3 Authentication, Authorization and Accounting (AAA) Services
4 ===========================================================
9 Authentication, Authorization and Accounting (AAA) is a term for a
10 framework controlling access to resources, enforcing policies to use
11 those resources and auditing their usage. These processes are the
12 fundamental building blocks for effective network management and security.
14 Authentication provides a way of identifying a user, typically by
15 having the user enter a valid user name and valid password before access
16 is granted. The process of authentication is based on each user having a unique
17 set of criteria for gaining access. The AAA framework compares a user's
18 authentication credentials with other user credentials stored in a database.
19 If the credentials match, the user is granted access to the network.
20 If the credentials don't match, authentication fails and access is denied.
22 Authorization is the process of finding out what an authenticated user is
23 allowed to do within the system, which tasks can do, which API can call, etc.
24 The authorization process determines whether the user has the authority
25 to perform such actions.
27 Accounting is the process of logging the activity of an authenticated user,
28 for example, the amount of data a user has sent and/or received during a
29 session, which APIs called, etc.
35 Authentication, Authorization and Accounting.
38 A claim of access to a group of resources on the controller.
41 A group of resources, direct or indirect, physical, logical, or
42 virtual, for the purpose of access control.
45 A person who either owns or has access to a resource or group of
46 resources on the controller.
49 Opaque representation of a set of permissions, which is merely a
50 unique string as admin or guest.
53 Proof of identity such as user name and password, OTP, biometrics, or
57 A service or application that requires access to the controller.
60 A data set of validated assertions regarding a user, e.g. the role,
76 git clone https://git.opendaylight.org/gerrit/aaa
82 cd aaa && mvn clean install
88 AAA is automatically installed upon installation of odl-restconf, but you can
89 install it yourself directly from the Karaf console through the following
94 feature:install odl-aaa-shiro
99 The following are basic instructions to push your contributions to the project's
106 # make changes, add change id, etc.
108 git push ssh://{username}@git.opendaylight.org:29418/aaa.git HEAD:refs/for/master
110 AAA Framework implementations
111 -----------------------------
113 Since Boron release, the OpenDaylight's AAA services are based on the
114 `Apache Shiro <https://shiro.apache.org/>`_ Java Security Framework. The main
115 configuration file for AAA is located at “etc/shiro.ini” relative to the
116 OpenDaylight Karaf home directory.
121 The database (H2) used by ODL AAA Authentication store is not-cluster enabled.
122 When deployed in a clustered environment each node needs to have its AAA user
123 file synchronized using out of band means.
128 AAA is enabled through installing the odl-aaa-shiro feature. The vast majority
129 of OpenDaylight's northbound APIs (and all RESTCONF APIs) are protected by AAA
130 by default when installing the +odl-restconf+ feature, since the odl-aaa-shiro
131 is automatically installed as part of them.
136 Edit the “etc/shiro.ini” file and replace the following:
148 Then, restart the Karaf process.
150 How application developers can leverage AAA to provide servlet security
151 -----------------------------------------------------------------------
153 In order to provide security to a servlet, add the following to the
154 servlet’s web.xml file as the first filter definition:
159 <param-name>shiroEnvironmentClass</param-name>
160 <param-value>org.opendaylight.aaa.shiro.web.env.KarafIniWebEnvironment</param-value>
164 <listener-class>org.apache.shiro.web.env.EnvironmentLoaderListener</listener-class>
168 <filter-name>ShiroFilter</filter-name>
169 <filter-class>org.opendaylight.aaa.shiro.filters.AAAShiroFilter</filter-class>
173 <filter-name>AAAShiroFilter</filter-name>
174 <url-pattern>/*</url-pattern>
179 It is very important to place this AAAShiroFilter as the first
180 javax.servlet.Filter, as Jersey applies Filters in the order they
181 appear within web.xml. Placing the AAAShiroFilter first ensures
182 incoming HTTP/HTTPS requests have proper credentials before any
183 other filtering is attempted.
188 AAA plugin utilizes the Shiro Realms to support pluggable authentication &
189 authorization schemes. There are two parent types of realms:
191 - AuthenticatingRealm
193 - Provides no Authorization capability.
195 - Users authenticated through this type of realm are treated
200 - AuthorizingRealm is a more sophisticated AuthenticatingRealm,
201 which provides the additional mechanisms to distinguish users
204 - Useful for applications in which roles determine allowed
207 OpenDaylight contains five implementations:
211 - An AuthorizingRealm built to bridge the Shiro-based AAA service
212 with the h2-based AAA implementation.
