*** Settings ***
Documentation     Test suite: Authentication Support for Keystone
...
...               This feature implements user management for the ODL NBI REST APIs integrated with OpenStack, so that the authentication functionality provided by Keystone can be used. This allows the ODL NBI REST APIs to be consumed with the same authentication procedures as any OpenStack project (Nova, Neutron, etc.), bringing the benefits of a centralized, unified user management framework.
...
...               As a first step, it shall be possible to authenticate users against Keystone by using passwords provided by the users.
Suite Setup       Init Suite    # keyword name assumed: the original Suite Setup line was lost in extraction
Suite Teardown    Cleanup Suite
Library           OperatingSystem
Library           RequestsLibrary
Resource          ../../../libraries/Utils.robot
Resource          ../../../libraries/TemplatedRequests.robot
Resource          ../../../libraries/KarafKeywords.robot
Resource          ../../../libraries/ClusterManagement.robot
Resource          ../../../variables/Variables.robot
Resource          ../../../libraries/AAA/DockerKeystone.robot

*** Variables ***
${URI_CERTIFICATE}    /restconf/operations/aaa-cert-rpc:getODLCertificate
${URI_RESTCONF}       /restconf/operational/ietf-restconf-monitoring:restconf-state

*** Test Cases ***
Successful Authentication Including Domain
    [Documentation]    *Test Case: Successful Authentication with user@domain/password credentials*
    ...
    ...    - Create an HTTP session with ODL as "sdnadmin" user in "sdn" domain
    ...    - Check that access to the ODL NBI URLs is allowed because "sdnadmin" is associated to domain "sdn" in Keystone and the provided password is the right one.
    ...
    ...    - URL "/restconf/operations/aaa-cert-rpc:getODLCertificate" is authorized just for "admin" roles according to the shiro.ini configuration. As "sdnadmin" has the "admin" role in Keystone, the access is authorized too.
    ...    - URL "/restconf/operational/ietf-restconf-monitoring:restconf-state" is specified neither in shiro.ini nor in MDSAL Dynamic Authorization, so no specific role is required.
    Create Session    session    http://${ODL_SYSTEM_IP}:${RESTCONFPORT}    auth=${AUTH_SDN_DOMAIN}    headers=${HEADERS}
    ${resp}=    RequestsLibrary.Post Request    session    ${URI_CERTIFICATE}    headers=${HEADERS}
    Should Contain    ${ALLOWED_STATUS_CODES}    ${resp.status_code}
    ${resp}=    RequestsLibrary.Get Request    session    ${URI_RESTCONF}    headers=${HEADERS}
    Should Contain    ${ALLOWED_STATUS_CODES}    ${resp.status_code}

Successful Authentication Without Domain
    [Documentation]    *Test Case: Successful Authentication with user/password credentials. No domain included*
    ...
    ...    - Create an HTTP session with ODL as "CSC_user" user without specifying any domain, so domain "Default" is assumed
    ...    - Check that access to the ODL NBI URLs is allowed because "CSC_user" is associated to domain "Default" in Keystone and the provided password is the right one.
    ...
    ...    - URL "/restconf/operations/aaa-cert-rpc:getODLCertificate" is authorized just for "admin" roles according to the shiro.ini configuration. As "CSC_user" has the "admin" role in Keystone, the access is authorized too.
    ...    - URL "/restconf/operational/ietf-restconf-monitoring:restconf-state" is specified neither in shiro.ini nor in MDSAL Dynamic Authorization, so no specific role is required.
    Create Session    session    http://${ODL_SYSTEM_IP}:${RESTCONFPORT}    auth=${AUTH_CSC_SDN}    headers=${HEADERS}
    ${resp}=    RequestsLibrary.Post Request    session    ${URI_CERTIFICATE}    headers=${HEADERS}
    Should Contain    ${ALLOWED_STATUS_CODES}    ${resp.status_code}
    ${resp}=    RequestsLibrary.Get Request    session    ${URI_RESTCONF}    headers=${HEADERS}
    Should Contain    ${ALLOWED_STATUS_CODES}    ${resp.status_code}

Unsuccessful Authentication Wrong User
    [Documentation]    *Test Case: Unsuccessful Authentication with wrong user/password credentials*
    ...
    ...    - Create an HTTP session with ODL as an invalid user
    ...    - Check that access to the ODL NBI URLs is NOT allowed because "invaliduser" does not exist in Keystone.
    ...
    ...    Because authentication fails, authorization is not evaluated.
    Create Session    session    http://${ODL_SYSTEM_IP}:${RESTCONFPORT}    auth=${AUTH_INVALID}    headers=${HEADERS}
    ${resp}=    RequestsLibrary.Post Request    session    ${URI_CERTIFICATE}    headers=${HEADERS}
    Should Contain    ${UNAUTHORIZED_STATUS_CODES}    ${resp.status_code}
    ${resp}=    RequestsLibrary.Get Request    session    ${URI_RESTCONF}    headers=${HEADERS}
    Should Contain    ${UNAUTHORIZED_STATUS_CODES}    ${resp.status_code}

UnSuccessful Authentication Without Domain
    [Documentation]    *Test Case: Unsuccessful Authentication without domain*
    ...
    ...    - Create an HTTP session with ODL as "sdnadmin" user without specifying any domain, so domain "Default" is assumed
    ...    - Check that access to the ODL NBI URLs is NOT allowed because "sdnadmin" is not associated to domain "Default" in Keystone but to "sdn", which is not included in the credentials.
    ...
    ...    Because authentication fails, authorization is not evaluated.
    Create Session    session    http://${ODL_SYSTEM_IP}:${RESTCONFPORT}    auth=${AUTH_SDN}    headers=${HEADERS}
    ${resp}=    RequestsLibrary.Post Request    session    ${URI_CERTIFICATE}    headers=${HEADERS}
    Should Contain    ${UNAUTHORIZED_STATUS_CODES}    ${resp.status_code}
    ${resp}=    RequestsLibrary.Get Request    session    ${URI_RESTCONF}    headers=${HEADERS}
    Should Contain    ${UNAUTHORIZED_STATUS_CODES}    ${resp.status_code}

Unsuccessful Authentication Wrong Domain
    [Documentation]    *Test Case: Unsuccessful Authentication with wrong domain*
    ...
    ...    - Create an HTTP session with ODL as "sdnadmin" user with "wrong" as domain
    ...    - Check that access to the ODL NBI URLs is NOT allowed because "sdnadmin" is not associated to domain "wrong" in Keystone but to "sdn".
    ...
    ...    Because authentication fails, authorization is not evaluated.
    Create Session    session    http://${ODL_SYSTEM_IP}:${RESTCONFPORT}    auth=${AUTH_SDN_WRONG_DOM}    headers=${HEADERS}
    ${resp}=    RequestsLibrary.Post Request    session    ${URI_CERTIFICATE}    headers=${HEADERS}
    Should Contain    ${UNAUTHORIZED_STATUS_CODES}    ${resp.status_code}
    ${resp}=    RequestsLibrary.Get Request    session    ${URI_RESTCONF}    headers=${HEADERS}
    Should Contain    ${UNAUTHORIZED_STATUS_CODES}    ${resp.status_code}

Unsuccessful Basic Authorization
    [Documentation]    *Test Case: Unsuccessful Basic Authorization*
    ...
    ...    - Provision MDSAL so that users with role "admin" or "user" are authorized to access all URIs
    ...    - Create an HTTP session with ODL as "CSC_user_no_admin" user
    ...    - Check that access to URL "/restconf/operations/aaa-cert-rpc:getODLCertificate" is NOT authorized: in the shiro.ini configuration access is allowed just to "admin" roles, and "CSC_user_no_admin" has the "user" role in Keystone, not "admin", even though MDSAL Dynamic Authorization would allow the access. That is, the authorization process is an "AND" operation between shiro.ini and MDSAL Dynamic Authorization.
    ...    - Check that access to URL "/restconf/operational/ietf-restconf-monitoring:restconf-state" is authorized because that URL is not specified in shiro.ini and MDSAL Dynamic Authorization allows access to all URLs for every user with the "user" role.
    Set Suite Variable    ${PUT_DYNAMIC_AUTH_FILE}    ${CURDIR}/../../../variables/aaa/put-dynamic-auth.json
    Provision MDSAL    ${PUT_DYNAMIC_AUTH_FILE}
    Create Session    session    http://${ODL_SYSTEM_IP}:${RESTCONFPORT}    auth=${AUTH_CSC_NO_ADMIN}    headers=${HEADERS}
    ${resp_ok}=    RequestsLibrary.Get Request    session    ${URI_RESTCONF}    headers=${HEADERS}
    Should Contain    ${ALLOWED_STATUS_CODES}    ${resp_ok.status_code}
    ${resp_nook}=    RequestsLibrary.Post Request    session    ${URI_CERTIFICATE}    headers=${HEADERS}
    Should Contain    ${UNAUTHORIZED_STATUS_CODES}    ${resp_nook.status_code}

Unsuccessful Dynamic Authorization
    [Documentation]    *Test Case: Unsuccessful Dynamic Authorization*
    ...
    ...    - Provision MDSAL so that just users with role "admin" are authorized to access all URIs
    ...    - Create an HTTP session with ODL as "CSC_user_no_admin" user
    ...    - Check that access to URL "/restconf/operations/aaa-cert-rpc:getODLCertificate" is NOT authorized: in the shiro.ini configuration access is allowed just to "admin" roles, and "CSC_user_no_admin" has the "user" role in Keystone, not "admin". The authorization process is an "AND" operation between shiro.ini and MDSAL Dynamic Authorization, so the shiro.ini rule alone is enough to deny.
    ...    - Check that access to URL "/restconf/operational/ietf-restconf-monitoring:restconf-state" is NOT authorized because, although the URL is not specified in shiro.ini, MDSAL Dynamic Authorization allows access to all URLs just for users with the "admin" role, and "CSC_user_no_admin" has the "user" role in Keystone, not "admin".
    Set Suite Variable    ${PUT_DYNAMIC_AUTH_FILE}    ${CURDIR}/../../../variables/aaa/put-dynamic-auth-2.json
    Provision MDSAL    ${PUT_DYNAMIC_AUTH_FILE}
    Create Session    session    http://${ODL_SYSTEM_IP}:${RESTCONFPORT}    auth=${AUTH_CSC_NO_ADMIN}    headers=${HEADERS}
    ${resp_nook}=    RequestsLibrary.Get Request    session    ${URI_RESTCONF}    headers=${HEADERS}
    Should Contain    ${UNAUTHORIZED_STATUS_CODES}    ${resp_nook.status_code}
    ${resp_nook}=    RequestsLibrary.Post Request    session    ${URI_CERTIFICATE}    headers=${HEADERS}
    Should Contain    ${UNAUTHORIZED_STATUS_CODES}    ${resp_nook.status_code}

Unsuccessful Dynamic Authorization 2
    [Documentation]    *Test Case: Unsuccessful Dynamic Authorization 2*
    ...
    ...    - Provision MDSAL so that:
    ...    \ \ - URI "/restconf/operations/aaa-cert-rpc:getODLCertificate" is authorized just for users with "user" role
    ...    \ \ - URI "/restconf/operational/**" is authorized just for users with "user" role
    ...
    ...    - Create an HTTP session with ODL as "sdnadmin" user
    ...    - Check that access to URL "/restconf/operations/aaa-cert-rpc:getODLCertificate" is NOT authorized: although the shiro.ini configuration allows "admin" roles and "sdnadmin" does have the "admin" role, MDSAL Dynamic Authorization allows access to that URL just for users with the "user" role, and "sdnadmin" has the "admin" role in Keystone, not "user".
    ...    - Check that access to URL "/restconf/operational/ietf-restconf-monitoring:restconf-state" is NOT authorized: although that URL is not considered in the shiro.ini configuration, MDSAL Dynamic Authorization allows access to it just for users with the "user" role, and "sdnadmin" has the "admin" role in Keystone, not "user".
    ...
    ...    - Create an HTTP session with ODL as "CSC_user_no_admin" user
    ...    - Check that access to URL "/restconf/operations/aaa-cert-rpc:getODLCertificate" is NOT authorized: in the shiro.ini configuration access is allowed just to "admin" roles, and "CSC_user_no_admin" has the "user" role in Keystone, not "admin", even though MDSAL Dynamic Authorization would allow the access. That is, the authorization process is an "AND" operation between shiro.ini and MDSAL Dynamic Authorization.
    ...    - Check that access to URL "/restconf/operational/ietf-restconf-monitoring:restconf-state" is authorized because the URL is not specified in shiro.ini, MDSAL Dynamic Authorization allows access to it just for users with the "user" role, and "CSC_user_no_admin" does have the "user" role in Keystone.
    Set Suite Variable    ${PUT_DYNAMIC_AUTH_FILE}    ${CURDIR}/../../../variables/aaa/put-dynamic-auth-3.json
    Provision MDSAL    ${PUT_DYNAMIC_AUTH_FILE}
    Create Session    session    http://${ODL_SYSTEM_IP}:${RESTCONFPORT}    auth=${AUTH_SDN_DOMAIN}    headers=${HEADERS}
    ${resp}=    RequestsLibrary.Post Request    session    ${URI_CERTIFICATE}    headers=${HEADERS}
    Should Contain    ${UNAUTHORIZED_STATUS_CODES}    ${resp.status_code}
    ${resp}=    RequestsLibrary.Get Request    session    ${URI_RESTCONF}    headers=${HEADERS}
    Should Contain    ${UNAUTHORIZED_STATUS_CODES}    ${resp.status_code}
    Create Session    session    http://${ODL_SYSTEM_IP}:${RESTCONFPORT}    auth=${AUTH_CSC_NO_ADMIN}    headers=${HEADERS}
    ${resp}=    RequestsLibrary.Get Request    session    ${URI_RESTCONF}    headers=${HEADERS}
    Should Contain    ${ALLOWED_STATUS_CODES}    ${resp.status_code}
    ${resp}=    RequestsLibrary.Post Request    session    ${URI_CERTIFICATE}    headers=${HEADERS}
    Should Contain    ${UNAUTHORIZED_STATUS_CODES}    ${resp.status_code}
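The test cases above all exercise the same decision chain: Keystone password authentication keyed by (domain, user), then the shiro.ini URL rule AND the MDSAL dynamic-authorization policy. The following Python model is an added example, not part of this suite or of OpenDaylight. It reproduces the ALLOWED / UNAUTHORIZED outcomes the documentation states for the three MDSAL provisionings (put-dynamic-auth.json, -2.json, -3.json as described in the test cases). The user directory and passwords are constructed, the `/**` Shiro catch-all rule and the policy field names (`resource`, `index`, `permissions`, `actions`) are assumptions, and the path matcher is a simplified Ant-style matcher.

```python
"""Model of the AAA decision the Keystone test cases exercise (constructed example,
not OpenDaylight code). Assumptions: the user directory, the "/**" Shiro catch-all
and the MDSAL policy field names resource / index / permissions / actions."""
import re

CONTEXT_PATH = "/restconf"  # Shiro [urls] patterns are relative to the servlet context
URI_CERTIFICATE = "/restconf/operations/aaa-cert-rpc:getODLCertificate"
URI_RESTCONF = "/restconf/operational/ietf-restconf-monitoring:restconf-state"

# Constructed Keystone directory: (domain, user) -> (password, roles). The users mirror
# the ones the suite provisions; the passwords are made up.
KEYSTONE_USERS = {
    ("sdn", "sdnadmin"): ("sdnadmin-pw", {"admin"}),
    ("Default", "CSC_user"): ("csc-pw", {"admin"}),
    ("Default", "CSC_user_no_admin"): ("csc-noadmin-pw", {"user"}),
}

# Shiro [urls]: the first matching pattern wins. The aaa-cert-rpc rule is the one the suite
# writes into shiro.ini; the "/**" catch-all is the assumed ODL default.
SHIRO_URLS = [
    ("/operations/aaa-cert-rpc**", "authcBasic, roles[admin], dynamicAuthorization"),
    ("/**", "authcBasic, dynamicAuthorization"),
]
ALL_ACTIONS = ["get", "post", "put", "patch", "delete"]


def policy(index, resource, *roles):
    """One MDSAL dynamic-authorization policy granting every action to the given roles."""
    return {"index": index, "resource": resource,
            "permissions": [{"role": r, "actions": ALL_ACTIONS} for r in roles]}


# The three provisionings the test cases describe (constructed to match the text).
POLICIES_ADMIN_OR_USER = [policy(10, "/**", "admin", "user")]  # put-dynamic-auth.json
POLICIES_ADMIN_ONLY = [policy(10, "/**", "admin")]             # put-dynamic-auth-2.json
POLICIES_USER_ONLY = [                                         # put-dynamic-auth-3.json
    policy(10, URI_CERTIFICATE, "user"),
    policy(20, "/restconf/operational/**", "user"),
]


def authenticate(user, password, domain=None, keystone_up=True):
    """Return the user's roles, or None when authentication fails. Without an explicit
    domain the realm falls back to "Default", so a user that exists only in "sdn" is
    rejected; nothing authenticates while Keystone is unreachable."""
    if not keystone_up:
        return None
    entry = KEYSTONE_USERS.get((domain or "Default", user))
    if entry is None or entry[0] != password:
        return None
    return entry[1]


def ant_match(pattern, path):
    """Simplified Ant-style matching: ** spans path segments, * and ? stay inside one."""
    regex = re.escape(pattern).replace(r"\*\*", ".*").replace(r"\*", "[^/]*").replace(r"\?", "[^/]")
    return re.fullmatch(regex, path) is not None


def shiro_required_roles(path, urls=SHIRO_URLS):
    """(roles the first matching Shiro rule requires, whether it chains dynamicAuthorization).
    Shiro's roles[a,b] filter requires every listed role."""
    rel = path[len(CONTEXT_PATH):] if path.startswith(CONTEXT_PATH) else path
    for pattern, chain in urls:
        if ant_match(pattern, rel):
            roles = {r.strip() for grp in re.findall(r"roles\[([^\]]*)\]", chain) for r in grp.split(",")}
            return roles, "dynamicAuthorization" in chain
    return set(), False


def mdsal_permits(policies, roles, method, path):
    """The lowest-index policy whose resource matches decides; with no matching policy the
    request passes through. That is why restconf-state needs no role until a /** policy exists."""
    for pol in sorted(policies, key=lambda p: p["index"]):
        if ant_match(pol["resource"], path):
            return any(perm["role"] in roles and method.lower() in perm["actions"]
                       for perm in pol["permissions"])
    return True


def request(user, password, domain, method, path, policies, keystone_up=True):
    """Outcome of one NBI call: authentication first, then shiro.ini AND MDSAL."""
    roles = authenticate(user, password, domain, keystone_up)
    if roles is None:
        return "authentication failed"  # authorization is never evaluated
    required, dynamic = shiro_required_roles(path)
    if not required <= roles:
        return "denied by shiro.ini"
    if dynamic and not mdsal_permits(policies, roles, method, path):
        return "denied by MDSAL"
    return "allowed"


if __name__ == "__main__":
    for who in (("sdnadmin", "sdnadmin-pw", "sdn"), ("CSC_user_no_admin", "csc-noadmin-pw", None)):
        for name, pols in (("admin-or-user", POLICIES_ADMIN_OR_USER), ("admin-only", POLICIES_ADMIN_ONLY),
                           ("user-only", POLICIES_USER_ONLY)):
            print(who[0], name, "| POST cert:", request(*who, "POST", URI_CERTIFICATE, pols),
                  "| GET state:", request(*who, "GET", URI_RESTCONF, pols))
```

The `request` results line up with the test cases: "denied by shiro.ini" is the cert RPC refused to a "user"-only account regardless of MDSAL policy, "denied by MDSAL" is the admin account refused under the "user"-only provisioning, and every wrong-domain or Keystone-down case stops at "authentication failed" before any role is examined.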

Unsuccessful No Keystone Connection
    [Documentation]    *Test Case: Unsuccessful No Keystone Connection*
    ...
    ...    - Put down Keystone
    ...    - All accesses are forbidden, whatever the credentials, because no user can be authenticated
    # Restored from the documented step "Put down Keystone": the call was missing from the extracted suite
    # and the suite teardown guards against Keystone already being down.
    Destroy Docker Keystone
    Create Session    session    http://${ODL_SYSTEM_IP}:${RESTCONFPORT}    auth=${AUTH_SDN_DOMAIN}    headers=${HEADERS}
    ${resp}=    RequestsLibrary.Post Request    session    ${URI_CERTIFICATE}    headers=${HEADERS}
    Should Contain    ${UNAUTHORIZED_STATUS_CODES}    ${resp.status_code}
    ${resp}=    RequestsLibrary.Get Request    session    ${URI_RESTCONF}    headers=${HEADERS}
    Should Contain    ${UNAUTHORIZED_STATUS_CODES}    ${resp.status_code}
    Create Session    session    http://${ODL_SYSTEM_IP}:${RESTCONFPORT}    auth=${AUTH_CSC_NO_ADMIN}    headers=${HEADERS}
    ${resp}=    RequestsLibrary.Get Request    session    ${URI_RESTCONF}    headers=${HEADERS}
    Should Contain    ${UNAUTHORIZED_STATUS_CODES}    ${resp.status_code}
    ${resp}=    RequestsLibrary.Post Request    session    ${URI_CERTIFICATE}    headers=${HEADERS}
    Should Contain    ${UNAUTHORIZED_STATUS_CODES}    ${resp.status_code}

*** Keywords ***
Init Suite
    # Keyword name assumed: the original name was lost in extraction. Invoked as Suite Setup.
    [Documentation]    The steps included in the Initialization phase are:
    ...
    ...    - Run Docker Keystone: deploy a container in the SYSTEM TOOL node containing Keystone
    ...
    ...    - Configure AAA in Controller: shiro.ini is modified to add a new authentication realm based on Keystone
    ...
    ...    - Restart Controller: this restart is needed in order to activate the new shiro.ini configuration
    ...
    ...    - Provision Keystone: populate the Keystone database with the needed users and roles
    ...
    ...    - Install the Keystone certificate into ODL so that the protocol used in the ODL-Keystone communication is HTTPS with server certificate authentication
    ${TOOLS_SYSTEM_NAME}    Run Command On Remote System    ${TOOLS_SYSTEM_IP}    hostname -f    user=${TOOLS_SYSTEM_USER}    password=${TOOLS_SYSTEM_PASSWORD}
    Run Docker Keystone    # restored from the documented step list; the call was missing from the extracted suite
    Configure AAA In Controller    ${TOOLS_SYSTEM_NAME}
    Set Suite Variable    ${PUT_KEYSTONE_CERT_FILE}    ${CURDIR}/../../../variables/aaa/put-keystone-cert.json
    Set Keystone Certificate into ODL    ${PUT_KEYSTONE_CERT_FILE}    ${TOOLS_SYSTEM_NAME}
    Restart Controller    # restored from the documented step list
    Provision Keystone    # restored from the documented step list
    Set Suite Variable    ${PUT_DYNAMIC_AUTH_FILE}    ${CURDIR}/../../../variables/aaa/put-dynamic-auth.json
    Provision MDSAL    ${PUT_DYNAMIC_AUTH_FILE}

Cleanup Suite
    [Documentation]    Disable and delete the test domain if Keystone is still reachable, then destroy the Keystone container.
    ${result}    Run Keyword And Return Status    Set Domain To False    ${domain}    ${HEADERS_TOKEN}
    Run Keyword If    ${result} == True    Delete Keystone Domain    ${domain}    ${HEADERS_TOKEN}
    Run Keyword If    ${result} == True    Destroy Docker Keystone

Configure AAA In Controller
    [Arguments]    ${TOOLS_SYSTEM_NAME}
    [Documentation]    With this keyword shiro.ini and aaa-cert-config.xml are modified to configure the Keystone Authentication Realm using TLS 1.2. These are the settings:
    ...
    ...    - shiro.ini:
    ...    keystoneAuthRealm = org.opendaylight.aaa.shiro.realm.KeystoneAuthRealm
    ...    keystoneAuthRealm.url = https://sandbox-29591-30-docker-0:35357
    ...    keystoneAuthRealm.sslVerification = true
    ...    securityManager.realms = $tokenAuthRealm, $keystoneAuthRealm
    ...    /operations/aaa-cert-rpc** = authcBasic, roles[admin], dynamicAuthorization
    ...
    ...    - aaa-cert-config.xml:
    ...    <use-config>true</use-config>
    ...    <tls-protocols>TLSv1.2</tls-protocols>
    ${shiro_path}    Run Command On Controller    cmd=cd /;find /|grep shiro.ini|grep etc|grep -v denied
    ${cert_path}    Run Command On Controller    cmd=cd /;find /|grep aaa-cert-config.xml|grep etc|grep -v denied
    # Enable the Keystone realm, point it at the Keystone container over HTTPS and keep server certificate
    # verification on (sed -i -e edits in place without leaving a backup file behind)
    ${result}    Run Command On Controller    cmd=sed -i -e 's/#keystoneAuthRealm =.*/keystoneAuthRealm = org.opendaylight.aaa.shiro.realm.KeystoneAuthRealm/g' ${shiro_path}
    ${result}    Run Command On Controller    cmd=sed -i -e 's/#keystoneAuthRealm.url =.*/keystoneAuthRealm.url = https:\\/\\/${TOOLS_SYSTEM_NAME}:35357/g' ${shiro_path}
    ${result}    Run Command On Controller    cmd=sed -i -e 's/securityManager.realms =.*/securityManager.realms = $tokenAuthRealm, $keystoneAuthRealm/g' ${shiro_path}
    ${result}    Run Command On Controller    cmd=sed -i -e 's/#keystoneAuthRealm.sslVerification =.*/keystoneAuthRealm.sslVerification = true/g' ${shiro_path}
    # Restrict the aaa-cert-rpc operations to the "admin" role and chain the MDSAL dynamic authorization filter
    ${result}    Run Command On Controller    cmd=sed -i -e 's/\\/operations\\/aaa-cert-rpc.*/\\/operations\\/aaa-cert-rpc** = authcBasic, roles[admin], dynamicAuthorization/g' ${shiro_path}
    # Activate the certificate configuration and force TLS 1.2 for the ODL-Keystone connection
    ${result}    Run Command On Controller    cmd=sed -i -e 's/<use-config>.*/<use-config>true<\\/use-config>/g' ${cert_path}
    ${result}    Run Command On Controller    cmd=sed -i -e 's/<tls-protocols.*/<tls-protocols>TLSv1.2<\\/tls-protocols>/g' ${cert_path}
    ${result}    Run Command On Controller    cmd=cat ${shiro_path}
    ${result}    Run Command On Controller    cmd=cat ${cert_path}
    # Make the Keystone container hostname resolvable from the controller, so that the realm URL and the
    # certificate hostname check line up
    ${result}    Run Command On Controller    cmd=sudo sed -i "2i${TOOLS_SYSTEM_IP} \ \ ${TOOLS_SYSTEM_NAME}" /etc/hosts
    ${result}    Run Command On Controller    cmd=cat /etc/hosts
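The keyword above edits shiro.ini and aaa-cert-config.xml with sed and then only cats the files back. The following Python block is an added example, not part of this suite or of OpenDaylight: it applies the same settings to constructed stand-ins for the two files and then checks the hardened state the documentation lists (realm enabled and registered, HTTPS URL, sslVerification on, admin-only aaa-cert-rpc rule chained to dynamicAuthorization, certificate config in use, TLSv1.2 only), so a realm left commented out or a permissive TLS list is caught before the controller is restarted. The sample file contents are constructed from the patterns the sed commands target (they are not the shipped files); the hostname and port are the ones the documentation shows.

```python
"""Apply and verify the Keystone realm settings the suite writes with sed.
Constructed example, not OpenDaylight code: the sample shiro.ini and
aaa-cert-config.xml below are stand-ins built from the lines the sed edits touch."""
import re
import xml.etree.ElementTree as ET

KEYSTONE_REALM_CLASS = "org.opendaylight.aaa.shiro.realm.KeystoneAuthRealm"
CERT_RPC_RULE = "/operations/aaa-cert-rpc** = authcBasic, roles[admin], dynamicAuthorization"

# Constructed shiro.ini before configuration: realm commented out, cert RPC rule without
# dynamicAuthorization, only the token realm registered.
SHIRO_INI_BEFORE = """[main]
tokenAuthRealm = org.opendaylight.aaa.shiro.realm.TokenAuthRealm
#keystoneAuthRealm = org.opendaylight.aaa.shiro.realm.KeystoneAuthRealm
#keystoneAuthRealm.url = https://localhost:35357
#keystoneAuthRealm.sslVerification = true
securityManager.realms = $tokenAuthRealm

[urls]
/operations/aaa-cert-rpc** = authcBasic, roles[admin]
/** = authcBasic, dynamicAuthorization
"""

# Constructed aaa-cert-config.xml before configuration (root element name is made up):
# certificate config disabled and a permissive TLS protocol list.
CERT_CONFIG_BEFORE = """<cert-config>
  <use-config>false</use-config>
  <tls-protocols>TLSv1,TLSv1.1,TLSv1.2</tls-protocols>
</cert-config>
"""


def _sub_line(text, pattern, replacement):
    """Rewrite every whole line matching pattern, the way the sed s/…/…/ calls do."""
    return re.sub(pattern, replacement, text, flags=re.MULTILINE)


def configure_shiro(text, keystone_host, port=35357):
    """Same five edits as the keyword: enable the realm, set its HTTPS URL, keep TLS
    verification on, register the realm and harden the aaa-cert-rpc rule. Idempotent."""
    text = _sub_line(text, r"^#keystoneAuthRealm =.*$", f"keystoneAuthRealm = {KEYSTONE_REALM_CLASS}")
    text = _sub_line(text, r"^#keystoneAuthRealm\.url =.*$", f"keystoneAuthRealm.url = https://{keystone_host}:{port}")
    text = _sub_line(text, r"^#keystoneAuthRealm\.sslVerification =.*$", "keystoneAuthRealm.sslVerification = true")
    text = _sub_line(text, r"^securityManager\.realms =.*$", "securityManager.realms = $tokenAuthRealm, $keystoneAuthRealm")
    text = _sub_line(text, r"^/operations/aaa-cert-rpc.*$", CERT_RPC_RULE)
    return text


def configure_cert_config(text):
    """Turn the certificate configuration on and allow TLSv1.2 only."""
    text = re.sub(r"<use-config>.*?</use-config>", "<use-config>true</use-config>", text)
    text = re.sub(r"<tls-protocols>.*?</tls-protocols>", "<tls-protocols>TLSv1.2</tls-protocols>", text)
    return text


def parse_shiro(text):
    """Minimal shiro.ini reader: {section: {key: value}}; comments and blank lines are skipped,
    so a commented-out realm simply does not appear."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return sections


def check_keystone_realm(shiro_text, cert_xml, keystone_host):
    """Return {check_name: bool} for the hardened state the keyword documents."""
    ini = parse_shiro(shiro_text)
    main, urls = ini.get("main", {}), ini.get("urls", {})
    realms = [r.strip() for r in main.get("securityManager.realms", "").split(",")]
    cert_rule = urls.get("/operations/aaa-cert-rpc**", "")
    cert = ET.fromstring(cert_xml)
    return {
        "realm_enabled": main.get("keystoneAuthRealm") == KEYSTONE_REALM_CLASS and "$keystoneAuthRealm" in realms,
        "realm_url_https": main.get("keystoneAuthRealm.url", "").startswith(f"https://{keystone_host}:"),
        "ssl_verification": main.get("keystoneAuthRealm.sslVerification") == "true",
        "cert_rpc_admin_only": "roles[admin]" in cert_rule and "dynamicAuthorization" in cert_rule,
        "cert_config_used": (cert.findtext("use-config") or "").strip() == "true",
        "tls12_only": (cert.findtext("tls-protocols") or "").strip() == "TLSv1.2",
    }


if __name__ == "__main__":
    host = "sandbox-29591-30-docker-0"  # hostname from the keyword documentation
    print("before:", check_keystone_realm(SHIRO_INI_BEFORE, CERT_CONFIG_BEFORE, host))
    shiro, cert = configure_shiro(SHIRO_INI_BEFORE, host), configure_cert_config(CERT_CONFIG_BEFORE)
    print("after: ", check_keystone_realm(shiro, cert, host))
```

Running `check_keystone_realm` against the controller's real files after the sed edits (or before `Restart Controller`) gives a pass/fail per setting instead of a file dump to eyeball; the patterns are anchored at line start, so a commented-out duplicate of a key cannot masquerade as the active one.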

Provision Keystone
    [Documentation]    As CSC_user provision:
    ...
    ...    - Domain "sdn"
    ...    - User "sdnadmin"
    ...    - Role "admin" to "sdnadmin" user in "sdn" domain
    ${result}    Create Keystone session    ${TOOLS_SYSTEM_IP}
    Set Suite Variable    ${CREATE_TOKEN_FILE}    ${CURDIR}/../../../variables/aaa/create-token.json
    ${token}    Get Keystone Token    ${TOOLS_SYSTEM_IP}    ${CREATE_TOKEN_FILE}
    &{HEADERS}    Create Dictionary    X-Auth-Token=${token}    Content-Type=application/json
    Set Suite Variable    ${HEADERS_TOKEN}    ${HEADERS}
    ${admin_role_id}    Get Admin Role Id    ${HEADERS_TOKEN}
    Set Suite Variable    ${CREATE_DOMAIN_FILE}    ${CURDIR}/../../../variables/aaa/create-domain.json
    ${domain_local}    Create Keystone Domain    ${HEADERS_TOKEN}    ${CREATE_DOMAIN_FILE}
    Set Suite Variable    ${domain}    ${domain_local}
    Set Suite Variable    ${CREATE_USERS_FILE}    ${CURDIR}/../../../variables/aaa/create-user.json
    ${normalized_file}=    OperatingSystem.Normalize Path    ${CREATE_USERS_FILE}
    # Point the user template at the freshly created domain id before sending it to Keystone
    ${output}    OperatingSystem.Run    sed -i 's/\"domain_id\".*/\"domain_id\"\: \"${domain}\",/g' ${CREATE_USERS_FILE}
    ${user}    Create Keystone User in a Domain    ${HEADERS_TOKEN}    ${CREATE_USERS_FILE}
    Grant Admin Role    ${domain}    ${user}    ${admin_role_id}    ${HEADERS_TOKEN}

Provision MDSAL
    [Arguments]    ${PUT_DYNAMIC_AUTH_FILE}
    [Documentation]    PUT the MDSAL Dynamic Authorization policies contained in ${PUT_DYNAMIC_AUTH_FILE} into the controller, authenticating as the default admin user.
    Create Session    session_admin    http://${ODL_SYSTEM_IP}:${RESTCONFPORT}    auth=${AUTH}    headers=${HEADERS}
    Set Suite Variable    ${PUT_DYNAMIC_AUTH_URI}    /restconf/config/aaa:http-authorization
    ${body_dyn}    OperatingSystem.Get File    ${PUT_DYNAMIC_AUTH_FILE}
    ${resp}    RequestsLibrary.Put Request    session_admin    ${PUT_DYNAMIC_AUTH_URI}    data=${body_dyn}    headers=${HEADERS}
    Should Contain    ${ALLOWED_STATUS_CODES}    ${resp.status_code}
    Delete Request    session_admin    http://${ODL_SYSTEM_IP}:${RESTCONFPORT}

Restart Controller
    [Documentation]    A controller restart is needed in order for the new shiro.ini configuration to take effect.
    ClusterManagement.ClusterManagement_Setup
    Wait Until Keyword Succeeds    5x    20    Stop_Single_Member    1
    Start_Single_Member    1    wait_for_sync=False    timeout=120
    Wait Until Keyword Succeeds    30x    5s    Get Controller Modules

Get Controller Modules
    [Documentation]    Get the restconf modules, check 200 status and ietf-restconf presence
    Create Session    session1    http://${ODL_SYSTEM_IP}:${RESTCONFPORT}    auth=${AUTH}    headers=${HEADERS}
    ${resp} =    RequestsLibrary.Get_Request    session1    ${MODULES_API}
    BuiltIn.Log    ${resp.content}
    BuiltIn.Should_Be_Equal    ${resp.status_code}    ${200}
    BuiltIn.Should_Contain    ${resp.content}    ietf-restconf