3 Copyright (c) 2017 Inocybe Technologies and others. All rights reserved.
5 This program and the accompanying materials are made available under the
6 terms of the Eclipse Public License v1.0 which accompanies this distribution,
7 and is available at http://www.eclipse.org/legal/epl-v10.html
11 ///////////////////////////////////////////////////////////////////////////////////////
12 // clustered-app-config instance responsible for AAA configuration. In the future, //
13 // this will contain all AAA related configuration. //
14 ///////////////////////////////////////////////////////////////////////////////////////
17 <shiro-configuration xmlns="urn:opendaylight:aaa:app:config">
20 ///////////////////////////////////////////////////////////////////////////////////
21 // shiro-configuration is the model based container that contains all shiro //
22 // related information used in ODL AAA configuration. It is the sole pain of //
23 // glass for shiro related configuration, and is how to configure shiro concepts //
27 // * security manager settings //
29 // In general, you really shouldn't muck with the settings in this file. The //
30 // way an operator should configure AAA shiro settings is through one of ODL's //
31 // northbound interfaces (i.e., RESTCONF or NETCONF). These are just the //
32 // defaults if no values are specified in MD-SAL. The reason this file is so //
33 // verbose is for two reasons: //
34 // 1) to demonstrate payload examples for plausible configuration scenarios //
35 // 2) to allow bootstrap of the controller (first time start) since otherwise //
36 // configuration becomes a chicken and the egg problem. //
38 ///////////////////////////////////////////////////////////////////////////////////
42 ===================================================================================
48 ===================================================================================
52 ===================================================================================
53 ============================ ODLJndiLdapRealmAuthNOnly ============================
54 ===================================================================================
56 = Description: A Realm implementation aimed at federating with an external LDAP =
57 = server for authentication only. For authorization support, refer =
58 = to ODLJndiLdapRealm. =
59 ===================================================================================
61 <!-- Start ldapRealm commented out
63 <pair-key>ldapRealm</pair-key>
64 <pair-value>org.opendaylight.aaa.shiro.realm.ODLJndiLdapRealmAuthNOnly</pair-value>
67 <pair-key>ldapRealm.userDnTemplate</pair-key>
68 <pair-value>uid={0},ou=People,dc=DOMAIN,dc=TLD</pair-value>
71 <pair-key>ldapRealm.contextFactory.url</pair-key>
72 <pair-value>ldap://<URL>:389</pair-value>
75 <pair-key>ldapRealm.searchBase</pair-key>
76 <pair-value>dc=DOMAIN,dc=TLD</pair-value>
79 <pair-key>ldapRealm.groupRolesMap</pair-key>
80 <pair-value>"person":"admin", "organizationalPerson":"user"</pair-value>
83 <pair-key>ldapRealm.ldapAttributeForComparison</pair-key>
84 <pair-value>objectClass</pair-value>
86 End ldapRealm commented out-->
89 ===================================================================================
90 ============================= ODLActiveDirectoryRealm =============================
91 ===================================================================================
93 = Description: A Realm implementation aimed at federating with an external AD =
95 ===================================================================================
97 <!-- Start adRealm commented out
99 <pair-key>adRealm</pair-key>
100 <pair-value>org.opendaylight.aaa.shiro.realm.ODLActiveDirectoryRealm</pair-value>
103 <pair-key>adRealm.searchBase</pair-key>
104 <pair-value>"CN=Users,DC=example,DC=com"</pair-value>
107 <pair-key>adRealm.systemUsername</pair-key>
108 <pair-value>aduser@example.com</pair-value>
111 <pair-key>adRealm.systemPassword</pair-key>
112 <pair-value>adpassword</pair-value>
115 <pair-key>adRealm.url</pair-key>
116 <pair-value>ldaps://adserver:636</pair-value>
119 <pair-key>adRealm.groupRolesMap</pair-key>
120 <pair-value>"CN=sysadmin,CN=Users,DC=example,DC=com":"admin", "CN=unprivileged,CN=Users,DC=example,DC=com":"user"</pair-value>
122 End adRealm commented out-->
125 ===================================================================================
126 ================================== ODLJdbcRealm ===================================
127 ===================================================================================
129 = Description: A Realm implementation aimed at federating with an external JDBC =
131 ===================================================================================
133 <!-- Start jdbcRealm commented out
135 <pair-key>ds</pair-key>
136 <pair-value>com.mysql.jdbc.Driver</pair-value>
139 <pair-key>ds.serverName</pair-key>
140 <pair-value>localhost</pair-value>
143 <pair-key>ds.user</pair-key>
144 <pair-value>user</pair-value>
