From adf7e6616c2a8d6f60207059288423f693509928 Mon Sep 17 00:00:00 2001
From: DUVAL Thomas
Date: Thu, 16 Jun 2016 14:50:31 +0200
Subject: Add new version of aaa
Change-Id: I94d72011e6019e66c98f46d11436a5cb33ff295d
---
 odl-aaa-moon/aaa/commons/docs/AuthNusecases.vsd | Bin 0 -> 206336 bytes
 odl-aaa-moon/aaa/commons/docs/direct_authn.png | Bin 0 -> 22058 bytes
 odl-aaa-moon/aaa/commons/docs/federated_authn1.png | Bin 0 -> 36542 bytes
 odl-aaa-moon/aaa/commons/docs/federated_authn2.png | Bin 0 -> 35203 bytes
 odl-aaa-moon/aaa/commons/federation/README | 271 +++++++++++++++++++++
 .../federation/idp_mapping_rules.json.example | 30 +++
 .../aaa/commons/federation/jetty.xml.example | 85 +++++++
 .../aaa/commons/federation/my_app.conf.example | 31 +++
 .../AAA_AuthZ_MDSAL.json.postman_collection | 77 ++++++
 9 files changed, 494 insertions(+)
 create mode 100644 odl-aaa-moon/aaa/commons/docs/AuthNusecases.vsd
 create mode 100644 odl-aaa-moon/aaa/commons/docs/direct_authn.png
 create mode 100644 odl-aaa-moon/aaa/commons/docs/federated_authn1.png
 create mode 100644 odl-aaa-moon/aaa/commons/docs/federated_authn2.png
 create mode 100644 odl-aaa-moon/aaa/commons/federation/README
 create mode 100644 odl-aaa-moon/aaa/commons/federation/idp_mapping_rules.json.example
 create mode 100644 odl-aaa-moon/aaa/commons/federation/jetty.xml.example
 create mode 100644 odl-aaa-moon/aaa/commons/federation/my_app.conf.example
 create mode 100644 odl-aaa-moon/aaa/commons/postman_examples/AAA_AuthZ_MDSAL.json.postman_collection
(limited to 'odl-aaa-moon/aaa/commons')
diff --git a/odl-aaa-moon/aaa/commons/docs/AuthNusecases.vsd b/odl-aaa-moon/aaa/commons/docs/AuthNusecases.vsd
new file mode 100644
index 00000000..ddd59fb3
Binary files /dev/null and b/odl-aaa-moon/aaa/commons/docs/AuthNusecases.vsd differ
diff --git a/odl-aaa-moon/aaa/commons/docs/direct_authn.png b/odl-aaa-moon/aaa/commons/docs/direct_authn.png
new file mode 100644
index 00000000..f63f038e
Binary files /dev/null and b/odl-aaa-moon/aaa/commons/docs/direct_authn.png differ
diff --git a/odl-aaa-moon/aaa/commons/docs/federated_authn1.png b/odl-aaa-moon/aaa/commons/docs/federated_authn1.png
new file mode 100644
index 00000000..199f6f4d
Binary files /dev/null and b/odl-aaa-moon/aaa/commons/docs/federated_authn1.png differ
diff --git a/odl-aaa-moon/aaa/commons/docs/federated_authn2.png b/odl-aaa-moon/aaa/commons/docs/federated_authn2.png
new file mode 100644
index 00000000..b71e9aa7
Binary files /dev/null and b/odl-aaa-moon/aaa/commons/docs/federated_authn2.png differ
diff --git a/odl-aaa-moon/aaa/commons/federation/README b/odl-aaa-moon/aaa/commons/federation/README
new file mode 100644
index 00000000..dd9cdbf0
--- /dev/null
+++ b/odl-aaa-moon/aaa/commons/federation/README
@@ -0,0 +1,271 @@ +README +=============================================================================== +Federated AAA is deployed using several config files. This file explains a +simple scenario utilizing two servers: +a) ipa.example.com + - Runs the IPA Server Software +b) odl.example.com + - Runs the IPA Client Software + - Runs an Apache proxy frontend (AuthN through mod_lookup_identity.so) + - Runs ODL + +This setup for this scenario is illustrated in Figure 1 below: + + ----------------------- + | odl.example.com | + | (Fedora 20 Linux) | + | | + | ------------------- | + | | ODL Jetty Server | | + | | (Port 8181 & 8383)| | + | ------------------- | + | ^ . | + | . (Apache . | SSSD Requests/Responses + | . Reverse . | / + | . Proxy) . | / + | . v | / + | ------------------- | | ------------------ + | | Apache |<|..................| ipa.example.com | + | | (Port 80) |.|.................>| (FreeIPA | + | ------------------- | | Kerberos And | + | ______________________| | LDAP) | + ------------------ +Figure 1: Shows the setup for a simple Federated AAA use case utilizing +FreeIPA as an identity provider. + + +These instructions were written for Fedora 20, since SSSD is unique to RHEL based +distributions. SSSD is NOT a requirement for Federation though; you can use +any supported linux flavor. At this time, SSSD is the only Filter available +with regards to capturing IdP attributes that can be used in making advanced mapping +decisions (such as IdP group membership information). + + + +1) Install FreeIPA Server on ipa.example.com. 
This is achieved through running: +# yum install freeipa-server bind bind-dyndb-ldap +# ipa-server-intall + + + +2) Add a FreeIPA user called testuser: +$ kinit admin@EXAMPLE.COM +$ ipa group-add odl_users --desc "ODL Users" +$ ipa group-add odl_admin --desc "ODL Admin" +$ ipa user-add testuser --first Test --last USER --email test.user@example.com +$ ipa group-add-member odl_users --user testuser +$ ipa group-add-member odl_admin --user testuser + + + +3) Install FreeIPA Client on odl.example.com. This is achieved through running: +# yum install freeipa-client +# ipa-client-install + + + +4) Set up Client keytab for HTTP access on odl.example.com: +# ipa-getkeytab -p HTTP/odl.brcd-sssd-tb.com@BRCD-SSSD-TB.COM \ + -s freeipa.brcd-sssd-tb.com -k /etc/krb5.keytab +# chmod 644 /etc/krb5.keytab +NOTE: The second command allows Apache to read the keytab. There are more +secure methods to support such access through SELINUX, but they are outside +the scope of this tutorial. + + + +5) Install Apache on odl.example.com. This is achieved through running: +# yum install httpd + + + +6) Create an Apache application to broker federation between ODL and FreeIPA. 
+Create the following file on odl.example.com: + +[root@odl /]# cat /etc/httpd/conf.d/my_app.conf + + AuthType Kerberos + AuthName "Kerberos Login" + KrbMethodNegotiate On + KrbMethodK5Passwd on + KrbAuthRealms EXAMPLE.COM + Krb5KeyTab /etc/krb5.keytab + require valid-user + + + + + + RequestHeader set X-SSSD-REMOTE_USER expr=%{REMOTE_USER} + RequestHeader set X-SSSD-AUTH_TYPE expr=%{AUTH_TYPE} + RequestHeader set X-SSSD-REMOTE_HOST expr=%{REMOTE_HOST} + RequestHeader set X-SSSD-REMOTE_ADDR expr=%{REMOTE_ADDR} + LookupUserAttr mail REMOTE_USER_EMAIL + RequestHeader set X-SSSD-REMOTE_USER_EMAIL %{REMOTE_USER_EMAIL}e + LookupUserAttr givenname REMOTE_USER_FIRSTNAME + RequestHeader set X-SSSD-REMOTE_USER_FIRSTNAME %{REMOTE_USER_FIRSTNAME}e + LookupUserAttr sn REMOTE_USER_LASTNAME + RequestHeader set X-SSSD-REMOTE_USER_LASTNAME %{REMOTE_USER_LASTNAME}e + LookupUserGroups REMOTE_USER_GROUPS ":" + RequestHeader set X-SSSD-REMOTE_USER_GROUPS %{REMOTE_USER_GROUPS}e + + +ProxyPass / http://localhost:8383/ +ProxyPassReverse / http://localhost:8383/ + + + +7) Install the ODL distribution in the /opt folder on odl.example.com. 
+ + + +8) Add a federation connector to the jetty server hosting ODL on +odl.example.com: + +[user@odl distribution]$ cat etc/jetty.xml + + + + + + + + + + + + + + + + + + + + + + 300000 + 2 + false + 8443 + 20000 + 5000 + + + + + + + + 127.0.0.1 + 8383 + 300000 + 2 + false + 8445 + federationConn + 20000 + 5000 + + + + + + + + + + + + + + karaf + karaf + + + org.apache.karaf.jaas.boot.principal.RolePrincipal + + + + + + + + + + default + karaf + + + org.apache.karaf.jaas.boot.principal.RolePrincipal + + + + + + + + + + +9) Add the idp_mapping rules file on odl.example.com + +[user@odl distribution]$ cat etc/idp_mapping_rules.json +[ + { + "mapping":{ + "ClientId":"1", + "UserId":"1", + "User":"admin", + "Domain":"BRCD-SSSD-TB.COM", + "roles":"$roles" + }, + "statement_blocks":[ + [ + [ + "set", + "$groups", + [ + + ] + ], + [ + "set", + "$roles", + [ + "admin", + "user" + ] + ] + ] + ] + } +] + +NOTE: This is a very basic mapping example in which all federated users are +mapped into the default "admin" account. + + + +10) Start ODL and install the following features on odl.example.com: +# bin/karaf +karaf> feature:install odl-aaa-authn-sssd-no-cluster odl-restconf + + + +11) Get a refresh_token on odl.example.com through Apache proxy port (80 forwarded to 8383): +[user@odl distribution]$ kinit testuser +[user@odl distribution]$ curl -s --negotiate -u : -X POST http://odl.example.com/oauth2/federation/ + + + +12) Obtain an access_token on odl.example.com through normal port (8181): +[user@odl distribution]$ curl -s -d 'grant_type=refresh_token&refresh_token=&scope=sdn' http://odl.example.com:8181/oauth2/token + + + +13) Use the access_token to make authenticated rest calls from odl.example.com through normal port (8181): +[user@odl distribution]$ curl -s -H 'Authorization: Bearer ' http://odl.brcd-sssd-tb.com:8181/restconf/streams/ + 
diff --git a/odl-aaa-moon/aaa/commons/federation/idp_mapping_rules.json.example b/odl-aaa-moon/aaa/commons/federation/idp_mapping_rules.json.example new file mode 100644 index 00000000..98bacb0a --- /dev/null +++ b/odl-aaa-moon/aaa/commons/federation/idp_mapping_rules.json.example @@ -0,0 +1,30 @@ +[ + { + "mapping":{ + "ClientId":"1", + "UserId":"1", + "User":"admin", + "Domain":"BRCD-SSSD-TB.COM", + "roles":"$roles" + }, + "statement_blocks":[ + [ + [ + "set", + "$groups", + [ + + ] + ], + [ + "set", + "$roles", + [ + "admin", + "user" + ] + ] + ] + ] + } +] diff --git a/odl-aaa-moon/aaa/commons/federation/jetty.xml.example b/odl-aaa-moon/aaa/commons/federation/jetty.xml.example new file mode 100644 index 00000000..c4cb2a7d --- /dev/null +++ b/odl-aaa-moon/aaa/commons/federation/jetty.xml.example @@ -0,0 +1,85 @@ + + + + + + + + + + + + + + + + + + + + + + 300000 + 2 + false + 8443 + 20000 + 5000 + + + + + + + + 127.0.0.1 + 8383 + 300000 + 2 + false + 8445 + federationConn + 20000 + 5000 + + + + + + + + + + + + + + karaf + karaf + + + org.apache.karaf.jaas.boot.principal.RolePrincipal + + + + + + + + + + default + karaf + + + org.apache.karaf.jaas.boot.principal.RolePrincipal + + + + + + + + diff --git a/odl-aaa-moon/aaa/commons/federation/my_app.conf.example b/odl-aaa-moon/aaa/commons/federation/my_app.conf.example new file mode 100644 index 00000000..71c8ad87 --- /dev/null +++ b/odl-aaa-moon/aaa/commons/federation/my_app.conf.example 
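Review bot: The single mapping in this example assigns every federated principal to the local admin account (`"User":"admin"`, `"UserId":"1"`) and the statement block unconditionally sets `$roles` to `["admin","user"]`, so any identity the IdP can authenticate becomes an ODL administrator; `$groups` is set to an empty list and never consulted, so IdP group membership plays no part in the decision. Since `.example` files tend to be copied unchanged, the least-privilege default would be `"$roles", ["user"]` here, leaving elevation to a rule that keys on `$groups`. The README in this commit does state that all federated users land on admin, but JSON has no room for an inline comment, so a less permissive default is the only way the file itself can carry that warning.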
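Review bot: The connector named `federationConn` is bound to `127.0.0.1` on port `8383`, and that loopback binding is what makes identity headers arriving on it trustworthy, because only the local Apache proxy described in this commit's README can reach it; the file does not say so, and the surrounding element structure appears to have been lost in this rendering, so this is inferred from the visible values. An XML comment next to the host value such as `<!-- Keep bound to loopback: requests on this connector are trusted to carry identity headers set by the local Apache proxy -->` would stop a later change to a wildcard address from silently exposing the connector. Whether the `8443` and `8445` values belong to a TLS listener cannot be confirmed from what survives here.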
@@ -0,0 +1,31 @@ +LoadModule lookup_identity_module modules/mod_lookup_identity.so + + + AuthType Kerberos + AuthName "Kerberos Login" + KrbMethodNegotiate On + KrbMethodK5Passwd on + KrbAuthRealms EXAMPLE.COM + Krb5KeyTab /etc/krb5.keytab + require valid-user + + + + + + RequestHeader set X-SSSD-REMOTE_USER expr=%{REMOTE_USER} + RequestHeader set X-SSSD-AUTH_TYPE expr=%{AUTH_TYPE} + RequestHeader set X-SSSD-REMOTE_HOST expr=%{REMOTE_HOST} + RequestHeader set X-SSSD-REMOTE_ADDR expr=%{REMOTE_ADDR} + LookupUserAttr mail REMOTE_USER_EMAIL + RequestHeader set X-SSSD-REMOTE_USER_EMAIL %{REMOTE_USER_EMAIL}e + LookupUserAttr givenname REMOTE_USER_FIRSTNAME + RequestHeader set X-SSSD-REMOTE_USER_FIRSTNAME %{REMOTE_USER_FIRSTNAME}e + LookupUserAttr sn REMOTE_USER_LASTNAME + RequestHeader set X-SSSD-REMOTE_USER_LASTNAME %{REMOTE_USER_LASTNAME}e + LookupUserGroups REMOTE_USER_GROUPS ":" + RequestHeader set X-SSSD-REMOTE_USER_GROUPS %{REMOTE_USER_GROUPS}e + + +ProxyPass / http://localhost:8383/ +ProxyPassReverse / http://localhost:8383/ diff --git a/odl-aaa-moon/aaa/commons/postman_examples/AAA_AuthZ_MDSAL.json.postman_collection b/odl-aaa-moon/aaa/commons/postman_examples/AAA_AuthZ_MDSAL.json.postman_collection new file mode 100644 index 00000000..15193a70 --- /dev/null +++ b/odl-aaa-moon/aaa/commons/postman_examples/AAA_AuthZ_MDSAL.json.postman_collection 
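Review bot: Client-supplied `X-SSSD-*` headers are never stripped before `ProxyPass / http://localhost:8383/`, so if the `RequestHeader set` directives are scoped to a location block (the indentation suggests the enclosing tags were lost in this rendering), a request to any other path reaches the backend carrying whatever `X-SSSD-REMOTE_USER` or `X-SSSD-REMOTE_USER_GROUPS` value the client chose to send; whether the backend honours them outside the federation path cannot be told from this file, but unsetting them at server scope settles the question either way. `RequestHeader set` only overrides a header within its own scope, so the unsets below belong outside the block with the `early` flag, which runs before the in-scope `set` directives repopulate the headers after Kerberos authentication. Separately, `KrbMethodK5Passwd on` enables a Basic-auth fallback that carries the IPA password and the example shows no TLS configuration, so either set it to `off` or add a comment that this proxy must only be reachable over HTTPS.
```apache
LoadModule lookup_identity_module modules/mod_lookup_identity.so

# Drop any identity headers the client sent; only the values set below,
# after Kerberos authentication, may reach the backend.
RequestHeader unset X-SSSD-REMOTE_USER early
RequestHeader unset X-SSSD-AUTH_TYPE early
RequestHeader unset X-SSSD-REMOTE_HOST early
RequestHeader unset X-SSSD-REMOTE_ADDR early
RequestHeader unset X-SSSD-REMOTE_USER_EMAIL early
RequestHeader unset X-SSSD-REMOTE_USER_FIRSTNAME early
RequestHeader unset X-SSSD-REMOTE_USER_LASTNAME early
RequestHeader unset X-SSSD-REMOTE_USER_GROUPS early

# … unchanged: Kerberos auth block, RequestHeader set directives, ProxyPass …
```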
@@ -0,0 +1,77 @@ +{ + "id": "273974a1-2df8-b0a6-57f9-1397cd1628d7", + "name": "AAA AuthZ MDSAL", + "description": "This Postman collection contains some of the common operations that are necessary to \"provision\" authorization services on top of ODL.", + "order": [ + "7959a1f4-703a-417a-9d4c-70ab56c0e57f", + "262c9b05-04a6-8dfa-5eb3-c9f9f90b3c4a", + "4df58109-fd50-dbdf-b982-7e59d3475544" + ], + "folders": [], + "timestamp": 1439405060911, + "owner": 0, + "remoteLink": "", + "public": false, + "requests": [ + { + "id": "262c9b05-04a6-8dfa-5eb3-c9f9f90b3c4a", + "headers": "Authorization: Basic YWRtaW46YWRtaW4=\n", + "url": "http://localhost:8181/restconf/config/authorization-schema:simple-authorization/policies/RestConfService/", + "pathVariables": {}, + "preRequestScript": "", + "method": "GET", + "collectionId": "273974a1-2df8-b0a6-57f9-1397cd1628d7", + "data": [], + "dataMode": "raw", + "name": "Get configuration authorization schema with admin role", + "description": "", + "descriptionFormat": "html", + "time": 1439405954342, + "version": 2, + "responses": [], + "tests": "", + "currentHelper": "normal", + "helperAttributes": {}, + "rawModeData": "" + }, + { + "id": "4df58109-fd50-dbdf-b982-7e59d3475544", + "headers": "Authorization: Basic dXNlcjp1c2Vy\n", + "url": "http://localhost:8181/restconf/config/authorization-schema:simple-authorization/policies/RestConfService/", + "preRequestScript": "", + "pathVariables": {}, + "method": "GET", + "data": [], + "dataMode": "params", + "version": 2, + "tests": "", + "currentHelper": "normal", + "helperAttributes": {}, + "time": 1439406616859, + "name": "Get configuration authorization schema with user role", + "description": "", + "collectionId": "273974a1-2df8-b0a6-57f9-1397cd1628d7", + "responses": [] + }, + { + "id": "7959a1f4-703a-417a-9d4c-70ab56c0e57f", + "headers": "Authorization: Basic YWRtaW46YWRtaW4=\nContent-Type: application/json\n", + "url": 
"http://localhost:8181/restconf/config/authorization-schema:simple-authorization/policies/RestConfService/", + "preRequestScript": "", + "pathVariables": {}, + "method": "PUT", + "data": [], + "dataMode": "raw", + "version": 2, + "tests": "", + "currentHelper": "normal", + "helperAttributes": {}, + "time": 1439405844861, + "name": "Secure RestConfService for admin role", + "description": "", + "collectionId": "273974a1-2df8-b0a6-57f9-1397cd1628d7", + "responses": [], + "rawModeData": "{\n \"policies\": {\n \"resource\": \"*\",\n \"service\":\"RestConfService\",\n \"role\": \"admin\"\n }\n}" + } + ] +} \ No newline at end of file -- cgit 1.2.3-korg
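Review bot: Both `Authorization: Basic` headers embed literal credentials (`YWRtaW46YWRtaW4=` and `dXNlcjp1c2Vy` decode to the stock `admin:admin` and `user:user` logins), and the PUT request in the same collection uses the admin one to write a policy restricting `RestConfService` to the `admin` role. For a shared example this is acceptable only if it is clear that these are the distribution's default accounts for a local instance; a Postman variable such as `Authorization: Basic {{odl_admin_basic}}` would keep real credentials out of any re-exported copy of the collection. The collection-level `description` field is the natural place to state that the headers carry the default development credentials and must be replaced before the collection is used against anything else.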