Ryan Goulding [Wed, 18 Jan 2017 00:02:42 +0000 (19:02 -0500)]
Remove unused Realms
These were never implemented, and the person interested in implementing them
has left the project. These can easily be re-added in the future.
Change-Id: I89709c633cbe0af809db7a31e5acb0e6f5ff95bf
Signed-off-by: Ryan Goulding <ryandgoulding@gmail.com>
Ryan Goulding [Tue, 17 Jan 2017 22:50:55 +0000 (17:50 -0500)]
Remove an unused public constant
Change-Id: I5793fe8a3ddf2f7adab08bdae04c89118c589b9f
Signed-off-by: Ryan Goulding <ryandgoulding@gmail.com>
Mohamed El-Serngawy [Tue, 17 Jan 2017 20:21:49 +0000 (20:21 +0000)]
Merge "Update README.md to current status of AAA project"
Mohamed El-Serngawy [Tue, 17 Jan 2017 20:20:43 +0000 (20:20 +0000)]
Merge "Migrate aaa-shiro to utilize archetype setup"
Ryan Goulding [Tue, 17 Jan 2017 19:50:07 +0000 (19:50 +0000)]
Merge "Fix Md-SAL store configuration"
Ryan Goulding [Tue, 17 Jan 2017 19:49:25 +0000 (19:49 +0000)]
Merge "Add CLI for managing aaa data model"
Ryan Goulding [Thu, 5 Jan 2017 20:52:47 +0000 (15:52 -0500)]
Migrate aaa-shiro to utilize archetype setup
This change addresses the fact that the archetype was not used to
create the aaa-shiro module. This is due to the fact that it was
much heavier weight than what was needed at the time. However,
utilization of the archetype does allow for many advantages including:
1) Explicit separation of api and impl into two separate locations.
Since prior to this change mostly Apache Shiro abstractions were used
instead of homegrown ones, this wasn't particularly useful. However,
with aaa-shiro growing, this is becoming increasingly necessary.
2) Dependence on config-parent for bundles. This gets us a lot for
free, including genericizising on best practices.
3) The possibility to create aaa-shiro features/karaf/IT/commands more
easily. For now, this patch comments out the features & karaf
section as they are pretty much duplicates of the existing top-level
odl-aaa-shiro feature which is already defined. In the future, it
would be nice to enumerate some of the archetype-oriented features:
- ui
- rest
- api
This change is mostly cleaning up and preparing for expansion of the
aaa-shiro bundle. Existing functionality was stuck in the aaa-shiro module,
but the package names were not updated to utilize impl. Likewise, the module
is called "aaa-shiro" and not "aaa-shiro-impl" since other projects already depend
on the former name. The package names were not updated to utilize impl
as the names are used in configuration of the module itself, and
changing them would cause forwards/backwards compatibility issues. In the future,
we may want to move them but provide existing classes that extend the impl ones.
Change-Id: I16f1efed8b83e764362ae6d19b0a69d1b1c6cbec
Signed-off-by: Ryan Goulding <ryandgoulding@gmail.com>
Mohamed El-Serngawy [Tue, 17 Jan 2017 18:36:46 +0000 (18:36 +0000)]
Merge "Add TLS protocol configuration"
Mohamed El-Serngawy [Mon, 16 Jan 2017 21:57:35 +0000 (16:57 -0500)]
Add TLS protocol configuration
Add the the supported TLS protocols as configuration
to the certificate manager service to be same across
all the tls communications
Change-Id: Ie42344e20ff43dba21b42e58fb141e2871a925f1
Signed-off-by: Mohamed El-Serngawy <melserngawy@inocybe.com>
Ryan Goulding [Tue, 17 Jan 2017 15:58:11 +0000 (10:58 -0500)]
Update README.md to current status of AAA project
A much needed cleaning of the AAA README.md file. This is not
perfect, but it is much more accurate than the existing file.
This can be enhanced more in the future, although the proper docs
are also a great resource.
Change-Id: I3e657b963c2617ae92094ae8943a904fbd395e61
Signed-off-by: Ryan Goulding <ryandgoulding@gmail.com>
Mohamed El-Serngawy [Wed, 14 Dec 2016 22:29:20 +0000 (17:29 -0500)]
Add CLI for managing aaa data model
Add CLI commands to add and remove aaa data model
users,roles, domain and grants. It also authorize
the admin users only to be able to manage aaa.
Change-Id: Ia34901dcced7603bbdcfd6fa5afcfa9a283e8ed2
Signed-off-by: Mohamed El-Serngawy <melserngawy@inocybe.com>
Mohamed El-Serngawy [Thu, 8 Dec 2016 21:19:23 +0000 (16:19 -0500)]
Fix Md-SAL store configuration
add aaa-mdsal-config.xml file to make the md-sal datastore
configuration editable by the end user.
