APPC uses the AAF Shiro OSGI plugin to secure access to ODL web services with AAF.
The AAF shiro plugin is preloaded in the APPC docker image along with a sample cadi.properties file.
New certificates are available on the master branch to replace the expired one-way SSL certificates.
Update /opt/opendaylight/current/etc/opendaylight/datastore/initial/config/aaa-app-config.xml: swap the commenting for tokenAuthRealm from
<main>
<pair-key>tokenAuthRealm</pair-key>
<pair-value>org.opendaylight.aaa.shiro.realm.TokenAuthRealm</pair-value>
<!-- <pair-value>org.onap.aaf.cadi.shiro.AAFRealm</pair-value> -->
</main>
To
<main>
<pair-key>tokenAuthRealm</pair-key>
<!-- <pair-value>org.opendaylight.aaa.shiro.realm.TokenAuthRealm</pair-value> -->
<pair-value>org.onap.aaf.cadi.shiro.AAFRealm</pair-value>
</main>
Swap the url entries for the urls to be secured by AAF (NOTE: DO THIS FOR ALL URLS USING authcBasic), from
<urls>
<pair-key>/**</pair-key>
<pair-value>authcBasic, roles[admin]</pair-value>
<!-- <pair-value>authcBasic, roles[org.onap.appc.odl|odl-api|*]</pair-value> -->
</urls>
To
<urls>
<pair-key>/**</pair-key>
<!-- <pair-value>authcBasic, roles[admin]</pair-value> -->
<pair-value>authcBasic, roles[org.onap.appc.odl|odl-api|*]</pair-value>
</urls>
If there is not a DNS entry for aaf-onap-beijing-test.osaaf.org, set the mapping to a valid AAF instance in /etc/hosts.
The cadi.properties properties include:
hostname= usually the machine hostname, should be unique
aaf_url= AAF instance to connect to
aaf_id= id used to connect to AAF
aaf_password= password associated with aaf_id
cadi_keyfile= keyfile used for password encryption
3. Restart APPC
The permissions used to secure urls can be customized. To customize the permission used for a url:
Ensure the permission has been added to AAF
Identify the url in the aaa-app-config.xml
Set the AAF permission to be used in the roles[] for the url
Example: to use the permission org.onap.appc.admin|*|* for the /auth/** url
<urls>
<pair-key>/auth/**</pair-key>
<pair-value>authcBasic, roles[org.onap.appc.admin|*|*]</pair-value>
</urls>
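Missing one authcBasic url when swapping roles leaves that path protected only by the local ODL admin role. As an added example that is not part of the APPC project's code, this Python check parses an aaa-app-config.xml and reports a tokenAuthRealm that is not the AAF realm and any authcBasic url whose roles[] is not an AAF permission. The sample config and the rule "an AAF permission contains | separators (type|instance|action)" are assumptions.

```python
"""Check an ODL aaa-app-config.xml for an incomplete switch-over to AAF."""
import re
import xml.etree.ElementTree as ET

AAF_REALM = "org.onap.aaf.cadi.shiro.AAFRealm"

# Constructed sample: realm switched to AAF, but /restconf/** still uses
# the local admin role. (Real files use a default xmlns; handled below.)
SAMPLE_CONFIG = """<shiro-configuration xmlns="urn:opendaylight:aaa:app:config">
  <main>
    <pair-key>tokenAuthRealm</pair-key>
    <!-- <pair-value>org.opendaylight.aaa.shiro.realm.TokenAuthRealm</pair-value> -->
    <pair-value>org.onap.aaf.cadi.shiro.AAFRealm</pair-value>
  </main>
  <urls>
    <pair-key>/auth/**</pair-key>
    <pair-value>authcBasic, roles[org.onap.appc.admin|*|*]</pair-value>
  </urls>
  <urls>
    <pair-key>/restconf/**</pair-key>
    <pair-value>authcBasic, roles[admin]</pair-value>
  </urls>
  <urls>
    <pair-key>/**</pair-key>
    <pair-value>authcBasic, roles[org.onap.appc.odl|odl-api|*]</pair-value>
  </urls>
</shiro-configuration>"""


def _local(el):
    """Tag name without the xmlns prefix ElementTree attaches."""
    return el.tag.split("}")[-1]


def find_aaf_gaps(xml_text):
    """Return human-readable findings; an empty list means fully AAF-secured."""
    findings = []
    # XML comments are dropped by the parser, so a commented-out
    # pair-value is ignored exactly as Shiro ignores it.
    for block in ET.fromstring(xml_text):
        pairs = {_local(c): (c.text or "").strip() for c in block}
        key, value = pairs.get("pair-key"), pairs.get("pair-value", "")
        if _local(block) == "main" and key == "tokenAuthRealm" and value != AAF_REALM:
            findings.append(f"tokenAuthRealm is {value!r}, expected {AAF_REALM}")
        elif _local(block) == "urls" and "authcBasic" in value:
            m = re.search(r"roles\[([^\]]*)\]", value)
            roles = m.group(1) if m else ""
            if "|" not in roles:  # heuristic: AAF permissions are type|instance|action
                findings.append(f"{key}: roles[{roles}] is not an AAF permission")
    return findings
```

Run it against the live file with `find_aaf_gaps(open(path).read())` before the restart in step 3; any finding means a url is still gated by a local ODL role.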
Older versions of ODL use shiro.ini, located in the /etc directory, in place of aaa-app-config.xml. The properties used in shiro.ini are the same. When updating shiro.ini, ODL has to be restarted for the changes to take effect.