ules.lighty-aaa.20.2.0.source-code.aaa-app-config.xml Maven / Gradle / Ivy
The newest version!
<?xml version="1.0" ?>
<!--
Copyright (c) 2017 Inocybe Technologies and others. All rights reserved.
This program and the accompanying materials are made available under the
terms of the Eclipse Public License v1.0 which accompanies this distribution,
and is available at http://www.eclipse.org/legal/epl-v10.html
-->
<!--
///////////////////////////////////////////////////////////////////////////////////////
// clustered-app-config instance responsible for AAA configuration. In the future, //
// this will contain all AAA related configuration. //
///////////////////////////////////////////////////////////////////////////////////////
-->
<shiro-configuration xmlns="urn:opendaylight:aaa:app:config">
<!--
///////////////////////////////////////////////////////////////////////////////////
// shiro-configuration is the model based container that contains all shiro //
// related information used in ODL AAA configuration. It is the sole pain of //
// glass for shiro related configuration, and is how to configure shiro concepts //
// such as: //
// * realms //
// * urls //
// * security manager settings //
// //
// In general, you really shouldn't muck with the settings in this file. The //
// way an operator should configure AAA shiro settings is through one of ODL's //
// northbound interfaces (i.e., RESTCONF or NETCONF). These are just the //
// defaults if no values are specified in MD-SAL. The reason this file is so //
// verbose is for two reasons: //
// 1) to demonstrate payload examples for plausible configuration scenarios //
// 2) to allow bootstrap of the controller (first time start) since otherwise //
// configuration becomes a chicken and the egg problem. //
// //
///////////////////////////////////////////////////////////////////////////////////
-->
<!--
===================================================================================
= =
= =
= MAIN =
= =
= =
===================================================================================
-->
<!--
===================================================================================
============================ ODLJndiLdapRealmAuthNOnly ============================
===================================================================================
= =
= Description: A Realm implementation aimed at federating with an external LDAP =
= server for authentication only. For authorization support, refer =
= to ODLJndiLdapRealm. =
===================================================================================
-->
<!-- Start ldapRealm commented out
<main>
<pair-key>ldapRealm</pair-key>
<pair-value>ODLJndiLdapRealmAuthNOnly</pair-value>
</main>
<main>
<pair-key>ldapRealm.userDnTemplate</pair-key>
<pair-value>uid={0},ou=People,dc=DOMAIN,dc=TLD</pair-value>
</main>
<main>
<pair-key>ldapRealm.contextFactory.url</pair-key>
<pair-value>ldap://<URL>:389</pair-value>
</main>
<main>
<pair-key>ldapRealm.searchBase</pair-key>
<pair-value>dc=DOMAIN,dc=TLD</pair-value>
</main>
<main>
<pair-key>ldapRealm.groupRolesMap</pair-key>
<pair-value>"person":"admin", "organizationalPerson":"user"</pair-value>
</main>
<main>
<pair-key>ldapRealm.ldapAttributeForComparison</pair-key>
<pair-value>objectClass</pair-value>
</main>
End ldapRealm commented out-->
<!--
===================================================================================
============================= ODLActiveDirectoryRealm =============================
===================================================================================
= =
= Description: A Realm implementation aimed at federating with an external AD =
= IDP server. =
===================================================================================
-->
<!-- Start adRealm commented out
<main>
<pair-key>adRealm</pair-key>
<pair-value>ODLActiveDirectoryRealm</pair-value>
</main>
<main>
<pair-key>adRealm.searchBase</pair-key>
<pair-value>"CN=Users,DC=example,DC=com"</pair-value>
</main>
<main>
<pair-key>adRealm.systemUsername</pair-key>
<pair-value>[email protected]</pair-value>
</main>
<main>
<pair-key>adRealm.systemPassword</pair-key>
<pair-value>adpassword</pair-value>
</main>
<main>
<pair-key>adRealm.url</pair-key>
<pair-value>ldaps://adserver:636</pair-value>
</main>
<main>
<pair-key>adRealm.groupRolesMap</pair-key>
<pair-value>"CN=sysadmin,CN=Users,DC=example,DC=com":"admin", "CN=unprivileged,CN=Users,DC=example,DC=com":"user"</pair-value>
</main>
End adRealm commented out-->
<!--
===================================================================================
================================== ODLJdbcRealm ===================================
===================================================================================
= =
= Description: A Realm implementation aimed at federating with an external JDBC =
= DBMS. =
===================================================================================
-->
<!-- Start jdbcRealm commented out
<main>
<pair-key>ds</pair-key>
<pair-value>com.mysql.jdbc.Driver</pair-value>
</main>
<main>
<pair-key>ds.serverName</pair-key>
<pair-value>localhost</pair-value>
