aboutsummaryrefslogtreecommitdiffstats
path: root/odl-aaa-moon/commons
diff options
context:
space:
mode:
Diffstat (limited to 'odl-aaa-moon/commons')
-rw-r--r--odl-aaa-moon/commons/docs/AuthNusecases.vsdbin206336 -> 0 bytes
-rw-r--r--odl-aaa-moon/commons/docs/direct_authn.pngbin22058 -> 0 bytes
-rw-r--r--odl-aaa-moon/commons/docs/federated_authn1.pngbin36542 -> 0 bytes
-rw-r--r--odl-aaa-moon/commons/docs/federated_authn2.pngbin35203 -> 0 bytes
-rw-r--r--odl-aaa-moon/commons/federation/README271
-rw-r--r--odl-aaa-moon/commons/federation/idp_mapping_rules.json.example30
-rw-r--r--odl-aaa-moon/commons/federation/jetty.xml.example85
-rw-r--r--odl-aaa-moon/commons/federation/my_app.conf.example31
-rw-r--r--odl-aaa-moon/commons/postman_examples/AAA_AuthZ_MDSAL.json.postman_collection77
9 files changed, 0 insertions, 494 deletions
diff --git a/odl-aaa-moon/commons/docs/AuthNusecases.vsd b/odl-aaa-moon/commons/docs/AuthNusecases.vsd
deleted file mode 100644
index ddd59fb3..00000000
--- a/odl-aaa-moon/commons/docs/AuthNusecases.vsd
+++ /dev/null
Binary files differ
diff --git a/odl-aaa-moon/commons/docs/direct_authn.png b/odl-aaa-moon/commons/docs/direct_authn.png
deleted file mode 100644
index f63f038e..00000000
--- a/odl-aaa-moon/commons/docs/direct_authn.png
+++ /dev/null
Binary files differ
diff --git a/odl-aaa-moon/commons/docs/federated_authn1.png b/odl-aaa-moon/commons/docs/federated_authn1.png
deleted file mode 100644
index 199f6f4d..00000000
--- a/odl-aaa-moon/commons/docs/federated_authn1.png
+++ /dev/null
Binary files differ
diff --git a/odl-aaa-moon/commons/docs/federated_authn2.png b/odl-aaa-moon/commons/docs/federated_authn2.png
deleted file mode 100644
index b71e9aa7..00000000
--- a/odl-aaa-moon/commons/docs/federated_authn2.png
+++ /dev/null
Binary files differ
diff --git a/odl-aaa-moon/commons/federation/README b/odl-aaa-moon/commons/federation/README
deleted file mode 100644
index dd9cdbf0..00000000
--- a/odl-aaa-moon/commons/federation/README
+++ /dev/null
@@ -1,271 +0,0 @@
-README
-===============================================================================
-Federated AAA is deployed using several config files. This file explains a
-simple scenario utilizing two servers:
-a) ipa.example.com
- - Runs the IPA Server Software
-b) odl.example.com
- - Runs the IPA Client Software
- - Runs an Apache proxy frontend (AuthN through mod_lookup_identity.so)
- - Runs ODL
-
-This setup for this scenario is illustrated in Figure 1 below:
-
- -----------------------
- | odl.example.com |
- | (Fedora 20 Linux) |
- | |
- | ------------------- |
- | | ODL Jetty Server | |
- | | (Port 8181 & 8383)| |
- | ------------------- |
- | ^ . |
- | . (Apache . | SSSD Requests/Responses
- | . Reverse . | /
- | . Proxy) . | /
- | . v | /
- | ------------------- | | ------------------
- | | Apache |<|..................| ipa.example.com |
- | | (Port 80) |.|.................>| (FreeIPA |
- | ------------------- | | Kerberos And |
- | ______________________| | LDAP) |
- ------------------
-Figure 1: Shows the setup for a simple Federated AAA use case utilizing
-FreeIPA as an identity provider.
-
-
-These instructions were written for Fedora 20, since SSSD is unique to RHEL based
-distributions. SSSD is NOT a requirement for Federation though; you can use
-any supported linux flavor. At this time, SSSD is the only Filter available
-with regards to capturing IdP attributes that can be used in making advanced mapping
-decisions (such as IdP group membership information).
