From e63b03f3d7e4851e008e4bb4d184982c2c0bd229 Mon Sep 17 00:00:00 2001
From: WuKong <rebirthmonkey@gmail.com>
Date: Tue, 24 May 2016 17:13:17 +0200
Subject: odl/aaa clone

Change-Id: I2b72c16aa3245e02d985a2c6189aacee7caad36e
Signed-off-by: WuKong <rebirthmonkey@gmail.com>
---
 .../aaa-shiro/src/main/resources/shiro.ini         | 95 ++++++++++++++++++++++
 1 file changed, 95 insertions(+)
 create mode 100644 odl-aaa-moon/aaa-shiro/src/main/resources/shiro.ini

(limited to 'odl-aaa-moon/aaa-shiro/src/main/resources/shiro.ini')

diff --git a/odl-aaa-moon/aaa-shiro/src/main/resources/shiro.ini b/odl-aaa-moon/aaa-shiro/src/main/resources/shiro.ini
new file mode 100644
index 00000000..d84f9fa0
--- /dev/null
+++ b/odl-aaa-moon/aaa-shiro/src/main/resources/shiro.ini
@@ -0,0 +1,95 @@
+#
+# Copyright (c) 2015 Brocade Communications Systems, Inc. and others.  All rights reserved.
+#
+# This program and the accompanying materials are made available under the
+# terms of the Eclipse Public License v1.0 which accompanies this distribution,
+# and is available at http://www.eclipse.org/legal/epl-v10.html
+#
+
+###############################################################################
+# shiro.ini                                                                   #
+#                                                                             #
+# Configuration of OpenDaylight's aaa-shiro feature.  Provided Realm          #
+# implementations include:                                                    #
+# - TokenAuthRealm (enabled by default)                                       #
+# - ODLJndiLdapRealm (disabled by default)                                    #
+# - ODLJndiLdapRealmAuthNOnly (disabled by default)                           #
+# Basic user configuration through shiro.ini is disabled for security         #
+# purposes.                                                                   #
+###############################################################################
+
+
+
+[main]
+###############################################################################
+# realms                                                                      #
+#                                                                             #
+# This section is dedicated to setting up realms for OpenDaylight.  Realms    #
+# are essentially different methods for providing AAA.  ODL strives to provide#
+# highly-configurable AAA by providing pluggable infrastructure.  By deafult, #
+# TokenAuthRealm is enabled out of the box (which bridges to the existing AAA #
+# mechanisms).  More than one realm can be enabled, and the realms are        #
+# tried Round-Robin until:                                                    #
+# 1) a realm successfully authenticates the incoming request                  #
+# 2) all realms are exhausted, and 401 is returned                            #
+###############################################################################
+
+# ODL provides a few LDAP implementations, which are disabled out of the box.
+# ODLJndiLdapRealm includes authorization functionality based on LDAP elements
+# extracted through and LDAP search.  This requires a bit of knowledge about
+# how your LDAP system is setup.  An example is provided below:
+#ldapRealm = org.opendaylight.aaa.shiro.realm.ODLJndiLdapRealm
+#ldapRealm.userDnTemplate = uid={0},ou=People,dc=DOMAIN,dc=TLD
+#ldapRealm.contextFactory.url = ldap://<URL>:389
+#ldapRealm.searchBase = dc=DOMAIN,dc=TLD
+#ldapRealm.ldapAttributeForComparison = objectClass
+
+# ODL also provides ODLJndiLdapRealmAuthNOnly.  Essentially, this allows
+# access through AAAFilter to any user that can authenticate against the
+# provided LDAP server.
+#ldapRealm = org.opendaylight.aaa.shiro.realm.ODLJndiLdapRealmAuthNOnly
+#ldapRealm.userDnTemplate = uid={0},ou=People,dc=DOMAIN,dc=TLD
+#ldapRealm.contextFactory.url = ldap://<URL>:389
+
+# Bridge to existing h2/idmlight/mdsal authentication/authorization mechanisms.
+# This realm is enabled by default, and utilizes h2-store by default.
+tokenAuthRealm = org.opendaylight.aaa.shiro.realm.TokenAuthRealm
+moonAuthRealm = org.opendaylight.aaa.shiro.realm.MoonRealm
+
+# The CSV list of enabled realms.  In order to enable a realm, add it to the
+# list below:
+securityManager.realms = $moonAuthRealm
+
+
+# adds a custom AuthenticationFilter to support OAuth2 for backwards
+# compatibility.  To disable OAuth2 access, just comment out the next line
+# and authcBasic will default to BasicHttpAuthenticationFilter, a
+# Shiro-provided class.
+authcBasic = org.opendaylight.aaa.shiro.filters.ODLHttpAuthenticationFilter
+# OAuth2 Filer for moon token AuthN
+rest = org.opendaylight.aaa.shiro.filters.MoonOAuthFilter
+
+
+
+[urls]
+###############################################################################
+# url authorization section                                                   #
+#                                                                             #
+# This section is dedicated to defining url-based authorization according to: #
+# http://shiro.apache.org/web.html                                            #
+###############################################################################
+#Filtering REST requests with AAAFilter
+/v1/users** = authcBasic
+/v1/domains** = authcBasic
+/v1/roles** = authcBasic
+
+#Filter OAuth2 request$
+/token = rest
+
+# General access through AAAFilter requires valid credentials (AuthN only).
+/** = authcBasic
+
+# Access to the credential store is limited to the valid users who have the
+# admin role. The following line is only needed if the mdsal store is enabled
+#(the mdsal store is disabled by default).
+/config/aaa-authn-model** = authcBasic,roles[admin]
-- 
cgit 1.2.3-korg