AAA: Boron: Release Notes
Contents
Major Features
odl-aaa-shiro (encapsulates the old odl-aaa-authn, and has done so since Beryllium)
odl-aaa-authz
odl-aaa-cli
odl-aaa-cert
Target Environment
Any Java-capable environment.
For Execution
Python 2.7+ is needed to use the idmtool utility script for manipulating IDM data. idmtool is not required for normal operation, since the same data can be manipulated through the REST endpoints; it is simply a more convenient way of managing IDM data from the CLI.
For Development
Python 2.7+ and sqlite3
Known Issues and Limitations
Bug 5838: token authentication fails intermittently. This has been an issue since inception and is easily worked around by requesting a new token.
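The workaround for Bug 5838, as a small client that refreshes its token once and retries when a request carrying a freshly issued Bearer token is rejected with 401. This is an added example, not code from the AAA project: the /oauth2/token endpoint, its form fields (grant_type, username, password, scope) and the Bearer header are ODL AAA's; the OdlTokenClient class, the injected transport callable and the FakeOdl stand-in (which deliberately rejects the first token it issues, once) are constructed here so the logic runs offline.

```python
"""Retry-on-401 workaround for intermittent token rejection (Bug 5838).

Added example, not part of the AAA project. The transport is injected as a
callable transport(method, url, headers, body) -> (status, body_bytes) so the
same client can talk to a real controller or to the constructed FakeOdl below.
"""
import json
from urllib.parse import urlencode, parse_qs

TOKEN_PATH = "/oauth2/token"


class OdlTokenClient:
    def __init__(self, base_url, username, password, transport, scope="sdn"):
        self.base_url = base_url.rstrip("/")
        self.username = username
        self.password = password
        self.scope = scope
        self.transport = transport
        self.token = None
        self.token_requests = 0  # how many times we went to /oauth2/token

    def fetch_token(self):
        # Resource-owner password grant, as used by ODL AAA's token endpoint.
        body = urlencode({"grant_type": "password", "username": self.username,
                          "password": self.password, "scope": self.scope}).encode()
        headers = {"Content-Type": "application/x-www-form-urlencoded"}
        status, resp = self.transport("POST", self.base_url + TOKEN_PATH, headers, body)
        if status != 200:
            raise RuntimeError("token request failed with HTTP %d" % status)
        self.token = json.loads(resp.decode())["access_token"]
        self.token_requests += 1
        return self.token

    def _send_with_token(self, method, path):
        headers = {"Authorization": "Bearer " + self.token}
        return self.transport(method, self.base_url + path, headers, None)

    def get(self, path):
        if self.token is None:
            self.fetch_token()
        status, resp = self._send_with_token("GET", path)
        if status == 401:
            # Token rejected although it was just issued (the Bug 5838 symptom):
            # ask for a new token and retry exactly once, then report whatever comes back.
            self.fetch_token()
            status, resp = self._send_with_token("GET", path)
        return status, resp


class FakeOdl:
    """Constructed stand-in for a controller whose token check flakes:
    the first token it issues is rejected once, later tokens are accepted."""

    def __init__(self):
        self.issued = 0
        self.rejected_once = False

    def __call__(self, method, url, headers, body):
        if method == "POST" and url.endswith(TOKEN_PATH):
            form = parse_qs(body.decode())
            if form.get("grant_type") != ["password"] or form.get("scope") != ["sdn"]:
                return 400, b"bad token request"
            self.issued += 1
            tok = "tok%d" % self.issued
            return 200, json.dumps({"expires_in": 3600, "token_type": "Bearer",
                                    "access_token": tok}).encode()
        auth = headers.get("Authorization", "")
        if auth == "Bearer tok1" and not self.rejected_once:
            self.rejected_once = True
            return 401, b"Unauthorized"
        if auth.startswith("Bearer tok"):
            return 200, b'{"users": []}'
        return 401, b"Unauthorized"


def demo():
    """Two GETs against the flaky fake: the first needs a token refresh, the second reuses it."""
    client = OdlTokenClient("http://localhost:8181", "admin", "admin", FakeOdl())
    status1, _ = client.get("/auth/v1/users")
    status2, _ = client.get("/auth/v1/users")
    return status1, status2, client.token_requests, client.token


if __name__ == "__main__":
    print(demo())
```

The retry is bounded to one refresh per request on purpose: if the second attempt also fails, the cause is not the intermittent bug but wrong credentials or a revoked account, and looping would only hide that.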
Testing methodology
The base feature odl-aaa-shiro, which wraps odl-aaa-authn, is stable and has held up since the Beryllium release.
odl-aaa-cli and odl-aaa-cert are newly added features with unit tests only.
odl-aaa-authz is still experimental.
Changes Since Previous Releases
Mainly bug fixes.
New Functionality
Added the ability to federate with Active Directory through ODLActiveDirectoryRealm, a thin wrapper around Shiro's ActiveDirectoryRealm.
Added the capability to ODLJndiLdapRealm to map roles extracted from the external IdP to ODL roles (for easier RBAC).
Added the capability to store certificates in CDS through odl-aaa-cert, managed through odl-aaa-cli. These features are optional and are not installed automatically. There are no known consumers yet, and they are provided on an as-is basis.
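An added example, not the shiro.ini shipped with the AAA project, of wiring the two realms described above into the [main] section of etc/shiro.ini. The class names are ODL's, the properties are those of Shiro's ActiveDirectoryRealm and of ODLJndiLdapRealm; the hostnames, DNs, group names and credentials are placeholders to be replaced with your own.

```ini
[main]
# Built-in realm backed by the local IDM store; keep it so local accounts
# (including the admin account) continue to work alongside the directory.
tokenAuthRealm = org.opendaylight.aaa.shiro.realm.TokenAuthRealm

# Active Directory federation through the new ODLActiveDirectoryRealm.
adRealm = org.opendaylight.aaa.shiro.realm.ODLActiveDirectoryRealm
adRealm.url = ldap://adserver.example.com:389
adRealm.searchBase = "CN=Users,DC=example,DC=com"
adRealm.systemUsername = aduser@example.com
adRealm.systemPassword = CHANGE_ME
# AD group DN on the left, ODL role on the right.
adRealm.groupRolesMap = "CN=sysadmin,CN=Users,DC=example,DC=com":"admin", "CN=unprivileged,CN=Users,DC=example,DC=com":"user"

# Generic LDAP through ODLJndiLdapRealm, using the new role mapping.
ldapRealm = org.opendaylight.aaa.shiro.realm.ODLJndiLdapRealm
ldapRealm.userDnTemplate = uid={0},ou=People,dc=example,dc=com
ldapRealm.contextFactory.url = ldap://ldap.example.com:389
ldapRealm.searchBase = dc=example,dc=com
ldapRealm.ldapAttributeForComparison = objectClass
ldapRealm.groupRolesMap = "person":"admin"

# Realms are consulted in this order; list the local realm first.
securityManager.realms = $tokenAuthRealm, $adRealm, $ldapRealm
```

Two practical caveats: the groupRolesMap is what turns directory membership into ODL roles, so a too-broad mapping (such as every "person" becoming "admin", as in the LDAP line above) grants every directory user full control; and ldap:// on port 389 is cleartext, so the bind password and every user credential cross the network unprotected unless the directory is reached over LDAPS.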
Bugs Fixed in this Release
[1] Convert idmlight to use blueprint
[2] Convert aaa-mdsal-store to use blueprint
[3] No length checking on put/post for idm rest interface
[4] Accounting Log for Un/Successful Auth Attempts
[5] idmtool script doesn't honor target-hostname argument
[6] SHA256 hashing sometimes outputs a string that contains illegal characters for the H2 datastore
[7] aaa distribution-karaf should inherit from karaf-parent, not aaa-parent
[8] Switch to use odlparent's karaf-parent
Migration from Previous Releases
If upgrading from a version of ODL prior to Beryllium-SR2, the idmlight.db.mv.db database file must be removed, as the password storage format changed due to Bug 5654. When odl-aaa-shiro is next installed (usually as a dependency of odl-restconf), the database will be regenerated with default credentials. Administrators should then change the default credentials.
Compatibility with Previous Releases
Yes, compatible with previous releases.
Deprecated, End of Lifed, and/or Retired Features/APIs
odl-aaa-keystone was removed, as it never worked to begin with (stale code from old contributions).