1 Authentication, Authorization and Accounting (AAA) Services
2 ===========================================================
4 The Boron AAA services are based on the Apache Shiro Java Security
5 Framework. The main configuration file for AAA is located at
6 “etc/shiro.ini” relative to the ODL karaf home directory.
12 A claim of access to a group of resources on the controller
15 A group of resources, direct or indirect, physical, logical, or
16 virtual, for the purpose of access control. ODL recommends using the
17 default “sdn" domain in the Boron release.
20 A person who either owns or has access to a resource or group of
21 resources on the controller
24 Opaque representation of a set of permissions, which is merely a
25 unique string as admin or guest
28 Proof of identity such as username and password, OTP, biometrics, or
32 A service or application that requires access to the controller
35 A data set of validated assertions regarding a user, e.g. the role,
41 AAA is enabled through installing the odl-aaa-shiro feature.
42 odl-aaa-shiro is automatically installed as part of the odl-restconf
48 Edit the “etc/shiro.ini” file and replace the following:
60 Then restart the karaf process.
64 This is a change from the Lithium release, in which
65 “etc/org.opendaylight.aaa.authn.cfg” was edited to set
66 “authEnabled=false”. Please use the “shiro.ini” mechanism to disable
69 How application developers can leverage AAA to provide servlet security
70 -----------------------------------------------------------------------
72 In order to provide security to a servlet, add the following to the
73 servlet’s web.xml file as the first filter definition:
78 <param-name>shiroEnvironmentClass</param-name>
79 <param-value>org.opendaylight.aaa.shiro.web.env.KarafIniWebEnvironment</param-value>
83 <listener-class>org.apache.shiro.web.env.EnvironmentLoaderListener</listener-class>
87 <filter-name>ShiroFilter</filter-name>
88 <filter-class>org.opendaylight.aaa.shiro.filters.AAAShiroFilter</filter-class>
92 <filter-name>AAAShiroFilter</filter-name>
93 <url-pattern>/*</url-pattern>
98 It is very important to place this AAAShiroFilter as the first
99 javax.servlet.Filter, as Jersey applies Filters in the order they
100 appear within web.xml. Placing the AAAShiroFilter first ensures
101 incoming HTTP/HTTPS requests have proper credentials before any
102 other filtering is attempted.
107 AAA plugin utilizes realms to support pluggable authentication &
108 authorization schemes. There are two parent types of realms:
110 - AuthenticatingRealm
112 - Provides no Authorization capability.
114 - Users authenticated through this type of realm are treated
119 - AuthorizingRealm is a more sophisticated AuthenticatingRealm,
120 which provides the additional mechanisms to distinguish users
123 - Useful for applications in which roles determine allowed
126 ODL Contains Four Implementations
130 - An AuthorizingRealm built to bridge the Shiro-based AAA service
131 with the Lithium h2-based AAA implementation.
133 - Exposes a RESTful web service to manipulate IdM policy on a
134 per-node basis. If identical AAA policy is desired across a
135 cluster, the backing data store must be synchronized using an out
138 - A python script located at “etc/idmtool” is included to help
139 manipulate data contained in the TokenAuthRealm.
141 - Enabled out of the box.
145 - An AuthorizingRealm built to extract identity information from IdM
146 data contained on an LDAP server.
148 - Extracts group information from LDAP, which is translated into ODL
151 - Useful when federating against an existing LDAP server, in which
152 only certain types of users should have certain access privileges.
154 - Disabled out of the box.
156 - ODLJndiLdapRealmAuthNOnly
158 - The same as ODLJndiLdapRealm, except without role extraction.
159 Thus, all LDAP users have equal authentication and authorization
162 - Disabled out of the box.
164 - ActiveDirectoryRealm
168 More than one Realm implementation can be specified. Realms are
169 attempted in order until authentication succeeds or all realm
170 sources are exhausted.