Change-Id: I0861046a1b5644f8c3ecaa3aa9bb5b6432ec9ca5
Signed-off-by: Mohamed El-Serngawy <melserngawy@inocybe.com>
Ryan Goulding [Fri, 13 Jan 2017 20:45:58 +0000 (15:45 -0500)]
Update README surrounding accounting
Accounting has been greatly improved since the Beryllium release with
the AuthenticationListener implementation. This updates the README
for accounting only. Further updates will be submitted surrounding
Authentication and Authorization prior to release.
This patch is a canddate for master, Boron and Beryllium, and will
add valuable information for users of each of these releases.
Change-Id: I6f7bc6ce6a4d178eb7c00810102795d8c8b9c987
Signed-off-by: Ryan Goulding <ryandgoulding@gmail.com>
Ryan Goulding [Fri, 13 Jan 2017 20:20:48 +0000 (15:20 -0500)]
Remove cassandra based store
This is dead code, since there appears to be no way to configure cassandra as
the default backing data store. Thus, the code exists, but is never instantiated.
Even the feature "odl-aaa-cassandra*" does not properly load the cassandra based
backing data store.
Since the feature doesn't appear to work or add anything extra, it is being removed.
We are providing an alternative dropin backed by mdsal instead, which should
be used instead.
Change-Id: I30c5231753544b170fb05bb461734cbc34efec8a
Signed-off-by: Ryan Goulding <ryandgoulding@gmail.com>
Hideyuki Tai [Fri, 13 Jan 2017 02:22:24 +0000 (02:22 +0000)]
Added aaa-h2-store bundle.
The artifact "aaa-h2-store:cfg:config" is needed by the feature
odl-aaa-authn-cassandra-cluster. However, the dependency information for
that was mistakenly removed.
Change-Id: Ia6aab62dcc30fc9eb525626b389e6a5097e25342
Signed-off-by: Hideyuki Tai <Hideyuki.Tai@necam.com>
Ryan Goulding [Thu, 12 Jan 2017 16:33:27 +0000 (16:33 +0000)]
Merge "Remove the aaa-authn-federation bundle"
Ryan Goulding [Thu, 12 Jan 2017 16:29:53 +0000 (16:29 +0000)]
Merge "Deprecate aaa-cassandra-store bundle"
Mohamed El-Serngawy [Thu, 22 Dec 2016 19:49:24 +0000 (14:49 -0500)]
Remove the aaa-authn-federation bundle
As we deprecate aaa-authn-federation bundle remove it from
aaa feature
Change-Id: I48bf775a23c8a1a1d52013300b662a4becf7e77c
Signed-off-by: Mohamed El-Serngawy <melserngawy@inocybe.com>
Ryan Goulding [Wed, 11 Jan 2017 18:46:42 +0000 (13:46 -0500)]
Remove RBAC rule implementation
RBAC rules were a concept that existed to automatically restrict some endpoints. However,
they were not terrible useful and not mutable. The point was to just restrict a
certain subset of endpoints for security purposes (i.e., the IdM endpoints).
This change removes unused concepts and makes a few minor fixes to existing code:
* make local vars final when appropriate
* better logging
* utilize File.separator instead of hardcoding "/"
Change-Id: If3a1f100e8a2b265be71cfb4722b64c76aacad34
Signed-off-by: Ryan Goulding <ryandgoulding@gmail.com>
Mohamed El-Serngawy [Tue, 10 Jan 2017 18:57:49 +0000 (13:57 -0500)]
Deprecate aaa-cassandra-store bundle
Deprecate aaa-cassandra-store bundle classes
as we are cleaning up aaa project
Change-Id: Ic4ef01600d73c4e9adac0052edd802f70532c325
Signed-off-by: Mohamed El-Serngawy <melserngawy@inocybe.com>
Ryan Goulding [Tue, 3 Jan 2017 16:42:55 +0000 (16:42 +0000)]
Merge "Deprecat aaa-authn-idpmapping bundle"
Tom Pantelis [Fri, 23 Dec 2016 15:05:00 +0000 (10:05 -0500)]
Fix missing aaa-h2-store:cfg in dist builds
Added the cfg file as a dependency in he fearures pom.
Change-Id: Ie1726b1ac01acb4c142292c6b4223c5ea23dabd4
Signed-off-by: Tom Pantelis <tpanteli@brocade.com>
Ryan Goulding [Thu, 22 Dec 2016 20:20:33 +0000 (20:20 +0000)]
Merge "Deprecate aaa-authn-store bundle"
Mohamed El-Serngawy [Thu, 22 Dec 2016 20:20:16 +0000 (20:20 +0000)]
Merge "Deprecate the authz model"
Ryan Goulding [Thu, 22 Dec 2016 20:20:11 +0000 (20:20 +0000)]
Merge "Move the default tokenStore service to aaa-h2 bundle"
Ryan Goulding [Thu, 22 Dec 2016 20:19:16 +0000 (20:19 +0000)]
Merge "Deprecate aaa-authn-federation bundle"
Ryan Goulding [Thu, 22 Dec 2016 20:19:05 +0000 (20:19 +0000)]
Merge "Deprecate aaa-authn-sssd bundle"
Mohamed El-Serngawy [Thu, 22 Dec 2016 20:08:57 +0000 (15:08 -0500)]
Deprecat aaa-authn-idpmapping bundle
Deprecat aaa-authn-idpmapping bundle as we are using shiro
for federation
Change-Id: I1c7e88cbc72f92562aa2092c49957e0268fae14f
Signed-off-by: Mohamed El-Serngawy <melserngawy@inocybe.com>
Mohamed El-Serngawy [Thu, 22 Dec 2016 19:37:54 +0000 (14:37 -0500)]
Deprecate aaa-authn-federation bundle
Deprecate aaa-authn-federation bundle as we are using
shiro for federation.
