Did you restart ODL after installing odl-jolikia? The issue is you have jolikia 
installed from karaf without auth, then try to install odl-jolikia which lays 
down org.jolikia.osgi.cfg with authMode set to delegate. That managed service 
won’t actually recognize the update to authmode without a restart of Karaf. You 
want to ONLY ever install odl-jolokia!!

Sent from my iPhone

> On Apr 7, 2018, at 12:19 PM, Jamo Luhrsen <jluhr...@gmail.com> wrote:
> 
> ok, I verified that carbon sr3 is working as we expect, but the recent 
> Fluorine
> snapshot distro I have is not behaving like I expect.
> 
> I am able to hit this 
> jolokia/exec/org.opendaylight.infrautils.diagstatus:type=SvcStatus/acquireServiceStatus
> endpoint after just installing features-aaa, nothing else. The user/password 
> doesn't
> seem to matter.
> 
> After installing odl-jolokia, it's the same behavior.
> 
> should I open a jira, or what other info can I gather?
> 
> Thanks,
> JamO
> 
>> On 4/5/18 3:45 PM, Ryan Goulding wrote:
>> for carbon-sr3 we still hadn't integrated jolokia with AAA;  it was still 
>> backed by etc/org.jolokia.osgi.cfg, hencewhy you need to use admin/admin 
>> after changing the password in AAA.
>> How did you install jolokia in Fluorine?  You must install using 
>> "odl-jolokia" feature from controller to get protection.  Standard off the 
>> shelf "jolokia" has NO auth by default...
>> Regards,
>> Ryan Goulding
>> On Thu, Apr 5, 2018 at 6:23 PM, Jamo Luhrsen <jluhr...@gmail.com 
>> <mailto:jluhr...@gmail.com>> wrote:
>>    I don't have access to my setup at the moment. I can later.
>>    but, I think it's based on carbon sr3.
>>    I do have a recent (2/27) snapshot distro from Fluorine though,
>>    and that actually doesn't even need creds to access that
>>    jolokia diagstatus endpoint. restconf still behaves like I
>>    expect, but the diagstatus endpoint takes any (or no)
>>    username/password combo.
>>    JamO
>>    On 4/5/18 12:06 PM, Ryan Goulding wrote:
>>        Jamo, can you comment on code version?  Thanks!
>>        Regards,
>>        Ryan Goulding
>>        On Thu, Apr 5, 2018 at 7:10 AM, Ryan Goulding 
>> <ryandgould...@gmail.com <mailto:ryandgould...@gmail.com>
>>        <mailto:ryandgould...@gmail.com <mailto:ryandgould...@gmail.com>>> 
>> wrote:
>>             What version of code? This wasn’t tied to AAA until oxygen. 
>> Prior it was controlled by etc/or.jolokia.osgi.cfg.
>>             Thanks,
>>             Ryan
>>             Sent from my iPhone
>>             On Apr 5, 2018, at 12:32 AM, Michael Vorburger 
>> <vorbur...@redhat.com <mailto:vorbur...@redhat.com>
>>        <mailto:vorbur...@redhat.com <mailto:vorbur...@redhat.com>>> wrote:
>>                 JamO, +aaa-dev and +controller-dev and Stephen FYI:
>>                 On Wed, Apr 4, 2018 at 10:24 PM, Jamo Luhrsen 
>> <jluhr...@gmail.com <mailto:jluhr...@gmail.com>
>>            <mailto:jluhr...@gmail.com <mailto:jluhr...@gmail.com>>>wrote:
>>                     Hi Utility folks,
>>                     I noticed in a local setup I have where I've changed the 
>> default username
>>                     and password for RESTCONF, that I still need to use the 
>> admin:admin creds
>>                     to hit the diagstatus endpoint.
>>                     I'm guessing that's just because this is not tied in to 
>> the magic of
>>                     AAA and/or RESTCONF creds.
>>                     Gotta just live with it, or would it be an easy thing to 
>> add, just to keep
>>                     things more intuitive?
>>                 This seems like a bug (bad one, security wise), but it's not 
>> for infrautils-dev - we don't actually do
>>            anything
>>                 re. Jolokia in project infrautils, the diagstatus sub-module 
