Add new version of aaa

Change-Id: I94d72011e6019e66c98f46d11436a5cb33ff295d

9 files changed, 494 insertions, 0 deletions

diff --git a/odl-aaa-moon/aaa/commons/docs/AuthNusecases.vsd b/odl-aaa-moon/aaa/commons/docs/AuthNusecases.vsd
new file mode 100644
index 00000000..ddd59fb3
--- /dev/null
+++ b/odl-aaa-moon/aaa/commons/docs/AuthNusecases.vsd
diff --git a/odl-aaa-moon/aaa/commons/docs/direct_authn.png b/odl-aaa-moon/aaa/commons/docs/direct_authn.png
new file mode 100644
index 00000000..f63f038e
--- /dev/null
+++ b/odl-aaa-moon/aaa/commons/docs/direct_authn.png
diff --git a/odl-aaa-moon/aaa/commons/docs/federated_authn1.png b/odl-aaa-moon/aaa/commons/docs/federated_authn1.png
new file mode 100644
index 00000000..199f6f4d
--- /dev/null
+++ b/odl-aaa-moon/aaa/commons/docs/federated_authn1.png
diff --git a/odl-aaa-moon/aaa/commons/docs/federated_authn2.png b/odl-aaa-moon/aaa/commons/docs/federated_authn2.png
new file mode 100644
index 00000000..b71e9aa7
--- /dev/null
+++ b/odl-aaa-moon/aaa/commons/docs/federated_authn2.png
diff --git a/odl-aaa-moon/aaa/commons/federation/README b/odl-aaa-moon/aaa/commons/federation/README
new file mode 100644
index 00000000..dd9cdbf0
--- /dev/null
+++ b/odl-aaa-moon/aaa/commons/federation/README
@@ -0,0 +1,271 @@
+README
+===============================================================================
+Federated AAA is deployed using several config files.  This file explains a
+simple scenario utilizing two servers:
+a) ipa.example.com
+   - Runs the IPA Server Software
+b) odl.example.com
+   - Runs the IPA Client Software
+   - Runs an Apache proxy frontend (AuthN through mod_lookup_identity.so)
+   - Runs ODL
+
+This setup for this scenario is illustrated in Figure 1 below:
+
+      -----------------------
+     | odl.example.com       |
+     | (Fedora 20 Linux)     |
+     |                       |
+     |  -------------------  |
+     | | ODL Jetty Server  | |
+     | | (Port 8181 & 8383)| |
+     |  -------------------  |
+     |   ^              .    |
+     |   .   (Apache    .    |  SSSD Requests/Responses
+     |   .    Reverse   .    |           /
+     |   .     Proxy)   .    |          /
+     |   .              v    |         /
+     |  -------------------  |        |          ------------------
+     | | Apache            |<|..................| ipa.example.com  |
+     | | (Port 80)         |.|.................>| (FreeIPA         |
+     |  -------------------  |                  |   Kerberos And   |
+     | ______________________|                  |     LDAP)        |
+                                                 ------------------
+Figure 1: Shows the setup for a simple Federated AAA use case utilizing
+FreeIPA as an identity provider.
+
+
+These instructions were written for Fedora 20, since SSSD is unique to RHEL based
+distributions.  SSSD is NOT a requirement for Federation though;  you can use
+any supported linux flavor.  At this time, SSSD is the only Filter available
+with regards to capturing IdP attributes that can be used in making advanced mapping
+decisions (such as IdP group membership information).
+
+
+
+1) Install FreeIPA Server on ipa.example.com.  This is achieved through running:
+# yum install freeipa-server bind bind-dyndb-ldap
+# ipa-server-intall
+
+
+
+2) Add a FreeIPA user called testuser:
+$ kinit admin@EXAMPLE.COM
+$ ipa group-add odl_users --desc "ODL Users"
+$ ipa group-add odl_admin --desc "ODL Admin"
+$ ipa user-add testuser --first Test --last USER --email test.user@example.com
+$ ipa group-add-member odl_users --user testuser
+$ ipa group-add-member odl_admin --user testuser
+
+
+
+3) Install FreeIPA Client on odl.example.com.  This is achieved through running:
+# yum install freeipa-client
+# ipa-client-install
+
+
+
+4) Set up Client keytab for HTTP access on odl.example.com:
+# ipa-getkeytab -p HTTP/odl.brcd-sssd-tb.com@BRCD-SSSD-TB.COM \
+    -s freeipa.brcd-sssd-tb.com -k /etc/krb5.keytab
+# chmod 644 /etc/krb5.keytab
+NOTE: The second command allows Apache to read the keytab.  There are more
+secure methods to support such access through SELINUX, but they are outside
+the scope of this tutorial.
