>
>     >     >         >
>     >     >         > _______________________________________________
>     >     >         > aaa-dev mailing list
>     >     >         > aaa-dev@... <mailto:aaa-dev@...ight.org>

>     <mailto:aaa-dev@...light.org <mailto:aaa-dev@...ight.org>> <mailto:aaa-dev@...ight.org
>     <mailto:aaa-dev@...light.org>
>     >     <mailto:aaa-dev@...light.org <mailto:aaa-dev@...ight.org>>>
>     >     >         > https://lists.opendaylight.org/mailman/listinfo/aaa-dev
>     <https://lists.opendaylight.org/mailman/listinfo/aaa-dev>
>     >     <https://lists.opendaylight.org/mailman/listinfo/aaa-dev <https://lists.opendaylight.org/mailman/listinfo/aaa-dev>>
>     <https://lists.opendaylight.org/mailman/listinfo/aaa-dev <https://lists.opendaylight.org/mailman/listinfo/aaa-dev>
>     >     <https://lists.opendaylight.org/mailman/listinfo/aaa-dev <https://lists.opendaylight.org/mailman/listinfo/aaa-dev>>>
>     >     >         >
>     >     >
>     >     >
>     >     >     _______________________________________________
>     >     >     aaa-dev mailing list
>     >     >     aaa-dev@...g <mailto:aaa-dev@...ight.org> <mailto:aaa-dev@...ight.org
>     <mailto:aaa-dev@...light.org>> <mailto:aaa-dev@...ight.org <mailto:aaa-dev@...ight.org>

>     >     <mailto:aaa-dev@...light.org <mailto:aaa-dev@...ight.org>>>
>     >     >     https://lists.opendaylight.org/mailman/listinfo/aaa-dev <https://lists.opendaylight.org/mailman/listinfo/aaa-dev>
>     <https://lists.opendaylight.org/mailman/listinfo/aaa-dev <https://lists.opendaylight.org/mailman/listinfo/aaa-dev>>
>     >     <https://lists.opendaylight.org/mailman/listinfo/aaa-dev <https://lists.opendaylight.org/mailman/listinfo/aaa-dev>
>     <https://lists.opendaylight.org/mailman/listinfo/aaa-dev <https://lists.opendaylight.org/mailman/listinfo/aaa-dev>>>
>     >     >
>     >     >
>     >
>     >
>
>