3 Copyright (c) 2017 Inocybe Technologies and others. All rights reserved.
5 This program and the accompanying materials are made available under the
6 terms of the Eclipse Public License v1.0 which accompanies this distribution,
7 and is available at http://www.eclipse.org/legal/epl-v10.html
11 ///////////////////////////////////////////////////////////////////////////////////////
12 // clustered-app-config instance responsible for AAA configuration. In the future, //
13 // this will contain all AAA related configuration. //
14 ///////////////////////////////////////////////////////////////////////////////////////
17 <shiro-configuration xmlns="urn:opendaylight:aaa:app:config">
20 ///////////////////////////////////////////////////////////////////////////////////
21 // shiro-configuration is the model based container that contains all shiro //
22 // related information used in ODL AAA configuration. It is the single pane of //
23 // glass for shiro related configuration, and is how to configure shiro concepts //
27 // * security manager settings //
29 // In general, you really shouldn't muck with the settings in this file. The //
30 // way an operator should configure AAA shiro settings is through one of ODL's //
31 // northbound interfaces (i.e., RESTCONF or NETCONF). These are just the //
32 // defaults if no values are specified in MD-SAL. This file is verbose for two //
33 // reasons: //
34 // 1) to demonstrate payload examples for plausible configuration scenarios //
35 // 2) to allow bootstrap of the controller (first time start) since otherwise //
36 // configuration becomes a chicken-and-egg problem. //
// Note: because these are bootstrap defaults, editing this file after a node has //
// already written its AAA configuration into MD-SAL is not expected to change //
// that node's effective settings; use the northbound interfaces instead. //
38 ///////////////////////////////////////////////////////////////////////////////////
42 ===================================================================================
48 ===================================================================================
52 ===================================================================================
53 ============================ ODLJndiLdapRealmAuthNOnly ============================
54 ===================================================================================
56 = Description: A Realm implementation aimed at federating with an external LDAP =
57 = server for authentication only. For authorization support, refer =
58 = to ODLJndiLdapRealm. =
= Note: the example contextFactory.url below uses plain ldap:// on port 389, over =
= which the user's bind credentials travel in cleartext; production deployments =
= should use ldaps:// (as in the AD example). Also note that the example =
= groupRolesMap, combined with ldapAttributeForComparison=objectClass, grants the =
= admin role to every entry of objectClass "person"; replace it with a mapping to =
= the specific group or attribute value that should carry admin privileges. =
59 ===================================================================================
61 <!-- Start ldapRealm commented out
63 <pair-key>ldapRealm</pair-key>
64 <pair-value>org.opendaylight.aaa.shiro.realm.ODLJndiLdapRealmAuthNOnly</pair-value>
67 <pair-key>ldapRealm.userDnTemplate</pair-key>
68 <pair-value>uid={0},ou=People,dc=DOMAIN,dc=TLD</pair-value>
71 <pair-key>ldapRealm.contextFactory.url</pair-key>
72 <pair-value>ldap://<URL>:389</pair-value>
75 <pair-key>ldapRealm.searchBase</pair-key>
76 <pair-value>dc=DOMAIN,dc=TLD</pair-value>
79 <pair-key>ldapRealm.groupRolesMap</pair-key>
80 <pair-value>"person":"admin", "organizationalPerson":"user"</pair-value>
83 <pair-key>ldapRealm.ldapAttributeForComparison</pair-key>
84 <pair-value>objectClass</pair-value>
86 End ldapRealm commented out-->
89 ===================================================================================
90 ============================= ODLActiveDirectoryRealm =============================
91 ===================================================================================
93 = Description: A Realm implementation aimed at federating with an external AD =
= Note: adRealm.systemUsername / adRealm.systemPassword are a service account whose =
= password is stored in the clear in this file (and in MD-SAL once applied). Use a =
= dedicated, least-privileged read-only bind account, never the placeholder value =
= shown here, and restrict read access to this file accordingly. =
95 ===================================================================================
97 <!-- Start adRealm commented out
99 <pair-key>adRealm</pair-key>
100 <pair-value>org.opendaylight.aaa.shiro.realm.ODLActiveDirectoryRealm</pair-value>
103 <pair-key>adRealm.searchBase</pair-key>
104 <pair-value>"CN=Users,DC=example,DC=com"</pair-value>
107 <pair-key>adRealm.systemUsername</pair-key>
108 <pair-value>aduser@example.com</pair-value>
111 <pair-key>adRealm.systemPassword</pair-key>
112 <pair-value>adpassword</pair-value>
115 <pair-key>adRealm.url</pair-key>
116 <pair-value>ldaps://adserver:636</pair-value>
119 <pair-key>adRealm.groupRolesMap</pair-key>