147 <pair-key>ds.password</pair-key>
148 <pair-value>password</pair-value>
151 <pair-key>ds.databaseName</pair-key>
152 <pair-value>db_name</pair-value>
155 <pair-key>jdbcRealm</pair-key>
156 <pair-value>ODLJdbcRealm</pair-value>
159 <pair-key>jdbcRealm.dataSource</pair-key>
160 <pair-value>$ds</pair-value>
163 <pair-key>jdbcRealm.authenticationQuery</pair-key>
164 <pair-value>"SELECT password FROM users WHERE user_name = ?"</pair-value>
167 <pair-key>jdbcRealm.userRolesQuery</pair-key>
168 <pair-value>"SELECT role_name FROM user_rolesWHERE user_name = ?"</pair-value>
170 End jdbcRealm commented out-->
173 ===================================================================================
174 ================================= TokenAuthRealm ==================================
175 ===================================================================================
177 = Description: A Realm implementation utilizing a per node H2 database store. =
178 ===================================================================================
181 <pair-key>tokenAuthRealm</pair-key>
182 <pair-value>org.opendaylight.aaa.shiro.realm.TokenAuthRealm</pair-value>
186 ===================================================================================
187 =================================== MdsalRealm ====================================
188 ===================================================================================
190 = Description: A Realm implementation utilizing the aaa.yang model. =
191 ===================================================================================
193 <!-- Start mdsalRealm commented out
195 <pair-key>mdsalRealm</pair-key>
196 <pair-value>org.opendaylight.aaa.shiro.realm.MdsalRealm</pair-value>
198 End mdsalRealm commented out-->
201 ===================================================================================
202 ================================= MoonAuthRealm ===================================
203 ===================================================================================
205 = Description: A Realm implementation aimed at federating with OPNFV Moon. =
206 ===================================================================================
208 <!-- Start moonAuthRealm commented out
210 <pair-key>moonAuthRealm</pair-key>
211 <pair-value>org.opendaylight.aaa.shiro.realm.MoonRealm</pair-value>
214 <pair-key>moonAuthRealm.moonServerURL</pair-key>
215 <pair-value>http://<host>:<port></pair-value>
217 End moonAuthRealm commented out-->
220 ===================================================================================
221 ================================= KeystoneAuthRealm == ============================
222 ===================================================================================
224 = Description: A Realm implementation aimed at federating with an OpenStack =
226 ===================================================================================
228 <!-- Start keystoneAuthRealm commented out
230 <pair-key>keystoneAuthRealm</pair-key>
231 <pair-value>org.opendaylight.aaa.shiro.realm.KeystoneAuthRealm</pair-value>
234 <pair-key>keystoneAuthRealm.url</pair-key>
235 <pair-value>https://<host>:<port></pair-value>
238 <pair-key>keystoneAuthRealm.sslVerification</pair-key>
239 <pair-value>true</pair-value>
242 <pair-key>keystoneAuthRealm.defaultDomain</pair-key>
243 <pair-value>Default</pair-value>
248 Add tokenAuthRealm as the only realm. To enable mdsalRealm, add it to the list to he right of tokenAuthRealm.
251 <pair-key>securityManager.realms</pair-key>
252 <pair-value>$tokenAuthRealm</pair-value>
255 <!-- Start moonAuthRealm commented out
257 <pair-key>rest</pair-key>
258 <pair-value>org.opendaylight.aaa.shiro.filters.MoonOAuthFilter</pair-value>
260 End moonAuthRealm commented out-->
262 <!-- in order to track AAA challenge attempts -->
264 <pair-key>accountingListener</pair-key>
265 <pair-value>org.opendaylight.aaa.shiro.filters.AuthenticationListener</pair-value>
268 <pair-key>securityManager.authenticator.authenticationListeners</pair-key>
269 <pair-value>$accountingListener</pair-value>
272 <!-- Model based authorization scheme supporting RBAC for REST endpoints -->
274 <pair-key>dynamicAuthorization</pair-key>
275 <pair-value>org.opendaylight.aaa.shiro.realm.MDSALDynamicAuthorizationFilter</pair-value>
280 ===================================================================================
286 ===================================================================================
288 <!-- Start moonAuthRealm commented out
290 <pair-key>/token</pair-key>
291 <pair-value>rest</pair-value>
293 End moonAuthRealm commented out-->
295 <pair-key>/**/operations/cluster-admin**</pair-key>
296 <pair-value>authcBasic, roles[admin]</pair-value>
299 <pair-key>/**/v1/**</pair-key>
300 <pair-value>authcBasic, roles[admin]</pair-value>
303 <pair-key>/**/config/aaa*/**</pair-key>
304 <pair-value>authcBasic, roles[admin]</pair-value>
307 <pair-key>/**</pair-key>
308 <pair-value>authcBasic</pair-value>
310 </shiro-configuration>
Code Review / aaa.git / blob