From adf7e6616c2a8d6f60207059288423f693509928 Mon Sep 17 00:00:00 2001 From: DUVAL Thomas Date: Thu, 16 Jun 2016 14:50:31 +0200 Subject: Add new version of aaa Change-Id: I94d72011e6019e66c98f46d11436a5cb33ff295d --- odl-aaa-moon/aaa/commons/federation/README | 271 +++++++++++++++++++++ .../federation/idp_mapping_rules.json.example | 30 +++ .../aaa/commons/federation/jetty.xml.example | 85 +++++++ .../aaa/commons/federation/my_app.conf.example | 31 +++ 4 files changed, 417 insertions(+) create mode 100644 odl-aaa-moon/aaa/commons/federation/README create mode 100644 odl-aaa-moon/aaa/commons/federation/idp_mapping_rules.json.example create mode 100644 odl-aaa-moon/aaa/commons/federation/jetty.xml.example create mode 100644 odl-aaa-moon/aaa/commons/federation/my_app.conf.example (limited to 'odl-aaa-moon/aaa/commons/federation') diff --git a/odl-aaa-moon/aaa/commons/federation/README b/odl-aaa-moon/aaa/commons/federation/README new file mode 100644 index 00000000..dd9cdbf0 --- /dev/null +++ b/odl-aaa-moon/aaa/commons/federation/README @@ -0,0 +1,271 @@ +README +=============================================================================== +Federated AAA is deployed using several config files. This file explains a +simple scenario utilizing two servers: +a) ipa.example.com + - Runs the IPA Server Software +b) odl.example.com + - Runs the IPA Client Software + - Runs an Apache proxy frontend (AuthN through mod_lookup_identity.so) + - Runs ODL + +This setup for this scenario is illustrated in Figure 1 below: + + ----------------------- + | odl.example.com | + | (Fedora 20 Linux) | + | | + | ------------------- | + | | ODL Jetty Server | | + | | (Port 8181 & 8383)| | + | ------------------- | + | ^ . | + | . (Apache . | SSSD Requests/Responses + | . Reverse . | / + | . Proxy) . | / + | . v | / + | ------------------- | | ------------------ + | | Apache |<|..................| ipa.example.com | + | | (Port 80) |.|.................>| (FreeIPA | + | ------------------- | | Kerberos And | + | ______________________| | LDAP) | + ------------------ +Figure 1: Shows the setup for a simple Federated AAA use case utilizing +FreeIPA as an identity provider. + + +These instructions were written for Fedora 20, since SSSD is unique to RHEL based +distributions. SSSD is NOT a requirement for Federation though; you can use +any supported linux flavor. At this time, SSSD is the only Filter available +with regards to capturing IdP attributes that can be used in making advanced mapping +decisions (such as IdP group membership information). + + + +1) Install FreeIPA Server on ipa.example.com. This is achieved through running: +# yum install freeipa-server bind bind-dyndb-ldap +# ipa-server-intall + + + +2) Add a FreeIPA user called testuser: +$ kinit admin@EXAMPLE.COM +$ ipa group-add odl_users --desc "ODL Users" +$ ipa group-add odl_admin --desc "ODL Admin" +$ ipa user-add testuser --first Test --last USER --email test.user@example.com +$ ipa group-add-member odl_users --user testuser +$ ipa group-add-member odl_admin --user testuser + + + +3) Install FreeIPA Client on