>> simply exposes a JMX bean... the code
>>            related to the
>>                 Jolokia integration in ODL which then make makes this 
>> available via HTTP, and secures it with the AAA
>>            creds (also
>>                 used by RESTCONF; there are no creds in RESTCONF itself 
>> FYI), is actually in controller and/or aaa (I'm
>>            not 100%
>>                 sure myself what is where)... see 
>> https://jira.opendaylight.org/browse/AAA-147
>>            <https://jira.opendaylight.org/browse/AAA-147>
>>                 <https://jira.opendaylight.org/browse/AAA-147 
>> <https://jira.opendaylight.org/browse/AAA-147>> and
>>            https://jira.opendaylight.org/browse/CONTROLLER-1324 
>> <https://jira.opendaylight.org/browse/CONTROLLER-1324>
>>                 <https://jira.opendaylight.org/browse/CONTROLLER-1324
>>            <https://jira.opendaylight.org/browse/CONTROLLER-1324>>.
>>                 If you are right, we have this problem (that when changing 
>> the default username and password you can
>>            still use the
>>                 previous one) on *ALL* /jolokia/ URLs, I'm guessing.
>>                 Would you like to open a (Critical?) bug in JIRA against AAA 
>> about this?
>>                 Tx,
>>                 M.
>>                 --
>>                 Michael Vorburger, Red Hat
>>            vorbur...@redhat.com <mailto:vorbur...@redhat.com> 
>> <mailto:vorbur...@redhat.com
>>            <mailto:vorbur...@redhat.com>>| IRC: vorburger @freenode | ~ = 
>> http://vorburger.ch
>>                 <http://vorburger.ch/>
>>                     example curl:
>>                     curl -u "admin:admin"
>>            
>> http://192.168.24.11:8081/jolokia/exec/org.opendaylight.infrautils.diagstatus:type=SvcStatus/acquireServiceStatus
>>            
>> <http://192.168.24.11:8081/jolokia/exec/org.opendaylight.infrautils.diagstatus:type=SvcStatus/acquireServiceStatus>
>>                                
>> <http://192.168.24.11:8081/jolokia/exec/org.opendaylight.infrautils.diagstatus:type=SvcStatus/acquireServiceStatus
>>            
>> <http://192.168.24.11:8081/jolokia/exec/org.opendaylight.infrautils.diagstatus:type=SvcStatus/acquireServiceStatus>>
>>                     Thanks,
>>                     JamO
>>                     _______________________________________________
>>                     infrautils-dev mailing list
>>            infrautils-...@lists.opendaylight.org 
>> <mailto:infrautils-...@lists.opendaylight.org>
>>            <mailto:infrautils-...@lists.opendaylight.org 
>> <mailto:infrautils-...@lists.opendaylight.org>>
>>            https://lists.opendaylight.org/mailman/listinfo/infrautils-dev
>>            <https://lists.opendaylight.org/mailman/listinfo/infrautils-dev>
>>                     
>> <https://lists.opendaylight.org/mailman/listinfo/infrautils-dev
>>            <https://lists.opendaylight.org/mailman/listinfo/infrautils-dev>>
>>                 _______________________________________________
>>                 controller-dev mailing list
>>            controller-dev@lists.opendaylight.org 
>> <mailto:controller-dev@lists.opendaylight.org>
>>            <mailto:controller-dev@lists.opendaylight.org 
>> <mailto:controller-dev@lists.opendaylight.org>>
>>            https://lists.opendaylight.org/mailman/listinfo/controller-dev
>>            <https://lists.opendaylight.org/mailman/listinfo/controller-dev>
>>                 
>> <https://lists.opendaylight.org/mailman/listinfo/controller-dev
>>            <https://lists.opendaylight.org/mailman/listinfo/controller-dev>>
_______________________________________________
controller-dev mailing list
controller-dev@lists.opendaylight.org
https://lists.opendaylight.org/mailman/listinfo/controller-dev

Reply via email to