The ODL Nitrogen release no longer uses the shiro.ini file and has replaced it with aaa-app-config.xml. The aaa-app-config.xml file is generated from an existing shiro.ini by a Python script provided by ODL. ODL instructions can be found at http://docs.opendaylight.org/en/stable-nitrogen/release-notes/projects/aaa.html.

Example conversion:

root@07bdfeb292d5:/opt/opendaylight/current/etc# python ../bin/upgrade/convert-shiro-ini-to-rest-payload shiro.ini opendaylight/datastore/initial/config/aaa-app-config.xml

Sample shiro.ini:
#
# Copyright (c) 2015-2016 Brocade Communications Systems, Inc. and others.  All rights reserved.
# Additions copyright (C) 2018 AT&T Intellectual Property
#
# This program and the accompanying materials are made available under the
# terms of the Eclipse Public License v1.0 which accompanies this distribution,
# and is available at http://www.eclipse.org/legal/epl-v10.html
#

###############################################################################
# shiro.ini                                                                   #
#                                                                             #
# Configuration of OpenDaylight's aaa-shiro feature.  Provided Realm          #
# implementations include:                                                    #
# - TokenAuthRealm (enabled by default)                                       #
# - ODLJndiLdapRealm (disabled by default)                                    #
# - ODLJndiLdapRealmAuthNOnly (disabled by default)                           #
# Basic user configuration through shiro.ini is disabled for security         #
# purposes.                                                                   #
###############################################################################



[main]
###############################################################################
# realms                                                                      #
#                                                                             #
# This section is dedicated to setting up realms for OpenDaylight.  Realms    #
# are essentially different methods for providing AAA.  ODL strives to provide#
# highly-configurable AAA by providing pluggable infrastructure.  By default, #
# TokenAuthRealm is enabled out of the box (which bridges to the existing AAA #
# mechanisms).  More than one realm can be enabled, and the realms are        #
# tried Round-Robin until:                                                    #
# 1) a realm successfully authenticates the incoming request                  #
# 2) all realms are exhausted, and 401 is returned                            #
###############################################################################


# ODL provides a few LDAP implementations, which are disabled out of the box.
# ODLJndiLdapRealm includes authorization functionality based on LDAP elements
# extracted through an LDAP search.  This requires a bit of knowledge about
# how your LDAP system is set up.  An example is provided below:
#ldapRealm = org.opendaylight.aaa.shiro.realm.ODLJndiLdapRealm
#ldapRealm.userDnTemplate = uid={0},ou=People,dc=DOMAIN,dc=TLD
# Plain ldap:// on port 389 carries the bind credentials unencrypted; prefer
# ldaps:// (or StartTLS, where the directory and the realm support it).
#ldapRealm.contextFactory.url = ldap://<URL>:389
#ldapRealm.searchBase = dc=DOMAIN,dc=TLD
# Abstraction to map LDAP extracted groups to ODL roles
#ldapRealm.groupRolesMap = "person":"admin", "organizationalPerson":"user"
#ldapRealm.ldapAttributeForComparison = objectClass

# ODL also provides ODLJndiLdapRealmAuthNOnly.  Essentially, this allows
# access through AAAFilter to any user that can authenticate against the
# provided LDAP server.  As the name says it performs authentication only, so
# roles[...] checks in [urls] presumably cannot be satisfied through it --
# verify before relying on role-based rules with this realm.
#ldapRealm = org.opendaylight.aaa.shiro.realm.ODLJndiLdapRealmAuthNOnly
#ldapRealm.userDnTemplate = uid={0},ou=People,dc=DOMAIN,dc=TLD
#ldapRealm.contextFactory.url = ldap://<URL>:389

# ODL provides an Active Directory Realm through ODLActiveDirectoryRealm.
#adRealm = org.opendaylight.aaa.shiro.realm.ODLActiveDirectoryRealm
#adRealm.searchBase = "CN=Users,DC=example,DC=com"
# systemUsername/systemPassword are the service account used to query AD.
# The password sits in this file in clear text: give that account read-only,
# least-privilege rights and restrict the file's permissions accordingly.
#adRealm.systemUsername = aduser@example.com
#adRealm.systemPassword = adpassword
#adRealm.url = ldaps://adserver:636
# the groupRolesMap maps an AD group DN to a particular role.
#adRealm.groupRolesMap = "CN=sysadmin,CN=Users,DC=example,DC=com":"admin", "CN=unprivileged,CN=Users,DC=example,DC=com":"user"

