Versions Compared

Old Version 10

changes.mady.by.user Herbert Eiselt

Saved on

compared with

New Version Current

changes.mady.by.user Michael Dürre

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Table of Contents

Overview

Provide simple user management. 

  • User groups : admin, configure, read
  • Authentication and authorization
  • Choose existing identity provider:
    • User management
    • OAuth 2.0 token (key)

Standards

Identityprovider

...

User setting

  • server can store a provide a user specific data record
    • username is key for the record
    • Should be JSON
    • data-provider has get and set method
    • Specified via yang
  • User groups

Features to be managed

  • Applications (use, read)
    • all
  •  Configurations
    • mountpoint
    • config app
    • maintenance

...

  • keycloak

Requirements

AAA configuration

The term AAA configuration groups the configuration of 

  • user domains
  • user roles 
  • user policies
  • users
  • and the associations for users to domains, roles and policies

At startup time of the system domains, roles and policies are configured and should not change during the runtime of the system. Users and their associations to domains, roles and policies can be configured during runtime.

For a better understanding of such configuration ONAP SDN-R should provide the following default configuration:

SDN-R default configuration for "Domains"

Domain IDDescription
sdnDefault OpenDaylight SDN domain

Please note that this configuration is set during start-up time of the system e.g. by K8s.

SDN-R default configuration for "Roles"

Role IDDescriptionDomain
adminA role with full read and write access.sdn
provision

A role for those who are provisioning the network. This allows read-write access to everything, accept security settings.

Open: each user should be able to configure his own password.

sdn
supervision

A role read-only access.

Open: each user should be able to configure his own password.

sdn

Please note that this configuration is set during start-up time of the system e.g. by K8s.

SDN-R default configuration for "Policies"

REST pattern (Policy ID)ROLEHTTP-GETHTTP-PUTHTTP-PATCHHTTP-DELETEHTTP-POST
/oauth/**anon




/readyanon




/odlux/**anon




/aboutanon




/help/**anon




/apidoc/**admin




/restconf/**

admintruetruetruetruetrue
/rests/data/network-topology:network-topology/topology=topology-netconf/**admin, provisiontruetruetruetruetrue
/rests/data/network-topology:network-topology/topology=topology-netconf/**supervisiontruefalsefalsefalsefalse

Please note that this configuration is set during start-up time of the system e.g. by K8s.

Open: How to allow EACH user to update its own user password?

SDN-R default configuration for "Users"

NAME (User ID)DESCRIPTIONEMAILPASSWORDDOMAIN

leia.organa


The first administrator of ONAP SDN-R.leia.organa@sdnr.onap.orgDefault4SDN!sdn
r2.d2The automation administrator for ONAP SDN-R.r2.d2@sdnr.onap.orgDefault4SDN!sdn
luke.skywalkerThe son of Anakin Skywalker and Padmé Amidala, Luke Skywalker was born mere days after the formation of the Galactic Empire. luke.skywalker@sdnr.onap.orgDefault4SDN!sdn
jargo.fettJust read - don't write.jargo.fett@sdnr.onap.orgDefault4SDN!sdn

Please note that this configuration can be set set during start-up time and during run time.

SDN-R default configuration for "Grants"

NAMEDOMAINROLE
leia.organasdnadmin
r2.d2sdnadmin
luke.skywalkersdnprovision
jargo.fettsdnsupervision



Work split

  • Acting components
    • User
    • Identification provider
    • ODLUX Client
    • SDN-R server
  • Identity provider
  • SDN-R Server

    ...

    ...

    ...

    • ODLUX Client

    ...

      ...

        • authorization

      ...

      • to be configured

      ...

      • proxy

      ...

        • for GUI
        • Use list of identity providers to offer login
        • Get key with identity and group of user from identity provider into ODLUX Userspace
        • Get SDN-R User group from server
        • User user group to enable/disable functions in ODLUX GUI