SDN administrative REST API

SDN administrative REST API
prev	Chapter 6 SDN Controller security features	next

The main SDN Controller daemon (SDNC) is accompanied by an ancillary daemon process (sdna), which runs under user sdnadmin in order to grant it access to some elevated privileges.

The administrative REST API can be used to securely perform various management functions in a privileged context. It would be undesirable for the main SDN Controller process to possess those privileges as it might be hosting execution of third-party code.

The SDN Administrator daemon can be accessed via the REST API vi HTTPS on port 8081. The access is secured through either token-based authentication or basic authentication, against the locally running keystone server, which is the same as the main SDN Controller REST API.

The following set of features are accessible through the administrative REST API:

SDN Controller daemon (sdnc) stop/start/restart
Adding/removing the team leader IP alias (required only when in team mode)
Configure iptable rules to protect team communication
Downloading the ZIP bundle of log files
Uploading upgrade Debian bundles and installing/removing Debian packages
Uploading upgrade ZIP bundles and executing upgrade commands
System reboot

The install process adds a number of sudoers entries for the sdnadmin user. These are as follows:

/sbin/ifconfig
/sbin/reboot
/sbin/iptables
/usr/bin/service
/usr/bin/at
/usr/bin/dpkg

All, or any, of the above entries can be blocked or removed from the sudoers configuration. The /sbin/ifconfig entry is only required when running in teamed mode. Otherwise the controller cannot migrate the team IP address from node to node as team leader changes. The /sbin/iptables is also required in teamed mode to secure team communication.

The sdna daemon can be completely disabled by stopping the daemon by using the sudo service sdna stop command and then removing the /etc/init/sdna.conf file.

prev	up	next
Revoking Trust	home	Virgo admin UI access via localhost only