diff options
Diffstat (limited to 'odl-aaa-moon/commons')
| -rw-r--r-- | odl-aaa-moon/commons/docs/AuthNusecases.vsd | bin | 206336 -> 0 bytes | |||
| -rw-r--r-- | odl-aaa-moon/commons/docs/direct_authn.png | bin | 22058 -> 0 bytes | |||
| -rw-r--r-- | odl-aaa-moon/commons/docs/federated_authn1.png | bin | 36542 -> 0 bytes | |||
| -rw-r--r-- | odl-aaa-moon/commons/docs/federated_authn2.png | bin | 35203 -> 0 bytes | |||
| -rw-r--r-- | odl-aaa-moon/commons/federation/README | 271 | ||||
| -rw-r--r-- | odl-aaa-moon/commons/federation/idp_mapping_rules.json.example | 30 | ||||
| -rw-r--r-- | odl-aaa-moon/commons/federation/jetty.xml.example | 85 | ||||
| -rw-r--r-- | odl-aaa-moon/commons/federation/my_app.conf.example | 31 | ||||
| -rw-r--r-- | odl-aaa-moon/commons/postman_examples/AAA_AuthZ_MDSAL.json.postman_collection | 77 |
9 files changed, 0 insertions, 494 deletions
diff --git a/odl-aaa-moon/commons/docs/AuthNusecases.vsd b/odl-aaa-moon/commons/docs/AuthNusecases.vsd Binary files differdeleted file mode 100644 index ddd59fb3..00000000 --- a/odl-aaa-moon/commons/docs/AuthNusecases.vsd +++ /dev/null diff --git a/odl-aaa-moon/commons/docs/direct_authn.png b/odl-aaa-moon/commons/docs/direct_authn.png Binary files differdeleted file mode 100644 index f63f038e..00000000 --- a/odl-aaa-moon/commons/docs/direct_authn.png +++ /dev/null diff --git a/odl-aaa-moon/commons/docs/federated_authn1.png b/odl-aaa-moon/commons/docs/federated_authn1.png Binary files differdeleted file mode 100644 index 199f6f4d..00000000 --- a/odl-aaa-moon/commons/docs/federated_authn1.png +++ /dev/null diff --git a/odl-aaa-moon/commons/docs/federated_authn2.png b/odl-aaa-moon/commons/docs/federated_authn2.png Binary files differdeleted file mode 100644 index b71e9aa7..00000000 --- a/odl-aaa-moon/commons/docs/federated_authn2.png +++ /dev/null diff --git a/odl-aaa-moon/commons/federation/README b/odl-aaa-moon/commons/federation/README deleted file mode 100644 index dd9cdbf0..00000000 --- a/odl-aaa-moon/commons/federation/README +++ /dev/null @@ -1,271 +0,0 @@ -README -=============================================================================== -Federated AAA is deployed using several config files. This file explains a -simple scenario utilizing two servers: -a) ipa.example.com - - Runs the IPA Server Software -b) odl.example.com - - Runs the IPA Client Software - - Runs an Apache proxy frontend (AuthN through mod_lookup_identity.so) - - Runs ODL - -This setup for this scenario is illustrated in Figure 1 below: - - ----------------------- - | odl.example.com | - | (Fedora 20 Linux) | - | | - | ------------------- | - | | ODL Jetty Server | | - | | (Port 8181 & 8383)| | - | ------------------- | - | ^ . | - | . (Apache . | SSSD Requests/Responses - | . Reverse . | / - | . Proxy) . | / - | . v | / - | ------------------- | | ------------------ - | | Apache |<|..................| ipa.example.com | - | | (Port 80) |.|.................>| (FreeIPA | - | ------------------- | | Kerberos And | - | ______________________| | LDAP) | - ------------------ -Figure 1: Shows the setup for a simple Federated AAA use case utilizing -FreeIPA as an identity provider. - - -These instructions were written for Fedora 20, since SSSD is unique to RHEL based -distributions. SSSD is NOT a requirement for Federation though; you can use -any supported linux flavor. At this time, SSSD is the only Filter available -with regards to capturing IdP attributes that can be used in making advanced mapping -decisions (such as IdP group membership information). - - - -1) Install FreeIPA Server on ipa.example.com. This is