On Mon, Apr 9, 2018 at 7:49 PM, Jamo Luhrsen <jluhr...@gmail.com> wrote:
> it's up for interpretation as far as vulnerabilities.
>
> seems by default, the vulnerability is there. However, one can argue that
> users need to RTFM, go restart their deployment, ya da ya da ya da (hi
> robert...) to avoid the non-authenticated jolokia endpoints.
>
> JamO
>
> On 4/9/18 10:44 AM, Ryan Goulding wrote:
>> Cool, so there shouldn't be any gaping vulnerabilities as was originally
>> indicated? Not sure what is installed for features by default anymore, but
>> "jolokia" is part of the karaf standard features we pull in [0]. Stephen,
>> do you know of any way to strip that out?
>
> Ryan & Stephen, this
> https://issues.apache.org/jira/browse/KARAF-5376?focusedCommentId=16431939&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-16431939
> may interest you in this regard.. watch also
> https://issues.apache.org/jira/browse/KARAF-5540.
>
>> Thanks,
>>
>> Ryan
>>
>> [0] https://github.com/apache/karaf/blob/karaf-4.1.x/assemblies/features/standard/src/main/feature/feature.xml#L1446
>>
>> On Mon, Apr 9, 2018 at 1:38 PM, Jamo Luhrsen <jluhr...@gmail.com> wrote:
>>
>> ok, yeah. after restarting, it seems the jolokia endpoint is now adhering to
>> the proper credentials.
>>
>> I'm confused about the karaf jolokia stuff though. Is there no way to dump
>> that and only allow our odl-jolokia feature to be available? That was
>> pretty confusing to me. I never asked for anything jolokia to be installed
>> originally, but I guess it was by default.
>>
>> JamO
>>
>> On 4/7/18 1:07 PM, Ryan Goulding wrote:
>>
>> Did you restart ODL after installing odl-jolokia? The issue is you have
>> jolokia installed from karaf without auth, then try to install odl-jolokia
>> which lays down org.jolokia.osgi.cfg with authMode set to delegate. That
>> managed service won't actually recognize the update to authMode without a
>> restart of Karaf. You want to ONLY ever install odl-jolokia!!
>>
>> Sent from my iPhone
>>
>> On Apr 7, 2018, at 12:19 PM, Jamo Luhrsen <jluhr...@gmail.com> wrote:
>>
>> ok, I verified that carbon sr3 is working as we expect, but the recent
>> Fluorine snapshot distro I have is not behaving like I expect.
>>
>> I am able to hit this
>> jolokia/exec/org.opendaylight.infrautils.diagstatus:type=SvcStatus/acquireServiceStatus
>> endpoint after just installing features-aaa, nothing else. The
>> user/password doesn't seem to matter.
>>
>> After installing odl-jolokia, it's the same behavior.
>>
>> should I open a jira, or what other info can I gather?
>>
>> Thanks,
>> JamO
>>
>> On 4/5/18 3:45 PM, Ryan Goulding wrote:
>> for carbon-sr3 we still hadn't integrated jolokia with AAA; it was still
>> backed by etc/org.jolokia.osgi.cfg, hence why you need to use admin/admin
>> after changing the password in AAA.
>> How did you install jolokia in Fluorine? You must install using the
>> "odl-jolokia" feature from controller to get protection. Standard off the
>> shelf "jolokia" has NO auth by default...
>> Regards,
>> Ryan Goulding
>> On Thu, Apr 5, 2018 at 6:23 PM, Jamo Luhrsen <jluhr...@gmail.com> wrote:
>> I don't have access to my setup at the moment. I can later.
>> but, I think it's based on carbon sr3.
>> I do have a recent (2/27) snapshot distro from Fluorine though, and that
>> actually doesn't even need creds to access that jolokia diagstatus
>> endpoint. restconf still behaves like I expect, but the diagstatus
>> endpoint takes any (or no) username/password combo.
>> JamO
>> On 4/5/18 12:06 PM, Ryan Goulding wrote:
>> Jamo, can you comment on code version? Thanks!
>> Regards,
>> Ryan Goulding
>> On Thu, Apr 5, 2018 at 7:10 AM, Ryan Goulding <ryandgould...@gmail.com> wrote:
>> What version of code? This wasn't tied to AAA until oxygen. Prior it was
>> controlled by etc/org.jolokia.osgi.cfg.
>> Thanks,
>> Ryan
>> Sent from my iPhone
>> On Apr 5, 2018, at 12:32 AM, Michael Vorburger <vorbur...@redhat.com> wrote:
>> JamO, +aaa-dev and +controller-dev and Stephen FYI:
>> On Wed, Apr 4, 2018 at 10:24 PM, Jamo Luhrsen <jluhr...@gmail.com> wrote:
>> Hi Utility folks,
>> I noticed in a local setup I have where I've changed the default username
>> and password for RESTCONF, that I still need to use the admin:admin creds
>> to hit the diagstatus endpoint.
>> I'm guessing that's just because this is not tied in to the magic of AAA
>> and/or RESTCONF creds.
>> Gotta just live with it, or would it be an easy thing to add, just to keep
>> things more intuitive?
>> This seems like a bug (bad one, security wise), but it's not for
>> infrautils-dev - we don't actually do anything re. Jolokia in project
>> infrautils, the diagstatus sub-module simply exposes a JMX bean... the code
>> related to the Jolokia integration in ODL which then makes this available
>> via HTTP, and secures it with the AAA creds (also used by RESTCONF; there
>> are no creds in RESTCONF itself FYI), is actually in controller and/or aaa
>> (I'm not 100% sure myself what is where)... see
>> https://jira.opendaylight.org/browse/AAA-147 and
>> https://jira.opendaylight.org/browse/CONTROLLER-1324.
>> If you are right, we have this problem (that when changing the default
>> username and password you can still use the previous one) on *ALL*
>> /jolokia/ URLs, I'm guessing.
>> Would you like to open a (Critical?) bug in JIRA against AAA about this?
>> Tx,
>> M.
>> --
>> Michael Vorburger, Red Hat
>> vorbur...@redhat.com | IRC: vorburger @freenode | ~ = http://vorburger.ch
>> example curl:
>> curl -u "admin:admin" http://192.168.24.11:8081/jolokia/exec/org.opendaylight.infrautils.diagstatus:type=SvcStatus/acquireServiceStatus
>> Thanks,
>> JamO
>> _______________________________________________
>> infrautils-dev mailing list
>> infrautils-...@lists.opendaylight.org
>> https://lists.opendaylight.org/mailman/listinfo/infrautils-dev
>> _______________________________________________
>> controller-dev mailing list
>> controller-dev@lists.opendaylight.org
>> https://lists.opendaylight.org/mailman/listinfo/controller-dev
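The check the thread does by hand with curl (anonymous, stale admin:admin, and the real credentials against the diagstatus jolokia endpoint), written up as an added Python example that is not code from this thread or from the OpenDaylight, Karaf or Jolokia projects. Only the endpoint path comes from the thread; the host, the credentials and the in-process mock agent are constructed stand-ins, and the mock answering 401 is an assumption about how an authenticating agent refuses a request. Point `audit()` at your own controller's base URL to run it for real.

```python
import base64, threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Endpoint path from the thread; hosts, creds and the mock below are constructed.
DIAGSTATUS = ("/jolokia/exec/org.opendaylight.infrautils.diagstatus"
              ":type=SvcStatus/acquireServiceStatus")

def _basic(creds):
    return "Basic " + base64.b64encode(creds.encode()).decode()

def probe(base_url, creds=None):
    """HTTP status the endpoint returns for these creds (None = anonymous)."""
    req = Request(base_url + DIAGSTATUS)
    if creds:
        req.add_header("Authorization", _basic(creds))
    try:
        with urlopen(req, timeout=5) as resp:
            return resp.status
    except HTTPError as err:
        return err.code

def audit(base_url, valid_creds, stale_creds="admin:admin"):
    """'protected' only if anonymous and stale creds are refused and valid ones work."""
    codes = {"anonymous": probe(base_url),
             "stale": probe(base_url, stale_creds),
             "valid": probe(base_url, valid_creds)}
    codes["protected"] = (codes["anonymous"] >= 400 and codes["stale"] >= 400
                          and codes["valid"] == 200)
    return codes

def start_mock(accepted=None):
    """Constructed stand-in agent: accepted=None acts like the no-auth karaf
    'jolokia' feature; 'user:pass' acts like an authenticating one (assumed 401)."""
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            ok = accepted is None or self.headers.get("Authorization") == _basic(accepted)
            self.send_response(200 if ok else 401)
            if not ok:
                self.send_header("WWW-Authenticate", 'Basic realm="jolokia"')
            self.end_headers()

        def log_message(self, *args):  # keep the demo quiet
            pass

    srv = ThreadingHTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, "http://127.0.0.1:%d" % srv.server_address[1]
```

With `start_mock()` the audit reports the unprotected default (every probe gets 200); with `start_mock("admin:newpass")` only the current credentials get through, which is the state JamO saw after the restart.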
_______________________________________________ controller-dev mailing list controller-dev@lists.opendaylight.org https://lists.opendaylight.org/mailman/listinfo/controller-dev