Overview
APPC uses the the AAF Shiro OSGI plugin to secure access to ODL web services with AAF.
The AAF shiro plugin is preloaded in the APPC docker image along with a sample cadi.properties file.
Enabling AAF security for APPC
- update cadi.properties with the correct information for your environment
properties include:
hostname= usually machine hostname, should be unique
aaf_url= AAF instance to connect to
aaf_id= id used to connect to AAF
aaf_password= password associated with aaf_id
cadi_keyfile= keyfile used for password encryption
- edit aaa-aap-config.xml
/opt/opendaylight/current/etc/opendaylight/datastore/initial/config/aaa-app-config.xml
swap commenting for tokenAuthRealm
<main>
<pair-key>tokenAuthRealm</pair-key>
<pair-value>org.opendaylight.aaa.shiro.realm.TokenAuthRealm</pair-value>
<!-- <pair-value>org.onap.aaf.cadi.shiro.AAFRealm</pair-value> -->
</main>
To
<main>
<pair-key>tokenAuthRealm</pair-key>
<!-- <pair-value>org.opendaylight.aaa.shiro.realm.TokenAuthRealm</pair-value> -->
<pair-value>org.onap.aaf.cadi.shiro.AAFRealm</pair-value>
</main>
swap urls for urls to be secured by AAF. NOTE: DO THIS FOR ALL URLS USING authcBasic
<urls>
<pair-key>/**</pair-key>
<pair-value>authcBasic, roles[admin]</pair-value>
<!-- <pair-value>authcBasic, roles[org.onap.appc.odl|odl-api|*]</pair-value> -->
</urls>
To
<urls>
<pair-key>/**</pair-key>
<!-- <pair-value>authcBasic, roles[admin]</pair-value> -->
<pair-value>authcBasic, roles[org.onap.appc.odl|odl-api|*]</pair-value>
</urls>
- When you save the aaa-app-config.xml shiro should automatically reload the new configuration, if not you may need to restart APPC
Customization
The permissions used to secure urls can be customized.
To customize the permission used for a url:
Ensure the permision has been added to AAF
Identify the url in the aaa-app-config.xml
set the AAF permission to be used in the roles[] for the url
Example:
to use the permission org.onap.appc.admin|*|* for the /auth/** url
<urls>
<pair-key>/auth/**</pair-key>
<pair-value>authcBasic, roles[org.onap.appc.admin|*|*]</pair-value>
</urls>
Older ODL versions
Older versions of ODL use shiro.ini located in the /etc directory in place of aaa-app-config.xml. The properties used in shiro.ini are the same. When updating the shiro.ini ODL has to be restared for changes to take effect.