Change-Id: I07016fd9e185da4f60f5aef260a14bad540f48ed
Signed-off-by: Mohamed El-Serngawy <melserngawy@inocybe.com>
Mohamed El-Serngawy [Thu, 22 Dec 2016 18:59:30 +0000 (13:59 -0500)]
Deprecate aaa-authn-sssd bundle
Deprecate aaa-authn-sssd bundle as we will move to use
shiro for federation
Change-Id: Icb01dcee936b35a1e0e95621ff333b424481b279
Signed-off-by: Mohamed El-Serngawy <melserngawy@inocybe.com>
Mohamed El-Serngawy [Thu, 22 Dec 2016 18:50:50 +0000 (13:50 -0500)]
Deprecate aaa-authn-store bundle
The aaa-authn-store bundle implementation has been
moved to aaa-h2-store bundle to be in consist with
other datastores.
https://git.opendaylight.org/gerrit/#/c/49271/
Change-Id: Ia96b9650e20c4647753c7f9ca26d53c1ad9dd611
Signed-off-by: Mohamed El-Serngawy <melserngawy@inocybe.com>
Mohamed El-Serngawy [Thu, 22 Dec 2016 18:42:49 +0000 (13:42 -0500)]
Deprecate aaa-credential-store-api bundle
The aaa-credential-store-api bundle only has the yang model
and has no implementation.
Change-Id: I5ad4776ac96bfa3d537321105f4858e8fcacc4aa
Signed-off-by: Mohamed El-Serngawy <melserngawy@inocybe.com>
Ryan Goulding [Thu, 22 Dec 2016 18:20:23 +0000 (13:20 -0500)]
Deprecate the authz model
The authz model causes confusion in the community; several people want to use
authorization functionality but it was never implemented correctly. The original
contributor has since stopped participating in upstream AAA. The model does not
work correctly.
The AAA team does want to add authz other than shiro based, but this will have to
be handled by severely changing the existing model, such that keeping it around is
quite silly since it never worked properly in the first place.
Change-Id: Id3035ca71ec483e8d8c887179a635439898b7e64
Signed-off-by: Ryan Goulding <ryandgoulding@gmail.com>
Mohamed El-Serngawy [Wed, 21 Dec 2016 22:41:45 +0000 (22:41 +0000)]
Merge "Add MD-SAL authn model to shiro.ini"
Mohamed El-Serngawy [Mon, 12 Dec 2016 20:27:34 +0000 (15:27 -0500)]
Move the default tokenStore service to aaa-h2 bundle
The default tokenStore service exist outside
of the default dataStore bundle aaa-h2. As each
data store has its own tokenStore service, I moved
the default tokenStore to the aaa-h2 bundle to prevent
conflicts with other data stores.
Change-Id: I1cb241a479c5f8d86dcfc032bff4eb955c0561a1
Signed-off-by: Mohamed El-Serngawy <melserngawy@inocybe.com>
Robert Varga [Tue, 20 Dec 2016 13:02:37 +0000 (14:02 +0100)]
Eliminate dependencies on slf4j-{api,simple}
These are already present in odlparent, no need to repeat
them here.
Change-Id: I367c78b1f8548aa5b5c8d0a590783b073beca27f
Signed-off-by: Robert Varga <rovarga@cisco.com>
Robert Varga [Tue, 20 Dec 2016 12:42:42 +0000 (13:42 +0100)]
Eliminate use of bundle.plugin.version
The plugin has a managed version, remove the dependency
on its version being defined in a property.
Change-Id: I9c3fe7ee9ce11f81edad244c66050eab870af3d5
Signed-off-by: Robert Varga <rovarga@cisco.com>
Robert Varga [Tue, 20 Dec 2016 12:43:20 +0000 (13:43 +0100)]
Remove duplicate dependencies
Cleanup features/shiro/pom.xml to not include
multiple dependency declarations.
