From: Ryan Goulding Date: Thu, 8 Feb 2018 19:04:53 +0000 (-0500) Subject: AAA-147: Jolokia credentials are backed by AAA X-Git-Tag: release/oxygen~9 X-Git-Url: https://git.opendaylight.org/gerrit/gitweb?p=controller.git;a=commitdiff_plain;h=b4aada8443c60b359aa871171d3794704843530a AAA-147: Jolokia credentials are backed by AAA Upgrade jolokia-osgi to enable use of "authMode=service-all". This was added by: https://github.com/rhuss/jolokia/commit/ \ 1441b0df476e7bb5728d32210e13d18aaaa783cb A corresponding patch is added in AAA to add an Authenticator to the OSGi service registry which is backed by ODL AAA. This closes the vulnerability of using plaintext credentials for odl-jolokia, and also centralizes credential management. Change-Id: I5d3a63e47adefbcae96f3794b51da69a3f4980c5 Signed-off-by: Ryan Goulding --- diff --git a/features/extras/odl-jolokia/pom.xml b/features/extras/odl-jolokia/pom.xml index 340e3d7360..45c80d180b 100644 --- a/features/extras/odl-jolokia/pom.xml +++ b/features/extras/odl-jolokia/pom.xml @@ -33,6 +33,8 @@ org.jolokia jolokia-osgi + + 1.5.0 diff --git a/opendaylight/commons/jolokia/src/main/resources/org.jolokia.osgi.cfg b/opendaylight/commons/jolokia/src/main/resources/org.jolokia.osgi.cfg index fdad9e9a2b..bb9c367597 100644 --- a/opendaylight/commons/jolokia/src/main/resources/org.jolokia.osgi.cfg +++ b/opendaylight/commons/jolokia/src/main/resources/org.jolokia.osgi.cfg 
@@ -1,4 +1,13 @@ #ODL Default Jolokia Configuration File -org.jolokia.authMode=basic -org.jolokia.user=admin -org.jolokia.password=admin + +# The default strategy is to use "service-all", which requires AAA to be installed to access +# Jolokia REST endpoints at runtime. AAA is responsible for creating and registering the +# Authenticator service with the OSGi service registry. +org.jolokia.authMode=service-all + +# The below may be uncommented by the operator to enable basic authentication for Jolokia. Prior +# to the Oxygen release, only basic authentication was available. This is provided to show how +# backwards compatibility can be achieved. +#org.jolokia.authMode=basic +#org.jolokia.user=admin +#org.jolokia.password=admin
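Review bot: in features/extras/odl-jolokia/pom.xml the added 1.5.0 pins the jolokia-osgi version inside the feature pom, while the new org.jolokia.authMode=service-all default in org.jolokia.osgi.cfg depends on that upgrade according to the commit message. If the line added just above 1.5.0 does not already say so, add a comment stating that the override exists for service-all and when it can be dropped, or move the version into shared dependency management so the feature pom and the config cannot drift apart.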
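Review bot: the commented-out fallback at the end of org.jolokia.osgi.cfg still carries #org.jolokia.user=admin and #org.jolokia.password=admin, so an operator who uncomments the three lines as the comment suggests is back on the default plaintext credentials that the commit message says this change closes. Ship the fallback with placeholder values and add a line to the comment telling the operator to set their own user and password. The comment above org.jolokia.authMode=service-all should also state what a request to the Jolokia endpoints gets when AAA is not installed, since the text only says AAA is required.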