3 Copyright (c) 2017 Inocybe Technologies and others. All rights reserved.
5 This program and the accompanying materials are made available under the
6 terms of the Eclipse Public License v1.0 which accompanies this distribution,
7 and is available at http://www.eclipse.org/legal/epl-v10.html , or the Apache License,
8 Version 2.0 which is available at https://www.apache.org/licenses/LICENSE-2.0
10 SPDX-License-Identifier: EPL-1.0 OR Apache-2.0
14 ///////////////////////////////////////////////////////////////////////////////////////
15 // clustered-app-config instance responsible for AAA configuration. In the future, //
16 // this will contain all AAA related configuration. //
17 ///////////////////////////////////////////////////////////////////////////////////////
20 <shiro-configuration xmlns="urn:opendaylight:aaa:app:config">
23 ///////////////////////////////////////////////////////////////////////////////////
24 // shiro-configuration is the model based container that contains all shiro //
25 // related information used in ODL AAA configuration. It is the sole pane of //
26 // glass for shiro related configuration, and is how to configure shiro concepts //
30 // * security manager settings //
32 // In general, you really shouldn't muck with the settings in this file. The //
33 // way an operator should configure AAA shiro settings is through one of ODL's //
34 // northbound interfaces (i.e., RESTCONF or NETCONF). These are just the //
35 // defaults if no values are specified in MD-SAL. The reason this file is so //
36 // verbose is for two reasons: //
37 // 1) to demonstrate payload examples for plausible configuration scenarios //
38 // 2) to allow bootstrap of the controller (first time start) since otherwise //
39 // configuration becomes a chicken and the egg problem. //
41 ///////////////////////////////////////////////////////////////////////////////////
45 ===================================================================================
51 ===================================================================================
55 ===================================================================================
56 ============================ ODLJndiLdapRealmAuthNOnly ============================
57 ===================================================================================
59 = Description: A Realm implementation aimed at federating with an external LDAP =
60 = server for authentication only. For authorization support, refer =
61 = to ODLJndiLdapRealm. =
62 ===================================================================================
64 <!-- Start ldapRealm commented out
66 <pair-key>ldapRealm</pair-key>
67 <pair-value>org.opendaylight.aaa.shiro.realm.ODLJndiLdapRealmAuthNOnly</pair-value>
70 <pair-key>ldapRealm.userDnTemplate</pair-key>
71 <pair-value>uid={0},ou=People,dc=DOMAIN,dc=TLD</pair-value>
74 <pair-key>ldapRealm.contextFactory.url</pair-key>
75 <pair-value>ldap://<URL>:389</pair-value>
78 <pair-key>ldapRealm.searchBase</pair-key>
79 <pair-value>dc=DOMAIN,dc=TLD</pair-value>
82 <pair-key>ldapRealm.groupRolesMap</pair-key>
83 <pair-value>"person":"admin", "organizationalPerson":"user"</pair-value>
86 <pair-key>ldapRealm.ldapAttributeForComparison</pair-key>
87 <pair-value>objectClass</pair-value>
89 End ldapRealm commented out-->
92 ===================================================================================
93 ============================= ODLActiveDirectoryRealm =============================
94 ===================================================================================
96 = Description: A Realm implementation aimed at federating with an external AD =
98 ===================================================================================
100 <!-- Start adRealm commented out
102 <pair-key>adRealm</pair-key>
103 <pair-value>org.opendaylight.aaa.shiro.realm.ODLActiveDirectoryRealm</pair-value>
106 <pair-key>adRealm.searchBase</pair-key>
107 <pair-value>"CN=Users,DC=example,DC=com"</pair-value>
110 <pair-key>adRealm.systemUsername</pair-key>
111 <pair-value>aduser@example.com</pair-value>
114 <pair-key>adRealm.systemPassword</pair-key>
115 <pair-value>adpassword</pair-value>
118 <pair-key>adRealm.url</pair-key>
119 <pair-value>ldaps://adserver:636</pair-value>
122 <pair-key>adRealm.groupRolesMap</pair-key>
123 <pair-value>"CN=sysadmin,CN=Users,DC=example,DC=com":"admin", "CN=unprivileged,CN=Users,DC=example,DC=com":"user"</pair-value>
125 End adRealm commented out-->
128 ===================================================================================
129 ================================== ODLJdbcRealm ===================================
130 ===================================================================================
132 = Description: A Realm implementation aimed at federating with an external JDBC =
134 ===================================================================================
136 <!-- Start jdbcRealm commented out
138 <pair-key>ds</pair-key>
139 <pair-value>com.mysql.jdbc.Driver</pair-value>
142 <pair-key>ds.serverName</pair-key>
143 <pair-value>localhost</pair-value>
146 <pair-key>ds.user</pair-key>
147 <pair-value>user</pair-value>
150 <pair-key>ds.password</pair-key>
151 <pair-value>password</pair-value>
154 <pair-key>ds.databaseName</pair-key>
