1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
|
#
# Copyright (c) 2015 Brocade Communications Systems, Inc. and others. All rights reserved.
#
# This program and the accompanying materials are made available under the
# terms of the Eclipse Public License v1.0 which accompanies this distribution,
# and is available at http://www.eclipse.org/legal/epl-v10.html
#
###############################################################################
# shiro.ini #
# #
# Configuration of OpenDaylight's aaa-shiro feature. Provided Realm #
# implementations include: #
# - TokenAuthRealm (enabled by default) #
# - ODLJndiLdapRealm (disabled by default) #
# - ODLJndiLdapRealmAuthNOnly (disabled by default) #
# Basic user configuration through shiro.ini is disabled for security #
# purposes. #
###############################################################################
[main]
###############################################################################
# realms #
# #
# This section is dedicated to setting up realms for OpenDaylight. Realms #
# are essentially different methods for providing AAA. ODL strives to provide#
# highly-configurable AAA by providing pluggable infrastructure. By deafult, #
# TokenAuthRealm is enabled out of the box (which bridges to the existing AAA #
# mechanisms). More than one realm can be enabled, and the realms are #
# tried Round-Robin until: #
# 1) a realm successfully authenticates the incoming request #
# 2) all realms are exhausted, and 401 is returned #
###############################################################################
# ODL provides a few LDAP implementations, which are disabled out of the box.
# ODLJndiLdapRealm includes authorization functionality based on LDAP elements
# extracted through and LDAP search. This requires a bit of knowledge about
# how your LDAP system is setup. An example is provided below:
#ldapRealm = org.opendaylight.aaa.shiro.realm.ODLJndiLdapRealm
#ldapRealm.userDnTemplate = uid={0},ou=People,dc=DOMAIN,dc=TLD
#ldapRealm.contextFactory.url = ldap://<URL>:389
#ldapRealm.searchBase = dc=DOMAIN,dc=TLD
#ldapRealm.ldapAttributeForComparison = objectClass
# ODL also provides ODLJndiLdapRealmAuthNOnly. Essentially, this allows
# access through AAAFilter to any user that can authenticate against the
# provided LDAP server.
#ldapRealm = org.opendaylight.aaa.shiro.realm.ODLJndiLdapRealmAuthNOnly
#ldapRealm.userDnTemplate = uid={0},ou=People,dc=DOMAIN,dc=TLD
#ldapRealm.contextFactory.url = ldap://<URL>:389
# Bridge to existing h2/idmlight/mdsal authentication/authorization mechanisms.
# This realm is enabled by default, and utilizes h2-store by default.
#tokenAuthRealm = org.opendaylight.aaa.shiro.realm.TokenAuthRealm
# Defining moon realm
moonAuthRealm = org.opendaylight.aaa.shiro.realm.MoonRealm
# The CSV list of enabled realms. In order to enable a realm, add it to the
# list below:
#securityManager.realms = $tokenAuthRealm
# Configure the Shiro Security Manager to use Moon Realm
securityManager.realms = $moonAuthRealm
# adds a custom AuthenticationFilter to support OAuth2 for backwards
# compatibility. To disable OAuth2 access, just comment out the next line
# and authcBasic will default to BasicHttpAuthenticationFilter, a
# Shiro-provided class.
authcBasic = org.opendaylight.aaa.shiro.filters.ODLHttpAuthenticationFilter
# OAuth2 Filer for moon token AuthN
rest = org.opendaylight.aaa.shiro.filters.MoonOAuthFilter
# add in AuthenticationListener, a Listener that records whether
# authentication attempts are successful or unsuccessful. This audit
# information is disabled by default, to avoid log flooding. To enable,
# issue the following in karaf:
# >log:set DEBUG org.opendaylight.aaa.shiro.filters.AuthenticationListener
accountingListener = org.opendaylight.aaa.shiro.filters.AuthenticationListener
securityManager.authenticator.authenticationListeners = $accountingListener
[urls]
###############################################################################
# url authorization section #
# #
# This section is dedicated to defining url-based authorization according to: #
# http://shiro.apache.org/web.html #
###############################################################################
# Restrict AAA endpoints to users w/ admin role
/v1/users/** = authcBasic
/v1/domains/** = authcBasic
/v1/roles/** = authcBasic
#Filter OAuth2 request$
/token = rest
# General access through AAAFilter requires valid credentials (AuthN only).
/** = authcBasic
# Access to the credential store is limited to the valid users who have the
# admin role. The following line is only needed if the mdsal store is enabled
#(the mdsal store is disabled by default).
/config/aaa-authn-model** = authcBasic,roles[admin]
|