blob: 65e34db7756d90822643fd9c3f158be0248c0e65 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
|
<?xml version="1.0" ?>
<!--
~ ============LICENSE_START=======================================================
~ ONAP : ccsdk features
~ ================================================================================
~ Copyright (C) 2021 highstreet technologies GmbH Intellectual Property.
~ All rights reserved.
~ ================================================================================
~ Licensed under the Apache License, Version 2.0 (the "License");
~ you may not use this file except in compliance with the License.
~ You may obtain a copy of the License at
~
~ http://www.apache.org/licenses/LICENSE-2.0
~
~ Unless required by applicable law or agreed to in writing, software
~ distributed under the License is distributed on an "AS IS" BASIS,
~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
~ See the License for the specific language governing permissions and
~ limitations under the License.
~ ============LICENSE_END=======================================================
~
-->
<shiro-configuration xmlns="urn:opendaylight:aaa:app:config">
<main>
<pair-key>tokenAuthRealm</pair-key>
<!--<pair-value>org.opendaylight.aaa.shiro.realm.TokenAuthRealm</pair-value>-->
<pair-value>org.onap.ccsdk.features.sdnr.wt.oauthprovider.OAuth2Realm</pair-value>
</main>
<main>
<pair-key>securityManager.realms</pair-key>
<pair-value>$tokenAuthRealm</pair-value>
</main>
<!-- Used to support OAuth2 use case. -->
<main>
<pair-key>anyroles</pair-key>
<pair-value>org.onap.ccsdk.features.sdnr.wt.oauthprovider.filters.AnyRoleHttpAuthenticationFilter</pair-value>
</main>
<main>
<pair-key>authcBearer</pair-key>
<!-- <pair-value>org.apache.shiro.web.filter.authc.BearerHttpAuthenticationFilter</pair-value>-->
<pair-value>org.onap.ccsdk.features.sdnr.wt.oauthprovider.filters.BearerAndBasicHttpAuthenticationFilter</pair-value>
</main>
<!-- in order to track AAA challenge attempts -->
<main>
<pair-key>accountingListener</pair-key>
<pair-value>org.opendaylight.aaa.shiro.filters.AuthenticationListener</pair-value>
</main>
<main>
<pair-key>securityManager.authenticator.authenticationListeners</pair-key>
<pair-value>$accountingListener</pair-value>
</main>
<!-- Model based authorization scheme supporting RBAC for REST endpoints -->
<main>
<pair-key>dynamicAuthorization</pair-key>
<pair-value>org.onap.ccsdk.features.sdnr.wt.oauthprovider.filters.CustomizedMDSALDynamicAuthorizationFilter</pair-value>
</main>
<urls>
<pair-key>/**/operations/cluster-admin**</pair-key>
<pair-value>authcBearer, roles[admin]</pair-value>
</urls>
<urls>
<pair-key>/**/v1/**</pair-key>
<pair-value>authcBasic, roles[admin]</pair-value>
</urls>
<urls>
<pair-key>/**/config/aaa*/**</pair-key>
<pair-value>authcBasic, roles[admin]</pair-value>
</urls>
<urls>
<pair-key>/oauth/**</pair-key>
<pair-value>anon</pair-value>
</urls>
<urls>
<pair-key>/odlux/**</pair-key>
<pair-value>anon</pair-value>
</urls>
<urls>
<pair-key>/apidoc/**</pair-key>
<pair-value>authcBasic</pair-value>
</urls>
<urls>
<pair-key>/rests/**</pair-key>
<pair-value>authcBearer, anyroles["admin,provision"]</pair-value>
</urls>
<urls>
<pair-key>/**</pair-key>
<pair-value>authcBearer, roles[admin]</pair-value>
</urls>
</shiro-configuration>
|
