3 Copyright (c) 2017 Inocybe Technologies and others. All rights reserved.
5 This program and the accompanying materials are made available under the
6 terms of the Eclipse Public License v1.0 which accompanies this distribution,
7 and is available at http://www.eclipse.org/legal/epl-v10.html
11 ///////////////////////////////////////////////////////////////////////////////////////
12 // clustered-app-config instance responsible for AAA configuration. In the future, //
13 // this will contain all AAA related configuration. //
14 ///////////////////////////////////////////////////////////////////////////////////////
17 <shiro-configuration xmlns="urn:opendaylight:aaa:app:config">
20 ///////////////////////////////////////////////////////////////////////////////////
21 // shiro-configuration is the model based container that contains all shiro //
22 // related information used in ODL AAA configuration. It is the single pane of //
23 // glass for shiro related configuration, and is how to configure shiro concepts //
27 // * security manager settings //
29 // In general, you really shouldn't muck with the settings in this file. The //
30 // way an operator should configure AAA shiro settings is through one of ODL's //
31 // northbound interfaces (i.e., RESTCONF or NETCONF). These are just the //
32 // defaults if no values are specified in MD-SAL (once a shiro configuration //
   // exists in the datastore, the values in this file are no longer consulted). //
33 // This file is so verbose for two reasons: //
34 // 1) to demonstrate payload examples for plausible configuration scenarios //
35 // 2) to allow bootstrap of the controller (first time start) since otherwise //
36 // configuration becomes a chicken and the egg problem. //
38 ///////////////////////////////////////////////////////////////////////////////////
42 ===================================================================================
48 ===================================================================================
52 ===================================================================================
53 ============================ ODLJndiLdapRealmAuthNOnly ============================
54 ===================================================================================
56 = Description: A Realm implementation aimed at federating with an external LDAP =
57 = server for authentication only. For authorization support, refer =
58 = to ODLJndiLdapRealm. =
   = NOTE: the contextFactory.url example below uses plain ldap:// on port 389; a =
   = simple bind over it sends the user's password in the clear, so use ldaps:// =
   = in any real deployment. The groupRolesMap example also maps the generic =
   = objectClass "person" to the admin role (ldapAttributeForComparison is =
   = objectClass), which would make every directory user an admin; replace it =
   = with a mapping to a real, restricted group before enabling this realm. =
59 ===================================================================================
61 <!-- Start ldapRealm commented out
63 <pair-key>ldapRealm</pair-key>
64 <pair-value>org.opendaylight.aaa.shiro.realm.ODLJndiLdapRealmAuthNOnly</pair-value>
67 <pair-key>ldapRealm.userDnTemplate</pair-key>
68 <pair-value>uid={0},ou=People,dc=DOMAIN,dc=TLD</pair-value>
71 <pair-key>ldapRealm.contextFactory.url</pair-key>
72 <pair-value>ldap://<URL>:389</pair-value>
75 <pair-key>ldapRealm.searchBase</pair-key>
76 <pair-value>dc=DOMAIN,dc=TLD</pair-value>
79 <pair-key>ldapRealm.groupRolesMap</pair-key>
80 <pair-value>"person":"admin", "organizationalPerson":"user"</pair-value>
83 <pair-key>ldapRealm.ldapAttributeForComparison</pair-key>
84 <pair-value>objectClass</pair-value>
86 End ldapRealm commented out-->
89 ===================================================================================
90 ============================= ODLActiveDirectoryRealm =============================
91 ===================================================================================
93 = Description: A Realm implementation aimed at federating with an external AD =
   = server. NOTE: adRealm.systemUsername / adRealm.systemPassword below are a =
   = service-account bind credential kept in clear text in this file: give that =
   = account read-only directory rights, restrict who can read this file, and do =
   = not commit a real password here. Keep the ldaps:// URL shown in the example; =
   = plain ldap:// would expose that credential on the wire. =
95 ===================================================================================
97 <!-- Start adRealm commented out
99 <pair-key>adRealm</pair-key>
100 <pair-value>org.opendaylight.aaa.shiro.realm.ODLActiveDirectoryRealm</pair-value>
103 <pair-key>adRealm.searchBase</pair-key>
104 <pair-value>"CN=Users,DC=example,DC=com"</pair-value>
107 <pair-key>adRealm.systemUsername</pair-key>
108 <pair-value>aduser@example.com</pair-value>
111 <pair-key>adRealm.systemPassword</pair-key>
112 <pair-value>adpassword</pair-value>
115 <pair-key>adRealm.url</pair-key>
116 <pair-value>ldaps://adserver:636</pair-value>
119 <pair-key>adRealm.groupRolesMap</pair-key>
120 <pair-value>"CN=sysadmin,CN=Users,DC=example,DC=com":"admin", "CN=unprivileged,CN=Users,DC=example,DC=com":"user"</pair-value>
