From e0c40e9818525ba2f3c66d247960f9b6ab5f3dad Mon Sep 17 00:00:00 2001 From: Ryan Young Date: Fri, 20 Apr 2018 16:10:38 -0400 Subject: Update AAF configuration for ODL Nitrogen Change-Id: I79455114a585f637a80be34beb9ae358dce4b9b1 Signed-off-by: Ryan Young Issue-ID: APPC-404 --- installation/appc/pom.xml | 2 +- .../appc/src/main/resources/aaa-app-config.xml | 120 +++++++++++++++ installation/appc/src/main/resources/shiro.ini | 170 --------------------- installation/appc/src/main/scripts/startODL.sh | 4 +- 4 files changed, 123 insertions(+), 173 deletions(-) create mode 100644 installation/appc/src/main/resources/aaa-app-config.xml delete mode 100644 installation/appc/src/main/resources/shiro.ini diff --git a/installation/appc/pom.xml b/installation/appc/pom.xml index 2daad09..efaed22 100644 --- a/installation/appc/pom.xml +++ b/installation/appc/pom.xml @@ -112,7 +112,7 @@ limitations under the License. *.dump *.sh *.cfg - *.ini + *.xml false diff --git a/installation/appc/src/main/resources/aaa-app-config.xml b/installation/appc/src/main/resources/aaa-app-config.xml new file mode 100644 index 0000000..0fea77e --- /dev/null +++ b/installation/appc/src/main/resources/aaa-app-config.xml @@ -0,0 +1,120 @@ + + + + + + +
+ tokenAuthRealm + org.opendaylight.aaa.shiro.realm.TokenAuthRealm + +
+ + + +
+ securityManager.realms + $tokenAuthRealm +
+ + +
+ authcBasic + org.opendaylight.aaa.shiro.filters.ODLHttpAuthenticationFilter +
+ + +
+ accountingListener + org.opendaylight.aaa.shiro.filters.AuthenticationListener +
+
+ securityManager.authenticator.authenticationListeners + $accountingListener +
+ + +
+ dynamicAuthorization + org.opendaylight.aaa.shiro.realm.MDSALDynamicAuthorizationFilter +
+ + + + + + + /auth/** + authcBasic, roles[admin], dynamicAuthorization + + + + /restconf/config/aaa-cert-mdsal** + authcBasic, roles[admin] + + + + /restconf/operational/aaa-cert-mdsal** + authcBasic, roles[admin] + + + + /restconf/operations/aaa-cert-rpc** + authcBasic, roles[admin] + + + + /restconf/config/aaa-authn-model** + authcBasic, roles[admin] + + + + /restconf/operational/aaa-authn-model** + authcBasic, roles[admin] + + + + /restconf/operations/cluster-admin** + authcBasic, roles[admin] + + + + /** + authcBasic, roles[admin] + + + + diff --git a/installation/appc/src/main/resources/shiro.ini b/installation/appc/src/main/resources/shiro.ini deleted file mode 100644 index 4a1928f..0000000 --- a/installation/appc/src/main/resources/shiro.ini +++ /dev/null @@ -1,170 +0,0 @@ -# -# Copyright (c) 2015-2016 Brocade Communications Systems, Inc. and others. All rights reserved. -# Additions copyright (C) 2018 AT&T Intellectual Property -# -# This program and the accompanying materials are made available under the -# terms of the Eclipse Public License v1.0 which accompanies this distribution, -# and is available at http://www.eclipse.org/legal/epl-v10.html -# - -############################################################################### -# shiro.ini # -# # -# Configuration of OpenDaylight's aaa-shiro feature. Provided Realm # -# implementations include: # -# - TokenAuthRealm (enabled by default) # -# - ODLJndiLdapRealm (disabled by default) # -# - ODLJndiLdapRealmAuthNOnly (disabled by default) # -# Basic user configuration through shiro.ini is disabled for security # -# purposes. # -############################################################################### - - - -[main] -############################################################################### -# realms # -# # -# This section is dedicated to setting up realms for OpenDaylight. Realms # -# are essentially different methods for providing AAA. ODL strives to provide# -# highly-configurable AAA by providing pluggable infrastructure. By deafult, # -# TokenAuthRealm