-
-
-
-1) Install FreeIPA Server on ipa.example.com. This is achieved through running:
-# yum install freeipa-server bind bind-dyndb-ldap
-# ipa-server-intall
-
-
-
-2) Add a FreeIPA user called testuser:
-$ kinit admin@EXAMPLE.COM
-$ ipa group-add odl_users --desc "ODL Users"
-$ ipa group-add odl_admin --desc "ODL Admin"
-$ ipa user-add testuser --first Test --last USER --email test.user@example.com
-$ ipa group-add-member odl_users --user testuser
-$ ipa group-add-member odl_admin --user testuser
-
-
-
-3) Install FreeIPA Client on odl.example.com. This is achieved through running:
-# yum install freeipa-client
-# ipa-client-install
-
-
-
-4) Set up Client keytab for HTTP access on odl.example.com:
-# ipa-getkeytab -p HTTP/odl.brcd-sssd-tb.com@BRCD-SSSD-TB.COM \
- -s freeipa.brcd-sssd-tb.com -k /etc/krb5.keytab
-# chmod 644 /etc/krb5.keytab
-NOTE: The second command allows Apache to read the keytab. There are more
-secure methods to support such access through SELINUX, but they are outside
-the scope of this tutorial.
-
-
-
-5) Install Apache on odl.example.com. This is achieved through running:
-# yum install httpd
-
-
-
-6) Create an Apache application to broker federation between ODL and FreeIPA.
-Create the following file on odl.example.com:
-
-[root@odl /]# cat /etc/httpd/conf.d/my_app.conf
-<Location "/*">
- AuthType Kerberos
- AuthName "Kerberos Login"
- KrbMethodNegotiate On
- KrbMethodK5Passwd on
- KrbAuthRealms EXAMPLE.COM
- Krb5KeyTab /etc/krb5.keytab
- require valid-user
-</Location>
-
-
-<LocationMatch "/*">
-
- RequestHeader set X-SSSD-REMOTE_USER expr=%{REMOTE_USER}
- RequestHeader set X-SSSD-AUTH_TYPE expr=%{AUTH_TYPE}
- RequestHeader set X-SSSD-REMOTE_HOST expr=%{REMOTE_HOST}
- RequestHeader set X-SSSD-REMOTE_ADDR expr=%{REMOTE_ADDR}
- LookupUserAttr mail REMOTE_USER_EMAIL
- RequestHeader set X-SSSD-REMOTE_USER_EMAIL %{REMOTE_USER_EMAIL}e
- LookupUserAttr givenname REMOTE_USER_FIRSTNAME
- RequestHeader set X-SSSD-REMOTE_USER_FIRSTNAME %{REMOTE_USER_FIRSTNAME}e
- LookupUserAttr sn REMOTE_USER_LASTNAME
- RequestHeader set X-SSSD-REMOTE_USER_LASTNAME %{REMOTE_USER_LASTNAME}e
- LookupUserGroups REMOTE_USER_GROUPS ":"
- RequestHeader set X-SSSD-REMOTE_USER_GROUPS %{REMOTE_USER_GROUPS}e
-</LocationMatch>
-
-ProxyPass / http://localhost:8383/
-ProxyPassReverse / http://localhost:8383/
-
-
-
-7) Install the ODL distribution in the /opt folder on odl.example.com.
-
-
-
-8) Add a federation connector to the jetty server hosting ODL on
-odl.example.com:
-
-[user@odl distribution]$ cat etc/jetty.xml
-<?xml version="1.0"?>
-<!DOCTYPE Configure PUBLIC "-//Mort Bay Consulting//
-DTD Configure//EN" "http://jetty.mortbay.org/configure.dtd">
-
-<Configure class="org.eclipse.jetty.server.Server">
-
- <!-- =========================================================== -->
- <!-- Set connectors -->
- <!-- =========================================================== -->
- <!-- One of each type! -->
- <!-- =========================================================== -->
-
- <!-- Use this connector for many frequently idle connections and for
- threadless continuations. -->
- <Call name="addConnector">
- <Arg>
- <New class="org.eclipse.jetty.server.nio.SelectChannelConnector">
- <Set name="host">
- <Property name="jetty.host" />
- </Set>
- <Set name="port">
- <Property name="jetty.port" default="8181" />
- </Set>
- <Set name="maxIdleTime">300000</Set>
- <Set name="Acceptors">2</Set>
- <Set name="statsOn">false</Set>
- <Set name="confidentialPort">8443</Set>
- <Set name="lowResourcesConnections">20000</Set>
- <Set name="lowResourcesMaxIdleTime">5000</Set>
- </New>
- </Arg>