# ODL provides a slightly customized version of Shiro's JdbcRealm, which
# can be used to integrate with an existing JDBC-supporting data source.  This
# helps ease deployment configuration with existing OSS systems.  Setting up
# the ODLJdbcRealm requires instantiation of two abstractions: the data source
# and the realm.
# ds, which stands for data source, defines a data source which can be used
# for JDBC connections.  ds.password is stored here in clear text; the note on
# adRealm.systemPassword above applies equally.
#ds = com.mysql.jdbc.Driver
#ds.serverName = localhost
#ds.user = user
#ds.password = password
#ds.databaseName = db_name
# jdbcRealm is used to manipulate realm instance properties, specifically the
# queries required to extract information from a JDBC data source.  Both
# queries are parameterized (the ? placeholder is bound to the user name);
# keep that form rather than splicing the supplied name into the statement.
# NOTE(review): the value returned by authenticationQuery is what the realm
# compares credentials against -- confirm the column holds hashed passwords and
# that the realm's credentialsMatcher is configured to match.
#jdbcRealm = org.opendaylight.aaa.shiro.realm.ODLJdbcRealm
#jdbcRealm.dataSource = $ds
#jdbcRealm.authenticationQuery = "SELECT password FROM users WHERE user_name = ?"
#jdbcRealm.userRolesQuery = "SELECT role_name FROM user_roles WHERE user_name = ?"

# Bridge to existing h2/idmlight/mdsal authentication/authorization mechanisms.
# This realm is enabled by default, and utilizes h2-store by default.  It is
# commented out in this sample because the AT&T AAF realm below takes over the
# tokenAuthRealm key.
#tokenAuthRealm = org.opendaylight.aaa.shiro.realm.TokenAuthRealm

# AT&T
# Use this class for the AAF Realm; the [urls] rules must then use the AAF
# permission format inside roles[...] (see the /** rule there).  Reusing the
# tokenAuthRealm key means securityManager.realms below needs no change, and
# because the stock TokenAuthRealm above is commented out, AAF is the only
# realm consulted.
tokenAuthRealm = org.onap.aaf.cadi.shiro.AAFRealm

# The MoonRealm is useful for bridging ODL with the OPNFV Moon project.  To
# enable the moonAuthRealm, uncomment the line below, and then add moonAuthRealm
# to the securityManager.realms list below
#moonAuthRealm = org.opendaylight.aaa.shiro.realm.MoonRealm
#moonAuthRealm.moonServerURL = http://<host>:<port>

# ODL provides a KeystoneAuthRealm to authenticate access against an OpenStack
# Keystone (v3) instance. At this time the authentication is 'unscoped' and
# authorization is not supported.
#keystoneAuthRealm = org.opendaylight.aaa.shiro.realm.KeystoneAuthRealm
#keystoneAuthRealm.url = https://<host>:<port>
# Keep sslVerification = true so the Keystone server certificate is validated;
# with it disabled, the credentials sent to Keystone are exposed to any host
# that can impersonate the server.
#keystoneAuthRealm.sslVerification = true
# Default domain to use if not specified within the provided credentials.
#keystoneAuthRealm.defaultDomain = Default

# The CSV list of enabled realms.  In order to enable a realm, add it to the
# comma-separated list below.  Only $tokenAuthRealm (the AAF realm above) is
# listed here, so it is the sole authenticator; a realm that is defined above
# but missing from this list is never consulted.
securityManager.realms = $tokenAuthRealm

# adds a custom AuthenticationFilter to support OAuth2 for backwards
# compatibility.  To disable OAuth2 access, just comment out the next line
# and authcBasic will default to BasicHttpAuthenticationFilter, a
# Shiro-provided class.  Every filter chain in [urls] starts with authcBasic.
authcBasic = org.opendaylight.aaa.shiro.filters.ODLHttpAuthenticationFilter

# OAuth2 Filter for moon token AuthN; referenced by the commented-out
# /token rule in [urls].
#rest = org.opendaylight.aaa.shiro.filters.MoonOAuthFilter

# add in AuthenticationListener, a Listener that records whether
# authentication attempts are successful or unsuccessful.  This audit
# information is disabled by default, to avoid log flooding.  To enable,
# issue the following in karaf:
# >log:set DEBUG org.opendaylight.aaa.shiro.filters.AuthenticationListener
accountingListener = org.opendaylight.aaa.shiro.filters.AuthenticationListener
securityManager.authenticator.authenticationListeners = $accountingListener

# Filter to support dynamic urls rules based on md-sal model.  Referenced by
# name from the /v1/** filter chain in [urls].
dynamicAuthorization = org.opendaylight.aaa.shiro.realm.MDSALDynamicAuthorizationFilter



[urls]
###############################################################################
# url authorization section                                                   #
#                                                                             #
# This section is dedicated to defining url-based authorization according to: #
# http://shiro.apache.org/web.html                                            #
#                                                                             #
# DO NOT EDIT THE FOLLOWING UNLESS YOU KNOW WHAT YOU ARE DOING!               #
###############################################################################

# Each line is "path pattern = filter chain".  Shiro applies the first pattern
# that matches the request path (see the link above), so the specific rules
# must stay above the /** catch-all at the end of this section.  Every chain
# here starts with authcBasic, which is backed by the realm(s) listed in
# securityManager.realms in [main].

