You're reading from OpenDaylight Cookbook Deploy and operate software-defined networking in your organization

Product type Paperback

Published in Jun 2017

Publisher Packt

ISBN-13 9781786462305

Length 336 pages

Edition 1st Edition

Tools

OpenDaylight

Concepts

Networking

Authors (6):

Rashmi Pujar

ICARO CAMELO

Mohamed Elserngawy

Jamie Goodyear

Mathieu Lemay

Yrineu Rodrigues

+2 more

View More author details

Changing user authentication

OpenDaylight's security is, in part, provided by the AAA project, which implements mechanisms to bring:

Authentication: Used to authenticate the users
Authorization: Used to authorize access to resources for a given user
Accounting: Used to record user's access to resources

By default, when you install any features, AAA authentication will be installed. It provides two users by default:

User admin with password admin
User user with password user

Getting ready

This recipe does not require anything more than OpenDaylight itself.

The sample code for this recipe is available at:

https://github.com/jgoodyear/OpenDaylightCookbook/tree/master/chapter1/chapter1-recipe7

How to do it...

Perform the following steps:

Start your OpenDaylight distribution using the karaf script. Using this script will give you access to the Karaf CLI:

$ ./bin/karaf

Install the user-facing feature, responsible for pulling in all dependencies needed to enable user authentication:

opendaylight-user@root>feature:install odl-aaa-authn

It might take a few minutes to complete the installation.

To retrieve the list of existing users, send the following request:

Type: GET
Headers:

Authorization: Basic YWRtaW46YWRtaW4=

URL: http://localhost:8181/auth/v1/users

{ 
  "users": [ 
    { 
      "userid": "admin@sdn", 
      "name": "admin", 
      "description": "admin user", 
      "enabled": true, 
      "email": "", 
      "password": "**********", 
      "salt": "**********", 
      "domainid": "sdn" 
    }, 
    { 
      "userid": "user@sdn", 
      "name": "user", 
      "description": "user user", 
      "enabled": true, 
      "email": "", 
      "password": "**********", 
      "salt": "**********", 
      "domainid": "sdn" 
    } 
  ] 
}

Update the configuration of a user.

First, you need the userid that can be retrieved using the previous request. For this tutorial, we will use userid=user@sdn.

To update the password for this user, do the following request:

Type: PUT
Headers:

Authorization: Basic YWRtaW46YWRtaW4=

This is the basic admin/admin authorization. We will not modify this one.

Payload:

{ 
  "userid": "user@sdn", 
  "name": "user", 
  "description": "user user", 
  "enabled": true, 
  "email": "", 
  "password": "newpassword", 
  "domainid": "sdn" 
}

URL: http://localhost:8181/auth/v1/users/user@sdn

Once sent, you will receive the acknowledged payload.

Try your new user's password. Open your browser and go here http://localhost:8181/auth/v1/users, you should be asked for credentials. Use:
- Username: user
- Password: newpassword

You should now be logged in with the new, updated password for the user.

How it works...

The AAA project supports role-based access control (RBAC) based on the Apache Shiro permissions system. It defines a REST application used to interact with the h2 database. Each table has its own REST endpoint that can be used using a REST client to modify the h2 database content, such as the user information.