# # Copyright (c) 2015-2016 Brocade Communications Systems, Inc. and others. All rights reserved. # Additions copyright (C) 2018 AT&T Intellectual Property # # This program and the accompanying materials are made available under the # terms of the Eclipse Public License v1.0 which accompanies this distribution, # and is available at http://www.eclipse.org/legal/epl-v10.html # ############################################################################### # shiro.ini # # # # Configuration of OpenDaylight's aaa-shiro feature. Provided Realm # # implementations include: # # - TokenAuthRealm (enabled by default) # # - ODLJndiLdapRealm (disabled by default) # # - ODLJndiLdapRealmAuthNOnly (disabled by default) # # Basic user configuration through shiro.ini is disabled for security # # purposes. # ############################################################################### [main] ############################################################################### # realms # # # # This section is dedicated to setting up realms for OpenDaylight. Realms # # are essentially different methods for providing AAA. ODL strives to provide# # highly-configurable AAA by providing pluggable infrastructure. By deafult, # # TokenAuthRealm is enabled out of the box (which bridges to the existing AAA # # mechanisms). More than one realm can be enabled, and the realms are # # tried Round-Robin until: # # 1) a realm successfully authenticates the incoming request # # 2) all realms are exhausted, and 401 is returned # ############################################################################### # ODL provides a few LDAP implementations, which are disabled out of the box. # ODLJndiLdapRealm includes authorization functionality based on LDAP elements # extracted through and LDAP search. This requires a bit of knowledge about # how your LDAP system is setup. An example is provided below: #ldapRealm = org.opendaylight.aaa.shiro.realm.ODLJndiLdapRealm #ldapRealm.userDnTemplate = uid={0},ou=People,dc=DOMAIN,dc=TLD #ldapRealm.contextFactory.url = ldap://:389 #ldapRealm.searchBase = dc=DOMAIN,dc=TLD # Abstraction to map LDAP extracted groups to ODL roles #ldapRealm.groupRolesMap = "person":"admin", "organizationalPerson":"user" #ldapRealm.ldapAttributeForComparison = objectClass # ODL also provides ODLJndiLdapRealmAuthNOnly. Essentially, this allows # access through AAAFilter to any user that can authenticate against the # provided LDAP server. #ldapRealm = org.opendaylight.aaa.shiro.realm.ODLJndiLdapRealmAuthNOnly #ldapRealm.userDnTemplate = uid={0},ou=People,dc=DOMAIN,dc=TLD #ldapRealm.contextFactory.url = ldap://:389 # ODL provides an Active Directory Realm through ODLActiveDirectoryRealm. #adRealm = org.opendaylight.aaa.shiro.realm.ODLActiveDirectoryRealm #adRealm.searchBase = "CN=Users,DC=example,DC=com" #adRealm.systemUsername = aduser@example.com #adRealm.systemPassword = adpassword #adRealm.url = ldaps://adserver:636 # the groupRolesMap maps an AD query to a particular role. #adRealm.groupRolesMap = "CN=sysadmin,CN=Users,DC=example,DC=com":"admin", "CN=unprivileged,CN=Users,DC=example,DC=com":"user" # ODL provides a slightly customized version of Shiro's JdbcRealm, which # can be used to integrate with an existing JDBC-supporting data source. This # helps ease deployment configuration with existing OSS systems. Setting up # the ODLJdbcRealm requires instantiation of two abstractions; the data source # and the realm. # ds, which stands for data source, defines a data source which can be used # for JDBC connections. #ds = com.mysql.jdbc.Driver #ds.serverName = localhost #ds.user = user #ds.password = password #ds.databaseName = db_name # jdbcRealm is used to manipulate realm instance properties, specifically the # queries required to extract information from a JDBC data source. #jdbcRealm = org.opendaylight.aaa.shiro.realm.ODLJdbcRealm #jdbcRealm.dataSource = $ds #jdbcRealm.authenticationQuery = "SELECT password FROM users WHERE user_name = ?" #jdbcRealm.userRolesQuery = "SELECT role_name FROM user_rolesWHERE user_name = ?" # Bridge to existing h2/idmlight/mdsal authentication/authorization mechanisms. # This realm is enabled by default, and utilizes h2-store by default. tokenAuthRealm = org.opendaylight.aaa.shiro.realm.TokenAuthRealm # AT&T # Use this class for AAF Realm, must also use AAF permission format for URL's #tokenAuthRealm = org.onap.aaf.cadi.shiro.AAFRealm # The MoonRealm is useful for bridging ODL with the OPNFV Moon project. To # enable the moonAuthRealm, uncomment the line below, and then add moonAuthRealm # to the securityManager.realms list below #moonAuthRealm = org.opendaylight.aaa.shiro.realm.MoonRealm #moonAuthRealm.moonServerURL = http://: # ODL provides a KeystoneAuthRealm to authenticate access against an OpenStack # Keystone (v3) instance. At this time the authentication is 'unscoped' and # authorization is not supported. #keystoneAuthRealm = org.opendaylight.aaa.shiro.realm.KeystoneAuthRealm #keystoneAuthRealm.url = https://: #keystoneAuthRealm.sslVerification = true # Default domain to use if not specified within the provided credentials. #keystoneAuthRealm.defaultDomain = Default # The CSV list of enabled realms. In order to enable a realm, add it to the # list below: securityManager.realms = $tokenAuthRealm # adds a custom AuthenticationFilter to support OAuth2 for backwards # compatibility. To disable OAuth2 access, just comment out the next line # and authcBasic will default to BasicHttpAuthenticationFilter, a # Shiro-provided class. authcBasic = org.opendaylight.aaa.shiro.filters.ODLHttpAuthenticationFilter # OAuth2 Filter for moon token AuthN #rest = org.opendaylight.aaa.shiro.filters.MoonOAuthFilter # add in AuthenticationListener, a Listener that records whether # authentication attempts are successful or unsuccessful. This audit # information is disabled by default, to avoid log flooding. To enable, # issue the following in karaf: # >log:set DEBUG org.opendaylight.aaa.shiro.filters.AuthenticationListener accountingListener = org.opendaylight.aaa.shiro.filters.AuthenticationListener securityManager.authenticator.authenticationListeners = $accountingListener # Filter to support dynamic urls rules based on md-sal model dynamicAuthorization = org.opendaylight.aaa.shiro.realm.MDSALDynamicAuthorizationFilter [urls] ############################################################################### # url authorization section # # # # This section is dedicated to defining url-based authorization according to: # # http://shiro.apache.org/web.html # # # # DO NOT EDIT THE FOLLOWING UNLESS YOU KNOW WHAT YOU ARE DOING! # ############################################################################### # Temporarily added authorization endpoints; will be removed when MDSAL based # Model can be initialized from file. /v1/** = authcBasic, roles[admin], dynamicAuthorization # Restrict AAA-Certificate REST APIs to Admin role /config/aaa-cert-mdsal** = authcBasic, roles[admin] /operational/aaa-cert-mdsal** = authcBasic, roles[admin] /operations/aaa-cert-rpc** = authcBasic, roles[admin] # Access to the credential store is limited to the valid users who have the # admin role. The following line is only needed if the mdsal store is enabled #(the mdsal store is disabled by default). /config/aaa-authn-model** = authcBasic, roles[admin] /operational/aaa-authn-model** = authcBasic, roles[admin] # Uncomment the line below to enable the Moon AuthenticatingFilter #/token = rest # General access through AAAFilter requires valid credentials (AuthN only). /** = authcBasic, dynamicAuthorization # AT&T # use this format for AAF, must use AAF Realm for authcBasic realm #/** = authcBasic, roles[org.onap.appc.odl|odl-api|*] # use this format for no security #/** = noauth