Change-Id: I5bdb88523460da2e616ca82a0029db73531199fd
Signed-off-by: Robert Varga <rovarga@cisco.com>
Ryan Goulding [Wed, 14 Dec 2016 22:40:13 +0000 (22:40 +0000)]
Merge "Fix the Password option at cert commands"
Mohamed El-Serngawy [Wed, 7 Dec 2016 21:17:20 +0000 (16:17 -0500)]
Fix the Password option at cert commands
Use the stream input to hide the password characters and use
printstream to print label at the console instead of system.out
Change-Id: Id970d50265f48ebca44732173feb0b27c6ab955f
Signed-off-by: Mohamed El-Serngawy <melserngawy@inocybe.com>
Ryan Goulding [Tue, 13 Dec 2016 17:59:06 +0000 (17:59 +0000)]
Merge "aaa-h2-store file size reduced by 1.7 MB"
Michael Vorburger [Mon, 12 Dec 2016 22:50:25 +0000 (23:50 +0100)]
aaa-cli-jar file size significantly reduced from 12 MB to 2.5 MB
it's now simply called aaa-cli-jar-*.jar instead of
aaa-cli-jar-*-jar-with-dependencies.jar
instead of the current 12 MB JAR file size, by assembling it using
maven-shade-plugin instead of the maven-assembly-plugin, which even
without minimizeJar leads to a 5.7, and with some clever minimizeJar
tweaking lets us make this just 2.5 MB.
Change-Id: I687605b62101d4136e02350efba0af4ddbfbbfa7
Signed-off-by: Michael Vorburger <vorburger@redhat.com>
Michael Vorburger [Mon, 12 Dec 2016 23:02:31 +0000 (00:02 +0100)]
aaa-h2-store file size reduced by 1.7 MB
by avoid to include H2 JAR in this bundle JAR; this should be not
required, because the class files of the H2 JAR are already in this
bundle JAR ("inlined"); they don't have to be there twice...
read also
http://felix.apache.org/documentation/subprojects/apache-felix-maven-bundle-plugin-bnd.html#embed-dependency-and-export-package
for more background about this
Change-Id: I660a8edf26ba793af1a859aae24bd6b5778d3cc8
Signed-off-by: Michael Vorburger <vorburger@redhat.com>
melserngawy [Fri, 2 Dec 2016 21:19:59 +0000 (16:19 -0500)]
Add MD-SAL authn model to shiro.ini
Set the MD-SAL authn-model REST url at shiro.in
to be accessible by admin role only
Change-Id: I84d6cd7adb3054dbb9673868d2c14cb5d84bd7cd
Signed-off-by: melserngawy <melserngawy@inocybe.com>
Mohamed El-Serngawy [Wed, 10 Aug 2016 15:31:25 +0000 (11:31 -0400)]
Clean the aaa features
- Remove odl-aaa-authn-no-cluster feature same as odl-aaa-authn feature
- Remove odl-aaa-authn-sssd-no-cluster feature as it was depend on
odl-aaa-authn-no-cluster
Change-Id: Ie70b968530e4dba2c5b41262e1447918fa15f532
Signed-off-by: Mohamed El-Serngawy <melserngawy@inocybe.com>
Ryan Goulding [Tue, 29 Nov 2016 18:54:37 +0000 (18:54 +0000)]
Merge "New AAA CLI standalone JAR to create users and set passwords"
Michael Vorburger [Mon, 21 Nov 2016 15:43:45 +0000 (16:43 +0100)]
Introduce IdMServiceImpl, refactoring IdmLightProxy
This would make it easier to re-use this code from other places, such as
the planned new CLI utility.
Change-Id: I3c2c5d210d6c34602ecf41a7e84a3a1fb4d9d6aa
Signed-off-by: Michael Vorburger <vorburger@redhat.com>
Michael Vorburger [Tue, 15 Nov 2016 18:04:37 +0000 (19:04 +0100)]
New AAA CLI standalone JAR to create users and set passwords
This creates a (new) "executable fat JAR", which is NOT an OSGi bundle,
allowing installation tools such as the one used by Tim Rozet for OPNFV,
to create users and set passwords, without requiring ODL REST API to
run, and (more importantly) without knowing the current password.
As discussed and agreed with Ryan Goulding and others during the weekly
"Kernel call" on Tuesday Nov 15th this is still secure, as it's based on
physical access to the database file.
https://wiki.opendaylight.org/view/AAA:Changing_Account_Passwords has
end-user facing documentation (which may be updated as this gets
merged, perhaps later packaged, etc.)
Change-Id: I0f9f991520128b53460b3ee80dbbe0b4b824ca5b
Signed-off-by: Michael Vorburger <vorburger@redhat.com>
Michael Vorburger [Tue, 22 Nov 2016 12:49:45 +0000 (13:49 +0100)]
StoreBuilder improvements for re-use from Main CLI, and security
Change-Id: Ic10b8dce469a279ac6bb98e6313ee3b82932e299
Signed-off-by: Michael Vorburger <vorburger@redhat.com>
Ryan Goulding [Mon, 21 Nov 2016 21:53:57 +0000 (21:53 +0000)]
Merge "De-static-ify H2Store's IdmLightConfig and intro. proper design"
Ryan Goulding [Mon, 21 Nov 2016 21:53:35 +0000 (21:53 +0000)]
Merge "Move StoreBuilder from idmlight to api"
Michael Vorburger [Mon, 21 Nov 2016 15:51:09 +0000 (16:51 +0100)]
Move StoreBuilder from idmlight to api
This makes it easier to re-use this code from other places, such as the
planned new CLI utility (in which I'd like to avoid a dependency to
idmlight, which is full of OSGi and REST related code).
