diff options
Diffstat (limited to 'installation/sdnc/src/main/resources/oauth-aaa-app-config.xml')
| -rw-r--r-- | installation/sdnc/src/main/resources/oauth-aaa-app-config.xml | 347 |
1 files changed, 347 insertions, 0 deletions
diff --git a/installation/sdnc/src/main/resources/oauth-aaa-app-config.xml b/installation/sdnc/src/main/resources/oauth-aaa-app-config.xml new file mode 100644 index 00000000..a8c44d32 --- /dev/null +++ b/installation/sdnc/src/main/resources/oauth-aaa-app-config.xml @@ -0,0 +1,347 @@ +<?xml version="1.0" ?> +<!-- + Copyright (c) 2017 Inocybe Technologies and others. All rights reserved. + + This program and the accompanying materials are made available under the + terms of the Eclipse Public License v1.0 which accompanies this distribution, + and is available at http://www.eclipse.org/legal/epl-v10.html +--> + +<!-- + /////////////////////////////////////////////////////////////////////////////////////// + // clustered-app-config instance responsible for AAA configuration. In the future, // + // this will contain all AAA related configuration. // + /////////////////////////////////////////////////////////////////////////////////////// +--> + +<shiro-configuration xmlns="urn:opendaylight:aaa:app:config"> + + <!-- + /////////////////////////////////////////////////////////////////////////////////// + // shiro-configuration is the model based container that contains all shiro // + // related information used in ODL AAA configuration. It is the sole pain of // + // glass for shiro related configuration, and is how to configure shiro concepts // + // such as: // + // * realms // + // * urls // + // * security manager settings // + // // + // In general, you really shouldn't muck with the settings in this file. The // + // way an operator should configure AAA shiro settings is through one of ODL's // + // northbound interfaces (i.e., RESTCONF or NETCONF). These are just the // + // defaults if no values are specified in MD-SAL. The reason this file is so // + // verbose is for two reasons: // + // 1) to demonstrate payload examples for plausible configuration scenarios // + // 2) to allow bootstrap of the controller (first time start) since otherwise // + // configuration becomes a chicken and the egg problem. // + // // + /////////////////////////////////////////////////////////////////////////////////// + --> + + <!-- + =================================================================================== + = = + = = + = MAIN = + = = + = = + =================================================================================== + --> + + <!-- + =================================================================================== + ============================ ODLJndiLdapRealmAuthNOnly ============================ + =================================================================================== + = = + = Description: A Realm implementation aimed at federating with an external LDAP = + = server for authentication only. For authorization support, refer = + = to ODLJndiLdapRealm. = + =================================================================================== + --> + <!-- Start ldapRealm commented out + <main> + <pair-key>ldapRealm</pair-key> + <pair-value>org.opendaylight.aaa.shiro.realm.ODLJndiLdapRealmAuthNOnly</pair-value> + </main> + <main> + <pair-key>ldapRealm.userDnTemplate</pair-key> + <pair-value>uid={0},ou=People,dc=DOMAIN,dc=TLD</pair-value> + </main> + <main> + <pair-key>ldapRealm.contextFactory.url</pair-key> + <pair-value>ldap://<URL>:389</pair-value> + </main> + <main> + <pair-key>ldapRealm.searchBase</pair-key> + <pair-value>dc=DOMAIN,dc=TLD</pair-value> + </main> + <main> + <pair-key>ldapRealm.groupRolesMap</pair-key> + <pair-value>"person":"admin", "organizationalPerson":"user"</pair-value> + </main> + <main> + <pair-key>ldapRealm.ldapAttributeForComparison</pair-key> + <pair-value>objectClass</pair-value> + </main> + End ldapRealm commented out--> + + <!-- + =================================================================================== + ============================= ODLActiveDirectoryRealm ============================= + =================================================================================== + = = + = Description: A Realm implementation aimed at federating with an external AD = + = IDP server. = + =================================================================================== + --> + <!