214 - Exposes a RESTful web service to manipulate IdM policy on a
215 per-node basis. If identical AAA policy is desired across a
216 cluster, the backing data store must be synchronized using an out
219 - A python script located at “etc/idmtool” is included to help
220 manipulate data contained in the TokenAuthRealm.
222 - Enabled out of the box. This is the realm configured by default.
226 - An AuthorizingRealm built to extract identity information from IdM
227 data contained on an LDAP server.
229 - Extracts group information from LDAP, which is translated into
232 - Useful when federating against an existing LDAP server, in which
233 only certain types of users should have certain access privileges.
235 - Disabled out of the box.
237 - ODLJndiLdapRealmAuthNOnly
239 - The same as ODLJndiLdapRealm, except without role extraction.
240 Thus, all LDAP users have equal authentication and authorization
243 - Disabled out of the box.
245 - ODLActiveDirectoryRealm
247 - Wraps the generic ActiveDirectoryRealm provided by Shiro. This allows for
248 enhanced logging as well as isolation of all realms in a single package,
249 which enables easier import by consuming servlets.
251 - Disabled out of the box.
255 - This realm authenticates OpenDaylight users against the OpenStack's
256 Keystone server by using the
257 `Keystone's Identity API v3 <https://developer.openstack.org/api-ref/identity/v3/>`_
260 - Disabled out of the box.
264 More than one Realm implementation can be specified. Realms are attempted
265 in order until authentication succeeds or all realm sources are exhausted.
266 Edit the **securityManager.realms = $tokenAuthRealm** property in shiro.ini
267 and add all the realms needed separated by commas.
275 The TokenAuthRealm is the default Authorization Realm deployed in OpenDaylight.
276 TokenAuthRealm uses a direct authentication mechanism as shown in the following
279 .. figure:: ./images/aaa/direct-authentication.png
280 :alt: TokenAuthRealm direct authentication mechanism
282 TokenAuthRealm direct authentication mechanism
284 A user presents some credentials (e.g., username/password) directly to the
285 OpenDaylight controller token endpoint /oauth2/token and receives an access
286 token, which then can be used to access protected resources on the controller.
288 How to access the H2 database
289 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
291 The H2 database provides an optional front-end Web interface, which can be very
292 useful for new users. From the KARAF_HOME directory, you can run the following
293 command to enable the user interface:
297 java -cp ./data/cache/org.eclipse.osgi/bundles/217/1/.cp/h2-1.4.185.jar
298 org.h2.tools.Server -trace -pg -web -webAllowOthers -baseDir `pwd`
301 You can navigate to the following and login via the browser:
313 LDAP integration is provided in order to externalize identity management.
314 This configuration allows federation with an external LDAP server.
315 The user’s OpenDaylight role parameters are mapped to corresponding LDAP
316 attributes as specified by the groupRolesMap. Thus, an LDAP operator can
317 provision attributes for LDAP users that support different OpenDaylight role
320 ODLJndiLdapRealmAuthNOnly
321 ^^^^^^^^^^^^^^^^^^^^^^^^^
326 This is useful for setups where all LDAP users are allowed equal access.
334 This realm authenticates OpenDaylight users against the OpenStack's Keystone
335 server. This realm uses the
336 `Keystone's Identity API v3 <https://developer.openstack.org/api-ref/identity/v3/>`_
339 .. figure:: ./images/aaa/keystonerealm-authentication.png
340 :alt: KeystoneAuthRealm authentication mechanism
342 KeystoneAuthRealm authentication/authorization mechanism
344 As can shown on the above diagram, once configured, all the RESTCONF APIs calls
345 will require sending **user**, **password** and optionally **domain** (1). Those
346 credentials are used to authenticate the call against the Keystone server (2) and,
347 if the authentication succeeds, the call will proceed to the MDSAL (3). The
348 credentials must be provisioned in advance within the Keystone Server. The user
349 and password are mandatory, while the domain is optional, in case it is not
350 provided within the REST call, the realm will default to (**Default**),
351 which is hard-coded. The default domain can be also configured through the
352 *shiro.ini* file (see the :doc:`AAA User Guide <../user-guide/authentication-and-authorization-services>`).
354 The protocol between the Controller and the Keystone Server (2) can be either
355 HTTPS or HTTP. In order to use HTTPS the Keystone Server's certificate
356 must be exported and imported on the Controller (see the :ref:`Certificate Management <aaa-certificate-management>` section).