120 <pair-value>"CN=sysadmin,CN=Users,DC=example,DC=com":"admin", "CN=unprivileged,CN=Users,DC=example,DC=com":"user"</pair-value>
122 End adRealm commented out-->
125 ===================================================================================
126 ================================== ODLJdbcRealm ===================================
127 ===================================================================================
129 = Description: A Realm implementation aimed at federating with an external JDBC =
= Note: ds.password is stored in the clear in this file; use a least-privileged =
= database account with read access to the users/roles tables only. Keep both =
= queries parameterised with '?' as shown - never interpolate the user name into =
= the SQL text. Unlike the other realms, the jdbcRealm class name below is not =
= fully qualified; confirm it resolves before relying on this example. =
131 ===================================================================================
133 <!-- Start jdbcRealm commented out
135 <pair-key>ds</pair-key>
136 <pair-value>com.mysql.jdbc.Driver</pair-value>
139 <pair-key>ds.serverName</pair-key>
140 <pair-value>localhost</pair-value>
143 <pair-key>ds.user</pair-key>
144 <pair-value>user</pair-value>
147 <pair-key>ds.password</pair-key>
148 <pair-value>password</pair-value>
151 <pair-key>ds.databaseName</pair-key>
152 <pair-value>db_name</pair-value>
155 <pair-key>jdbcRealm</pair-key>
156 <pair-value>ODLJdbcRealm</pair-value>
159 <pair-key>jdbcRealm.dataSource</pair-key>
160 <pair-value>$ds</pair-value>
163 <pair-key>jdbcRealm.authenticationQuery</pair-key>
164 <pair-value>"SELECT password FROM users WHERE user_name = ?"</pair-value>
167 <pair-key>jdbcRealm.userRolesQuery</pair-key>
168 <pair-value>"SELECT role_name FROM user_roles WHERE user_name = ?"</pair-value>
170 End jdbcRealm commented out-->
173 ===================================================================================
174 ================================= TokenAuthRealm ==================================
175 ===================================================================================
177 = Description: A Realm implementation utilizing a per node H2 database store. =
178 ===================================================================================
181 <pair-key>tokenAuthRealm</pair-key>
182 <pair-value>org.opendaylight.aaa.shiro.realm.TokenAuthRealm</pair-value>
186 ===================================================================================
187 =================================== MdsalRealm ====================================
188 ===================================================================================
190 = Description: A Realm implementation utilizing the aaa.yang model. =
191 ===================================================================================
193 <!-- Start mdsalRealm commented out
195 <pair-key>mdsalRealm</pair-key>
196 <pair-value>org.opendaylight.aaa.shiro.realm.MdsalRealm</pair-value>
198 End mdsalRealm commented out-->
201 ===================================================================================
202 ================================= MoonAuthRealm ===================================
203 ===================================================================================
205 = Description: A Realm implementation aimed at federating with OPNFV Moon. =
= Note: the example moonServerURL uses plain http://, so whatever this realm sends =
= to the Moon server (credentials and/or tokens) would travel unencrypted; point =
= it at an https:// endpoint in any real deployment. =
206 ===================================================================================
208 <!-- Start moonAuthRealm commented out
210 <pair-key>moonAuthRealm</pair-key>
211 <pair-value>org.opendaylight.aaa.shiro.realm.MoonRealm</pair-value>
214 <pair-key>moonAuthRealm.moonServerURL</pair-key>
215 <pair-value>http://<host>:<port></pair-value>
217 End moonAuthRealm commented out-->
220 ===================================================================================
221 ================================= KeystoneAuthRealm == ============================
222 ===================================================================================
224 = Description: A Realm implementation aimed at federating with an OpenStack =
= Note: leave keystoneAuthRealm.sslVerification at true; setting it to false, as =
= its name suggests, stops the Keystone server's certificate from being verified =
= and exposes the authentication exchange to interception. =
226 ===================================================================================
228 <!-- Start keystoneAuthRealm commented out
230 <pair-key>keystoneAuthRealm</pair-key>
231 <pair-value>org.opendaylight.aaa.shiro.realm.KeystoneAuthRealm</pair-value>
234 <pair-key>keystoneAuthRealm.url</pair-key>
235 <pair-value>https://<host>:<port></pair-value>
238 <pair-key>keystoneAuthRealm.sslVerification</pair-key>
239 <pair-value>true</pair-value>
242 <pair-key>keystoneAuthRealm.defaultDomain</pair-key>
243 <pair-value>Default</pair-value>
248 Add tokenAuthRealm as the only realm. To enable mdsalRealm, add it to the comma-separated list to the right of tokenAuthRealm (e.g. "$tokenAuthRealm, $mdsalRealm").
