Major Features

Ideally, the user should only install odl-aaa-shiro, as it provides the best bang for the buck in Beryllium.

  • odl-aaa-shiro - Installs all supported AAA features
  • odl-aaa-authn - Just AAA TokenAuthFilter based implementation without Shiro add-ons
  • odl-aaa-authn-mdsal-cluster - EXPERIMENTAL Uses md-sal store instead of h2 store
  • odl-aaa-sssd-plugin - SSSD integration through TokenAuthRealm
  • odl-aaa-authz - EXPERIMENTAL support for AuthZ Dom Data Broker

Target Environment

Java 7/8 Environments

For Execution

N/A

For Development

Python 2.7+, Sqlite3

Known Issues and Limitations

  • Particular known bugs and workarounds.
    • Bug 4742 - Known workaround; just specify "application/json" regardless.
    • Bug 1835 - Known workaround; just limit fields to 128 characters. Does not cause harm to database as the query will fail.
    • Bug 3855 - Known workaround; do not use password with "%" or ",". Password may be recovered through idmlight script.
  • Testing methodology. How extensive was it? What should be expected to work? What hasn't been tested as much?

Basic authentication and token-based authentication in conjunction with ALL features were tested extensively through [1]. An idmlight test plan was added last release, but it has not yet run successfully because a resource left the project (working to fix this ASAP). Unit test coverage improved from 21% to 34%.

Changes Since Previous Releases

  • Shiro Framework Included
  • LDAP integration with and without RBAC
  • Shiro based authorization added
  • TokenAuthRealm added for backwards compatibility
  • Enhanced Logging added
  • Experimental MD-SAL store was added, but disabled by default due to unresolved configuration subsystem issues.

Bugs Fixed in this Release

ID Product Comp Assignee Status Resolution Summary Changed

5253 aaa General bugs@lists.opendaylight.org RESO FIXE AAA Delete non-functional 22:16:17

5250 aaa General bugs@lists.opendaylight.org RESO FIXE User update for changing password requires salt Fri 18:53

4782 aaa General ryandgoulding@gmail.com RESO FIXE H2Store tries to create tables multiple times Wed 16:33

5193 aaa General bugs@lists.opendaylight.org RESO FIXE idmlight rest endpoints sometimes fail to load Wed 14:44

5145 aaa General ryandgoulding@gmail.com RESO FIXE ODLJndiLdapRealm does not allow configurable searchBase 2016-02-02

5060 aaa General ryandgoulding@gmail.com RESO FIXE Cannot Delete Users 2016-02-02

5148 aaa General bugs@lists.opendaylight.org RESO FIXE CORS requests stopped early 2016-01-29

5033 aaa General ryandgoulding@gmail.com RESO FIXE AAA sometimes falsely authorizes user to restricted endpoint 2016-01-26

4804 aaa General bugs@lists.opendaylight.org RESO FIXE IDMLight REST endpoints do not redact the salt user field 2015-12-21

2272 aaa General bugs@lists.opendaylight.org RESO FIXE ClaimAuthFilter missing REMOTE_USER_GROUPS 2015-12-18

4766 aaa General bugs@lists.opendaylight.org RESO FIXE AAA does not provide AuthN only LDAP capability 2015-12-18

1855 aaa General pemellquist@gmail.com RESO FIXE IDM Role Handler does not check max field lengths in POST and PUT operations 2015-12-18

4809 aaa General ryandgoulding@gmail.com RESO FIXE AAA versionhandler is out of date and should be deprecated 2015-12-18

4783 aaa General bugs@lists.opendaylight.org RESO FIXE SQLException masked by IDMStoreException, making debugging impossible 2015-12-15

4768 aaa General ryandgoulding@gmail.com RESO FIXE AAA STS ServiceWireTask prone to java.lang.IllegalStateException: BundleContext is no longer valid 2015-12-15

4385 aaa General ryandgoulding@gmail.com RESO FIXE Restconf calls return with 503 Service Unavailable for some non-deterministic amount of time after loading karaf 2015-12-15

