4 # ============LICENSE_START=======================================================
6 # ================================================================================
7 # Copyright (C) 2018 AT&T Intellectual Property. All rights reserved.
8 # ================================================================================
9 # Licensed under the Apache License, Version 2.0 (the "License");
10 # you may not use this file except in compliance with the License.
11 # You may obtain a copy of the License at
13 # http://www.apache.org/licenses/LICENSE-2.0
15 # Unless required by applicable law or agreed to in writing, software
16 # distributed under the License is distributed on an "AS IS" BASIS,
17 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
18 # See the License for the specific language governing permissions and
19 # limitations under the License.
20 # ============LICENSE_END=========================================================
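<shiro-configuration xmlns="urn:opendaylight:aaa:app:config">

    <!--
    ================================= TokenAuthRealm ==================================
    = Use org.onap.aaf.cadi.shiro.AAFRealm to enable AAF authentication               =
    = Use org.opendaylight.aaa.shiro.realm.TokenAuthRealm                              =
    ===================================================================================
    The realm chosen here decides who can authenticate at all; the <urls> rules
    further down then decide what an authenticated principal may reach. Keep the
    realm and the role names used in <urls> on the same model (ODL roles vs. AAF
    permissions), otherwise every request fails the roles[...] check.
    -->
    <main>
        <pair-key>tokenAuthRealm</pair-key>
        <pair-value>org.opendaylight.aaa.shiro.realm.TokenAuthRealm</pair-value>
        <!-- <pair-value>org.onap.aaf.cadi.shiro.AAFRealm</pair-value> -->
    </main>

    <!-- add tokenAuthRealm as the only default realm -->
    <main>
        <pair-key>securityManager.realms</pair-key>
        <pair-value>$tokenAuthRealm</pair-value>
    </main>

    <!-- Used to support OAuth2 use case. -->
    <main>
        <pair-key>authcBasic</pair-key>
        <pair-value>org.opendaylight.aaa.shiro.filters.ODLHttpAuthenticationFilter</pair-value>
    </main>

    <!-- in order to track AAA challenge attempts -->
    <main>
        <pair-key>accountingListener</pair-key>
        <pair-value>org.opendaylight.aaa.shiro.filters.AuthenticationListener</pair-value>
    </main>
    <main>
        <pair-key>securityManager.authenticator.authenticationListeners</pair-key>
        <pair-value>$accountingListener</pair-value>
    </main>

    <!-- Model based authorization scheme supporting RBAC for REST endpoints -->
    <main>
        <pair-key>dynamicAuthorization</pair-key>
        <pair-value>org.opendaylight.aaa.shiro.realm.MDSALDynamicAuthorizationFilter</pair-value>
    </main>

    <!--
    ===================================================================================
    = For AAF use <pair-value> authcBasic, roles[org.onap.appc.odl|odl-api|*]        =
    = org.onap.appc.odl|odl-api|* can be replaced with other AAF permissions          =
    = For default <pair-value> authcBasic, roles[admin]                               =
    ===================================================================================
    URL rules are evaluated in document order and the first matching pattern wins,
    so the /** catch-all must remain the last entry; anything placed after it is
    never consulted. dynamicAuthorization is applied only to /auth/**; every other
    rule relies solely on the static roles[...] check. When enabling AAF, swap all
    commented AAF <pair-value> entries in one change so no path is left on the
    wrong role model.
    -->

    <!-- restrict access to some endpoints by default -->
    <urls>
        <pair-key>/auth/**</pair-key>
        <pair-value>authcBasic, roles[admin], dynamicAuthorization</pair-value>
        <!-- <pair-value>authcBasic, roles[org.onap.appc.odl|odl-admin|*]</pair-value> -->
    </urls>
    <urls>
        <pair-key>/restconf/config/aaa-cert-mdsal**</pair-key>
        <pair-value>authcBasic, roles[admin]</pair-value>
        <!-- <pair-value>authcBasic, roles[org.onap.appc.odl|odl-admin|*]</pair-value> -->
    </urls>
    <urls>
        <pair-key>/restconf/operational/aaa-cert-mdsal**</pair-key>
        <pair-value>authcBasic, roles[admin]</pair-value>
        <!-- <pair-value>authcBasic, roles[org.onap.appc.odl|odl-admin|*]</pair-value> -->
    </urls>
    <urls>
        <pair-key>/restconf/operations/aaa-cert-rpc**</pair-key>
        <pair-value>authcBasic, roles[admin]</pair-value>
        <!-- <pair-value>authcBasic, roles[org.onap.appc.odl|odl-admin|*]</pair-value> -->
    </urls>
    <urls>
        <pair-key>/restconf/config/aaa-authn-model**</pair-key>
        <pair-value>authcBasic, roles[admin]</pair-value>
        <!-- <pair-value>authcBasic, roles[org.onap.appc.odl|odl-admin|*]</pair-value> -->
    </urls>
    <urls>
        <pair-key>/restconf/operational/aaa-authn-model**</pair-key>
        <pair-value>authcBasic, roles[admin]</pair-value>
        <!-- <pair-value>authcBasic, roles[org.onap.appc.odl|odl-admin|*]</pair-value> -->
    </urls>
    <urls>
        <pair-key>/restconf/operations/cluster-admin**</pair-key>
        <pair-value>authcBasic, roles[admin]</pair-value>
        <!-- <pair-value>authcBasic, roles[org.onap.appc.odl|odl-admin|*]</pair-value> -->
    </urls>
    <!-- Catch-all: every path not matched above requires an authenticated admin.
         Must stay last (first match wins). -->
    <urls>
        <pair-key>/**</pair-key>
        <pair-value>authcBasic, roles[admin]</pair-value>
        <!-- <pair-value>authcBasic, roles[org.onap.appc.odl|odl-api|*]</pair-value> -->
    </urls>
</shiro-configuration>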