Diffstat (limited to 'installation/appc/src/main/resources/shiro.ini')
-rw-r--r-- | installation/appc/src/main/resources/shiro.ini | 170 |
1 files changed, 170 insertions, 0 deletions
diff --git a/installation/appc/src/main/resources/shiro.ini b/installation/appc/src/main/resources/shiro.ini
new file mode 100644
index 0000000..4a1928f
--- /dev/null
+++ b/installation/appc/src/main/resources/shiro.ini
@@ -0,0 +1,170 @@
+#
+# Copyright (c) 2015-2016 Brocade Communications Systems, Inc. and others. All rights reserved.
+# Additions copyright (C) 2018 AT&T Intellectual Property
+#
+# This program and the accompanying materials are made available under the
+# terms of the Eclipse Public License v1.0 which accompanies this distribution,
+# and is available at http://www.eclipse.org/legal/epl-v10.html
+#
+
+###############################################################################
+# shiro.ini #
+# #
+# Configuration of OpenDaylight's aaa-shiro feature. Provided Realm #
+# implementations include: #
+# - TokenAuthRealm (enabled by default) #
+# - ODLJndiLdapRealm (disabled by default) #
+# - ODLJndiLdapRealmAuthNOnly (disabled by default) #
+# Basic user configuration through shiro.ini is disabled for security #
+# purposes. #
+###############################################################################
+
+
+
+[main]
+###############################################################################
+# realms #
+# #
+# This section is dedicated to setting up realms for OpenDaylight. Realms #
+# are essentially different methods for providing AAA. ODL strives to provide#
+# highly-configurable AAA by providing pluggable infrastructure. By deafult, #
+# TokenAuthRealm is enabled out of the box (which bridges to the existing AAA #
+# mechanisms). More than one realm can be enabled, and the realms are #
+# tried Round-Robin until: #
+# 1) a realm successfully authenticates the incoming request #
+# 2) all realms are exhausted, and 401 is returned #
+###############################################################################
+
+
+# ODL provides a few LDAP implementations, which are disabled out of the box.
+# ODLJndiLdapRealm includes authorization functionality based on LDAP elements
+# extracted through and LDAP search. This requires a bit of knowledge about
+# how your LDAP system is setup. An example is provided below:
+#ldapRealm = org.opendaylight.aaa.shiro.realm.ODLJndiLdapRealm
+#ldapRealm.userDnTemplate = uid={0},ou=People,dc=DOMAIN,dc=TLD
+#ldapRealm.contextFactory.url = ldap://<URL>:389
+#ldapRealm.searchBase = dc=DOMAIN,dc=TLD
+# Abstraction to map LDAP extracted groups to ODL roles
+#ldapRealm.groupRolesMap = "person":"admin", "organizationalPerson":"user"
+#ldapRealm.ldapAttributeForComparison = objectClass
+
+# ODL also provides ODLJndiLdapRealmAuthNOnly. Essentially, this allows
+# access through AAAFilter to any user that can authenticate against the
+# provided LDAP server.
+#ldapRealm = org.opendaylight.aaa.shiro.realm.ODLJndiLdapRealmAuthNOnly
+#ldapRealm.userDnTemplate = uid={0},ou=People,dc=DOMAIN,dc=TLD
+#ldapRealm.contextFactory.url = ldap://<URL>:389
+
+# ODL provides an Active Directory Realm through ODLActiveDirectoryRealm.
+#adRealm = org.opendaylight.aaa.shiro.realm.ODLActiveDirectoryRealm
+#adRealm.searchBase = "CN=Users,DC=example,DC=com"
+#adRealm.systemUsername = aduser@example.com
+#adRealm.systemPassword = adpassword
+#adRealm.url = ldaps://adserver:636
+# the groupRolesMap maps an AD query to a particular role.
+#adRealm.groupRolesMap = "CN=sysadmin,CN=Users,DC=example,DC=com":"admin", "CN=unprivileged,CN=Users,DC=example,DC=com":"user"
+
+# ODL provides a slightly customized version of Shiro's JdbcRealm, which
+# can be used to integrate with an existing JDBC-supporting data source. This
+# helps ease deployment configuration with existing OSS systems. Setting up
+# the ODLJdbcRealm requires instantiation of two abstractions; the data source
+# and the realm.
+# ds, which stands for data source, defines a data source which can be used
+# for JDBC connections.
+#ds = com.mysql.jdbc.Driver
+#ds.serverName = localhost
+#ds.user = user
+#ds.password = password
+#ds.databaseName = db_name
+# jdbcRealm is used to manipulate realm instance properties, specifically the
+# queries required to extract information from a JDBC data source.
+#jdbcRealm = org.opendaylight.aaa.shiro.realm.ODLJdbcRealm
+#jdbcRealm.dataSource = $ds
+#jdbcRealm.authenticationQuery = "SELECT password FROM users WHERE user_name = ?"
+#jdbcRealm.userRolesQuery = "SELECT role_name FROM user_rolesWHERE user_name = ?"
+
+# Bridge to existing h2/idmlight/mdsal authentication/authorization mechanisms.
+# This realm is enabled by default, and utilizes h2-store by default.
+tokenAuthRealm = org.opendaylight.aaa.shiro.realm.TokenAuthRealm
+
+# AT&T
+# Use this class for AAF Realm, must also use AAF permission format for URL's
+#tokenAuthRealm = org.onap.aaf.cadi.shiro.AAFRealm
+
+# The MoonRealm is useful for bridging ODL with the OPNFV Moon project. To
+# enable the moonAuthRealm, uncomment the line below, and then add moonAuthRealm
+# to the securityManager.realms list below
+#moonAuthRealm = org.opendaylight.aaa.shiro.realm.MoonRealm
+#moonAuthRealm.moonServerURL = http://<host>:<port>
+
+# ODL provides a KeystoneAuthRealm to authenticate access against an OpenStack
+# Keystone (v3) instance. At this time the authentication is 'unscoped' and
+# authorization is not supported.
+#keystoneAuthRealm = org.opendaylight.aaa.shiro.realm.KeystoneAuthRealm
+#keystoneAuthRealm.url = https://<host>:<port>
+#keystoneAuthRealm.sslVerification = true
+# Default domain to use if not specified within the provided credentials.
+#keystoneAuthRealm.defaultDomain = Default
+
+# The CSV list of enabled realms. In order to enable a realm, add it to the
+# list below:
+securityManager.realms = $tokenAuthRealm
+
+# adds a custom AuthenticationFilter to support OAuth2 for backwards
+# compatibility. To disable OAuth2 access, just comment out the next line
+# and authcBasic will default to BasicHttpAuthenticationFilter, a
+# Shiro-provided class.
+authcBasic = org.opendaylight.aaa.shiro.filters.ODLHttpAuthenticationFilter
+
+# OAuth2 Filter for moon token AuthN
+#rest = org.opendaylight.aaa.shiro.filters.MoonOAuthFilter
+
+# add in AuthenticationListener, a Listener that records whether
+# authentication attempts are successful or unsuccessful. This audit
+# information is disabled by default, to avoid log flooding. To enable,
+# issue the following in karaf:
+# >log:set DEBUG org.opendaylight.aaa.shiro.filters.AuthenticationListener
+accountingListener = org.opendaylight.aaa.shiro.filters.AuthenticationListener
+securityManager.authenticator.authenticationListeners = $accountingListener
+
+# Filter to support dynamic urls rules based on md-sal model
+dynamicAuthorization = org.opendaylight.aaa.shiro.realm.MDSALDynamicAuthorizationFilter
+
+
+
+[urls]
+###############################################################################
+# url authorization section #
+# #
+# This section is dedicated to defining url-based authorization according to: #
+# http://shiro.apache.org/web.html #
+# #
+# DO NOT EDIT THE FOLLOWING UNLESS YOU KNOW WHAT YOU ARE DOING! #
+###############################################################################
+
+# Temporarily added authorization endpoints; will be removed when MDSAL based
+# Model can be initialized from file.
+/v1/** = authcBasic, roles[admin], dynamicAuthorization
+
+# Restrict AAA-Certificate REST APIs to Admin role
+/config/aaa-cert-mdsal** = authcBasic, roles[admin]
+/operational/aaa-cert-mdsal** = authcBasic, roles[admin]
+/operations/aaa-cert-rpc** = authcBasic, roles[admin]
+
+# Access to the credential store is limited to the valid users who have the
+# admin role. The following line is only needed if the mdsal store is enabled
+#(the mdsal store is disabled by default).
+/config/aaa-authn-model** = authcBasic, roles[admin]
+/operational/aaa-authn-model** = authcBasic, roles[admin]
+
+# Uncomment the line below to enable the Moon AuthenticatingFilter
+#/token = rest
+
+# General access through AAAFilter requires valid credentials (AuthN only).
+/** = authcBasic, dynamicAuthorization
+
+# AT&T
+# use this format for AAF, must use AAF Realm for authcBasic realm
+#/** = authcBasic, roles[org.onap.appc.odl|odl-api|*]
+# use this format for no security
+#/** = noauth
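Review bot: The JDBC template line `#jdbcRealm.userRolesQuery = "SELECT role_name FROM user_rolesWHERE user_name = ?"` in the `[main]` section is missing the space before `WHERE`, so an operator who enables ODLJdbcRealm by uncommenting the block gets a query that fails to parse, and role lookup silently yields no roles; it should read `#jdbcRealm.userRolesQuery = "SELECT role_name FROM user_roles WHERE user_name = ?"`. The AD and JDBC templates put `adRealm.systemPassword` and `ds.password` directly in this file, and the last `[urls]` template `#/** = noauth` removes authentication from every REST path; a comment above each stating that enabling it stores a live credential in a plaintext file on disk, or exposes all endpoints unauthenticated, would give the operator the warning the "DO NOT EDIT" banner implies. The two ODLJndiLdapRealm examples use `ldap://<URL>:389` while the AD example already uses `ldaps://`, so aligning the LDAP templates on `ldaps://` would avoid sending bind credentials in the clear by default. Minor wording in the realms banner: "By deafult" and "extracted through and LDAP search".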