358 Authorization Configuration
359 ---------------------------
361 OpenDaylight supports two authorization engines at present, both of which are
362 roughly similar in behavior:
364 - Shiro-Based Authorization
366 - MDSAL-Based Dynamic Authorization
370 The preferred mechanism for configuring AAA Authentication is the
371 MDSAL-Based Dynamic Authorization. Read the following section.
373 Shiro-Based Static Authorization
374 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
376 OpenDaylight AAA has support for Role Based Access Control (RBAC) based
377 on the Apache Shiro permissions system. Configuration of the authorization
378 system is done off-line; authorization currently cannot be configured
379 after the controller is started. The Authorization provided by this mechanism
380 is aimed towards supporting coarse-grained security policies, the MDSAL-Based
381 mechanism allows for a more robust configuration capabilities. `Shiro-based
382 Authorization <http://shiro.apache.org/web.html#Web-%7B%7B%5Curls%5C%7D%7D>`_
383 describes how to configure the Authentication feature in detail.
387 The Shiro-Based Authorization that uses the *shiro.ini* URLs section to
388 define roles requirements is **deprecated** and **discouraged** since the
389 changes made to the file are only honored on a controller restart.
391 Shiro-Based Authorization is not **cluster-aware**, so the changes made on
392 the *shiro.ini* file have to be replicated on every controller instance
393 belonging to the cluster.
395 The URL patterns are matched relative to the Servlet context leaving room
396 for ambiguity, since many endpoints may match (i.e., "/restconf/modules" and
397 "/auth/modules" would both match a "/modules/\**" rule).
399 MDSAL-Based Dynamic Authorization
400 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
401 The MDSAL-Based Dynamic authorization uses the MDSALDynamicAuthorizationFilter
402 engine to restrict access to particular URL endpoint patterns. Users may define
403 a list of policies that are insertion-ordered. Order matters for that list of
404 policies, since the first matching policy is applied. This choice was made to
405 emulate behavior of the Shiro-Based Authorization mechanism.
407 A **policy** is a key/value pair, where the key is a **resource**
408 (i.e., a "URL pattern") and the value is a list of **permissions** for the
409 resource. The following describes the various elements of a policy:
411 - **Resource**: the resource is a string URL pattern as outlined by
412 Apache Shiro. For more information, see http://shiro.apache.org/web.html.
414 - **Description**: an optional description of the URL endpoint and why it is
417 - **Permissions list**: a list of permissions for a particular policy. If more
418 than one permission exists in the permissions list they are evaluated using
419 logical "OR". A permission describes the prerequisites to perform HTTP
420 operations on a particular endpoint. The following describes the various
421 elements of a permission:
423 + **Role**: the role required to access the target URL endpoint.
424 + **Actions list**: a leaf-list of HTTP permissions that are allowed for a
425 Subject possessing the required role.
427 This an example on how to limit access to the modules endpoint:
432 put URL: /restconf/config/aaa:http-authorization/policies
434 headers: Content-Type: application/json Accept: application/json
439 [ { "aaa:resource": "/restconf/modules/**",
440 "aaa:permissions": [ { "aaa:role": "admin",
441 "aaa:actions": [ "get",
454 The above example locks down access to the modules endpoint (and any URLS
455 available past modules) to the "admin" role. Thus, an attempt from the OOB
456 *admin* user will succeed with 2XX HTTP status code, while an attempt from the
457 OOB *user* user will fail with HTTP status code 401, as the user *user* is not
458 granted the "admin" role.
460 Accounting Configuration
461 ------------------------
463 Accounting is handled through the standard slf4j logging mechanisms used by the
464 rest of OpenDaylight. Thus, one can control logging verbosity through
465 manipulating the log levels for individual packages and classes directly through
466 the Karaf console, JMX, or etc/org.ops4j.pax.logging.cfg. In normal operations,
467 the default levels exposed do not provide much information about AAA services;
468 this is due to the fact that logging can severely degrade performance.
470 All AAA logging is output to the standard karaf.log file. For debugging purposes
471 (i.e., to enable maximum verbosity), issue the following command:
475 log:set TRACE org.opendaylight.aaa
477 Enable Successful/Unsuccessful Authentication Attempts Logging
478 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
480 By default, successful/unsuccessful authentication attempts are NOT logged. This
481 is due to the fact that logging can severely decrease REST performance.
483 It is possible to add custom AuthenticationListener(s) to the Shiro-based
484 configuration, allowing different ways to listen for successful/unsuccessful
485 authentication attempts. Custom AuthenticationListener(s) must implement
486 the org.apache.shiro.authc.AuthenticationListener interface.