+
+
+
+5) Install Apache on odl.example.com.  This is achieved through running:
+# yum install httpd
+
+
+
+6) Create an Apache application to broker federation between ODL and FreeIPA.
+Create the following file on odl.example.com:
+
+[root@odl /]# cat /etc/httpd/conf.d/my_app.conf
+<Location "/*">
+  AuthType Kerberos
+  AuthName "Kerberos Login"
+  KrbMethodNegotiate On
+  KrbMethodK5Passwd on
+  KrbAuthRealms EXAMPLE.COM
+  Krb5KeyTab /etc/krb5.keytab
+  require valid-user
+</Location>
+
+
+<LocationMatch "/*">
+
+ RequestHeader set X-SSSD-REMOTE_USER expr=%{REMOTE_USER}
+ RequestHeader set X-SSSD-AUTH_TYPE expr=%{AUTH_TYPE}
+ RequestHeader set X-SSSD-REMOTE_HOST expr=%{REMOTE_HOST}
+ RequestHeader set X-SSSD-REMOTE_ADDR expr=%{REMOTE_ADDR}
+ LookupUserAttr mail REMOTE_USER_EMAIL
+ RequestHeader set X-SSSD-REMOTE_USER_EMAIL %{REMOTE_USER_EMAIL}e
+ LookupUserAttr givenname REMOTE_USER_FIRSTNAME
+ RequestHeader set X-SSSD-REMOTE_USER_FIRSTNAME %{REMOTE_USER_FIRSTNAME}e
+ LookupUserAttr sn REMOTE_USER_LASTNAME
+ RequestHeader set X-SSSD-REMOTE_USER_LASTNAME %{REMOTE_USER_LASTNAME}e
+ LookupUserGroups REMOTE_USER_GROUPS ":"
+ RequestHeader set X-SSSD-REMOTE_USER_GROUPS %{REMOTE_USER_GROUPS}e
+</LocationMatch>
+
+ProxyPass / http://localhost:8383/
+ProxyPassReverse / http://localhost:8383/
+
+
+
+7) Install the ODL distribution in the /opt folder on odl.example.com.
+
+
+
+8) Add a federation connector to the jetty server hosting ODL on
+odl.example.com:
+
+[user@odl distribution]$ cat etc/jetty.xml
+<?xml version="1.0"?>
+<!DOCTYPE Configure PUBLIC "-//Mort Bay Consulting//
+DTD Configure//EN" "http://jetty.mortbay.org/configure.dtd">
+
+<Configure class="org.eclipse.jetty.server.Server">
+
+    <!-- =========================================================== -->
+    <!-- Set connectors -->
+    <!-- =========================================================== -->
+    <!-- One of each type! -->
+    <!-- =========================================================== -->
+
+    <!-- Use this connector for many frequently idle connections and for
+        threadless continuations. -->
+    <Call name="addConnector">
+        <Arg>
+            <New class="org.eclipse.jetty.server.nio.SelectChannelConnector">
+                <Set name="host">
+                    <Property name="jetty.host" />
+                </Set>
+                <Set name="port">
+                    <Property name="jetty.port" default="8181" />
+                </Set>
+                <Set name="maxIdleTime">300000</Set>
+                <Set name="Acceptors">2</Set>
+                <Set name="statsOn">false</Set>
+                <Set name="confidentialPort">8443</Set>
+                <Set name="lowResourcesConnections">20000</Set>
+                <Set name="lowResourcesMaxIdleTime">5000</Set>
+            </New>
+        </Arg>
+    </Call>
+    <!-- Trusted Authentication Federation proxy connection -->
+    <Call name="addConnector">
+     <Arg>
+         <New class="org.eclipse.jetty.server.nio.SelectChannelConnector">
+           <Set name="host">127.0.0.1</Set>
+     <Set name="port">8383</Set>
+     <Set name="maxIdleTime">300000</Set>
+     <Set name="Acceptors">2</Set>
+     <Set name="statsOn">false</Set>
+     <Set name="confidentialPort">8445</Set>
+     <Set name="name">federationConn</Set>
+     <Set name="lowResourcesConnections">20000</Set>
+     <Set name="lowResourcesMaxIdleTime">5000</Set>
+    </New>
+   </Arg>
+ </Call>
+    <!-- =========================================================== -->
+    <!-- Configure Authentication Realms -->
+    <!-- Realms may be configured for the entire server here, or -->
+    <!-- they can be configured for a specific web app in a context -->
+    <!-- configuration (see $(jetty.home)/contexts/test.xml for an -->
+    <!-- example). -->
+    <!-- =========================================================== -->
