After Robert's explanation - do you still need it to be on the TSC agenda, Daniel (and maybe Luis)?
On Fri, Mar 22, 2019 at 2:03 PM Robert Varga <[email protected]> wrote:
> On 21/03/2019 18:07, Luis Gomez wrote:
> > Hi Robert,
> >
> > Can you please explain the impact of this? e.g. can we for instance change the default user admin/admin or use token authentication after this change?
>
> Well, I am just a caretaker trying to get things moving forward.
>
> From what I remember, user credentials should not be affected, as that goes through Shiro, which is a separate thing.
>
> I would suspect that token authentication would be affected, but I do not know the deployment details.
>
> Please note this is not something new, Ryan has made a call out here:
> https://lists.opendaylight.org/pipermail/aaa-dev/2018-February/001606.html
> and there is a tracker to replace Oltu here:
> https://jira.opendaylight.org/browse/AAA-162. Based on the conversation we have had on this when he was still around, his assessment was that the feature is not useful in practice.
>
> I do not claim authority over this matter, nor do I claim Ryan's assessment is correct. Unfortunately, the status quo in this project is simply untenable for the following reasons:
>
> 1) JIRA has not been scrubbed for a year. When I scrubbed it, we immediately got a fix from Richard Kosegi for AAA-174. That issue had been sitting there for 10 months and it was fixed in about 24 hours.
>
> 2) there are a few long-standing issues filed, which require fixing in Oltu. That is just not going to happen in upstream.
>
> 3) it is a core project, on which we rely for our security. We just cannot afford it being a security hazard.
>
> 4) the org.json/json dependency, which is coming from Oltu, is a real licensing concern, from what I understood from the conversations we had (even at the TSC call) around
> https://jira.opendaylight.org/browse/ODLPARENT-36
>
> That is why I merged the change early in the dev cycle and announced it very widely, so that there is plenty of time to determine impacts and discuss alternatives.
>
> The simplest way to determine it is, and I am kindly asking you to, grab the latest Karaf distro and test out the functionality you expect to work.
>
> If it turns out that there are stakeholders who are affected, I think the proper course is for them (or their proxies) to come forward and take ownership of the feature:
> - it is a mere 800 LOC of code that got removed
> - there are at least 3 bugs filed against token auth
> - there are alternative libraries: https://oauth.net/code/java/
>
> Thanks,
> Robert
>
> _______________________________________________
> release mailing list
> [email protected]
> https://lists.opendaylight.org/mailman/listinfo/release
_______________________________________________
Discuss mailing list
[email protected]
https://lists.opendaylight.org/mailman/listinfo/discuss
