summaryrefslogtreecommitdiffstats
path: root/installation
diff options
context:
space:
mode:
authorMichael DÜrre <michael.duerre@highstreet-technologies.com>2021-03-13 16:21:13 +0100
committerMichael D�rre <michael.duerre@highstreet-technologies.com>2021-03-15 15:15:54 +0000
commit4c02840e6e6bf09656fccb5f61d228018a109585 (patch)
treeeb468bc606c6964549a611cc135a9c11fe13d133 /installation
parent8f5bd0b18beb59f558d53db24f36477b71ef0e5f (diff)
fixed license issue in oam
fix license for aaa config xml Issue-ID: SDNC-1502 Signed-off-by: Michael DÜrre <michael.duerre@highstreet-technologies.com> Change-Id: I919ed325e2ec2eb37ccc0382a48fb71ec0553089 Signed-off-by: Michael DÜrre <michael.duerre@highstreet-technologies.com> (cherry picked from commit 112731f8890db0614e664c6b8f653b49c9838b1d [formerly 7757aeb27528612096db8267e5efbcad43c156b1]) Former-commit-id: 30c83e0081824cf2ba25cd73813edda0e4490a53
Diffstat (limited to 'installation')
-rw-r--r--installation/sdnc/src/main/resources/oauth-aaa-app-config.xml293
1 files changed, 23 insertions, 270 deletions
diff --git a/installation/sdnc/src/main/resources/oauth-aaa-app-config.xml b/installation/sdnc/src/main/resources/oauth-aaa-app-config.xml
index a8c44d32..643ed4de 100644
--- a/installation/sdnc/src/main/resources/oauth-aaa-app-config.xml
+++ b/installation/sdnc/src/main/resources/oauth-aaa-app-config.xml
@@ -1,256 +1,34 @@
<?xml version="1.0" ?>
<!--
- Copyright (c) 2017 Inocybe Technologies and others. All rights reserved.
-
- This program and the accompanying materials are made available under the
- terms of the Eclipse Public License v1.0 which accompanies this distribution,
- and is available at http://www.eclipse.org/legal/epl-v10.html
--->
-
-<!--
- ///////////////////////////////////////////////////////////////////////////////////////
- // clustered-app-config instance responsible for AAA configuration. In the future, //
- // this will contain all AAA related configuration. //
- ///////////////////////////////////////////////////////////////////////////////////////
--->
+ ~ ============LICENSE_START=======================================================
+ ~ ONAP : ccsdk features
+ ~ ================================================================================
+ ~ Copyright (C) 2021 highstreet technologies GmbH Intellectual Property.
+ ~ All rights reserved.
+ ~ ================================================================================
+ ~ Licensed under the Apache License, Version 2.0 (the "License");
+ ~ you may not use this file except in compliance with the License.
+ ~ You may obtain a copy of the License at
+ ~
+ ~ http://www.apache.org/licenses/LICENSE-2.0
+ ~
+ ~ Unless required by applicable law or agreed to in writing, software
+ ~ distributed under the License is distributed on an "AS IS" BASIS,
+ ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ ~ See the License for the specific language governing permissions and
+ ~ limitations under the License.
+ ~ ============LICENSE_END=======================================================
+ ~
+ -->
<shiro-configuration xmlns="urn:opendaylight:aaa:app:config">
- <!--
- ///////////////////////////////////////////////////////////////////////////////////
- // shiro-configuration is the model based container that contains all shiro //
- // related information used in ODL AAA configuration. It is the sole pain of //
- // glass for shiro related configuration, and is how to configure shiro concepts //
- // such as: //
- // * realms //
- // * urls //
- // * security manager settings //
- // //
- // In general, you really shouldn't muck with the settings in this file. The //
- // way an operator should configure AAA shiro settings is through one of ODL's //
- // northbound interfaces (i.e., RESTCONF or NETCONF). These are just the //
- // defaults if no values are specified in MD-SAL. The reason this file is so //
- // verbose is for two reasons: //
- // 1) to demonstrate payload examples for plausible configuration scenarios //
- // 2) to allow bootstrap of the controller (first time start) since otherwise //
- // configuration becomes a chicken and the egg problem. //
- // //
- ///////////////////////////////////////////////////////////////////////////////////
- -->
- <!--
- ===================================================================================
- = =
- = =
- = MAIN =
- = =
- = =
- ===================================================================================
- -->
-
- <!--
- ===================================================================================
