Configure ODL NB API user/pass

[dfarrell07]

This is a feature request from OPNFV.

We need to add knobs to configure ODL Karaf's username and password.

This wiki has some docs about how to do this, but neither option (REST calls or DB updates) seems great for Puppet.

This bug this is an independent but related feature request from ODL's main security guy, David Jorm.

[dfarrell07]

I think OPNFV didn't actually need this.

I didn't find an elegant way to do it via Puppet. "Best" option seems to be to start ODL, then use a REST call to update the user/pass, then restart ODL.

[trozet]

This is going to be required for OSP-D deployments.

On Fri, Jan 29, 2016 at 12:39 PM, Daniel Farrell [email protected]
wrote:

I think OPNFV didn't actually need this.

I didn't find an elegant way to do it via Puppet. "Best" option seems to
be to start ODL, then use a REST call to update the user/pass, then restart
ODL.

—
Reply to this email directly or view it on GitHub
#89 (comment)
.

[dfarrell07]

This is going to be required for OSP-D deployments.

Good feedback. I guess we'll have to do the not-so-great REST option described above.

[dfarrell07]

Actually we need to config ODL NB API password, not Karaf shell password.

[vorburger]

https://git.opendaylight.org/gerrit/#/c/48372/

[dfarrell07]

@vorburger's patch to add logic for a JAR that provides this functionally to AAA has been merged. Thanks @vorburger, @trozet and Ryan! Great cross-community collaboration.

[trozet]

Why is this closed? We still need to patch puppet-opendaylight to configure the user/password. I was going to work on this tomorrow.

[dfarrell07]

@vorburger's password-changing JAR is packed in pre-release Carbon RPMs.

# Exact RPM will change over time, see parent dir for current-latest
sudo dnf install -y http://cbs.centos.org/repos/nfv7-opendaylight-6-testing/x86_64/os/Packages/opendaylight-6.0.0-0.1.20170120rel1652.el7.noarch.rpm
java -jar /opt/opendaylight/bin/aaa-cli-jar-0.5.0-Carbon.jar -h

# Above exact RPM will be replaced, can use .repo file to always grab latest or see 6-testing dir for new-latest
sudo curl -o /etc/yum.repos.d/opendaylight-6-testing.repo https://git.opendaylight.org/gerrit/gitweb?p=integration/packaging.git;a=blob_plain;f=rpm/example_repo_configs/opendaylight-6-testing.repo;hb=HEAD
sudo dnf install -y opendaylight
java -jar /opt/opendaylight/bin/aaa-cli-jar-0.5.0-Carbon.jar -h

See this ODL wiki and the help output for docs.

Option                       Description                          
------                       -----------                          
-?, -h                       Show help                            
-X, --debug                  Produce execution debug output       
-a                           New User(s) added with 'admin' role  
--changeUser, --cu <String>  Existing user name to change password
--dbd <File: path>           databaseDirectory (default: .)       
-l, --listUsers              List all existing users              
--newUser, --nu <String>     New user to create                   
-p, --passwd <String>        New password                         

It doesn't seem like the Gerrit was merged to sable/boron, only master (pre-release carbon). Until/unless it's cherry-picked, it will not be in Boron packages.

Still need to expose this via puppet-opendaylight and ansible-opendaylight param/config knobs.