Diffstat (limited to 'kubernetes/appc/resources')
-rwxr-xr-x | kubernetes/appc/resources/config/appc/opt/onap/appc/bin/startODL.sh | 12 | ||||
-rw-r--r-- | kubernetes/appc/resources/config/appc/opt/onap/appc/data/properties/aaa-app-config.xml | 120 |
2 files changed, 130 insertions, 2 deletions
diff --git a/kubernetes/appc/resources/config/appc/opt/onap/appc/bin/startODL.sh b/kubernetes/appc/resources/config/appc/opt/onap/appc/bin/startODL.sh
index a990739d55..18a2783c5f 100755
--- a/kubernetes/appc/resources/config/appc/opt/onap/appc/bin/startODL.sh
+++ b/kubernetes/appc/resources/config/appc/opt/onap/appc/bin/startODL.sh
@@ -55,6 +55,9 @@ APPC_HOME=${APPC_HOME:-/opt/onap/appc}
 SLEEP_TIME=${SLEEP_TIME:-120}
 MYSQL_PASSWD=${MYSQL_PASSWD:-{{.Values.config.dbRootPassword}}}
 ENABLE_ODL_CLUSTER=${ENABLE_ODL_CLUSTER:-false}
+ENABLE_AAF=${ENABLE_AAF:-false}
+AAF_EXT_IP=${AAF_EXT_IP:-{{.Values.config.aafExtIP}}}
+AAF_EXT_FQDN=${AAF_EXT_FQDN:-{{.Values.config.aafExtFQDN}}}
 appcInstallStartTime=$(date +%s)
@@ -143,8 +146,13 @@ then
 echo "" >> ${ODL_HOME}/etc/system.properties
 echo "Copying the aaa shiro configuration into opendaylight"
- cp ${APPC_HOME}/data/aaa-app-config.xml ${ODL_HOME}/etc/opendaylight/datastore/initial/config/aaa-app-config.xml
-
+ if $ENABLE_AAF
+ then
+ echo "${AAF_EXT_IP} ${AAF_EXT_FQDN}" >> /etc/hosts
+ cp ${APPC_HOME}/data/properties/aaa-app-config.xml ${ODL_HOME}/etc/opendaylight/datastore/initial/config/aaa-app-config.xml
+ else
+ cp ${APPC_HOME}/data/aaa-app-config.xml ${ODL_HOME}/etc/opendaylight/datastore/initial/config/aaa-app-config.xml
+ fi
 echo "Restarting OpenDaylight"
 ${ODL_HOME}/bin/stop
diff --git a/kubernetes/appc/resources/config/appc/opt/onap/appc/data/properties/aaa-app-config.xml b/kubernetes/appc/resources/config/appc/opt/onap/appc/data/properties/aaa-app-config.xml
new file mode 100644
index 0000000000..31bc4e31de
--- /dev/null
+++ b/kubernetes/appc/resources/config/appc/opt/onap/appc/data/properties/aaa-app-config.xml
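Review bot: `AAF_EXT_IP` and `AAF_EXT_FQDN` receive Helm-rendered defaults, but nothing checks that the rendered values are non-empty or look like an address and a hostname before the script later writes them into `/etc/hosts`; an empty or malformed value is accepted silently and ends up redirecting where the AAF authority is resolved. A fail-fast guard in the AAF branch, `: "${AAF_EXT_IP:?AAF_EXT_IP must be set when ENABLE_AAF=true}"` and the same for `AAF_EXT_FQDN`, would surface a misconfiguration at startup rather than as a broken hosts entry. Unlike its two siblings, `ENABLE_AAF` is not templated from `.Values`, so presumably it has to be injected through the container environment; a one-line comment stating where it is expected to come from would help the next maintainer.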
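Review bot: `if $ENABLE_AAF` executes the variable's contents as a command instead of testing its value, so any value other than the literal `true`/`false` (for example `yes`, or a string injected through the environment) is run as a program, and an unknown command merely prints an error and falls into the `else` branch. Compare the value instead: `if [ "${ENABLE_AAF}" = "true" ]`. The `echo "${AAF_EXT_IP} ${AAF_EXT_FQDN}" >> /etc/hosts` line also appends a fresh entry on every run with no duplicate check, and in a pod `/etc/hosts` is normally managed by kubelet and may be rewritten, so `grep -q " ${AAF_EXT_FQDN}$" /etc/hosts || echo "${AAF_EXT_IP} ${AAF_EXT_FQDN}" >> /etc/hosts` (or a `hostAliases` entry in the pod spec instead of editing the file) would be more robust. The enclosing `if ... then` block starts before the hunk.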
@@ -0,0 +1,120 @@
+<?xml version="1.0" ?>
+<!--
+###
+# ============LICENSE_START=======================================================
+# APPC
+# ================================================================================
+# Copyright (C) 2018 AT&T Intellectual Property. All rights reserved.
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ============LICENSE_END=========================================================
+###
+ -->
+
+<shiro-configuration xmlns="urn:opendaylight:aaa:app:config">
+
+ <!--
+ ================================= TokenAuthRealm ==================================
+ = =
+ = Use org.onap.aaf.cadi.shiro.AAFRealm to enable AAF authentication =
+ = Use org.opendaylight.aaa.shiro.realm.TokenAuthRealm =
+ ===================================================================================
+ -->
+ <main>
+ <pair-key>tokenAuthRealm</pair-key>
+<!-- <pair-value>org.opendaylight.aaa.shiro.realm.TokenAuthRealm</pair-value> -->
+ <pair-value>org.onap.aaf.cadi.shiro.AAFRealm</pair-value>
+ </main>
+
+
+ <!-- add tokenAuthRealm as the only default realm -->
+ <main>
+ <pair-key>securityManager.realms</pair-key>
+ <pair-value>$tokenAuthRealm</pair-value>
+ </main>
+
+ <!-- Used to support OAuth2 use case. -->
+ <main>
+ <pair-key>authcBasic</pair-key>
+ <pair-value>org.opendaylight.aaa.shiro.filters.ODLHttpAuthenticationFilter</pair-value>
+ </main>
+
+ <!-- in order to track AAA challenge attempts -->
+ <main>
+ <pair-key>accountingListener</pair-key>
+ <pair-value>org.opendaylight.aaa.shiro.filters.AuthenticationListener</pair-value>
+ </main>
+ <main>
+ <pair-key>securityManager.authenticator.authenticationListeners</pair-key>
+ <pair-value>$accountingListener</pair-value>
+ </main>
+
+ <!-- Model based authorization scheme supporting RBAC for REST endpoints -->
+ <main>
+ <pair-key>dynamicAuthorization</pair-key>
+ <pair-value>org.opendaylight.aaa.shiro.realm.MDSALDynamicAuthorizationFilter</pair-value>
+ </main>
+
+
+ <!--
+ ===================================================================================
+ = URLS =
+ = For AAF use <pair-value> authcBasic, roles[org.onap.appc.odl|odl-api\*] =
+ = org.onap.appc.odl|odl-api|* can be replaced with other AAF permissions =
+ = For default <pair-value> authcBasic, roles[admin] =
+ ===================================================================================
+ -->
+
+ <!-- restrict access to some endpoints by default -->
+ <urls>
+ <pair-key>/auth/**</pair-key>
+<!-- <pair-value>authcBasic, roles[admin], dynamicAuthorization</pair-value> -->
+ <pair-value>authcBasic, roles[org.onap.appc.odl|odl-admin|*]</pair-value>
+ </urls>
+ <urls>
+ <pair-key>/restconf/config/aaa-cert-mdsal**</pair-key>
+<!-- <pair-value>authcBasic, roles[admin]</pair-value> -->
+ <pair-value>authcBasic, roles[org.onap.appc.odl|odl-admin|*]</pair-value>
+ </urls>
+ <urls>
+ <pair-key>/restconf/operational/aaa-cert-mdsal**</pair-key>
+<!-- <pair-value>authcBasic, roles[admin]</pair-value> -->
+ <pair-value>authcBasic, roles[org.onap.appc.odl|odl-admin|*]</pair-value>
+ </urls>
+ <urls>
+ <pair-key>/restconf/operations/aaa-cert-rpc**</pair-key>
+<!-- <pair-value>authcBasic, roles[admin]</pair-value> -->
+ <pair-value>authcBasic, roles[org.onap.appc.odl|odl-admin|*]</pair-value>
+ </urls>
+ <urls>
+ <pair-key>/restconf/config/aaa-authn-model**</pair-key>
+<!-- <pair-value>authcBasic, roles[admin]</pair-value> -->
+ <pair-value>authcBasic, roles[org.onap.appc.odl|odl-admin|*]</pair-value>
+ </urls>
+ <urls>
+ <pair-key>/restconf/operational/aaa-authn-model**</pair-key>
+<!-- <pair-value>authcBasic, roles[admin]</pair-value> -->
+ <pair-value>authcBasic, roles[org.onap.appc.odl|odl-admin|*]</pair-value>
+ </urls>
+ <urls>
+ <pair-key>/restconf/operations/cluster-admin**</pair-key>
+<!-- <pair-value>authcBasic, roles[admin]</pair-value> -->
+ <pair-value>authcBasic, roles[org.onap.appc.odl|odl-admin|*]</pair-value>
+ </urls>
+ <urls>
+ <pair-key>/**</pair-key>
+<!-- <pair-value>authcBasic, roles[admin]</pair-value> -->
+ <pair-value>authcBasic, roles[org.onap.appc.odl|odl-api|*]</pair-value>
+ </urls>
+</shiro-configuration>
+
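Review bot: The `dynamicAuthorization` filter is defined in `<main>` but no `<urls>` entry references it, so the MD-SAL model-based authorization it advertises is never applied to any path; the commented-out default for `/auth/**` chained it (`authcBasic, roles[admin], dynamicAuthorization`) and the AAF replacement on the next line dropped it. If dropping it is intentional, remove the unused definition so readers do not assume model-based RBAC is enforced; otherwise restore it on `/auth/**`: `<pair-value>authcBasic, roles[org.onap.appc.odl|odl-admin|*], dynamicAuthorization</pair-value>`. The URLS comment box also spells the permission as `roles[org.onap.appc.odl|odl-api\*]` while every active entry uses `...|odl-api|*`, so the backslash form should be corrected to match what is actually enforced. The AAF permission namespace `org.onap.appc.odl` is hard-coded here whereas the other AAF settings in this change are templated from `.Values`; that may be deliberate, but a short comment noting that the namespace must match the AAF permissions granted to the APPC identity would help.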