- ============================ ODLJndiLdapRealmAuthNOnly ============================
- ===================================================================================
- = =
- = Description: A Realm implementation aimed at federating with an external LDAP =
- = server for authentication only. For authorization support, refer =
- = to ODLJndiLdapRealm. =
- ===================================================================================
- -->
- <!-- Start ldapRealm commented out
- <main>
- <pair-key>ldapRealm</pair-key>
- <pair-value>org.opendaylight.aaa.shiro.realm.ODLJndiLdapRealmAuthNOnly</pair-value>
- </main>
- <main>
- <pair-key>ldapRealm.userDnTemplate</pair-key>
- <pair-value>uid={0},ou=People,dc=DOMAIN,dc=TLD</pair-value>
- </main>
- <main>
- <pair-key>ldapRealm.contextFactory.url</pair-key>
- <pair-value>ldap://&lt;URL&gt;:389</pair-value>
- </main>
- <main>
- <pair-key>ldapRealm.searchBase</pair-key>
- <pair-value>dc=DOMAIN,dc=TLD</pair-value>
- </main>
- <main>
- <pair-key>ldapRealm.groupRolesMap</pair-key>
- <pair-value>&quot;person&quot;:&quot;admin&quot;, &quot;organizationalPerson&quot;:&quot;user&quot;</pair-value>
- </main>
- <main>
- <pair-key>ldapRealm.ldapAttributeForComparison</pair-key>
- <pair-value>objectClass</pair-value>
- </main>
- End ldapRealm commented out-->
-
- <!--
- ===================================================================================
- ============================= ODLActiveDirectoryRealm =============================
- ===================================================================================
- = =
- = Description: A Realm implementation aimed at federating with an external AD =
- = IDP server. =
- ===================================================================================
- -->
- <!-- Start adRealm commented out
- <main>
- <pair-key>adRealm</pair-key>
- <pair-value>org.opendaylight.aaa.shiro.realm.ODLActiveDirectoryRealm</pair-value>
- </main>
- <main>
- <pair-key>adRealm.searchBase</pair-key>
- <pair-value>&quot;CN=Users,DC=example,DC=com&quot;</pair-value>
- </main>
- <main>
- <pair-key>adRealm.systemUsername</pair-key>
- <pair-value>aduser@example.com</pair-value>
- </main>
- <main>
- <pair-key>adRealm.systemPassword</pair-key>
- <pair-value>adpassword</pair-value>
- </main>
- <main>
- <pair-key>adRealm.url</pair-key>
- <pair-value>ldaps://adserver:636</pair-value>
- </main>
- <main>
- <pair-key>adRealm.groupRolesMap</pair-key>
- <pair-value>&quot;CN=sysadmin,CN=Users,DC=example,DC=com&quot;:&quot;admin&quot;, &quot;CN=unprivileged,CN=Users,DC=example,DC=com&quot;:&quot;user&quot;</pair-value>
- </main>
- End adRealm commented out-->
-
- <!--
- ===================================================================================
- ================================== ODLJdbcRealm ===================================
- ===================================================================================
- = =
- = Description: A Realm implementation aimed at federating with an external JDBC =
- = DBMS. =
- ===================================================================================
- -->
- <!-- Start jdbcRealm commented out
- <main>
- <pair-key>ds</pair-key>
- <pair-value>com.mysql.jdbc.Driver</pair-value>
- </main>
- <main>
- <pair-key>ds.serverName</pair-key>
- <pair-value>localhost</pair-value>
- </main>
- <main>
- <pair-key>ds.user</pair-key>
- <pair-value>user</pair-value>
- </main>
- <main>
- <pair-key>ds.password</pair-key>
- <pair-value>password</pair-value>
- </main>
- <main>
- <pair-key>ds.databaseName</pair-key>
- <pair-value>db_name</pair-value>
- </main>
- <main>
- <pair-key>jdbcRealm</pair-key>
- <pair-value>ODLJdbcRealm</pair-value>
- </main>
- <main>
- <pair-key>jdbcRealm.dataSource</pair-key>
- <pair-value>$ds</pair-value>
- </main>
- <main>
- <pair-key>jdbcRealm.authenticationQuery</pair-key>
- <pair-value>&quot;SELECT password FROM users WHERE user_name = ?&quot;</pair-value>
- </main>
- <main>
- <pair-key>jdbcRealm.userRolesQuery</pair-key>
- <pair-value>&quot;SELECT role_name FROM user_rolesWHERE user_name = ?&quot;</pair-value>
- </main>
- End jdbcRealm commented out-->
-
- <!--
- ===================================================================================
- ================================= TokenAuthRealm ==================================
- ===================================================================================
- = =
- = Description: A Realm implementation utilizing a per node H2 database store. =
- ===================================================================================
