AAA: Lithium: Release Review

Project Name

AAA

Features

  • odl-aaa-authn - AAA Authentication and Token services, IdmLight API, MD-SAL token store, H2 SQL user store

  • odl-aaa-authn-no-cluster - Previous version of aaa-authn. No MD-SAL token store.

  • odl-aaa-sssd-plugin - Apache SSSD Federated identity plugin. Pulls in odl-aaa-authn.

  • odl-aaa-authn-sssd-no-cluster - Previous version of the Apache SSSD Federated identity plugin. Pulls in odl-aaa-authn-no-cluster.

  • odl-aaa-netconf-plugin - Plugin allowing authentication of Netconf clients. Pulls in odl-aaa-authn.

  • odl-aaa-authn-sssd-no-cluster - Previous version of the plugin allowing authentication of Netconf clients. Pulls in odl-aaa-authn-no-cluster.

  • odl-aaa-authz - AAA Authorization Service. Provides Authorization Policy decisions for RESTCONF API access (Experimental feature)

Migration from Helium is automatic, with previous (MD-SAL less) version retained as backup.

Non-Code Aspects (user docs, examples, tutorials, articles)

AAA docs, in docs project, have been updated to reflect IdmLight usage and features.

Architectural Issues

The MD-SAL Token store is the first step in moving the AAA user-store to MD-SAL and, eventually, to full cluster support. In this release, the SQLite backend was swapped out for H2, which is more portable and compatible with Java 8, but it still needs to be replicated and synchronized out-of-band to deploy ODL in a cluster. The MD-SAL does not have a "timed entry" capability, so the token store approximates one. The design decision was taken to flush expired entries on access, rather than to run a sweeper process. This means that stale tokens will remain visible in the cache until they are touched; however, in all cases only valid (unexpired) tokens will be honored.
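The flush-on-access approximation described above, as an added illustration that is not AAA's own code and is written in Python rather than the project's Java: a minimal token store for a backend with no timed-entry support. The class and method names (LazyExpiryTokenStore, validate, stale_count) and the injectable clock are assumptions of this example. It shows the trade-off the paragraph states: an expired entry stays in the store until something looks it up, but validate() never honors it, and a stale_count() view makes the lingering entries observable for monitoring.

```python
import time
from dataclasses import dataclass


@dataclass
class TokenEntry:
    """One stored token: who it belongs to and when it stops being valid."""
    user: str
    issued_at: float
    ttl_seconds: float


class LazyExpiryTokenStore:
    """Token store for a backend that cannot expire entries on a timer.

    Hypothetical example class (not the AAA implementation). Expired entries
    are removed only when they are accessed; there is no sweeper thread.
    """

    def __init__(self, clock=time.monotonic):
        # The clock is injectable so expiry can be exercised deterministically.
        self._clock = clock
        self._entries = {}

    def put(self, token: str, user: str, ttl_seconds: float) -> None:
        self._entries[token] = TokenEntry(user, self._clock(), ttl_seconds)

    @staticmethod
    def _is_expired(entry: TokenEntry, now: float) -> bool:
        return now - entry.issued_at >= entry.ttl_seconds

    def validate(self, token: str):
        """Return the owning user for a live token, else None.

        An expired entry is flushed the moment it is touched, so a stale token
        can sit in the store but is never honored.
        """
        entry = self._entries.get(token)
        if entry is None:
            return None
        if self._is_expired(entry, self._clock()):
            del self._entries[token]
            return None
        return entry.user

    def stale_count(self) -> int:
        """How many expired entries are still physically present (untouched)."""
        now = self._clock()
        return sum(1 for e in self._entries.values() if self._is_expired(e, now))

    def __len__(self) -> int:
        return len(self._entries)


class FakeClock:
    """Constructed clock for the walkthrough; advance() simulates elapsed time."""

    def __init__(self, now: float = 0.0):
        self.now = now

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def walkthrough():
    """Issue two tokens, let both expire, touch one, and report what remains."""
    clock = FakeClock()
    store = LazyExpiryTokenStore(clock)
    store.put("tok-a", "alice", ttl_seconds=60)
    store.put("tok-b", "bob", ttl_seconds=60)

    live_before = store.validate("tok-a")   # "alice": still within its TTL
    clock.advance(61)                       # both tokens are now past their TTL
    stale_before = store.stale_count()      # 2: both stale, nothing swept them
    honored = store.validate("tok-a")       # None, and tok-a is flushed here
    remaining = len(store)                  # 1: tok-b is still cached, still stale
    return live_before, stale_before, honored, remaining


if __name__ == "__main__":
    print(walkthrough())
```

Because nothing evicts an entry that is never looked up again, the store's size only reflects real activity if a periodic call to something like stale_count() is used for monitoring; the security property, that validate() never returns a user for an expired token, holds regardless.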

Pending the full development of the AuthZ component, any user authenticated to the system has effectively full access rights.

Security Considerations

Any authenticated user, irrespective