author | DUVAL Thomas <thomas.duval@orange.com> | 2016-06-16 13:08:32 +0000 |
---|---|---|
committer | Gerrit Code Review <gerrit@172.30.200.206> | 2016-06-16 13:08:32 +0000 |
commit | 9bdc327fd67e2189b6088f83f7d7470efc859acb (patch) | |
tree | 7ee82b65535696e1f004ab2a2de16ced0ac8b6d5 /odl-aaa-moon/aaa/aaa-idmlight/src/main/resources | |
parent | 2cadaf72d814b8f8c243855c65ba43d3b9a701cc (diff) | |
parent | adf7e6616c2a8d6f60207059288423f693509928 (diff) |
Merge "Add new version of aaa"
Diffstat (limited to 'odl-aaa-moon/aaa/aaa-idmlight/src/main/resources')
3 files changed, 358 insertions, 0 deletions
diff --git a/odl-aaa-moon/aaa/aaa-idmlight/src/main/resources/WEB-INF/web.xml b/odl-aaa-moon/aaa/aaa-idmlight/src/main/resources/WEB-INF/web.xml
new file mode 100644
index 00000000..facba131
--- /dev/null
+++ b/odl-aaa-moon/aaa/aaa-idmlight/src/main/resources/WEB-INF/web.xml
@@ -0,0 +1,77 @@
+<?xml version="1.0" encoding="ISO-8859-1"?>
+<web-app xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
+ version="3.0">
+
+ <servlet>
+ <servlet-name>IdmLight</servlet-name>
+ <servlet-class>com.sun.jersey.spi.container.servlet.ServletContainer</servlet-class>
+ <init-param>
+ <param-name>javax.ws.rs.Application</param-name>
+ <param-value>org.opendaylight.aaa.idm.IdmLightApplication</param-value>
+ </init-param>
+ <init-param>
+ <param-name>com.sun.jersey.api.json.POJOMappingFeature</param-name><param-value>true</param-value>
+ </init-param>
+ <load-on-startup>1</load-on-startup>
+ </servlet>
+ <servlet-mapping>
+ <servlet-name>IdmLight</servlet-name>
+ <url-pattern>/*</url-pattern>
+ </servlet-mapping>
+
+ <context-param>
+ <param-name>shiroEnvironmentClass</param-name>
+ <param-value>org.opendaylight.aaa.shiro.web.env.KarafIniWebEnvironment</param-value>
+ </context-param>
+
+ <listener>
+ <listener-class>org.apache.shiro.web.env.EnvironmentLoaderListener</listener-class>
+ </listener>
+
+ <filter>
+ <filter-name>ShiroFilter</filter-name>
+ <filter-class>org.opendaylight.aaa.shiro.filters.AAAFilter</filter-class>
+ </filter>
+
+ <filter-mapping>
+ <filter-name>ShiroFilter</filter-name>
+ <url-pattern>/*</url-pattern>
+ </filter-mapping>
+
+ <filter>
+ <filter-name>cross-origin-restconf</filter-name>
+ <filter-class>org.eclipse.jetty.servlets.CrossOriginFilter</filter-class>
+ <init-param>
+ <param-name>allowedOrigins</param-name>
+ <param-value>*</param-value>
+ </init-param>
+ <init-param>
+ <param-name>allowedMethods</param-name>
+ <param-value>GET,POST,OPTIONS,DELETE,PUT,HEAD</param-value>
+ </init-param>
+ <init-param>
+ <param-name>allowedHeaders</param-name>
+ <param-value>origin, content-type, accept, authorization, Authorization</param-value>
+ </init-param>
+ </filter>
+
+ <filter-mapping>
+ <filter-name>cross-origin-restconf</filter-name>
+ <url-pattern>/*</url-pattern>
+ </filter-mapping>
+
+ <security-constraint>
+ <web-resource-collection>
+ <web-resource-name>NB api</web-resource-name>
+ <url-pattern>/*</url-pattern>
+ <http-method>POST</http-method>
+ <http-method>GET</http-method>
+ <http-method>PUT</http-method>
+ <http-method>PATCH</http-method>
+ <http-method>DELETE</http-method>
+ <http-method>HEAD</http-method>
+ </web-resource-collection>
+ </security-constraint>
+
+</web-app>
diff --git a/odl-aaa-moon/aaa/aaa-idmlight/src/main/resources/idmtool.py b/odl-aaa-moon/aaa/aaa-idmlight/src/main/resources/idmtool.py
new file mode 100755
index 00000000..b14a8758
--- /dev/null
+++ b/odl-aaa-moon/aaa/aaa-idmlight/src/main/resources/idmtool.py
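Review bot: The `cross-origin-restconf` filter sets `allowedOrigins` to `*` while `allowedHeaders` admits `authorization`, on the servlet that manages users, roles and grants; as far as I recall Jetty's CrossOriginFilter leaves `allowCredentials` at true unless overridden, so any web origin can drive credentialed requests against the IdM API from a browser that holds controller credentials. Restrict the origin list to the deployments that need it, e.g. `<param-value>https://ALLOWED-ORIGIN-PLACEHOLDER</param-value>`, or add an init-param `allowCredentials` = `false`, and say in a comment why the IdM endpoint needs CORS at all. The `<security-constraint>` lists methods but carries no `<auth-constraint>` or `<user-data-constraint>`, so it enforces nothing on its own; access control rests entirely on `AAAFilter`, which deserves a comment such as `<!-- authentication is enforced by AAAFilter; this constraint only enumerates the protected methods -->`. PATCH appears in that constraint but not in the CORS `allowedMethods`, which looks like an oversight one way or the other.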
@@ -0,0 +1,255 @@
+#!/usr/bin/env python
+
+#
+# Copyright (c) 2016 Brocade Communications Systems and others. All rights reserved.
+#
+# This program and the accompanying materials are made available under the
+# terms of the Eclipse Public License v1.0 which accompanies this distribution,
+# and is available at http://www.eclipse.org/legal/epl-v10.html
+#
+
+'''
+idmtool
+
+Used to manipulate ODL AAA idm on a node-per-node basis. Assumes only one domain (sdn)
+since current support in ODL is limited.
+'''
+
+__author__ = "Ryan Goulding"
+__copyright__ = "Copyright (c) 2016 Brocade Communications Systems and others"
+__credits__ = "Ryan Goulding"
+__license__ = "EPL"
+__version__ = "1.0"
+__maintainer__ = "Ryan Goulding"
+__email__ = "ryandgoulding@gmail.com"
+__status__ = "Production"
+
+import argparse, getpass, json, requests, sys
+
+parser = argparse.ArgumentParser('idmtool')
+
+user=''
+hostname='localhost'
+protocol='http'
+port='8181'
+target_host='{}://{}:{}/'.format(protocol, hostname, port)
+
+# main program arguments
+parser.add_argument('user',help='username for BSC node', nargs=1)
+parser.add_argument('--target-host', help="target host node", nargs=1)
+
+subparsers = parser.add_subparsers(help='sub-command help')
+
+# users table related
+list_users = subparsers.add_parser('list-users', help='list all users')
+list_users.set_defaults(func=list_users)
+add_user = subparsers.add_parser('add-user', help='add a user')
+add_user.set_defaults(func=add_user)
+add_user.add_argument('newUser', help='new user name', nargs=1)
+change_password = subparsers.add_parser('change-password', help='change a password')
+change_password.set_defaults(func=change_password)
+change_password.add_argument('userid', help='change the password for a particular userid', nargs=1)
+delete_user = subparsers.add_parser('delete-user', help='delete a user')
+delete_user.add_argument('userid', help='name@sdn', nargs=1)
+delete_user.set_defaults(func=delete_user)
+
+# domains table related
+# only read is defined; this was done on purpose since the "domain" concept
+# is mostly unsupported in ODL.
+list_domains = subparsers.add_parser('list-domains', help='list all domains')
+list_domains.set_defaults(func=list_domains)
+
+# roles table related
+list_roles = subparsers.add_parser('list-roles', help='list all roles')
+list_roles.set_defaults(func=list_roles)
+add_role = subparsers.add_parser('add-role', help='add a role')
+add_role.add_argument('role', help='role name', nargs=1)
+add_role.set_defaults(func=add_role)
+delete_role = subparsers.add_parser('delete-role', help='delete a role')
+delete_role.add_argument('roleid', help='rolename@sdn', nargs=1)
+delete_role.set_defaults(func=delete_role)
+add_grant = subparsers.add_parser('add-grant', help='add a grant')
+add_grant.set_defaults(func=add_grant)
+add_grant.add_argument('userid', help="username@sdn", nargs=1)
+add_grant.add_argument('roleid', help="role@sdn", nargs=1)
+get_grants = subparsers.add_parser('get-grants', help='get grants for userid on sdn')
+get_grants.set_defaults(func=get_grants)
+get_grants.add_argument('userid', help="username@sdn", nargs=1)
+delete_grant = subparsers.add_parser('delete-grant', help='delete a grant')
+delete_grant.add_argument('userid', help='username@sdn', nargs=1)
+delete_grant.add_argument('roleid', help='role@sdn', nargs=1)
+delete_grant.set_defaults(func=delete_grant)
+
+def process_result(r):
+ ''' Generic method to print result of a REST call '''
+ print ''
+ sc = r.status_code
+ if sc >= 200 and sc < 300:
+ print "command succeeded!"
+ try:
+ res = r.json()
+ if res is not None:
+ print '\njson:\n', json.dumps(res, indent=4, sort_keys=True)
+ except(ValueError):
+ pass
+ elif sc == 401:
+ print "Incorrect Credentials Provided"
+ elif sc == 404:
+ print "RESTconf is either not installed or not initialized yet"
+ elif sc >= 500 and sc < 600:
+ print "Internal Server Error Ocurred"
+ else:
+ print "Unknown error; HTTP status code: {}".format(sc)
+
+def get_request(user, password, url, description, outputResult=True):
+ if outputResult:
+ print description
+ try:
+ r = requests.get(url, auth=(user,password))
+ if outputResult:
+ process_result(r)
+ return r
+ except(requests.exceptions.ConnectionError):
+ if outputResult:
+ print "Unable to connect; are you sure the controller is up?"
+ sys.exit(1)
+
+def post_request(user, password, url, description, payload, params):
+ print description
+ try:
+ r = requests.post(url, auth=(user,password), data=payload, headers=params)
+ process_result(r)
+ except(requests.exceptions.ConnectionError):
+ print "Unable to connect; are you sure the controller is up?"
+ sys.exit(1)
+
+def put_request(user, password, url, description, payload, params):
+ print description
+ try:
+ r = requests.put(url, auth=(user,password), data=payload, headers=params)
+ process_result(r)
+ except(requests.exceptions.ConnectionError):
+ print "Unable to connect; are you sure the controller is up?"
+ sys.exit(1)
+
+def delete_request(user, password, url, description, payload='', params={'Content-Type':'application/json'}):
+ print description
+ try:
+ r = requests.delete(url, auth=(user,password), data=payload, headers=params)
+ process_result(r)
+ except(requests.exceptions.ConnectionError):
+ print "Unable to connect; are you sure the controller is up?"
+ sys.exit(1)
+
+def poll_new_password():
+ new_password = getpass.getpass(prompt="Enter new password: ")
+ new_password_repeated = getpass.getpass(prompt="Re-enter password: ")
+ if new_password != new_password_repeated:
+ print "Passwords did not match; cancelling the add_user request"
+ sys.exit(1)
+ return new_password
+
+def list_users(user, password):
+ get_request(user, password, target_host + 'auth/v1/users', 'list_users')
+
+def add_user(user, password, newUser):
+ new_password = poll_new_password()
+ description = 'add_user({})'.format(user)
+ url = target_host + 'auth/v1/users'
+ payload = {'name':newUser, 'password':new_password, 'description':'', "domainid":"sdn", 'userid':'{}@sdn'.format(newUser), 'email':''}
+ jsonpayload = json.dumps(payload)
+ headers={'Content-Type':'application/json'}
+ post_request(user, password, url, description, jsonpayload, headers)
+
+def delete_user(user, password, userid):
+ url = target_host + 'auth/v1/users/{}'.format(userid)
+ description = 'delete_user({})'.format(userid)
+ delete_request(user, password, url, description)
+
+def change_password(user, password, existingUserId):
+ url = target_host + 'auth/v1/users/{}'.format(existingUserId)
+ r = get_request(user, password, target_host + 'auth/v1/users/{}'.format(existingUserId), 'list_users', outputResult=False)
+ try:
+ existing = r.json()
+ del existing['salt']
+ del existing['password']
+ new_password = poll_new_password()
+ existing['password'] = new_password
+ description='change_password({})'.format(existingUserId)
+ headers={'Content-Type':'application/json'}
+ url = target_host + 'auth/v1/users/{}'.format(existingUserId)
+ put_request(user, password, url, 'change_password({})'.format(user), json.dumps(existing), headers)
+ except(AttributeError):
+ print "Unable to connect; are you sure the controller is up?"
+ sys.exit(1)
+
+def list_domains(user, password):
+ get_request(user, password, target_host + 'auth/v1/domains', 'list_domains')
+
+def list_roles(user, password):
+ get_request(user, password, target_host + 'auth/v1/roles', 'list_roles')
+
+def add_role(user, password, role):
+ url = target_host + 'auth/v1/roles'
+ description = 'add_role({})'.format(role)
+ payload = {"roleid":'{}@sdn'.format(role), 'name':role, 'description':'', 'domainid':'sdn'}
+ data = json.dumps(payload)
+ headers={'Content-Type':'application/json'}
+ post_request(user, password, url, description, data, headers)
+
+def delete_role(user, password, roleid):
+ url = target_host + 'auth/v1/roles/{}'.format(roleid)
+ description = 'delete_role({})'.format(roleid)
+ delete_request(user, password, url, description)
+
+def add_grant(user, password, userid, roleid):
+ description = 'add_grant(userid={},roleid={})'.format(userid, roleid)
+ payload = {"roleid":roleid, "userid":userid, "grantid":'{}@{}@{}'.format(userid, roleid, "sdn"), "domainid":"sdn"}
+ url = target_host + 'auth/v1/domains/sdn/users/{}/roles'.format(userid)
+ data=json.dumps(payload)
+ headers={'Content-Type':'application/json'}
+ post_request(user, password, url, description, data, headers)
+
+def get_grants(user, password, userid):
+ get_request(user, password, target_host + 'auth/v1/domains/sdn/users/{}/roles'.format(userid), 'get_grants({})'.format(userid))
+
+def delete_grant(user, password, userid, roleid):
+ url = target_host + 'auth/v1/domains/sdn/users/{}/roles/{}'.format(userid, roleid)
+ print url
+ description = 'delete_grant(userid={},roleid={})'.format(userid, roleid)
+ delete_request(user, password, url, description)
+
+args = parser.parse_args()
+command = args.func.prog.split()[1:]
+user = args.user[0]
+password = getpass.getpass()
+temp_host_arr = args.target_host
+if temp_host_arr is not None:
+ temp_host_val = temp_host_arr[0]
+ if temp_host_val is not None:
+ target_host = temp_host_val
+ if not target_host.endswith("/"):
+ target_host += "/"
+if "list-users" in command:
+ list_users(user,password)
+if "list-domains" in command:
+ list_domains(user,password)
+if "list-roles" in command:
+ list_roles(user,password)
+if "add-user" in command:
+ add_user(user,password, args.newUser[0])
+if "add-grant" in command:
+ add_grant(user,password, args.userid[0], args.roleid[0])
+if "get-grants" in command:
+ get_grants(user,password, args.userid[0])
+if "change-password" in command:
+ change_password(user, password, args.userid[0])
+if "delete-user" in command:
+ delete_user(user, password, args.userid[0])
+if "delete-role" in command:
+ delete_role(user, password, args.roleid[0])
+if "add-role" in command:
+ add_role(user, password, args.role[0])
+if "delete-grant" in command:
+ delete_grant(user, password, args.userid[0], args.roleid[0])
+
diff --git a/odl-aaa-moon/aaa/aaa-idmlight/src/main/resources/initial/08-aaa-idmlight-config.xml b/odl-aaa-moon/aaa/aaa-idmlight/src/main/resources/initial/08-aaa-idmlight-config.xml
new file mode 100644
index 00000000..695ce762
--- /dev/null
+++ b/odl-aaa-moon/aaa/aaa-idmlight/src/main/resources/initial/08-aaa-idmlight-config.xml
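Review bot: `protocol='http'` is the default transport, and every request sends the operator's credentials as HTTP Basic auth (`auth=(user,password)`) while `add_user` and `change_password` also place the new password in the request body, so unless `--target-host` names an https:// URL all of this crosses the network unencrypted; nothing in the help text says so. I'd document it at the declaration, `# NOTE: plain HTTP by default - Basic-auth credentials and new passwords are sent unencrypted; pass --target-host https://... outside a lab`, or flip the default once the controller listens on TLS. `change_password` also calls `r.json()` and `del existing['salt']` without checking `r.status_code`, so a 401 or 404 surfaces as a ValueError/KeyError traceback instead of the messages `process_result` already provides, and its `except(AttributeError)` reports "Unable to connect" for something that is not a connection failure. Smaller points: `add_user` formats its description with `user` instead of `newUser`, `change_password` builds a `description` it never passes (the PUT reports `user` rather than `existingUserId`), `delete_grant` leaves a debug `print url`, and `delete_request` uses a mutable dict as the `params` default. The subparser variables (`list_users`, `add_user`, ...) are rebound by the later `def`s of the same name and the dispatch only works because `set_defaults(func=...)` captured the parser object first; distinct names would make that readable.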
@@ -0,0 +1,26 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!-- vi: set et smarttab sw=4 tabstop=4: -->
+<!--
+ Copyright (c) 2015 Cisco Systems, Inc. and others. All rights reserved.
+
+ This program and the accompanying materials are made available under the
+ terms of the Eclipse Public License v1.0 which accompanies this distribution,
+ and is available at http://www.eclipse.org/legal/epl-v10.html
+-->
+<snapshot>
+ <configuration>
+ <data xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
+ <modules xmlns="urn:opendaylight:params:xml:ns:yang:controller:config">
+ <module>
+ <type xmlns:authn="config:aaa:authn:idmlight">authn:aaa-idmlight</type>
+ <name>aaa-idmlight</name>
+ </module>
+ </modules>
+ </data>
+ </configuration>
+ <required-capabilities>
+ <capability>config:aaa:authn:idmlight?module=aaa-idmlight&revision=2015-12-04</capability>
+ </required-capabilities>
+
+</snapshot>
+
|
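Review bot: The `<capability>` value reads `&revision=2015-12-04` with a bare ampersand, which is not well-formed XML and would make the config snapshot unparseable at load; this kind of capability string is normally written `&amp;revision=`. The diff view may have decoded the entity while rendering, so it is worth checking the file as committed rather than trusting this page.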