488 .. _aaa-certificate-management:
490 Certificate Management
491 ----------------------
493 The **Certificate Management Service** is used to manage the keystores and
494 certificates at the OpenDaylight distribution to easily provides the TLS
497 The Certificate Management Service managing two keystores:
499 1. **OpenDaylight Keystore** which holds the OpenDaylight distribution
500 certificate self sign certificate or signed certificate from a root CA based
501 on generated certificate request.
503 2. **Trust Keystore** which holds all the network nodes certificates that shall
504 to communicate with the OpenDaylight distribution through TLS communication.
506 The Certificate Management Service stores the keystores (OpenDaylight & Trust)
507 as *.jks* files under configuration/ssl/ directory. Also the keystores
508 could be stored at the MD-SAL datastore in case OpenDaylight distribution
509 running at cluster environment. When the keystores are stored at MD-SAL,
510 the Certificate Management Service rely on the **Encryption-Service** to encrypt
511 the keystore data before storing it to MD-SAL and decrypted at runtime.
513 How to use the Certificate Management Service to manage the TLS communication
514 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
516 The following are the steps to configure the TLS communication within your
519 1. It is assumed that there exists an already created OpenDaylight distribution
520 project following `this guide
521 <https://wiki.opendaylight.org/view/OpenDaylight_Controller:MD-SAL:Startup_Project_Archetype#Part_1_-_Build_with_a_simple_.27Example.27_module>`_.
523 2. In the implementation bundle the following artifact must be added to its
524 *pom.xml* file as dependency.
529 <groupId>org.opendaylight.aaa</groupId>
530 <artifactId>aaa-cert</artifactId>
531 <version>0.5.0-SNAPSHOT</version>
534 3. Using the provider class in the implementation bundle needs to define a
535 variable holding the Certificate Manager Service as in the following example:
539 import org.opendaylight.aaa.cert.api.ICertificateManager;
540 import org.opendaylight.controller.md.sal.binding.api.DataBroker;
542 public class UseCertManagerExampleProvider {
543 private final DataBroker dataBroker;
544 private final ICertificateManager caManager;
546 public EncSrvExampleProvider(final DataBroker dataBroker, final ICertificateManager caManager) {
547 this.dataBroker = dataBroker;
548 this.caManager = caManager;
550 public SSLEngine createSSLEngine() {
551 final SSLContext sslContext = caManager.getServerContext();
552 if (sslContext != null) {
553 final SSLEngine sslEngine = sslContext.createSSLEngine();
554 sslEngine.setEnabledCipherSuites(caManager.getCipherSuites());
555 // DO the Implementation
562 public void close() {
567 4. The Certificate Manager Service provides two main methods that are needed to
568 establish the *SSLEngine* object, *getServerContext()* and *getCipherSuites()*
569 as the above example shows. It also provides other methods such as
570 *getODLKeyStore()* and *getTrustKeyStore()* that gives access to the
571 OpenDaylight and Trust keystores.
573 5. Now the *ICertificateManager* need to be passed as an argument to the
574 *UseCertManagerExampleProvider* within the implementation bundle blueprint
575 configuration. The following example shows how:
579 <blueprint xmlns="http://www.osgi.org/xmlns/blueprint/v1.0.0"
580 xmlns:odl="http://opendaylight.org/xmlns/blueprint/v1.0.0"
581 odl:use-default-for-reference-types="true">
582 <reference id="dataBroker"
583 interface="org.opendaylight.controller.md.sal.binding.api.DataBroker"
584 odl:type="default" />
585 <reference id="aaaCertificateManager"
586 interface="org.opendaylight.aaa.cert.api.ICertificateManager"
587 odl:type="default-certificate-manager" />
589 class="org.opendaylight.UseCertManagerExample.impl.UseCertManagerExampleProvider"
590 init-method="init" destroy-method="close">
591 <argument ref="dataBroker" />
592 <argument ref="aaaCertificateManager" />
596 6. After finishing the bundle implementation the feature module needs to be
597 updated to include the *aaa-cert* feature in its feature bundle pom.xml file.