122 End adRealm commented out-->
125 ===================================================================================
126 ================================== ODLJdbcRealm ===================================
127 ===================================================================================
129 = Description: A Realm implementation aimed at federating with an external JDBC =
    = data source. NOTE: ds.user / ds.password below are a database credential kept =
    = in clear text in this file; use a least-privilege DB account that can only =
    = read the users and user_roles tables, restrict who can read this file, and =
    = do not commit a real password here. =
131 ===================================================================================
133 <!-- Start jdbcRealm commented out
135 <pair-key>ds</pair-key>
136 <pair-value>com.mysql.jdbc.Driver</pair-value>
139 <pair-key>ds.serverName</pair-key>
140 <pair-value>localhost</pair-value>
143 <pair-key>ds.user</pair-key>
144 <pair-value>user</pair-value>
147 <pair-key>ds.password</pair-key>
148 <pair-value>password</pair-value>
151 <pair-key>ds.databaseName</pair-key>
152 <pair-value>db_name</pair-value>
155 <pair-key>jdbcRealm</pair-key>
156 <pair-value>ODLJdbcRealm</pair-value>
159 <pair-key>jdbcRealm.dataSource</pair-key>
160 <pair-value>$ds</pair-value>
163 <pair-key>jdbcRealm.authenticationQuery</pair-key>
164 <pair-value>"SELECT password FROM users WHERE user_name = ?"</pair-value>
167 <pair-key>jdbcRealm.userRolesQuery</pair-key>
168 <pair-value>"SELECT role_name FROM user_roles WHERE user_name = ?"</pair-value>
170 End jdbcRealm commented out-->
173 ===================================================================================
174 ================================= TokenAuthRealm ==================================
175 ===================================================================================
177 = Description: The tokenAuthRealm name is bound below to ONAP AAF's CADI realm =
    = (org.onap.aaf.cadi.shiro.AAFRealm). The commented-out ODL TokenAuthRealm is =
    = the implementation that uses a per node H2 database store. =
178 ===================================================================================
181 <pair-key>tokenAuthRealm</pair-key>
182 <pair-value>org.onap.aaf.cadi.shiro.AAFRealm</pair-value>
183 <!-- <pair-value>org.opendaylight.aaa.shiro.realm.TokenAuthRealm</pair-value> -->
187 ===================================================================================
188 =================================== MdsalRealm ====================================
189 ===================================================================================
191 = Description: A Realm implementation utilizing the aaa.yang model. =
192 ===================================================================================
194 <!-- Start mdsalRealm commented out
196 <pair-key>mdsalRealm</pair-key>
197 <pair-value>org.opendaylight.aaa.shiro.realm.MdsalRealm</pair-value>
199 End mdsalRealm commented out-->
202 ===================================================================================
203 ================================= MoonAuthRealm ===================================
204 ===================================================================================
206 = Description: A Realm implementation aimed at federating with OPNFV Moon. =
    = NOTE: the moonServerURL example below is plain http://, so anything this =
    = realm exchanges with the Moon server travels in the clear; use https:// for =
    = any real deployment. =
207 ===================================================================================
209 <!-- Start moonAuthRealm commented out
211 <pair-key>moonAuthRealm</pair-key>
212 <pair-value>org.opendaylight.aaa.shiro.realm.MoonRealm</pair-value>
215 <pair-key>moonAuthRealm.moonServerURL</pair-key>
216 <pair-value>http://<host>:<port></pair-value>
218 End moonAuthRealm commented out-->
221 ===================================================================================
222 ================================= KeystoneAuthRealm ===============================
223 ===================================================================================
225 = Description: A Realm implementation aimed at federating with an OpenStack =
    = Keystone server. NOTE: keep keystoneAuthRealm.sslVerification at true; =
    = setting it to false disables certificate checking, letting a man-in-the- =
    = middle impersonate Keystone and capture the credentials sent to it. =
227 ===================================================================================
229 <!-- Start keystoneAuthRealm commented out
231 <pair-key>keystoneAuthRealm</pair-key>
232 <pair-value>org.opendaylight.aaa.shiro.realm.KeystoneAuthRealm</pair-value>
235 <pair-key>keystoneAuthRealm.url</pair-key>
236 <pair-value>https://<host>:<port></pair-value>
239 <pair-key>keystoneAuthRealm.sslVerification</pair-key>
240 <pair-value>true</pair-value>
243 <pair-key>keystoneAuthRealm.defaultDomain</pair-key>
244 <pair-value>Default</pair-value>
249 Register tokenAuthRealm (bound above to the AAF realm) as the only realm. To enable mdsalRealm as well, uncomment its definition above and add it to the list to the right of tokenAuthRealm.