+    <Call name="addBean">
+        <Arg>
+            <New class="org.eclipse.jetty.plus.jaas.JAASLoginService">
+                <Set name="name">karaf</Set>
+                <Set name="loginModuleName">karaf</Set>
+                <Set name="roleClassNames">
+                    <Array type="java.lang.String">
+                        <Item>org.apache.karaf.jaas.boot.principal.RolePrincipal
+                        </Item>
+                    </Array>
+                </Set>
+            </New>
+        </Arg>
+    </Call>
+    <Call name="addBean">
+        <Arg>
+            <New class="org.eclipse.jetty.plus.jaas.JAASLoginService">
+                <Set name="name">default</Set>
+                <Set name="loginModuleName">karaf</Set>
+                <Set name="roleClassNames">
+                    <Array type="java.lang.String">
+                        <Item>org.apache.karaf.jaas.boot.principal.RolePrincipal
+                        </Item>
+                    </Array>
+                </Set>
+            </New>
+        </Arg>
+    </Call>
+</Configure>
+
+
+
+9) Add the idp_mapping rules file on odl.example.com
+
+[user@odl distribution]$ cat etc/idp_mapping_rules.json
+[
+   {
+      "mapping":{
+         "ClientId":"1",
+         "UserId":"1",
+         "User":"admin",
+         "Domain":"BRCD-SSSD-TB.COM",
+         "roles":"$roles"
+      },
+      "statement_blocks":[
+         [
+            [
+               "set",
+               "$groups",
+               [
+
+               ]
+            ],
+            [
+               "set",
+               "$roles",
+               [
+                  "admin",
+                  "user"
+               ]
+            ]
+         ]
+      ]
+   }
+]
+
+NOTE:  This is a very basic mapping example in which all federated users are
+mapped into the default "admin" account.
+
+
+
+10) Start ODL and install the following features on odl.example.com:
+# bin/karaf
+karaf> feature:install odl-aaa-authn-sssd-no-cluster odl-restconf
+
+
+
+11) Get a refresh_token on odl.example.com through Apache proxy port (80 forwarded to 8383):
+[user@odl distribution]$ kinit testuser
+[user@odl distribution]$ curl -s --negotiate -u : -X POST http://odl.example.com/oauth2/federation/
+
+
+
+12) Obtain an access_token on odl.example.com through normal port (8181):
+[user@odl distribution]$ curl -s -d 'grant_type=refresh_token&refresh_token=<PUT RESULT FROM ABOVE STEP HERE>&scope=sdn' http://odl.example.com:8181/oauth2/token
+
+
+
+13) Use the access_token to make authenticated rest calls from odl.example.com through normal port (8181):
+[user@odl distribution]$ curl -s -H 'Authorization: Bearer <PUT RESULT FROM ABOVE STEP HERE>' http://odl.brcd-sssd-tb.com:8181/restconf/streams/
+
diff --git a/odl-aaa-moon/aaa/commons/federation/idp_mapping_rules.json.example b/odl-aaa-moon/aaa/commons/federation/idp_mapping_rules.json.example
new file mode 100644
index 00000000..98bacb0a
--- /dev/null
+++ b/odl-aaa-moon/aaa/commons/federation/idp_mapping_rules.json.example
@@ -0,0 +1,30 @@
+[
+   {
+      "mapping":{
+         "ClientId":"1",
+         "UserId":"1",
+         "User":"admin",
+         "Domain":"BRCD-SSSD-TB.COM",
+         "roles":"$roles"
+      },
+      "statement_blocks":[
+         [
+            [
+               "set",
+               "$groups",
+               [
+
+               ]
+            ],
+            [
+               "set",
+               "$roles",
+               [
+                  "admin",
+                  "user"
+               ]
+            ]
+         ]
+      ]
+   }
+]
diff --git a/odl-aaa-moon/aaa/commons/federation/jetty.xml.example b/odl-aaa-moon/aaa/commons/federation/jetty.xml.example
new file mode 100644
index 00000000..c4cb2a7d
--- /dev/null
+++ b/odl-aaa-moon/aaa/commons/federation/jetty.xml.example
@@ -0,0 +1,85 @@
+<?xml version="1.0"?>
