
Overview

Provide simple user management. 

  • User groups: admin, configure, read
  • Authentication and authorization
  • Choose existing identity provider:
    • User management
    • OAuth 2.0 token (key)

Standards

Identity provider

Requirements

AAA configuration

The term AAA configuration groups the configuration of 

  • user domains
  • user roles 
  • user policies
  • users
  • the associations of users to domains, roles and policies

At startup time of the system, domains, roles and policies are configured and should not change during the runtime of the system. Users and their associations to domains, roles and policies can be configured during runtime.

For a better understanding of such configuration ONAP SDN-R should provide the following default configuration:

SDN-R default configuration for "Domains"

Domain ID | Description
sdn       | Default OpenDaylight SDN domain

Please note that this configuration is set during start-up time of the system e.g. by K8s.

SDN-R default configuration for "Roles"

Role ID     | Description | Domain
admin       | A role with full read and write access. | sdn
provision   | A role for those who are provisioning the network. This allows read-write access to everything except security settings. Open: each user should be able to configure his own password. | sdn
supervision | A role with read-only access. Open: each user should be able to configure his own password. | sdn

Please note that this configuration is set during start-up time of the system e.g. by K8s.

SDN-R default configuration for "Policies"

REST pattern (Policy ID) | ROLE | HTTP-GET | HTTP-PUT | HTTP-PATCH | HTTP-DELETE | HTTP-POST
/restconf/** | admin | true | true | true | true | true
/rests/data/network-topology:network-topology/topology=topology-netconf/** | admin | true | true | true | true | true
/rests/data/network-topology:network-topology/topology=topology-netconf/** | provision | true | true | true | true | true
/rests/data/network-topology:network-topology/topology=topology-netconf/** | supervision | true | false | false | false | false

Please note that this configuration is set during start-up time of the system e.g. by K8s.

Open: How to allow EACH user to update its own user password?

SDN-R default configuration for "Users"

NAME (User ID) | DESCRIPTION | EMAIL | PASSWORD | DOMAIN
leia.organa | The first administrator of ONAP SDN-R. | leia.organa@sdnr.onap.org | Default4SDN! | sdn
r2.d2 | The automation administrator for ONAP SDN-R. | r2.d2@sdnr.onap.org | Default4SDN! | sdn
luke.skywalker | The son of Anakin Skywalker and Padmé Amidala, Luke Skywalker was born mere days after the formation of the Galactic Empire. | luke.skywalker@sdnr.onap.org | Default4SDN! | sdn
jargo.fett | Just read - don't write. | jargo.fett@sdnr.onap.org | Default4SDN! | sdn

Please note that this configuration can be set during start-up time and during run time.

SDN-R default configuration for "Grants"

NAME | DOMAIN | ROLE
leia.organa | sdn | admin
r2.d2 | sdn | admin
luke.skywalker | sdn | provision
jargo.fett | sdn | supervision
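The policies, users and grants above form one authorization decision: a request is allowed only if the user holds a role in the domain and a policy for that role matches the REST path and lists the HTTP method. The following Python is an added example, not ONAP SDN-R project code, that evaluates exactly the default tables above with deny-by-default semantics. The `**` pattern semantics (Ant-style: the prefix itself or anything below it) and the sample request paths are assumptions, since the page does not define them.

```python
"""Added example (not ONAP SDN-R project code): a deny-by-default evaluator
for the default AAA configuration.  Grants map (user, domain) to a role;
policies map a REST pattern and role to permitted HTTP methods.  The '**'
semantics (Ant-style glob) are an assumption; the page does not define them."""

TOPOLOGY_NETCONF = ("/rests/data/network-topology:network-topology"
                    "/topology=topology-netconf/**")

ALL_METHODS = ("GET", "PUT", "PATCH", "DELETE", "POST")
READ_ONLY = ("GET",)

# Policies exactly as in the "Policies" table: (REST pattern, role, allowed methods).
POLICIES = [
    ("/restconf/**", "admin", ALL_METHODS),
    (TOPOLOGY_NETCONF, "admin", ALL_METHODS),
    (TOPOLOGY_NETCONF, "provision", ALL_METHODS),
    (TOPOLOGY_NETCONF, "supervision", READ_ONLY),
]

# Grants exactly as in the "Grants" table: (user, domain) -> role.
GRANTS = {
    ("leia.organa", "sdn"): "admin",
    ("r2.d2", "sdn"): "admin",
    ("luke.skywalker", "sdn"): "provision",
    ("jargo.fett", "sdn"): "supervision",
}


def pattern_matches(pattern: str, path: str) -> bool:
    """Assumed Ant-style glob: 'X/**' matches X itself and every path under X;
    any other pattern must match the path exactly."""
    if pattern.endswith("/**"):
        prefix = pattern[:-3]
        return path == prefix or path.startswith(prefix + "/")
    return path == pattern


def is_allowed(user: str, domain: str, method: str, path: str) -> bool:
    """True only if the user holds a role in the domain and at least one policy
    for that role matches the path and lists the method.  Unknown users,
    foreign domains and unmatched paths are all denied (deny by default)."""
    role = GRANTS.get((user, domain))
    if role is None:
        return False
    method = method.upper()
    return any(
        policy_role == role
        and pattern_matches(pattern, path)
        and method in methods
        for pattern, policy_role, methods in POLICIES
    )


def effective_permissions(user: str, domain: str) -> dict:
    """Review helper: every REST pattern the user's role may touch, with the
    permitted methods, so a grant can be audited before it is applied."""
    role = GRANTS.get((user, domain))
    return {
        pattern: sorted(methods)
        for pattern, policy_role, methods in POLICIES
        if policy_role == role
    }


if __name__ == "__main__":
    node = TOPOLOGY_NETCONF[:-3] + "/node=roadm-a"  # constructed sample path
    for user, method, path in [
        ("leia.organa", "GET", "/restconf/operations/foo"),
        ("luke.skywalker", "PUT", node),
        ("luke.skywalker", "GET", "/restconf/operations/foo"),
        ("jargo.fett", "GET", node),
        ("jargo.fett", "DELETE", node),
        ("han.solo", "GET", node),
    ]:
        print(f"{user:15} {method:6} {path}: {is_allowed(user, 'sdn', method, path)}")
```

Note that with these tables a provision user is denied on `/restconf/**` because only the admin role has a policy there, and that the "supervision" grant yields `GET` only; the open item about letting each user update its own password is not solvable with these four policies alone, since every write under the topology pattern is either fully granted or fully denied per role.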



Work split

  • Acting components
    • User
    • Identity provider
    • ODLUX Client
    • SDN-R server
  • Identity provider
  • SDN-R Server
  • ODLUX Client
    • authorization for GUI
    • Use the list of identity providers to offer login
    • Get key with identity and group of the user from the identity provider into the ODLUX user space
    • Get SDN-R user group from server
    • Use the user group to enable/disable functions in the ODLUX GUI


OAuth Provider bundle

request | params | response | description
GET /oauth/providers | | OAuthProvider array | list of configured identity providers
GET /oauth/redirect | | TokenResponse |
POST /oauth/login | username={}&password={} | TokenResponse |

Environment Vars:

env | default value | description
TOKEN_SECRET | secret | key to sign the token
TOKEN_ISSUER | ONAP SDNC |
HOST_URL | null => autodetected | important for reverse proxy use case
ODLUX_REDIRECT_URI | /odlux/index.html#/oauth?token= | OAuth redirect will be responded
SUPPORT_ODLUSERS | true | login interface enabled for internal odl configured users
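The token in a TokenResponse (from POST /oauth/login or the /oauth/redirect path) is signed with TOKEN_SECRET and carries TOKEN_ISSUER, so the value of those two variables decides who can mint a valid token. The Python below is an added example, not the bundle's code, showing issuance and verification of such a token plus a deployment check for the shipped default secret. The HS256 JWT layout and the claim names (`sub`, `roles`, `iat`, `exp`) are assumptions; the page does not describe the real token format. Standard library only.

```python
"""Added example (not ONAP SDN-R project code): issuing and verifying the
bearer token a TokenResponse would carry, using TOKEN_SECRET / TOKEN_ISSUER.
The HS256 JWT layout and claim names are assumptions."""
import base64
import hashlib
import hmac
import json
import time

DEFAULT_SECRET = "secret"      # default value of TOKEN_SECRET per the table above
DEFAULT_ISSUER = "ONAP SDNC"   # default value of TOKEN_ISSUER per the table above
MIN_SECRET_LEN = 32            # assumed minimum for a deployment check


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(username: str, roles: list, secret: str, issuer: str,
                ttl_seconds: int = 3600, now: int = None) -> str:
    """Build header.claims.signature with HMAC-SHA256 over the first two parts."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": issuer, "sub": username, "roles": roles,
              "iat": now, "exp": now + ttl_seconds}

    def dump(obj) -> str:
        return _b64url(json.dumps(obj, separators=(",", ":")).encode())

    signing_input = dump(header) + "." + dump(claims)
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(token: str, secret: str, issuer: str, now: int = None):
    """Return the claims if the token is well-formed, signed with `secret` using
    HS256 (anything else, including alg=none, is rejected), issued by `issuer`
    and not expired; otherwise return None."""
    now = int(time.time()) if now is None else now
    try:
        h, c, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None
        expected = hmac.new(secret.encode(), f"{h}.{c}".encode(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None
        claims = json.loads(_b64url_decode(c))
    except ValueError:          # wrong part count, bad base64 or bad JSON
        return None
    if not isinstance(claims, dict):
        return None
    if claims.get("iss") != issuer or claims.get("exp", 0) <= now:
        return None
    return claims


def check_token_settings(env: dict) -> list:
    """Deployment check: warn when TOKEN_SECRET is still the shipped default or
    shorter than the assumed minimum.  With the default, anyone who reads this
    page can mint a token for any user and role."""
    warnings = []
    secret = env.get("TOKEN_SECRET", DEFAULT_SECRET)
    if secret == DEFAULT_SECRET:
        warnings.append("TOKEN_SECRET is the default value; set a random secret")
    elif len(secret) < MIN_SECRET_LEN:
        warnings.append(f"TOKEN_SECRET is shorter than {MIN_SECRET_LEN} characters")
    return warnings


if __name__ == "__main__":
    import os
    for w in check_token_settings(os.environ):
        print("WARNING:", w)
    tok = issue_token("luke.skywalker", ["provision"], "demo-only-secret-" * 3, DEFAULT_ISSUER)
    print(tok)
    print(verify_token(tok, "demo-only-secret-" * 3, DEFAULT_ISSUER))
```

Verification rejects a changed algorithm, a bad signature, a foreign issuer and an expired token before any claim is trusted; the ODLUX client should treat the token as opaque and let the SDN-R server perform this check on every request.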


Dataflow example for Login with external Identity Provider (KeyCloak)




