Overview
Provide simple user management.
- User groups : admin, configure, read
- Authentication and authorization
- Choose existing identity provider:
- User management
- OAuth 2.0 token (key)
Standards
- OpenID (https://en.wikipedia.org/wiki/OpenID)
- OpenID Connect (https://en.wikipedia.org/wiki/OpenID_Connect)
- OAuth 2.0 (https://en.wikipedia.org/wiki/OAuth)
Identityprovider
ory/hydra- github https://github.com/ory/hydra
- as docker https://hub.docker.com/r/oryd/hydra/
ory/kratos- github https://github.com/ory/kratos
- as docker https://hub.docker.com/r/oryd/kratos
- Quickstart: https://www.youtube.com/watch?v=5t1Zr_zJc7E
- keycloak
Requirements
- OpenId Connect as Identity Provider
AAA configuration
The term AAA configuration groups the configuration of
- user domains
- user roles
- user policies
- users
- and the associations for users to domains, roles and policies
At startup time of the system domains, roles and policies are configured and should not change during the runtime of the system. Users and their associations to domains, roles and policies can be configured during runtime.
For a better understanding of such configuration ONAP SDN-R should provide the following default configuration:
SDN-R default configuration for "Domains"
Domain ID | Description |
---|---|
sdn | Default OpenDaylight SDN domain |
Please note that this configuration is set during start-up time of the system e.g. by K8s.
SDN-R default configuration for "Roles"
Role ID | Description | Domain |
---|---|---|
admin | A role with full read and write access. | sdn |
provision | A role for those who are provisioning the network. This allows read-write access to everything, accept security settings. Open: each user should be able to configure his own password. | sdn |
supervision | A role read-only access. Open: each user should be able to configure his own password. | sdn |
Please note that this configuration is set during start-up time of the system e.g. by K8s.
SDN-R default configuration for "Policies"
REST pattern (Policy ID) | ROLE | HTTP-GET | HTTP-PUT | HTTP-PATCH | HTTP-DELETE | HTTP-POST |
---|---|---|---|---|---|---|
/restconf/** | admin | true | true | true | true | true |
/rests/data/network-topology:network-topology/topology=topology-netconf/** | admin | true | true | true | true | true |
/rests/data/network-topology:network-topology/topology=topology-netconf/** | provision | true | true | true | true | true |
/rests/data/network-topology:network-topology/topology=topology-netconf/** | supervision | true | false | false | false | false |
Please note that this configuration is set during start-up time of the system e.g. by K8s.
Open: How to allow EACH user to update its own user password?
SDN-R default configuration for "Users"
NAME (User ID) | DESCRIPTION | PASSWORD | DOMAIN | |
---|---|---|---|---|
leia.organa | The first administrator of ONAP SDN-R. | leia.organa@sdnr.onap.org | Default4SDN! | sdn |
r2.d2 | The automation administrator for ONAP SDN-R. | r2.d2@sdnr.onap.org | Default4SDN! | sdn |
luke.skywalker | The son of Anakin Skywalker and Padmé Amidala, Luke Skywalker was born mere days after the formation of the Galactic Empire. | luke.skywalker@sdnr.onap.org | Default4SDN! | sdn |
jargo.fett | Just read - don't write. | jargo.fett@sdnr.onap.org | Default4SDN! | sdn |
Please note that this configuration can be set set during start-up time and during run time.
SDN-R default configuration for "Grants"
NAME | DOMAIN | ROLE |
---|---|---|
leia.organa | sdn | admin |
r2.d2 | sdn | admin |
luke.skywalker | sdn | provision |
jargo.fett | sdn | supervision |
Work split
- Acting components
- User
- Identification provider
- ODLUX Client
- SDN-R server
- Identity provider
- authentication
- providing key for registered users indicating level of rights (group)
- https://github.com/ory/kratos
- SDN-R Server
- ODLUX Client
- authorization for GUI
- Use list of identity providers to offer login
- Get key with identity and group of user from identity provider into ODLUX Userspace
- Get SDN-R User group from server
- User user group to enable/disable functions in ODLUX GUI
OAuth Provider bundle
request | params | response | description |
---|---|---|---|
GET /oauth/providers | OAuthProvider array | list of configured identity providers | |
GET /oauth/redirect | TokenResponse | ||
POST /oauth/login | username={}&password={} | TokenResponse |
Environment Vars:
env | default value | description |
---|---|---|
TOKEN_SECRET | secret | key to sign the token |
TOKEN_ISSUER | ONAP SDNC | |
HOST_URL | null => autodetected | important for reverse proxy use case |
ODLUX_REDIRECT_URI | /odlux/index.html#/oauth?token= | OAuth redirect will be responded |
SUPPORT_ODLUSERS | true | login interface enabled for internal odl configured users |
Dataflow example for Login with external Identity Provider (KeyCloak)