Overview

Provide simple user management. 

• User groups : admin, configure, read
• Authentication and authorization
• Choose existing identity provider:
  • User management
  • OAuth 2.0 token (key)

Standards

• OpenID (https://en.wikipedia.org/wiki/OpenID)
• OpenID Connect (https://en.wikipedia.org/wiki/OpenID_Connect)
• OAuth 2.0  (https://en.wikipedia.org/wiki/OAuth)

Identityprovider

• ory/hydra
  • github https://github.com/ory/hydra
  • as docker https://hub.docker.com/r/oryd/hydra/
• ory/kratos
  • github https://github.com/ory/kratos
  • as docker https://hub.docker.com/r/oryd/kratos
  • Quickstart: https://www.youtube.com/watch?v=5t1Zr_zJc7E
• keycloak

Requirements

•  OpenId Connect as Identity Provider

AAA configuration

The term AAA configuration groups the configuration of 

• user domains
• user roles 
• user policies
• users
• and the associations for users to domains, roles and policies

At startup time of the system domains, roles and policies are configured and should not change during the runtime of the system. Users and their associations to domains, roles and policies can be configured during runtime.

For a better understanding of such configuration ONAP SDN-R should provide the following default configuration:

SDN-R default configuration for "Domains"

Please note that this configuration is set during start-up time of the system e.g. by K8s.

SDN-R default configuration for "Roles"

Please note that this configuration is set during start-up time of the system e.g. by K8s.

SDN-R default configuration for "Policies"

Please note that this configuration is set during start-up time of the system e.g. by K8s.

Open: How to allow EACH user to update its own user password?

SDN-R default configuration for "Users"

Please note that this configuration can be set set during start-up time and during run time.

SDN-R default configuration for "Grants"

eyJleHRTcnZJbnRlZ1R5cGUiOiIiLCJnQ2xpZW50SWQiOiIiLCJjcmVhdG9yTmFtZSI6IkhlcmJlcnQgRWlzZWx0Iiwib3V0cHV0VHlwZSI6ImJsb2NrIiwibGFzdE1vZGlmaWVyTmFtZSI6IkhlcmJlcnQgRWlzZWx0IiwibGFuZ3VhZ2UiOiJlbiIsImRpYWdyYW1EaXNwbGF5TmFtZSI6IiIsInNGaWxlSWQiOiIiLCJhdHRJZCI6IjkyOTk3NjMwIiwiZGlhZ3JhbU5hbWUiOiJVc2VybWFuYWdlbWVudCIsImFzcGVjdCI6IiIsImxpbmtzIjoiYXV0byIsImNlb05hbWUiOiJVc2VyIG1hbmFnZW1lbnQiLCJ0YnN0eWxlIjoidG9wIiwiY2FuQ29tbWVudCI6ZmFsc2UsImRpYWdyYW1VcmwiOiIiLCJjc3ZGaWxlVXJsIjoiIiwiYm9yZGVyIjp0cnVlLCJtYXhTY2FsZSI6IjEiLCJvd25pbmdQYWdlSWQiOjkyOTk3NTc2LCJlZGl0YWJsZSI6ZmFsc2UsImNlb0lkIjo5MzAwODIxOSwicGFnZUlkIjoiIiwibGJveCI6dHJ1ZSwic2VydmVyQ29uZmlnIjp7ImVtYWlscHJldmlldyI6IjEifSwib2RyaXZlSWQiOiIiLCJyZXZpc2lvbiI6NSwibWFjcm9JZCI6IjE5ZWE2ZjgxLWMyNzgtNDczZS1iY2QxLWQ2OGY0YTQyNDAzZiIsInByZXZpZXdOYW1lIjoiVXNlcm1hbmFnZW1lbnQucG5nIiwibGljZW5zZVN0YXR1cyI6Ik9LIiwic2VydmljZSI6IiIsImlzVGVtcGxhdGUiOiIiLCJ3aWR0aCI6IjQwMCIsInNpbXBsZVZpZXdlciI6ZmFsc2UsImxhc3RNb2RpZmllZCI6MTYwNDY1MjA3MjAwMCwiZXhjZWVkUGFnZVdpZHRoIjpmYWxzZSwib0NsaWVudElkIjoiIn0=

Work split

• Acting components
  • User
  • Identification provider
  • ODLUX Client
  • SDN-R server
• Identity provider
  • authentication 
  • providing key for registered users indicating level of rights (group)
  • https://github.com/ory/kratos
• SDN-R Server
  • data-provider
    • Provide list of authentication providers to ODLUX Client
    • Provide internal group for user to ODLUX Client
    • CCSDK bundles
      • do authorization on URL level
      • shiro V1.3.2 of ODL Aluminium (https://github.com/apache/shiro)
        • aaf-cadi (https://github.com/onap/aaf-cadi)
          • → OauthV2TokenRealm required
• ODLUX Client
  • authorization for GUI
  • Use list of identity providers to offer login
  • Get key with identity and group of user from identity provider into ODLUX Userspace
  • Get SDN-R User group from server
  • User user group to enable/disable functions in ODLUX GUI

OAuth Provider bundle