3 Copyright (c) 2017 Inocybe Technologies and others. All rights reserved.
5 This program and the accompanying materials are made available under the
6 terms of the Eclipse Public License v1.0 which accompanies this distribution,
7 and is available at http://www.eclipse.org/legal/epl-v10.html
11 ///////////////////////////////////////////////////////////////////////////////////////
12 // clustered-app-config instance responsible for AAA configuration. In the future, //
13 // this will contain all AAA related configuration. //
14 ///////////////////////////////////////////////////////////////////////////////////////
17 <shiro-configuration xmlns="urn:opendaylight:aaa:app:config">
20 ///////////////////////////////////////////////////////////////////////////////////
21 // shiro-configuration is the model based container that contains all shiro //
22 // related information used in ODL AAA configuration. It is the single pane of //
23 // glass for shiro related configuration, and is how to configure shiro concepts //
27 // * security manager settings //
29 // In general, you really shouldn't muck with the settings in this file. The //
30 // way an operator should configure AAA shiro settings is through one of ODL's //
31 // northbound interfaces (i.e., RESTCONF or NETCONF). These are just the //
32 // defaults if no values are specified in MD-SAL. This file is deliberately //
33 // verbose for two reasons: //
34 // 1) to demonstrate payload examples for plausible configuration scenarios //
35 // 2) to allow bootstrap of the controller (first time start) since otherwise //
36 // configuration becomes a chicken and the egg problem. //
38 ///////////////////////////////////////////////////////////////////////////////////
42 ===================================================================================
48 ===================================================================================
52 ===================================================================================
53 ============================ ODLJndiLdapRealmAuthNOnly ============================
54 ===================================================================================
56 = Description: A Realm implementation aimed at federating with an external LDAP =
57 = server for authentication only. For authorization support, refer =
58 = to ODLJndiLdapRealm. =
59 ===================================================================================
61 <!-- Start ldapRealm commented out
63 <pair-key>ldapRealm</pair-key>
64 <pair-value>org.opendaylight.aaa.shiro.realm.ODLJndiLdapRealmAuthNOnly</pair-value>
67 <pair-key>ldapRealm.userDnTemplate</pair-key>
68 <pair-value>uid={0},ou=People,dc=DOMAIN,dc=TLD</pair-value>
71 <pair-key>ldapRealm.contextFactory.url</pair-key>
72 <pair-value>ldap://<URL>:389</pair-value>
NOTE: a plain ldap:// URL sends each user's bind password to the directory in clear text. Prefer ldaps:// (as in the adRealm example below) or another protected transport before enabling this realm.
75 <pair-key>ldapRealm.searchBase</pair-key>
76 <pair-value>dc=DOMAIN,dc=TLD</pair-value>
79 <pair-key>ldapRealm.groupRolesMap</pair-key>
80 <pair-value>"person":"admin", "organizationalPerson":"user"</pair-value>
83 <pair-key>ldapRealm.ldapAttributeForComparison</pair-key>
84 <pair-value>objectClass</pair-value>
NOTE(review): because the comparison attribute is objectClass, this example presumably grants admin to every entry whose objectClass includes "person", which is most user entries. Replace these values with your real group or role attribute values before enabling the realm.
86 End ldapRealm commented out-->
89 ===================================================================================
90 ============================= ODLActiveDirectoryRealm =============================
91 ===================================================================================
93 = Description: A Realm implementation aimed at federating with an external AD =
95 ===================================================================================
97 <!-- Start adRealm commented out
99 <pair-key>adRealm</pair-key>
100 <pair-value>org.opendaylight.aaa.shiro.realm.ODLActiveDirectoryRealm</pair-value>
103 <pair-key>adRealm.searchBase</pair-key>
104 <pair-value>"CN=Users,DC=example,DC=com"</pair-value>
107 <pair-key>adRealm.systemUsername</pair-key>
108 <pair-value>aduser@example.com</pair-value>
111 <pair-key>adRealm.systemPassword</pair-key>
112 <pair-value>adpassword</pair-value>
NOTE: systemPassword is stored here in clear text. Use a dedicated, least privilege bind account, restrict read access to this file to the controller process owner, and supply the real value through MD-SAL (see the header note) rather than committing it here.
