OK, I verified that carbon sr3 is working as we expect, but the recent Fluorine
snapshot distro I have is not behaving like I expect.

I am able to hit this
jolokia/exec/org.opendaylight.infrautils.diagstatus:type=SvcStatus/acquireServiceStatus
endpoint after just installing features-aaa, nothing else. The user/password
doesn't seem to matter.

After installing odl-jolokia, it's the same behavior.

Should I open a Jira, or what other info can I gather?

Thanks,
JamO

On 4/5/18 3:45 PM, Ryan Goulding wrote:
For carbon-sr3 we still hadn't integrated jolokia with AAA; it was still backed by etc/org.jolokia.osgi.cfg, hence why you need to use admin/admin after changing the password in AAA.

How did you install jolokia in Fluorine? You must install using "odl-jolokia" feature from controller to get protection. Standard off the shelf "jolokia" has NO auth by default...

Regards,

Ryan Goulding

On Thu, Apr 5, 2018 at 6:23 PM, Jamo Luhrsen <jluhr...@gmail.com> wrote:

    I don't have access to my setup at the moment. I can later.

    but, I think it's based on carbon sr3.

    I do have a recent (2/27) snapshot distro from Fluorine though,
    and that actually doesn't even need creds to access that
    jolokia diagstatus endpoint. restconf still behaves like I
    expect, but the diagstatus endpoint takes any (or no)
    username/password combo.

    JamO

    On 4/5/18 12:06 PM, Ryan Goulding wrote:

        Jamo, can you comment on code version?  Thanks!

        Regards,

        Ryan Goulding

        On Thu, Apr 5, 2018 at 7:10 AM, Ryan Goulding <ryandgould...@gmail.com> wrote:

             What version of code? This wasn’t tied to AAA until oxygen. Prior to that
             it was controlled by etc/org.jolokia.osgi.cfg.

             Thanks,
             Ryan

             Sent from my iPhone

             On Apr 5, 2018, at 12:32 AM, Michael Vorburger <vorbur...@redhat.com> wrote:

                 JamO, +aaa-dev and +controller-dev and Stephen FYI:

                 On Wed, Apr 4, 2018 at 10:24 PM, Jamo Luhrsen <jluhr...@gmail.com> wrote:

                     Hi Utility folks,

                     I noticed in a local setup I have where I've changed the default username
                     and password for RESTCONF, that I still need to use the admin:admin creds
                     to hit the diagstatus endpoint.

                     I'm guessing that's just because this is not tied in to the magic of
                     AAA and/or RESTCONF creds.

                     Gotta just live with it, or would it be an easy thing to add, just to keep
                     things more intuitive?


                 This seems like a bug (bad one, security wise), but it's not for
                 infrautils-dev - we don't actually do anything re. Jolokia in project
                 infrautils, the diagstatus sub-module simply exposes a JMX bean... the code
                 related to the Jolokia integration in ODL which then makes this available
                 via HTTP, and secures it with the AAA creds (also used by RESTCONF; there
                 are no creds in RESTCONF itself FYI), is actually in controller and/or aaa
                 (I'm not 100% sure myself what is where)... see
                 https://jira.opendaylight.org/browse/AAA-147 and
                 https://jira.opendaylight.org/browse/CONTROLLER-1324.

                 If you are right, we have this problem (that when changing the default
                 username and password you can still use the previous one) on *ALL*
                 /jolokia/ URLs, I'm guessing.

                 Would you like to open a (Critical?) bug in JIRA against AAA about this?

                 Tx,
                 M.
                 --
                 Michael Vorburger, Red Hat
                 vorbur...@redhat.com | IRC: vorburger @freenode | ~ = http://vorburger.ch

                     example curl:

                     curl -u "admin:admin" http://192.168.24.11:8081/jolokia/exec/org.opendaylight.infrautils.diagstatus:type=SvcStatus/acquireServiceStatus

                     Thanks,
                     JamO
                     _______________________________________________
                     infrautils-dev mailing list
                     infrautils-...@lists.opendaylight.org
                     https://lists.opendaylight.org/mailman/listinfo/infrautils-dev


                 _______________________________________________
                 controller-dev mailing list
                 controller-dev@lists.opendaylight.org
                 https://lists.opendaylight.org/mailman/listinfo/controller-dev




_______________________________________________
controller-dev mailing list
controller-dev@lists.opendaylight.org
https://lists.opendaylight.org/mailman/listinfo/controller-dev
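
A regression check for the two symptoms reported in this thread (the diagstatus endpoint answering with no or arbitrary credentials, and admin:admin still working after the AAA password was changed), written as an added example; it is not code from the thread or from OpenDaylight. The function names, the probe credentials and the rule that only HTTP 200 counts as "accepted" are assumptions; the endpoint path is the one quoted above.

```python
import base64
import urllib.error
import urllib.request

# Path taken from the thread; host, port and credentials come from the caller.
DIAGSTATUS = ("/jolokia/exec/org.opendaylight.infrautils.diagstatus:"
              "type=SvcStatus/acquireServiceStatus")


def status(url, creds=None, timeout=5):
    """Return the HTTP status code of a GET, optionally sent with Basic auth."""
    req = urllib.request.Request(url)
    if creds:
        token = base64.b64encode(":".join(creds).encode()).decode()
        req.add_header("Authorization", "Basic " + token)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:  # 401/403 arrive here
        return err.code


def audit(base_url, current, default=("admin", "admin")):
    """List the authentication problems found on the Jolokia diagstatus URL."""
    url = base_url.rstrip("/") + DIAGSTATUS
    findings = []
    if status(url) == 200:
        findings.append("no credentials accepted")
    # Constructed credentials that should never be valid on any install.
    if status(url, ("audit-probe", "not-a-real-password")) == 200:
        findings.append("arbitrary credentials accepted")
    if default != current and status(url, default) == 200:
        findings.append("default credentials still accepted")
    if status(url, current) != 200:
        findings.append("current credentials rejected")
    return findings


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 4:  # usage: audit.py http://host:port user password
        for line in audit(sys.argv[1], (sys.argv[2], sys.argv[3])) or ["auth enforced"]:
            print(line)
```

An empty list means the endpoint rejected everything except the credentials currently configured in AAA.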
