Changing user authentication
OpenDaylight's security is, in part, provided by the AAA project, which implements mechanisms to bring:
- Authentication: Used to authenticate the users
- Authorization: Used to authorize access to resources for a given user
- Accounting: Used to record user's access to resources
By default, when you install any feature, AAA authentication is installed with it. It provides two users by default:
- User admin with password admin
- User user with password user
Getting ready
This recipe does not require anything more than OpenDaylight itself.
The sample code for this recipe is available at:
https://github.com/jgoodyear/OpenDaylightCookbook/tree/master/chapter1/chapter1-recipe7
How to do it...
Perform the following steps:
- Start your OpenDaylight distribution using the karaf script. Using this script will give you access to the Karaf CLI:
$ ./bin/karaf
- Install the user-facing feature, responsible for pulling in all dependencies needed to enable user authentication:
opendaylight-user@root>feature:install odl-aaa-authn
It might take a few minutes to complete the installation.
- To retrieve the list of existing users, send the following request:
  - Type: GET
  - Headers: Authorization: Basic YWRtaW46YWRtaW4=
  - URL: http://localhost:8181/auth/v1/users
The response lists the two default users:
{
  "users": [
    {
      "userid": "admin@sdn",
      "name": "admin",
      "description": "admin user",
      "enabled": true,
      "email": "",
      "password": "**********",
      "salt": "**********",
      "domainid": "sdn"
    },
    {
      "userid": "user@sdn",
      "name": "user",
      "description": "user user",
      "enabled": true,
      "email": "",
      "password": "**********",
      "salt": "**********",
      "domainid": "sdn"
    }
  ]
}
- Update the configuration of a user. First, you need the userid, which can be retrieved using the previous request. For this tutorial, we will use userid=user@sdn.
To update the password for this user, send the following request:
  - Type: PUT
  - Headers: Authorization: Basic YWRtaW46YWRtaW4=
    This is the basic admin/admin authorization. We will not modify this one.
  - Payload:
    {
      "userid": "user@sdn",
      "name": "user",
      "description": "user user",
      "enabled": true,
      "email": "",
      "password": "newpassword",
      "domainid": "sdn"
    }
  - URL: http://localhost:8181/auth/v1/users/user@sdn
Once sent, you will receive the acknowledged payload back in the response.
- Try your new user's password. Open your browser and go to http://localhost:8181/auth/v1/users; you should be asked for credentials. Use:
  Username: user
  Password: newpassword
You should now be logged in with the new, updated password for the user.
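The whole procedure above (list users, update one user's password, then prove the new credential is accepted and the old one rejected) can be scripted instead of typed into a REST client. The following is an added example written for this recipe; it is not the recipe's sample code nor part of the OpenDaylight project. It uses only the URLs, header and JSON shapes shown on the page; the function names, the BASE_URL constant and the sample record are assumptions made here. Note that the Authorization value the recipe hard-codes is nothing more than base64 of admin:admin, which the helper below reconstructs, so anyone who can read the HTTP traffic can read the credential.

```python
"""Added example (not from the OpenDaylight Cookbook or the AAA project): a
small client for the /auth/v1/users endpoint used in this recipe."""
import base64
import json
import urllib.error
import urllib.request

# Assumption: a local Karaf distribution with odl-aaa-authn installed.
BASE_URL = "http://localhost:8181"


def basic_auth_header(username, password):
    """Build the HTTP Basic value the recipe hard-codes as YWRtaW46YWRtaW4=.
    Basic auth is only base64 of 'user:password', not encryption, so over
    plain HTTP the credential is visible to anyone on the path."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return f"Basic {token}"


def build_password_update(user_record, new_password):
    """Turn a record from GET /auth/v1/users into the PUT payload the recipe
    shows. The GET response masks 'password' and 'salt' with asterisks and the
    recipe's PUT payload carries the new password with no salt field, so drop
    the masked fields rather than echoing '**********' back as a password."""
    payload = {k: v for k, v in user_record.items() if k not in ("password", "salt")}
    payload["password"] = new_password
    return payload


def _request(method, path, auth_header, body=None):
    """Send one JSON request to the AAA REST application and decode the reply."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(BASE_URL + path, data=data, method=method)
    req.add_header("Authorization", auth_header)
    if data is not None:
        req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read().decode())


def list_users(auth_header):
    """Step 3 of the recipe: GET /auth/v1/users."""
    return _request("GET", "/auth/v1/users", auth_header)["users"]


def change_password(auth_header, userid, new_password):
    """Step 4 of the recipe: PUT /auth/v1/users/<userid> with the new password."""
    users = {u["userid"]: u for u in list_users(auth_header)}
    payload = build_password_update(users[userid], new_password)
    return _request("PUT", f"/auth/v1/users/{userid}", auth_header, payload)


def credential_accepted(username, password):
    """Step 5 of the recipe: True if the endpoint accepts the credential,
    False on 401, and any other HTTP error is re-raised."""
    try:
        _request("GET", "/auth/v1/users", basic_auth_header(username, password))
        return True
    except urllib.error.HTTPError as err:
        if err.code == 401:
            return False
        raise


if __name__ == "__main__":
    admin = basic_auth_header("admin", "admin")
    print("users:", [u["userid"] for u in list_users(admin)])
    print("update reply:", change_password(admin, "user@sdn", "newpassword"))
    # Verify the change took effect in both directions.
    print("new password accepted:", credential_accepted("user", "newpassword"))
    print("old password rejected:", not credential_accepted("user", "user"))
```

The final two checks are the part worth keeping in any automation: confirming that the old password is refused catches a PUT that returned 200 but did not actually change the stored credential.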
How it works...
The AAA project supports role-based access control (RBAC) based on the Apache Shiro permissions system. It defines a REST application used to interact with the H2 database. Each table has its own REST endpoint that can be called from a REST client to modify the H2 database content, such as the user information.