Change-Id: If46ebb5929208ddd2583426df88200edf61b0b53
Signed-off-by: Michael Vorburger <vorburger@redhat.com>
Michael Vorburger [Mon, 21 Nov 2016 16:30:29 +0000 (17:30 +0100)]
IdmLightConfig use File.separatorChar instead of '/'
This was always already a '/' in the original code before my recent
refactorings (and, presumably, never caused issues on Windows), but as
requested by Ryan in
https://git.opendaylight.org/gerrit/#/c/48372/8/aaa-h2-store/src/main/java/org/opendaylight/aaa/h2/config/IdmLightConfig.java@121
Change-Id: Ibe08409a71d58fd099c4c653c6053627e35229ec
Signed-off-by: Michael Vorburger <vorburger@redhat.com>
Michael Vorburger [Tue, 15 Nov 2016 19:54:01 +0000 (20:54 +0100)]
De-static-ify H2Store's IdmLightConfig and intro. proper design
This is required to be able to configure a H2Store with an
IdmLightConfig, e.g. from the upcoming new CLI tool.
The intention then is to use this to subsequently introduce a real JDBC
Connection Pool on top of this new API. As a first step, the changes
introduced here (should, hopefully) functionally still make it behave
exactly as the current implementation.
Change-Id: Ia28f5eb9c154c5c74fcef7ad285eee8b6be32ffb
Signed-off-by: Michael Vorburger <vorburger@redhat.com>
Michael Vorburger [Tue, 15 Nov 2016 18:18:42 +0000 (19:18 +0100)]
H2Store IdmLightConfig made configurable (immutable)
Change-Id: I13a93fa6bd8e72617ba7831fbc408580145c0807
Signed-off-by: Michael Vorburger <vorburger@redhat.com>
Ryan Goulding [Fri, 11 Nov 2016 22:20:47 +0000 (22:20 +0000)]
Merge "Revert "Fix the unit Test""
Ryan Goulding [Fri, 11 Nov 2016 21:14:34 +0000 (21:14 +0000)]
Revert "Fix the unit Test"
This reverts commit
359f27de1b5ba0c75bd488f84e797a24122172a1.
Change-Id: Ia8ca62266513ddd58e8518bd88f71b39b094c495
Signed-off-by: Ryan Goulding <ryandgoulding@gmail.com>
Ryan Goulding [Fri, 11 Nov 2016 14:21:48 +0000 (14:21 +0000)]
Merge "Add change ODL user password command"
Ryan Goulding [Fri, 11 Nov 2016 14:20:58 +0000 (14:20 +0000)]
Merge "Fix the unit Test"
Mohamed El-Serngawy [Wed, 9 Nov 2016 21:56:40 +0000 (16:56 -0500)]
Add change ODL user password command
Change-Id: I2303a70e1edb38f30a7e02a6c68a3844e1fad8a9
Signed-off-by: Mohamed El-Serngawy <melserngawy@inocybe.com>
Ryan Goulding [Thu, 10 Nov 2016 17:08:23 +0000 (17:08 +0000)]
Merge "Update the rpc description with the right names"
Ryan Goulding [Thu, 10 Nov 2016 16:56:06 +0000 (16:56 +0000)]
Merge "Add get-cipher-suites command"
Mohamed El-Serngawy [Wed, 9 Nov 2016 18:43:25 +0000 (13:43 -0500)]
Update the rpc description with the right names
Change-Id: I4d7d98c27e5d8200e1b1bdaf5c459860cf9c76b2
Signed-off-by: Mohamed El-Serngawy <melserngawy@inocybe.com>
Mohamed El-Serngawy [Wed, 9 Nov 2016 19:09:38 +0000 (14:09 -0500)]
Add get-cipher-suites command
Change-Id: Ib5e0f75ef38a9885b3007165eb8fe8092576644e
Signed-off-by: Mohamed El-Serngawy <melserngawy@inocybe.com>
Michael Vorburger [Thu, 10 Nov 2016 14:39:15 +0000 (15:39 +0100)]
Checkstyle configuration clean-up, removing what is now in odlparent
This is more consistent with how other projects do it now, and more
importantly makes Checkstlye work under Eclipse for AAA (kinda, see
below), to correctly ignore generated code (which without this change it
doesn't, and you get lots of red). It also helps avoid a major
confusion at least I just had when debugging this problem.. ;-)
It's actually not EXACTLY the same configuration as the one in
odlparent; in aaa someone had come up with a "trick" using
<sourceDirectory>${project.basedir}, presumable to scan not just src/**
but even root and other directories; this technically looses that, but I
think in the short term for consistency that's better. In the medium
term, maybe I'll try to see if that approach could be generally applied
to odlparent.