- </Call>
- <!-- Trusted Authentication Federation proxy connection -->
- <Call name="addConnector">
- <Arg>
- <New class="org.eclipse.jetty.server.nio.SelectChannelConnector">
- <Set name="host">127.0.0.1</Set>
- <Set name="port">8383</Set>
- <Set name="maxIdleTime">300000</Set>
- <Set name="Acceptors">2</Set>
- <Set name="statsOn">false</Set>
- <Set name="confidentialPort">8445</Set>
- <Set name="name">federationConn</Set>
- <Set name="lowResourcesConnections">20000</Set>
- <Set name="lowResourcesMaxIdleTime">5000</Set>
- </New>
- </Arg>
- </Call>
- <!-- =========================================================== -->
- <!-- Configure Authentication Realms -->
- <!-- Realms may be configured for the entire server here, or -->
- <!-- they can be configured for a specific web app in a context -->
- <!-- configuration (see $(jetty.home)/contexts/test.xml for an -->
- <!-- example). -->
- <!-- =========================================================== -->
- <Call name="addBean">
- <Arg>
- <New class="org.eclipse.jetty.plus.jaas.JAASLoginService">
- <Set name="name">karaf</Set>
- <Set name="loginModuleName">karaf</Set>
- <Set name="roleClassNames">
- <Array type="java.lang.String">
- <Item>org.apache.karaf.jaas.boot.principal.RolePrincipal
- </Item>
- </Array>
- </Set>
- </New>
- </Arg>
- </Call>
- <Call name="addBean">
- <Arg>
- <New class="org.eclipse.jetty.plus.jaas.JAASLoginService">
- <Set name="name">default</Set>
- <Set name="loginModuleName">karaf</Set>
- <Set name="roleClassNames">
- <Array type="java.lang.String">
- <Item>org.apache.karaf.jaas.boot.principal.RolePrincipal
- </Item>
- </Array>
- </Set>
- </New>
- </Arg>
- </Call>
-</Configure>
-
-
-
-9) Add the idp_mapping rules file on odl.example.com
-
-[user@odl distribution]$ cat etc/idp_mapping_rules.json
-[
- {
- "mapping":{
- "ClientId":"1",
- "UserId":"1",
- "User":"admin",
- "Domain":"BRCD-SSSD-TB.COM",
- "roles":"$roles"
- },
- "statement_blocks":[
- [
- [
- "set",
- "$groups",
- [
-
- ]
- ],
- [
- "set",
- "$roles",
- [
- "admin",
- "user"
- ]
- ]
- ]
- ]
- }
-]
-
-NOTE: This is a very basic mapping example in which all federated users are
-mapped into the default "admin" account.
-
-
-
-10) Start ODL and install the following features on odl.example.com:
-# bin/karaf
-karaf> feature:install odl-aaa-authn-sssd-no-cluster odl-restconf
-
-
-
-11) Get a refresh_token on odl.example.com through Apache proxy port (80 forwarded to 8383):
-[user@odl distribution]$ kinit testuser
-[user@odl distribution]$ curl -s --negotiate -u : -X POST http://odl.example.com/oauth2/federation/
-
-
-
-12) Obtain an access_token on odl.example.com through normal port (8181):
-[user@odl distribution]$ curl -s -d 'grant_type=refresh_token&refresh_token=<PUT RESULT FROM ABOVE STEP HERE>&scope=sdn' http://odl.example.com:8181/oauth2/token
-
-
-
-13) Use the access_token to make authenticated rest calls from odl.example.com through normal port (8181):
-[user@odl distribution]$ curl -s -H 'Authorization: Bearer <PUT RESULT FROM ABOVE STEP HERE>' http://odl.brcd-sssd-tb.com:8181/restconf/streams/
-
diff --git a/odl-aaa-moon/commons/federation/idp_mapping_rules.json.example b/odl-aaa-moon/commons/federation/idp_mapping_rules.json.example
deleted file mode 100644
index 98bacb0a..00000000
--- a/odl-aaa-moon/commons/federation/idp_mapping_rules.json.example
+++ /dev/null
@@ -1,30 +0,0 @@
-[
- {
- "mapping":{
- "ClientId":"1",
- "UserId":"1",
- "User":"admin",
- "Domain":"BRCD-SSSD-TB.COM",
- "roles":"$roles"
- },
- "statement_blocks":[
- [
- [
- "set",
- "$groups",
- [
-
- ]
- ],
- [
- "set",
- "$roles",
- [
- "admin",
- "user"
- ]