1977 aaa General jdennis@redhat.com RESO FIXE AJP protocol not supported with current Jetty, servlet attributes not populated 2015-12-15

4773 aaa General ryandgoulding@gmail.com RESO FIXE Package uses conflict between authn and restconf 2015-12-15

4723 aaa General bugs@lists.opendaylight.org RESO FIXE AAA StoreBuilder init times out too early 2015-12-14

4741 aaa General ryandgoulding@gmail.com RESO FIXE AAA ServiceWireTask thread blocks pax exam shutdown, causing long running singleFeatureTests 2015-12-14

4749 aaa General ryandgoulding@gmail.com RESO FIXE odl-aaa-shiro feature doesn't import some runtime dependencies 2015-12-10

4732 aaa General saichler@cisco.com RESO FIXE AAA sometimes fails to load due to aaa-idmlight using Activator instead of CSS 2015-12-09

3925 aaa General bugs@lists.opendaylight.org RESO FIXE aaa h2 data store code does not utilize transactions 2015-11-12

4042 aaa General ryandgoulding@gmail.com RESO FIXE AuthN fails for users that aren't granted permission with default sdn domain 2015-11-12

4588 aaa General ryandgoulding@gmail.com RESO FIXE aaa-authn-api causing stack overflow for sfc tests 2015-11-12

4523 aaa General bugs@lists.opendaylight.org RESO FIXE aaa-authn-api JDK8 build failure due to javadoc generation 2015-10-31

4515 aaa General bugs@lists.opendaylight.org RESO FIXE [lithium] aaa-authn cannot resolve aaa-authn-api 2015-10-24

4430 aaa General ryandgoulding@gmail.com RESO FIXE Unclear error message when Basic Authentication has a bad header format 2015-10-08

4289 aaa General ryandgoulding@gmail.com RESO FIXE AuthZ config subsystem files are loaded to the wrong place 2015-09-30

4313 aaa General bugs@lists.opendaylight.org RESO FIXE aaa still depends on netconf 2015-09-17

4216 aaa General tcere@cisco.com RESO FIXE Build cycle between aaa - controller - netconf 2015-09-03

3924 aaa General saichler@cisco.com RESO FIXE aaa passwords are stored in clear text 2015-08-25

4170 aaa General ryandgoulding@gmail.com RESO FIXE odl-aaa-authz AuthzReadOnlyTransaction returns null in some cases 2015-08-25

4146 aaa General ryandgoulding@gmail.com RESO FIXE odl-aaa-authz does not work for Write or ReadWrite Transactions 2015-08-25

4054 aaa General ryandgoulding@gmail.com RESO FIXE Federation RuleProcessor utilizes System.out which interferes with karaf 2015-08-24

4020 aaa General ryandgoulding@gmail.com RESO FIXE AAA fails to perform federated authentication responsibilities if sssd lookup fails 2015-08-23

4038 aaa General ryandgoulding@gmail.com RESO FIXE Grant Creation is Broken 2015-08-23

4168 aaa General ryandgoulding@gmail.com RESO FIXE Inappropriate use of stringbuilder in certain places in AAA code 2015-08-23

1910 aaa General ryandgoulding@gmail.com RESO FIXE Enforce domain name uniqueness 2015-08-23

4023 aaa General ryandgoulding@gmail.com RESO FIXE AAA does not enforce unique role names 2015-08-23

1911 aaa General ryandgoulding@gmail.com RESO FIXE Updating user info will result in an un-redacted password field returned in the response 2015-07-21

3519 aaa General ryandgoulding@gmail.com RESO FIXE Stop creating static exception instances 2015-07-21

3858 aaa General bugs@lists.opendaylight.org RESO FIXE Default token expiry setting is too low 2015-07-21

Migration from Previous Releases

Since the AAA schema was changed, it is recommended to remove "idmlight.db.mv.db" and start with a fresh IdM database, or export the database and manually update fields.

Compatibility with Previous Releases

Functionality is fully backwards compatible, but since the schema changed it is recommended to start with a fresh idmlight.db.

Deprecated, End of Lifed, and/or Retired Features/APIs

    VersionHandler was deprecated this release.