115 <pair-key>adRealm.url</pair-key>
116 <pair-value>ldaps://adserver:636</pair-value>
119 <pair-key>adRealm.groupRolesMap</pair-key>
120 <pair-value>"CN=sysadmin,CN=Users,DC=example,DC=com":"admin", "CN=unprivileged,CN=Users,DC=example,DC=com":"user"</pair-value>
122 End adRealm commented out-->
125 ===================================================================================
126 ================================== ODLJdbcRealm ===================================
127 ===================================================================================
129 = Description: A Realm implementation aimed at federating with an external JDBC =
131 ===================================================================================
133 <!-- Start jdbcRealm commented out
135 <pair-key>ds</pair-key>
136 <pair-value>com.mysql.jdbc.Driver</pair-value>
139 <pair-key>ds.serverName</pair-key>
140 <pair-value>localhost</pair-value>
143 <pair-key>ds.user</pair-key>
144 <pair-value>user</pair-value>
147 <pair-key>ds.password</pair-key>
148 <pair-value>password</pair-value>
NOTE: ds.password is stored here in clear text. Use a least privilege database account, restrict read access to this file, and supply the real value through MD-SAL (see the header note) rather than committing it here.
151 <pair-key>ds.databaseName</pair-key>
152 <pair-value>db_name</pair-value>
155 <pair-key>jdbcRealm</pair-key>
156 <pair-value>ODLJdbcRealm</pair-value>
NOTE(review): unlike the other realm entries in this file this class name is not fully qualified; confirm the value the loader expects before enabling this realm.
159 <pair-key>jdbcRealm.dataSource</pair-key>
160 <pair-value>$ds</pair-value>
163 <pair-key>jdbcRealm.authenticationQuery</pair-key>
164 <pair-value>"SELECT password FROM users WHERE user_name = ?"</pair-value>
167 <pair-key>jdbcRealm.userRolesQuery</pair-key>
168 <pair-value>"SELECT role_name FROM user_roles WHERE user_name = ?"</pair-value>
170 End jdbcRealm commented out-->
173 ===================================================================================
174 ================================= TokenAuthRealm ==================================
175 ===================================================================================
177 = Description: A Realm implementation utilizing a per node H2 database store. =
178 ===================================================================================
181 <!-- <pair-key>tokenAuthRealm</pair-key> -->
182 <!-- <pair-value>org.opendaylight.aaa.shiro.realm.TokenAuthRealm</pair-value> -->
185 <pair-key>tokenAuthRealm</pair-key>
186 <pair-value>org.onap.ccsdk.features.sdnr.wt.oauthprovider.OAuth2Realm</pair-value>
190 ===================================================================================
191 =================================== MdsalRealm ====================================
192 ===================================================================================
194 = Description: A Realm implementation utilizing the aaa.yang model. =
195 ===================================================================================
197 <!-- Start mdsalRealm commented out
199 <pair-key>mdsalRealm</pair-key>
200 <pair-value>org.opendaylight.aaa.shiro.realm.MdsalRealm</pair-value>
202 End mdsalRealm commented out-->
205 ===================================================================================
206 ================================= MoonAuthRealm ===================================
207 ===================================================================================
209 = Description: A Realm implementation aimed at federating with OPNFV Moon. =
210 ===================================================================================
212 <!-- Start moonAuthRealm commented out
214 <pair-key>moonAuthRealm</pair-key>
215 <pair-value>org.opendaylight.aaa.shiro.realm.MoonRealm</pair-value>
218 <pair-key>moonAuthRealm.moonServerURL</pair-key>
219 <pair-value>http://<host>:<port></pair-value>
NOTE: with a plain http:// URL whatever authentication data this realm sends to Moon travels in clear text; use https:// where the Moon deployment supports it.
