AAA: Boron: Release Notes


Major Features

  • odl-aaa-shiro (encapsulates the old odl-aaa-authn, and has done so since Beryllium)

  • odl-aaa-authz

  • odl-aaa-cli

  • odl-aaa-cert

Target Environment

  • Any Java-capable environment.

For Execution

  • Python 2.7+ is needed to use the idmtool utility script for manipulating IDM data. Use of the idmtool script is not necessary for normal operation since there are REST endpoints for manipulating data. The idmtool script is a more convenient way of managing IDM data from the CLI.

For Development

  • Python 2.7+ and sqlite3

Known Issues and Limitations

  • Bug 5838: token authentication fails intermittently. This has been an issue since inception, and is easily circumvented by asking for a new token.

  • Testing methodology

    • The base feature odl-aaa-shiro, which wraps odl-aaa-authn, is stable and has stood its ground for the Beryllium release.

    • odl-aaa-cli and odl-aaa-cert are newly added features with unit tests only.

    • odl-aaa-authz is still only experimental.

Changes Since Previous Releases

  • Mainly bug fixes.

  • New Functionality

    • Added the ability to federate with Active Directory through the ODLActiveDirectoryRealm, a simple wrapper around Shiro's activeDirectoryRealm.

    • Added the capability to ODLJndiLdapRealm to map roles extracted from the external IdP to ODL roles (for easier RBAC).

    • Added the capability to store certificates in CDS through odl-aaa-cert, managed through odl-aaa-cli. These features are optional and are not installed automatically. There are no known consumers yet, and they are provided on an as-is basis.

Bugs Fixed in this Release

  • [1] Convert idmlight to use blueprint

  • [2] Convert aaa-mdsal-store to use blueprint

  • [3] No length checking on put/post for idm rest interface

  • [4] Accounting Log for Un/Successful Auth Attempts

  • [5] idmtool script doesn't honor target-hostname argument

  • [6] SHA256 hashing sometimes outputs a string that contains illegal characters for h2 datastore

  • [7] aaa distribution-karaf should inherit from karaf-parent, not aaa-parent

  • [8] Switch to use odlparent's karaf-parent

Migration from Previous Releases

If upgrading from a version of ODL prior to Beryllium-SR2, the idmlight.db.mv.db database file must be removed, because the password storage format changed due to Bug 5654. The next time odl-aaa-shiro is installed (usually through odl-restconf), the database will be regenerated with default credentials. Administrators should then change the default credentials as they see fit.

Compatibility with Previous Releases

Yes, compatible with previous releases.

Deprecated, End of Lifed, and/or Retired Features/APIs

  • odl-aaa-keystone was removed, as it never worked to begin with (stale code from old contributions).