-- Start adRealm commented out + <main> + <pair-key>adRealm</pair-key> + <pair-value>org.opendaylight.aaa.shiro.realm.ODLActiveDirectoryRealm</pair-value> + </main> + <main> + <pair-key>adRealm.searchBase</pair-key> + <pair-value>"CN=Users,DC=example,DC=com"</pair-value> + </main> + <main> + <pair-key>adRealm.systemUsername</pair-key> + <pair-value>aduser@example.com</pair-value> + </main> + <main> + <pair-key>adRealm.systemPassword</pair-key> + <pair-value>adpassword</pair-value> + </main> + <main> + <pair-key>adRealm.url</pair-key> + <pair-value>ldaps://adserver:636</pair-value> + </main> + <main> + <pair-key>adRealm.groupRolesMap</pair-key> + <pair-value>"CN=sysadmin,CN=Users,DC=example,DC=com":"admin", "CN=unprivileged,CN=Users,DC=example,DC=com":"user"</pair-value> + </main> + End adRealm commented out--> + + <!-- + =================================================================================== + ================================== ODLJdbcRealm =================================== + =================================================================================== + = = + = Description: A Realm implementation aimed at federating with an external JDBC = + = DBMS. = + =================================================================================== + --> + <!-- Start jdbcRealm commented out + <main> + <pair-key>ds</pair-key> + <pair-value>com.mysql.jdbc.Driver</pair-value> + </main> + <main> + <pair-key>ds.serverName</pair-key> + <pair-value>localhost</pair-value> + </main> + <main> + <pair-key>ds.user</pair-key> + <pair-value>user</pair-value> + </main> + <main> + <pair-key>ds.password</pair-key> + <pair-value>password</pair-value> + </main> + <main> + <pair-key>ds.databaseName</pair-key> + <pair-value>db_name</pair-value> + </main> + <main> + <pair-key>jdbcRealm</pair-key> + <pair-value>ODLJdbcRealm</pair-value> + </main> + <main> + <pair-key>jdbcRealm.dataSource</pair-key> + <pair-value>$ds</pair-value> + </main> + <main> + <pair-key>jdbcRealm.authenticationQuery</pair-key> + <pair-value>"SELECT password FROM users WHERE user_name = ?"</pair-value> + </main> + <main> + <pair-key>jdbcRealm.userRolesQuery</pair-key> + <pair-value>"SELECT role_name FROM user_rolesWHERE user_name = ?"</pair-value> + </main> + End jdbcRealm commented out--> + + <!-- + =================================================================================== + ================================= TokenAuthRealm ================================== + =================================================================================== + = = + = Description: A Realm implementation utilizing a per node H2 database store. = + =================================================================================== + --> +<!-- <main> --> +<!-- <pair-key>tokenAuthRealm</pair-key> --> +<!-- <pair-value>org.opendaylight.aaa.shiro.realm.TokenAuthRealm</pair-value> --> +<!-- </main> --> + <main> + <pair-key>tokenAuthRealm</pair-key> + <pair-value>org.onap.ccsdk.features.sdnr.wt.oauthprovider.OAuth2Realm</pair-value> + </main> + + <!-- + =================================================================================== + =================================== MdsalRealm ==================================== + =================================================================================== + = = + = Description: A Realm implementation utilizing the aaa.yang model. = + =================================================================================== + --> + <!-- Start mdsalRealm commented out + <main> + <pair-key>mdsalRealm</pair-key> + <pair-value>org.opendaylight.aaa.shiro.realm.MdsalRealm</pair-value> + </main> + End mdsalRealm commented out--> + + <!-- + =================================================================================== + ================================= MoonAuthRealm =================================== + =================================================================================== + = = + = Description: A Realm implementation aimed at federating with OPNFV Moon. = + =================================================================================== + --> + <!