+<!DOCTYPE Configure PUBLIC "-//Mort Bay Consulting//
+DTD Configure//EN" "http://jetty.mortbay.org/configure.dtd">
+
+<Configure class="org.eclipse.jetty.server.Server">
+
+    <!-- =========================================================== -->
+    <!-- Set connectors -->
+    <!-- =========================================================== -->
+    <!-- One of each type! -->
+    <!-- =========================================================== -->
+
+    <!-- Use this connector for many frequently idle connections and for
+        threadless continuations. -->
+    <Call name="addConnector">
+        <Arg>
+            <New class="org.eclipse.jetty.server.nio.SelectChannelConnector">
+                <Set name="host">
+                    <Property name="jetty.host" />
+                </Set>
+                <Set name="port">
+                    <Property name="jetty.port" default="8181" />
+                </Set>
+                <Set name="maxIdleTime">300000</Set>
+                <Set name="Acceptors">2</Set>
+                <Set name="statsOn">false</Set>
+                <Set name="confidentialPort">8443</Set>
+                <Set name="lowResourcesConnections">20000</Set>
+                <Set name="lowResourcesMaxIdleTime">5000</Set>
+            </New>
+        </Arg>
+    </Call>
+    <!-- Trusted Authentication Federation proxy connection -->
+    <Call name="addConnector">
+     <Arg>
+         <New class="org.eclipse.jetty.server.nio.SelectChannelConnector">
+           <Set name="host">127.0.0.1</Set>
+     <Set name="port">8383</Set>
+     <Set name="maxIdleTime">300000</Set>
+     <Set name="Acceptors">2</Set>
+     <Set name="statsOn">false</Set>
+     <Set name="confidentialPort">8445</Set>
+     <Set name="name">federationConn</Set>
+     <Set name="lowResourcesConnections">20000</Set>
+     <Set name="lowResourcesMaxIdleTime">5000</Set>
+    </New>
+   </Arg>
+ </Call>
+    <!-- =========================================================== -->
+    <!-- Configure Authentication Realms -->
+    <!-- Realms may be configured for the entire server here, or -->
+    <!-- they can be configured for a specific web app in a context -->
+    <!-- configuration (see $(jetty.home)/contexts/test.xml for an -->
+    <!-- example). -->
+    <!-- =========================================================== -->
+    <Call name="addBean">
+        <Arg>
+            <New class="org.eclipse.jetty.plus.jaas.JAASLoginService">
+                <Set name="name">karaf</Set>
+                <Set name="loginModuleName">karaf</Set>
+                <Set name="roleClassNames">
+                    <Array type="java.lang.String">
+                        <Item>org.apache.karaf.jaas.boot.principal.RolePrincipal
+                        </Item>
+                    </Array>
+                </Set>
+            </New>
+        </Arg>
+    </Call>
+    <Call name="addBean">
+        <Arg>
+            <New class="org.eclipse.jetty.plus.jaas.JAASLoginService">
+                <Set name="name">default</Set>
+                <Set name="loginModuleName">karaf</Set>
+                <Set name="roleClassNames">
+                    <Array type="java.lang.String">
+                        <Item>org.apache.karaf.jaas.boot.principal.RolePrincipal
+                        </Item>
+                    </Array>
+                </Set>
+            </New>
+        </Arg>
+    </Call>
+</Configure>
+
diff --git a/odl-aaa-moon/aaa/commons/federation/my_app.conf.example b/odl-aaa-moon/aaa/commons/federation/my_app.conf.example
new file mode 100644
index 00000000..71c8ad87
--- /dev/null
+++ b/odl-aaa-moon/aaa/commons/federation/my_app.conf.example
@@ -0,0 +1,31 @@
+LoadModule lookup_identity_module modules/mod_lookup_identity.so
+
+<Location "/*">
+  AuthType Kerberos
+  AuthName "Kerberos Login"
+  KrbMethodNegotiate On
+  KrbMethodK5Passwd on
+  KrbAuthRealms EXAMPLE.COM