is enabled out of the box (which bridges to the existing AAA # -# mechanisms). More than one realm can be enabled, and the realms are # -# tried Round-Robin until: # -# 1) a realm successfully authenticates the incoming request # -# 2) all realms are exhausted, and 401 is returned # -############################################################################### - - -# ODL provides a few LDAP implementations, which are disabled out of the box. -# ODLJndiLdapRealm includes authorization functionality based on LDAP elements -# extracted through and LDAP search. This requires a bit of knowledge about -# how your LDAP system is setup. An example is provided below: -#ldapRealm = org.opendaylight.aaa.shiro.realm.ODLJndiLdapRealm -#ldapRealm.userDnTemplate = uid={0},ou=People,dc=DOMAIN,dc=TLD -#ldapRealm.contextFactory.url = ldap://:389 -#ldapRealm.searchBase = dc=DOMAIN,dc=TLD -# Abstraction to map LDAP extracted groups to ODL roles -#ldapRealm.groupRolesMap = "person":"admin", "organizationalPerson":"user" -#ldapRealm.ldapAttributeForComparison = objectClass - -# ODL also provides ODLJndiLdapRealmAuthNOnly. Essentially, this allows -# access through AAAFilter to any user that can authenticate against the -# provided LDAP server. -#ldapRealm = org.opendaylight.aaa.shiro.realm.ODLJndiLdapRealmAuthNOnly -#ldapRealm.userDnTemplate = uid={0},ou=People,dc=DOMAIN,dc=TLD -#ldapRealm.contextFactory.url = ldap://:389 - -# ODL provides an Active Directory Realm through ODLActiveDirectoryRealm. -#adRealm = org.opendaylight.aaa.shiro.realm.ODLActiveDirectoryRealm -#adRealm.searchBase = "CN=Users,DC=example,DC=com" -#adRealm.systemUsername = aduser@example.com -#adRealm.systemPassword = adpassword -#adRealm.url = ldaps://adserver:636 -# the groupRolesMap maps an AD query to a particular role. -#adRealm.groupRolesMap = "CN=sysadmin,CN=Users,DC=example,DC=com":"admin", "CN=unprivileged,CN=Users,DC=example,DC=com":"user" - -# ODL provides a slightly customized version of Shiro's JdbcRealm, which -# can be used to integrate with an existing JDBC-supporting data source. This -# helps ease deployment configuration with existing OSS systems. Setting up -# the ODLJdbcRealm requires instantiation of two abstractions; the data source -# and the realm. -# ds, which stands for data source, defines a data source which can be used -# for JDBC connections. -#ds = com.mysql.jdbc.Driver -#ds.serverName = localhost -#ds.user = user -#ds.password = password -#ds.databaseName = db_name -# jdbcRealm is used to manipulate realm instance properties, specifically the -# queries required to extract information from a JDBC data source. -#jdbcRealm = org.opendaylight.aaa.shiro.realm.ODLJdbcRealm -#jdbcRealm.dataSource = $ds -#jdbcRealm.authenticationQuery = "SELECT password FROM users WHERE user_name = ?" -#jdbcRealm.userRolesQuery = "SELECT role_name FROM user_rolesWHERE user_name = ?" - -# Bridge to existing h2/idmlight/mdsal authentication/authorization mechanisms. -# This realm is enabled by default, and utilizes h2-store by default. -tokenAuthRealm = org.opendaylight.aaa.shiro.realm.TokenAuthRealm - -# AT&T -# Use this class for AAF Realm, must also use AAF permission format for URL's -#tokenAuthRealm = org.onap.aaf.cadi.shiro.AAFRealm - -# The MoonRealm is useful for bridging ODL with the OPNFV Moon project. To -# enable the moonAuthRealm, uncomment the line below, and then add moonAuthRealm -# to the securityManager.realms list below -#moonAuthRealm = org.opendaylight.aaa.shiro.realm.MoonRealm -#moonAuthRealm.moonServerURL = http://: - -# ODL provides a KeystoneAuthRealm to authenticate access against an OpenStack -# Keystone (v3) instance. At this time the authentication is 'unscoped' and -# authorization is not supported. -#keystoneAuthRealm = org.opendaylight.aaa.shiro.realm.KeystoneAuthRealm -#keystoneAuthRealm.url = https://: -#keystoneAuthRealm.sslVerification = true -# Default domain to use if not specified within the provided credentials. -#keystoneAuthRealm.defaultDomain = Default - -# The CSV list of enabled realms. In order to enable a realm, add it to the -# list below: -securityManager.realms = $tokenAuthRealm - -# adds a custom AuthenticationFilter to support OAuth2 for backwards -# compatibility. To disable OAuth2 access, just comment out the next line -# and authcBasic will default to BasicHttpAuthenticationFilter, a -# Shiro-provided class. -authcBasic = org.opendaylight.aaa.shiro.filters.ODLHttpAuthenticationFilter - -# OAuth2 Filter for moon token AuthN -#rest = org.opendaylight.aaa.shiro.filters.MoonOAuthFilter - -# add in AuthenticationListener, a Listener that records whether -# authentication attempts are successful or unsuccessful. This audit -# information is disabled by default, to avoid log flooding. To enable, -# issue the following in karaf: -# >log:set DEBUG org.opendaylight.aaa.shiro.filters.AuthenticationListener -accountingListener = org.opendaylight.aaa.shiro.filters.AuthenticationListener -securityManager.authenticator.authenticationListeners = $accountingListener - -# Filter to support dynamic urls rules based on md-sal model -dynamicAuthorization = org.opendaylight.aaa.shiro.realm.MDSALDynamicAuthorizationFilter - - - -[urls] -############################################################################### -# url authorization section # -# # -# This section is dedicated to defining url-based authorization according to: # -# http://shiro.apache.org/web.html # -# # -# DO NOT EDIT THE FOLLOWING UNLESS YOU KNOW WHAT YOU ARE DOING! # -############################################################################### - -# Temporarily added authorization endpoints; will be removed when MDSAL based -# Model can be initialized from file. -/v1/** = authcBasic, roles[admin], dynamicAuthorization - -# Restrict AAA-Certificate REST APIs to Admin role -/config/aaa-cert-mdsal** = authcBasic, roles[admin] -/operational/aaa-cert-mdsal** = authcBasic, roles[admin] -/operations/aaa-cert-rpc** = authcBasic, roles[admin] - -# Access to the credential store is limited to the valid users who have the -# admin role. The following line is only needed if the mdsal store is enabled -#(the mdsal store is disabled by default). -/config/aaa-authn-model** = authcBasic, roles[admin] -/operational/aaa-authn-model** = authcBasic, roles[admin] - -# Uncomment the line below to enable the Moon AuthenticatingFilter -#/token = rest - -# General access through AAAFilter requires valid credentials (AuthN only). -/** = authcBasic, dynamicAuthorization - -# AT&T -# use this format for AAF, must use AAF Realm for authcBasic realm -#/** = authcBasic, roles[org.onap.appc.odl|odl-api|*] -# use this format for no security -#/** = noauth diff --git a/installation/appc/src/main/scripts/startODL.sh b/installation/appc/src/main/scripts/startODL.sh index 9330f96..46b81bd 100644 --- a/installation/appc/src/main/scripts/startODL.sh +++ b/installation/appc/src/main/scripts/startODL.sh @@ -108,8 +108,8 @@ then echo "cadi_prop_files=${APPC_HOME}/data/properties/cadi.properties" >> ${ODL_HOME}/etc/system.properties echo "" >> ${ODL_HOME}/etc/system.properties - echo "Copying a working version of the shiro configuration into the opendaylight etc folder" - cp ${APPC_HOME}/data/shiro.ini ${ODL_HOME}/etc/shiro.ini + echo "Copying the aaa shiro configuration into opendaylight" + cp ${APPC_HOME}/data/aaa-app-config.xml ${ODL_HOME}/etc/opendaylight/datastore/initial/config/aaa-app-config.xml echo "Restarting OpenDaylight" ${ODL_HOME}/bin/stop -- cgit 1.2.3-korg