blob: 682fa3728f3b58ad1433c4df93a13fa92a9b63ec (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
|
<?xml version="1.0" ?>
<!--
Copyright (c) 2017 Inocybe Technologies and others. All rights reserved.
This program and the accompanying materials are made available under the
terms of the Eclipse Public License v1.0 which accompanies this distribution,
and is available at http://www.eclipse.org/legal/epl-v10.html , or the Apache License,
Version 2.0 which is available at https://www.apache.org/licenses/LICENSE-2.0
SPDX-License-Identifier: EPL-1.0 OR Apache-2.0
-->
<!--
///////////////////////////////////////////////////////////////////////////////////////
// clustered-app-config instance responsible for AAA configuration. In the future, //
// this will contain all AAA related configuration. //
///////////////////////////////////////////////////////////////////////////////////////
-->
<shiro-configuration xmlns="urn:opendaylight:aaa:app:config">
<main>
<pair-key>tokenAuthRealm</pair-key>
<pair-value>org.onap.ccsdk.features.sdnr.wt.oauthprovider.OAuth2Realm</pair-value>
</main>
<main>
<pair-key>securityManager.realms</pair-key>
<pair-value>$tokenAuthRealm</pair-value>
</main>
<!-- Used to support OAuth2 use case. -->
<main>
<pair-key>authcBasic</pair-key>
<pair-value>org.opendaylight.aaa.shiro.filters.ODLHttpAuthenticationFilter</pair-value>
</main>
<main>
<pair-key>anyroles</pair-key>
<pair-value>org.opendaylight.aaa.shiro.filters.AnyRoleHttpAuthenticationFilter</pair-value>
</main>
<main>
<pair-key>authcBearer</pair-key>
<pair-value>org.opendaylight.aaa.shiro.filters.ODLHttpAuthenticationFilter2</pair-value>
</main>
<!-- in order to track AAA challenge attempts -->
<main>
<pair-key>accountingListener</pair-key>
<pair-value>org.opendaylight.aaa.shiro.filters.AuthenticationListener</pair-value>
</main>
<main>
<pair-key>securityManager.authenticator.authenticationListeners</pair-key>
<pair-value>$accountingListener</pair-value>
</main>
<!-- Model based authorization scheme supporting RBAC for REST endpoints -->
<main>
<pair-key>dynamicAuthorization</pair-key>
<pair-value>org.opendaylight.aaa.shiro.realm.MDSALDynamicAuthorizationFilter</pair-value>
</main>
<urls>
<pair-key>/**/operations/cluster-admin**</pair-key>
<pair-value>dynamicAuthorization</pair-value>
</urls>
<urls>
<pair-key>/**/v1/**</pair-key>
<pair-value>authcBearer, roles[admin]</pair-value>
</urls>
<urls>
<pair-key>/**/config/aaa*/**</pair-key>
<pair-value>authcBearer, roles[admin]</pair-value>
</urls>
<urls>
<pair-key>/oauth/**</pair-key>
<pair-value>anon</pair-value>
</urls>
<urls>
<pair-key>/odlux/**</pair-key>
<pair-value>anon</pair-value>
</urls>
<urls>
<pair-key>/apidoc/**</pair-key>
<pair-value>authcBasic, roles[admin]</pair-value>
</urls>
<urls>
<pair-key>/test123/**</pair-key>
<pair-value>authcBasic</pair-value>
</urls>
<urls>
<pair-key>/rests/**</pair-key>
<pair-value>authcBearer, anyroles["admin,provision"]</pair-value>
</urls>
<urls>
<pair-key>/**</pair-key>
<pair-value>authcBearer, anyroles["admin,provision"]</pair-value>
</urls>
</shiro-configuration>
|