# Temporarily added authorization endpoints;  will be removed when MDSAL based
# Model can be initialized from file.
/v1/** = authcBasic, roles[admin], dynamicAuthorization

# Restrict AAA-Certificate REST APIs to Admin role
/config/aaa-cert-mdsal** = authcBasic, roles[admin]
/operational/aaa-cert-mdsal** = authcBasic, roles[admin]
/operations/aaa-cert-rpc** = authcBasic, roles[admin]

# Access to the credential store is limited to the valid users who have the
# admin role. The following lines are only needed if the mdsal store is enabled
# (the mdsal store is disabled by default).
/config/aaa-authn-model** = authcBasic, roles[admin]
/operational/aaa-authn-model** = authcBasic, roles[admin]

# NOTE(review): the roles[admin] checks above are answered by the active realm;
# with the AAF realm configured in [main], whether a caller holds "admin" is
# decided by that realm's role mapping -- confirm against the AAF setup.

# Uncomment the line below to enable the Moon AuthenticatingFilter
# (the rest filter in [main] must be uncommented as well).
#/token = rest

# General access through AAAFilter requires valid credentials (AuthN only).
# Stock ODL rule; replaced in this sample by the AAF rule below.
#/** = authcBasic, dynamicAuthorization

# AT&T
# Use this format for AAF; authcBasic must then be backed by the AAF Realm
# (tokenAuthRealm in [main]).  The roles[...] argument is an AAF permission,
# presumably in AAF's type|instance|action form with the trailing * matching
# any action -- confirm against AAF's permission matching.  This rule is the
# catch-all for every path not matched by a more specific rule above.
/** = authcBasic, roles[org.onap.appc.odl|odl-api|*]
# Use this format for no security: every path is then served with neither
# authentication nor authorization.  Keep it commented out anywhere the
# controller is reachable; it is only suitable for isolated testing.
#/** = noauth
Resultant aaa-app-config.xml (only the uncommented shiro.ini entries are carried over, in file order; the commented-out examples, including the `/** = noauth` line, are not emitted):
<?xml version="1.0" ?>
<shiro-configuration xmlns="urn:opendaylight:aaa:app:config">
    <main>
        <pair-key>tokenAuthRealm</pair-key>
        <pair-value>org.onap.aaf.cadi.shiro.AAFRealm</pair-value>
    </main>
    <main>
        <pair-key>securityManager.realms</pair-key>
        <pair-value>$tokenAuthRealm</pair-value>
    </main>
    <main>
        <pair-key>authcBasic</pair-key>
        <pair-value>org.opendaylight.aaa.shiro.filters.ODLHttpAuthenticationFilter</pair-value>
    </main>
    <main>
        <pair-key>accountingListener</pair-key>
        <pair-value>org.opendaylight.aaa.shiro.filters.AuthenticationListener</pair-value>
    </main>
    <main>
        <pair-key>securityManager.authenticator.authenticationListeners</pair-key>
        <pair-value>$accountingListener</pair-value>
    </main>
    <main>
        <pair-key>dynamicAuthorization</pair-key>
        <pair-value>org.opendaylight.aaa.shiro.realm.MDSALDynamicAuthorizationFilter</pair-value>
    </main>
    <urls>
        <pair-key>/v1/**</pair-key>
        <pair-value>authcBasic, roles[admin], dynamicAuthorization</pair-value>
    </urls>
    <urls>
        <pair-key>/config/aaa-cert-mdsal**</pair-key>
        <pair-value>authcBasic, roles[admin]</pair-value>
    </urls>
    <urls>
        <pair-key>/operational/aaa-cert-mdsal**</pair-key>
        <pair-value>authcBasic, roles[admin]</pair-value>
    </urls>
    <urls>
        <pair-key>/operations/aaa-cert-rpc**</pair-key>
        <pair-value>authcBasic, roles[admin]</pair-value>
    </urls>
    <urls>
        <pair-key>/config/aaa-authn-model**</pair-key>
        <pair-value>authcBasic, roles[admin]</pair-value>
    </urls>
    <urls>
        <pair-key>/operational/aaa-authn-model**</pair-key>
        <pair-value>authcBasic, roles[admin]</pair-value>
    </urls>
    <urls>
        <pair-key>/**</pair-key>
        <pair-value>authcBasic, roles[org.onap.appc.odl|odl-api|*]</pair-value>
    </urls>
</shiro-configuration>