achieved through running: -# yum install freeipa-server bind bind-dyndb-ldap -# ipa-server-intall - - - -2) Add a FreeIPA user called testuser: -$ kinit admin@EXAMPLE.COM -$ ipa group-add odl_users --desc "ODL Users" -$ ipa group-add odl_admin --desc "ODL Admin" -$ ipa user-add testuser --first Test --last USER --email test.user@example.com -$ ipa group-add-member odl_users --user testuser -$ ipa group-add-member odl_admin --user testuser - - - -3) Install FreeIPA Client on odl.example.com. This is achieved through running: -# yum install freeipa-client -# ipa-client-install - - - -4) Set up Client keytab for HTTP access on odl.example.com: -# ipa-getkeytab -p HTTP/odl.brcd-sssd-tb.com@BRCD-SSSD-TB.COM \ - -s freeipa.brcd-sssd-tb.com -k /etc/krb5.keytab -# chmod 644 /etc/krb5.keytab -NOTE: The second command allows Apache to read the keytab. There are more -secure methods to support such access through SELINUX, but they are outside -the scope of this tutorial. - - - -5) Install Apache on odl.example.com. This is achieved through running: -# yum install httpd - - - -6) Create an Apache application to broker federation between ODL and FreeIPA. -Create the following file on odl.example.com: - -[root@odl /]# cat /etc/httpd/conf.d/my_app.conf -<Location "/*"> - AuthType Kerberos - AuthName "Kerberos Login" - KrbMethodNegotiate On - KrbMethodK5Passwd on - KrbAuthRealms EXAMPLE.COM - Krb5KeyTab /etc/krb5.keytab - require valid-user -</Location> - - -<LocationMatch "/*"> - - RequestHeader set X-SSSD-REMOTE_USER expr=%{REMOTE_USER} - RequestHeader set X-SSSD-AUTH_TYPE expr=%{AUTH_TYPE} - RequestHeader set X-SSSD-REMOTE_HOST expr=%{REMOTE_HOST} - RequestHeader set X-SSSD-REMOTE_ADDR expr=%{REMOTE_ADDR} - LookupUserAttr mail REMOTE_USER_EMAIL - RequestHeader set X-SSSD-REMOTE_USER_EMAIL %{REMOTE_USER_EMAIL}e - LookupUserAttr givenname REMOTE_USER_FIRSTNAME - RequestHeader set X-SSSD-REMOTE_USER_FIRSTNAME %{REMOTE_USER_FIRSTNAME}e - LookupUserAttr sn REMOTE_USER_LASTNAME - RequestHeader set X-SSSD-REMOTE_USER_LASTNAME %{REMOTE_USER_LASTNAME}e - LookupUserGroups REMOTE_USER_GROUPS ":" - RequestHeader set X-SSSD-REMOTE_USER_GROUPS %{REMOTE_USER_GROUPS}e -</LocationMatch> - -ProxyPass / http://localhost:8383/ -ProxyPassReverse / http://localhost:8383/ - - - -7) Install the ODL distribution in the /opt folder on odl.example.com. - - - -8) Add a federation connector to the jetty server hosting ODL on -odl.example.com: - -[user@odl distribution]$ cat etc/jetty.xml -<?xml version="1.0"?> -<!DOCTYPE Configure PUBLIC "-//Mort Bay Consulting// -DTD Configure//EN" "http://jetty.mortbay.org/configure.dtd"> - -<Configure class="org.eclipse.jetty.server.Server"> - - <!-- =========================================================== --> - <!-- Set connectors --> - <!-- =========================================================== --> - <!-- One of each type! --> - <!-- =========================================================== --> - - <!-- Use this connector for many frequently idle connections and for - threadless continuations. --> - <Call name="addConnector"> - <Arg> - <New class="org.eclipse.jetty.server.nio.SelectChannelConnector"> - <Set name="host"> - <Property name="jetty.host" /> - </Set> - <Set name="port"> - <Property name="jetty.port" default="8181" /> - </Set> - <Set name="maxIdleTime">300000</Set> - <Set name="Acceptors">2</Set> - <Set name="statsOn">false</Set> - <Set name="confidentialPort">8443</Set> - <Set name="lowResourcesConnections">20000</Set> - <Set name="lowResourcesMaxIdleTime">5000</Set> - </New> - </Arg> - </Call> - <!