- ]
- ]
- ]
- }
-]
diff --git a/odl-aaa-moon/commons/federation/jetty.xml.example b/odl-aaa-moon/commons/federation/jetty.xml.example
deleted file mode 100644
index c4cb2a7d..00000000
--- a/odl-aaa-moon/commons/federation/jetty.xml.example
+++ /dev/null
@@ -1,85 +0,0 @@
-<?xml version="1.0"?>
-<!DOCTYPE Configure PUBLIC "-//Mort Bay Consulting//
-DTD Configure//EN" "http://jetty.mortbay.org/configure.dtd">
-
-<Configure class="org.eclipse.jetty.server.Server">
-
- <!-- =========================================================== -->
- <!-- Set connectors -->
- <!-- =========================================================== -->
- <!-- One of each type! -->
- <!-- =========================================================== -->
-
- <!-- Use this connector for many frequently idle connections and for
- threadless continuations. -->
- <Call name="addConnector">
- <Arg>
- <New class="org.eclipse.jetty.server.nio.SelectChannelConnector">
- <Set name="host">
- <Property name="jetty.host" />
- </Set>
- <Set name="port">
- <Property name="jetty.port" default="8181" />
- </Set>
- <Set name="maxIdleTime">300000</Set>
- <Set name="Acceptors">2</Set>
- <Set name="statsOn">false</Set>
- <Set name="confidentialPort">8443</Set>
- <Set name="lowResourcesConnections">20000</Set>
- <Set name="lowResourcesMaxIdleTime">5000</Set>
- </New>
- </Arg>
- </Call>
- <!-- Trusted Authentication Federation proxy connection -->
- <Call name="addConnector">
- <Arg>
- <New class="org.eclipse.jetty.server.nio.SelectChannelConnector">
- <Set name="host">127.0.0.1</Set>
- <Set name="port">8383</Set>
- <Set name="maxIdleTime">300000</Set>
- <Set name="Acceptors">2</Set>
- <Set name="statsOn">false</Set>
- <Set name="confidentialPort">8445</Set>
- <Set name="name">federationConn</Set>
- <Set name="lowResourcesConnections">20000</Set>
- <Set name="lowResourcesMaxIdleTime">5000</Set>
- </New>
- </Arg>
- </Call>
- <!-- =========================================================== -->
- <!-- Configure Authentication Realms -->
- <!-- Realms may be configured for the entire server here, or -->
- <!-- they can be configured for a specific web app in a context -->
- <!-- configuration (see $(jetty.home)/contexts/test.xml for an -->
- <!-- example). -->
- <!-- =========================================================== -->
- <Call name="addBean">
- <Arg>
- <New class="org.eclipse.jetty.plus.jaas.JAASLoginService">
- <Set name="name">karaf</Set>
- <Set name="loginModuleName">karaf</Set>
- <Set name="roleClassNames">
- <Array type="java.lang.String">
- <Item>org.apache.karaf.jaas.boot.principal.RolePrincipal
- </Item>
- </Array>
- </Set>
- </New>
- </Arg>
- </Call>
- <Call name="addBean">
- <Arg>
- <New class="org.eclipse.jetty.plus.jaas.JAASLoginService">
- <Set name="name">default</Set>
- <Set name="loginModuleName">karaf</Set>
- <Set name="roleClassNames">
- <Array type="java.lang.String">
- <Item>org.apache.karaf.jaas.boot.principal.RolePrincipal
- </Item>
- </Array>
- </Set>
- </New>
- </Arg>
- </Call>
-</Configure>
-
diff --git a/odl-aaa-moon/commons/federation/my_app.conf.example b/odl-aaa-moon/commons/federation/my_app.conf.example
deleted file mode 100644
index 71c8ad87..00000000
--- a/odl-aaa-moon/commons/federation/my_app.conf.example
+++ /dev/null
@@ -1,31 +0,0 @@
-LoadModule lookup_identity_module modules/mod_lookup_identity.so
-
-<Location "/*">
- AuthType Kerberos
- AuthName "Kerberos Login"
- KrbMethodNegotiate On
- KrbMethodK5Passwd on
- KrbAuthRealms EXAMPLE.COM
- Krb5KeyTab /etc/krb5.keytab
- require valid-user
-</Location>
-
-
-<LocationMatch "/*">
-
- RequestHeader set X-SSSD-REMOTE_USER expr=%{REMOTE_USER}
