2 # Copyright (c) 2015-2016 Brocade Communications Systems, Inc. and others. All rights reserved.
3 # Additions copyright (C) 2018 AT&T Intellectual Property
5 # This program and the accompanying materials are made available under the
6 # terms of the Eclipse Public License v1.0 which accompanies this distribution,
7 # and is available at http://www.eclipse.org/legal/epl-v10.html
10 ###############################################################################
13 # Configuration of OpenDaylight's aaa-shiro feature. Provided Realm #
14 # implementations include: #
15 # - TokenAuthRealm (enabled by default) #
16 # - ODLJndiLdapRealm (disabled by default) #
17 # - ODLJndiLdapRealmAuthNOnly (disabled by default) #
18 # Basic user configuration through shiro.ini is disabled for security #
20 ###############################################################################
25 ###############################################################################
28 # This section is dedicated to setting up realms for OpenDaylight. Realms #
29 # are essentially different methods for providing AAA. ODL strives to provide#
30 # highly-configurable AAA by providing pluggable infrastructure. By default, #
31 # TokenAuthRealm is enabled out of the box (which bridges to the existing AAA #
32 # mechanisms). More than one realm can be enabled, and the realms are #
33 # tried Round-Robin until: #
34 # 1) a realm successfully authenticates the incoming request #
35 # 2) all realms are exhausted, and 401 is returned #
36 ###############################################################################
39 # ODL provides a few LDAP implementations, which are disabled out of the box.
40 # ODLJndiLdapRealm includes authorization functionality based on LDAP elements
41 # extracted through an LDAP search. This requires a bit of knowledge about
42 # how your LDAP system is set up. An example is provided below:
43 #ldapRealm = org.opendaylight.aaa.shiro.realm.ODLJndiLdapRealm
44 #ldapRealm.userDnTemplate = uid={0},ou=People,dc=DOMAIN,dc=TLD
45 #ldapRealm.contextFactory.url = ldap://<URL>:389
46 #ldapRealm.searchBase = dc=DOMAIN,dc=TLD
47 # Abstraction to map LDAP extracted groups to ODL roles
48 #ldapRealm.groupRolesMap = "person":"admin", "organizationalPerson":"user"
49 #ldapRealm.ldapAttributeForComparison = objectClass
51 # ODL also provides ODLJndiLdapRealmAuthNOnly. Essentially, this allows
52 # access through AAAFilter to any user that can authenticate against the
53 # provided LDAP server.
54 #ldapRealm = org.opendaylight.aaa.shiro.realm.ODLJndiLdapRealmAuthNOnly
55 #ldapRealm.userDnTemplate = uid={0},ou=People,dc=DOMAIN,dc=TLD
56 #ldapRealm.contextFactory.url = ldap://<URL>:389
58 # ODL provides an Active Directory Realm through ODLActiveDirectoryRealm.
59 #adRealm = org.opendaylight.aaa.shiro.realm.ODLActiveDirectoryRealm
60 #adRealm.searchBase = "CN=Users,DC=example,DC=com"
61 #adRealm.systemUsername = aduser@example.com
62 #adRealm.systemPassword = adpassword
63 #adRealm.url = ldaps://adserver:636
64 # The groupRolesMap maps an AD query to a particular role.
65 #adRealm.groupRolesMap = "CN=sysadmin,CN=Users,DC=example,DC=com":"admin", "CN=unprivileged,CN=Users,DC=example,DC=com":"user"
67 # ODL provides a slightly customized version of Shiro's JdbcRealm, which
68 # can be used to integrate with an existing JDBC-supporting data source. This
69 # helps ease deployment configuration with existing OSS systems. Setting up
70 # the ODLJdbcRealm requires instantiation of two abstractions: the data source
72 # ds, which stands for data source, defines a data source which can be used
73 # for JDBC connections.
74 #ds = com.mysql.jdbc.Driver
75 #ds.serverName = localhost
77 #ds.password = password
78 #ds.databaseName = db_name
79 # jdbcRealm is used to manipulate realm instance properties, specifically the
80 # queries required to extract information from a JDBC data source.
81 #jdbcRealm = org.opendaylight.aaa.shiro.realm.ODLJdbcRealm
82 #jdbcRealm.dataSource = $ds
83 #jdbcRealm.authenticationQuery = "SELECT password FROM users WHERE user_name = ?"