</main>
<main>
<pair-key>ds.user</pair-key>
<pair-value>user</pair-value>
</main>
<main>
<pair-key>ds.password</pair-key>
<pair-value>password</pair-value>
</main>
<main>
<pair-key>ds.databaseName</pair-key>
<pair-value>db_name</pair-value>
</main>
<main>
<pair-key>jdbcRealm</pair-key>
<pair-value>ODLJdbcRealm</pair-value>
</main>
<main>
<pair-key>jdbcRealm.dataSource</pair-key>
<pair-value>$ds</pair-value>
</main>
<main>
<pair-key>jdbcRealm.authenticationQuery</pair-key>
<pair-value>"SELECT password FROM users WHERE user_name = ?"</pair-value>
</main>
<main>
<pair-key>jdbcRealm.userRolesQuery</pair-key>
<pair-value>"SELECT role_name FROM user_rolesWHERE user_name = ?"</pair-value>
</main>
End jdbcRealm commented out-->
<!--
===================================================================================
================================= TokenAuthRealm ==================================
===================================================================================
= =
= Description: A Realm implementation utilizing a per node H2 database store. =
===================================================================================
-->
<main>
<pair-key>tokenAuthRealm</pair-key>
<pair-value>org.opendaylight.aaa.shiro.realm.TokenAuthRealm</pair-value>
</main>
<!--
===================================================================================
=================================== MdsalRealm ====================================
===================================================================================
= =
= Description: A Realm implementation utilizing the aaa.yang model. =
===================================================================================
-->
<!-- Start mdsalRealm commented out
<main>
<pair-key>mdsalRealm</pair-key>
<pair-value>MdsalRealm</pair-value>
</main>
End mdsalRealm commented out-->
<!--
===================================================================================
================================= MoonAuthRealm ===================================
===================================================================================
= =
= Description: A Realm implementation aimed at federating with OPNFV Moon. =
===================================================================================
-->
<!-- Start moonAuthRealm commented out
<main>
<pair-key>moonAuthRealm</pair-key>
<pair-value>MoonRealm</pair-value>
</main>
<main>
<pair-key>moonAuthRealm.moonServerURL</pair-key>
<pair-value>http://<host>:<port></pair-value>
</main>
End moonAuthRealm commented out-->
<!--
===================================================================================
================================= KeystoneAuthRealm == ============================
===================================================================================
= =
= Description: A Realm implementation aimed at federating with an OpenStack =
= Keystone. =
===================================================================================
-->
<!-- Start keystoneAuthRealm commented out
<main>
<pair-key>keystoneAuthRealm</pair-key>
<pair-value>KeystoneAuthRealm</pair-value>
</main>
<main>
<pair-key>keystoneAuthRealm.url</pair-key>
<pair-value>https://<host>:<port></pair-value>
</main>
<main>
<pair-key>keystoneAuthRealm.sslVerification</pair-key>
<pair-value>true</pair-value>
</main>
<main>
<pair-key>keystoneAuthRealm.defaultDomain</pair-key>
<pair-value>Default</pair-value>
</main>
-->
<!--
Add tokenAuthRealm as the only realm. To enable mdsalRealm, add it to the list to he right of tokenAuthRealm.
-->
<main>
<pair-key>securityManager.realms</pair-key>
<pair-value>$tokenAuthRealm</pair-value>
</main>
<!-- Start moonAuthRealm commented out
<main>
<pair-key>rest</pair-key>
<pair-value>MoonOAuthFilter</pair-value>
</main>
End moonAuthRealm commented out-->
<!-- in order to track AAA challenge attempts -->
<main>
<pair-key>accountingListener</pair-key>
<pair-value>org.opendaylight.aaa.shiro.filters.AuthenticationListener</pair-value>
</main>
<main>
<pair-key>securityManager.authenticator.authenticationListeners</pair-key>
<pair-value>$accountingListener</pair-value>
</main>
<!-- Model based authorization scheme supporting RBAC for REST endpoints -->
<main>
<pair-key>dynamicAuthorization</pair-key>
<pair-value>org.opendaylight.aaa.shiro.realm.MDSALDynamicAuthorizationFilter</pair-value>
</main>
<!--
===================================================================================
= =
= =
= URLS =
= =
= =
===================================================================================
-->
<!-- Start moonAuthRealm commented out
<urls>
<pair-key>/token</pair-key>
<pair-value>rest</pair-value>
</urls>
End moonAuthRealm commented out-->
<urls>
<pair-key>/operations/cluster-admin**</pair-key>
<pair-value>authcBasic, roles[admin]</pair-value>
</urls>
<urls>
<pair-key>/v1/**</pair-key>
<pair-value>authcBasic, roles[admin]</pair-value>
</urls>
<urls>
<pair-key>/config/aaa*/**</pair-key>
<pair-value>authcBasic, roles[admin]</pair-value>
</urls>
<urls>
<pair-key>/**</pair-key>
<pair-value>authcBasic, dynamicAuthorization</pair-value>
</urls>
</shiro-configuration>