This change does not touch AAA's use of yangtools' checkstyle-logging,
which is currently discouraged because it breaks Eclipse; more about
that perhaps in a separate future Gerrit.
Change-Id: I94acce1111004a287c1566f058fa1a010829266f
Signed-off-by: Michael Vorburger <vorburger@redhat.com>
Michael Vorburger [Wed, 9 Nov 2016 14:54:28 +0000 (15:54 +0100)]
target-ide/ on .gitignore
Change-Id: I918c5b51810973f0d91ad935578e54b5243281b7
Signed-off-by: Michael Vorburger <vorburger@redhat.com>
Mohamed El-Serngawy [Wed, 2 Nov 2016 19:13:05 +0000 (15:13 -0400)]
Fix the unit Test
update the old unit test classes with the new refactored classes
Change-Id: I43438fcb0a6724c1bbbe6956d169f6b7f93a4b6c
Signed-off-by: Mohamed El-Serngawy <melserngawy@inocybe.com>
Ryan Goulding [Tue, 1 Nov 2016 14:52:28 +0000 (14:52 +0000)]
Merge "Refactor the aaa-cert bundle"
melserngawy [Fri, 21 Oct 2016 21:27:36 +0000 (17:27 -0400)]
Refactor the aaa-cert bundle
Refactoring the aaa-cert bundle to have one service managing
the certificates and keystores in ODL.
Change-Id: Ie17a1c868fb9d2a22772ffe4dc4237e594b9e87b
Signed-off-by: melserngawy <melserngawy@inocybe.com>
Mohamed El-Serngawy [Wed, 26 Oct 2016 21:37:57 +0000 (17:37 -0400)]
Remove the encryption Tag
As the cipher is appended with the encryption tag, if the tag value
modified or changed the encryption service refuse to decrypt the cipher
and actually it is useless.
Change-Id: Iff49bc7a43547d258eccddb695781105af24b3b6
Signed-off-by: Mohamed El-Serngawy <melserngawy@inocybe.com>
Ryan Goulding [Thu, 20 Oct 2016 20:34:13 +0000 (16:34 -0400)]
Remove stale AAA IDM REST information
The curl commands documented have fallen out of sync with the data model.
The updated documentation is located in the proper docs now. idmtool
is also suggested as a means to manipulate AAA IDM data.
Change-Id: If403f176f6f49b04be6cba92c90dca057e04ea5e
Signed-off-by: Ryan Goulding <ryandgoulding@gmail.com>
Mohamed El-Serngawy [Thu, 20 Oct 2016 18:59:37 +0000 (18:59 +0000)]
Merge "Fix branding in idmtool script"
Mohamed El-Serngawy [Thu, 20 Oct 2016 18:59:00 +0000 (18:59 +0000)]
Merge "Fix AaaCertMdsalProvider service and AaaCert RPC service"
Mohamed El-Serngawy [Wed, 12 Oct 2016 18:30:35 +0000 (14:30 -0400)]
Fix AaaCertMdsalProvider service and AaaCert RPC service
The aaa-cert blueprint was missing the dependancy service of AaaCertMdsalProvider
(Databroker and EncryptionService) adding them to blueprint.
Adding the AaaCertRPCService to the blueprint and seperate the implementation from
AaaCertProvider
Change-Id: Ic9708e09a0d55eb839c29a6c07d1995cef499be1
Signed-off-by: Mohamed El-Serngawy <melserngawy@inocybe.com>
Ryan Goulding [Thu, 20 Oct 2016 15:39:46 +0000 (11:39 -0400)]
Fix branding in idmtool script
Change-Id: I5a6a0cee359dde3b273ecba5bcacadc1fc439e30
Signed-off-by: Ryan Goulding <ryandgoulding@gmail.com>
Alexis de Talhouët [Tue, 18 Oct 2016 21:20:34 +0000 (17:20 -0400)]
Bug 6956 - Do not wrap Guava as a bundle in the feature definition
Guava should only be provided as a dependency, and don't need to be
provided within the feature definition as a bundle.
Doing so could potentially have bad effect: e.g. DLUX feature pulls in Guava
the same way, which will trigger the Guava bundle to be refresh, thus
the AAA bundles tied to the feature pulling it in will be refreshed as
well, and this is corrupting functionalities as per as the reported
BUG.
Change-Id: If519c51c4a47a5b7e9e76f793ee81bba565d0d16
Signed-off-by: Alexis de Talhouët <adetalhouet@inocybe.com>
Ryan Goulding [Thu, 13 Oct 2016 21:21:51 +0000 (17:21 -0400)]
Moon authentication url should specify http protocol
Since moon communicates using HTTP, specify the protocol as part of
the URL. This change simply changes the template to include the
protocol in the URL since parsing will fail otherwise.
