This chapter describes the data flow for authorization and authentication in the UX-Framework. For authorization, the mechanisms provided by SDNC (SDNC-485) of the Application Authorization Framework project are used.
For authentication, the ODL AAA bundle is used. Please see https://docs.opendaylight.org/en/stable-oxygen/user-guide/authentication-and-authorization-services.html#
@startuml
' Format
skinparam backgroundColor #fefefe
'skinparam handwritten true
skinparam roundcorner 15
skinparam databaseBorderColor #666666
skinparam databaseBackgroundColor #fefefe
skinparam databaseFontColor #666666
skinparam sequence {
  MessageAlign center
  ArrowColor #666666
  ArrowFontColor #666666
  ActorBorderColor #666666
  LifeLineBorderColor #666666
  LifeLineBackgroundColor #eeeeee
  ParticipantBorderColor #666666
  ParticipantBackgroundColor #ffffdd
  'ParticipantFontName Impact
  'ParticipantFontSize 17
  ParticipantFontColor #666666
  ActorBackgroundColor #ffffdd
  'ActorFontColor DeepSkyBlue
  'ActorFontSize 17
  'ActorFontName Aapex
}
title
User Authentication and Authorization
end title

' Diagram
actor User
participant WebClient order 10
box " \nKaraf OpenDaylight SDN-R" #F7AA5A
  participant Jetty order 20
  participant AAFShiroRealm order 30
  participant CADIfilter order 40
end box
database Log order 50
participant AAF order 60

autonumber
group authentication
  User -> WebClient: uri:/odlux/index.html
  activate WebClient
  WebClient -> Jetty: Any request without token
  activate Jetty
  Jetty -> WebClient: Login view
  deactivate Jetty
  User -> WebClient: Provide credentials
  WebClient -> Jetty: uri:/oauth2/token\nuser:password
  activate Jetty
  Jetty -> AAFShiroRealm
  activate AAFShiroRealm
  AAFShiroRealm -> AAF: authenticate
  activate AAF
  AAF -> AAFShiroRealm: authenticated:true|false
  deactivate AAF
  AAFShiroRealm -> Jetty
  deactivate AAFShiroRealm
  Jetty -> Log: Create log entry
  Jetty -> WebClient: 200 Ok:token | \n401 Unauthorized
  deactivate Jetty
end

group http request
  User -> WebClient: Request some data
  WebClient -> Jetty: URI and token
  activate Jetty
  Jetty -> CADIfilter: verify token
  deactivate Jetty
  activate AAF
  activate CADIfilter
  CADIfilter -> AAF: check access rights \nfor user and uri
  note right : To be checked: \nuser or group!
  deactivate CADIfilter
  AAF -> CADIfilter: true|false
  deactivate AAF
  activate CADIfilter
  CADIfilter -> Jetty: true|false
  deactivate CADIfilter
  activate Jetty
  Jetty -> WebClient: URI-response(200 Ok | \n401 Unauthorized)
  deactivate Jetty
end
deactivate WebClient
@enduml
Token request:
curl -d 'grant_type=password&username=admin&password=Kp8bJ4SXszM0WXlhak3eHlcse2gAw84vaoGGmJvUy2U&scope=sdn' http://localhost:8181/oauth2/token
Token response:
{"access_token":"34e8340a-0d2f-3bc0-90eb-369a636dd6f2","token_type":"Bearer","expires_in":36000}
Default request:
curl -v -H "Authorization: Bearer 34e8340a-0d2f-3bc0-90eb-369a636dd6f2" http://localhost:8181/restconf/operational/network-topology:network-topology/topology/topology-netconf
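The token request and the bearer-token request above, as an added example that is not part of the SDN-R or ODLUX project code: a small Python client that performs the password-grant request against /oauth2/token, validates the JSON token response, caches the token until the announced expires_in runs out, and retries a RESTCONF GET once with a fresh token when the server answers 401. The base URL, the endpoint paths and the default credentials are taken from the page; the transport is injectable so the flow can be exercised offline against a constructed fake server.

```python
"""Added example client for the SDN-R OAuth2 password grant (not project code).
Assumptions: server at BASE_URL, endpoints /oauth2/token and the RESTCONF
topology URI as shown on the page; credentials default to the page's example."""
import json
import time
import urllib.parse
import urllib.request
from urllib.error import HTTPError

BASE_URL = "http://localhost:8181"
TOKEN_PATH = "/oauth2/token"
TOPOLOGY_PATH = ("/restconf/operational/network-topology:network-topology"
                 "/topology/topology-netconf")


def parse_token_response(body, now=None):
    """Validate the token JSON and turn expires_in into an absolute expiry time."""
    now = time.time() if now is None else now
    data = json.loads(body)
    for key in ("access_token", "token_type", "expires_in"):
        if key not in data:
            raise ValueError(f"token response missing {key!r}")
    if data["token_type"].lower() != "bearer":
        raise ValueError(f"unexpected token_type {data['token_type']!r}")
    return {"access_token": data["access_token"],
            "expires_at": now + int(data["expires_in"])}


def auth_header(token):
    """Header the web client sends on every request after login."""
    return {"Authorization": f"Bearer {token}"}


def urllib_transport(method, url, headers, body=None):
    """Real HTTP transport; returns (status, body_text) even for 4xx/5xx."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode()
    except HTTPError as err:
        return err.code, err.read().decode()


class TokenClient:
    def __init__(self, username, password, base_url=BASE_URL,
                 transport=urllib_transport, now=time.time):
        self._user, self._pw = username, password
        self._base = base_url.rstrip("/")
        self._transport = transport
        self._now = now
        self._token = None          # dict from parse_token_response
        self.token_requests = 0     # how often /oauth2/token was called

    def _request_token(self):
        # Same form body as the curl example; never put these fields in the URL.
        form = urllib.parse.urlencode({"grant_type": "password",
                                       "username": self._user,
                                       "password": self._pw,
                                       "scope": "sdn"}).encode()
        status, body = self._transport(
            "POST", self._base + TOKEN_PATH,
            {"Content-Type": "application/x-www-form-urlencoded"}, form)
        self.token_requests += 1
        if status != 200:
            raise PermissionError(f"token request failed with HTTP {status}")
        self._token = parse_token_response(body, self._now())
        return self._token["access_token"]

    def token(self):
        # Reuse the cached token; refresh 60 s before the server-announced expiry.
        if self._token is None or self._now() >= self._token["expires_at"] - 60:
            return self._request_token()
        return self._token["access_token"]

    def get(self, path):
        """GET a RESTCONF path; on 401 obtain a fresh token and retry exactly once."""
        url = self._base + path
        status, body = self._transport("GET", url, auth_header(self.token()))
        if status == 401:
            status, body = self._transport("GET", url, auth_header(self._request_token()))
        if status == 401:
            raise PermissionError("request still unauthorized after token refresh")
        return status, body


if __name__ == "__main__":
    # Page's default SDN-R credentials; change them for any real deployment.
    client = TokenClient("admin", "Kp8bJ4SXszM0WXlhak3eHlcse2gAw84vaoGGmJvUy2U")
    print(client.get(TOPOLOGY_PATH))
```

The 401 retry exists because the diagram shows CADIfilter rejecting a request with a stale or invalid token; one refresh is enough to tell an expired token apart from a real authorization failure, which is then raised instead of looping.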
Please find more info: