add AAF configuration files 21/40221/4
authorRyan Young <ry303t@att.com>
Thu, 29 Mar 2018 16:49:35 +0000 (12:49 -0400)
committerRyan Young <ry303t@att.com>
Thu, 29 Mar 2018 17:26:59 +0000 (13:26 -0400)
add cadi.properties and shiro.ini, and update startODL.sh to install them

Change-Id: I04ec254050b4820d7e536e38a0946b4a4d920275
Signed-off-by: Ryan Young <ry303t@att.com>
Issue-ID: APPC-404

installation/appc/pom.xml
installation/appc/src/main/resources/shiro.ini [new file with mode: 0644]
installation/appc/src/main/scripts/startODL.sh
installation/src/main/properties/cadi.properties [new file with mode: 0644]

index af790f0..56789b9 100644 (file)
@@ -18,8 +18,6 @@ distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
-
-ECOMP is a trademark and service mark of AT&T Intellectual Property.
 ============LICENSE_END============================================
 -->
 <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
@@ -114,6 +112,7 @@ ECOMP is a trademark and service mark of AT&T Intellectual Property.
                                                                                <include>*.dump</include>
                                                                                <include>*.sh</include>
                                                                                <include>*.cfg</include>
+                                                                               <include>*.ini</include>
                                                                        </includes>
                                                                        <filtering>false</filtering>
                                                                </resource>
@@ -355,7 +354,8 @@ ECOMP is a trademark and service mark of AT&T Intellectual Property.
                                                                                        <includes>
                                                                                                <include>*.dump</include>
                                                                                                <include>*.sh</include>
-                                                                                               <include>*.cfg</include>                
+                                                                                               <include>*.cfg</include>
+                                                                                               <include>*.ini</include>                
                                                                                        </includes>
                                                                                        <filtering>false</filtering>
                                                                                </resource>
diff --git a/installation/appc/src/main/resources/shiro.ini b/installation/appc/src/main/resources/shiro.ini
new file mode 100644 (file)
index 0000000..4a1928f
--- /dev/null
@@ -0,0 +1,170 @@
+#
+# Copyright (c) 2015-2016 Brocade Communications Systems, Inc. and others.  All rights reserved.
+# Additions copyright (C) 2018 AT&T Intellectual Property
+#
+# This program and the accompanying materials are made available under the
+# terms of the Eclipse Public License v1.0 which accompanies this distribution,
+# and is available at http://www.eclipse.org/legal/epl-v10.html
+#
+
+###############################################################################
+# shiro.ini                                                                   #
+#                                                                             #
+# Configuration of OpenDaylight's aaa-shiro feature.  Provided Realm          #
+# implementations include:                                                    #
+# - TokenAuthRealm (enabled by default)                                       #
+# - ODLJndiLdapRealm (disabled by default)                                    #
+# - ODLJndiLdapRealmAuthNOnly (disabled by default)                           #
+# Basic user configuration through shiro.ini is disabled for security         #
+# purposes.                                                                   #
+###############################################################################
+
+
+
+[main]
+###############################################################################
+# realms                                                                      #
+#                                                                             #
+# This section is dedicated to setting up realms for OpenDaylight.  Realms    #
+# are essentially different methods for providing AAA.  ODL strives to provide#
+# highly-configurable AAA by providing pluggable infrastructure.  By deafult, #
+# TokenAuthRealm is enabled out of the box (which bridges to the existing AAA #
+# mechanisms).  More than one realm can be enabled, and the realms are        #
+# tried Round-Robin until:                                                    #
+# 1) a realm successfully authenticates the incoming request                  #
+# 2) all realms are exhausted, and 401 is returned                            #
+###############################################################################
+
+
+# ODL provides a few LDAP implementations, which are disabled out of the box.
+# ODLJndiLdapRealm includes authorization functionality based on LDAP elements
+# extracted through and LDAP search.  This requires a bit of knowledge about
+# how your LDAP system is setup.  An example is provided below:
+#ldapRealm = org.opendaylight.aaa.shiro.realm.ODLJndiLdapRealm
+#ldapRealm.userDnTemplate = uid={0},ou=People,dc=DOMAIN,dc=TLD
+#ldapRealm.contextFactory.url = ldap://<URL>:389
+#ldapRealm.searchBase = dc=DOMAIN,dc=TLD
+# Abstraction to map LDAP extracted groups to ODL roles
+#ldapRealm.groupRolesMap = "person":"admin", "organizationalPerson":"user"
+#ldapRealm.ldapAttributeForComparison = objectClass
+
+# ODL also provides ODLJndiLdapRealmAuthNOnly.  Essentially, this allows
+# access through AAAFilter to any user that can authenticate against the
+# provided LDAP server.
+#ldapRealm = org.opendaylight.aaa.shiro.realm.ODLJndiLdapRealmAuthNOnly
+#ldapRealm.userDnTemplate = uid={0},ou=People,dc=DOMAIN,dc=TLD
+#ldapRealm.contextFactory.url = ldap://<URL>:389
+
+# ODL provides an Active Directory Realm through ODLActiveDirectoryRealm.
+#adRealm = org.opendaylight.aaa.shiro.realm.ODLActiveDirectoryRealm
+#adRealm.searchBase = "CN=Users,DC=example,DC=com"
+#adRealm.systemUsername = aduser@example.com
+#adRealm.systemPassword = adpassword
+#adRealm.url = ldaps://adserver:636
+# the groupRolesMap maps an AD query to a particular role.
+#adRealm.groupRolesMap = "CN=sysadmin,CN=Users,DC=example,DC=com":"admin", "CN=unprivileged,CN=Users,DC=example,DC=com":"user"
+
+# ODL provides a slightly customized version of Shiro's JdbcRealm, which
+# can be used to integrate with an existing JDBC-supporting data source.  This
+# helps ease deployment configuration with existing OSS systems. Setting up
+# the ODLJdbcRealm requires instantiation of two abstractions; the data source
+# and the realm.
+# ds, which stands for data source, defines a data source which can be used
+# for JDBC connections.
+#ds = com.mysql.jdbc.Driver
+#ds.serverName = localhost
+#ds.user = user
+#ds.password = password
+#ds.databaseName = db_name
+# jdbcRealm is used to manipulate realm instance properties, specifically the
+# queries required to extract information from a JDBC data source.
+#jdbcRealm = org.opendaylight.aaa.shiro.realm.ODLJdbcRealm
+#jdbcRealm.dataSource = $ds
+#jdbcRealm.authenticationQuery = "SELECT password FROM users WHERE user_name = ?"
+#jdbcRealm.userRolesQuery = "SELECT role_name FROM user_rolesWHERE user_name = ?"
+
+# Bridge to existing h2/idmlight/mdsal authentication/authorization mechanisms.
+# This realm is enabled by default, and utilizes h2-store by default.
+tokenAuthRealm = org.opendaylight.aaa.shiro.realm.TokenAuthRealm
+
+# AT&T
+# Use this class for AAF Realm, must also use AAF permission format for URL's 
+#tokenAuthRealm = org.onap.aaf.cadi.shiro.AAFRealm
+
+# The MoonRealm is useful for bridging ODL with the OPNFV Moon project.  To
+# enable the moonAuthRealm, uncomment the line below, and then add moonAuthRealm
+# to the securityManager.realms list below
+#moonAuthRealm = org.opendaylight.aaa.shiro.realm.MoonRealm
+#moonAuthRealm.moonServerURL = http://<host>:<port>
+
+# ODL provides a KeystoneAuthRealm to authenticate access against an OpenStack
+# Keystone (v3) instance. At this time the authentication is 'unscoped' and
+# authorization is not supported.
+#keystoneAuthRealm = org.opendaylight.aaa.shiro.realm.KeystoneAuthRealm
+#keystoneAuthRealm.url = https://<host>:<port>
+#keystoneAuthRealm.sslVerification = true
+# Default domain to use if not specified within the provided credentials.
+#keystoneAuthRealm.defaultDomain = Default
+
+# The CSV list of enabled realms.  In order to enable a realm, add it to the
+# list below:
+securityManager.realms = $tokenAuthRealm
+
+# adds a custom AuthenticationFilter to support OAuth2 for backwards
+# compatibility.  To disable OAuth2 access, just comment out the next line
+# and authcBasic will default to BasicHttpAuthenticationFilter, a
+# Shiro-provided class.
+authcBasic = org.opendaylight.aaa.shiro.filters.ODLHttpAuthenticationFilter
+
+# OAuth2 Filter for moon token AuthN
+#rest = org.opendaylight.aaa.shiro.filters.MoonOAuthFilter
+
+# add in AuthenticationListener, a Listener that records whether
+# authentication attempts are successful or unsuccessful.  This audit
+# information is disabled by default, to avoid log flooding.  To enable,
+# issue the following in karaf:
+# >log:set DEBUG org.opendaylight.aaa.shiro.filters.AuthenticationListener
+accountingListener = org.opendaylight.aaa.shiro.filters.AuthenticationListener
+securityManager.authenticator.authenticationListeners = $accountingListener
+
+# Filter to support dynamic urls rules based on md-sal model
+dynamicAuthorization = org.opendaylight.aaa.shiro.realm.MDSALDynamicAuthorizationFilter
+
+
+
+[urls]
+###############################################################################
+# url authorization section                                                   #
+#                                                                             #
+# This section is dedicated to defining url-based authorization according to: #
+# http://shiro.apache.org/web.html                                            #
+#                                                                             #
+# DO NOT EDIT THE FOLLOWING UNLESS YOU KNOW WHAT YOU ARE DOING!               #
+###############################################################################
+
+# Temporarily added authorization endpoints;  will be removed when MDSAL based
+# Model can be initialized from file.
+/v1/** = authcBasic, roles[admin], dynamicAuthorization
+
+# Restrict AAA-Certificate REST APIs to Admin role
+/config/aaa-cert-mdsal** = authcBasic, roles[admin]
+/operational/aaa-cert-mdsal** = authcBasic, roles[admin]
+/operations/aaa-cert-rpc** = authcBasic, roles[admin]
+
+# Access to the credential store is limited to the valid users who have the
+# admin role. The following line is only needed if the mdsal store is enabled
+#(the mdsal store is disabled by default).
+/config/aaa-authn-model** = authcBasic, roles[admin]
+/operational/aaa-authn-model** = authcBasic, roles[admin]
+
+# Uncomment the line below to enable the Moon AuthenticatingFilter
+#/token = rest
+
+# General access through AAAFilter requires valid credentials (AuthN only).
+/** = authcBasic, dynamicAuthorization
+
+# AT&T
+# use this format for AAF, must use AAF Realm for authcBasic realm 
+#/** = authcBasic, roles[org.onap.appc.odl|odl-api|*]
+# use this format for no security
+#/** = noauth
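Review bot: The closing `#/** = noauth` example in the `[urls]` section, labelled only "use this format for no security", is shipped in the file that startODL.sh copies over ODL's etc/shiro.ini; uncommenting that one line removes authentication and authorization from every REST path, and nothing in the file says this is a development-only setting. I would replace the label with `# DEVELOPMENT ONLY: disables authentication and authorization for every URL; never enable on a reachable instance`. The JDBC example above it is also broken as written: `jdbcRealm.userRolesQuery = "SELECT role_name FROM user_rolesWHERE user_name = ?"` is missing the space before `WHERE`, so it fails the moment someone uncomments it. Finally, the LDAP examples use `ldap://<URL>:389` while the AD example uses `ldaps://`; since the realm sends the user's password to that server, a comment recommending `ldaps://` (or StartTLS) for anything beyond a lab would be worth adding next to them.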
index d684d03..573db70 100644 (file)
@@ -4,7 +4,7 @@
 # ============LICENSE_START=======================================================
 # APPC
 # ================================================================================
-# Copyright (C) 2017 AT&T Intellectual Property. All rights reserved.
+# Copyright (C) 2017-2018 AT&T Intellectual Property. All rights reserved.
 # ================================================================================
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -18,7 +18,6 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 # ============LICENSE_END=========================================================
-# ECOMP is a trademark and service mark of AT&T Intellectual Property.
 ###
 
 #
@@ -98,6 +97,14 @@ then
                echo "Installing APPC JSON DGs converted to XML using dg-loader"
                ${APPC_HOME}/svclogic/bin/install-converted-dgs.sh
        fi
+       
+       echo "Adding a property system.properties for AAF cadi.properties location"
+       echo "" >> ${ODL_HOME}/etc/system.properties
+       echo "cadi_prop_files=${APPC_HOME}/data/properties/cadi.properties" >> ${ODL_HOME}/etc/system.properties
+       echo "" >> ${ODL_HOME}/etc/system.properties
+       
+       echo "Copying a working version of the shiro configuration into the opendaylight etc folder"
+       cp ${APPC_HOME}/data/shiro.ini ${ODL_HOME}/etc/shiro.ini
 
        echo "Restarting OpenDaylight"
        ${ODL_HOME}/bin/stop
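Review bot: The three `echo ... >> ${ODL_HOME}/etc/system.properties` lines append unconditionally, so every pass through this branch adds another `cadi_prop_files=` entry (and two blank lines) to system.properties; whether the enclosing `if` block (which starts outside this hunk) runs only once per install is not visible here. Guarding the append keeps the file idempotent, e.g. `grep -q '^cadi_prop_files=' "${ODL_HOME}/etc/system.properties" || echo "cadi_prop_files=${APPC_HOME}/data/properties/cadi.properties" >> "${ODL_HOME}/etc/system.properties"`. The `cp` on the last added line silently overwrites ODL's own etc/shiro.ini with no backup; copying the original to `${ODL_HOME}/etc/shiro.ini.orig` first (or at least logging that it is being replaced) would make a bad AAF rollout easier to back out. Since cadi.properties carries the AAF credential, it is also worth restricting its mode (e.g. `chmod 600`) wherever the install script places it, which is presumably elsewhere.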
diff --git a/installation/src/main/properties/cadi.properties b/installation/src/main/properties/cadi.properties
new file mode 100644 (file)
index 0000000..9d8e0cb
--- /dev/null
@@ -0,0 +1,54 @@
+###
+# ============LICENSE_START=======================================================
+# APPC
+# ================================================================================
+# Copyright (C) 2018 AT&T Intellectual Property. All rights reserved.
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+# 
+#      http://www.apache.org/licenses/LICENSE-2.0
+# 
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ============LICENSE_END=========================================================
+###
+hostname=localhost
+csp_devl_localhost=true
+
+# should this be onap.org?
+basic_realm=onap.org
+
+basic_warn=TRUE
+cadi_loglevel=DEBUG
+aaf_taf_class=com.att.cadi.aaf.v2_0.AAFTaf
+aaf_domain_support=.org
+
+# add location of keyfile to use encrypted password
+#cadi_keyfile=/opt/appc/data/stores/appckeyfile
+#cadi_keystore=etc/keystore/truststore2018.jks
+#cadi_keystore_password=changeit 
+AFT_DME2_CLIENT_IGNORE_SSL_CONFIG=false
+
+cadi_protocols=TLSv1.1,TLSv1.2
+
+# Configure AAF
+aaf_url=http://10.12.5.148:8101
+
+aaf_id=admin@appc.onap.org
+
+# to use encrypted password ensure cadi_keyfile location has been set
+aaf_password=appc_admin
+
+aaf_timeout=5000 
+aaf_clean_interval=30000 
+aaf_user_expires=5000 
+aaf_high_count=1000 
\ No newline at end of file
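Review bot: `aaf_password=appc_admin` is a cleartext AAF credential committed to the repository, while the `cadi_keyfile` line that would allow CADI's keyfile-encrypted password form is left commented out, and `aaf_url=http://10.12.5.148:8101` is a hard-coded address over plain HTTP, so the same credential will also cross the wire unencrypted (`cadi_protocols` has no effect on an `http://` URL). The shipped file should carry a placeholder and an `https://` URL, with the keyfile enabled so the real value can be stored in the encrypted form, e.g. `aaf_url=https://<aaf-host>:<port>` and `aaf_password=<keyfile-encrypted value; see cadi_keyfile>`. Separately, `aaf_timeout=5000 `, `aaf_clean_interval=30000 `, `aaf_user_expires=5000 ` and `aaf_high_count=1000 ` all end in a trailing space; java.util.Properties keeps trailing whitespace in values, so unless CADI trims before parsing these will not parse as integers and the trailing spaces should be removed. `cadi_loglevel=DEBUG` and `csp_devl_localhost=true` also read as development settings; if this file is the production default, a comment stating that they must be changed for deployment would help.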