221 End moonAuthRealm commented out-->
224 ===================================================================================
225 ================================ KeystoneAuthRealm ===============================
226 ===================================================================================
228 = Description: A Realm implementation aimed at federating with an OpenStack =
230 ===================================================================================
232 <!-- Start keystoneAuthRealm commented out
234 <pair-key>keystoneAuthRealm</pair-key>
235 <pair-value>org.opendaylight.aaa.shiro.realm.KeystoneAuthRealm</pair-value>
238 <pair-key>keystoneAuthRealm.url</pair-key>
239 <pair-value>https://<host>:<port></pair-value>
242 <pair-key>keystoneAuthRealm.sslVerification</pair-key>
243 <pair-value>true</pair-value>
246 <pair-key>keystoneAuthRealm.defaultDomain</pair-key>
247 <pair-value>Default</pair-value>
252 Register tokenAuthRealm (bound above to the OAuth2Realm class) as the only realm. To enable mdsalRealm, add it to the list to the right of tokenAuthRealm.
255 <pair-key>securityManager.realms</pair-key>
256 <pair-value>$tokenAuthRealm</pair-value>
258 <!-- Used to support OAuth2 use case. -->
260 <pair-key>authcBasic</pair-key>
261 <pair-value>org.opendaylight.aaa.shiro.filters.ODLHttpAuthenticationFilter</pair-value>
264 <pair-key>anyroles</pair-key>
265 <pair-value>org.opendaylight.aaa.shiro.filters.AnyRoleHttpAuthenticationFilter</pair-value>
268 <pair-key>authcBearer</pair-key>
269 <pair-value>org.opendaylight.aaa.shiro.filters.ODLHttpAuthenticationFilter2</pair-value>
272 <!-- Start moonAuthRealm commented out
274 <pair-key>rest</pair-key>
275 <pair-value>org.opendaylight.aaa.shiro.filters.MoonOAuthFilter</pair-value>
277 End moonAuthRealm commented out-->
279 <!-- in order to track AAA challenge attempts -->
281 <pair-key>accountingListener</pair-key>
282 <pair-value>org.opendaylight.aaa.shiro.filters.AuthenticationListener</pair-value>
285 <pair-key>securityManager.authenticator.authenticationListeners</pair-key>
286 <pair-value>$accountingListener</pair-value>
289 <!-- Model based authorization scheme supporting RBAC for REST endpoints -->
291 <pair-key>dynamicAuthorization</pair-key>
292 <pair-value>org.opendaylight.aaa.shiro.realm.MDSALDynamicAuthorizationFilter</pair-value>
295 <!-- <pair-key>securityManager.sessionManager.sessionIdCookieEnabled</pair-key> -->
296 <!-- <pair-value>false</pair-value> -->
<!-- NOTE(review): while the two lines above stay commented out, Shiro's default session cookie behaviour applies rather than the explicit false shown here. Confirm that the OAuth2 and bearer token flows configured above actually need a server side session cookie before leaving this setting disabled. -->
300 ===================================================================================
306 ===================================================================================
308 <!-- Start moonAuthRealm commented out
310 <pair-key>/token</pair-key>
311 <pair-value>rest</pair-value>
313 End moonAuthRealm commented out-->
315 <pair-key>/**/operations/cluster-admin**</pair-key>
316 <pair-value>authcBearer, roles[admin]</pair-value>
319 <pair-key>/**/v1/**</pair-key>
320 <pair-value>authcBearer, roles[admin]</pair-value>
323 <pair-key>/**/config/aaa*/**</pair-key>
324 <pair-value>authcBearer, roles[admin]</pair-value>
327 <pair-key>/oauth/**</pair-key>
328 <pair-value>anon</pair-value>
331 <pair-key>/odlux/**</pair-key>
332 <pair-value>anon</pair-value>
335 <pair-key>/apidoc/**</pair-key>
336 <pair-value>authcBasic</pair-value>
339 <pair-key>/rests/**</pair-key>
340 <pair-value>authcBearer, roles[admin]</pair-value>
343 <pair-key>/**</pair-key>
344 <pair-value>authcBearer, roles[admin]</pair-value>
346 </shiro-configuration>