-- Trusted Authentication Federation proxy connection --> - <Call name="addConnector"> - <Arg> - <New class="org.eclipse.jetty.server.nio.SelectChannelConnector"> - <Set name="host">127.0.0.1</Set> - <Set name="port">8383</Set> - <Set name="maxIdleTime">300000</Set> - <Set name="Acceptors">2</Set> - <Set name="statsOn">false</Set> - <Set name="confidentialPort">8445</Set> - <Set name="name">federationConn</Set> - <Set name="lowResourcesConnections">20000</Set> - <Set name="lowResourcesMaxIdleTime">5000</Set> - </New> - </Arg> - </Call> - <!-- =========================================================== --> - <!-- Configure Authentication Realms --> - <!-- Realms may be configured for the entire server here, or --> - <!-- they can be configured for a specific web app in a context --> - <!-- configuration (see $(jetty.home)/contexts/test.xml for an --> - <!-- example). --> - <!-- =========================================================== --> - <Call name="addBean"> - <Arg> - <New class="org.eclipse.jetty.plus.jaas.JAASLoginService"> - <Set name="name">karaf</Set> - <Set name="loginModuleName">karaf</Set> - <Set name="roleClassNames"> - <Array type="java.lang.String"> - <Item>org.apache.karaf.jaas.boot.principal.RolePrincipal - </Item> - </Array> - </Set> - </New> - </Arg> - </Call> - <Call name="addBean"> - <Arg> - <New class="org.eclipse.jetty.plus.jaas.JAASLoginService"> - <Set name="name">default</Set> - <Set name="loginModuleName">karaf</Set> - <Set name="roleClassNames"> - <Array type="java.lang.String"> - <Item>org.apache.karaf.jaas.boot.principal.RolePrincipal - </Item> - </Array> - </Set> - </New> - </Arg> - </Call> -</Configure> - - - -9) Add the idp_mapping rules file on odl.example.com - -[user@odl distribution]$ cat etc/idp_mapping_rules.json -[ - { - "mapping":{ - "ClientId":"1", - "UserId":"1", - "User":"admin", - "Domain":"BRCD-SSSD-TB.COM", - "roles":"$roles" - }, - "statement_blocks":[ - [ - [ - "set", - "$groups", - [ - - ] - ], - [ - "set", - "$roles", - [ - "admin", - "user" - ] - ] - ] - ] - } -] - -NOTE: This is a very basic mapping example in which all federated users are -mapped into the default "admin" account. - - - -10) Start ODL and install the following features on odl.example.com: -# bin/karaf -karaf> feature:install odl-aaa-authn-sssd-no-cluster odl-restconf - - - -11) Get a refresh_token on odl.example.com through Apache proxy port (80 forwarded to 8383): -[user@odl distribution]$ kinit testuser -[user@odl distribution]$ curl -s --negotiate -u : -X POST http://odl.example.com/oauth2/federation/ - - - -12) Obtain an access_token on odl.example.com through normal port (8181): -[user@odl distribution]$ curl -s -d 'grant_type=refresh_token&refresh_token=<PUT RESULT FROM ABOVE STEP HERE>&scope=sdn' http://odl.example.com:8181/oauth2/token - - - -13) Use the access_token to make authenticated rest calls from odl.example.com through normal port (8181): -[user@odl distribution]$ curl -s -H 'Authorization: Bearer <PUT RESULT FROM ABOVE STEP HERE>' http://odl.brcd-sssd-tb.com:8181/restconf/streams/ - diff --git a/odl-aaa-moon/commons/federation/idp_mapping_rules.json.example b/odl-aaa-moon/commons/federation/idp_mapping_rules.json.example deleted file mode 100644 index 98bacb0a..00000000 --- a/odl-aaa-moon/commons/federation/idp_mapping_rules.json.example +++ /dev/null @@ -1,30 +0,0 @@ -[ - { - "mapping":{ - "ClientId":"1", - "UserId":"1", - "User":"admin", - "Domain":"BRCD-SSSD-TB.COM", - "roles":"$roles" - }, - "statement_blocks":[ - [ - [ - "set", - "$groups", - [ - - ] - ], - [ - "set", - "$roles", - [ - "admin", - "user" - ] - ] - ] - ] - } -] diff --git a/odl-aaa-moon/commons/federation/jetty.xml.example b/odl-aaa-moon/commons/federation/jetty.xml.example deleted file mode 100644 index c4cb2a7d..00000000 --- a/odl-aaa-moon/commons/federation/jetty.xml.example +++ /dev/null @@ -1,85 +0,0 @@ -<?xml version="1.0"?