Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add authClass configuration option to jolokia-osgi #225

Merged
merged 1 commit into from Jan 23, 2016
Merged

Add authClass configuration option to jolokia-osgi #225

merged 1 commit into from Jan 23, 2016

Conversation

ryandgoulding
Copy link
Contributor

jolokia-jvm has the option to specify an authClass. When specified, authMode
is ignored and authentication responsibility is delegated to authClass. This
change enables the use of any authClass which extends
org.jolokia.osgi.security.Authenticator.

Signed-off-by: Ryan Goulding ryandgoulding@gmail.com

@ryandgoulding
Add authClass configuration option to jolokia-osgi
9f914e1 
jolokia-jvm has the option to specify an authClass.  When specified, authMode
is ignored and authentication responsibility is delegated to authClass.  This
change enables the use of any authClass which extends
org.jolokia.osgi.security.Authenticator.

Signed-off-by: Ryan Goulding <ryandgoulding@gmail.com>
@ryandgoulding
Copy link
Contributor Author

@rhuss Please let me know your thoughts on this change. Glad to make any modifications you suggest. I am trying to integrate this with OpenDaylight (osgi/karaf based); we have an existing AAA subsystem and I am trying to delegate jolokia authN responsibility to that. I am the Project Technical Leader of AAA in ODL, so let me know if you think there is a better way to do this and I can adapt internally.

@rhuss
Copy link
Member

rhuss commented Nov 1, 2015

Thanks a lot for the PR. In fact an extension point for an restrictor makes much sense. Jolokia 2.0 already has this, but it's still in early development stage.

Since I'm currently on vacations I will take care about this PR after this (2 weeks). Hope this is OK.

@ryandgoulding
Copy link
Contributor Author

Thanks @rhuss and enjoy your vacation!

odl-github pushed a commit to opendaylight/releng-autorelease that referenced this pull request Nov 17, 2015
@ryandgoulding
Updated releng/autorelease
6db3ef5 
Project: controller  fbc126f0ee9f2a50cd6450378976d4ed32c2dce8

Bug 3231 jolokia access should be controlled by aaa

Due to unfortunate lack of support, we are going to have to just use
basic authentication from config file for now.  I have committed this
patch to upstream jolokia:
jolokia/jolokia#225
which will unlock power for us to use AAA.  However, this won't be
available until a new release is cut on Jolokia's end.

The only options for jolokia-osgi bundle for authentication are basic
file authn (which is implemented in this proposed changeset) and JAAS.
ODL's JAAS is unencrypted and generally disregarded, so basic file
authN was chosen.  By default, the credentials are admin/admin.

Change-Id: I35770bcf13b3cb32e59685e9bbf0ef47d73d132f
Signed-off-by: Ryan Goulding <ryandgoulding@gmail.com>
odl-github pushed a commit to opendaylight/controller that referenced this pull request Nov 17, 2015
@ryandgoulding
Bug 3231 jolokia access should be controlled by aaa
fbc126f 
Due to unfortunate lack of support, we are going to have to just use
basic authentication from config file for now.  I have committed this
patch to upstream jolokia:
jolokia/jolokia#225
which will unlock power for us to use AAA.  However, this won't be
available until a new release is cut on Jolokia's end.

The only options for jolokia-osgi bundle for authentication are basic
file authn (which is implemented in this proposed changeset) and JAAS.
ODL's JAAS is unencrypted and generally disregarded, so basic file
authN was chosen.  By default, the credentials are admin/admin.

Change-Id: I35770bcf13b3cb32e59685e9bbf0ef47d73d132f
Signed-off-by: Ryan Goulding <ryandgoulding@gmail.com>
@rhuss
Copy link
Member

rhuss commented Jan 19, 2016

Sorry for the long delay. However, I'm just about to pick this up now and cut a release before the end of this week,

Would an OSGi Authenticator service help you, too ? I ask because in an OSGi environment this is the canonical way to wire stuff together and we do this already for restrictors which are exposed as OSGi service. That way you could also nicely stack multiple authenticator services (much like for the restrictor).

My suggestion is to use a new authMode with value service in which case in an OSGi context the authentication service is looked at the time of a request. If no such service is available, then the access is restricted. If more than one service is available then all services must pass. An extension could be, to add an extra authRequire option with possible values all or any and allow also multiple, comma separated authMode values.

I think that would fit better in the current implementation (i.e. avoiding Class.forName() lookups in an OSGi environment).

What do you think ?

@rhuss
Copy link
Member

rhuss commented Jan 19, 2016

Seel also http://njbartlett.name/2010/08/30/osgi-readiness-loading-classes.html why using Class.forName() is not the way to go in OSGi ...

@rhuss rhuss merged commit 9f914e1 into jolokia:master Jan 23, 2016
@ryandgoulding
Copy link
Contributor Author

Good points, rhuss. I will look into adding a service interface instead of using Class.forName(...).

ryandgoulding added a commit to ryandgoulding/jolokia that referenced this pull request Nov 14, 2017
@ryandgoulding
Add "service" authMode to jolokia-osgi
3258f91 
Provides the capability to enable "authMode=service" in
org.jolokia.osgi.cfg.  This authentication mode provides the ability
to monitor the OSGi service registry for custom implementations of
the Authenticator interface, resulting in delegation of authentication
to third party implementations.  This is particularly useful for
integrating jolokia into an existing OSGi project.

If "authMode=service" is enabled, authentication only succeeds if
every implementation of Authenticator.authenticate(...) returns true.
If no implementations are provided, then authentication fails (i.e.,
the system defaults to fail-closed).

The initial idea was presented here:
jolokia#225

Signed-off-by: Ryan Goulding <ryandgoulding@gmail.com>
@ryandgoulding ryandgoulding mentioned this pull request Nov 14, 2017
Merged
rhuss pushed a commit to ryandgoulding/jolokia that referenced this pull request Feb 7, 2018
@ryandgoulding @rhuss
Add "service" authMode to jolokia-osgi
1441b0d 
Provides the capability to enable "authMode=service" in
org.jolokia.osgi.cfg.  This authentication mode provides the ability
to monitor the OSGi service registry for custom implementations of
the Authenticator interface, resulting in delegation of authentication
to third party implementations.  This is particularly useful for
integrating jolokia into an existing OSGi project.

If "authMode=service" is enabled, authentication only succeeds if
every implementation of Authenticator.authenticate(...) returns true.
If no implementations are provided, then authentication fails (i.e.,
the system defaults to fail-closed).

The initial idea was presented here:
jolokia#225

Signed-off-by: Ryan Goulding <ryandgoulding@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@ryandgoulding @rhuss