summaryrefslogtreecommitdiffstats
path: root/kubernetes/appc/resources/config/appc/opt/onap/appc/data/properties/aaa-app-config.xml
diff options
context:
space:
mode:
Diffstat (limited to 'kubernetes/appc/resources/config/appc/opt/onap/appc/data/properties/aaa-app-config.xml')
-rw-r--r--kubernetes/appc/resources/config/appc/opt/onap/appc/data/properties/aaa-app-config.xml120
1 files changed, 120 insertions, 0 deletions
diff --git a/kubernetes/appc/resources/config/appc/opt/onap/appc/data/properties/aaa-app-config.xml b/kubernetes/appc/resources/config/appc/opt/onap/appc/data/properties/aaa-app-config.xml
new file mode 100644
index 0000000000..31bc4e31de
--- /dev/null
+++ b/kubernetes/appc/resources/config/appc/opt/onap/appc/data/properties/aaa-app-config.xml
@@ -0,0 +1,120 @@
+<?xml version="1.0" ?>
+<!--
+###
+# ============LICENSE_START=======================================================
+# APPC
+# ================================================================================
+# Copyright (C) 2018 AT&T Intellectual Property. All rights reserved.
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ============LICENSE_END=========================================================
+###
+ -->
+
+<shiro-configuration xmlns="urn:opendaylight:aaa:app:config">
+
+ <!--
+ ================================= TokenAuthRealm ==================================
+ = =
+ = Use org.onap.aaf.cadi.shiro.AAFRealm to enable AAF authentication =
+ = Use org.opendaylight.aaa.shiro.realm.TokenAuthRealm =
+ ===================================================================================
+ -->
+ <main>
+ <pair-key>tokenAuthRealm</pair-key>
+<!-- <pair-value>org.opendaylight.aaa.shiro.realm.TokenAuthRealm</pair-value> -->
+ <pair-value>org.onap.aaf.cadi.shiro.AAFRealm</pair-value>
+ </main>
+
+
+ <!-- add tokenAuthRealm as the only default realm -->
+ <main>
+ <pair-key>securityManager.realms</pair-key>
+ <pair-value>$tokenAuthRealm</pair-value>
+ </main>
+
+ <!-- Used to support OAuth2 use case. -->
+ <main>
+ <pair-key>authcBasic</pair-key>
+ <pair-value>org.opendaylight.aaa.shiro.filters.ODLHttpAuthenticationFilter</pair-value>
+ </main>
+
+ <!-- in order to track AAA challenge attempts -->
+ <main>
+ <pair-key>accountingListener</pair-key>
+ <pair-value>org.opendaylight.aaa.shiro.filters.AuthenticationListener</pair-value>
+ </main>
+ <main>
+ <pair-key>securityManager.authenticator.authenticationListeners</pair-key>
+ <pair-value>$accountingListener</pair-value>
+ </main>
+
+ <!-- Model based authorization scheme supporting RBAC for REST endpoints -->
+ <main>
+ <pair-key>dynamicAuthorization</pair-key>
+ <pair-value>org.opendaylight.aaa.shiro.realm.MDSALDynamicAuthorizationFilter</pair-value>
+ </main>
+
+
+ <!--
+ ===================================================================================
+ = URLS =
+ = For AAF use <pair-value> authcBasic, roles[org.onap.appc.odl|odl-api\*] =
+ = org.onap.appc.odl|odl-api|* can be replaced with other AAF permissions =
+ = For default <pair-value> authcBasic, roles[admin] =
+ ===================================================================================
+ -->
+
+ <!-- restrict access to some endpoints by default -->
+ <urls>
+ <pair-key>/auth/**</pair-key>
+<!-- <pair-value>authcBasic, roles[admin], dynamicAuthorization</pair-value> -->
+ <pair-value>authcBasic, roles[org.onap.appc.odl|odl-admin|*]</pair-value>
+ </urls>
+ <urls>
+ <pair-key>/restconf/config/aaa-cert-mdsal**</pair-key>
+<!-- <pair-value>authcBasic, roles[admin]</pair-value> -->
+ <pair-value>authcBasic, roles[org.onap.appc.odl|odl-admin|*]</pair-value>
+ </urls>
+ <urls>
+ <pair-key>/restconf/operational/aaa-cert-mdsal**</pair-key>
+<!-- <pair-value>authcBasic, roles[admin]</pair-value> -->
+ <pair-value>authcBasic, roles[org.onap.appc.odl|odl-admin|*]</pair-value>
+ </urls>
+ <urls>
+ <pair-key>/restconf/operations/aaa-cert-rpc**</pair-key>
+<!-- <pair-value>authcBasic, roles[admin]</pair-value> -->
+ <pair-value>authcBasic, roles[org.onap.appc.odl|odl-admin|*]</pair-value>
+ </urls>
+ <urls>
+ <pair-key>/restconf/config/aaa-authn-model**</pair-key>
+<!-- <pair-value>authcBasic, roles[admin]</pair-value> -->
+ <pair-value>authcBasic, roles[org.onap.appc.odl|odl-admin|*]</pair-value>
+ </urls>
+ <urls>
+ <pair-key>/restconf/operational/aaa-authn-model**</pair-key>
+<!-- <pair-value>authcBasic, roles[admin]</pair-value> -->
+ <pair-value>authcBasic, roles[org.onap.appc.odl|odl-admin|*]</pair-value>
+ </urls>
+ <urls>
+ <pair-key>/restconf/operations/cluster-admin**</pair-key>
+<!-- <pair-value>authcBasic, roles[admin]</pair-value> -->
+ <pair-value>authcBasic, roles[org.onap.appc.odl|odl-admin|*]</pair-value>
+ </urls>
+ <urls>
+ <pair-key>/**</pair-key>
+<!-- <pair-value>authcBasic, roles[admin]</pair-value> -->
+ <pair-value>authcBasic, roles[org.onap.appc.odl|odl-api|*]</pair-value>
+ </urls>
+</shiro-configuration>
+