#
# Copyright (c) 2015-2016 Brocade Communications Systems, Inc. and others.  All rights reserved.
# Additions copyright (C) 2018 AT&T Intellectual Property
#
# This program and the accompanying materials are made available under the
# terms of the Eclipse Public License v1.0 which accompanies this distribution,
# and is available at http://www.eclipse.org/legal/epl-v10.html
#

###############################################################################
# shiro.ini                                                                   #
#                                                                             #
# Configuration of OpenDaylight's aaa-shiro feature.  Provided Realm          #
# implementations include:                                                    #
# - TokenAuthRealm (enabled by default)                                       #
# - ODLJndiLdapRealm (disabled by default)                                    #
# - ODLJndiLdapRealmAuthNOnly (disabled by default)                           #
# Basic user configuration through shiro.ini is disabled for security         #
# purposes.                                                                   #
###############################################################################



[main]
###############################################################################
# realms                                                                      #
#                                                                             #
# This section is dedicated to setting up realms for OpenDaylight.  Realms    #
# are essentially different methods for providing AAA.  ODL strives to        #
# provide highly-configurable AAA by providing pluggable infrastructure.  By  #
# default, TokenAuthRealm is enabled out of the box (which bridges to the     #
# existing AAA mechanisms).  More than one realm can be enabled, and the      #
# realms are tried Round-Robin until:                                         #
# 1) a realm successfully authenticates the incoming request                  #
# 2) all realms are exhausted, and 401 is returned                            #
###############################################################################


# ODL provides a few LDAP implementations, which are disabled out of the box.
# ODLJndiLdapRealm includes authorization functionality based on LDAP elements
# extracted through an LDAP search.  This requires a bit of knowledge about
# how your LDAP system is set up.  An example is provided below:
#ldapRealm = org.opendaylight.aaa.shiro.realm.ODLJndiLdapRealm
#ldapRealm.userDnTemplate = uid={0},ou=People,dc=DOMAIN,dc=TLD
#ldapRealm.contextFactory.url = ldap://<URL>:389
#ldapRealm.searchBase = dc=DOMAIN,dc=TLD
# Abstraction to map LDAP extracted groups to ODL roles
#ldapRealm.groupRolesMap = "person":"admin", "organizationalPerson":"user"
#ldapRealm.ldapAttributeForComparison = objectClass

# ODL also provides ODLJndiLdapRealmAuthNOnly.  Essentially, this allows
# access through AAAFilter to any user that can authenticate against the
# provided LDAP server (no role mapping is performed by this realm).
#ldapRealm = org.opendaylight.aaa.shiro.realm.ODLJndiLdapRealmAuthNOnly
#ldapRealm.userDnTemplate = uid={0},ou=People,dc=DOMAIN,dc=TLD
#ldapRealm.contextFactory.url = ldap://<URL>:389

# ODL provides an Active Directory Realm through ODLActiveDirectoryRealm.
# systemUsername/systemPassword are the bind credentials and are stored in
# clear text in this file; restrict read access to the file accordingly.
#adRealm = org.opendaylight.aaa.shiro.realm.ODLActiveDirectoryRealm
#adRealm.searchBase = "CN=Users,DC=example,DC=com"
#adRealm.systemUsername = aduser@example.com
#adRealm.systemPassword = adpassword
#adRealm.url = ldaps://adserver:636
# the groupRolesMap maps an AD group DN to a particular ODL role.
#adRealm.groupRolesMap = "CN=sysadmin,CN=Users,DC=example,DC=com":"admin", "CN=unprivileged,CN=Users,DC=example,DC=com":"user"

# ODL provides a slightly customized version of Shiro's JdbcRealm, which
# can be used to integrate with an existing JDBC-supporting data source.  This
# helps ease deployment configuration with existing OSS systems. Setting up
# the ODLJdbcRealm requires instantiation of two abstractions; the data source
# and the realm.
# ds, which stands for data source, defines a data source which can be used
# for JDBC connections.  ds.password is stored in clear text here as well.
#ds = com.mysql.jdbc.Driver
#ds.serverName = localhost
#ds.user = user
#ds.password = password
#ds.databaseName = db_name
# jdbcRealm is used to manipulate realm instance properties, specifically the
# queries required to extract information from a JDBC data source.  The
# queries are parameterized (the ? placeholder receives the user name).
#jdbcRealm = org.opendaylight.aaa.shiro.realm.ODLJdbcRealm
#jdbcRealm.dataSource = $ds
#jdbcRealm.authenticationQuery = "SELECT password FROM users WHERE user_name = ?"
#jdbcRealm.userRolesQuery = "SELECT role_name FROM user_roles WHERE user_name = ?"

