aaa.git
7 years ago Bump versions by 0.1.0 for next dev cycle 02/43402/1
Thanh Ha [Mon, 8 Aug 2016 21:50:11 +0000 (17:50 -0400)]
Bump versions by 0.1.0 for next dev cycle

Change-Id: I3af7fbc22b54e10bf4497b344c2137cc59102b30
Signed-off-by: Thanh Ha <thanh.ha@linuxfoundation.org>
7 years ago Remove stale code from aaa-idmlight bundle 26/43326/1
Ryan Goulding [Mon, 8 Aug 2016 03:17:23 +0000 (23:17 -0400)]
Remove stale code from aaa-idmlight bundle

There is a bunch of bash scripts and json included in the aaa-idmlight bundle
that are there for historic reasons only.  These scripts do not reflect the
new data models that have been used for AAA since Beryllium, and thus are confusing
at best.  This change removes this dated code to avoid confusion and clean
up the code base.

Change-Id: Ib698c9823227d9648b65881993276c9c187e3443
Signed-off-by: Ryan Goulding <ryandgoulding@gmail.com>
7 years ago Merge "Add groupRolesMap configuration option for ODLJndiLdapRealm"
Mohamed El-Serngawy [Fri, 5 Aug 2016 14:58:22 +0000 (14:58 +0000)]
Merge "Add groupRolesMap configuration option for ODLJndiLdapRealm"

7 years ago Add groupRolesMap configuration option for ODLJndiLdapRealm 43/43143/3
Ryan Goulding [Thu, 4 Aug 2016 08:45:30 +0000 (04:45 -0400)]
Add groupRolesMap configuration option for ODLJndiLdapRealm

Shiro provides a nice configuration option called groupRolesMap for
ActiveDirectoryRealm.  Since JndiLdapRealm provides a default
getAuthorizationInfo() that just returns null, it does not perform
any authorization.  ODLJndiLdapRealm was designed to add a useful
getAuthorizationInfo() implementation, which performs LDAP queries
to determine LDAP membership information.

This patch adds the groupRolesMap functionality to ODLJndiLdapRealm
so that raw LDAP results can be mapped to ODL roles.  This essentially
allows existing systems to be utilized without either recreating the
group structure in LDAP or role structure in ODL in order to map
correctly.

Change-Id: Id9f3bf5ca8f171e3c51e0c39867e70341eda1901
Signed-off-by: Ryan Goulding <ryandgoulding@gmail.com>
7 years ago Merge "Store the opendaylight's certificate and network Node's certificates to mdsal"
Ryan Goulding [Thu, 4 Aug 2016 13:59:40 +0000 (13:59 +0000)]
Merge "Store the opendaylight's certificate and network Node's certificates to mdsal"

7 years ago Store the opendaylight's certificate and network Node's certificates to mdsal 14/36514/17
Mohamed El-Serngawy [Mon, 21 Mar 2016 20:48:23 +0000 (16:48 -0400)]
Store the opendaylight's certificate and network Node's certificates to mdsal

Opendaylight uses java keystore to store certificates. The keystore is used to establish a secure
SSL communication between Opendaylight and different protocols such as openflow and netconf. aaa-cert provides Opendaylight with
the ability to create different keystores for each protocol and store these keystores into mdsal. As mdsal has its shard
data process across Opendaylight cluster nodes, the keystores will be synchronized across the cluster nodes.

Change-Id: I29ea84e4f2be9d66f7da74727baaf9ba343d1f9f
Signed-off-by: Mohamed El-Serngawy <melserngawy@inocybe.com>
7 years ago Bug 6278: Switch to use odlparent's karaf-parent 98/42698/1
Ryan Goulding [Thu, 28 Jul 2016 04:08:51 +0000 (00:08 -0400)]
Bug 6278: Switch to use odlparent's karaf-parent

karaf-parent was moved from controller to odlparent in the following:

https://git.opendaylight.org/gerrit/#/42650/

This change switches karaf to inherit from odlparent's karaf-parent
added in the above commit.

Change-Id: If083aed05dd3b6dffb738180f34f409fde1302fb
Signed-off-by: Ryan Goulding <ryandgoulding@gmail.com>
7 years ago Remove stale documentation from aaa-filterchain javadocs 17/42017/1
Ryan Goulding [Mon, 18 Jul 2016 23:19:10 +0000 (19:19 -0400)]
Remove stale documentation from aaa-filterchain javadocs

Documentation stated that Filter bundles may need to be dynamically imported;
since aaa-filterchain dynamically imports bundles anyway, this step is not
necessary.

Change-Id: If4317c8b72a395a22247259286d29c055cb1a72f
Signed-off-by: Ryan Goulding <ryandgoulding@gmail.com>
7 years ago Remove old sssd documentation 92/41792/1
Colin Dixon [Wed, 13 Jul 2016 23:34:52 +0000 (19:34 -0400)]
Remove old sssd documentation

It looks like it hasn't been updated since 2014, which means it's unlikely
to be correct and it is causing WARNINGs when we build the docs now that
aaa is included as a submodule of docs.

Change-Id: I0231057683b26de12144e38b974f8b8dcb7eecad
Signed-off-by: Colin Dixon <colin@colindixon.com>
7 years ago Merge "Upgrade ietf-{inet,yang}-types to 2013-07-15"
Mohamed El-Serngawy [Tue, 5 Jul 2016 13:45:17 +0000 (13:45 +0000)]
Merge "Upgrade ietf-{inet,yang}-types to 2013-07-15"

8 years ago Upgrade ietf-{inet,yang}-types to 2013-07-15 58/41058/1
Lorand Jakab [Wed, 29 Jun 2016 20:52:35 +0000 (15:52 -0500)]
Upgrade ietf-{inet,yang}-types to 2013-07-15

Change-Id: I7152164eb35516bc78671cb04d378ad98957065e
Signed-off-by: Lorand Jakab <lojakab@cisco.com>
8 years ago Modify Activator output to more accurately define loading state 45/41045/1
Ryan Goulding [Wed, 29 Jun 2016 19:46:25 +0000 (15:46 -0400)]
Modify Activator output to more accurately define loading state

Change the Activator output to reflect that a service is in the process of being
injected rather than claiming it is missing.  This is more accurate since it
reflects that the service is in the process of being resolved.

Change-Id: I6e126f2a3f2c43afc60e52fdf4b5e585afcda34b
Signed-off-by: Ryan Goulding <ryandgoulding@gmail.com>
8 years ago update openflowplugin dependency for aaa-cert feature 78/40978/1
melserngawy [Wed, 29 Jun 2016 04:38:35 +0000 (00:38 -0400)]
update openflowplugin dependency for aaa-cert feature

Change-Id: I025615f2a000da37db153028e5de9785bad98313
Signed-off-by: melserngawy <melserngawy@inocybe.com>
8 years ago Merge "Fix for Bug 6082 - idpmapping will failed for the case sensitivity"
Ryan Goulding [Tue, 21 Jun 2016 14:22:08 +0000 (14:22 +0000)]
Merge "Fix for Bug 6082 - idpmapping will failed for the case sensitivity"

8 years ago Add config POM modules back 05/40605/1
Vratko Polak [Tue, 21 Jun 2016 11:12:56 +0000 (13:12 +0200)]
Add config POM modules back

Otherwise Boron autorelease fails on this:
[WARNING] The POM for org.opendaylight.aaa:aaa-authn-mdsal-config:xml:config:0.4.0-Boron is missing, no dependency information available

Change-Id: I59d01c3811f318b980eddaaa6a0478f411aee2b7
Signed-off-by: Vratko Polak <vrpolak@cisco.com>
8 years ago Fix for Bug 6082 - idpmapping will failed for the case sensitivity 83/40583/1
Suvitha Balu [Tue, 21 Jun 2016 07:57:36 +0000 (13:27 +0530)]
Fix for Bug 6082 - idpmapping will failed for the case sensitivity

Change-Id: Iec3f09e32e0ce0daa15314ae63088e8ac3024861
Signed-off-by: Suvitha Balu <suvitha.balu@tcs.com>
8 years ago Use odlparent-lite for aggregator 82/38482/6
Alexis de Talhouët [Thu, 5 May 2016 22:45:45 +0000 (18:45 -0400)]
Use odlparent-lite for aggregator

Change-Id: I33cfd551dcd28f0a9261e83887e0dc9520099a34
Signed-off-by: Alexis de Talhouët <adetalhouet@inocybe.com>
8 years ago Modify idmtool insecure option to work with older versions of requests 58/39258/1
Ryan Goulding [Mon, 23 May 2016 13:53:21 +0000 (09:53 -0400)]
Modify idmtool insecure option to work with older versions of requests

The idmtool script utilizes the requests library to interact with the AAA
REST endpoints.  Older versions of the requests library are not set up to
utilize certain urllib3 packages, which results in the following error
message when the script is run with --insecure mode enabled:

Traceback (most recent call last):
  File "idmtool", line 236, in <module>
    requests.packages.urllib3.disable_warnings()
AttributeError: 'module' object has no attribute 'packages'

This change utilizes standard system libraries (warnings) to disable SSL
Error output.  The attempt is made at "best-effort";  that is, if the attempt
to disable fails, the script will still work, but some verbose output will be
rendered to stdout.  This is a much more robust way of implementing the
verbosity control logic within the idmtool script context.

Change-Id: Ia32736d27a6f351170bae895832c056f7d8f84a5
Signed-off-by: Ryan Goulding <ryandgoulding@gmail.com>
8 years ago Encryption Service For AAA that uses a unified key to encryp and decrypt string for... 26/38126/10
Sharon Aicler [Wed, 27 Apr 2016 00:38:13 +0000 (17:38 -0700)]
Encryption Service For AAA that uses a unified key to encryp and decrypt string for usage in ODL

Change-Id: Ic2d576c3c8ed42f3f7fc42afeac3af78a847febd
Signed-off-by: Sharon Aicler <saichler@cisco.com>
8 years ago Merge "Cassandra Store for AAA"
Ryan Goulding [Fri, 20 May 2016 00:57:04 +0000 (00:57 +0000)]
Merge "Cassandra Store for AAA"

8 years ago Enhance idmtool to allow disabling https certificate verification 24/39124/1
Ryan Goulding [Tue, 17 May 2016 19:42:14 +0000 (15:42 -0400)]
Enhance idmtool to allow disabling https certificate verification

Adds the capability to disable https certificate verification through
the "-k" or "--insecure" flag.  This vernacular was chosen to closely
mimic curl's interface.  If this mode is enabled, then an appropriate
warning message is printed to make it painfully obvious that HTTPS
certificates are not verified.  This behavior is completely optional,
and is not enabled by default.

Additionally, exception reporting was improved to isolate SSLError(s);
if an SSLError is encountered then it is reported as a possible SSL
issue instead of with the standard "Are you sure the controller is up?"
message.

Change-Id: Ibc138d073d170d76164e928eb0d0cc99f704514c
Signed-off-by: Ryan Goulding <ryandgoulding@gmail.com>
(cherry picked from commit 77d2cba2257e306c2c00eb151d69692e2da7a296)

8 years ago Cassandra Store for AAA 27/30327/7
Sharon Aicler [Sun, 29 Nov 2015 17:22:15 +0000 (09:22 -0800)]
Cassandra Store for AAA

Change-Id: I01a500594c55c5cac163642653164b5390f57b76
Signed-off-by: Sharon Aicler <saichler@cisco.com>
8 years ago Bug 5901 Add in explicit version for aaa-authz-model 96/38996/2
Ryan Goulding [Tue, 17 May 2016 17:26:51 +0000 (13:26 -0400)]
Bug 5901 Add in explicit version for aaa-authz-model

https://git.opendaylight.org/gerrit/#/c/38481/4/aaa-authz/aaa-authz-model/pom.xml
broke the build by not overriding the parent version in favor
of the AAA version.

Change-Id: Ic4886a3958fbbdf96cbf97b734605a8af669a63b
Signed-off-by: Ryan Goulding <ryandgoulding@gmail.com>
8 years ago Bump Checkstyle version from 6.2 to 6.16 74/38874/2
Michael Vorburger [Fri, 13 May 2016 13:52:17 +0000 (15:52 +0200)]
Bump Checkstyle version from 6.2 to 6.16

Java 8 lambda / closure indentation rule changed in Checkstyle!

Change-Id: I00e7e506f320833b6c8b3f450ab3d372bdc2725d
Signed-off-by: Michael Vorburger <vorburger@redhat.com>
8 years ago Remove unused geronimo dependencies 78/38878/1
Ryan Goulding [Fri, 13 May 2016 14:30:54 +0000 (10:30 -0400)]
Remove unused geronimo dependencies

Just removes the geronimo JTA dependencies as they aren't used.

Change-Id: Ib1fbad93d25a908a2102ac2428e0b07b44ff602f
Signed-off-by: Ryan Goulding <ryandgoulding@gmail.com>
8 years ago Git ignore .checkstyle file create by Eclipse Checkstyle plugin 56/38756/1
Michael Vorburger [Thu, 12 May 2016 11:37:49 +0000 (13:37 +0200)]
Git ignore .checkstyle file create by Eclipse Checkstyle plugin

Change-Id: Ia85e023fb839abdb813eca00a5bbb33f85bc2c92
Signed-off-by: Michael Vorburger <vorburger@redhat.com>
8 years ago Merge "Use binding-parent for api"
Ryan Goulding [Fri, 6 May 2016 19:23:54 +0000 (19:23 +0000)]
Merge "Use binding-parent for api"

8 years ago Merge "Remove useless version in dependencies"
Ryan Goulding [Fri, 6 May 2016 19:20:32 +0000 (19:20 +0000)]
Merge "Remove useless version in dependencies"

8 years ago Merge "Fix the compilation error"
Ryan Goulding [Fri, 6 May 2016 17:31:01 +0000 (17:31 +0000)]
Merge "Fix the compilation error"

8 years ago Remove useless version in dependencies 83/38483/4
Alexis de Talhouët [Thu, 5 May 2016 22:46:01 +0000 (18:46 -0400)]
Remove useless version in dependencies

Change-Id: Iae0c325dc411a9c46476f1bf8c5c2cefc4472192
Signed-off-by: Alexis de Talhouët <adetalhouet@inocybe.com>
8 years ago Use binding-parent for api 81/38481/4
Alexis de Talhouët [Thu, 5 May 2016 22:45:00 +0000 (18:45 -0400)]
Use binding-parent for api

Change-Id: Ic2489d93ae46db1aaa1004fb56790fb167585d96
Signed-off-by: Alexis de Talhouët <adetalhouet@inocybe.com>
8 years ago Fix the compilation error 20/38520/2
Mohamed El-Serngawy [Fri, 6 May 2016 16:18:43 +0000 (12:18 -0400)]
Fix the compilation error

fix jetty-servlet-tester dependency with org.mortbay.jetty to avoid
conflict with org.eclipse.jetty dependency and ignore aaa-authn-federation
for now

Change-Id: I2d7bb080e625c10016a5d66d43ac40846bde36a3
Signed-off-by: Mohamed El-Serngawy <melserngawy@inocybe.com>
8 years ago Ignore failing tests due to jetty 19/38519/2
Alexis de Talhouët [Fri, 6 May 2016 15:56:32 +0000 (11:56 -0400)]
Ignore failing tests due to jetty

Change-Id: I591a0ea079f80fd8499fec58872fbc470f5c050d
Signed-off-by: Alexis de Talhouët <adetalhouet@inocybe.com>
8 years ago Merge "Remove the odl-aaa-keystone-plugin feature"
Ryan Goulding [Mon, 25 Apr 2016 20:15:43 +0000 (20:15 +0000)]
Merge "Remove the odl-aaa-keystone-plugin feature"

8 years ago Remove the odl-aaa-keystone-plugin feature 68/38068/2
Ryan Goulding [Mon, 25 Apr 2016 16:57:37 +0000 (12:57 -0400)]
Remove the odl-aaa-keystone-plugin feature

Since this feature doesn't do anything, the AAA team has chosen to directly
remove it.  Since the feature never did anything, there is no need to wait
the extra release cycle.  The advantage to removing this earlier is fewer
queries surrounding a feature which doesn't work.  Prior to this commit,
the inclusion of this non-functional feature was misleading.

Change-Id: I24136b81dda6a45b13e6edccfb9ffac4468f83bb
Signed-off-by: Ryan Goulding <ryandgoulding@gmail.com>
8 years ago Bug 5801 aaa distribution-karaf should inherit from karaf-parent, not aaa-parent 82/38082/1
Ryan Goulding [Mon, 25 Apr 2016 14:42:41 +0000 (10:42 -0400)]
Bug 5801 aaa distribution-karaf should inherit from karaf-parent, not aaa-parent

This changes the parent for AAA karaf distribution from aaa-parent
to karaf-parent.  distribution-karaf was renamed "karaf" which is
more consistent with how other projects name their local karaf
distributions.

Change-Id: I478fa4b7da710351c871ee792611934576e30635
Signed-off-by: Ryan Goulding <ryandgoulding@gmail.com>
8 years ago Merge "Inherit nexusproxy property from odlparent"
Ryan Goulding [Mon, 25 Apr 2016 19:38:46 +0000 (19:38 +0000)]
Merge "Inherit nexusproxy property from odlparent"

8 years ago Revert "Bug 5801 aaa distribution-karaf should inherit from karaf-parent, not aaa... 79/38079/1
Ryan Goulding [Mon, 25 Apr 2016 19:22:46 +0000 (19:22 +0000)]
Revert "Bug 5801 aaa distribution-karaf should inherit from karaf-parent, not aaa-parent"

This will be redone with inclusion of correct groupId

This reverts commit 190996d1d2fc7e941edede025b27b40bb59a21aa.

Change-Id: Icfc3b16066dab510a8cc661c07ee905fe48347de
Signed-off-by: Ryan Goulding <ryandgoulding@gmail.com>
8 years ago Inherit nexusproxy property from odlparent 72/38072/3
Ryan Goulding [Mon, 25 Apr 2016 18:40:55 +0000 (14:40 -0400)]
Inherit nexusproxy property from odlparent

Inherit the "nexusproxy" property from odlparent instead of overriding
with our own, which is prone to becoming out of date.

Change-Id: I11e17bcccfa6f7c51e7a8233162f3434a9930ae4
Signed-off-by: Ryan Goulding <ryandgoulding@gmail.com>
8 years ago Bug 5801 aaa distribution-karaf should inherit from karaf-parent, not aaa-parent 66/38066/1
Ryan Goulding [Mon, 25 Apr 2016 14:42:41 +0000 (10:42 -0400)]
Bug 5801 aaa distribution-karaf should inherit from karaf-parent, not aaa-parent

This changes the parent for AAA karaf distribution from aaa-parent
to karaf-parent.  distribution-karaf was renamed "karaf" which is
more consistent with how other projects name their local karaf
distributions.

Change-Id: Ib3a7bebcc68da7326745a591a0479b0f1924b6a4
Signed-off-by: Ryan Goulding <ryandgoulding@gmail.com>
8 years ago Merge "Revert "Revert "Inherit metatype dependency version from odlparent"""
Ryan Goulding [Thu, 21 Apr 2016 21:21:57 +0000 (21:21 +0000)]
Merge "Revert "Revert "Inherit metatype dependency version from odlparent"""

8 years ago Revert "Revert "Inherit metatype dependency version from odlparent"" 27/37927/1
Ryan Goulding [Wed, 20 Apr 2016 15:59:54 +0000 (15:59 +0000)]
Revert "Revert "Inherit metatype dependency version from odlparent""

This reverts commit 30e384b2eb6b53b887d7b69c09a1a0235de1caff.

Change-Id: I1c72ff78d47da399cd00201e611e302fad8f59c8
Signed-off-by: Ryan Goulding <ryandgoulding@gmail.com>
8 years ago Depend on odlparent version of logback 44/37844/1
Ryan Goulding [Tue, 19 Apr 2016 21:44:53 +0000 (17:44 -0400)]
Depend on odlparent version of logback

Downstream dependencies should centralize dependency management
in odlparent.  This change technically temporarily downgrades
logback to 1.1.3, which is the one included with odlparent.  This
way, when logback is upgraded in odlparent, we get it for free.

Change-Id: Ibce99e34bc65db678390d37169c5cd924113f389
Signed-off-by: Ryan Goulding <ryandgoulding@gmail.com>
8 years ago Merge "Revert "Inherit metatype dependency version from odlparent""
Ryan Goulding [Tue, 19 Apr 2016 16:37:51 +0000 (16:37 +0000)]
Merge "Revert "Inherit metatype dependency version from odlparent""

8 years ago Revert "Inherit metatype dependency version from odlparent" 28/37828/1
Ryan Goulding [Tue, 19 Apr 2016 15:58:26 +0000 (15:58 +0000)]
Revert "Inherit metatype dependency version from odlparent"

This reverts commit c4a0cb5bd32f59076749affffb98906c860ea22b.

Change-Id: Ib0ef4e7298f6afd88d441b411bf79a343ef21a84
Signed-off-by: Ryan Goulding <ryandgoulding@gmail.com>
8 years ago Merge "Add a generic ShiroFilter for use with non-RESTCONF servlets"
Ryan Goulding [Tue, 19 Apr 2016 15:35:13 +0000 (15:35 +0000)]
Merge "Add a generic ShiroFilter for use with non-RESTCONF servlets"

8 years ago Add a generic ShiroFilter for use with non-RESTCONF servlets 17/37817/3
Ryan Goulding [Tue, 19 Apr 2016 14:03:56 +0000 (10:03 -0400)]
Add a generic ShiroFilter for use with non-RESTCONF servlets

AAAFilter is geared towards supporting RESTCONF and its noauth
functionality.  AAAShiroFilter differs in that it cannot be
disabled outside of AAA.  AAAFilter should only be used with
RESTCONF, while AAAShiroFilter should be used for all other
Servlet endpoints in ODL.

Change-Id: I000ba808eebed5a16d8449188eeca4ef9a9289e7
Signed-off-by: Ryan Goulding <ryandgoulding@gmail.com>
8 years ago Inherit metatype dependency version from odlparent 15/37815/1
Ryan Goulding [Tue, 19 Apr 2016 13:45:33 +0000 (09:45 -0400)]
Inherit metatype dependency version from odlparent

Instead of maintaining a separate metatype version in AAA, depend on
the common one from odlparent.

Change-Id: Iabc64bdd00bfe864ae44cdc28cd2f64d60d43736
Signed-off-by: Ryan Goulding <ryandgoulding@gmail.com>
8 years ago Merge "Add unit test for aaa-idmlight using jersey test framework"
Ryan Goulding [Thu, 14 Apr 2016 16:42:15 +0000 (16:42 +0000)]
Merge "Add unit test for aaa-idmlight using jersey test framework"

8 years ago Add unit test for aaa-idmlight using jersey test framework 13/37513/4
Mohamed El-Serngawy [Tue, 12 Apr 2016 21:14:01 +0000 (17:14 -0400)]
Add unit test for aaa-idmlight using jersey test framework

Change-Id: I8a15afb6d17daea406086139c5c4c6ddd78a136d
Signed-off-by: Mohamed El-Serngawy <melserngawy@inocybe.com>
8 years ago Lower log level for unsuccessful OAuth2 Requests to debug 70/37370/2
Ryan Goulding [Fri, 8 Apr 2016 23:41:16 +0000 (19:41 -0400)]
Lower log level for unsuccessful OAuth2 Requests to debug

Sometimes, this somewhat harmful sounding error message is triggered
based on the fact that not all AAA bundles have initialized.  The
message is somewhat useful, so its level was lowered, but now it
shouldn't appear by default.

To re-enable this audit message, please issue the following command
on the karaf shell:
> log:set DEBUG org.opendaylight.aaa.shiro.realm.TokenAuthRealm

Change-Id: I6739ae073dac7d75c293d4172bd4c1e014a5c9af
Signed-off-by: Ryan Goulding <ryandgoulding@gmail.com>
8 years ago Merge "Fix ant paths so that subpaths are represented"
Ryan Goulding [Fri, 8 Apr 2016 23:06:18 +0000 (23:06 +0000)]
Merge "Fix ant paths so that subpaths are represented"

8 years ago Fix ant paths so that subpaths are represented 63/37363/1
Ryan Goulding [Fri, 8 Apr 2016 21:32:45 +0000 (17:32 -0400)]
Fix ant paths so that subpaths are represented

Shiro urls use ant-style paths.  Prior to this change, extensions
off the default urls were not supported.  For example, auth/users
was protected but auth/users/1 (admin user) was not protected.

Change-Id: I0b540008501c037ee8c50e21ea518a6eec7df960
Signed-off-by: Ryan Goulding <ryandgoulding@gmail.com>
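
The gap described in the commit above (auth/users covered, auth/users/1 not) can be audited for in any Shiro-style [urls] section. This is an added example, not code from the AAA project: a simplified Ant-style matcher (not Shiro's own AntPathMatcher) run over constructed sample rules; the rule lines, filter chains and function names are assumptions.

```python
import re

# Constructed sample of a Shiro-style [urls] section (not the project's shiro.ini).
BEFORE = """
[urls]
/auth/users = authcBasic, roles[admin]
/auth/domains = authcBasic, roles[admin]
"""

# The same constructed rules with the subpath wildcard added.
AFTER = """
[urls]
/auth/users/** = authcBasic, roles[admin]
/auth/domains/** = authcBasic, roles[admin]
"""


def _segment_regex(segment):
    """Compile one Ant pattern segment: '?' is one char, '*' is any run of chars."""
    parts = []
    for ch in segment:
        if ch == "*":
            parts.append("[^/]*")
        elif ch == "?":
            parts.append("[^/]")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts) + r"\Z")


def _match(pattern_segs, path_segs):
    if not pattern_segs:
        return not path_segs
    head, rest = pattern_segs[0], pattern_segs[1:]
    if head == "**":
        # '**' absorbs zero or more whole path segments.
        return any(_match(rest, path_segs[i:]) for i in range(len(path_segs) + 1))
    if not path_segs:
        return False
    return bool(_segment_regex(head).match(path_segs[0])) and _match(rest, path_segs[1:])


def ant_match(pattern, path):
    """Simplified Ant-style match; empty segments (duplicate or trailing '/') are dropped."""
    return _match([s for s in pattern.split("/") if s],
                  [s for s in path.split("/") if s])


def parse_urls(ini_text):
    """Return the ordered (pattern, filter_chain) pairs of the [urls] section."""
    rules, in_urls = [], False
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            in_urls = line.lower() == "[urls]"
            continue
        if in_urls and "=" in line:
            pattern, chain = line.split("=", 1)
            rules.append((pattern.strip(), chain.strip()))
    return rules


def chain_for(rules, path):
    """First matching rule wins, as with Shiro URL rules; None means no filter applies."""
    for pattern, chain in rules:
        if ant_match(pattern, path):
            return pattern, chain
    return None


def uncovered_subpaths(rules, probe="1"):
    """For every literal (wildcard-free) rule, probe one child path and report
    the children that no rule matches, i.e. requests that bypass the chain."""
    gaps = []
    for pattern, _ in rules:
        if "*" in pattern or "?" in pattern:
            continue
        child = pattern.rstrip("/") + "/" + probe
        if chain_for(rules, child) is None:
            gaps.append(child)
    return gaps


if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        rules = parse_urls(text)
        print(label, "uncovered:", uncovered_subpaths(rules))
        print(label, "/auth/users/1 ->", chain_for(rules, "/auth/users/1"))
```
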
8 years ago Add support for generic JDBC for AAA 77/37277/5
Ryan Goulding [Thu, 7 Apr 2016 15:17:40 +0000 (11:17 -0400)]
Add support for generic JDBC for AAA

Just wraps the default Shiro implementation.  This allows for enhanced logging
as well as aggregation of all realm implementations to a single package,
making it easier for importing Servlets.

Instructions on how to set up and configure the realm are included right in the
shiro initialization file, shiro.ini.

This abstraction is particularly useful for systems integrators who wish to
leverage an existing JDBC-supporting system for ODL AAA.

Change-Id: I58257a4704e9c302689ef46155972c5ce06dd155
Signed-off-by: Ryan Goulding <ryandgoulding@gmail.com>
8 years ago Add support for Active Directory to AAA 22/37222/3
Ryan Goulding [Wed, 6 Apr 2016 23:24:22 +0000 (19:24 -0400)]
Add support for Active Directory to AAA

Just wraps the default Shiro implementation.  One of the many added benefits
from moving to Shiro is being able to utilize built in realm support.

AAA has taken the approach of wrapping Shiro abstractions in order to add
logging and to centralize realm implementations in one package, making it
so consuming servlets only need to import one package to get all the
available realm implementations.

Change-Id: I1e4fbcb97463e9b05ed38754ab62d0beb0f8e61a
Signed-off-by: Ryan Goulding <ryandgoulding@gmail.com>
8 years ago Fix bug 5654 - SHA256 hashing sometimes output a string that contains illegal characters 88/37088/2
Sharon Aicler [Mon, 4 Apr 2016 17:24:42 +0000 (10:24 -0700)]
Fix bug 5654 - SHA256 hashing sometimes output a string that contains illegal characters

Change-Id: I3d1e98e66bce7e6dc4873d15a8617e4bb13cc192
Signed-off-by: Sharon Aicler <saichler@cisco.com>
8 years ago Merge "Remove deprecated/dead Version endpoint code"
Ryan Goulding [Tue, 29 Mar 2016 22:26:00 +0000 (22:26 +0000)]
Merge "Remove deprecated/dead Version endpoint code"

8 years ago Do not install or deploy the karaf artifact 76/36376/2
Thanh Ha [Wed, 16 Mar 2016 23:23:23 +0000 (19:23 -0400)]
Do not install or deploy the karaf artifact

The karaf artifact is only used for testing. It does not need to be
released to the world.

Change-Id: Ic6ac45e1ca649668c9f6755dbe2d0c0beee49529
Signed-off-by: Thanh Ha <thanh.ha@linuxfoundation.org>
8 years ago Remove deprecated/dead Version endpoint code 72/36572/2
Ryan Goulding [Tue, 22 Mar 2016 20:45:55 +0000 (16:45 -0400)]
Remove deprecated/dead Version endpoint code

This code is removed as it was deprecated in Beryllium and scheduled
for removal in Boron.

Change-Id: I9f0ee0ba0a960e2594e2ca7dd0152ddf9622bac2
Signed-off-by: Ryan Goulding <ryandgoulding@gmail.com>
8 years ago Merge "Deprecate odl-aaa-keystone feature"
Ryan Goulding [Thu, 24 Mar 2016 15:49:22 +0000 (15:49 +0000)]
Merge "Deprecate odl-aaa-keystone feature"

8 years ago Add filterchain bundle to odl-aaa-shiro feature 54/36454/1
Ryan Goulding [Fri, 18 Mar 2016 18:48:56 +0000 (14:48 -0400)]
Add filterchain bundle to odl-aaa-shiro feature

Allows filterchaining for anything that imports odl-aaa-shiro.

Change-Id: I5e70bb92e0b69c85b61c4af165cd53d7c5d3f825
Signed-off-by: Ryan Goulding <ryandgoulding@gmail.com>
8 years ago Merge "Dynamic Filter Injection for Java REST Servlets"
Ryan Goulding [Fri, 18 Mar 2016 18:00:55 +0000 (18:00 +0000)]
Merge "Dynamic Filter Injection for Java REST Servlets"

8 years ago Dynamic Filter Injection for Java REST Servlets 43/36043/9
Ryan Goulding [Thu, 10 Mar 2016 13:35:15 +0000 (08:35 -0500)]
Dynamic Filter Injection for Java REST Servlets

Add support to dynamically configure servlet Filter chains at runtime.
Recreates the Filter chain-of-responsibility pattern to allow injection of chain
links on top of the CustomFilterAdapter javax.servlet.Filter.  Thus, web.xml
creators can use org.opendaylight.aaa.filterchain.CustomFilterAdapter to
dynamically adjust links in the chain at runtime.  This framework allows
pre/post-processing on HTTP/S requests from REST endpoints.  Importantly,
since the Filter is added to the Servlet definition, the requests are viewed
after SSL decryption, allowing for true inspection.  An example of how to
configure this for a REST endpoint is illustrated in this patch for the AAA
idmlight endpoints at aaa-idmlight/src/main/resources/web.xml.

A configuration admin managed service is introduced to track changes to the
"etc/org.opendaylight.aaa.filterchain.cfg" file.  This file supports one
key/value combination, namely:

customFilterList=a.b.c.Filter1,c.d.e.Filter2,x.y.zFilterN

The value is a csv list of filters.  Optionally, the user may specify a Filter
configuration file to introduce key/value init-params normally specified in
web.xml.  An example is:

customFilterList=a.b.c.Filter1$etc/filter1.cfg,d.e.f.Filter2

If the desired filter is not included in the Imported aaa packages, it may be
dynamically imported to allow access:

karaf> bundle:dynamic-import <ID>

Where <ID> refers to the bundle ID of the bundle that houses the desired
Filter implementation.

This patch contains several unit tests, and boasts 88% line unit coverage.  The
testing includes null chains, small chains, and quite large chains.

Change-Id: Ifa2994f4c10ae504763f704fa8dc19fd11093108
Signed-off-by: Ryan Goulding <ryandgoulding@gmail.com>
8 years ago Fix odl-restconf-noauth 41/36441/1
Ryan Goulding [Fri, 18 Mar 2016 14:20:21 +0000 (10:20 -0400)]
Fix odl-restconf-noauth

Removes OSGi activation of AAAFilter;  if you install odl-aaa-shiro
on its own then you will need to manually activate with:
>bundle:install aaa-shiro-act

Change-Id: I6c58314c09ea07bcf47dce1ad19d16e35e4fe983
Signed-off-by: Ryan Goulding <ryandgoulding@gmail.com>
8 years ago Merge "Upgrade h2 version from 1.4.185 to 1.4.191"
Sharon Aicler [Thu, 17 Mar 2016 16:14:59 +0000 (16:14 +0000)]
Merge "Upgrade h2 version from 1.4.185 to 1.4.191"

8 years ago Merge "Upgrade org.apache.felix.metatype from 1.0.10 to 1.1.2"
Sharon Aicler [Thu, 17 Mar 2016 16:14:23 +0000 (16:14 +0000)]
Merge "Upgrade org.apache.felix.metatype from 1.0.10 to 1.1.2"

8 years ago Merge "Bug 5493 idmtool script doesnt honor target-hostname argument"
Ryan Goulding [Wed, 16 Mar 2016 19:44:23 +0000 (19:44 +0000)]
Merge "Bug 5493 idmtool script doesnt honor target-hostname argument"

8 years ago Merge "AAA idmlight REST endpoints should use AAAFilter"
Sharon Aicler [Wed, 16 Mar 2016 16:23:32 +0000 (16:23 +0000)]
Merge "AAA idmlight REST endpoints should use AAAFilter"

8 years ago Merge "Bug 5474 Accounting Log for Un/Successful Auth Attempts"
Ryan Goulding [Wed, 16 Mar 2016 15:56:23 +0000 (15:56 +0000)]
Merge "Bug 5474 Accounting Log for Un/Successful Auth Attempts"

8 years ago Deprecate odl-aaa-keystone feature 85/36085/1
Ryan Goulding [Fri, 11 Mar 2016 01:08:20 +0000 (20:08 -0500)]
Deprecate odl-aaa-keystone feature

It appears at some point, someone started work on a keystone plugin
for ODL AAA.  However, that appears to be mostly just stub methods
now, and doesn't function properly at all.  This deprecates the
interface so it may be removed in Carbon.

Change-Id: I6fd75013122d8a4aa12c98c7f074112fa6cedb16
Signed-off-by: Ryan Goulding <ryandgoulding@gmail.com>
8 years ago Upgrade org.apache.felix.metatype from 1.0.10 to 1.1.2 79/36079/1
Ryan Goulding [Thu, 10 Mar 2016 22:00:30 +0000 (17:00 -0500)]
Upgrade org.apache.felix.metatype from 1.0.10 to 1.1.2

Upgrades org.apache.felix.metatype to the latest version.

Change-Id: If03227426373f137d57cf88cd8ae8b8bc5d4afcc
Signed-off-by: Ryan Goulding <ryandgoulding@gmail.com>
8 years ago Upgrade h2 version from 1.4.185 to 1.4.191 78/36078/1
Ryan Goulding [Thu, 10 Mar 2016 21:57:19 +0000 (16:57 -0500)]
Upgrade h2 version from 1.4.185 to 1.4.191

Upgrade h2 database driver to the latest version.

Change-Id: Id9064c748de5f4eea1cf7c968575c88be80bf9c1
Signed-off-by: Ryan Goulding <ryandgoulding@gmail.com>
8 years ago Bug 5493 idmtool script doesnt honor target-hostname argument 66/36066/1
Ryan Goulding [Thu, 10 Mar 2016 18:13:57 +0000 (13:13 -0500)]
Bug 5493 idmtool script doesnt honor target-hostname argument

Adds capability to parse target-hostname.

Change-Id: I2d48b300c07b9ab30748809ef1aa014d9ff87833
Signed-off-by: Ryan Goulding <ryandgoulding@gmail.com>
8 years ago AAA idmlight REST endpoints should use AAAFilter 63/36063/1
Ryan Goulding [Thu, 10 Mar 2016 16:42:24 +0000 (11:42 -0500)]
AAA idmlight REST endpoints should use AAAFilter

AAA idmlight rest endpoints currently use TokenAuthFilter, which was
deprecated during the Beryllium cycle.  This upgrades the idmlight REST
endpoints such that AAAFilter (the replacement for TokenAuthFilter) is used
instead.  The introduction of AAAFilter allows for Shiro based authorization
on idmlight REST endpoints.

Authorization rules were added to the idmlight REST endpoints to allow
only users with the admin role access.

Change-Id: I2f58dc9902f7712942ef9c847b37e1af89a4b1fe
Signed-off-by: Ryan Goulding <ryandgoulding@gmail.com>
8 years ago Bug 5474 Accounting Log for Un/Successful Auth Attempts 34/35934/1
Ryan Goulding [Mon, 7 Mar 2016 21:32:35 +0000 (16:32 -0500)]
Bug 5474 Accounting Log for Un/Successful Auth Attempts

Accounting is currently limited to karaf log output messages, which can be
copied to an external syslog server.  Hitherto, AAA plugin didn't report
failed vs. successful authentication attempts.  This change provides the
ability to enable audit events for successful and unsuccessful authentication
attempts.  This behavior is disabled by default in order to prevent flooding
karaf logs, but may be enabled if an operator feels this logging is
important.

To enable Un/Successful logging, from the karaf shell just type:
> log:set DEBUG org.opendaylight.aaa.shiro.filters.AuthenticationListener

A good deal of testing was added in order to ensure that audit events are
reported in a sane manner.  A utilities class was developed which is
responsible for forming audit log messages.  A custom slf4j appender was added
for testing only in order to track karaf log output, and ensure that audit
events are properly logged.

Change-Id: I21b8dc4ef5b137cf7f968c284a6725da7b02134a
Signed-off-by: Ryan Goulding <ryandgoulding@gmail.com>
8 years ago Bug 1835 - No length checking on POST and PUT fields in idm REST interface for /users 26/35826/3
Mohamed El-Serngawy [Fri, 4 Mar 2016 19:20:17 +0000 (14:20 -0500)]
Bug 1835 - No length checking on POST and PUT fields in idm REST interface for /users

Validate the user fields length in PUT Rest API

Change-Id: I20c23d872ddfb476bc7dd8b0edec42fbb80fd0ce
Signed-off-by: Mohamed El-Serngawy <melserngawy@inocybe.com>
8 years ago fix changes in openflowjava interface TlsConfiguration. 55/35655/1
melserngawy [Wed, 2 Mar 2016 22:28:26 +0000 (17:28 -0500)]
fix changes in openflowjava interface TlsConfiguration.

Change-Id: I718103f6f7e401cbb3bfc89de30a813ffb1c4761
Signed-off-by: melserngawy <melserngawy@inocybe.com>
8 years ago Bug 5425 AAAFilter always assumes the default domain 64/35364/3
Ryan Goulding [Wed, 24 Feb 2016 23:25:16 +0000 (18:25 -0500)]
Bug 5425 AAAFilter always assumes the default domain

This change allows another domain to be specified as part of the
username.  Just use "username"@"domain".  If no @domain is specified,
then the default domain "sdn" is assumed.

Change-Id: Ia7cdd06fbc92f9fef3723260950ef9f6682dabfa
Signed-off-by: Ryan Goulding <ryandgoulding@gmail.com>
8 years ago Drop the dependency on jaxrs-api 48/35348/1
Stephen Kitt [Wed, 24 Feb 2016 16:53:43 +0000 (17:53 +0100)]
Drop the dependency on jaxrs-api

The dependency appears to be unnecessary, remove it (instead of
upgrading it in odlparent).

Change-Id: Ifc41090520921440bde00e6c5f848e75832e636f
Signed-off-by: Stephen Kitt <skitt@redhat.com>
8 years ago Pull in PowerMock from odlparent 72/35272/1
Stephen Kitt [Tue, 23 Feb 2016 16:02:09 +0000 (17:02 +0100)]
Pull in PowerMock from odlparent

The Mockito upgrade breaks PowerMock 1.5.2; odlparent now provides the
necessary dependency management for PowerMock and will ensure that
Mockito and PowerMock versions are upgraded in sync.

Change-Id: I569f10df433ed8d0894c1dbc97aa9f9cbb8fbe5b
Signed-off-by: Stephen Kitt <skitt@redhat.com>
8 years ago Drop dependency on javax.annotation-api 61/35061/1
Stephen Kitt [Fri, 19 Feb 2016 11:18:29 +0000 (12:18 +0100)]
Drop dependency on javax.annotation-api

This appears to be unused and may be contributing to issues with newer
versions of jsr305. (jsr305 3.0.0 doesn't provide any OSGi bundle
information, but 3.0.1 does, and the information provided conflicts
with the bundle information in javax.annotation-api.)

Change-Id: I39a22901e86220be5bc1da15975b39db11a6f426
Signed-off-by: Stephen Kitt <skitt@redhat.com>
8 years ago adding command-line and certificate functionalities 66/30166/29
Mohamed El-Serngawy [Tue, 24 Nov 2015 23:16:22 +0000 (18:16 -0500)]
adding command-line and certificate functionalities

Change-Id: I0d5ffe7d004146fdcc92b3cf06cf45762b99cbd2
Signed-off-by: Mohamed El-Serngawy <melserngawy@inocybe.com>
8 years ago Convert to use yangtools-artifacts 16/34416/1
Ryan Goulding [Wed, 10 Feb 2016 19:20:15 +0000 (14:20 -0500)]
Convert to use yangtools-artifacts

Changes feature poms dependencyManagement to import yangtools-artifacts.

Change-Id: I9da547d519684b455a4a0a86f83265d313f47326
Signed-off-by: Ryan Goulding <ryandgoulding@gmail.com>
8 years ago Adds a basic tool for AAA IDM manipulation 96/34196/1
Ryan Goulding [Fri, 5 Feb 2016 23:13:46 +0000 (18:13 -0500)]
Adds a basic tool for AAA IDM manipulation

Change-Id: Ic38f2f23e4a302ecfca39ceadfe2979faec8aeba
Signed-off-by: Ryan Goulding <ryandgoulding@gmail.com>
(cherry picked from commit f6c87f3cd7eaa6ffc32625546828a2b6cd42722e)

8 years ago Bug 5253 AAA Delete non-functional 86/34186/1
Ryan Goulding [Fri, 5 Feb 2016 18:52:26 +0000 (13:52 -0500)]
Bug 5253 AAA Delete non-functional

Fixes Stores to utilize Statement instead of PreparedStatement
due to limitations in h2 driver.  Adds cleansing of input.
Puts a guard around the grant calculation to ensure a grant
referring to a missing role doesn't bomb the store.

Change-Id: I642a945b04fdae95ce67298c051726e8e9e8fe82
Signed-off-by: Ryan Goulding <ryandgoulding@gmail.com>
(cherry picked from commit e0ca55c01badbbfb3ca326373dbfe0000116a34d)

8 years ago Bug 5250 User update for changing password requires salt 70/34170/1
Ryan Goulding [Fri, 5 Feb 2016 15:18:54 +0000 (10:18 -0500)]
Bug 5250 User update for changing password requires salt

Allows re-use of existing salt.

Change-Id: I61bbfd1e7d5839efcee3754f7d29d2c70f3aa5f7
Signed-off-by: Ryan Goulding <ryandgoulding@gmail.com>
(cherry picked from commit da4610b0db64753e627b1ed12182c0581ab87298)

8 years ago Merge "Ensure H2 resources are closed"
Ryan Goulding [Wed, 3 Feb 2016 14:37:12 +0000 (14:37 +0000)]
Merge "Ensure H2 resources are closed"

8 years ago Ensure H2 resources are closed 17/33917/2
Stephen Kitt [Tue, 2 Feb 2016 17:14:04 +0000 (18:14 +0100)]
Ensure H2 resources are closed

This patch uses try-with-resources with all database resources
(connections, statements and result sets) to ensure they're closed
correctly in all cases. It drops the re-used dbConnection since that
seems fragile (two threads accessing the store simultaneously might
get the same connection, and one of the threads will close it before
the other has finished), except for tests.

The initial table check/creation is synchronized to avoid
time-of-check to time-of-use races.

Common code is extracted to an AbstractStore.

Exceptions are logged and re-thrown as StoreExceptions with exception
chaining.

Change-Id: Ia63493fcb1361e53a5f3400ee5e2fdf09bccb574
Signed-off-by: Stephen Kitt <skitt@redhat.com>
8 years ago Bug 5193 Fix idmlight REST endpoints 25/33925/2
Ryan Goulding [Tue, 2 Feb 2016 20:24:54 +0000 (15:24 -0500)]
Bug 5193 Fix idmlight REST endpoints

Clean up feature install ordering.

Change-Id: I41f544185037138bb0119df26be3b11052c0d05b
Signed-off-by: Ryan Goulding <ryandgoulding@gmail.com>
(cherry picked from commit 710f46a274b7addae220a0cb8634c69d592d8342)

8 years ago Bug 5145 ODLJndiLdapRealm does not allow configurable searchBase 03/33903/1
Ryan Goulding [Fri, 29 Jan 2016 19:03:33 +0000 (14:03 -0500)]
Bug 5145 ODLJndiLdapRealm does not allow configurable searchBase

Add configurable searchBase and ldapAttributeForComparison, which
is needed since the defaults will NOT apply to every LDAP deployment.
Fixes JDK8 incompatibilities in documentation.

Change-Id: Id7f5b5201311f6c7297ff976b777b4aafcccebe9
Signed-off-by: Ryan Goulding <ryandgoulding@gmail.com>
(cherry picked from commit 5058c61bf1cfa2b5b6f7f88a6460f9a3445a0dff)

8 years ago Bug 5148 - CORS requests stopped early 99/33799/1
Ryan Goulding [Fri, 29 Jan 2016 21:43:46 +0000 (16:43 -0500)]
Bug 5148 - CORS requests stopped early

Override isAccessAllowed(...) in order to allow through requests
with OPTIONS header, and no Authentication header.

Change-Id: I7344ad0eec573572bd9cd0495b622e09cfecbb8a
Signed-off-by: Ryan Goulding <ryandgoulding@gmail.com>
8 years ago Bug 5060 Cannot Delete Users 89/33789/2
Ryan Goulding [Sat, 23 Jan 2016 01:02:05 +0000 (20:02 -0500)]
Bug 5060 Cannot Delete Users

Fix the sql to delete a user.

Change-Id: Ic3b5273b898fd566a611e26ebeb4f35199b25797
Signed-off-by: Ryan Goulding <ryandgoulding@gmail.com>
(cherry picked from commit 372e83ce3e0c74042fa856ce59404179c3769988)

8 years ago Fix license header violations 02/33502/1
Sai MarapaReddy [Mon, 25 Jan 2016 19:54:00 +0000 (11:54 -0800)]
Fix license header violations

Change-Id: I7f41259477a30e58a88e635f74234366f308c94c
Signed-off-by: Sai MarapaReddy <sai.marapareddy@gmail.com>
8 years ago Bump yangtools to 1.0.0-SNAPSHOT 97/33297/4
Thanh Ha [Thu, 21 Jan 2016 21:21:05 +0000 (16:21 -0500)]
Bump yangtools to 1.0.0-SNAPSHOT

Change-Id: I5bf78cb609a154e26afab5cbbdb68995bc89a172
Signed-off-by: Thanh Ha <thanh.ha@linuxfoundation.org>
8 years ago Bug 5033 AAA sometimes falsely authorizes user to restricted endpoint 09/33109/3
Ryan Goulding [Wed, 20 Jan 2016 16:32:21 +0000 (11:32 -0500)]
Bug 5033 AAA sometimes falsely authorizes user to restricted endpoint

This change abstracts a custom principal with appropriate identification
information for the "doGetAuthorizationInfo()" step.  The cached user
is eliminated due to the fact that there may be interleaving in calls
to "doGetAuthenticationInfo()" and "doGetAuthorizationInfo()" for different
requests.

Change-Id: Ib76681137bb5c5d83493d5f3092a54e668b3c337
Signed-off-by: Ryan Goulding <ryandgoulding@gmail.com>
8 years ago Bumping versions by 0.1.0 for next dev cycle 92/32692/1
Thanh Ha [Fri, 15 Jan 2016 02:12:52 +0000 (21:12 -0500)]
Bumping versions by 0.1.0 for next dev cycle

Change-Id: Ic0b167430069eb61ea4f06bf420c249806d2008c
Signed-off-by: Thanh Ha <thanh.ha@linuxfoundation.org>
8 years ago Fix generator path inconsistent 62/32162/1
xsir [Wed, 6 Jan 2016 01:45:21 +0000 (09:45 +0800)]
Fix generator path inconsistent

The generator path of build-helper-plugin is inconsistent with
odl-parent, this caused the Eclipse build path to be missing.

Change-Id: I6d1fa45abaef49d0995549230b7337892abec8ba
Signed-off-by: xsir <xujinchuan@huawei.com>
8 years ago Fix AAA not advertising its features properly 06/32106/3
Robert Varga [Mon, 4 Jan 2016 21:27:53 +0000 (22:27 +0100)]
Fix AAA not advertising its features properly

All artifacts for public consumption need to be made part of the
project's artifact pom, so they can be imported properly into
downstream projects.

Change-Id: I4eff79d9ebe9be31ceac4682e2a003a18b291cfb
Signed-off-by: Robert Varga <robert.varga@pantheon.sk>
Signed-off-by: Ryan Goulding <ryandgoulding@gmail.com>
8 years ago Force shiro deps to inherit from odlparent 33/31933/1
Ryan Goulding [Tue, 29 Dec 2015 13:52:19 +0000 (08:52 -0500)]
Force shiro deps to inherit from odlparent

Shiro dependencies should inherit from odlparent, as they are
used across projects (netconf & AAA), and should be the same
to avoid version skew.

Change-Id: I35a79b9ef5b7e9699e105dfac09376eabc5a0ffb
Signed-off-by: Ryan Goulding <ryandgoulding@gmail.com>
8 years ago Fix javadoc formatting for SHA256Calculator 10/31910/1
Ryan Goulding [Mon, 28 Dec 2015 13:46:40 +0000 (08:46 -0500)]
Fix javadoc formatting for SHA256Calculator

Change-Id: Ie55998a88943b8d14184d6e0424a644ce9851858
Signed-off-by: Ryan Goulding <ryandgoulding@gmail.com>