## Welcome to the OPNFV/OpenDaylight AAA Project!
This project is aimed at providing a flexible, pluggable framework with out-of-the-box capabilities for:
* *Authentication*: Means to authenticate the identity of both human and machine users (direct or federated).
* *Authorization*: Means to authorize human or machine user access to resources including RPCs, notification subscriptions, and subsets of the datatree.
* *Accounting*: Means to record and access the records of human or machine user access to resources including RPCs, notifications, and subsets of the datatree.
### Building
*Prerequisite:* The following are required for building AAA:

- Maven 3
- Java 7

Get the code: clone the project with git.

Build it:

    cd aaa && mvn clean install -DskipTests

### Export Moon information
    export MOON_SERVER_ADDR=192.168.105.135
    export MOON_SERVER_PORT=5000

### Installing
AAA installs into an existing OpenDaylight controller Karaf installation. If you don't have an OpenDaylight installation, please refer to this [page](https://wiki.opendaylight.org/view/OpenDaylight_Controller:Installation).

Start the controller Karaf container:

    cd distribution-karaf/target/assembly/
    bin/karaf

Install AAA AuthN features:

    feature:install odl-aaa-shiro

### Running
Once the installation finishes, you can authenticate with the OpenDaylight controller by presenting a username/password and a domain name (scope) to be logged into:

    curl -s -d 'grant_type=password&username=admin&password=admin&scope=sdn' http://<controller>:<port>/moon/token

Upon successful authentication, the controller returns an access token with a configurable expiration in seconds, similar to the following:

    {"expires_in":3600,"token_type":"Bearer","access_token":"d772d85e-34c7-3099-bea5-cfafd3c747cb"}

The access token can then be used to access protected resources on the controller by passing it along in the standard HTTP Authorization header with the resource request. Example:

    curl -s -H 'Authorization: Bearer d772d85e-34c7-3099-bea5-cfafd3c747cb' http://<controller>:<port>/restconf/operational/opendaylight-inventory:nodes
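
The token request and bearer-token call described above, as a small Python client that URL-encodes the credentials and requests a new token once `expires_in` has elapsed. This is an added example, not code from the AAA project; `Token`, `build_token_request` and `AAAClient` are hypothetical names, the base URL is supplied by the caller, and the sample response is the one shown in this README.

```python
import json
import time
import urllib.parse
import urllib.request

# The token response shown in this README, reused as sample input.
SAMPLE_RESPONSE = ('{"expires_in":3600,"token_type":"Bearer",'
                   '"access_token":"d772d85e-34c7-3099-bea5-cfafd3c747cb"}')

class Token:
    """Parsed /moon/token response with a local expiry deadline."""
    def __init__(self, body, now=None, skew=30):
        data = json.loads(body)
        if str(data.get("token_type", "")).lower() != "bearer":
            raise ValueError("unexpected token_type in token response")
        self.value = data["access_token"]
        issued = time.time() if now is None else now
        # Treat the token as expired `skew` seconds early (skew is an assumption).
        self.expires_at = issued + int(data["expires_in"]) - skew

    def expired(self, now=None):
        return (time.time() if now is None else now) >= self.expires_at

    def header(self):
        return {"Authorization": "Bearer " + self.value}

def build_token_request(base_url, username, password, scope):
    """Build the password-grant POST; urlencode escapes '&', '=' and spaces."""
    form = urllib.parse.urlencode({"grant_type": "password", "username": username,
                                   "password": password, "scope": scope})
    return urllib.request.Request(base_url.rstrip("/") + "/moon/token",
                                  data=form.encode(), method="POST")

class AAAClient:
    """Hypothetical client: fetches a token on first use and again after expiry."""
    def __init__(self, base_url, username, password, scope):
        self.base_url = base_url.rstrip("/")
        self._creds = (username, password, scope)
        self._token = None

    def get(self, path):
        if self._token is None or self._token.expired():
            req = build_token_request(self.base_url, *self._creds)
            with urllib.request.urlopen(req, timeout=10) as resp:
                self._token = Token(resp.read().decode())
        req = urllib.request.Request(self.base_url + path, headers=self._token.header())
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.read().decode()
```
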
The operational state of access tokens cached in the MD-SAL can also be obtained after enabling the restconf feature:

    feature:install odl-aaa-all

It is then available at the following URL:

    http://controller:8181/restconf/operational/aaa-authn-model:tokencache/