Change-Id: I04677a3d18cfcd1d082892780bd26c31c5b8d930
Signed-off-by: Ryan Goulding <ryandgoulding@gmail.com>
Mohamed El-Serngawy [Thu, 6 Oct 2016 17:31:36 +0000 (17:31 +0000)]
Merge "AAA Moon Authentication Module support"
Alioune [Thu, 15 Sep 2016 21:21:31 +0000 (23:21 +0200)]
AAA Moon Authentication Module support
Adds support for authentication w/ OpenStack through the OPNFV Moon
module. This functionality is optional and turned off by default.
To enable this functionality, reference notes in the shiro.ini file
surrounding moon fundamentals.
Change-Id: Ieae82e7a7f07fe6fc49dd5bd8c29d037eadadf4e
Changea-Id: If8933c66540ecc862ffc6c4d7f9496089664a5e9
Signed-off-by: Alioune BA <alioune.ba@orange.com>
Signed-off-by: Ryan Goulding <ryandgoulding@gmail.com>
Mohamed El-Serngawy [Wed, 5 Oct 2016 21:39:13 +0000 (17:39 -0400)]
Move aaa-cert to blueprint
Change-Id: I14642474cbf7b8e7e5a34d10f782a376ee038f5c
Signed-off-by: Mohamed El-Serngawy <melserngawy@inocybe.com>
Mohamed El-Serngawy [Tue, 4 Oct 2016 21:01:31 +0000 (21:01 +0000)]
Merge "Auto-detect secure HTTP in the idmtool script"
Ryan Goulding [Tue, 4 Oct 2016 03:29:01 +0000 (23:29 -0400)]
Auto-detect secure HTTP in the idmtool script
This enables auto-detection of secure HTTP (SSL, TLS) through taking a peek
into org.ops4j.pax.web.cfg. If HTTPS is enabled, then it is preferred over
HTTP. This behavior can still be overridden through the use of the
"--target-host" option during idmtool script invocation. The script attempts
to use the specified HTTPS port from the pax web config. If no such port is
specified (perfectly valid), then the default port, 8443, is utilized. If
HTTPS is not enabled, then HTTP is used.
The value in this is that controllers should run HTTPS on Northbound RESTCONF,
and currently to make this script work with an HTTPS controller the
--target-host option needs to be specified. This makes administering a
controller with HTTPS harder and there are more steps to remember. If anything,
a product should aim to make security easier so it is actually utilized.
Again, if a more advanced configuration is needed, the "--target-host" will
override the default behavior. This simply enforces best security practices
as default, falling back on insecure options if needed.
Change-Id: I544a23d0266cef90cab01f28c8bb970ffcc9ddb6
Signed-off-by: Ryan Goulding <ryandgoulding@gmail.com>
Stephen Kitt [Mon, 26 Sep 2016 20:57:42 +0000 (13:57 -0700)]
Use config-parent
This patch switches the relevant POMs to use config-parent instead of
re-specifying the appropriate Maven plugins. It also drops
yang-gen-{config,sal} from .gitignore since they are now in target.
Change-Id: I5d27111d7061cf02d55bad3173e299f289671df1
Signed-off-by: Stephen Kitt <skitt@redhat.com>
Ryan Goulding [Fri, 23 Sep 2016 15:49:19 +0000 (15:49 +0000)]
Merge "move aaa-encrypiotn service to blueprint"
Mohamed El-Serngawy [Thu, 15 Sep 2016 22:00:18 +0000 (18:00 -0400)]
move aaa-encrypiotn service to blueprint
Change-Id: If17c833f11175c16940d9d2e70a8770d90ae8852
Signed-off-by: Mohamed El-Serngawy <melserngawy@inocybe.com>
Stephen Kitt [Thu, 11 Aug 2016 12:58:50 +0000 (14:58 +0200)]
BUG-6341: use common Cassandra and Coda Hale Metrics
This depends on https://git.opendaylight.org/gerrit/43717
This patch pulls in the odlparent-defined version of Netty; this is
currently compatible with the Cassandra driver, and future upgrades
will have to bear this in mind.
Change-Id: I4401553b2e529045bf6f9e19ea8c763834f43210
Signed-off-by: Stephen Kitt <skitt@redhat.com>
Mohamed El-Serngawy [Tue, 13 Sep 2016 21:58:04 +0000 (17:58 -0400)]
Re-organize the features module
Combine the aaa-cert and aaa-cli feature modules with the authn feature module
Change-Id: I31b2169bc83b35898f9d23a823e51948274cbd1d
Signed-off-by: Mohamed El-Serngawy <melserngawy@inocybe.com>
melserngawy [Fri, 9 Sep 2016 20:52:41 +0000 (16:52 -0400)]
Re-organize the features module
Combine the api and authz feature modules with the authn feature module
Change-Id: Iafe456adb52dbecedaa56f38c829383b7d3817f2
Signed-off-by: melserngawy <melserngawy@inocybe.com>
Ryan Goulding [Mon, 29 Aug 2016 19:31:42 +0000 (15:31 -0400)]
Bug 6574: Empty groupRolesMap for ODLJndiLdapRealm should map groups directly to roles
If groupRolesMap is not provided in shiro.ini, then the groups extracted
from LDAP are used directly. This is needed for backwards compatability with
Beryllium based behavior.
