2 * Copyright (c) 2014, 2016 Hewlett-Packard Development Company, L.P. and others. All rights reserved.
4 * This program and the accompanying materials are made available under the
5 * terms of the Eclipse Public License v1.0 which accompanies this distribution,
6 * and is available at http://www.eclipse.org/legal/epl-v10.html
8 package org.opendaylight.aaa.api;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Objects;

import org.opendaylight.aaa.api.model.Domain;
import org.opendaylight.aaa.api.model.Grant;
import org.opendaylight.aaa.api.model.Grants;
import org.opendaylight.aaa.api.model.Role;
import org.opendaylight.aaa.api.model.User;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
24 * StoreBuilder is triggered during feature installation by
25 * <code>AAAIDMLightModule.createInstance()</code>. StoreBuilder is responsible
26 * for initializing the IIDMStore with initial default user account
27 * information. By default, the following users are created:
33 * <p>By default, the following domain is created:
38 * <p>By default, the following grants are created:
40 * <li>admin with admin role on sdn</li>
41 * <li>admin with user role on sdn</li>
44 * @author peter.mellquist@hp.com
45 * @author saichler@cisco.com
46 * @author Michael Vorburger.ch - some refactoring, for new CLI tool
48 public class StoreBuilder {
50 private static final Logger LOG = LoggerFactory.getLogger(StoreBuilder.class);
52 private final IIDMStore store;
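/**
 * Creates a builder that populates the given store.
 *
 * @param store the IIDMStore to initialize; must not be null, since every other
 *              method of this class dereferences it unconditionally
 * @throws NullPointerException if {@code store} is null
 */
public StoreBuilder(IIDMStore store) {
    // Fail fast here instead of with an NPE on the first store call inside init*().
    this.store = Objects.requireNonNull(store, "store");
}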
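/**
 * Initialize IIDMStore with some default entries in {@link IIDMStore#DEFAULT_DOMAIN}.
 *
 * <p>This delegates to {@link #initWithDefaultUsers(String)} and therefore also creates
 * the default admin account with its default password; only use it when that is intended.
 *
 * @deprecated Better explicitly use
 *             {@link #initDomainAndRolesWithoutUsers(String)} or
 *             {@link #initWithDefaultUsers(String)}
 *
 * @throws IDMStoreException for issues coming from the IIDMStore
 */
@Deprecated
public void init() throws IDMStoreException {
    initWithDefaultUsers(IIDMStore.DEFAULT_DOMAIN);
}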
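/**
 * Initialize IIDMStore with the default domain and the 'user' and 'admin' roles, if needed.
 * This does not create any default user entries (because they are an inherent security risk).
 *
 * <p>The presence of the domain is the only marker for "already initialized": when it
 * exists nothing else is checked or created, so roles deleted afterwards are not restored.
 *
 * @param domainID ID (same as name) of the "authentication domain"
 * @return ID of the just newly created Domain, or null if no new one had to be created
 * @throws IDMStoreException for issues coming from the IIDMStore
 */
public String initDomainAndRolesWithoutUsers(String domainID) throws IDMStoreException {
    LOG.info("Checking if default entries must be created in IDM store");

    // Check whether the domain exists. If it exists, then do not create default data
    // in the store.
    // TODO Address the fact that someone may delete the sdn domain
    Domain existingDomain = store.readDomain(domainID);
    if (existingDomain != null) {
        LOG.info("Found default domain in IDM store, skipping insertion of default data");
        return null;
    }

    // Create the domain under the ID/name that was requested and that readDomain() was
    // queried with. Naming it IIDMStore.DEFAULT_DOMAIN regardless of domainID would
    // likely make the existence check above miss it on later calls for any other
    // domainID and re-create the default data each time.
    Domain domain = new Domain();
    domain.setEnabled(true);
    domain.setName(domainID);
    domain.setDescription("default odl sdn domain");
    domain = store.writeDomain(domain);
    LOG.info("Created default domain");
    String newDomainID = domain.getDomainid();

    // Create default Roles ("admin" and "user") in the newly created domain
    Role adminRole = new Role();
    adminRole.setName("admin");
    adminRole.setDomainid(newDomainID);
    adminRole.setDescription("a role for admins");
    store.writeRole(adminRole);
    LOG.info("Created 'admin' role");

    Role userRole = new Role();
    userRole.setName("user");
    userRole.setDomainid(newDomainID);
    userRole.setDescription("a role for users");
    store.writeRole(userRole);
    LOG.info("Created 'user' role");

    return newDomainID;
}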
/**
 * Initialize IIDMStore with the default domain, the 'user' and 'admin' roles, AND a default
 * "admin" account whose password is the well-known default "admin" (bad practice; prefer
 * {@link #initDomainAndRolesWithoutUsers(String)} and create accounts explicitly).
 *
 * <p>The default account is only created when the domain did not exist yet; an already
 * initialized store is left untouched.
 *
 * @param domainID ID (same as name) of the "authentication domain"
 * @throws IDMStoreException for issues coming from the IIDMStore
 */
public void initWithDefaultUsers(String domainID) throws IDMStoreException {
    String createdDomainID = initDomainAndRolesWithoutUsers(domainID);
    if (createdDomainID == null) {
        // Domain was already present: do not (re)create the default admin account.
        return;
    }
    createUser(createdDomainID, "admin", "admin", true);
}
/**
 * Resolves role names to role IDs within one domain.
 *
 * @param domainID ID (same as name) of the "authentication domain" the roles belong to
 * @param roleNames names of the roles to look up (e.g. ["user", "admin"])
 * @return the matching role IDs, in the same order as {@code roleNames}
 * @throws IllegalStateException if any name has no role (with an ID) in that domain
 * @throws IDMStoreException for issues coming from the IIDMStore
 */
public List<String> getRoleIDs(String domainID, List<String> roleNames) throws IDMStoreException {
    // Index only the roles of the requested domain; store.getRoles() apparently
    // spans all domains, which is why the domain filter is needed.
    Map<String, String> idsByName = new HashMap<>();
    for (Role candidate : store.getRoles().getRoles()) {
        if (!domainID.equals(candidate.getDomainid())) {
            continue;
        }
        idsByName.put(candidate.getName(), candidate.getRoleid());
    }

    List<String> result = new ArrayList<>(roleNames.size());
    for (String name : roleNames) {
        String id = idsByName.get(name);
        if (id == null) {
            throw new IllegalStateException("'" + name + "' role not found (in domain '" + domainID + "')");
        }
        result.add(id);
    }
    return result;
}
/**
 * Creates a new, enabled user in the given domain and grants it the given roles.
 *
 * @param domainID ID (same as name) of the "authentication domain"
 * @param userName new user name (without the domain prefix which gets automatically added)
 * @param password the new user's initial password
 * @param roleIDs list of IDs of roles to grant the new user (e.g. ["user", "admin"])
 *
 * @return ID of the just newly created user, useful to reference it e.g. in grants
 * @throws IDMStoreException for issues coming from the IIDMStore
 */
public String createUser(String domainID, String userName, String password, List<String> roleIDs)
        throws IDMStoreException {
    User user = new User();
    user.setEnabled(true);
    user.setDomainid(domainID);
    user.setName(userName);
    user.setDescription(userName + " user");
    user.setEmail("");
    // The password is handed to the store as given. NOTE(review): hashing is presumably
    // the store's responsibility — confirm against the IIDMStore implementation in use.
    user.setPassword(password);

    User written = store.writeUser(user);
    // Only the user name and domain are logged, never the password.
    LOG.debug("Created '" + userName + "' user in domain '" + domainID + "'");

    String userID = written.getUserid();
    // Grants are written one by one; a failure part-way leaves the user with partial grants.
    for (String roleID : roleIDs) {
        createGrant(domainID, userID, roleID);
    }
    return userID;
}
/**
 * Creates a new user with the standard roles: 'user' for everybody, plus 'admin' for admins.
 *
 * @param domainID ID (same as name) of the "authentication domain"
 * @param userName new user name (without the domain prefix which gets automatically added)
 * @param password the new user's initial password
 * @param isAdmin whether to also grant the 'admin' role (the 'user' role is always granted)
 * @return ID of the just newly created user
 * @throws IllegalStateException if the required roles do not exist in that domain
 * @throws IDMStoreException for issues coming from the IIDMStore
 */
public String createUser(String domainID, String userName, String password, boolean isAdmin)
        throws IDMStoreException {
    List<String> roleNames = isAdmin ? Arrays.asList("user", "admin") : Arrays.asList("user");
    return createUser(domainID, userName, password, getRoleIDs(domainID, roleNames));
}
/**
 * Deletes a user together with all of its grants.
 *
 * @param domainID ID (same as name) of the "authentication domain"
 * @param userName name of the user to delete (without the domain prefix)
 * @return whether the store reported a deleted user (non-null result of deleteUser)
 * @throws IDMStoreException for issues coming from the IIDMStore
 */
public boolean deleteUser(String domainID, String userName) throws IDMStoreException {
    String userID = IDMStoreUtil.createUserid(userName, domainID);
    // Remove the grants first so that no grant outlives its user. They are looked up
    // by user ID; NOT store.getGrants(domainID, userName).
    Grants existingGrants = store.getGrants(userID);
    for (Grant grant : existingGrants.getGrants()) {
        store.deleteGrant(grant.getGrantid());
    }
    return store.deleteUser(userID) != null;
}
/**
 * Grants one role to one user within a domain.
 *
 * @param domainID ID of the domain the grant belongs to
 * @param userID ID of the user receiving the role
 * @param roleID ID of the role being granted
 * @throws IDMStoreException for issues coming from the IIDMStore
 */
private void createGrant(String domainID, String userID, String roleID) throws IDMStoreException {
    Grant newGrant = new Grant();
    newGrant.setUserid(userID);
    newGrant.setRoleid(roleID);
    newGrant.setDomainid(domainID);
    store.writeGrant(newGrant);
    LOG.debug("Granted '" + userID + "' user the '" + roleID + "' role in domain '" + domainID + "'");
}