* *Authorization*: Means to authorize human or machine user access to resources including RPCs, notification subscriptions, and subsets of the datatree.
* *Accounting*: Means to record and access the records of human or machine user access to resources including RPCs, notifications, and subsets of the datatree
+## Caveats
+The following caveats are applicable to the current AAA implementation:
+ - The database (H2) used by ODL AAA Authentication store is not-cluster enabled. When deployed in a clustered environment each node needs to have its AAA
+ user file synchronised using out of band means.
+
## Quick Start
### Building
repo-add mvn:org.opendaylight.aaa/features-aaa/0.1.0-SNAPSHOT/xml/features
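Review bot: the caveat mixes two artefacts, calling the store an H2 database in the first sentence and an "AAA user file" in the second, so it is unclear to an operator what actually has to be copied between cluster nodes; name the concrete artefact (the H2 database file or a user export) and, since it holds the authentication credentials, say that the out-of-band synchronisation must use a protected channel and that nodes will otherwise serve divergent credential sets. Minor: "not-cluster enabled" should read "not cluster-enabled", and "The following caveats" introduces a single item.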
-Install all AAA features:
+Install AAA AuthN features:
- feature:install odl-aaa-all
+ feature:install odl-aaa-authn
### Protecting your REST/RestConf resources
curl -s -H 'Authorization: Bearer d772d85e-34c7-3099-bea5-cfafd3c747cb' http://<controller>:<port>/restconf/operational/opendaylight-inventory:nodes
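Review bot: the Quick Start now installs only `odl-aaa-authn`, but the token-cache section further down still tells the reader to run `feature:install odl-aaa-all`, so the two instructions in the same document disagree about which feature set to install; either update the later command to the AuthN feature or explain here that `odl-aaa-all` is the superset needed for the authorization pieces. The curl example that follows sends a bearer token to a plain `http://` URL; a one-line remark that the token is a credential and should only be sent over TLS in deployments would fit next to it.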
+The operational state of access tokens cached in the MD-SAL can also be obtained after enabling the restconf feature:
+
+ feature:install odl-aaa-all
+
+At the following URL
+
+ http://controller:8181/restconf/operational/aaa-authn-model:tokencache/
+
+
## Framework Overview
### Authentication
Authorization is implemented via the aaa-authz modules, comprising of a yang based AuthZ policy schema, an MD-SAL AuthZ capable broker, an AuthZ
service engine invoked by the broker and executing policies.
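Review bot: the sentence says the token cache is available "after enabling the restconf feature", but the command shown installs `odl-aaa-all`, not `odl-restconf`; the text and the command should name the same feature. The `aaa-authn-model:tokencache/` URL returns the operational state of live access tokens, so the doc should state whether that resource is itself behind the AAA filter, since anyone able to read it can reuse the cached tokens shown in the curl example above. Also, the added text ends with two blank lines, and the unchanged "### Authentication" heading below it now heads a paragraph that describes authorization via aaa-authz; while here, that heading looks like it should be "### Authorization".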
-Initially the AuthZ functionality is only able to handle RestConf requests, and to do so the Restconf connnector configuration must
+NOTE: The Lithium release features a trail of Authz functionality, in particular longest string matching is not implemented.
+
+Initially the AuthZ functionality is only able to handle RestConf requests, and to do so the Restconf connector configuration must
be explicitly modified as follows:
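Review bot: "a trail of Authz functionality" is presumably "a trial" (or "a subset"); more importantly, the statement that longest string matching is not implemented has a direct security consequence once wildcarded resources such as `/configuration/opendaylight-inventory:nodes/node/*/node-connector/*` are allowed, because two policies can match the same request and the reader cannot tell which role requirement wins. Please state the precedence rule that is applied in Lithium (first match in list order, most permissive, most restrictive) so operators can reason about overlapping policies.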
- 0. Compile as per the above instructions
- 1. If you have already run ODL with Restconf or the mdsal-all feature package under karaf, then proceed as per below. Alternatively skip to step 2.
- 1a. consider deleting the assembly/data directory in your karaf install. This will require the re-activation of features at karaf startup.
- 1b. Delete the default restconf connector configuration file: "rm assembly/etc/opendaylight/karaf/10-rest-connector.xml"
- 2. Start karaf and install the odl-aaa-all feature as per the previous instructions
- 3. Start the odl-restconf feature via the command "feature:install odl-resctonf". An alternative can also be feature:install odl-mdsal-all
-
-To unistall authz:
-1. Unistall the feature via "feature:uninstall feature:odl-aaa-authz"
-2. Either:
-2a. Locate and open in an editor the default 10-rest-connector.xml configuration file in assembly/etc/opendaylight/karaf/.
- 2. Change the <dom-broker> configuration element
- FROM:
- <dom-broker>
- <type xmlns:dom="urn:opendaylight:params:xml:ns:yang:controller:md:sal:dom">dom:dom-broker-osgi-registry</type>
- <name>authz-connector-default</name>
- </dom-broker>
- TO:
- <dom-broker>
- <type xmlns:dom="urn:opendaylight:params:xml:ns:yang:controller:md:sal:dom">dom:dom-broker-osgi-registry</type>
- <name>dom-broker</name>
- </dom-broker>
-OR:
-2b. Reinstall resctonf via the command "feature:install odl-resctonf"
-
-Legacy instructions for activating Authz in non karaf based ODL runtimes:
- 0. Build aaa project and copy all generated aaa jars to the plugins directory of your odl target install
- 1. Locate and open in an editor the default 10-rest-connector.xml configuration file. Default location is at 'configuration/initial'
- 2. Change the <dom-broker> configuration element
- FROM:
- <dom-broker>
- <type xmlns:dom="urn:opendaylight:params:xml:ns:yang:controller:md:sal:dom">dom:dom-broker-osgi-registry</type>
- <name>dom-broker</name>
- </dom-broker>
- TO:
- <dom-broker>
- <type xmlns:dom="urn:opendaylight:params:xml:ns:yang:controller:md:sal:dom">dom:dom-broker-osgi-registry</type>
- <name>authz-connector-default</name>
- </dom-broker>
- 3. Restart ODL
-
-Default authorization are loaded from the configuration subsystem (TODO: Provide a default set)
-They are accessible and editable via the restconf interface at: http://<odl address>/restconf/configuration/authorization-schema:simple-authorization/
+ 0. Compile or obtain the ODL distribution
+ 1. Start karaf and install the odl-aaa-authz feature
+
+ Note: At this stage, with a default configuration, there is no MD-SAL data to test against. To test you can install the toaster service using feature:install odl-toaster
+
+Default authorization policies are loaded from the configuration subsystem (TODO: Provide a default set)
+They are accessible and editable via the restconf interface at:
+
+ http://<odl address>/restconf/configuration/authorization-schema:simple-authorization/
The schema for policies is a list consisting of the following items:
* Resource: The URI or Yang instance id of the resource, including wildcards (see examples below)
* Role: The AuthN derived user role
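Review bot: the rewritten procedure drops the whole `10-rest-connector.xml` / `<dom-broker>` edit (the `authz-connector-default` swap) without saying that it is no longer required, and it also removes the uninstall steps without replacing them; if installing `odl-aaa-authz` now wires the broker automatically, say so in one sentence, and add how to disable Authz again, since an operator who followed the old steps will otherwise be left with a stale connector configuration. The retained "TODO: Provide a default set" leaves the most important question unanswered: what happens to a RestConf request when no policies are loaded at all (allowed or denied). That default should be documented before the policy URL. Please also confirm the path `/restconf/configuration/...`; the curl example earlier in the document uses `/restconf/operational/`, and the configuration datastore is normally reached under `/restconf/config/`.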
-Some examples of resources are
- Data : /operational/opendaylight-inventory:nodes/node/openflow:1/node-connector/openflow:1:1
- Wildcarded data: /configuration/opendaylight-inventory:nodes/node/*/node-connector/*
- RPC: /operations/example-ops:reboot
- Wildcarded RPC: /operations/example-ops:*
- Notification: /notifications/example-ops:startup
+Some examples of resources are:
+
+ Data : /operational/opendaylight-inventory:nodes/node/openflow:1/node-connector/openflow:1:1
+
+ Wildcarded data: /configuration/opendaylight-inventory:nodes/node/*/node-connector/*
+
+ RPC: /operations/example-ops:reboot
+
+ Wildcarded RPC: /operations/example-ops:*
+
+ Notification: /notifications/example-ops:startup
+
*More on MD-SAL authorization later...*
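Review bot: the examples list resource strings only, but the schema just above says a policy is a list entry consisting of a Resource and a Role; one complete policy entry pairing a wildcarded resource with a role (for instance the `/operations/example-ops:*` RPC example with the role it requires) would show the reader what to actually write into `authorization-schema:simple-authorization`. Minor: `Data :` has a stray space before the colon while the other labels do not, and the list reformatting leaves the final blank line before the closing "*More on MD-SAL authorization later...*" italic note.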