MD-SAL Dynamic Authorization fails to work
Description
Activity
Venkatrangan Govindarajan April 15, 2023 at 9:42 AM
There are no errors, except that the filter is not loaded. The regular karaf.log from CSIT can be used.
I) Regular karaf log: https://s3-logs.opendaylight.org/logs/releng/vex-yul-odl-jenkins-1/netconf-csit-1node-userfeatures-rfc8040-all-master/251/odl_1/odl1_karaf.log.gz
Please note that MDSALDynamic is defined as some other name, but not getting loaded.
II) Modified the aaa-app-config.xml to use rest as the name of the filter. Please find the karaf log attached.
Snippet!!
------8<----------
t data
2023-04-15T09:29:35,002 | INFO | Blueprint Extender: 2 | AAAShiroProvider | 184 - org.opendaylight.aaa.shiro - 0.17.7 | AAAShiroProvider Session Initiated
2023-04-15T09:29:35,129 | INFO | Blueprint Extender: 2 | ReflectionBuilder | 183 - org.opendaylight.aaa.repackaged-shiro - 0.17.7 | An instance with name 'rest' already exists. Redefining this object as a new instance of type org.opendaylight.aaa.shiro.realm.MDSALDynamicAuthorizationFilter
2023-04-15T09:29:35,130 | INFO | Blueprint Extender: 2 | IniSecurityManagerFactory | 183 - org.opendaylight.aaa.repackaged-shiro - 0.17.7 | Realms have been explicitly set on the SecurityManager instance - auto-setting of realms will not occur.
2023-04-15T09:29:35,169 | INFO | paxweb-config-3-thread-1 | ServerModel | 340 - org.ops4j.pax.web.pax-web-spi - 8.0.15 | Created new ServletContextModel{id=ServletContextModel-8,contextPath='/auth'}
2023-04-15T09:29:35,169 | INFO | paxweb-config-3-thread-1 | JettyServerController | 337 - org.ops4j.pax.web.pax-web-jetty - 8.0.15 | Receiving Batch{"Registration of OsgiContextModel{WB,id=OCM-7,name='OpenDaylight IDM realm management',path='/auth',bundle=org.opendaylight.aaa.shiro,ref={org.osgi.service.http.context.ServletContextHelper}={service.id=275, osgi.http.whiteboard.context.name=OpenDaylight IDM realm management, service.bundleid=184, service.scope=singleton, osgi.http.whiteboard.context.path=/auth}}", size=2}
2023-04-15T09:29:35,170 | INFO | paxweb-config-3-thread-1 | JettyServerWrapper | 337 - org.ops4j.pax.web.pax-web-jetty - 8.0.15 | Creating new Jetty context for
-------8<------------
Robert Varga March 27, 2023 at 8:00 AM
Can you provide logs to substantiate the first issue?
Two issues noticed here...
a. The dynamic authorization filter failed to get loaded.
b. Even after loading it with a workaround, the request is not handed over to the dynamic authorization filter due to the issue AAA-256
Workarounds:
Shiro fails to load filters with a custom name. ODL uses dynamicAuthorization as the name of the filter, which fails to load with the current Shiro release. But the filter gets loaded if we use the name "rest", which is a pre-defined filter.
Cookie needs to be disabled to avoid the second problem (workaround for AAA-256)
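
A check for the first workaround, added here as an example and not taken from the ticket or from OpenDaylight: it scans a karaf log for the ReflectionBuilder message quoted in the snippet above and reports the names under which MDSALDynamicAuthorizationFilter replaced an existing filter. The sample log is constructed from the quoted lines, and the function names are hypothetical.

```python
import re

# Constructed sample: two lines taken in shape from the karaf log quoted in the ticket.
SAMPLE_LOG = """\
2023-04-15T09:29:35,002 | INFO | Blueprint Extender: 2 | AAAShiroProvider | 184 - org.opendaylight.aaa.shiro - 0.17.7 | AAAShiroProvider Session Initiated
2023-04-15T09:29:35,129 | INFO | Blueprint Extender: 2 | ReflectionBuilder | 183 - org.opendaylight.aaa.repackaged-shiro - 0.17.7 | An instance with name 'rest' already exists. Redefining this object as a new instance of type org.opendaylight.aaa.shiro.realm.MDSALDynamicAuthorizationFilter
"""

DYNAMIC_FILTER = "org.opendaylight.aaa.shiro.realm.MDSALDynamicAuthorizationFilter"
REDEFINED = re.compile(r"An instance with name '([^']+)' already exists\. "
                       r"Redefining this object as a new instance of type (\S+)")
FIELDS = ("time", "level", "thread", "logger", "bundle", "message")


def parse_line(line):
    """Split one karaf log line into its six pipe-separated fields, or None."""
    parts = [p.strip() for p in line.split("|", 5)]
    if len(parts) != 6:
        return None  # continuation line (stack trace, wrapped message)
    return dict(zip(FIELDS, parts))


def shiro_redefinitions(log_text):
    """Map each Shiro object name that ReflectionBuilder redefined to its new type."""
    found = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["logger"] != "ReflectionBuilder":
            continue
        match = REDEFINED.search(rec["message"])
        if match:
            found[match.group(1)] = match.group(2)
    return found


def names_bound_to_dynamic_filter(log_text):
    """Names under which the dynamic authorization filter replaced an existing object."""
    return sorted(name for name, cls in shiro_redefinitions(log_text).items()
                  if cls == DYNAMIC_FILTER)


if __name__ == "__main__":
    print(names_bound_to_dynamic_filter(SAMPLE_LOG))
```

An empty result means only that this redefinition message was not logged; it matches the one message shown in the ticket's snippet and nothing else.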