==========================
#opendaylight-meeting: tws
==========================

Meeting started by tbachman at 16:59:42 UTC. The full logs are available at
http://meetings.opendaylight.org/opendaylight-meeting/2014/tws/opendaylight-meeting-tws.2014-10-27-16.59.log.html .

Meeting summary
---------------
* Agenda (alagalah, 17:01:56)
* LINK: https://wiki.opendaylight.org/view/Tech_Work_Stream:Main#Upcoming_Meeting_Agendas (alagalah, 17:01:59)
* AAA presentation (tbachman, 17:04:30)
* LINK: https://drive.google.com/file/d/0B1KtwIIbDsZXVk53ZUhzWHFZRm8/view?usp=sharing Slides for AAA presentation (tbachman, 17:05:37)
* Contributors are HP, Cisco, Red Hat, and Inocybe (tbachman, 17:06:28)
* Helium has token-based authentication, HTTP basic authentication, built-in IdMLight for managing users/roles/domains, federation with Linux SSSD, AuthZ policies data model + API + AuthZ Broker Infrastructure and configuration (tbachman, 17:07:35)
* Fully-functional MD-SAL AuthZ service, Federation with OpenStack Keystone, and application security didn’t make it into Helium release (tbachman, 17:08:03)
* token-based authentication supports direct authentication, where user presents credentials and receives an access token scoped to a set of resources, and uses that token to access those resources (tbachman, 17:11:21)
* The token is valid for 1hr by default, and is revokable (tbachman, 17:11:44)
* alagalah asks if there are any open source projects in use here (tbachman, 17:13:32)
* liemmn says that there are some (e.g. Apache open source project for authentication) (tbachman, 17:13:48)
* a domain is a grouping of resources for the purpose of access control (tbachman, 17:15:47)
* dbainbri asks if it’s a configuration to default to basic authentication (tbachman, 17:17:49)
* liemmn says it’s not a configuration item today (tbachman, 17:17:59)
* liemmn says you can disable the basic auth bundle (tbachman, 17:19:06)
* Federated authentication is where the authentication is delegated to an external identity provider (IdP) (tbachman, 17:22:32)
* This allows support of different authentication schemes (SSSD, LDAP, Radius, SAML, etc.) via plugins (tbachman, 17:23:02)
* alagalah asks what happens if the controller can’t talk to the IdP (tbachman, 17:27:05)
* liemmn says it depends on the case (tbachman, 17:27:13)
* if you’re using a UUID in OpenStack (e.g. keystone); if it can’t contact keystone, then the request will fail (tbachman, 17:27:36)
* There is a configuration for keystone that allows the controller to decrypt the token and perform authentication without involving keystone (tbachman, 17:28:06)
* CRUD operations are supported on domains, users, and roles (tbachman, 17:33:20)
* model allows for nested authorization policies (tbachman, 17:34:15)
* jmedved asks where liemmn sees enforcing these policies (e.g. on top of MD-SAL)? (tbachman, 17:36:15)
* liemmn says that they inject in an Auth-Z aware MD-SAL broker, which limits things right there (tbachman, 17:36:48)
* jmedved says there are multiple brokers — and asks if we’re planning to modify all of them (i.e. put in every broker)? (tbachman, 17:37:36)
* liemmn says there’s a plan for data brokers for all of them (tbachman, 17:37:46)
* dbainbri asks if there’s been thought about controlling access by devices contacting the controller, rather than the other way around (controller contacting devices) (tbachman, 17:39:25)
* liemmn says AAA is focused just on the northbound for now (tbachman, 17:39:52)
* liemmn says they’d like to see more token-based authentication being used (tbachman, 17:46:25)
* LINK: https://wiki.opendaylight.org/view/AAA:Main (liemmn, 17:48:26)
* dlenrow points out that the SNBI and HP’s device drivers project may support dbainbri’s needs (tbachman, 17:51:03)
* LINK: https://wiki.opendaylight.org/view/Simultaneous_Release:DRAFT_Lithium_Release_Plan_ckd (alagalah, 17:52:24)
* LINK: https://wiki.opendaylight.org/view/Simultaneous_Release:DRAFT_Lithium_Release_Plan_ckd Draft Lithium Release plan (tbachman, 17:52:51)
* alagalah says that some of the pain points identified in Helium have been addressed in the Draft Lithium Release Plan (tbachman, 17:53:27)

Meeting ended at 17:55:04 UTC.

People present (lines said)
---------------------------
* tbachman (41)
* odl_meetbot (7)
* alagalah (5)
* liemmn (2)
* dlenrow (1)
* icbts (1)
* dbainbri (1)

Generated by `MeetBot`_ 0.1.4