# Bridge to existing h2/idmlight/mdsal authentication/authorization mechanisms.
# This realm is enabled by default, and utilizes h2-store by default.
tokenAuthRealm = org.opendaylight.aaa.shiro.realm.TokenAuthRealm

# AT&T
# Use this class for the AAF Realm; the [urls] section must then use the AAF
# permission format (see the AT&T entry at the end of that section).  Note
# that it reuses the tokenAuthRealm name, so keep only one of the two
# tokenAuthRealm lines active.
#tokenAuthRealm = org.onap.aaf.cadi.shiro.AAFRealm

# The MoonRealm is useful for bridging ODL with the OPNFV Moon project.  To
# enable the moonAuthRealm, uncomment the line below, and then add moonAuthRealm
# to the securityManager.realms list below
#moonAuthRealm = org.opendaylight.aaa.shiro.realm.MoonRealm
#moonAuthRealm.moonServerURL = http://<host>:<port>

# ODL provides a KeystoneAuthRealm to authenticate access against an OpenStack
# Keystone (v3) instance. At this time the authentication is 'unscoped' and
# authorization is not supported.
#keystoneAuthRealm = org.opendaylight.aaa.shiro.realm.KeystoneAuthRealm
#keystoneAuthRealm.url = https://<host>:<port>
# Leave sslVerification enabled so the Keystone server certificate is checked.
#keystoneAuthRealm.sslVerification = true
# Default domain to use if not specified within the provided credentials.
#keystoneAuthRealm.defaultDomain = Default

# The CSV list of enabled realms.  In order to enable a realm, add it to the
# list below.  Each $name refers to an object defined earlier in this
# section, e.g. "$tokenAuthRealm, $ldapRealm".
securityManager.realms = $tokenAuthRealm

# adds a custom AuthenticationFilter to support OAuth2 for backwards
# compatibility.  To disable OAuth2 access, just comment out the next line
# and authcBasic will default to BasicHttpAuthenticationFilter, a
# Shiro-provided class.
authcBasic = org.opendaylight.aaa.shiro.filters.ODLHttpAuthenticationFilter

# OAuth2 Filter for moon token AuthN
#rest = org.opendaylight.aaa.shiro.filters.MoonOAuthFilter

# add in AuthenticationListener, a Listener that records whether
# authentication attempts are successful or unsuccessful.  This audit
# information is disabled by default, to avoid log flooding.  To enable,
# issue the following in karaf:
# >log:set DEBUG org.opendaylight.aaa.shiro.filters.AuthenticationListener
accountingListener = org.opendaylight.aaa.shiro.filters.AuthenticationListener
securityManager.authenticator.authenticationListeners = $accountingListener

# Filter to support dynamic url rules based on the md-sal model; referenced
# from the [urls] section below.
dynamicAuthorization = org.opendaylight.aaa.shiro.realm.MDSALDynamicAuthorizationFilter



[urls]
###############################################################################
# url authorization section                                                   #
#                                                                             #
# This section is dedicated to defining url-based authorization according to: #
# http://shiro.apache.org/web.html                                            #
#                                                                             #
# Rules are evaluated top to bottom and the first matching pattern wins, so   #
# specific paths must stay above the catch-all /** entry.                     #
#                                                                             #
# DO NOT EDIT THE FOLLOWING UNLESS YOU KNOW WHAT YOU ARE DOING!               #
###############################################################################

# Temporarily added authorization endpoints;  will be removed when MDSAL based
# Model can be initialized from file.
/v1/** = authcBasic, roles[admin], dynamicAuthorization

# Restrict AAA-Certificate REST APIs to Admin role
/config/aaa-cert-mdsal** = authcBasic, roles[admin]
/operational/aaa-cert-mdsal** = authcBasic, roles[admin]
/operations/aaa-cert-rpc** = authcBasic, roles[admin]

# Access to the credential store is limited to the valid users who have the
# admin role. The following two lines are only needed if the mdsal store is
# enabled (the mdsal store is disabled by default); they are left active here
# so the restriction is already in place when it is enabled.
/config/aaa-authn-model** = authcBasic, roles[admin]
/operational/aaa-authn-model** = authcBasic, roles[admin]

# Uncomment the line below to enable the Moon AuthenticatingFilter
# (requires the "rest" filter to be uncommented in [main] first)
#/token = rest

# General access through AAAFilter requires valid credentials (AuthN only).
/** = authcBasic, dynamicAuthorization

# AT&T
# use this format for AAF, must use the AAF Realm for authcBasic realm
#/** = authcBasic, roles[org.onap.appc.odl|odl-api|*]
# use this format for no security (no authentication on any path).  No filter
# named noauth is defined in [main] above; presumably it is supplied by another
# bundle - verify before enabling.
#/** = noauth