AAA: Lithium: Release Review
Contents
- 1 Project Name
- 2 Features
- 3 Non-Code Aspects (user docs, examples, tutorials, articles)
- 4 Architectural Issues
- 5 Security Considerations
- 6 Quality Assurance (test coverage, etc)
- 7 End-of-life (API/Features EOLed in Release)
- 8 Bugzilla (summary of bug situation)
- 9 Standards (summary of standard compliance)
- 10 Schedule (initial schedule and changes over the release cycle)
Project Name
AAA
Features
odl-aaa-authn - AAA Authentication and Token services, IdmLight API, MD-SAL token store, H2 SQL user store
odl-aaa-authn-no-cluster - Previous version of aaa-authn. No MD-SAL token store.
odl-aaa-sssd-plugin - Apache SSSD Federated identity plugin. Pulls in odl-aaa-authn.
odl-aaa-authn-sssd-no-cluster - Previous version of apache SSSD Federated identity plugin. Pulls in odl-aaa-authn-no-cluster
odl-aaa-netconf-plugin - Plugin allowing authentication of Netconf clients. Pulls in odl-aaa-authn.
odl-aaa-authn-sssd-no-cluster - Previous version of Plugin allowing authentication of Netconf clients. Pulls in odl-aaa-authn-no-cluster.
odl-aaa-authz - AAA Authorization Service. Provides authorization policy decisions for RESTCONF API access (experimental feature).
Migration from Helium is automatic; the previous (non-MD-SAL) version is retained as a backup.
Non-Code Aspects (user docs, examples, tutorials, articles)
AAA docs, in docs project, have been updated to reflect IdmLight usage and features.
Architectural Issues
The MD-SAL token store is the first step in moving the AAA user store onto MD-SAL and, eventually, to full cluster support. In this release the SQLite backend was swapped out for H2, which is more portable and compatible with Java 8, but the user store still has to be replicated and synchronized out-of-band to deploy ODL in a cluster. MD-SAL has no "timed entry" capability, so the token store approximates one. The design decision was to flush expired entries on access rather than to run a sweeper process. This means stale tokens remain visible in the cache until something touches them; in all cases, however, only unexpired tokens are honored.
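The following is an added illustration of the flush-on-access design described above; it is not code from the AAA project or from MD-SAL. It models a token cache with no background sweeper: an expired entry stays in the map until it is looked up, at which point the lookup refuses it and evicts it. The token strings, user names and the injectable clock are constructed for the example.

```python
import time
from dataclasses import dataclass


@dataclass
class TokenEntry:
    user: str
    expires_at: float  # absolute time (seconds) after which the token is dead


class FakeClock:
    """Constructed test clock so the example runs deterministically offline."""

    def __init__(self, start: float) -> None:
        self._now = start

    def now(self) -> float:
        return self._now

    def advance(self, seconds: float) -> None:
        self._now += seconds


class LazyExpiringTokenStore:
    """Token cache that approximates a timed entry without a sweeper.

    The backing map has no notion of expiry, so each entry carries its own
    deadline. Nothing removes an expired entry proactively; it is evicted
    only when a caller touches it after the deadline. The trade-off is that
    stale entries are visible in the map (and consume memory) until then,
    but validate() never honors one.
    """

    def __init__(self, ttl_seconds: float, clock=time.time) -> None:
        self._ttl = ttl_seconds
        self._clock = clock
        self._entries: dict[str, TokenEntry] = {}

    def put(self, token: str, user: str) -> None:
        self._entries[token] = TokenEntry(user, self._clock() + self._ttl)

    def validate(self, token: str):
        """Return the user for a live token, or None for unknown/expired.

        An expired token is flushed here, on access, rather than by a
        periodic sweep.
        """
        entry = self._entries.get(token)
        if entry is None:
            return None
        if self._clock() >= entry.expires_at:
            del self._entries[token]  # flush-on-access
            return None
        return entry.user

    def stored_count(self) -> int:
        """Raw size of the backing map, including not-yet-flushed stale tokens."""
        return len(self._entries)


def demo() -> dict:
    """Walk a token past its TTL and record what the store reports at each step."""
    clock = FakeClock(1_000.0)
    store = LazyExpiringTokenStore(ttl_seconds=60, clock=clock.now)
    store.put("tok-A", "alice")
    fresh = store.validate("tok-A")            # honored
    clock.advance(61)                          # now past the deadline
    visible_before = store.stored_count()      # stale entry still present
    expired = store.validate("tok-A")          # refused and flushed
    visible_after = store.stored_count()       # gone only after the touch
    return {
        "fresh": fresh,
        "visible_before": visible_before,
        "expired": expired,
        "visible_after": visible_after,
    }


if __name__ == "__main__":
    print(demo())
```

The point a reviewer should take from this: `stored_count()` is not a security signal, because it counts entries that `validate()` will reject; only the validation path decides what is honored. A token that is never looked up again is also never evicted, so a real deployment still needs some bound on growth (a sweeper, a size cap, or a store with native expiry) even though correctness does not depend on it.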
Pending the full development of the AuthZ component, any authenticated user into the system has effectively full access rights.
Security Considerations
Any authenticated user, irrespective