252 <pair-key>securityManager.realms</pair-key>
253 <pair-value>$tokenAuthRealm</pair-value>
255 <!-- Used to support OAuth2 use case. -->
257 <pair-key>authcBasic</pair-key>
258 <pair-value>org.opendaylight.aaa.shiro.filters.ODLHttpAuthenticationFilter</pair-value>
261 <!-- Start moonAuthRealm commented out
263 <pair-key>rest</pair-key>
264 <pair-value>org.opendaylight.aaa.shiro.filters.MoonOAuthFilter</pair-value>
266 End moonAuthRealm commented out-->
268 <!-- in order to track AAA challenge attempts -->
270 <pair-key>accountingListener</pair-key>
271 <pair-value>org.opendaylight.aaa.shiro.filters.AuthenticationListener</pair-value>
274 <pair-key>securityManager.authenticator.authenticationListeners</pair-key>
275 <pair-value>$accountingListener</pair-value>
278 <!-- Model based authorization scheme supporting RBAC for REST endpoints. NOTE: this only registers the filter under the name dynamicAuthorization; a filter is applied only on URL chains that list it, and none of the URL rules shown below do (the /** chain uses authcBasic and rest[...] only), so MD-SAL RBAC policy is not enforced by this configuration unless a chain references dynamicAuthorization. -->
280 <pair-key>dynamicAuthorization</pair-key>
281 <pair-value>org.opendaylight.aaa.shiro.realm.MDSALDynamicAuthorizationFilter</pair-value>
286 ===================================================================================
292 ===================================================================================
294 <!-- Start moonAuthRealm commented out
296 <pair-key>/token</pair-key>
297 <pair-value>rest</pair-value>
299 End moonAuthRealm commented out-->
300 <!-- Start URLS commented out. NOTE: while these rules stay commented out, /operations/cluster-admin**, /v1/** and /config/aaa*/** are not restricted to roles[admin]; they fall through to the /** rule below and get only whatever that rule applies.
302 <pair-key>/operations/cluster-admin**</pair-key>
303 <pair-value>authcBasic, roles[admin]</pair-value>
306 <pair-key>/v1/**</pair-key>
307 <pair-value>authcBasic, roles[admin]</pair-value>
310 <pair-key>/config/aaa*/**</pair-key>
311 <pair-value>authcBasic, roles[admin]</pair-value>
313 End URLS commented out -->
315 <pair-key>/**</pair-key>
316 <!-- Alternative with no authorization step at all (every authenticated caller reaches every endpoint): <pair-value>authcBasic</pair-value>. The live rule below keeps rest[org.onap.sdnc.odl:odl-api]. Note that the rest = MoonOAuthFilter mapping above is commented out, so rest here presumably resolves to Shiro's built-in HttpMethodPermissionFilter, which requires the AAF permission org.onap.sdnc.odl:odl-api with an action derived from the HTTP method (GET read, POST create, ...); confirm this against the AAF/CADI setup before relying on it. -->
317 <pair-value>authcBasic, rest[org.onap.sdnc.odl:odl-api]</pair-value>
319 </shiro-configuration>