172 TokenAuthRealm Configuration
173 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
175 TokenAuthRealm stores IdM data in an h2 database on each node. Thus,
176 configuration of a cluster currently requires configuring the desired
177 IdM policy on each node. There are two supported methods to manipulate
178 the TokenAuthRealm IdM configuration:
180 - idmtool Configuration
182 - RESTful Web Service Configuration
184 idmtool Configuration
185 ^^^^^^^^^^^^^^^^^^^^^
187 A utility script located at “etc/idmtool” is used to manipulate the
188 TokenAuthRealm IdM policy. idmtool assumes a single domain (sdn), since
189 multiple domains are not leveraged in the Boron release. General usage
190 information for idmtool is derived through issuing the following
195 $ python etc/idmtool -h
196 usage: idmtool [-h] [--target-host TARGET_HOST]
198 {list-users,add-user,change-password,delete-user,list-domains,list-roles,add-role,delete-role,add-grant,get-grants,delete-grant}
201 positional arguments:
202 user username for BSC node
203 {list-users,add-user,change-password,delete-user,list-domains,list-roles,add-role,delete-role,add-grant,get-grants,delete-grant}
205 list-users list all users
207 change-password change a password
208 delete-user delete a user
209 list-domains list all domains
210 list-roles list all roles
212 delete-role delete a role
213 add-grant add a grant
214 get-grants get grants for userid on sdn
215 delete-grant delete a grant
218 -h, --help show this help message and exit
219 --target-host TARGET_HOST
227 python etc/idmtool admin add-user newUser
242 "password": "**********",
243 "salt": "**********",
244 "userid": "newUser@sdn"
249 AAA redacts the password and salt fields for security purposes.
256 $ python etc/idmtool admin delete-user newUser@sdn
258 delete_user(newUser@sdn)
267 $ python etc/idmtool admin list-users
277 "description": "user user",
282 "password": "**********",
283 "salt": "**********",
287 "description": "admin user",
292 "password": "**********",
293 "salt": "**********",
294 "userid": "admin@sdn"
299 Change a user’s password
300 ''''''''''''''''''''''''
304 $ python etc/idmtool admin change-password admin@sdn
308 change_password(admin)
314 "description": "admin user",
319 "password": "**********",
320 "salt": "**********",
321 "userid": "admin@sdn"
329 $ python etc/idmtool admin add-role network-admin
331 add_role(network-admin)
339 "name": "network-admin",
340 "roleid": "network-admin@sdn"
348 $ python etc/idmtool admin delete-role network-admin@sdn
350 delete_role(network-admin@sdn)
359 $ python etc/idmtool admin list-roles
369 "description": "a role for admins",
372 "roleid": "admin@sdn"
375 "description": "a role for users",
388 $ python etc/idmtool admin list-domains
398 "description": "default odl sdn domain",
411 $ python etc/idmtool admin add-grant user@sdn admin@sdn
413 add_grant(userid=user@sdn,roleid=admin@sdn)
420 "grantid": "user@sdn@admin@sdn@sdn",
421 "roleid": "admin@sdn",
430 $ python etc/idmtool admin delete-grant user@sdn admin@sdn
432 http://localhost:8181/auth/v1/domains/sdn/users/user@sdn/roles/admin@sdn
433 delete_grant(userid=user@sdn,roleid=admin@sdn)
437 Get grants for a user
438 '''''''''''''''''''''
442 python etc/idmtool admin get-grants admin@sdn
444 get_grants(admin@sdn)
452 "description": "a role for users",
458 "description": "a role for admins",
461 "roleid": "admin@sdn"
469 The TokenAuthRealm IdM policy is fully configurable through a RESTful
470 web service. Full documentation for manipulating AAA IdM data is located
471 online (https://wiki.opendaylight.org/images/0/00/AAA_Test_Plan.docx),
472 and a few examples are included in this guide:
479 curl -u admin:admin http://localhost:8181/auth/v1/users
484 "description": "user user",
489 "password": "**********",
490 "salt": "**********",
494 "description": "admin user",
499 "password": "**********",
500 "salt": "**********",
501 "userid": "admin@sdn"
511 curl -u admin:admin -X POST -H "Content-Type: application/json" --data-binary @./user.json http://localhost:8181/auth/v1/users
515 "userid": "ryan@sdn",
518 "description": "Ryan's User Account",
519 "email": "ryandgoulding@gmail.com"
526 "description":"Ryan's User Account",
528 "email":"ryandgoulding@gmail.com",
529 "password":"**********",
534 Create an OAuth2 Token For Admin Scoped to SDN
535 ''''''''''''''''''''''''''''''''''''''''''''''
539 curl -d 'grant_type=password&username=admin&password=a&scope=sdn' http://localhost:8181/oauth2/token
544 "token_type":"Bearer",
545 "access_token":"5a615fbc-bcad-3759-95f4-ad97e831c730"
553 curl -H "Authorization: Bearer 5a615fbc-bcad-3759-95f4-ad97e831c730" http://localhost:8181/auth/v1/domains
560 "description":"default odl sdn domain",
566 ODLJndiLdapRealm Configuration
567 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
569 LDAP integration is provided in order to externalize identity
570 management. To configure LDAP parameters, modify "etc/shiro.ini"
571 parameters to include the ODLJndiLdapRealm:
575 # ODL provides a few LDAP implementations, which are disabled out of the box.
