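# Copyright (c) 2015-2017 Brocade Communications Systems, Inc. and others. All rights reserved.
#
# This program and the accompanying materials are made available under the
# terms of the Eclipse Public License v1.0 which accompanies this distribution,
# and is available at http://www.eclipse.org/legal/epl-v10.html

###############################################################################
# Configuration of OpenDaylight's aaa-shiro feature. Provided Realm
# implementations include:
# - TokenAuthRealm (enabled by default)
# - ODLJndiLdapRealm (disabled by default)
# - ODLJndiLdapRealmAuthNOnly (disabled by default)
# - ODLActiveDirectoryRealm (disabled by default)
# - KeystoneAuthRealm (disabled by default)
#
# Basic user configuration through shiro.ini is disabled for security.
###############################################################################

###############################################################################
# NOTE(review): Shiro reads object definitions like the ones below from a
# [main] section; no section header is visible in this rendering of the file,
# so confirm the deployed copy still carries it.
#
# This section is dedicated to setting up realms for OpenDaylight. Realms
# are essentially different methods for providing AAA. ODL strives to provide
# highly-configurable AAA by providing pluggable infrastructure. By default,
# TokenAuthRealm is enabled out of the box (which bridges to the existing AAA
# mechanisms). More than one realm can be enabled, and the realms are
# tried Round-Robin until:
# 1) a realm successfully authenticates the incoming request
# 2) all realms are exhausted, and 401 is returned
#
# Defining a realm object is not enough to activate it: the realm must also be
# added to securityManager.realms further below.
###############################################################################

# ODL provides a few LDAP implementations, which are disabled out of the box.
# ODLJndiLdapRealm includes authorization functionality based on LDAP elements
# extracted through an LDAP search. This requires a bit of knowledge about
# how your LDAP system is set up. An example is provided below.
# Security note: ldap:// on port 389 sends the bind credentials in the clear
# unless the directory negotiates TLS; prefer ldaps:// (as in the Active
# Directory example below) where the directory supports it.
#ldapRealm = org.opendaylight.aaa.shiro.realm.ODLJndiLdapRealm
#ldapRealm.userDnTemplate = uid={0},ou=People,dc=DOMAIN,dc=TLD
#ldapRealm.contextFactory.url = ldap://<URL>:389
#ldapRealm.searchBase = dc=DOMAIN,dc=TLD
# Abstraction to map LDAP extracted groups to ODL roles
#ldapRealm.groupRolesMap = "person":"admin", "organizationalPerson":"user"
#ldapRealm.ldapAttributeForComparison = objectClass

# ODL also provides ODLJndiLdapRealmAuthNOnly. Essentially, this allows
# access through AAAFilter to any user that can authenticate against the
# provided LDAP server (authentication only; no role mapping is performed).
#ldapRealm = org.opendaylight.aaa.shiro.realm.ODLJndiLdapRealmAuthNOnly
#ldapRealm.userDnTemplate = uid={0},ou=People,dc=DOMAIN,dc=TLD
#ldapRealm.contextFactory.url = ldap://<URL>:389

# ODL provides an Active Directory Realm through ODLActiveDirectoryRealm.
# Security note: systemPassword is a plaintext credential stored in this file.
# Use a dedicated low-privilege directory account, restrict the file's
# permissions, and never commit the real value to version control.
#adRealm = org.opendaylight.aaa.shiro.realm.ODLActiveDirectoryRealm
#adRealm.searchBase = "CN=Users,DC=example,DC=com"
#adRealm.systemUsername = aduser@example.com
#adRealm.systemPassword = adpassword
#adRealm.url = ldaps://adserver:636
# the groupRolesMap maps an AD query to a particular role.
#adRealm.groupRolesMap = "CN=sysadmin,CN=Users,DC=example,DC=com":"admin", "CN=unprivileged,CN=Users,DC=example,DC=com":"user"

# ODL provides a slightly customized version of Shiro's JdbcRealm, which
# can be used to integrate with an existing JDBC-supporting data source. This
# helps ease deployment configuration with existing OSS systems. Setting up
# the ODLJdbcRealm requires instantiation of two abstractions: the data source
# (ds) and the realm itself (jdbcRealm).
#
# ds, which stands for data source, defines a data source which can be used
# for JDBC connections.
# Security note: ds.password is a plaintext credential; the same handling as
# for adRealm.systemPassword above applies.
#ds = com.mysql.jdbc.Driver
#ds.serverName = localhost
#ds.password = password
#ds.databaseName = db_name
# jdbcRealm is used to manipulate realm instance properties, specifically the
# queries required to extract information from a JDBC data source. Both
# queries take the user name as a single bound parameter (?).
#jdbcRealm = org.opendaylight.aaa.shiro.realm.ODLJdbcRealm
#jdbcRealm.dataSource = $ds
#jdbcRealm.authenticationQuery = "SELECT password FROM users WHERE user_name = ?"
#jdbcRealm.userRolesQuery = "SELECT role_name FROM user_roles WHERE user_name = ?"

# Bridge to existing h2/idmlight/mdsal authentication/authorization mechanisms.
# This realm is enabled by default, and utilizes h2-store by default.
tokenAuthRealm = org.opendaylight.aaa.shiro.realm.TokenAuthRealm

# The MoonRealm is useful for bridging ODL with the OPNFV Moon project. To
# enable the moonAuthRealm, uncomment the line below, and then add moonAuthRealm
# to the securityManager.realms list below.
#moonAuthRealm = org.opendaylight.aaa.shiro.realm.MoonRealm
#moonAuthRealm.moonServerURL = http://<host>:<port>

# The KeystoneAuthRealm allows for authentication/authorization against an
# OpenStack Keystone server. It uses the Identity API v3 or later.
#keystoneAuthRealm = org.opendaylight.aaa.shiro.realm.KeystoneAuthRealm
# The URL where the Keystone server exposes the Identity API v3. The URL
# can be either HTTP or HTTPS and it is mandatory for this realm. With plain
# HTTP the credentials forwarded to Keystone travel unencrypted; use HTTPS.
#keystoneAuthRealm.url = https://<host>:<port>
# Optional parameter to make the realm verify the certificates in case of HTTPS.
# Keep this enabled in production: with verification off, any certificate is
# accepted and the credentials sent to Keystone can be intercepted.
#keystoneAuthRealm.sslVerification = true
# Optional parameter to set up a default domain for requests using credentials
# without domain; uncomment in case you want a different value from the
# hard-coded default (Default).
#keystoneAuthRealm.defaultDomain = Default

# The CSV list of enabled realms. In order to enable a realm, add it to the
# comma-separated list below (e.g. $tokenAuthRealm, $ldapRealm).
securityManager.realms = $tokenAuthRealm

# adds a custom AuthenticationFilter to support OAuth2 for backwards
# compatibility. To disable OAuth2 access, just comment out the next line
# and authcBasic will default to BasicHttpAuthenticationFilter, a
# Shiro-provided class.
authcBasic = org.opendaylight.aaa.shiro.filters.ODLHttpAuthenticationFilter

# OAuth2 Filter for moon token AuthN
#rest = org.opendaylight.aaa.shiro.filters.MoonOAuthFilter

# add in AuthenticationListener, a Listener that records whether
# authentication attempts are successful or unsuccessful. This audit
# information is disabled by default, to avoid log flooding. To enable,
# issue the following in karaf:
# >log:set DEBUG org.opendaylight.aaa.shiro.filters.AuthenticationListener
# Consider enabling it (and shipping the log) wherever failed-login detection
# is required; the listener object stays registered either way.
accountingListener = org.opendaylight.aaa.shiro.filters.AuthenticationListener
securityManager.authenticator.authenticationListeners = $accountingListener

# Filter to support dynamic urls rules based on md-sal model
dynamicAuthorization = org.opendaylight.aaa.shiro.realm.MDSALDynamicAuthorizationFilter

###############################################################################
# url authorization section
#
# This section is dedicated to defining url-based authorization according to:
# http://shiro.apache.org/web.html
#
# NOTE(review): these rules belong under Shiro's [urls] section header, which
# is not visible in this rendering of the file — confirm it is present in the
# deployed copy.
#
# Shiro evaluates the entries below in order and the first matching pattern
# wins, so the specific admin-only paths must stay above the /** catch-all.
#
# DO NOT EDIT THE FOLLOWING UNLESS YOU KNOW WHAT YOU ARE DOING!
###############################################################################

# Temporarily added authorization endpoints; will be removed when MDSAL based
# Model can be initialized from file.
/v1/** = authcBasic, roles[admin], dynamicAuthorization

# Restrict AAA-Certificate REST APIs to Admin role
/config/aaa-cert-mdsal** = authcBasic, roles[admin]
/operational/aaa-cert-mdsal** = authcBasic, roles[admin]
/operations/aaa-cert-rpc** = authcBasic, roles[admin]

# Access to the credential store is limited to the valid users who have the
# admin role. The following lines are only needed if the mdsal store is enabled
# (the mdsal store is disabled by default).
/config/aaa-authn-model** = authcBasic, roles[admin]
/operational/aaa-authn-model** = authcBasic, roles[admin]

# Uncomment the line below to enable the Moon AuthenticatingFilter
# (the commented-out rule itself is not visible in this rendering of the file).

# General access through AAAFilter requires valid credentials (AuthN only);
# any further restriction for these paths comes from dynamicAuthorization.
/** = authcBasic, dynamicAuthorization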