authorAaron Hay <ah415j@att.com>2018-06-05 13:23:50 -0400
committerAaron Hay <ah415j@att.com>2018-06-27 11:50:45 -0400
commit145818b3aaf7181c7c3ded1d6744047fece4a0ee (patch)
tree648de469e34a5ad64da4d667b78b2298767e71cf
parent56e950f4095f8b1be0705e3471d57dd21af06f5d (diff)
Update OOM APPC chart to enhance AAF support
Added AAF config parameters and files needed to allow AAF to work in an APPC OOM environment. Change-Id: I39f0769e721889a68c6a111adf29d685b9f97dbf Issue-ID: OOM-1124 Signed-off-by: Aaron Hay <ah415j@att.com>
-rwxr-xr-xkubernetes/appc/resources/config/appc/opt/onap/appc/bin/startODL.sh12
-rw-r--r--kubernetes/appc/resources/config/appc/opt/onap/appc/data/properties/aaa-app-config.xml120
-rw-r--r--kubernetes/appc/templates/statefulset.yaml5
-rw-r--r--kubernetes/appc/values.yaml5
4 files changed, 139 insertions, 3 deletions
diff --git a/kubernetes/appc/resources/config/appc/opt/onap/appc/bin/startODL.sh b/kubernetes/appc/resources/config/appc/opt/onap/appc/bin/startODL.sh
index a990739d55..18a2783c5f 100755
--- a/kubernetes/appc/resources/config/appc/opt/onap/appc/bin/startODL.sh
+++ b/kubernetes/appc/resources/config/appc/opt/onap/appc/bin/startODL.sh
@@ -55,6 +55,9 @@ APPC_HOME=${APPC_HOME:-/opt/onap/appc}
SLEEP_TIME=${SLEEP_TIME:-120}
MYSQL_PASSWD=${MYSQL_PASSWD:-{{.Values.config.dbRootPassword}}}
ENABLE_ODL_CLUSTER=${ENABLE_ODL_CLUSTER:-false}
+ENABLE_AAF=${ENABLE_AAF:-false}
+AAF_EXT_IP=${AAF_EXT_IP:-{{.Values.config.aafExtIP}}}
+AAF_EXT_FQDN=${AAF_EXT_FQDN:-{{.Values.config.aafExtFQDN}}}
appcInstallStartTime=$(date +%s)
@@ -143,8 +146,13 @@ then
echo "" >> ${ODL_HOME}/etc/system.properties
echo "Copying the aaa shiro configuration into opendaylight"
- cp ${APPC_HOME}/data/aaa-app-config.xml ${ODL_HOME}/etc/opendaylight/datastore/initial/config/aaa-app-config.xml
-
+ if $ENABLE_AAF
+ then
+ echo "${AAF_EXT_IP} ${AAF_EXT_FQDN}" >> /etc/hosts
+ cp ${APPC_HOME}/data/properties/aaa-app-config.xml ${ODL_HOME}/etc/opendaylight/datastore/initial/config/aaa-app-config.xml
+ else
+ cp ${APPC_HOME}/data/aaa-app-config.xml ${ODL_HOME}/etc/opendaylight/datastore/initial/config/aaa-app-config.xml
+ fi
echo "Restarting OpenDaylight"
${ODL_HOME}/bin/stop
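Review bot: `if $ENABLE_AAF` executes the variable's value as a command, so anything other than the literal strings true/false (a rendered "True", "yes" or "1", or an empty value) either fails the test silently or runs whatever the string names; compare the string instead: `if [ "${ENABLE_AAF}" = "true" ]`. The `echo "${AAF_EXT_IP} ${AAF_EXT_FQDN}" >> /etc/hosts` line also appends a fresh entry on every container start with no check for an existing one, and writes the two Helm values without any shape check, so a guard such as `grep -q "${AAF_EXT_FQDN}" /etc/hosts || echo "${AAF_EXT_IP} ${AAF_EXT_FQDN}" >> /etc/hosts` keeps /etc/hosts from growing across restarts. The enclosing if/then block begins outside the hunk, as the `then` in the hunk header shows.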
diff --git a/kubernetes/appc/resources/config/appc/opt/onap/appc/data/properties/aaa-app-config.xml b/kubernetes/appc/resources/config/appc/opt/onap/appc/data/properties/aaa-app-config.xml
new file mode 100644
index 0000000000..31bc4e31de
--- /dev/null
+++ b/kubernetes/appc/resources/config/appc/opt/onap/appc/data/properties/aaa-app-config.xml
@@ -0,0 +1,120 @@
+<?xml version="1.0" ?>
+<!--
+###
+# ============LICENSE_START=======================================================
+# APPC
+# ================================================================================
+# Copyright (C) 2018 AT&T Intellectual Property. All rights reserved.
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ============LICENSE_END=========================================================
+###
+ -->
+
+<shiro-configuration xmlns="urn:opendaylight:aaa:app:config">
+
+ <!--
+ ================================= TokenAuthRealm ==================================
+ = =
+ = Use org.onap.aaf.cadi.shiro.AAFRealm to enable AAF authentication =
+ = Use org.opendaylight.aaa.shiro.realm.TokenAuthRealm =
+ ===================================================================================
+ -->
+ <main>
+ <pair-key>tokenAuthRealm</pair-key>
+<!-- <pair-value>org.opendaylight.aaa.shiro.realm.TokenAuthRealm</pair-value> -->
+ <pair-value>org.onap.aaf.cadi.shiro.AAFRealm</pair-value>
+ </main>
+
+
+ <!-- add tokenAuthRealm as the only default realm -->
+ <main>
+ <pair-key>securityManager.realms</pair-key>
+ <pair-value>$tokenAuthRealm</pair-value>
+ </main>
+
+ <!-- Used to support OAuth2 use case. -->
+ <main>
+ <pair-key>authcBasic</pair-key>
+ <pair-value>org.opendaylight.aaa.shiro.filters.ODLHttpAuthenticationFilter</pair-value>
+ </main>
+
+ <!-- in order to track AAA challenge attempts -->
+ <main>
+ <pair-key>accountingListener</pair-key>
+ <pair-value>org.opendaylight.aaa.shiro.filters.AuthenticationListener</pair-value>
+ </main>
+ <main>
+ <pair-key>securityManager.authenticator.authenticationListeners</pair-key>
+ <pair-value>$accountingListener</pair-value>
+ </main>
+
+ <!-- Model based authorization scheme supporting RBAC for REST endpoints -->
+ <main>
+ <pair-key>dynamicAuthorization</pair-key>
+ <pair-value>org.opendaylight.aaa.shiro.realm.MDSALDynamicAuthorizationFilter</pair-value>
+ </main>
+
+
+ <!--
+ ===================================================================================
+ = URLS =
+ = For AAF use <pair-value> authcBasic, roles[org.onap.appc.odl|odl-api\*] =
+ = org.onap.appc.odl|odl-api|* can be replaced with other AAF permissions =
+ = For default <pair-value> authcBasic, roles[admin] =
+ ===================================================================================
+ -->
+
+ <!-- restrict access to some endpoints by default -->
+ <urls>
+ <pair-key>/auth/**</pair-key>
+<!-- <pair-value>authcBasic, roles[admin], dynamicAuthorization</pair-value> -->
+ <pair-value>authcBasic, roles[org.onap.appc.odl|odl-admin|*]</pair-value>
+ </urls>
+ <urls>
+ <pair-key>/restconf/config/aaa-cert-mdsal**</pair-key>
+<!-- <pair-value>authcBasic, roles[admin]</pair-value> -->
+ <pair-value>authcBasic, roles[org.onap.appc.odl|odl-admin|*]</pair-value>
+ </urls>
+ <urls>
+ <pair-key>/restconf/operational/aaa-cert-mdsal**</pair-key>
+<!-- <pair-value>authcBasic, roles[admin]</pair-value> -->
+ <pair-value>authcBasic, roles[org.onap.appc.odl|odl-admin|*]</pair-value>
+ </urls>
+ <urls>
+ <pair-key>/restconf/operations/aaa-cert-rpc**</pair-key>
+<!-- <pair-value>authcBasic, roles[admin]</pair-value> -->
+ <pair-value>authcBasic, roles[org.onap.appc.odl|odl-admin|*]</pair-value>
+ </urls>
+ <urls>
+ <pair-key>/restconf/config/aaa-authn-model**</pair-key>
+<!-- <pair-value>authcBasic, roles[admin]</pair-value> -->
+ <pair-value>authcBasic, roles[org.onap.appc.odl|odl-admin|*]</pair-value>
+ </urls>
+ <urls>
+ <pair-key>/restconf/operational/aaa-authn-model**</pair-key>
+<!-- <pair-value>authcBasic, roles[admin]</pair-value> -->
+ <pair-value>authcBasic, roles[org.onap.appc.odl|odl-admin|*]</pair-value>
+ </urls>
+ <urls>
+ <pair-key>/restconf/operations/cluster-admin**</pair-key>
+<!-- <pair-value>authcBasic, roles[admin]</pair-value> -->
+ <pair-value>authcBasic, roles[org.onap.appc.odl|odl-admin|*]</pair-value>
+ </urls>
+ <urls>
+ <pair-key>/**</pair-key>
+<!-- <pair-value>authcBasic, roles[admin]</pair-value> -->
+ <pair-value>authcBasic, roles[org.onap.appc.odl|odl-api|*]</pair-value>
+ </urls>
+</shiro-configuration>
+
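Review bot: The `dynamicAuthorization` bean defined in the `<main>` entry around the MDSALDynamicAuthorizationFilter is never referenced by any `<urls>` chain in this file; the only reference is inside the commented-out `/auth/**` value, so the MDSAL RBAC layer that the default configuration applied is inert in the AAF variant. If that layer is still wanted alongside the AAF roles, the `/auth/**` value should read `authcBasic, roles[org.onap.appc.odl|odl-admin|*], dynamicAuthorization`; if not, drop the unused bean so a reader does not assume it is enforced. The banner comment above the URL section spells the role pattern as `odl-api\*` while every actual value uses `odl-api|*` (or `odl-admin|*` for the admin endpoints), which should be aligned so the comment matches what is enforced.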
diff --git a/kubernetes/appc/templates/statefulset.yaml b/kubernetes/appc/templates/statefulset.yaml
index f4409697b3..791d93393e 100644
--- a/kubernetes/appc/templates/statefulset.yaml
+++ b/kubernetes/appc/templates/statefulset.yaml
@@ -62,6 +62,8 @@ spec:
value: "{{ .Values.config.configDir }}"
- name: DMAAP_TOPIC_ENV
value: "{{ .Values.config.dmaapTopic }}"
+ - name: ENABLE_AAF
+ value: "{{ .Values.config.enableAAF }}"
- name: ENABLE_ODL_CLUSTER
value: "{{ .Values.config.enableClustering }}"
- name: APPC_REPLICAS
@@ -82,6 +84,9 @@ spec:
- mountPath: /opt/onap/appc/data/properties/aaiclient.properties
name: onap-appc-data-properties
subPath: aaiclient.properties
+ - mountPath: /opt/onap/appc/data/properties/aaa-app-config.xml
+ name: onap-appc-data-properties
+ subPath: aaa-app-config.xml
- mountPath: /opt/onap/appc/svclogic/config/svclogic.properties
name: onap-appc-svclogic-config
subPath: svclogic.properties
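Review bot: The new mount of `aaa-app-config.xml` from the `onap-appc-data-properties` volume relies on that file being present in the ConfigMap behind the volume, and nothing in this change touches the ConfigMap template; if that template lists files explicitly rather than globbing the directory, the pod will fail to start on a missing subPath key, so this is worth confirming against the template that is not part of the diff. The mount is also made regardless of `enableAAF`, which is acceptable because startODL.sh only copies the file under the flag, but a comment on the mount would make that intent visible: `# always mounted; startODL.sh only installs it when ENABLE_AAF is true`.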
diff --git a/kubernetes/appc/values.yaml b/kubernetes/appc/values.yaml
index 4b47c63a42..1c20977b90 100644
--- a/kubernetes/appc/values.yaml
+++ b/kubernetes/appc/values.yaml
@@ -29,7 +29,7 @@ global:
#################################################################
# application image
repository: nexus3.onap.org:10001
-image: onap/appc-image:1.3.0
+image: onap/appc-image:1.4.0-SNAPSHOT-latest
pullPolicy: Always
# flag to enable debugging - application support required
@@ -37,7 +37,10 @@ debugEnabled: false
# application configuration
config:
+ aafExtIP: 127.0.0.1
+ aafExtFQDN: aaf-onap-beijing-test.osaaf.org
dbRootPassword: openECOMP1.0
+ enableAAF: false
enableClustering: true
configDir: /opt/onap/appc/data/properties
dmaapTopic: SUCCESS
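Review bot: The default `aafExtIP: 127.0.0.1` paired with a real external `aafExtFQDN` means that, with `enableAAF: true` and the defaults left unchanged, the /etc/hosts entry written by startODL.sh pins the AAF hostname to the container itself, so authentication traffic is sent to the wrong place rather than failing visibly; an empty default that the script treats as "leave /etc/hosts alone" would surface the misconfiguration. A comment on these two keys would help operators, for example `# written to /etc/hosts by startODL.sh when enableAAF is true; set to the reachable AAF endpoint`. In the earlier hunk of this file, the image moves from the pinned `onap/appc-image:1.3.0` to `1.4.0-SNAPSHOT-latest` with `pullPolicy: Always`, so successive pod starts can run different bits; a pinned tag or a note in the commit message explaining the interim choice would keep deployments reproducible.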