84 #jdbcRealm.userRolesQuery = "SELECT role_name FROM user_roles WHERE user_name = ?"
86 # Bridge to existing h2/idmlight/mdsal authentication/authorization mechanisms.
87 # This realm is enabled by default, and utilizes h2-store by default.
88 tokenAuthRealm = org.opendaylight.aaa.shiro.realm.TokenAuthRealm
91 # Use this class for the AAF Realm; the AAF permission format must also be used for URLs
92 #tokenAuthRealm = org.onap.aaf.cadi.shiro.AAFRealm
94 # The MoonRealm is useful for bridging ODL with the OPNFV Moon project. To
95 # enable the moonAuthRealm, uncomment the line below, and then add moonAuthRealm
96 # to the securityManager.realms list below
97 #moonAuthRealm = org.opendaylight.aaa.shiro.realm.MoonRealm
98 #moonAuthRealm.moonServerURL = http://<host>:<port>
100 # ODL provides a KeystoneAuthRealm to authenticate access against an OpenStack
101 # Keystone (v3) instance. At this time the authentication is 'unscoped' and
102 # authorization is not supported.
103 #keystoneAuthRealm = org.opendaylight.aaa.shiro.realm.KeystoneAuthRealm
104 #keystoneAuthRealm.url = https://<host>:<port>
105 #keystoneAuthRealm.sslVerification = true
106 # Default domain to use if not specified within the provided credentials.
107 #keystoneAuthRealm.defaultDomain = Default
109 # The CSV list of enabled realms. In order to enable a realm, add it to the
111 securityManager.realms = $tokenAuthRealm
113 # adds a custom AuthenticationFilter to support OAuth2 for backwards
114 # compatibility. To disable OAuth2 access, just comment out the next line
115 # and authcBasic will default to BasicHttpAuthenticationFilter, a
116 # Shiro-provided class.
117 authcBasic = org.opendaylight.aaa.shiro.filters.ODLHttpAuthenticationFilter
119 # OAuth2 Filter for moon token AuthN
120 #rest = org.opendaylight.aaa.shiro.filters.MoonOAuthFilter
122 # Add AuthenticationListener, a listener that records whether
123 # authentication attempts succeed or fail. This audit
124 # information is disabled by default, to avoid log flooding. To enable it,
125 # issue the following in karaf:
126 # >log:set DEBUG org.opendaylight.aaa.shiro.filters.AuthenticationListener
127 accountingListener = org.opendaylight.aaa.shiro.filters.AuthenticationListener
128 securityManager.authenticator.authenticationListeners = $accountingListener
130 # Filter to support dynamic URL rules based on the MD-SAL model
131 dynamicAuthorization = org.opendaylight.aaa.shiro.realm.MDSALDynamicAuthorizationFilter
136 ###############################################################################
137 # url authorization section #
139 # This section is dedicated to defining url-based authorization according to: #
140 # http://shiro.apache.org/web.html #
142 # DO NOT EDIT THE FOLLOWING UNLESS YOU KNOW WHAT YOU ARE DOING! #
143 ###############################################################################
145 # Temporarily added authorization endpoints; they will be removed when the
146 # MDSAL-based model can be initialized from file.
147 /v1/** = authcBasic, roles[admin], dynamicAuthorization
149 # Restrict AAA-Certificate REST APIs to Admin role
150 /config/aaa-cert-mdsal** = authcBasic, roles[admin]
151 /operational/aaa-cert-mdsal** = authcBasic, roles[admin]
152 /operations/aaa-cert-rpc** = authcBasic, roles[admin]
154 # Access to the credential store is limited to valid users who have the
155 # admin role. The following lines are only needed if the mdsal store is enabled
156 # (the mdsal store is disabled by default).
157 /config/aaa-authn-model** = authcBasic, roles[admin]
158 /operational/aaa-authn-model** = authcBasic, roles[admin]
160 # Uncomment the line below to enable the Moon AuthenticatingFilter
163 # General access through AAAFilter requires valid credentials (AuthN only).
164 /** = authcBasic, dynamicAuthorization
167 # Use this format for AAF; the AAF Realm must also be used for the authcBasic realm
168 #/** = authcBasic, roles[org.onap.appc.odl|odl-api|*]
169 # use this format for no security