602 <aaa.version>0.5.0-SNAPSHOT</aaa.version>
605 <groupId>org.opendaylight.aaa</groupId>
606 <artifactId>features-aaa</artifactId>
607 <version>${aaa.version}</version>
608 <classifier>features</classifier>
612 7. Now, in the feature.xml file add the Certificate Manager Service feature and
617 <repository>mvn:org.opendaylight.aaa/features-aaa/{VERSION}/xml/features</repository>
619 The Certificate Manager Service feature can be included inside the
620 implementation bundle feature as shown in the following example:
624 <feature name='odl-UseCertManagerExample' version='${project.version}'
625 description='OpenDaylight :: UseCertManagerExample'>
626 <feature version='${mdsal.version}'>odl-mdsal-broker</feature>
627 <feature version='${aaa.version}'>odl-aaa-cert</feature>
628 <bundle>mvn:org.opendaylight.UseCertManagerExample/UseCertManagerExample-impl/{VERSION}</bundle>
631 8. Now the project can be built and the OpenDaylight distribution started to
632 continue with the configuration process. See the User Guide for more details.
637 The **AAA Encryption Service** is used to encrypt the OpenDaylight users'
638 passwords and TLS communication certificates. This section shows how to use the
639 AAA Encryption Service with an OpenDaylight distribution project to encrypt data.
641 1. It is assumed that there exists an already created OpenDaylight distribution
642 project following `this guide
643 <https://wiki.opendaylight.org/view/OpenDaylight_Controller:MD-SAL:Startup_Project_Archetype#Part_1_-_Build_with_a_simple_.27Example.27_module>`_.
645 2. In the implementation bundle the following artifact must be added to its
646 *pom.xml* file as dependency.
651 <groupId>org.opendaylight.aaa</groupId>
652 <artifactId>aaa-encrypt-service</artifactId>
653 <version>0.5.0-SNAPSHOT</version>
656 3. Using the provider class in the implementation bundle needs to define a
657 variable holding the Encryption Service as in the following example:
661 import org.opendaylight.aaa.encrypt.AAAEncryptionService;
662 import org.opendaylight.controller.md.sal.binding.api.DataBroker;
664 public class EncSrvExampleProvider {
665 private final DataBroker dataBroker;
666 private final AAAEncryptionService encryService;
668 public EncSrvExampleProvider(final DataBroker dataBroker, final AAAEncryptionService encryService) {
669 this.dataBroker = dataBroker;
670 this.encryService = encryService;
675 public void close() {
680 The AAAEncryptionService can be used to encrypt and decrypt any data based on
683 4. Now the *AAAEncryptionService* needs to be passed as an argument to the
684 *EncSrvExampleProvider* within the implementation bundle blueprint
685 configuration. The following example shows how:
689 <blueprint xmlns="http://www.osgi.org/xmlns/blueprint/v1.0.0"
690 xmlns:odl="http://opendaylight.org/xmlns/blueprint/v1.0.0"
691 odl:use-default-for-reference-types="true">
692 <reference id="dataBroker"
693 interface="org.opendaylight.controller.md.sal.binding.api.DataBroker"
694 odl:type="default" />
695 <reference id="encryService" interface="org.opendaylight.aaa.encrypt.AAAEncryptionService"/>
697 class="org.opendaylight.EncSrvExample.impl.EncSrvExampleProvider"
698 init-method="init" destroy-method="close">
699 <argument ref="dataBroker" />
700 <argument ref="encryService" />
704 5. After finishing the bundle implementation the feature module needs to be
705 updated to include the *aaa-encryption-service* feature in its feature bundle
711 <groupId>org.opendaylight.aaa</groupId>
712 <artifactId>features-aaa</artifactId>
713 <version>${aaa.version}</version>
714 <classifier>features</classifier>
718 It is also necessary to add the *aaa.version* in the properties section:
723 <aaa.version>0.5.0-SNAPSHOT</aaa.version>
726 6. Now, in the feature.xml file add the Encryption Service feature and its
731 <repository>mvn:org.opendaylight.aaa/features-aaa/{VERSION}/xml/features</repository>
733 The Encryption Service feature can be included inside the implementation bundle
734 feature as shown in the following example:
738 <feature name='odl-EncSrvExample' version='${project.version}' description='OpenDaylight :: EncSrvExample'>
739 <feature version='${mdsal.version}'>odl-mdsal-broker</feature>
740 <feature version='${aaa.version}'>odl-aaa-encryption-service</feature>
741 <feature version='${project.version}'>odl-EncSrvExample-api</feature>
742 <bundle>mvn:org.opendaylight.EncSrvExample/EncSrvExample-impl/{VERSION}</bundle>
745 7. Now the project can be built and the OpenDaylight distribution started to
746 continue with the configuration process. See the User Guide for more details.