odl.example.com. This is achieved through running: +# yum install freeipa-client +# ipa-client-install + + + +4) Set up Client keytab for HTTP access on odl.example.com: +# ipa-getkeytab -p HTTP/odl.brcd-sssd-tb.com@BRCD-SSSD-TB.COM \ + -s freeipa.brcd-sssd-tb.com -k /etc/krb5.keytab +# chmod 644 /etc/krb5.keytab +NOTE: The second command allows Apache to read the keytab. There are more +secure methods to support such access through SELINUX, but they are outside +the scope of this tutorial. + + + +5) Install Apache on odl.example.com. This is achieved through running: +# yum install httpd + + + +6) Create an Apache application to broker federation between ODL and FreeIPA. +Create the following file on odl.example.com: + +[root@odl /]# cat /etc/httpd/conf.d/my_app.conf + + AuthType Kerberos + AuthName "Kerberos Login" + KrbMethodNegotiate On + KrbMethodK5Passwd on + KrbAuthRealms EXAMPLE.COM + Krb5KeyTab /etc/krb5.keytab + require valid-user + + + + + + RequestHeader set X-SSSD-REMOTE_USER expr=%{REMOTE_USER} + RequestHeader set X-SSSD-AUTH_TYPE expr=%{AUTH_TYPE} + RequestHeader set X-SSSD-REMOTE_HOST expr=%{REMOTE_HOST} + RequestHeader set X-SSSD-REMOTE_ADDR expr=%{REMOTE_ADDR} + LookupUserAttr mail REMOTE_USER_EMAIL + RequestHeader set X-SSSD-REMOTE_USER_EMAIL %{REMOTE_USER_EMAIL}e + LookupUserAttr givenname REMOTE_USER_FIRSTNAME + RequestHeader set X-SSSD-REMOTE_USER_FIRSTNAME %{REMOTE_USER_FIRSTNAME}e + LookupUserAttr sn REMOTE_USER_LASTNAME + RequestHeader set X-SSSD-REMOTE_USER_LASTNAME %{REMOTE_USER_LASTNAME}e + LookupUserGroups REMOTE_USER_GROUPS ":" + RequestHeader set X-SSSD-REMOTE_USER_GROUPS %{REMOTE_USER_GROUPS}e + + +ProxyPass / http://localhost:8383/ +ProxyPassReverse / http://localhost:8383/ + + + +7) Install the ODL distribution in the /opt folder on odl.example.com. + + + +8) Add a federation connector to the jetty server hosting ODL on +odl.example.com: + +[user@odl distribution]$ cat etc/jetty.xml + + + + + + + + + + + + + + + + + + + + + + 300000 + 2 + false + 8443 + 20000 + 5000 + + + + + + + + 127.0.0.1 + 8383 + 300000 + 2 + false + 8445 + federationConn + 20000 + 5000 + + + + + + + + + + + + + + karaf + karaf + + + org.apache.karaf.jaas.boot.principal.RolePrincipal + + + + + + + + + + default + karaf + + + org.apache.karaf.jaas.boot.principal.RolePrincipal + + + + + + + + + + +9) Add the idp_mapping rules file on odl.example.com + +[user@odl distribution]$ cat etc/idp_mapping_rules.json +[ + { + "mapping":{ + "ClientId":"1", + "UserId":"1", + "User":"admin", + "Domain":"BRCD-SSSD-TB.COM", + "roles":"$roles" + }, + "statement_blocks":[ + [ + [ + "set", + "$groups", + [ + + ] + ], + [ + "set", + "$roles", + [ + "admin", + "user" + ] + ] + ] + ] + } +] + +NOTE: This is a very basic mapping example in which all federated users are +mapped into the default "admin" account. + + + +10) Start ODL and install the following features on odl.example.com: +# bin/karaf +karaf> feature:install odl-aaa-authn-sssd-no-cluster odl-restconf + + + +11) Get a refresh_token on odl.example.com through Apache proxy port (80 forwarded to 8383): +[user@odl