576 # ODLJndiLdapRealm includes authorization functionality based on LDAP elements
577 # extracted through and LDAP search. This requires a bit of knowledge about
578 # how your LDAP system is setup. An example is provided below:
579 ldapRealm = org.opendaylight.aaa.shiro.realm.ODLJndiLdapRealm
580 ldapRealm.userDnTemplate = uid={0},ou=People,dc=DOMAIN,dc=TLD
581 ldapRealm.contextFactory.url = ldap://<URL>:389
582 ldapRealm.searchBase = dc=DOMAIN,dc=TLD
583 ldapRealm.ldapAttributeForComparison = objectClass
584 ldapRealm.groupRolesMap = "Person":"admin"
586 # further down in the file...
587 # Stacked realm configuration; realms are round-robbined until authentication succeeds or realm sources are exhausted.
588 securityManager.realms = $tokenAuthRealm, $ldapRealm
590 This configuration allows federation with an external LDAP server, and
591 the user’s ODL role parameters are mapped to corresponding LDAP
592 attributes as specified by the groupRolesMap. Thus, an LDAP operator can
593 provision attributes for LDAP users that support different ODL role
596 ODLJndiLdapRealmAuthNOnly Configuration
597 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
599 Edit the "etc/shiro.ini" file and modify the following:
603 ldapRealm = org.opendaylight.aaa.shiro.realm.ODLJndiLdapRealm
604 ldapRealm.userDnTemplate = uid={0},ou=People,dc=DOMAIN,dc=TLD
605 ldapRealm.contextFactory.url = ldap://<URL>:389
607 # further down in the file...
608 # Stacked realm configuration; realms are round-robbined until authentication succeeds or realm sources are exhausted.
609 securityManager.realms = $tokenAuthRealm, $ldapRealm
611 This is useful for setups where all LDAP users are allowed equal access.
613 Token Store Configuration Parameters
614 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
616 Edit the file “etc/opendaylight/karaf/08-authn-config.xml” and edit the
617 following: .\ **timeToLive**: Configure the maximum time, in
618 milliseconds, that tokens are to be cached. Default is 360000. Save the
621 Authorization Configuration
622 ---------------------------
624 Shiro-Based Authorization
625 ~~~~~~~~~~~~~~~~~~~~~~~~~
627 OpenDaylight AAA has support for Role Based Access Control based on the
628 Apache Shiro permissions system. Configuration of the authorization
629 system is done offline; authorization currently cannot be configured
630 after the controller is started. Thus, Authorization in the Beryllium
631 release is aimed towards supporting coarse-grained security policies,
632 with the aim to provide more robust configuration capabilities in the
633 future. Shiro-based Authorization is documented on the Apache Shiro
634 website (http://shiro.apache.org/web.html#Web-%7B%7B%5Curls%5C%7D%7D).
636 Enable “admin” Role Based Access to the IdMLight RESTful web service
637 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
639 Edit the “etc/shiro.ini” configuration file and add “/auth/v1/\ **=
640 authcBasic, roles[admin]” above the line “/** = authcBasic” within the
645 /auth/v1/** = authcBasic, roles[admin]
648 This will restrict the idmlight rest endpoints so that a grant for admin
649 role must be present for the requesting user.
653 The ordering of the authorization rules above is important!
658 ODL includes an experimental Authorization Broker Facade, which allows
659 finer grained access control for REST endpoints. Since this feature was
660 not well tested in the Boron release, it is recommended to use the
661 Shiro-based mechanism instead, and rely on the Authorization Broker
662 Facade for POC use only.
664 AuthZ Broker Facade Feature Installation
665 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
667 To install the authorization broker facade, please issue the following
668 command in the karaf shell:
672 feature:install odl-restconf odl-aaa-authz
674 Add an Authorization Rule
675 ^^^^^^^^^^^^^^^^^^^^^^^^^
677 The following shows how one might go about securing the controller so
678 that only admins can access restconf.
682 curl -u admin:admin -H “Content-Type: application/xml” --data-binary @./rule.json http://localhost:8181/restconf/config/authorization-schema:simple-authorization/policies/RestConfService/
687 "service":"RestConfService",
692 Accounting Configuration
693 ------------------------
695 All AAA logging is output to the standard karaf.log file.
699 log:set TRACE org.opendaylight.aaa
701 This command enables the most verbose level of logging for AAA