251 <pair-key>securityManager.realms</pair-key>
252 <pair-value>$tokenAuthRealm</pair-value>
255 <!-- Start moonAuthRealm commented out
257 <pair-key>rest</pair-key>
258 <pair-value>org.opendaylight.aaa.shiro.filters.MoonOAuthFilter</pair-value>
260 End moonAuthRealm commented out-->
262 <!-- Register an authentication listener so that AAA challenge (login) attempts are tracked -->
264 <pair-key>accountingListener</pair-key>
265 <pair-value>org.opendaylight.aaa.shiro.filters.AuthenticationListener</pair-value>
268 <pair-key>securityManager.authenticator.authenticationListeners</pair-key>
269 <pair-value>$accountingListener</pair-value>
272 <!-- Model based authorization scheme supporting RBAC for REST endpoints -->
274 <pair-key>dynamicAuthorization</pair-key>
275 <pair-value>org.opendaylight.aaa.shiro.realm.MDSALDynamicAuthorizationFilter</pair-value>
279 Disable parts of the invalidRequest filter, as these are blocking valid RESTCONF requests.
281 RESTCONF routinely transmits data in URLs. The encoding requires that all reserved URI
282 characters, as defined in https://www.rfc-editor.org/rfc/rfc3986#section-2.2, be
283 percent-encoded. See https://jira.opendaylight.org/browse/AAA-265.
Only the two checks below are relaxed; the remaining invalidRequest checks are not changed here.
With blockTraversal disabled Shiro will, as the name suggests, no longer reject request paths
containing traversal ("..") segments, so the handlers behind this filter must not use the
request path to address files or other resources without normalising it first. Do not relax
further checks without a documented RESTCONF need.
286 <!-- ';' is a RFC3986 reserved character -->
287 <pair-key>invalidRequest.blockSemicolon</pair-key>
288 <pair-value>false</pair-value>
291 <!-- '/' is a RFC3986 reserved character -->
292 <pair-key>invalidRequest.blockTraversal</pair-key>
293 <pair-value>false</pair-value>
297 ===================================================================================
= Note: Shiro applies the first pattern that matches the request path, so the =
= more specific roles[admin] entries must stay above the catch-all /** entry below. =
= Every entry uses authcBasic, which carries credentials on each request and so =
= should only be exposed over TLS. =
303 ===================================================================================
305 <!-- Start moonAuthRealm commented out
307 <pair-key>/token</pair-key>
308 <pair-value>rest</pair-value>
310 End moonAuthRealm commented out-->
312 <pair-key>/**/operations/cluster-admin**</pair-key>
313 <pair-value>authcBasic, roles[admin]</pair-value>
316 <pair-key>/**/v1/**</pair-key>
317 <pair-value>authcBasic, roles[admin]</pair-value>
320 <pair-key>/**/config/aaa*/**</pair-key>
321 <pair-value>authcBasic, roles[admin]</pair-value>
324 <pair-key>/**</pair-key>
325 <pair-value>authcBasic</pair-value>
327 </shiro-configuration>