...

  • get rid of the insecure basic authentication of OpenDaylight for RESTCONF
  • instead implement JSON Web Token (JWT) authorization
    • JWT is stateless because it is signed
    • so roles can be put inside the token, and the token only has to be verified (signature checked) to get the roles of the user

Problems

  • The OpenDaylight AAA project for aluminium-SR1 only supports an Authorization header starting with "Basic", while a JWT is sent as a Bearer token
  • So we had to patch the org.opendaylight.aaa:aaa-shiro:0.12.1 bundle with
    • some classes backported from the org.apache.shiro:shiro-core:1.7 package
    • two modifications to the Authenticator so that it also accepts Bearer tokens
  • we realized that an entry in aaa-app-config.xml like

...

where /realm_access/roles are the important ones for us; they were configured in the Keycloak backend.
Hint: offline_access and uma_authorization are built-in Keycloak roles. They are filtered out by the oauth-provider bundle, so the role delivered in this case is only provision.


The Opendaylight Roles access problem

As described above, we found out that an entry in aaa-app-config.xml like

Code Block
    <urls>
        <pair-key>/**</pair-key>
        <pair-value>authcBasic, roles["admin,provision"]</pair-value>
    </urls>

results in a restriction for the configured URL that requires the user to hold both roles. That is why we implemented a new filter, AnyRoleHttpAuthenticationFilter: if you enable it for a URL, the user only has to be in at least one of the listed roles to get access.

Code Block
    <main>
        <pair-key>anyroles</pair-key>
        <pair-value>org.opendaylight.aaa.shiro.filters.AnyRoleHttpAuthenticationFilter</pair-value>
    </main>

So usage changes to: 

Code Block
    <urls>
        <pair-key>/**</pair-key>
        <pair-value>authcBasic, anyroles["admin,provision"]</pair-value>
    </urls>
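As an added example that is not part of the original page (and not the Java filter itself), this Python sketch walks through the chain the page describes: a Bearer token is verified by signature before its realm_access.roles are read, the built-in Keycloak roles are dropped, and the same comma-separated role list is evaluated with the stock roles[...] semantics (every role required) and the new anyroles[...] semantics (one role is enough). The HS256 secret and the alice token are constructed for the test; real Keycloak tokens are RS256-signed by the realm key.

```python
import base64
import hashlib
import hmac
import json

# Built-in Keycloak roles that, per the page, the oauth-provider bundle filters out.
BUILTIN_ROLES = {"offline_access", "uma_authorization"}

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_hs256_token(payload: dict, secret: bytes) -> str:
    """Constructed HS256 test token; a real Keycloak token is RS256-signed by the realm key."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(payload).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"

def roles_from_bearer(authorization: str, secret: bytes) -> set:
    """Accept only a Bearer token, verify its signature, then return realm roles minus built-ins."""
    scheme, _, token = authorization.partition(" ")
    if scheme != "Bearer" or not token:
        raise ValueError("expected a Bearer token")
    header, body, sig = token.split(".")
    # Pin the algorithm before trusting the signature (rejects "none" / alg confusion).
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body))
    return set(claims.get("realm_access", {}).get("roles", [])) - BUILTIN_ROLES

def parse_role_spec(spec: str) -> set:
    """The 'admin,provision' inside roles[...] / anyroles[...] is a comma-separated list."""
    return {r.strip() for r in spec.split(",") if r.strip()}

def roles_filter_allows(user_roles, spec: str) -> bool:
    """Shiro's stock roles[...] semantics: the user must hold every listed role."""
    return parse_role_spec(spec) <= set(user_roles)

def anyroles_filter_allows(user_roles, spec: str) -> bool:
    """The page's anyroles[...] semantics: holding at least one listed role is enough."""
    return bool(parse_role_spec(spec) & set(user_roles))
```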