+++ /dev/null
-<?xml version="1.0" ?>
-<!--
-###
-# ============LICENSE_START=======================================================
-# APPC
-# ================================================================================
-# Copyright (C) 2018 AT&T Intellectual Property. All rights reserved.
-# Modifications Copyright © 2018 Amdocs,Bell Canada
-# ================================================================================
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-# ============LICENSE_END=========================================================
-###
- -->
-
-<shiro-configuration xmlns="urn:opendaylight:aaa:app:config">
-
- <!--
- ================================= TokenAuthRealm ==================================
- = =
- = Use org.onap.aaf.cadi.shiro.AAFRealm to enable AAF authentication =
- = Use org.opendaylight.aaa.shiro.realm.TokenAuthRealm =
- ===================================================================================
- -->
- <main>
- <pair-key>tokenAuthRealm</pair-key>
-<!-- <pair-value>org.opendaylight.aaa.shiro.realm.TokenAuthRealm</pair-value> -->
- <pair-value>org.onap.aaf.cadi.shiro.AAFRealm</pair-value>
- </main>
-
-
- <!-- add tokenAuthRealm as the only default realm -->
- <main>
- <pair-key>securityManager.realms</pair-key>
- <pair-value>$tokenAuthRealm</pair-value>
- </main>
-
- <!-- Used to support OAuth2 use case. -->
- <main>
- <pair-key>authcBasic</pair-key>
- <pair-value>org.opendaylight.aaa.shiro.filters.ODLHttpAuthenticationFilter</pair-value>
- </main>
-
- <!-- in order to track AAA challenge attempts -->
- <main>
- <pair-key>accountingListener</pair-key>
- <pair-value>org.opendaylight.aaa.shiro.filters.AuthenticationListener</pair-value>
- </main>
- <main>
- <pair-key>securityManager.authenticator.authenticationListeners</pair-key>
- <pair-value>$accountingListener</pair-value>
- </main>
-
- <!-- Model based authorization scheme supporting RBAC for REST endpoints -->
- <main>
- <pair-key>dynamicAuthorization</pair-key>
- <pair-value>org.opendaylight.aaa.shiro.realm.MDSALDynamicAuthorizationFilter</pair-value>
- </main>
-
-
- <!--
- ===================================================================================
- = URLS =
- = For AAF use <pair-value> authcBasic, roles[org.onap.appc.odl|odl-api\*] =
- = org.onap.appc.odl|odl-api|* can be replaced with other AAF permissions =
- = For default <pair-value> authcBasic, roles[admin] =
- ===================================================================================
- -->
-
- <!-- restrict access to some endpoints by default -->
- <urls>
- <pair-key>/auth/**</pair-key>
-<!-- <pair-value>authcBasic, roles[admin], dynamicAuthorization</pair-value> -->
- <pair-value>authcBasic, roles[org.onap.appc.odl:odl-api:*]</pair-value>
- </urls>
- <urls>
- <pair-key>/restconf/config/aaa-cert-mdsal**</pair-key>
-<!-- <pair-value>authcBasic, roles[admin]</pair-value> -->
- <pair-value>authcBasic, roles[org.onap.appc.odl:odl-api:*]</pair-value>
- </urls>
- <urls>
- <pair-key>/restconf/operational/aaa-cert-mdsal**</pair-key>
-<!-- <pair-value>authcBasic, roles[admin]</pair-value> -->
- <pair-value>authcBasic, roles[org.onap.appc.odl:odl-api:*]</pair-value>
- </urls>
- <urls>
- <pair-key>/restconf/operations/aaa-cert-rpc**</pair-key>
-<!-- <pair-value>authcBasic, roles[admin]</pair-value> -->
- <pair-value>authcBasic, roles[org.onap.appc.odl:odl-api:*]</pair-value>
- </urls>
- <urls>
- <pair-key>/restconf/config/aaa-authn-model**</pair-key>
-<!-- <pair-value>authcBasic, roles[admin]</pair-value> -->
- <pair-value>authcBasic, roles[org.onap.appc.odl:odl-api:*]</pair-value>
- </urls>
- <urls>
- <pair-key>/restconf/operational/aaa-authn-model**</pair-key>
-<!-- <pair-value>authcBasic, roles[admin]</pair-value> -->
- <pair-value>authcBasic, roles[org.onap.appc.odl:odl-api:*]</pair-value>
- </urls>
- <urls>
- <pair-key>/restconf/operations/cluster-admin**</pair-key>
-<!-- <pair-value>authcBasic, roles[admin]</pair-value> -->
- <pair-value>authcBasic, roles[org.onap.appc.odl:odl-api:*]</pair-value>
- </urls>
- <urls>
- <pair-key>/**</pair-key>
-<!-- <pair-value>authcBasic, roles[admin]</pair-value> -->
- <pair-value>authcBasic, roles[org.onap.appc.odl:odl-api:*]</pair-value>
- </urls>
-</shiro-configuration>
-