- RequestHeader set X-SSSD-AUTH_TYPE expr=%{AUTH_TYPE}
- RequestHeader set X-SSSD-REMOTE_HOST expr=%{REMOTE_HOST}
- RequestHeader set X-SSSD-REMOTE_ADDR expr=%{REMOTE_ADDR}
- LookupUserAttr mail REMOTE_USER_EMAIL
- RequestHeader set X-SSSD-REMOTE_USER_EMAIL %{REMOTE_USER_EMAIL}e
- LookupUserAttr givenname REMOTE_USER_FIRSTNAME
- RequestHeader set X-SSSD-REMOTE_USER_FIRSTNAME %{REMOTE_USER_FIRSTNAME}e
- LookupUserAttr sn REMOTE_USER_LASTNAME
- RequestHeader set X-SSSD-REMOTE_USER_LASTNAME %{REMOTE_USER_LASTNAME}e
- LookupUserGroups REMOTE_USER_GROUPS ":"
- RequestHeader set X-SSSD-REMOTE_USER_GROUPS %{REMOTE_USER_GROUPS}e
-</LocationMatch>
-
-ProxyPass / http://localhost:8383/
-ProxyPassReverse / http://localhost:8383/
diff --git a/odl-aaa-moon/commons/postman_examples/AAA_AuthZ_MDSAL.json.postman_collection b/odl-aaa-moon/commons/postman_examples/AAA_AuthZ_MDSAL.json.postman_collection
deleted file mode 100644
index 15193a70..00000000
--- a/odl-aaa-moon/commons/postman_examples/AAA_AuthZ_MDSAL.json.postman_collection
+++ /dev/null
@@ -1,77 +0,0 @@
-{
- "id": "273974a1-2df8-b0a6-57f9-1397cd1628d7",
- "name": "AAA AuthZ MDSAL",
- "description": "This Postman collection contains some of the common operations that are necessary to \"provision\" authorization services on top of ODL.",
- "order": [
- "7959a1f4-703a-417a-9d4c-70ab56c0e57f",
- "262c9b05-04a6-8dfa-5eb3-c9f9f90b3c4a",
- "4df58109-fd50-dbdf-b982-7e59d3475544"
- ],
- "folders": [],
- "timestamp": 1439405060911,
- "owner": 0,
- "remoteLink": "",
- "public": false,
- "requests": [
- {
- "id": "262c9b05-04a6-8dfa-5eb3-c9f9f90b3c4a",
- "headers": "Authorization: Basic YWRtaW46YWRtaW4=\n",
- "url": "http://localhost:8181/restconf/config/authorization-schema:simple-authorization/policies/RestConfService/",
- "pathVariables": {},
- "preRequestScript": "",
- "method": "GET",
- "collectionId": "273974a1-2df8-b0a6-57f9-1397cd1628d7",
- "data": [],
- "dataMode": "raw",
- "name": "Get configuration authorization schema with admin role",
- "description": "",
- "descriptionFormat": "html",
- "time": 1439405954342,
- "version": 2,
- "responses": [],
- "tests": "",
- "currentHelper": "normal",
- "helperAttributes": {},
- "rawModeData": ""
- },
- {
- "id": "4df58109-fd50-dbdf-b982-7e59d3475544",
- "headers": "Authorization: Basic dXNlcjp1c2Vy\n",
- "url": "http://localhost:8181/restconf/config/authorization-schema:simple-authorization/policies/RestConfService/",
- "preRequestScript": "",
- "pathVariables": {},
- "method": "GET",
- "data": [],
- "dataMode": "params",
- "version": 2,
- "tests": "",
- "currentHelper": "normal",
- "helperAttributes": {},
- "time": 1439406616859,
- "name": "Get configuration authorization schema with user role",
- "description": "",
- "collectionId": "273974a1-2df8-b0a6-57f9-1397cd1628d7",
- "responses": []
- },
- {
- "id": "7959a1f4-703a-417a-9d4c-70ab56c0e57f",
- "headers": "Authorization: Basic YWRtaW46YWRtaW4=\nContent-Type: application/json\n",
- "url": "http://localhost:8181/restconf/config/authorization-schema:simple-authorization/policies/RestConfService/",
- "preRequestScript": "",
- "pathVariables": {},
- "method": "PUT",
- "data": [],
- "dataMode": "raw",
- "version": 2,
- "tests": "",
- "currentHelper": "normal",
- "helperAttributes": {},
- "time": 1439405844861,
- "name": "Secure RestConfService for admin role",
- "description": "",
- "collectionId": "273974a1-2df8-b0a6-57f9-1397cd1628d7",
- "responses": [],
- "rawModeData": "{\n \"policies\": {\n \"resource\": \"*\",\n \"service\":\"RestConfService\",\n \"role\": \"admin\"\n }\n}"
- }
- ]
-} \ No newline at end of file