SDC provides a set of external APIs that are exposed from our side through the SDC API.

These APIs are authenticated using basic authentication.

In order to integrate with other components, consumers are configured per component. This operation is performed as an integral part of executing the Backend Docker.

The following users are predefined:

  • appc
  • vid
  • dcae
  • aai
  • sdnc
  • mso

For the purposes of this document the manual consumer configuration process is described.

To create new SDC consumers:

You will need to compile our security-utils project, which provides a set of functions for hashing passwords using SHA-256.

  1. Clone the SDC project:

    git clone http://gerrit.onap.org/r/sdc
  2. Under the cloned project go to security-utils.
  3. Run:

    mvn clean install
    • If you get the error message "No compiler is provided in this environment. Perhaps you are running on a JRE rather than a JDK?" try running sudo apt-get install openjdk-8-jdk, then redo the mvn command.

  4. This will generate a security-utils-<version>.jar under the target dir.
  5. Execute the jar with the password you want to generate a hash for:

    java -cp /tmp/security-utils-*.jar org.openecomp.sdc.security.Passwords password
    
    
    In the Beijing release, please use security-utils-*-jar-with-dependencies.jar
  6. The jar will return the salt and the hash generated by adding the salt to the provided password before hashing it. The response format is <salt>:<hash>.
  7. Now that we have the salt we need to create a consumer in SDC.
  8. To create a consumer execute the following curl command towards the SDC backend server:

    curl -X POST -i -H "Accept: application/json; charset=UTF-8" -H "Content-Type: application/json" -H "USER_ID: jh0003" http://<ip of the server you want to access>:8080/sdc2/rest/v1/consumers/ -d '{"consumerName": "<consumer name>", "consumerSalt": "<salt>", "consumerPassword": "<hash>"}'
  9. The curl command creates the consumer in the SDC DB. From this moment you can access our external APIs using the consumer name and the password used for the hash generation.
  10. The hash function is one-way, so if you forget the password SDC will not be able to recreate it and you will need to delete the consumer and create a new one.
  11. This information should be added to the API call as a basic authentication header.
  12. You can check if the created user exists by calling:

    curl -X GET -i -H "Accept: application/json; charset=UTF-8" -H "Content-Type: application/json" -H "USER_ID: jh0003" http://localhost:8080/sdc2/rest/v1/consumers/<consumer name>
    HTTP/1.1 200 OK
    Set-Cookie: JSESSIONID=1ahpyqpjjgfblahos4f03qun9;Path=/
    Expires: Thu, 01 Jan 1970 00:00:00 GMT
    Content-Type: application/json;charset=UTF-8
    X-ECOMP-RequestID: 6e47cbde-44e8-4b82-8f17-c6a731bf0081
    Vary: Accept-Encoding, User-Agent
    Content-Length: 268
    Server: Jetty(9.3.12.v20160915)
    
    {"consumerName":"<consumer name>","consumerPassword":"<consumer hashed password>","consumerSalt":"eaa62d9681d8f803ac05db342e3c9cc0","consumerLastAuthenticationTime":0,"consumerDetailsLastupdatedtime":1481211500749,"lastModfierUserId":"jh0003"}

In Linux you can use these commands:

  1. Run the following commands, providing consumer specific values for the parameters that are inside <>:

    consumerName=<Consumer user name>   # for example: appc
    user_pass=<Consumer password>       # for example: appcos
    IP=localhost                        # or the Docker IP
    # The utility prints <salt>:<hash>; tr and awk strip the surrounding brackets
    enc_pass=`java -cp <jar location>/security-utils-*.jar org.openecomp.sdc.security.Passwords "$user_pass" |tr '[]' ' '|awk '{print $1}'`
    salt=`echo $enc_pass |awk -F: '{print $1}'`
    pass=`echo $enc_pass |awk -F: '{print $2}'`
    
    # Double-quoted payload so the variables expand and each JSON value is quoted
    curl -X POST -i -H "Accept: application/json; charset=UTF-8" -H "Content-Type: application/json" -H "USER_ID: jh0003" http://$IP:8080/sdc2/rest/v1/consumers/ -d "{\"consumerName\": \"$consumerName\", \"consumerSalt\": \"$salt\", \"consumerPassword\": \"$pass\"}"
    

    Note: Repeat the consumer creation process for each consumer, providing the consumer-specific consumerName and user_pass.


    For example:

    consumerName=appc
    user_pass=appcos
    enc_pass=`java -cp /tmp/security-utils-1702.0.11.jar org.openecomp.sdc.security.Passwords $user_pass |tr '[]' ' '|awk '{print $1}'`
    salt=`echo $enc_pass |awk -F: '{print $1}'`
    pass=`echo $enc_pass |awk -F: '{print $2}'`
    
    curl -X POST -i -H "Accept: application/json; charset=UTF-8" -H "Content-Type: application/json" -H "USER_ID: jh0003" http://localhost:8080/sdc2/rest/v1/consumers/ -d "{\"consumerName\": \"$consumerName\", \"consumerSalt\": \"$salt\", \"consumerPassword\": \"$pass\"}"
  2. Check that the consumer was successfully created in SDC:

    curl -X GET -i -H "Accept: application/json; charset=UTF-8" -H "Content-Type: application/json" -H "USER_ID: jh0003" http://localhost:8080/sdc2/rest/v1/consumers/<consumerName>
    HTTP/1.1 200 OK
    Set-Cookie: JSESSIONID=1ahpyqpjjgfblahos4f03qun9;Path=/
    Expires: Thu, 01 Jan 1970 00:00:00 GMT
    Content-Type: application/json;charset=UTF-8
    X-ECOMP-RequestID: 6e47cbde-44e8-4b82-8f17-c6a731bf0081
    Vary: Accept-Encoding, User-Agent
    Content-Length: 268
    Server: Jetty(9.3.12.v20160915)
    
    {"consumerName":"vid","consumerPassword":"3936abc03d50693c90ec68a4a60427d6bdde8b085d60314333c9e58a270ff6f3","consumerSalt":"eaa62d9681d8f803ac05db342e3c9cc0","consumerLastAuthenticationTime":0,"consumerDetailsLastupdatedtime":1481211500749,"lastModfierAtuid":"jh0003"}
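
The helpers below are an added example, not part of the SDC project or the original page: they validate the `<salt>:<hash>` output, build the consumer JSON with properly quoted values, and build the basic authentication header from step 11. The function names, the bracket stripping and the hex-format checks are assumptions drawn from the sample commands and response above.

```sh
#!/bin/sh
# Added example (not SDC code): helpers for the consumer-creation steps above.

# Split the utility's "<salt>:<hash>" output, dropping the brackets and blanks
# that the page's tr/awk pipeline removes. Prints "salt hash", or returns 1.
# Assumption from the sample response on this page: hex salt, 64-hex-char hash.
parse_salt_hash() {
    psh_raw=$(printf '%s' "$1" | tr -d '[] \n')
    case $psh_raw in *:*) ;; *) return 1 ;; esac
    psh_salt=${psh_raw%%:*}
    psh_hash=${psh_raw#*:}
    case $psh_salt$psh_hash in *[!0-9a-fA-F]*) return 1 ;; esac
    [ -n "$psh_salt" ] && [ "${#psh_hash}" -eq 64 ] || return 1
    printf '%s %s\n' "$psh_salt" "$psh_hash"
}

# Build the POST body with every value inside JSON double quotes.
# Assumption: consumer names are simple tokens such as appc or vid.
consumer_payload() {
    case $1 in ''|*[!A-Za-z0-9_.-]*) return 1 ;; esac
    printf '{"consumerName": "%s", "consumerSalt": "%s", "consumerPassword": "%s"}' \
        "$1" "$2" "$3"
}

# Basic authentication header (step 11): base64 of "name:password".
# The name must not contain ':' because the first colon separates the fields.
basic_auth_header() {
    case $1 in *:*) return 1 ;; esac
    printf 'Authorization: Basic %s' "$(printf '%s:%s' "$1" "$2" | base64 | tr -d '\n')"
}

# Constructed input: the salt and hash from the sample response on this page,
# wrapped in the brackets that the tr command implies.
sample='[eaa62d9681d8f803ac05db342e3c9cc0:3936abc03d50693c90ec68a4a60427d6bdde8b085d60314333c9e58a270ff6f3]'
pair=$(parse_salt_hash "$sample") || exit 1
consumer_payload vid "${pair% *}" "${pair#* }"; echo
basic_auth_header appc appcos; echo
```

Pass the results to curl as `-d "$(consumer_payload ...)"` and `-H "$(basic_auth_header ...)"`; curl's `-u name:password` option builds the same header.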

13 Comments

  1.  Could SDC add the vfc as the predefined user in R1?  Thanks

  2. No problem, please open a task on me and we will handle it.

  3. I'm having trouble with step 5. (I've never run a java executable before)

    Why does that command refer to a non-existent file in /tmp?

    java -cp /tmp/security-utils-*.jar org.openecomp.sdc.security.Passwords password
    java -cp /tmp/security-utils-1.2.0.jar org.openecomp.sdc.security.Passwords password
    java -cp /tmp/security-utils-1.2.0-SNAPSHOT.jar org.openecomp.sdc.security.Passwords password

    All give the error:

    Error: Could not find or load main class org.openecomp.sdc.security.Passwords


    If I use the actual file, I get a different error:

    $ java -cp security-utils-1.2.0-SNAPSHOT.jar org.openecomp.sdc.security.Passwords password
    Exception in thread "main" java.lang.NoClassDefFoundError: org/slf4j/LoggerFactory
            at org.openecomp.sdc.security.Passwords.<clinit>(Passwords.java:36)
    Caused by: java.lang.ClassNotFoundException: org.slf4j.LoggerFactory
            at java.net.URLClassLoader.findClass(URLClassLoader.java:381)
            at java.lang.ClassLoader.loadClass(ClassLoader.java:424)
            at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:349)
            at java.lang.ClassLoader.loadClass(ClassLoader.java:357)
            ... 1 more





    1. You are correct, this is a bug caused by adding dependencies to the jar.

      Published a fix to create a fat jar to allow successful execution: SDC-1346

    2. Until that patch gets merged, a workaround is to run the following from the ./sdc folder:

      java -cp ./openecomp-be/api/openecomp-sdc-rest-webapp/onboarding-rest-war/target/onboarding-be-1.2.0-SNAPSHOT/WEB-INF/lib/slf4j-api-1.7.21.jar:./security-utils/target/security-utils-1.2.0-SNAPSHOT.jar org.openecomp.sdc.security.Passwords password
      1. The patch is already merged.

  4. I'm curious, why is this Password jar required? Can't we just do the hash and salt with a couple of bash commands? That seems far simpler than anything involving Java.

    1. In order for this to work you need to use the same hashing function and logic, so that the creation will be aligned with the logic checking it.

      In order to do this, the jar is the easiest way; it is used for creating the hash and for challenging it.


      You probably can do it in bash, but then you need to understand what exactly is done in SDC.

  5. Why does the API call in the final step return the hash of any user? Publicly exposing every password hash and salt with an unauthenticated API call does not seem like a great idea.

    1. This is a one-way hash; it cannot be converted into a password.

      So this is not an issue.

  6. Hi Michael Lando,

    Is this guide still relevant? I have built the SDC project but cannot see the required security-utils jar.

    Thanks,

    Fiachra

    1. Fiachra Corcoran We also ran into the same issue after building the latest code base. We had to use the old version (Beijing) to get these jars and then create the consumer. I think it would be great if someone can provide more details based on the latest version.

    2. Hi Fiachra Corcoran Rakesh Girija Ramesan Nair,

      You can find the jar in the folder: <repo-root>/security-utils/target/security-utils-1.6.0-SNAPSHOT-jar-with-dependencies.jar

      Just followed the process and it worked.