> -<!DOCTYPE Configure PUBLIC "-//Mort Bay Consulting// -DTD Configure//EN" "http://jetty.mortbay.org/configure.dtd"> - -<Configure class="org.eclipse.jetty.server.Server"> - - <!-- =========================================================== --> - <!-- Set connectors --> - <!-- =========================================================== --> - <!-- One of each type! --> - <!-- =========================================================== --> - - <!-- Use this connector for many frequently idle connections and for - threadless continuations. --> - <Call name="addConnector"> - <Arg> - <New class="org.eclipse.jetty.server.nio.SelectChannelConnector"> - <Set name="host"> - <Property name="jetty.host" /> - </Set> - <Set name="port"> - <Property name="jetty.port" default="8181" /> - </Set> - <Set name="maxIdleTime">300000</Set> - <Set name="Acceptors">2</Set> - <Set name="statsOn">false</Set> - <Set name="confidentialPort">8443</Set> - <Set name="lowResourcesConnections">20000</Set> - <Set name="lowResourcesMaxIdleTime">5000</Set> - </New> - </Arg> - </Call> - <!-- Trusted Authentication Federation proxy connection --> - <Call name="addConnector"> - <Arg> - <New class="org.eclipse.jetty.server.nio.SelectChannelConnector"> - <Set name="host">127.0.0.1</Set> - <Set name="port">8383</Set> - <Set name="maxIdleTime">300000</Set> - <Set name="Acceptors">2</Set> - <Set name="statsOn">false</Set> - <Set name="confidentialPort">8445</Set> - <Set name="name">federationConn</Set> - <Set name="lowResourcesConnections">20000</Set> - <Set name="lowResourcesMaxIdleTime">5000</Set> - </New> - </Arg> - </Call> - <!-- =========================================================== --> - <!-- Configure Authentication Realms --> - <!-- Realms may be configured for the entire server here, or --> - <!-- they can be configured for a specific web app in a context --> - <!-- configuration (see $(jetty.home)/contexts/test.xml for an --> - <!-- example). --> - <!-- =========================================================== --> - <Call name="addBean"> - <Arg> - <New class="org.eclipse.jetty.plus.jaas.JAASLoginService"> - <Set name="name">karaf</Set> - <Set name="loginModuleName">karaf</Set> - <Set name="roleClassNames"> - <Array type="java.lang.String"> - <Item>org.apache.karaf.jaas.boot.principal.RolePrincipal - </Item> - </Array> - </Set> - </New> - </Arg> - </Call> - <Call name="addBean"> - <Arg> - <New class="org.eclipse.jetty.plus.jaas.JAASLoginService"> - <Set name="name">default</Set> - <Set name="loginModuleName">karaf</Set> - <Set name="roleClassNames"> - <Array type="java.lang.String"> - <Item>org.apache.karaf.jaas.boot.principal.RolePrincipal - </Item> - </Array> - </Set> - </New> - </Arg> - </Call> -</Configure> - diff --git a/odl-aaa-moon/commons/federation/my_app.conf.example b/odl-aaa-moon/commons/federation/my_app.conf.example deleted file mode 100644 index 71c8ad87..00000000 --- a/odl-aaa-moon/commons/federation/my_app.conf.example +++ /dev/null @@ -1,31 +0,0 @@ -LoadModule lookup_identity_module modules/mod_lookup_identity.so - -<Location "/*"> - AuthType Kerberos - AuthName "Kerberos Login" - KrbMethodNegotiate On - KrbMethodK5Passwd on - KrbAuthRealms EXAMPLE.COM - Krb5KeyTab /etc/krb5.keytab - require valid-user -</Location> - - -<LocationMatch "/*"> - - RequestHeader set X-SSSD-REMOTE_USER expr=%{REMOTE_USER} - RequestHeader