4 # ============LICENSE_START=======================================================
6 # ================================================================================
7 # Copyright (C) 2018 AT&T Intellectual Property. All rights reserved.
8 # Modifications Copyright © 2018 Amdocs,Bell Canada
9 # ================================================================================
10 # Licensed under the Apache License, Version 2.0 (the "License");
11 # you may not use this file except in compliance with the License.
12 # You may obtain a copy of the License at
14 # http://www.apache.org/licenses/LICENSE-2.0
16 # Unless required by applicable law or agreed to in writing, software
17 # distributed under the License is distributed on an "AS IS" BASIS,
18 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
19 # See the License for the specific language governing permissions and
20 # limitations under the License.
21 # ============LICENSE_END=========================================================
25 <shiro-configuration xmlns="urn:opendaylight:aaa:app:config">
28 ================================= TokenAuthRealm ==================================
30 = Use org.onap.aaf.cadi.shiro.AAFRealm to enable AAF authentication =
31 = Use org.opendaylight.aaa.shiro.realm.TokenAuthRealm =
32 ===================================================================================
35 <pair-key>tokenAuthRealm</pair-key>
36 <!-- <pair-value>org.opendaylight.aaa.shiro.realm.TokenAuthRealm</pair-value> -->
37 <pair-value>org.onap.aaf.cadi.shiro.AAFRealm</pair-value>
<!-- Exactly one pair-value should be active for tokenAuthRealm: the AAF realm above is
     in effect; the ODL TokenAuthRealm is kept only as a commented-out alternative. -->
41 <!-- add tokenAuthRealm as the only default realm -->
43 <pair-key>securityManager.realms</pair-key>
44 <pair-value>$tokenAuthRealm</pair-value>
<!-- $tokenAuthRealm refers to the realm bean defined by the tokenAuthRealm pair above. -->
47 <!-- Used to support OAuth2 use case. -->
49 <pair-key>authcBasic</pair-key>
50 <pair-value>org.opendaylight.aaa.shiro.filters.ODLHttpAuthenticationFilter</pair-value>
<!-- authcBasic is the authentication filter every URL chain below starts with. -->
53 <!-- in order to track AAA challenge attempts -->
55 <pair-key>accountingListener</pair-key>
56 <pair-value>org.opendaylight.aaa.shiro.filters.AuthenticationListener</pair-value>
59 <pair-key>securityManager.authenticator.authenticationListeners</pair-key>
60 <pair-value>$accountingListener</pair-value>
63 <!-- Model based authorization scheme supporting RBAC for REST endpoints -->
65 <pair-key>dynamicAuthorization</pair-key>
66 <pair-value>org.opendaylight.aaa.shiro.realm.MDSALDynamicAuthorizationFilter</pair-value>
<!-- NOTE(review): this filter is declared but no active URL chain below references it;
     the only mention is the commented-out ODL default for /auth/**. With the AAF role
     chains in effect, MD-SAL model-based authorization is not applied to any endpoint.
     Confirm that is intended. -->
71 ===================================================================================
73 = For AAF use <pair-value> authcBasic, roles[org.onap.appc.odl|odl-api|*] =
74 = org.onap.appc.odl|odl-api|* can be replaced with other AAF permissions =
75 = For default <pair-value> authcBasic, roles[admin] =
76 ===================================================================================
79 <!-- restrict access to some endpoints by default -->
81 <pair-key>/auth/**</pair-key>
82 <!-- <pair-value>authcBasic, roles[admin], dynamicAuthorization</pair-value> -->
83 <pair-value>authcBasic, roles[org.onap.appc.odl|odl-admin|*]</pair-value>
<!-- The active chain omits the dynamicAuthorization filter that the ODL default
     (commented above) applied; access to /auth/** is then decided solely by the
     AAF odl-admin role. -->
86 <pair-key>/restconf/config/aaa-cert-mdsal**</pair-key>
87 <!-- <pair-value>authcBasic, roles[admin]</pair-value> -->
88 <pair-value>authcBasic, roles[org.onap.appc.odl|odl-admin|*]</pair-value>
91 <pair-key>/restconf/operational/aaa-cert-mdsal**</pair-key>
92 <!-- <pair-value>authcBasic, roles[admin]</pair-value> -->
93 <pair-value>authcBasic, roles[org.onap.appc.odl|odl-admin|*]</pair-value>
96 <pair-key>/restconf/operations/aaa-cert-rpc**</pair-key>
97 <!-- <pair-value>authcBasic, roles[admin]</pair-value> -->
98 <pair-value>authcBasic, roles[org.onap.appc.odl|odl-admin|*]</pair-value>
101 <pair-key>/restconf/config/aaa-authn-model**</pair-key>
102 <!-- <pair-value>authcBasic, roles[admin]</pair-value> -->
103 <pair-value>authcBasic, roles[org.onap.appc.odl|odl-admin|*]</pair-value>
106 <pair-key>/restconf/operational/aaa-authn-model**</pair-key>
107 <!-- <pair-value>authcBasic, roles[admin]</pair-value> -->
108 <pair-value>authcBasic, roles[org.onap.appc.odl|odl-admin|*]</pair-value>
111 <pair-key>/restconf/operations/cluster-admin**</pair-key>
112 <!-- <pair-value>authcBasic, roles[admin]</pair-value> -->
113 <pair-value>authcBasic, roles[org.onap.appc.odl|odl-admin|*]</pair-value>
<!-- Catch-all for every other path. Shiro evaluates URL chains in definition order and
     the first match wins, so this entry must stay last; moving it above the odl-admin
     chains would let any odl-api holder reach the admin-only endpoints. -->
116 <pair-key>/**</pair-key>
117 <!-- <pair-value>authcBasic, roles[admin]</pair-value> -->
118 <pair-value>authcBasic, roles[org.onap.appc.odl|odl-api|*]</pair-value>
120 </shiro-configuration>