SDN administrative REST API

The main SDN Controller daemon (SDNC) is accompanied by an ancillary daemon process (sdna), which runs under user sdnadmin in order to grant it access to some elevated privileges.

The administrative REST API can be used to securely perform various management functions in a privileged context. The main SDN Controller process should not hold those privileges itself, because it may be executing third-party code.

The SDN Administrator daemon is accessed through the REST API via HTTPS on port 8081. Access is secured through either token-based authentication or basic authentication against the locally running keystone server, in the same way as the main SDN Controller REST API.

The following set of features are accessible through the administrative REST API:

The install process adds a number of sudoers entries for the sdnadmin user. These are as follows:

All, or any, of the above entries can be blocked or removed from the sudoers configuration. The /sbin/ifconfig entry is only required when running in teamed mode; without it, the controller cannot migrate the team IP address from node to node as the team leader changes. The /sbin/iptables entry is also required in teamed mode, to secure team communication.
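An added example, not part of the original documentation: a shell function that lists the command grants held by sdnadmin in a sudoers file and marks which ones the paragraph above says are needed for the chosen mode. The sample file contents and the /usr/local/bin/example-helper path are constructed; the entries the installer actually writes are not reproduced here.

```shell
#!/bin/sh
# Added example: classify the sudoers command grants held by sdnadmin.

# Constructed sample input; NOT the entries the installer writes.
# /usr/local/bin/example-helper is a hypothetical path.
sample_sudoers() {
    cat <<'EOF'
# constructed sample
root     ALL=(ALL:ALL) ALL
sdnadmin ALL=(root) NOPASSWD: /sbin/ifconfig, \
                              /sbin/iptables
sdnadmin ALL=(root) NOPASSWD: /usr/local/bin/example-helper --flag
EOF
}

# audit_sdnadmin_sudoers FILE MODE   (MODE: teamed | standalone)
# Prints "required PATH" or "optional PATH" for each granted command.
audit_sdnadmin_sudoers() {
    awk -v mode="$2" '
        # Join lines continued with a trailing backslash.
        { while (sub(/\\$/, "") && (getline nxt) > 0) $0 = $0 nxt }
        $1 != "sdnadmin" { next }          # other users, comments, aliases
        {
            sub(/^[^=]*=/, "")             # drop "sdnadmin HOST ="
            gsub(/\([^)]*\)/, "")          # drop Runas spec, e.g. (root)
            gsub(/[A-Z_]+:/, "")           # drop tags, e.g. NOPASSWD:
            n = split($0, cmds, ",")
            for (i = 1; i <= n; i++) {
                if (split(cmds[i], w, " ") == 0) continue
                need = "optional"
                # Per the text: these two are needed only in teamed mode.
                if (mode == "teamed" &&
                    (w[1] == "/sbin/ifconfig" || w[1] == "/sbin/iptables"))
                    need = "required"
                print need, w[1]           # w[1] is the path, rest are args
            }
        }' "$1"
}

# Run against a real file when called with two arguments.
if [ "$#" -eq 2 ]; then
    audit_sdnadmin_sudoers "$1" "$2"
fi
```

The parser reads one file and does not resolve Cmnd_Alias definitions or included files; sudo -l -U sdnadmin shows the effective grants on a live system.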

The sdna daemon can be completely disabled by stopping it with the sudo service sdna stop command and then removing the /etc/init/sdna.conf file.