+  Krb5KeyTab /etc/krb5.keytab
+  require valid-user
+</Location>
+
+
+<LocationMatch "/*">
+
+ RequestHeader set X-SSSD-REMOTE_USER expr=%{REMOTE_USER}
+ RequestHeader set X-SSSD-AUTH_TYPE expr=%{AUTH_TYPE}
+ RequestHeader set X-SSSD-REMOTE_HOST expr=%{REMOTE_HOST}
+ RequestHeader set X-SSSD-REMOTE_ADDR expr=%{REMOTE_ADDR}
+ LookupUserAttr mail REMOTE_USER_EMAIL
+ RequestHeader set X-SSSD-REMOTE_USER_EMAIL %{REMOTE_USER_EMAIL}e
+ LookupUserAttr givenname REMOTE_USER_FIRSTNAME
+ RequestHeader set X-SSSD-REMOTE_USER_FIRSTNAME %{REMOTE_USER_FIRSTNAME}e
+ LookupUserAttr sn REMOTE_USER_LASTNAME
+ RequestHeader set X-SSSD-REMOTE_USER_LASTNAME %{REMOTE_USER_LASTNAME}e
+ LookupUserGroups REMOTE_USER_GROUPS ":"
+ RequestHeader set X-SSSD-REMOTE_USER_GROUPS %{REMOTE_USER_GROUPS}e
+</LocationMatch>
+
+ProxyPass / http://localhost:8383/
+ProxyPassReverse / http://localhost:8383/
diff --git a/odl-aaa-moon/aaa/commons/postman_examples/AAA_AuthZ_MDSAL.json.postman_collection b/odl-aaa-moon/aaa/commons/postman_examples/AAA_AuthZ_MDSAL.json.postman_collection
new file mode 100644
index 00000000..15193a70
--- /dev/null
+++ b/odl-aaa-moon/aaa/commons/postman_examples/AAA_AuthZ_MDSAL.json.postman_collection
@@ -0,0 +1,77 @@
+{
+	"id": "273974a1-2df8-b0a6-57f9-1397cd1628d7",
+	"name": "AAA AuthZ MDSAL",
+	"description": "This Postman collection contains some of the common operations that are necessary to \"provision\" authorization services on top of ODL.",
+	"order": [
+		"7959a1f4-703a-417a-9d4c-70ab56c0e57f",
+		"262c9b05-04a6-8dfa-5eb3-c9f9f90b3c4a",
+		"4df58109-fd50-dbdf-b982-7e59d3475544"
+	],
+	"folders": [],
+	"timestamp": 1439405060911,
+	"owner": 0,
+	"remoteLink": "",
+	"public": false,
+	"requests": [
+		{
+			"id": "262c9b05-04a6-8dfa-5eb3-c9f9f90b3c4a",
+			"headers": "Authorization: Basic YWRtaW46YWRtaW4=\n",
+			"url": "http://localhost:8181/restconf/config/authorization-schema:simple-authorization/policies/RestConfService/",
+			"pathVariables": {},
+			"preRequestScript": "",
+			"method": "GET",
+			"collectionId": "273974a1-2df8-b0a6-57f9-1397cd1628d7",
+			"data": [],
+			"dataMode": "raw",
+			"name": "Get configuration authorization schema with admin role",
+			"description": "",
+			"descriptionFormat": "html",
+			"time": 1439405954342,
+			"version": 2,
+			"responses": [],
+			"tests": "",
+			"currentHelper": "normal",
+			"helperAttributes": {},
+			"rawModeData": ""
+		},
+		{
+			"id": "4df58109-fd50-dbdf-b982-7e59d3475544",
+			"headers": "Authorization: Basic dXNlcjp1c2Vy\n",
+			"url": "http://localhost:8181/restconf/config/authorization-schema:simple-authorization/policies/RestConfService/",
+			"preRequestScript": "",
+			"pathVariables": {},
+			"method": "GET",
+			"data": [],
+			"dataMode": "params",
+			"version": 2,
+			"tests": "",
+			"currentHelper": "normal",
+			"helperAttributes": {},
+			"time": 1439406616859,
+			"name": "Get configuration authorization schema with user role",
+			"description": "",
+			"collectionId": "273974a1-2df8-b0a6-57f9-1397cd1628d7",
+			"responses": []
+		},
+		{
+			"id": "7959a1f4-703a-417a-9d4c-70ab56c0e57f",
+			"headers": "Authorization: Basic YWRtaW46YWRtaW4=\nContent-Type: application/json\n",
+			"url": "http://localhost:8181/restconf/config/authorization-schema:simple-authorization/policies/RestConfService/",
+			"preRequestScript": "",
+			"pathVariables": {},
+			"method": "PUT",
+			"data": [],
+			"dataMode": "raw",
+			"version": 2,
+			"tests": "",
+			"currentHelper": "normal",
+			"helperAttributes": {},
+			"time": 1439405844861,
+			"name": "Secure RestConfService for admin role",
+			"description": "",
+			"collectionId": "273974a1-2df8-b0a6-57f9-1397cd1628d7",
+			"responses": [],
+			"rawModeData": "{\n    \"policies\": {\n        \"resource\": \"*\",\n        \"service\":\"RestConfService\",\n        \"role\": \"admin\"\n    }\n}"
+		}
+	]
+}
\ No newline at end of file