Change-Id: I39ad01eed55b7e346ff34fa13d93c595c2795739
Signed-off-by: Ryan Goulding <ryandgoulding@gmail.com>
Mohamed El-Serngawy [Wed, 24 Aug 2016 14:22:53 +0000 (10:22 -0400)]
Bug 6525: Restrict access to AAA-Certificate REST APIs to
Opendaylight Admin role only.
Change-Id: I1b8344f4e8ba64def6f791c68fca0715f176df0d
Signed-off-by: Mohamed El-Serngawy <melserngawy@inocybe.com>
Mohamed El-Serngawy [Wed, 10 Aug 2016 21:56:32 +0000 (17:56 -0400)]
Bug 6425: Move aaa-mdsal-store bundle to use blueprint
Change-Id: I3aad96123f70260c12419f956a2ca76fdcb98f25
Signed-off-by: Mohamed El-Serngawy <melserngawy@inocybe.com>
melserngawy [Fri, 5 Aug 2016 15:13:56 +0000 (17:13 +0200)]
Bug 6424: move aaa-idmlight to use blueprint
Change-Id: I7c84ea21204b40e11135bba5a3c52a2901f4a78c
Signed-off-by: melserngawy <melserngawy@inocybe.com>
Ryan Goulding [Tue, 9 Aug 2016 15:39:08 +0000 (15:39 +0000)]
Merge "Move aaa-h2-store bundle to use blueprint"
Thanh Ha [Mon, 8 Aug 2016 21:50:11 +0000 (17:50 -0400)]
Bump versions by 0.1.0 for next dev cycle
Change-Id: I3af7fbc22b54e10bf4497b344c2137cc59102b30
Signed-off-by: Thanh Ha <thanh.ha@linuxfoundation.org>
Ryan Goulding [Mon, 8 Aug 2016 03:17:23 +0000 (23:17 -0400)]
Remove stale code from aaa-idmlight bundle
There is a bunch of bash scripts and json included in the aaa-idmlight bundle
that are there for historic reasons only. These scripts do not reflect the
new data models that have been used for AAA since Beryllium, and thus are confusing
at best. This change removes this dated code to avoid confusion and clean
up the code base.
Change-Id: Ib698c9823227d9648b65881993276c9c187e3443
Signed-off-by: Ryan Goulding <ryandgoulding@gmail.com>
Mohamed El-Serngawy [Fri, 5 Aug 2016 14:58:22 +0000 (14:58 +0000)]
Merge "Add groupRolesMap configuration option for ODLJndiLdapRealm"
Ryan Goulding [Thu, 4 Aug 2016 08:45:30 +0000 (04:45 -0400)]
Add groupRolesMap configuration option for ODLJndiLdapRealm
Shiro provides a nice configuration option called groupRolesMap for
ActiveDirectoryRealm. Since JndiLdapRealm provides a default
getAuthorizationInfo() that just returns null, it does not perform
any authorization. ODLJndiLdapRealm was designed to add a useful
getAuthorizationInfo() implementation, which performs LDAP queries
to determine LDAP membership information.
This patch adds the groupRolesMap functionality to ODLJndiLdapRealm
so that raw LDAP results can be mapped to ODL roles. This essentially
allows existing systems to be utilized without either recreating the
group structure in LDAP or role structure in ODL in order to map
correctly.
Change-Id: Id9f3bf5ca8f171e3c51e0c39867e70341eda1901
Signed-off-by: Ryan Goulding <ryandgoulding@gmail.com>
melserngawy [Thu, 4 Aug 2016 14:36:55 +0000 (16:36 +0200)]
Move aaa-h2-store bundle to use blueprint
Change-Id: I1a5ab1fbca359ba081add9da26be4710179488d7
Signed-off-by: melserngawy <melserngawy@inocybe.com>
Ryan Goulding [Thu, 4 Aug 2016 13:59:40 +0000 (13:59 +0000)]
Merge "Store the opendaylight's certificate and network Node's certificates to mdsal"
Mohamed El-Serngawy [Mon, 21 Mar 2016 20:48:23 +0000 (16:48 -0400)]
Store the opendaylight's certificate and network Node's certificates to mdsal
Opendaylight uses java keystore to store certificates. The keystore is used to establish a secure
SSL communication between Opendaylight and different protocols such as openflow and netconf. aaa-cert provides Opendaylight with
the ability to create different keytstores for each protocol and store these keystores into mdsal. As mdsal has its shard
data process across Opendaylight cluster nodes, the keystores will be syncronized across the cluster nodes.
Change-Id: I29ea84e4f2be9d66f7da74727baaf9ba343d1f9f
Signed-off-by: Mohamed El-Serngawy <melserngawy@inocybe.com>