#opendaylight-meeting: tws

Meeting started by tbachman at 16:59:42 UTC (full logs).

Meeting summary

  1. Agenda (alagalah, 17:01:56)
    1. https://wiki.opendaylight.org/view/Tech_Work_Stream:Main#Upcoming_Meeting_Agendas (alagalah, 17:01:59)

  2. AAA presentation (tbachman, 17:04:30)
    1. https://drive.google.com/file/d/0B1KtwIIbDsZXVk53ZUhzWHFZRm8/view?usp=sharing Slides for AAA presentation (tbachman, 17:05:37)
    2. Contributors are HP, Cisco, Red Hat, and Inocybe (tbachman, 17:06:28)
    3. Helium has token-based authentication, HTTP basic authentication, built-in IdMLight for managing users/roles/domains, federation with Linux SSSD, AuthZ policies data model + API + AuthZ Broker Infrastructure and configuration (tbachman, 17:07:35)
    4. Fully-functional MD-SAL AuthZ service, Federation with OpenStack Keystone, and application security didn’t make it into Helium release (tbachman, 17:08:03)
    5. token-based authentication supports direct authentication, where user presents credentials and receives an access token scoped to a set of resources, and uses that token to access those resources (tbachman, 17:11:21)
    6. The token is valid for 1hr by default, and is revokable (tbachman, 17:11:44)
    7. alagalah asks if there are any open source projects in use here (tbachman, 17:13:32)
    8. liemmn says that there are some (e.g. Apache open source project for authentication) (tbachman, 17:13:48)
    9. a domain is a grouping of resources for the purpose of access control (tbachman, 17:15:47)
    10. dbainbri asks if it’s a configuration to default to basic authentication (tbachman, 17:17:49)
    11. liemmn says it’s not a configuration item today (tbachman, 17:17:59)
    12. liemmn says you can disable the basic auth bundle (tbachman, 17:19:06)
    13. Federated authentication is where the authentication is delegated to an external identity provider (IdP) (tbachman, 17:22:32)
    14. This allows support of different authentication schemes (SSSD, LDAP, Radius, SAML, etc.) via plugins (tbachman, 17:23:02)
    15. alagalah asks what happens if the controller can’t talk to the IdP (tbachman, 17:27:05)
    16. liemmn says it depends on the case (tbachman, 17:27:13)
    17. if you’re using a UUID in OpenStack (e.g. keystone); if it can’t contact keystone, then the request will fail (tbachman, 17:27:36)
    18. There is a configuration for keystone that allows the controller to decrypt the token and perform authentication without involving keystone (tbachman, 17:28:06)
    19. CRUD operations are supported on domains, users, and roles (tbachman, 17:33:20)
    20. model allows for nested authorization policies (tbachman, 17:34:15)
    21. jmedved asks where liemmn sees enforcing these policies (e.g. on top of MD-SAL)? (tbachman, 17:36:15)
    22. liemmn says that they inject in an Auth-Z aware MD-SAL broker, which limits things right there (tbachman, 17:36:48)
    23. jmedved says there are multiple brokers — and asks if we’re planning to modify all of them (i.e. put in every broker)? (tbachman, 17:37:36)
    24. liemmn says there’s a plan for data brokers for all of them (tbachman, 17:37:46)
    25. dbainbri asks if there’s been thought about controlling access by devices contacting the controller, rather than the other way around (controller contacting devices) (tbachman, 17:39:25)
    26. liemmn says AAA is focused just on the northbound for now (tbachman, 17:39:52)
    27. liemmn says they’d like to see more token-based authentication being used (tbachman, 17:46:25)
    28. https://wiki.opendaylight.org/view/AAA:Main (liemmn, 17:48:26)
    29. dlenrow points out that the SNBI and HP’s device drivers project may support dbainbri’s needs (tbachman, 17:51:03)
    30. https://wiki.opendaylight.org/view/Simultaneous_Release:DRAFT_Lithium_Release_Plan_ckd (alagalah, 17:52:24)
    31. https://wiki.opendaylight.org/view/Simultaneous_Release:DRAFT_Lithium_Release_Plan_ckd Draft Lithium Release plan (tbachman, 17:52:51)
    32. alagalah says that some of the pain points identified in helium have been addressed in the Draft Lithium Release Plan (tbachman, 17:53:27)


Meeting ended at 17:55:04 UTC (full logs).

Action items

  1. (none)


People present (lines said)

  1. tbachman (41)
  2. odl_meetbot (7)
  3. alagalah (5)
  4. liemmn (2)
  5. dlenrow (1)
  6. icbts (1)
  7. dbainbri (1)


Generated by MeetBot 0.1.4.