- -->
-<!-- <main> -->
-<!-- <pair-key>tokenAuthRealm</pair-key> -->
-<!-- <pair-value>org.opendaylight.aaa.shiro.realm.TokenAuthRealm</pair-value> -->
-<!-- </main> -->
<main>
<pair-key>tokenAuthRealm</pair-key>
<pair-value>org.onap.ccsdk.features.sdnr.wt.oauthprovider.OAuth2Realm</pair-value>
</main>
- <!--
- ===================================================================================
- =================================== MdsalRealm ====================================
- ===================================================================================
- = =
- = Description: A Realm implementation utilizing the aaa.yang model. =
- ===================================================================================
- -->
- <!-- Start mdsalRealm commented out
- <main>
- <pair-key>mdsalRealm</pair-key>
- <pair-value>org.opendaylight.aaa.shiro.realm.MdsalRealm</pair-value>
- </main>
- End mdsalRealm commented out-->
-
- <!--
- ===================================================================================
- ================================= MoonAuthRealm ===================================
- ===================================================================================
- = =
- = Description: A Realm implementation aimed at federating with OPNFV Moon. =
- ===================================================================================
- -->
- <!-- Start moonAuthRealm commented out
- <main>
- <pair-key>moonAuthRealm</pair-key>
- <pair-value>org.opendaylight.aaa.shiro.realm.MoonRealm</pair-value>
- </main>
- <main>
- <pair-key>moonAuthRealm.moonServerURL</pair-key>
- <pair-value>http://&lt;host&gt;:&lt;port&gt;</pair-value>
- </main>
- End moonAuthRealm commented out-->
-
- <!--
- ===================================================================================
- ================================= KeystoneAuthRealm == ============================
- ===================================================================================
- = =
- = Description: A Realm implementation aimed at federating with an OpenStack =
- = Keystone. =
- ===================================================================================
- -->
- <!-- Start keystoneAuthRealm commented out
- <main>
- <pair-key>keystoneAuthRealm</pair-key>
- <pair-value>org.opendaylight.aaa.shiro.realm.KeystoneAuthRealm</pair-value>
- </main>
- <main>
- <pair-key>keystoneAuthRealm.url</pair-key>
- <pair-value>https://&lt;host&gt;:&lt;port&gt;</pair-value>
- </main>
- <main>
- <pair-key>keystoneAuthRealm.sslVerification</pair-key>
- <pair-value>true</pair-value>
- </main>
- <main>
- <pair-key>keystoneAuthRealm.defaultDomain</pair-key>
- <pair-value>Default</pair-value>
- </main>
- -->
-
- <!--
- Add tokenAuthRealm as the only realm. To enable mdsalRealm, add it to the list to he right of tokenAuthRealm.
- -->
<main>
<pair-key>securityManager.realms</pair-key>
<pair-value>$tokenAuthRealm</pair-value>
@@ -268,13 +46,6 @@
<pair-key>authcBearer</pair-key>
<pair-value>org.opendaylight.aaa.shiro.filters.ODLHttpAuthenticationFilter2</pair-value>
</main>
-
- <!-- Start moonAuthRealm commented out
- <main>
- <pair-key>rest</pair-key>
- <pair-value>org.opendaylight.aaa.shiro.filters.MoonOAuthFilter</pair-value>
- </main>
- End moonAuthRealm commented out-->
<!-- in order to track AAA challenge attempts -->
<main>
@@ -291,26 +62,8 @@
<pair-key>dynamicAuthorization</pair-key>
<pair-value>org.opendaylight.aaa.shiro.realm.MDSALDynamicAuthorizationFilter</pair-value>
</main>
-<!-- <main> -->
-<!-- <pair-key>securityManager.sessionManager.sessionIdCookieEnabled</pair-key> -->
-<!-- <pair-value>false</pair-value> -->
-<!-- </main> -->
- <!--
- ===================================================================================
- = =
- = =
- = URLS =
- = =
- = =
- ===================================================================================
- -->
- <!-- Start moonAuthRealm commented out
- <urls>
- <pair-key>/token</pair-key>
- <pair-value>rest</pair-value>
- </urls>
- End moonAuthRealm commented out-->
+
<urls>
<pair-key>/**/operations/cluster-admin**</pair-key>
<pair-value>authcBearer, roles[admin]</pair-value>
@@ -337,11 +90,11 @@
</urls>
<urls>
<pair-key>/rests/**</pair-key>
- <pair-value>authcBearer, roles[admin]</pair-value>
+ <pair-value>authcBearer, anyroles["admin,provision"]</pair-value>
</urls>
<urls>
<pair-key>/**</pair-key>
- <pair-value>authcBearer, roles[admin]</pair-value>
+ <pair-value>authcBearer, anyroles["admin,provision"]</pair-value>
</urls>
</shiro-configuration>