User management
- Herbert Eiselt
- Michael Dürre
- Martin Skorupski
- 1 Overview
- 1.1 Standards
- 1.2 Identityprovider
- 1.2.1 Requirements
- 1.3 AAA configuration
- 1.4 Work split
Overview
Provide simple user management.
User groups : admin, configure, read
Authentication and authorization
Choose existing identity provider:
User management
OAuth 2.0 token (key)
Standards
OpenID (https://en.wikipedia.org/wiki/OpenID)
OpenID Connect (https://en.wikipedia.org/wiki/OpenID_Connect)
OAuth 2.0 (https://en.wikipedia.org/wiki/OAuth)
Identityprovider
ory/hydra
github https://github.com/ory/hydra
as docker https://hub.docker.com/r/oryd/hydra/
ory/kratos
as docker https://hub.docker.com/r/oryd/kratos
Quickstart: https://www.youtube.com/watch?v=5t1Zr_zJc7E
keycloak
Requirements
OpenId Connect as Identity Provider
AAA configuration
The term AAA configuration groups the configuration of
user domains
user roles
user policies
users
and the associations for users to domains, roles and policies
At startup time of the system domains, roles and policies are configured and should not change during the runtime of the system. Users and their associations to domains, roles and policies can be configured during runtime.
For a better understanding of such configuration ONAP SDN-R should provide the following default configuration:
SDN-R default configuration for "Domains"
Domain ID | Description |
|---|---|
sdn | Default OpenDaylight SDN domain |
Please note that this configuration is set during start-up time of the system e.g. by K8s.
SDN-R default configuration for "Roles"
Role ID | Description | Domain |
|---|---|---|
admin | A role with full read and write access. | sdn |
provision | A role for those who are provisioning the network. This allows read-write access to everything, accept security settings. Open: each user should be able to configure his own password. | sdn |
supervision | A role read-only access. Open: each user should be able to configure his own password. | sdn |
Please note that this configuration is set during start-up time of the system e.g. by K8s.
SDN-R default configuration for "Policies"
REST pattern (Policy ID) | ROLE | HTTP-GET | HTTP-PUT | HTTP-PATCH | HTTP-DELETE | HTTP-POST |
|---|---|---|---|---|---|---|
/oauth/** | anon | |||||
/ready | anon | |||||
/odlux/** | anon | |||||
/about | anon | |||||
/help/** | anon | |||||
/apidoc/** | admin | |||||
/restconf/** | admin | true | true | true | true | true |
/rests/data/network-topology:network-topology/topology=topology-netconf/** | admin, provision | true | true | true | true | true |
/rests/data/network-topology:network-topology/topology=topology-netconf/** | supervision | true | false | false | false | false |
Please note that this configuration is set during start-up time of the system e.g. by K8s.
Open: How to allow EACH user to update its own user password?
SDN-R default configuration for "Users"
NAME (User ID) | DESCRIPTION | PASSWORD | DOMAIN | |
|---|---|---|---|---|
leia.organa | The first administrator of ONAP SDN-R. | Default4SDN! | sdn | |
r2.d2 | The automation administrator for ONAP SDN-R. | Default4SDN! | sdn | |
luke.skywalker | The son of Anakin Skywalker and Padmé Amidala, Luke Skywalker was born mere days after the formation of the Galactic Empire. | Default4SDN! | sdn | |
jargo.fett | Just read - don't write. | Default4SDN! | sdn |
Please note that this configuration can be set set during start-up time and during run time.
SDN-R default configuration for "Grants"
NAME | DOMAIN | ROLE |
|---|---|---|
leia.organa | sdn | admin |
r2.d2 | sdn | admin |
luke.skywalker | sdn | provision |
jargo.fett | sdn | supervision |
Work split
Acting components
User
Identification provider
ODLUX Client
SDN-R server
Identity provider
authentication
providing key for registered users indicating level of rights (group)
SDN-R Server
ODLUX Client
authorization for GUI
Use list of identity providers to offer login
Get key with identity and group of user from identity provider into ODLUX Userspace
Get SDN-R User group from server
User user group to enable/disable functions in ODLUX GUI