155 <pair-value>db_name</pair-value>
158 <pair-key>jdbcRealm</pair-key>
159 <pair-value>ODLJdbcRealm</pair-value>
162 <pair-key>jdbcRealm.dataSource</pair-key>
163 <pair-value>$ds</pair-value>
166 <pair-key>jdbcRealm.authenticationQuery</pair-key>
167 <pair-value>"SELECT password FROM users WHERE user_name = ?"</pair-value>
170 <pair-key>jdbcRealm.userRolesQuery</pair-key>
171 <pair-value>"SELECT role_name FROM user_roles WHERE user_name = ?"</pair-value>
173 End jdbcRealm commented out-->
176 ===================================================================================
177 ================================= TokenAuthRealm ==================================
178 ===================================================================================
180 = Description: A Realm implementation utilizing a per node H2 database store. =
181 ===================================================================================
184 <pair-key>tokenAuthRealm</pair-key>
185 <pair-value>org.onap.aaf.cadi.shiro.AAFRealm</pair-value>
186 <!-- <pair-value>org.opendaylight.aaa.shiro.realm.TokenAuthRealm</pair-value> -->
190 ===================================================================================
191 =================================== MdsalRealm ====================================
192 ===================================================================================
194 = Description: A Realm implementation utilizing the aaa.yang model. =
195 ===================================================================================
197 <!-- Start mdsalRealm commented out
199 <pair-key>mdsalRealm</pair-key>
200 <pair-value>org.opendaylight.aaa.shiro.realm.MdsalRealm</pair-value>
202 End mdsalRealm commented out-->
205 ===================================================================================
206 ================================= MoonAuthRealm ===================================
207 ===================================================================================
209 = Description: A Realm implementation aimed at federating with OPNFV Moon. =
210 ===================================================================================
212 <!-- Start moonAuthRealm commented out
214 <pair-key>moonAuthRealm</pair-key>
215 <pair-value>org.opendaylight.aaa.shiro.realm.MoonRealm</pair-value>
218 <pair-key>moonAuthRealm.moonServerURL</pair-key>
219 <pair-value>http://<host>:<port></pair-value>
221 End moonAuthRealm commented out-->
224 ===================================================================================
225 ================================ KeystoneAuthRealm ================================
226 ===================================================================================
228 = Description: A Realm implementation aimed at federating with an OpenStack =
230 ===================================================================================
232 <!-- Start keystoneAuthRealm commented out
234 <pair-key>keystoneAuthRealm</pair-key>
235 <pair-value>org.opendaylight.aaa.shiro.realm.KeystoneAuthRealm</pair-value>
238 <pair-key>keystoneAuthRealm.url</pair-key>
239 <pair-value>https://<host>:<port></pair-value>
242 <pair-key>keystoneAuthRealm.sslVerification</pair-key>
243 <pair-value>true</pair-value>
246 <pair-key>keystoneAuthRealm.defaultDomain</pair-key>
247 <pair-value>Default</pair-value>
252 Add tokenAuthRealm as the only realm. To enable mdsalRealm, add it to the list to the right of tokenAuthRealm.
255 <pair-key>securityManager.realms</pair-key>
256 <pair-value>$tokenAuthRealm</pair-value>
258 <!-- Used to support OAuth2 use case. -->
260 <pair-key>authcBasic</pair-key>
261 <pair-value>org.opendaylight.aaa.shiro.filters.ODLHttpAuthenticationFilter</pair-value>
264 <!-- Start moonAuthRealm commented out
266 <pair-key>rest</pair-key>
267 <pair-value>org.opendaylight.aaa.shiro.filters.MoonOAuthFilter</pair-value>
269 End moonAuthRealm commented out-->
271 <!-- in order to track AAA challenge attempts -->
273 <pair-key>accountingListener</pair-key>
274 <pair-value>org.opendaylight.aaa.shiro.filters.AuthenticationListener</pair-value>
277 <pair-key>securityManager.authenticator.authenticationListeners</pair-key>
278 <pair-value>$accountingListener</pair-value>
281 <!-- Model based authorization scheme supporting RBAC for REST endpoints -->
283 <pair-key>dynamicAuthorization</pair-key>
284 <pair-value>org.opendaylight.aaa.shiro.realm.MDSALDynamicAuthorizationFilter</pair-value>
289 ===================================================================================
295 ===================================================================================
297 <!-- Start moonAuthRealm commented out
299 <pair-key>/token</pair-key>
300 <pair-value>rest</pair-value>
302 End moonAuthRealm commented out-->
303 <!-- Start URLS commented out
305 <pair-key>/operations/cluster-admin**</pair-key>
306 <pair-value>authcBasic, roles[admin]</pair-value>
309 <pair-key>/v1/**</pair-key>
310 <pair-value>authcBasic, roles[admin]</pair-value>
313 <pair-key>/config/aaa*/**</pair-key>
314 <pair-value>authcBasic, roles[admin]</pair-value>
316 End URLS commented out -->
318 <pair-key>/**</pair-key>
319 <!-- <pair-value>authcBasic</pair-value> -->
320 <pair-value>authcBasic, rest[org.onap.sdnc.odl:odl-api]</pair-value>
322 </shiro-configuration>