authorRyan Young <ry303t@att.com>2018-04-20 16:10:38 -0400
committerRanda Maher <rx196w@att.com>2018-04-20 21:06:25 +0000
commite0c40e9818525ba2f3c66d247960f9b6ab5f3dad (patch)
treeec73abaa4e2a54b17eb91def3ce0fa498f205055
parent388a3ee7b560154cabcbc791f8c6fa20df3deca4 (diff)
Update AAF configuration for ODL Nitrogen
Change-Id: I79455114a585f637a80be34beb9ae358dce4b9b1 Signed-off-by: Ryan Young <ry303t@att.com> Issue-ID: APPC-404
-rw-r--r--installation/appc/pom.xml2
-rw-r--r--installation/appc/src/main/resources/aaa-app-config.xml120
-rw-r--r--installation/appc/src/main/resources/shiro.ini170
-rw-r--r--installation/appc/src/main/scripts/startODL.sh4
4 files changed, 123 insertions, 173 deletions
diff --git a/installation/appc/pom.xml b/installation/appc/pom.xml
index 2daad09..efaed22 100644
--- a/installation/appc/pom.xml
+++ b/installation/appc/pom.xml
@@ -112,7 +112,7 @@ limitations under the License.
<include>*.dump</include>
<include>*.sh</include>
<include>*.cfg</include>
- <include>*.ini</include>
+ <include>*.xml</include>
</includes>
<filtering>false</filtering>
</resource>
diff --git a/installation/appc/src/main/resources/aaa-app-config.xml b/installation/appc/src/main/resources/aaa-app-config.xml
new file mode 100644
index 0000000..0fea77e
--- /dev/null
+++ b/installation/appc/src/main/resources/aaa-app-config.xml
@@ -0,0 +1,120 @@
+<?xml version="1.0" ?>
+<!--
+###
+# ============LICENSE_START=======================================================
+# APPC
+# ================================================================================
+# Copyright (C) 2018 AT&T Intellectual Property. All rights reserved.
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ============LICENSE_END=========================================================
+###
+ -->
+
+<shiro-configuration xmlns="urn:opendaylight:aaa:app:config">
+
+ <!--
+ ================================= TokenAuthRealm ==================================
+ = =
+ = Use org.onap.aaf.cadi.shiro.AAFRealm to enable AAF authentication =
+ = Use org.opendaylight.aaa.shiro.realm.TokenAuthRealm =
+ ===================================================================================
+ -->
+ <main>
+ <pair-key>tokenAuthRealm</pair-key>
+ <pair-value>org.opendaylight.aaa.shiro.realm.TokenAuthRealm</pair-value>
+<!-- <pair-value>org.onap.aaf.cadi.shiro.AAFRealm</pair-value> -->
+ </main>
+
+
+ <!-- add tokenAuthRealm as the only default realm -->
+ <main>
+ <pair-key>securityManager.realms</pair-key>
+ <pair-value>$tokenAuthRealm</pair-value>
+ </main>
+
+ <!-- Used to support OAuth2 use case. -->
+ <main>
+ <pair-key>authcBasic</pair-key>
+ <pair-value>org.opendaylight.aaa.shiro.filters.ODLHttpAuthenticationFilter</pair-value>
+ </main>
+
+ <!-- in order to track AAA challenge attempts -->
+ <main>
+ <pair-key>accountingListener</pair-key>
+ <pair-value>org.opendaylight.aaa.shiro.filters.AuthenticationListener</pair-value>
+ </main>
+ <main>
+ <pair-key>securityManager.authenticator.authenticationListeners</pair-key>
+ <pair-value>$accountingListener</pair-value>
+ </main>
+
+ <!-- Model based authorization scheme supporting RBAC for REST endpoints -->
+ <main>
+ <pair-key>dynamicAuthorization</pair-key>
+ <pair-value>org.opendaylight.aaa.shiro.realm.MDSALDynamicAuthorizationFilter</pair-value>
+ </main>
+
+
+ <!--
+ ===================================================================================
+ = URLS =
+ = For AAF use <pair-value> authcBasic, roles[org.onap.appc.odl|odl-api\*] =
+ = org.onap.appc.odl|odl-api|* can be replaced with other AAF permissions =
+ = For default <pair-value> authcBasic, roles[admin] =
+ ===================================================================================
+ -->
+
+ <!-- restrict access to some endpoints by default -->
+ <urls>
+ <pair-key>/auth/**</pair-key>
+ <pair-value>authcBasic, roles[admin], dynamicAuthorization</pair-value>
+<!-- <pair-value>authcBasic, roles[org.onap.appc.odl|odl-admin|*]</pair-value> -->
+ </urls>
+ <urls>
+ <pair-key>/restconf/config/aaa-cert-mdsal**</pair-key>
+ <pair-value>authcBasic, roles[admin]</pair-value>
+<!-- <pair-value>authcBasic, roles[org.onap.appc.odl|odl-admin|*]</pair-value> -->
+ </urls>
+ <urls>
+ <pair-key>/restconf/operational/aaa-cert-mdsal**</pair-key>
+ <pair-value>authcBasic, roles[admin]</pair-value>
+<!-- <pair-value>authcBasic, roles[org.onap.appc.odl|odl-admin|*]</pair-value> -->
+ </urls>
+ <urls>
+ <pair-key>/restconf/operations/aaa-cert-rpc**</pair-key>
+ <pair-value>authcBasic, roles[admin]</pair-value>
+<!-- <pair-value>authcBasic, roles[org.onap.appc.odl|odl-admin|*]</pair-value> -->
+ </urls>
+ <urls>
+ <pair-key>/restconf/config/aaa-authn-model**</pair-key>
+ <pair-value>authcBasic, roles[admin]</pair-value>
+<!-- <pair-value>authcBasic, roles[org.onap.appc.odl|odl-admin|*]</pair-value> -->
+ </urls>
+ <urls>
+ <pair-key>/restconf/operational/aaa-authn-model**</pair-key>
+ <pair-value>authcBasic, roles[admin]</pair-value>
+<!-- <pair-value>authcBasic, roles[org.onap.appc.odl|odl-admin|*]</pair-value> -->
+ </urls>
+ <urls>
+ <pair-key>/restconf/operations/cluster-admin**</pair-key>
+ <pair-value>authcBasic, roles[admin]</pair-value>
+<!-- <pair-value>authcBasic, roles[org.onap.appc.odl|odl-admin|*]</pair-value> -->
+ </urls>
+ <urls>
+ <pair-key>/**</pair-key>
+ <pair-value>authcBasic, roles[admin]</pair-value>
+<!-- <pair-value>authcBasic, roles[org.onap.appc.odl|odl-api|*]</pair-value> -->
+ </urls>
+</shiro-configuration>
+
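Review bot: The catch-all rule at the end of the `<urls>` list (`/**` → `authcBasic, roles[admin]`) drops the `dynamicAuthorization` filter that the removed shiro.ini applied to `/**` (`authcBasic, dynamicAuthorization`), so the `dynamicAuthorization` bean defined in this file is now only applied to `/auth/**`, and every non-admin caller is refused on all other endpoints rather than being evaluated against the MD-SAL authorization model. If that tightening is intended, say so in the comment above the block, e.g. `<!-- all other endpoints: admin role required; MD-SAL dynamic authorization is not consulted -->`; otherwise restore it with `<pair-value>authcBasic, roles[admin], dynamicAuthorization</pair-value>` or the previous `<pair-value>authcBasic, dynamicAuthorization</pair-value>`. Separately, the URL keys now carry a `/restconf` prefix that the shiro.ini entries did not (`/config/aaa-cert-mdsal**` → `/restconf/config/aaa-cert-mdsal**`); this looks like the Nitrogen filter mount point, but it is worth a one-line comment so a reader does not assume the rules changed scope. Minor: the declaration should state its encoding, `<?xml version="1.0" encoding="UTF-8"?>`.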
diff --git a/installation/appc/src/main/resources/shiro.ini b/installation/appc/src/main/resources/shiro.ini
deleted file mode 100644
index 4a1928f..0000000
--- a/installation/appc/src/main/resources/shiro.ini
+++ /dev/null
@@ -1,170 +0,0 @@
-#
-# Copyright (c) 2015-2016 Brocade Communications Systems, Inc. and others. All rights reserved.
-# Additions copyright (C) 2018 AT&T Intellectual Property
-#
-# This program and the accompanying materials are made available under the
-# terms of the Eclipse Public License v1.0 which accompanies this distribution,
-# and is available at http://www.eclipse.org/legal/epl-v10.html
-#
-
-###############################################################################
-# shiro.ini #
-# #
-# Configuration of OpenDaylight's aaa-shiro feature. Provided Realm #
-# implementations include: #
-# - TokenAuthRealm (enabled by default) #
-# - ODLJndiLdapRealm (disabled by default) #
-# - ODLJndiLdapRealmAuthNOnly (disabled by default) #
-# Basic user configuration through shiro.ini is disabled for security #
-# purposes. #
-###############################################################################
-
-
-
-[main]
-###############################################################################
-# realms #
-# #
-# This section is dedicated to setting up realms for OpenDaylight. Realms #
-# are essentially different methods for providing AAA. ODL strives to provide#
-# highly-configurable AAA by providing pluggable infrastructure. By deafult, #
-# TokenAuthRealm is enabled out of the box (which bridges to the existing AAA #
-# mechanisms). More than one realm can be enabled, and the realms are #
-# tried Round-Robin until: #
-# 1) a realm successfully authenticates the incoming request #
-# 2) all realms are exhausted, and 401 is returned #
-###############################################################################
-
-
-# ODL provides a few LDAP implementations, which are disabled out of the box.
-# ODLJndiLdapRealm includes authorization functionality based on LDAP elements
-# extracted through and LDAP search. This requires a bit of knowledge about
-# how your LDAP system is setup. An example is provided below:
-#ldapRealm = org.opendaylight.aaa.shiro.realm.ODLJndiLdapRealm
-#ldapRealm.userDnTemplate = uid={0},ou=People,dc=DOMAIN,dc=TLD
-#ldapRealm.contextFactory.url = ldap://<URL>:389
-#ldapRealm.searchBase = dc=DOMAIN,dc=TLD
-# Abstraction to map LDAP extracted groups to ODL roles
-#ldapRealm.groupRolesMap = "person":"admin", "organizationalPerson":"user"
-#ldapRealm.ldapAttributeForComparison = objectClass
-
-# ODL also provides ODLJndiLdapRealmAuthNOnly. Essentially, this allows
-# access through AAAFilter to any user that can authenticate against the
-# provided LDAP server.
-#ldapRealm = org.opendaylight.aaa.shiro.realm.ODLJndiLdapRealmAuthNOnly
-#ldapRealm.userDnTemplate = uid={0},ou=People,dc=DOMAIN,dc=TLD
-#ldapRealm.contextFactory.url = ldap://<URL>:389
-
-# ODL provides an Active Directory Realm through ODLActiveDirectoryRealm.
-#adRealm = org.opendaylight.aaa.shiro.realm.ODLActiveDirectoryRealm
-#adRealm.searchBase = "CN=Users,DC=example,DC=com"
-#adRealm.systemUsername = aduser@example.com
-#adRealm.systemPassword = adpassword
-#adRealm.url = ldaps://adserver:636
-# the groupRolesMap maps an AD query to a particular role.
-#adRealm.groupRolesMap = "CN=sysadmin,CN=Users,DC=example,DC=com":"admin", "CN=unprivileged,CN=Users,DC=example,DC=com":"user"
-
-# ODL provides a slightly customized version of Shiro's JdbcRealm, which
-# can be used to integrate with an existing JDBC-supporting data source. This
-# helps ease deployment configuration with existing OSS systems. Setting up
-# the ODLJdbcRealm requires instantiation of two abstractions; the data source
-# and the realm.
-# ds, which stands for data source, defines a data source which can be used
-# for JDBC connections.
-#ds = com.mysql.jdbc.Driver
-#ds.serverName = localhost
-#ds.user = user
-#ds.password = password
-#ds.databaseName = db_name
-# jdbcRealm is used to manipulate realm instance properties, specifically the
-# queries required to extract information from a JDBC data source.
-#jdbcRealm = org.opendaylight.aaa.shiro.realm.ODLJdbcRealm
-#jdbcRealm.dataSource = $ds
-#jdbcRealm.authenticationQuery = "SELECT password FROM users WHERE user_name = ?"
-#jdbcRealm.userRolesQuery = "SELECT role_name FROM user_rolesWHERE user_name = ?"
-
-# Bridge to existing h2/idmlight/mdsal authentication/authorization mechanisms.
-# This realm is enabled by default, and utilizes h2-store by default.
-tokenAuthRealm = org.opendaylight.aaa.shiro.realm.TokenAuthRealm
-
-# AT&T
-# Use this class for AAF Realm, must also use AAF permission format for URL's
-#tokenAuthRealm = org.onap.aaf.cadi.shiro.AAFRealm
-
-# The MoonRealm is useful for bridging ODL with the OPNFV Moon project. To
-# enable the moonAuthRealm, uncomment the line below, and then add moonAuthRealm
-# to the securityManager.realms list below
-#moonAuthRealm = org.opendaylight.aaa.shiro.realm.MoonRealm
-#moonAuthRealm.moonServerURL = http://<host>:<port>
-
-# ODL provides a KeystoneAuthRealm to authenticate access against an OpenStack
-# Keystone (v3) instance. At this time the authentication is 'unscoped' and
-# authorization is not supported.
-#keystoneAuthRealm = org.opendaylight.aaa.shiro.realm.KeystoneAuthRealm
-#keystoneAuthRealm.url = https://<host>:<port>
-#keystoneAuthRealm.sslVerification = true
-# Default domain to use if not specified within the provided credentials.
-#keystoneAuthRealm.defaultDomain = Default
-
-# The CSV list of enabled realms. In order to enable a realm, add it to the
-# list below:
-securityManager.realms = $tokenAuthRealm
-
-# adds a custom AuthenticationFilter to support OAuth2 for backwards
-# compatibility. To disable OAuth2 access, just comment out the next line
-# and authcBasic will default to BasicHttpAuthenticationFilter, a
-# Shiro-provided class.
-authcBasic = org.opendaylight.aaa.shiro.filters.ODLHttpAuthenticationFilter
-
-# OAuth2 Filter for moon token AuthN
-#rest = org.opendaylight.aaa.shiro.filters.MoonOAuthFilter
-
-# add in AuthenticationListener, a Listener that records whether
-# authentication attempts are successful or unsuccessful. This audit
-# information is disabled by default, to avoid log flooding. To enable,
-# issue the following in karaf:
-# >log:set DEBUG org.opendaylight.aaa.shiro.filters.AuthenticationListener
-accountingListener = org.opendaylight.aaa.shiro.filters.AuthenticationListener
-securityManager.authenticator.authenticationListeners = $accountingListener
-
-# Filter to support dynamic urls rules based on md-sal model
-dynamicAuthorization = org.opendaylight.aaa.shiro.realm.MDSALDynamicAuthorizationFilter
-
-
-
-[urls]
-###############################################################################
-# url authorization section #
-# #
-# This section is dedicated to defining url-based authorization according to: #
-# http://shiro.apache.org/web.html #
-# #
-# DO NOT EDIT THE FOLLOWING UNLESS YOU KNOW WHAT YOU ARE DOING! #
-###############################################################################
-
-# Temporarily added authorization endpoints; will be removed when MDSAL based
-# Model can be initialized from file.
-/v1/** = authcBasic, roles[admin], dynamicAuthorization
-
-# Restrict AAA-Certificate REST APIs to Admin role
-/config/aaa-cert-mdsal** = authcBasic, roles[admin]
-/operational/aaa-cert-mdsal** = authcBasic, roles[admin]
-/operations/aaa-cert-rpc** = authcBasic, roles[admin]
-
-# Access to the credential store is limited to the valid users who have the
-# admin role. The following line is only needed if the mdsal store is enabled
-#(the mdsal store is disabled by default).
-/config/aaa-authn-model** = authcBasic, roles[admin]
-/operational/aaa-authn-model** = authcBasic, roles[admin]
-
-# Uncomment the line below to enable the Moon AuthenticatingFilter
-#/token = rest
-
-# General access through AAAFilter requires valid credentials (AuthN only).
-/** = authcBasic, dynamicAuthorization
-
-# AT&T
-# use this format for AAF, must use AAF Realm for authcBasic realm
-#/** = authcBasic, roles[org.onap.appc.odl|odl-api|*]
-# use this format for no security
-#/** = noauth
diff --git a/installation/appc/src/main/scripts/startODL.sh b/installation/appc/src/main/scripts/startODL.sh
index 9330f96..46b81bd 100644
--- a/installation/appc/src/main/scripts/startODL.sh
+++ b/installation/appc/src/main/scripts/startODL.sh
@@ -108,8 +108,8 @@ then
echo "cadi_prop_files=${APPC_HOME}/data/properties/cadi.properties" >> ${ODL_HOME}/etc/system.properties
echo "" >> ${ODL_HOME}/etc/system.properties
- echo "Copying a working version of the shiro configuration into the opendaylight etc folder"
- cp ${APPC_HOME}/data/shiro.ini ${ODL_HOME}/etc/shiro.ini
+ echo "Copying the aaa shiro configuration into opendaylight"
+ cp ${APPC_HOME}/data/aaa-app-config.xml ${ODL_HOME}/etc/opendaylight/datastore/initial/config/aaa-app-config.xml
echo "Restarting OpenDaylight"
${ODL_HOME}/bin/stop
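Review bot: The new `cp` writes into `${ODL_HOME}/etc/opendaylight/datastore/initial/config/`, and nothing in the hunk creates that directory or checks the copy's result; if the directory is absent on a fresh installation, `cp` fails with only a stderr line and the script continues to the restart on the next lines, so ODL comes up with whatever AAA configuration it already had instead of the one this commit intends. Create the target and fail loudly: `mkdir -p "${ODL_HOME}/etc/opendaylight/datastore/initial/config"` before the copy, and `cp "${APPC_HOME}/data/aaa-app-config.xml" "${ODL_HOME}/etc/opendaylight/datastore/initial/config/aaa-app-config.xml" || { echo "Failed to install aaa-app-config.xml"; exit 1; }`. Quoting the expansions also guards against paths with spaces. The enclosing `if`/`then` block starts outside the hunk.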