OK.

On Fri, Mar 22, 2019 at 2:30 PM Daniel De La Rosa <[email protected]> wrote:

> Robert, thank you for the details. Abhijit, I think we still need to
> discuss the details during our next TSC meeting since it sounds like there
> will be major impact for our customers
>
> Thanks
>
> On Fri, Mar 22, 2019 at 2:12 PM Abhijit Kumbhare <[email protected]>
> wrote:
>
>> After Robert's explanation - do you still need it to be on the TSC
>> agenda, Daniel (and maybe Luis)?
>>
>> On Fri, Mar 22, 2019 at 2:03 PM Robert Varga <[email protected]> wrote:
>>
>>> On 21/03/2019 18:07, Luis Gomez wrote:
>>> > Hi Robert,
>>> >
>>> > Can you please explain the impact of this? e.g. can we for instance
>>> > change the default user admin/admin or use token authentication after
>>> > this change?
>>>
>>> Well, I am just a caretaker trying to get things moving forward.
>>>
>>> From what I remember, user credentials should not be affected, as that
>>> goes through Shiro, which is a separate thing.
>>>
>>> I would suspect that token authentication would be affected, but I do
>>> not know the deployment details.
>>>
>>> Please note this is not something new, Ryan has made a call out here:
>>>
>>> https://lists.opendaylight.org/pipermail/aaa-dev/2018-February/001606.html
>>> and there is a tracker to replace Oltu here:
>>> https://jira.opendaylight.org/browse/AAA-162. Based on the conversation
>>> we have had on this when he was still around, his assessment was that
>>> the feature is not useful in practice.
>>>
>>> I do not claim authority over this matter, nor do I claim Ryan's
>>> assessment is correct. Unfortunately, status quo in this project is
>>> simply untenable for the following reasons:
>>>
>>> 1) JIRA has not been scrubbed for a year. When I scrubbed it, we
>>> immediately got a fix from Richard Kosegi for AAA-174. That issue has
>>> been sitting there for 10 months and it was fixed in about 24 hours.
>>>
>>> 2) there are a few long-standing issues filed, which require fixing in
>>> Oltu. That is just not going to happen in upstream.
>>>
>>> 3) it is a core project, on which we rely for our security. We just
>>> cannot afford it being a security hazard.
>>>
>>> 4) org.json/json dependency, which is coming from Oltu is a real
>>> licensing concern, from what I understood from the conversations we had
>>> (even at the TSC call) around
>>> https://jira.opendaylight.org/browse/ODLPARENT-36
>>>
>>> That is why I merged the change early in the dev cycle and announced it
>>> very widely, so that there is plenty of time to determine impacts and
>>> discuss alternatives.
>>>
>>> The simplest way to determine it is, and I am kindly asking you to, grab
>>> the latest Karaf distro and test out the functionality you expect to
>>> work.
>>>
>>> If it turns out that there are stakeholders who are affected, I think
>>> the proper course is for them (or their proxies) to come forward and
>>> take ownership of the feature:
>>> - it is a mere 800 LOC of code that got removed
>>> - there are at least 3 bugs filed against token auth
>>> - there are alternative libraries: https://oauth.net/code/java/
>>>
>>> Thanks,
>>> Robert
>>>
>>> _______________________________________________
>>> release mailing list
>>> [email protected]
>>> https://lists.opendaylight.org/mailman/listinfo/release
>>>
>
> --
> Daniel de la Rosa
> Customer Support Manager
> Lumina Networks Inc.
> e: [email protected]
> m: +1 408 7728120
>
_______________________________________________
Discuss mailing list
[email protected]
https://lists.opendaylight.org/mailman/listinfo/discuss