set X-SSSD-AUTH_TYPE expr=%{AUTH_TYPE} - RequestHeader set X-SSSD-REMOTE_HOST expr=%{REMOTE_HOST} - RequestHeader set X-SSSD-REMOTE_ADDR expr=%{REMOTE_ADDR} - LookupUserAttr mail REMOTE_USER_EMAIL - RequestHeader set X-SSSD-REMOTE_USER_EMAIL %{REMOTE_USER_EMAIL}e - LookupUserAttr givenname REMOTE_USER_FIRSTNAME - RequestHeader set X-SSSD-REMOTE_USER_FIRSTNAME %{REMOTE_USER_FIRSTNAME}e - LookupUserAttr sn REMOTE_USER_LASTNAME - RequestHeader set X-SSSD-REMOTE_USER_LASTNAME %{REMOTE_USER_LASTNAME}e - LookupUserGroups REMOTE_USER_GROUPS ":" - RequestHeader set X-SSSD-REMOTE_USER_GROUPS %{REMOTE_USER_GROUPS}e -</LocationMatch> - -ProxyPass / http://localhost:8383/ -ProxyPassReverse / http://localhost:8383/ diff --git a/odl-aaa-moon/commons/postman_examples/AAA_AuthZ_MDSAL.json.postman_collection b/odl-aaa-moon/commons/postman_examples/AAA_AuthZ_MDSAL.json.postman_collection deleted file mode 100644 index 15193a70..00000000 --- a/odl-aaa-moon/commons/postman_examples/AAA_AuthZ_MDSAL.json.postman_collection +++ /dev/null @@ -1,77 +0,0 @@ -{ - "id": "273974a1-2df8-b0a6-57f9-1397cd1628d7", - "name": "AAA AuthZ MDSAL", - "description": "This Postman collection contains some of the common operations that are necessary to \"provision\" authorization services on top of ODL.", - "order": [ - "7959a1f4-703a-417a-9d4c-70ab56c0e57f", - "262c9b05-04a6-8dfa-5eb3-c9f9f90b3c4a", - "4df58109-fd50-dbdf-b982-7e59d3475544" - ], - "folders": [], - "timestamp": 1439405060911, - "owner": 0, - "remoteLink": "", - "public": false, - "requests": [ - { - "id": "262c9b05-04a6-8dfa-5eb3-c9f9f90b3c4a", - "headers": "Authorization: Basic YWRtaW46YWRtaW4=\n", - "url": "http://localhost:8181/restconf/config/authorization-schema:simple-authorization/policies/RestConfService/", - "pathVariables": {}, - "preRequestScript": "", - "method": "GET", - "collectionId": "273974a1-2df8-b0a6-57f9-1397cd1628d7", - "data": [], - "dataMode": "raw", - "name": "Get configuration authorization schema with admin role", - "description": "", - "descriptionFormat": "html", - "time": 1439405954342, - "version": 2, - "responses": [], - "tests": "", - "currentHelper": "normal", - "helperAttributes": {}, - "rawModeData": "" - }, - { - "id": "4df58109-fd50-dbdf-b982-7e59d3475544", - "headers": "Authorization: Basic dXNlcjp1c2Vy\n", - "url": "http://localhost:8181/restconf/config/authorization-schema:simple-authorization/policies/RestConfService/", - "preRequestScript": "", - "pathVariables": {}, - "method": "GET", - "data": [], - "dataMode": "params", - "version": 2, - "tests": "", - "currentHelper": "normal", - "helperAttributes": {}, - "time": 1439406616859, - "name": "Get configuration authorization schema with user role", - "description": "", - "collectionId": "273974a1-2df8-b0a6-57f9-1397cd1628d7", - "responses": [] - }, - { - "id": "7959a1f4-703a-417a-9d4c-70ab56c0e57f", - "headers": "Authorization: Basic YWRtaW46YWRtaW4=\nContent-Type: application/json\n", - "url": "http://localhost:8181/restconf/config/authorization-schema:simple-authorization/policies/RestConfService/", - "preRequestScript": "", - "pathVariables": {}, - "method": "PUT", - "data": [], - "dataMode": "raw", - "version": 2, - "tests": "", - "currentHelper": "normal", - "helperAttributes": {}, - "time": 1439405844861, - "name": "Secure RestConfService for admin role", - "description": "", - "collectionId": "273974a1-2df8-b0a6-57f9-1397cd1628d7", - "responses": [], - "rawModeData": "{\n \"policies\": {\n \"resource\": \"*\",\n \"service\":\"RestConfService\",\n \"role\": \"admin\"\n }\n}" - } - ] -}
\ No newline at end of file |