distribution]$ kinit testuser +[user@odl distribution]$ curl -s --negotiate -u : -X POST http://odl.example.com/oauth2/federation/ + + + +12) Obtain an access_token on odl.example.com through normal port (8181): +[user@odl distribution]$ curl -s -d 'grant_type=refresh_token&refresh_token=&scope=sdn' http://odl.example.com:8181/oauth2/token + + + +13) Use the access_token to make authenticated rest calls from odl.example.com through normal port (8181): +[user@odl distribution]$ curl -s -H 'Authorization: Bearer ' http://odl.brcd-sssd-tb.com:8181/restconf/streams/ + diff --git a/odl-aaa-moon/aaa/commons/federation/idp_mapping_rules.json.example b/odl-aaa-moon/aaa/commons/federation/idp_mapping_rules.json.example new file mode 100644 index 00000000..98bacb0a --- /dev/null +++ b/odl-aaa-moon/aaa/commons/federation/idp_mapping_rules.json.example @@ -0,0 +1,30 @@ +[ + { + "mapping":{ + "ClientId":"1", + "UserId":"1", + "User":"admin", + "Domain":"BRCD-SSSD-TB.COM", + "roles":"$roles" + }, + "statement_blocks":[ + [ + [ + "set", + "$groups", + [ + + ] + ], + [ + "set", + "$roles", + [ + "admin", + "user" + ] + ] + ] + ] + } +] diff --git a/odl-aaa-moon/aaa/commons/federation/jetty.xml.example b/odl-aaa-moon/aaa/commons/federation/jetty.xml.example new file mode 100644 index 00000000..c4cb2a7d --- /dev/null +++ b/odl-aaa-moon/aaa/commons/federation/jetty.xml.example @@ -0,0 +1,85 @@ + + + + + + + + + + + + + + + + + + + + + + 300000 + 2 + false + 8443 + 20000 + 5000 + + + + + + + + 127.0.0.1 + 8383 + 300000 + 2 + false + 8445 + federationConn + 20000 + 5000 + + + + + + + + + + + + + + karaf + karaf + + + org.apache.karaf.jaas.boot.principal.RolePrincipal + + + + + + + + + + default + karaf + + + org.apache.karaf.jaas.boot.principal.RolePrincipal + + + + + + + + diff --git a/odl-aaa-moon/aaa/commons/federation/my_app.conf.example b/odl-aaa-moon/aaa/commons/federation/my_app.conf.example new file mode 100644 index 00000000..71c8ad87 --- /dev/null +++ b/odl-aaa-moon/aaa/commons/federation/my_app.conf.example @@ -0,0 +1,31 @@ +LoadModule lookup_identity_module modules/mod_lookup_identity.so + + + AuthType Kerberos + AuthName "Kerberos Login" + KrbMethodNegotiate On + KrbMethodK5Passwd on + KrbAuthRealms EXAMPLE.COM + Krb5KeyTab /etc/krb5.keytab + require valid-user + + + + + + RequestHeader set X-SSSD-REMOTE_USER expr=%{REMOTE_USER} + RequestHeader set X-SSSD-AUTH_TYPE expr=%{AUTH_TYPE} + RequestHeader set X-SSSD-REMOTE_HOST expr=%{REMOTE_HOST} + RequestHeader set X-SSSD-REMOTE_ADDR expr=%{REMOTE_ADDR} + LookupUserAttr mail REMOTE_USER_EMAIL + RequestHeader set X-SSSD-REMOTE_USER_EMAIL %{REMOTE_USER_EMAIL}e + LookupUserAttr givenname REMOTE_USER_FIRSTNAME + RequestHeader set X-SSSD-REMOTE_USER_FIRSTNAME %{REMOTE_USER_FIRSTNAME}e + LookupUserAttr sn REMOTE_USER_LASTNAME + RequestHeader set X-SSSD-REMOTE_USER_LASTNAME %{REMOTE_USER_LASTNAME}e + LookupUserGroups REMOTE_USER_GROUPS ":" + RequestHeader set X-SSSD-REMOTE_USER_GROUPS %{REMOTE_USER_GROUPS}e + + +ProxyPass / http://localhost:8383/ +ProxyPassReverse / http://localhost:8383/ -- cgit 1.2.3-korg