-- Start moonAuthRealm commented out + <main> + <pair-key>moonAuthRealm</pair-key> + <pair-value>org.opendaylight.aaa.shiro.realm.MoonRealm</pair-value> + </main> + <main> + <pair-key>moonAuthRealm.moonServerURL</pair-key> + <pair-value>http://<host>:<port></pair-value> + </main> + End moonAuthRealm commented out--> + + <!-- + =================================================================================== + ================================= KeystoneAuthRealm == ============================ + =================================================================================== + = = + = Description: A Realm implementation aimed at federating with an OpenStack = + = Keystone. = + =================================================================================== + --> + <!-- Start keystoneAuthRealm commented out + <main> + <pair-key>keystoneAuthRealm</pair-key> + <pair-value>org.opendaylight.aaa.shiro.realm.KeystoneAuthRealm</pair-value> + </main> + <main> + <pair-key>keystoneAuthRealm.url</pair-key> + <pair-value>https://<host>:<port></pair-value> + </main> + <main> + <pair-key>keystoneAuthRealm.sslVerification</pair-key> + <pair-value>true</pair-value> + </main> + <main> + <pair-key>keystoneAuthRealm.defaultDomain</pair-key> + <pair-value>Default</pair-value> + </main> + --> + + <!-- + Add tokenAuthRealm as the only realm. To enable mdsalRealm, add it to the list to he right of tokenAuthRealm. + --> + <main> + <pair-key>securityManager.realms</pair-key> + <pair-value>$tokenAuthRealm</pair-value> + </main> + <!-- Used to support OAuth2 use case. --> + <main> + <pair-key>authcBasic</pair-key> + <pair-value>org.opendaylight.aaa.shiro.filters.ODLHttpAuthenticationFilter</pair-value> + </main> + <main> + <pair-key>anyroles</pair-key> + <pair-value>org.opendaylight.aaa.shiro.filters.AnyRoleHttpAuthenticationFilter</pair-value> + </main> + <main> + <pair-key>authcBearer</pair-key> + <pair-value>org.opendaylight.aaa.shiro.filters.ODLHttpAuthenticationFilter2</pair-value> + </main> + + <!-- Start moonAuthRealm commented out + <main> + <pair-key>rest</pair-key> + <pair-value>org.opendaylight.aaa.shiro.filters.MoonOAuthFilter</pair-value> + </main> + End moonAuthRealm commented out--> + + <!-- in order to track AAA challenge attempts --> + <main> + <pair-key>accountingListener</pair-key> + <pair-value>org.opendaylight.aaa.shiro.filters.AuthenticationListener</pair-value> + </main> + <main> + <pair-key>securityManager.authenticator.authenticationListeners</pair-key> + <pair-value>$accountingListener</pair-value> + </main> + + <!-- Model based authorization scheme supporting RBAC for REST endpoints --> + <main> + <pair-key>dynamicAuthorization</pair-key> + <pair-value>org.opendaylight.aaa.shiro.realm.MDSALDynamicAuthorizationFilter</pair-value> + </main> +<!-- <main> --> +<!-- <pair-key>securityManager.sessionManager.sessionIdCookieEnabled</pair-key> --> +<!-- <pair-value>false</pair-value> --> +<!-- </main> --> + + <!-- + =================================================================================== + = = + = = + = URLS = + = = + = = + =================================================================================== + --> + <!-- Start moonAuthRealm commented out + <urls> + <pair-key>/token</pair-key> + <pair-value>rest</pair-value> + </urls> + End moonAuthRealm commented out--> + <urls> + <pair-key>/**/operations/cluster-admin**</pair-key> + <pair-value>authcBearer, roles[admin]</pair-value> + </urls> + <urls> + <pair-key>/**/v1/**</pair-key> + <pair-value>authcBearer, roles[admin]</pair-value> + </urls> + <urls> + <pair-key>/**/config/aaa*/**</pair-key> + <pair-value>authcBearer, roles[admin]</pair-value> + </urls> + <urls> + <pair-key>/oauth/**</pair-key> + <pair-value>anon</pair-value> + </urls> + <urls> + <pair-key>/odlux/**</pair-key> + <pair-value>anon</pair-value> + </urls> + <urls> + <pair-key>/apidoc/**</pair-key> + <pair-value>authcBasic</pair-value> + </urls> + <urls> + <pair-key>/rests/**</pair-key> + <pair-value>authcBearer, roles[admin]</pair-value> + </urls> + <urls> + <pair-key>/**</pair-key> + <pair-value>authcBearer, roles[admin]</pair-value> + </urls> +</shiro-configuration> + |